CRI-O v1.36.1 is a small patch fixing a container status regression where ImageRef flipped to a raw image ID after restart, plus a debug log verbosity reduction.
breakingUpgrade if you rely on ImageRef for image identity after restarts
Before this fix, CRI-O restarts caused ImageRef in container status to switch from a repo@digest string to a raw image ID. Any tooling that parses ImageRef — admission controllers, audit pipelines, image policy enforcers — could silently receive the wrong format and fail validation or produce incorrect audit records. If you run workloads where CRI-O restarts are common (e.g., upgrades, node reboots), patch to v1.36.1 immediately and validate your tooling handles the repo@digest format consistently.
enhancementExpect quieter debug logs under high-frequency List* RPC calls
Clusters with aggressive monitoring or reconciliation loops generating frequent ListContainers/ListPodSandboxes calls were generating excessive debug log volume, which hurt CRI-O performance under high load. After this patch, debug logging is less chatty for these paths. If you previously reduced log levels specifically to work around this noise, you can now safely re-enable debug logging without the same overhead.
主な変更 (4)
- Fixed ImageRef regression: container status now correctly returns repo@digest format (not raw image ID hash) after CRI-O restarts
- Reduced log verbosity for List* RPC calls, cutting noise in debug-level logging under frequent polling
- No dependency changes — pure bug fix release
- SLSA provenance, OpenVEX, and SPDX SBOMs published for supply chain verification