RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

プロジェクト: Crossplane解除 ×

Crossplane

Orchestration & Management2026年6月22日

Crossplane v2.3.3 patches a TOCTOU security flaw in OCI package signature verification (GHSA-mf7q-r4rv-jv94) and fixes a namespace injection bug in `crossplane render`. Routine CVE bumps for Go deps included.

  • securityUpgrade immediately to fix OCI signature TOCTOU (GHSA-mf7q-r4rv-jv94)

    The TOCTOU flaw means a compromised or malicious OCI registry could serve unsigned package content after passing signature verification. Any Crossplane deployment that installs packages from OCI registries is exposed. Upgrade to v2.3.3 — this fix lives in crossplane-runtime and is bundled in this release. Review the crossplane-runtime v2.3.3 advisory for full technical details and assess whether any packages installed on affected versions should be reinstalled.

  • securitygolang.org/x/net and x/sys CVE patches — rebuild or upgrade

    The apis module now pulls updated golang.org/x/net and golang.org/x/sys. If you build Crossplane from source or vendor these deps in your own providers/functions, update your dependency pins to pick up the same CVE fixes. Pre-built images in v2.3.3 already include the patched versions.

  • breakingcrossplane render namespace behavior changed for namespaced XRs

    If you use `crossplane render` in CI pipelines or local testing with namespaced XRs, the injected resource refs no longer carry a namespace. This matches real reconciler behavior and fixes breakage with strict-schema functions (e.g., KCL-generated bindings). Re-run your render tests after upgrading to confirm output changes don't mask real issues in your composition logic.

主な変更 (4)
  • TOCTOU fix in OCI package signature verification via crossplane-runtime v2.3.3 (GHSA-mf7q-r4rv-jv94): a malicious registry could swap unsigned content after signature check passed
  • Fixed `crossplane render` incorrectly setting namespace on resource refs for namespaced XRs, which broke strict-schema functions like generated KCL bindings
  • Go toolchain bumped to 1.25.11
  • golang.org/x/net and golang.org/x/sys updated in the apis module to pick up CVE fixes
原文

Crossplane

Orchestration & Management2026年6月5日

Patch release adding a v2 upgrade readiness scanner, a golang.org/x/net security fix, and a runtime bump. The new CLI command is the practical reason to upgrade now.

  • securityUpdate immediately for golang.org/x/net fix

    golang.org/x/net was updated to v0.55.0 to address a security issue. The release notes tag this as a security dependency update, so treat it as mandatory. Upgrade to v1.20.9 before the next planned maintenance window, don't wait for a convenient moment.

  • breakingTreat upgrade check findings as real blockers, not warnings

    The command reports usage of features that are removed or changed in v2 — native patch-and-transform Compositions, ControllerConfig, external secret stores, and unqualified package sources. These are not deprecation warnings; they are hard blockers. If your control plane has any findings, start migration work using the linked guides before attempting any v2 upgrade. Ignoring them and upgrading anyway will break running workloads.

  • enhancementRun upgrade check before any v2 planning work

    If your team is on a v1.x control plane and Crossplane v2 is anywhere on the roadmap, run `crossplane beta upgrade check` against your environment now. It surfaces exactly which Compositions, ControllerConfigs, and package references will block an upgrade — saving hours of manual audit. Pipe it with `-o json` into your CI pipeline to enforce a clean bill of health before any v2 upgrade PR is merged. The non-zero exit code makes gating trivial.

主な変更 (5)
  • New `crossplane beta upgrade check` command scans a live control plane for v2 breaking changes before you upgrade
  • Checks cover native P&T Compositions, ControllerConfig usage, external secret stores, unqualified package sources, and connection details
  • Output is human-readable by default, JSON-capable via `-o json`, exits non-zero on blockers — CI-gate friendly
  • Each finding links directly to relevant migration guides and `crossplane beta convert` commands where applicable
  • Security update: golang.org/x/net bumped to v0.55.0; crossplane-runtime updated to v1.20.9
原文

Crossplane

Orchestration & Management2026年5月21日

Crossplane v2.3.0 ships a high-fidelity local render engine, per-resource reconciliation control, alpha Provider deletion protection, and multiple security dependency bumps including Go stdlib CVE fixes.

  • securityGo stdlib CVEs fixed — pull the new image

    Go was bumped to 1.25.10 specifically to address stdlib CVEs, on top of several other dependency security patches (grpc, go-git, go-jose, cloudflare/circl, golang.org/x/net). Update your Crossplane deployment to v2.3.0 promptly; if you mirror images internally, make sure the new digest is pulled before rolling out.

  • breakingUpdate API import paths and bookmark the new CLI repo

    If you import Crossplane APIs in Go code, change `github.com/crossplane/crossplane/v2/apis` to `github.com/crossplane/crossplane/apis/v2` and note that `v1.Resource*` types are now `v2.ClusterManagedResource*`. Pin your CLI tooling to the new `github.com/crossplane/cli` repo — version numbers will diverge from core after this release, so update any scripts or CI pipelines that assumed aligned versioning.

  • breakingUpgrade sequentially from v2.2 — do not skip minor versions

    Crossplane migrates CRDs on upgrade, and skipping minor versions can leave the API server in an inconsistent state. If you are on v1.20, that branch receives extended support but you should plan your migration to v2.x. Always follow the sequential upgrade path documented in the Crossplane upgrade guide.

  • enhancementUse per-resource poll annotations to reduce API server load

    Set `crossplane.io/poll-interval: 24h` on stable, infrequently-changing XRs to dramatically cut reconcile frequency. Pair it with `crossplane.io/reconcile-requested-at` to trigger on-demand reconciliation when needed. This is available immediately for XRs; for managed resources, wait for your providers to release versions based on crossplane-runtime v2.3.0 before relying on it.

  • enhancementEnable Provider deletion protection in non-prod first

    The new `--enable-provider-deletion-protection` alpha flag auto-creates `ClusterUsage` resources that block Provider deletion while managed resources exist. Useful safety net in shared clusters. Enable it in staging environments first to validate that your existing `ClusterUsage` webhook setup handles the auto-created resources correctly before rolling to production.

主な変更 (6)
  • APIs module split: `github.com/crossplane/crossplane/apis/v2` is now a separate Go module; external consumers must update import paths
  • Crossplane CLI (`crank`) moved to its own repo (`github.com/crossplane/cli`) with an independent release schedule starting after v2.3.0
  • High-fidelity `crossplane render` now runs the real composite reconciler instead of a parallel reimplementation, so local output matches actual cluster behavior
  • New per-resource annotations `crossplane.io/poll-interval` and `crossplane.io/reconcile-requested-at` give fine-grained reconciliation control (XRs immediately; managed resources need provider update to crossplane-runtime v2.3.0)
  • Alpha Provider deletion protection via `--enable-provider-deletion-protection` blocks accidental Provider removal while managed resources still exist
  • Multiple security dependency updates: Go bumped to 1.25.10 fixing stdlib CVEs, plus grpc, go-git, go-jose, cloudflare/circl, and others
原文

Crossplane

Orchestration & Management2026年4月20日

Crossplane v2.2.1 patches two user-reported bugs — ImageConfig prefix rewrite dependency upgrades and ResourceSelector handling — plus a broad sweep of security dependency updates.

  • securityUpgrade to v2.2.1 immediately for dependency security fixes

    This release pulls in security patches for at least 8 upstream libraries including cosign, go-git, go-jose, and cloudflare/circl. These are not cosmetic bumps — go-git had two separate security-tagged updates in this release alone (v5.17.1 and v5.18.0). If you're running v2.2.0, plan the upgrade now. The patch is a drop-in replacement with no breaking changes.

  • breakingVerify your ImageConfig prefix rewrite setups after upgrading

    If you use ImageConfig prefix rewrites to redirect package pulls (e.g., to a private registry mirror), your packages may have been silently stuck on stale dependency versions before this fix. After upgrading to v2.2.1, expect Crossplane to reconcile and potentially upgrade dependent packages that were previously frozen. Review installed package versions post-upgrade to confirm the expected state.

  • enhancementComposition functions can now use broad ResourceSelectors safely

    Composition functions that need to select all existing resources of a given kind no longer need workarounds. A ResourceSelector with only apiVersion and kind set is now valid. If you patched around this limitation with explicit matchLabels or matchName wildcards, you can simplify those selectors in your function logic.

主な変更 (5)
  • Fixed: packages installed via ImageConfig prefix rewrites were silently skipping dependency upgrades, leaving stale versions in place
  • Fixed: composition functions returning a ResourceSelector with only apiVersion/kind (no matchName or matchLabels) now correctly selects all resources of that kind instead of being rejected
  • Go runtime bumped to 1.25.9 with security tag
  • Security updates across: cosign, go-git, go-jose, cloudflare/circl, moby/spdystream, sigstore/timestamp-authority, docker/cli, and the OTel OTLP HTTP trace exporter
  • CI workflow hardening: mitigated potential script injection in the promote workflow and added required job-level permissions
原文

Crossplane

Orchestration & Management2026年4月20日

v2.1.5 patches three behavioral bugs (ImageConfig upgrades, ResourceSelector matching, circuit breaker resets) and pulls in a broad sweep of security dependency updates including Go 1.25.9.

  • securityUpgrade to v2.1.5 promptly — this release addresses multiple CVEs in core dependencies

    The dependency list here is long: grpc, go-git (patched twice), go-jose, cloudflare/circl, moby/spdystream, docker/cli, and the OTel OTLP trace exporter all received security updates, plus Go itself was bumped to 1.25.9. Any of these could carry CVEs relevant to your threat model. This isn't a routine chore bump — prioritize this upgrade over staying on v2.1.4.

  • breakingCheck for silently stale packages if you use ImageConfig prefix rewrites

    If your environment uses ImageConfig to rewrite registry prefixes, dependent packages may have been silently pinned at outdated versions since the bug was introduced. After upgrading to v2.1.5, verify that your package dependency graph resolves to the expected versions — stale packages won't auto-upgrade retroactively, so you may need to trigger a reinstall or version bump manually.

  • enhancementResourceSelector 'select all of a kind' unlocks cleaner composition function patterns

    If you've been working around the previous rejection of bare apiVersion/kind selectors — adding dummy matchLabels or splitting logic — you can now clean that up. A selector with no match fields is treated as 'give me all resources of this kind,' which is the intuitive behavior. Review your composition functions for any workarounds and simplify them after upgrading.

主な変更 (5)
  • ImageConfig prefix rewrite users were silently stuck on stale dependency versions — now dependency upgrades work correctly through rewrites
  • Composition functions can now use a ResourceSelector with only apiVersion/kind (no matchName or matchLabels) to select all resources of a given kind
  • Circuit breaker state is now cleared on XR deletion, preventing newly recreated XRs from being blocked by leftover breaker state
  • Security dependency bumps across grpc, go-git, go-jose, cloudflare/circl, moby/spdystream, docker/cli, sigstore, and OTel OTLP HTTP exporter
  • Go runtime bumped to 1.25.9 for underlying security fixes
原文

Crossplane

Orchestration & Management2026年4月20日

v2.0.8 fixes two user-reported bugs (ImageConfig prefix rewrite upgrades, ResourceSelector with no match field) and patches multiple security vulnerabilities in upstream dependencies.

  • securityUpgrade to v2.0.8 immediately for dependency security patches

    Multiple upstream dependencies received security-tagged fixes in this release — go-git (two separate bumps to v5.17.1 then v5.18.0), go-jose, cloudflare/circl, and others. These aren't just routine bumps; they carry CVE-related fixes. If you're running any v2.0.x release prior to v2.0.8, upgrade now. There are no API changes, so the upgrade path is straightforward.

  • breakingAudit packages installed via ImageConfig prefix rewrites for stale dependencies

    If your environment uses ImageConfig prefix rewrites to redirect package pulls (e.g., to a private registry), dependent packages may have been silently stuck on outdated versions since you adopted that configuration. After upgrading to v2.0.8, force a reconciliation and verify that all package dependencies are on their expected versions — don't assume the upgrade alone will catch everything already in a stuck state.

  • enhancementUse bare ResourceSelector (apiVersion+kind only) for 'select all' semantics in composition functions

    Previously, omitting matchName and matchLabels from a ResourceSelector caused Crossplane to reject the request outright. That's now fixed — a bare selector correctly means 'all resources of this kind'. If you worked around this limitation by enumerating resources explicitly or adding dummy match conditions, clean up those workarounds after upgrading.

主な変更 (5)
  • ImageConfig prefix rewrite: dependency upgrades now propagate correctly — packages were silently stuck on stale versions before this fix
  • ResourceSelector with only apiVersion+kind (no matchName/matchLabels) now correctly selects all resources of that kind instead of being rejected
  • Go runtime bumped to 1.25.9 with security fixes
  • Security patches across go-git, go-jose, cloudflare/circl, moby/spdystream, sigstore/timestamp-authority, docker/cli, and the OTLP HTTP trace exporter
  • CI workflow hardened against potential script injection in the promote pipeline
原文