RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

プロジェクト: Contour解除 ×

Contour

Networking & Messaging2026年5月29日

Contour v1.33.5 is a security patch: it closes a JWT verification bypass that was possible when fallback certificates were combined with JWT-protected HTTPProxy routes.

主な変更 (4)
  • Patches GHSA-g3xr-5w5j-w4q4: HTTPProxy configs combining a fallback certificate with JWT verification could let requests without SNI, or with unrecognized SNI, skip JWT verification
  • Contour now rejects this invalid fallback-certificate-plus-JWT configuration outright instead of silently allowing the bypass
  • Tested against Kubernetes 1.32 through 1.34
  • No other functional changes in this release
原文

Contour

Networking & Messaging2026年4月21日

v1.33.4 is a security-critical patch fixing a Lua code injection CVE in Contour's Cookie Rewriting feature — upgrade immediately, and note the hard Envoy 1.35.0 minimum requirement.

  • securityPatch CVE-2026-41246 immediately — arbitrary code execution risk in shared Envoy

    Any tenant with RBAC permissions to create or modify HTTPProxy resources could inject arbitrary Lua code through a crafted pathRewrite value. In multi-tenant clusters where Envoy is shared infrastructure, this means a compromised or malicious tenant could steal xDS client credentials or deny service to other tenants. Upgrade Contour to v1.33.4 and ensure Envoy is at 1.35.0 or later before deploying. Audit your RBAC policies to limit HTTPProxy write access to trusted principals as a defense-in-depth measure.

  • breakingEnvoy 1.35.0 minimum — verify your Envoy version before upgrading Contour

    This release will not function correctly with Envoy versions older than 1.35.0 due to the new filterContext-based Lua approach. If you manage your own Envoy image or pin versions, upgrade Envoy first. The bundled Envoy in the official manifests is already at v1.35.10, so if you use the standard deployment you're covered — but custom or air-gapped environments need explicit attention here.

  • enhancementReview HTTPProxy RBAC regardless of upgrade timing

    Even after patching, the underlying attack surface is broad write access to HTTPProxy resources. Take this as a signal to tighten RBAC: restrict HTTPProxy creation/modification to platform operators rather than application developers where possible. In high-trust multi-tenant environments this kind of privilege separation is the right long-term control.

主な変更 (4)
  • CVE-2026-41246 fixed: Lua code injection via malicious cookieRewritePolicies pathRewrite values could allow arbitrary code execution in Envoy
  • Cookie Rewriting feature redesigned: text/template generation dropped in favor of structured filterContext data passed to a static Lua script
  • Envoy 1.35.0 is now a hard minimum requirement for this release
  • Bundled Envoy bumped to v1.35.10
原文

Contour

Networking & Messaging2026年4月21日

v1.32.5 is a security patch fixing a Lua code injection vulnerability (CVE-2026-41246) in Contour's Cookie Rewriting feature, plus an Envoy bump to v1.34.14. Upgrade immediately in multi-tenant environments.

  • securityPatch CVE-2026-41246 immediately in multi-tenant clusters

    Any cluster where untrusted users or teams have RBAC permissions to create or modify HTTPProxy resources is directly exposed. An attacker crafts a pathRewrite.value that breaks out of the Lua string context, gaining code execution in Envoy — which runs as shared infrastructure. That means credential theft (xDS client certs) or denial of service for every tenant on the same Envoy instance. Upgrade to v1.32.5 now. While you prepare the upgrade, audit who has create/update rights on HTTPProxy and tighten RBAC to the minimum necessary.

  • breakingReview existing cookieRewritePolicies after upgrade

    The fix adds escaping to pathRewrite.value inputs. Legitimate values with special characters (backslashes, quotes, etc.) will now be escaped before Lua interpolation, which changes runtime behavior. Test any HTTPProxy resources using cookieRewritePolicies[].pathRewrite.value in a staging environment post-upgrade to confirm cookie rewriting still behaves as expected.

  • enhancementEnvoy v1.34.14 is bundled — no separate action needed

    The Envoy bump is included in the Contour image. If you run a managed Envoy deployment alongside Contour, verify your Envoy image is also updated to v1.34.14 to stay consistent with Contour's tested configuration.

主な変更 (5)
  • CVE-2026-41246 fixed: Lua code injection via malicious cookieRewritePolicies[].pathRewrite.value in HTTPProxy resources
  • Attackers with HTTPProxy RBAC write access could achieve arbitrary code execution inside the shared Envoy proxy
  • Injected code could exfiltrate Envoy's xDS client credentials or cause DoS for co-located tenants
  • Fix escapes user-provided cookie path rewrite values before Lua interpolation
  • Envoy updated to v1.34.14
原文

Contour

Networking & Messaging2026年4月21日

Contour v1.31.6 patches a Lua code injection vulnerability (CVE-2026-41246) in Cookie Rewriting that could allow arbitrary code execution in shared Envoy infrastructure.

  • securityPatch immediately if you allow untrusted users to create/modify HTTPProxy resources

    CVE-2026-41246 is a privilege escalation path in multi-tenant clusters. Any user with RBAC write access to HTTPProxy objects can inject arbitrary Lua into Envoy — and since Envoy is shared infrastructure, the blast radius extends to other tenants and exposes xDS credentials. Upgrade to v1.31.6 now. If you cannot upgrade immediately, audit existing HTTPProxy objects for suspicious pathRewrite values and tighten RBAC so only trusted principals can write HTTPProxy resources.

  • enhancementReview RBAC around HTTPProxy write permissions regardless of upgrade status

    This CVE class — user-controlled values interpolated into code — is a design risk whenever untrusted users can write Kubernetes custom resources that drive proxy configuration. Use this as a prompt to apply least-privilege RBAC on HTTPProxy, HTTPRoute, and similar resources across your clusters. Namespace-scoped RBAC and admission webhooks that validate pathRewrite values are good mitigations to layer on top of the patch.

主な変更 (4)
  • Security fix for CVE-2026-41246: Lua code injection via malicious cookieRewritePolicies[].pathRewrite.value in HTTPProxy resources
  • Injected code could exfiltrate Envoy xDS client credentials from the filesystem or cause DoS for co-tenants
  • Fix escapes user-provided values before interpolation into Lua code — no API changes required
  • Envoy bumped to v1.34.14
原文

Contour

Networking & Messaging2026年3月24日

Contour v1.33.3 is a security-focused patch bumping Envoy to v1.35.9 and grpc-go to v1.79.3, with a minor cleanup to example manifests.

  • securityUpgrade to get the Envoy security fixes

    The Envoy bump to v1.35.9 is the main reason to upgrade — it addresses real security vulnerabilities in the data plane. The grpc-go CVE-2026-33186 does not affect Contour, but the Envoy issues are reason enough to prioritize this patch. Plan a rollout soon, especially if your clusters are exposed to untrusted traffic.

  • breakingCheck custom manifests for the removed hostPort: 8002

    If you copied or extended the example manifests and rely on hostPort: 8002 for scraping Envoy metrics directly from the node, that configuration is now gone from the upstream examples. Audit your manifests before upgrading to confirm whether you've inherited this setting and whether any monitoring pipelines depend on it.

主な変更 (4)
  • Envoy bumped to v1.35.9 to address security vulnerabilities
  • grpc-go updated to v1.79.3, patching CVE-2026-33186 (Contour itself is not affected)
  • Removed hostPort: 8002 from Envoy metrics in example manifests
  • Tested against Kubernetes 1.32 through 1.34
原文

Contour

Networking & Messaging2026年3月24日

Contour v1.32.4 is a security/stability patch bumping Envoy to v1.34.13 and grpc-go to v1.79.3 (CVE-2026-33186), with a minor manifest cleanup.

  • securityUpgrade for the Envoy security fixes

    The Envoy bump to v1.34.13 is the real reason to update here. Envoy releases in this range carry security fixes — check the Envoy v1.34.13 changelog directly to understand which CVEs apply to your traffic patterns. The grpc-go CVE-2026-33186 does not affect Contour, but upgrading still gets you the fix in the dependency graph. Plan a rolling upgrade now rather than waiting.

  • breakingCheck custom manifests that reference Envoy hostPort 8002

    The example manifests removed hostPort 8002 from the Envoy metrics container. If your deployment pipelines diff against or are derived from the upstream example manifests, this change will appear as a diff. More importantly, if you have firewall rules, monitoring scrapers, or Prometheus scrape configs targeting that host port directly, verify they still reach the metrics endpoint through an alternative path (e.g., ClusterIP Service or pod IP) before upgrading.

主な変更 (3)
  • Envoy updated to v1.34.13 for security vulnerability fixes and stability improvements
  • grpc-go updated to v1.79.3, patching CVE-2026-33186 (Contour itself is not affected by this CVE)
  • Removed hostPort 8002 from Envoy metrics in example manifests
原文

Contour

Networking & Messaging2026年3月24日

Contour v1.31.5 is a security/stability patch: Envoy bumped to v1.34.13, grpc-go updated to patch CVE-2026-33186 (Contour itself unaffected), and a minor manifest cleanup.

  • securityUpgrade for Envoy security fixes — don't wait on this one

    Envoy v1.34.13 carries security vulnerability fixes. The release notes don't enumerate specific CVEs, but Envoy patches at the .13 point release level are serious. Upgrade Contour to pull in the new Envoy image. If you run a heavily customized Envoy config, verify behavior in staging first, but don't sit on this.

  • securityCVE-2026-33186 in grpc-go: patched, Contour not affected — no emergency action needed

    The grpc-go update closes CVE-2026-33186, but Contour's own code doesn't hit the vulnerable path. You still benefit from upgrading since the dependency is bundled in the Contour binary. No emergency rollout required, but include this in your next maintenance window.

  • breakingCheck custom manifests if you rely on Envoy metrics hostPort 8002

    The example manifests no longer expose hostPort: 8002 for Envoy metrics. If you copy or base your deployment manifests on Contour's examples and depend on host-level metrics scraping via that port, update your scrape configs and manifests accordingly. Production installs using the operator or Helm are unlikely to be affected unless you explicitly templated this.

主な変更 (3)
  • Envoy updated to v1.34.13 to address security vulnerabilities and improve stability
  • grpc-go updated to v1.79.3, patching CVE-2026-33186 (Contour is not in the affected code path)
  • Removed hostPort: 8002 from Envoy metrics in example manifests
原文

Contour

Networking & Messaging2026年2月21日

Contour v1.33.2 is a maintenance release that fixes a critical HTTPProxy status update bug, upgrades Go to v1.25.7, and improves CPU allocation for the shutdown-manager container.

  • securityUpgrade for Go security patches

    Go v1.25.7 includes security fixes and performance improvements. Schedule an upgrade to benefit from these updates, especially if you're running production workloads with previous Contour versions.

  • breakingFix HTTPProxy status update issues

    If you're experiencing load balancer status update failures with HTTPProxy resources, this release fixes the CRD schema issue. Upgrade immediately if you rely on status fields for monitoring or automation.

  • enhancementImproved Gateway Provisioner performance

    The increased CPU limit for shutdown-manager prevents throttling issues. If you're using Contour Gateway Provisioner and experiencing slow shutdown operations, this upgrade will improve performance.

主な変更 (4)
  • Go runtime updated to v1.25.7 for latest security and performance improvements
  • Fixed HTTPProxy CRD schema bug causing load balancer status update failures
  • Increased shutdown-manager CPU limit from 50m to 200m in Gateway Provisioner to prevent throttling
  • Maintains compatibility with Kubernetes versions 1.32 through 1.34
原文

Contour

Networking & Messaging2026年2月21日

Contour v1.32.3 is a maintenance release that updates Go runtime to v1.24.13 and fixes a critical CRD schema bug preventing load balancer status updates.

  • securityUpdate for Go Security Fixes

    Go v1.24.13 includes security patches. Schedule upgrade to v1.32.3 during your next maintenance window to benefit from runtime security improvements and bug fixes.

  • breakingFix Load Balancer Status Issues

    If you're experiencing load balancer status update failures with HTTPProxy resources, upgrade immediately. The CRD schema fix resolves status reporting issues that could affect traffic routing visibility and monitoring.

主な変更 (4)
  • Go runtime updated to v1.24.13 with security fixes and improvements
  • Fixed HTTPProxy CRD schema bug that incorrectly marked status.loadBalancer.ingress[].ports[].error as required field
  • Resolved load balancer status update failures affecting ingress traffic routing
  • Maintained compatibility with Kubernetes versions 1.31 through 1.33
原文

Contour

Networking & Messaging2026年2月21日

Contour v1.31.4 is a patch release addressing a critical load balancer status update bug and updating Go to v1.24.13 for security and stability improvements.

  • securityUpgrade for Go security patches

    Go v1.24.13 includes security fixes that improve runtime security. Plan to upgrade Contour to v1.31.4 during your next maintenance window to benefit from these security improvements.

  • enhancementFix load balancer status reporting issues

    If you've experienced failures in load balancer status updates with HTTPProxy resources, this release resolves the CRD schema issue. Upgrade to restore proper status reporting functionality, especially important for automation and monitoring systems that depend on load balancer status.

主な変更 (4)
  • Go runtime updated to v1.24.13 for security and performance improvements
  • Fixed HTTPProxy CRD schema bug causing load balancer status update failures
  • Maintains compatibility with Kubernetes 1.30-1.32
  • Focused on stability improvements with no breaking changes
原文