RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

プロジェクト: Flux解除 ×

Flux

CI/CD & App Delivery2026年5月20日

Flux v2.8.8 patches two go-git CVEs in source and image-automation controllers, fixes a memory leak in helm-controller, and adds GCP sovereign cloud registry support.

  • securityUpgrade immediately to patch two go-git CVEs

    CVE-2026-45571 and CVE-2026-45570 affect source-controller and image-automation-controller. Both are fixed in go-git v5.19.1 bundled with this release. If you run either of these controllers — and most Flux installations do — upgrade to v2.8.8 now. There's no workaround short of disabling those controllers.

  • breakingReview charts that place non-CRD resources under crds/ directory

    Helm-controller previously force-applied any object found under a chart's crds/ directory, not just actual CRDs. That behavior is now corrected. If you have Helm charts (especially community or third-party ones) that bundle non-CRD manifests under crds/ as a workaround for install ordering, those objects will no longer be force-applied. Audit your HelmRelease resources and test in a non-production environment before rolling this out broadly.

  • enhancementInvestigate artifact fetch timeouts if reconciliations have been stalling

    The new configurable HTTP timeout for artifact fetching directly addresses indefinite blocking during fetches. If you've seen helm-controller or source-controller reconciliations hang without clear errors, this fix likely explains it. After upgrading, configure the timeout explicitly rather than relying on defaults — check the helm-controller v1.5.5 changelog for the specific field name. Also worth auditing memory usage before and after upgrade if your helm-controller pods have been growing steadily in memory.

主な変更 (5)
  • go-git updated to v5.19.1 to address CVE-2026-45571 and CVE-2026-45570 in source-controller and image-automation-controller
  • helm-controller fix: unbounded memory growth from Kubernetes client transport retry wrapper accumulating on every reconcile cycle
  • New configurable HTTP timeout for artifact fetching prevents indefinite blocking and stalled reconciliations in helm-controller
  • helm-controller no longer force-applies non-CRD objects placed under a chart's crds/ directory — a behavioral correction that could affect existing charts
  • GCP sovereign cloud artifact registry support added to source-controller and image-reflector-controller
原文

Flux

CI/CD & App Delivery2026年5月12日

Flux v2.8.7 patches a CVE in go-git and fixes a destructive reconciliation bug where non-namespaced resources with ssa:IfNotPresent were being deleted and recreated every cycle.

  • securityPatch CVE-2026-45022 by upgrading now

    go-git v5.19.0 fixes CVE-2026-45022, which affects source-controller and image-automation-controller — two components that actively clone and interact with Git repos. If your Flux installation pulls from any external or semi-trusted Git source, treat this as a priority upgrade. Run 'flux install' or update your Helm release to v2.8.7 immediately.

  • breakingCheck non-namespaced resources using ssa:IfNotPresent for unintended churn

    If you're managing ClusterRoles, CRDs, or other cluster-scoped resources with the kustomize.toolkit.fluxcd.io/ssa: IfNotPresent annotation, those resources were being silently deleted and recreated on every reconciliation loop before this fix. Audit your Kustomization objects and verify resource state after upgrading to confirm the churn has stopped. Any dependent workloads may have experienced disruptions you weren't aware of.

  • enhancementFollow the v2.7+ upgrade procedure if coming from v2.6

    The Flux team has a specific upgrade discussion thread for v2.7+ migrations. Skipping it when jumping from v2.6 to v2.8.7 can cause issues. Review the linked procedure before applying this update in environments running older Flux versions.

主な変更 (4)
  • CVE-2026-45022 fixed via go-git v5.19.0 in source-controller and image-automation-controller
  • kustomize-controller no longer deletes and recreates non-namespaced resources annotated with ssa:IfNotPresent on every reconciliation
  • fluxcd/pkg dependency updates across source-controller, kustomize-controller, and image-automation-controller
  • helm-controller v1.5.4, kustomize-controller v1.8.5, source-controller v1.8.4 component bumps
原文

Flux

CI/CD & App Delivery2026年3月12日

Flux v2.8.2 delivers critical fixes for reconciliation loops, Azure Container Registry authentication, and includes a security patch for CVE-2026-27138. The release focuses on operational stability improvements.

  • securityApply CVE-2026-27138 patch immediately

    This release fixes a potential Denial of Service vulnerability during TLS handshakes. Schedule your upgrade to v2.8.2 as soon as possible, especially if your Flux installation handles external TLS connections or operates in environments with security compliance requirements.

  • enhancementEnable DefaultToRetryOnFailure for better HelmRelease reliability

    If you use CancelHealthCheckOnNewRevision and have experienced stuck HelmReleases, enable the new DefaultToRetryOnFailure feature gate. This prevents canceled releases without retry strategies from hanging indefinitely, improving deployment reliability.

  • enhancementVerify Azure Container Registry authentication after upgrade

    The ACR authentication scope fix may resolve intermittent authentication failures you've experienced with Azure registries. After upgrading, monitor your image pulls and source operations to confirm improved reliability with ACR repositories.

主な変更 (5)
  • Fixed unnecessary reconciliation requests when source objects are already processing the current revision
  • Resolved Helm template YAML separator bug by upgrading to Helm 4.1.3
  • Added DefaultToRetryOnFailure feature gate to prevent HelmReleases from getting stuck when canceled
  • Corrected Azure Container Registry authentication scope for proper access
  • Patched CVE-2026-27138 TLS handshake DoS vulnerability by building with Go 1.26.1
原文