RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

プロジェクト: OpenCost解除 ×

OpenCost

Observability2026年6月26日

This is a routine patch release for OpenCost, dominated by bug fixes for GPU pricing, data races, and Azure Windows pricing, plus a new STACKIT provider integration. There are no breaking changes, deprecations, or CVE fixes in this release.

主な変更 (7)
  • Several data-race and stability fixes: cloudcost Status coverage read is now guarded and the ClusterMap ticker is stopped to prevent leaks, customcost Status() copies its coverage map, and GPUAllocation.Equal now compares pointer field values correctly
  • On-demand pricing is now OS-aware for Azure Windows nodes, correcting pricing calculations that previously used the wrong base rate
  • Custom provider GPU default pricing is fixed, and a nil filter guard was added to prevent a crash
  • Cloud pricing HTTP clients now have timeouts to prevent hangs
  • STACKIT added as a supported cloud provider
  • New queryProjectID field on BigQueryConfiguration, plus GKE Workload Identity Federation support for accessing Provider Pricing Data
  • Smaller items: step parameter exposed in the get_efficiency tool, Bingen 0.1.1 streaming writer support, UI build tooling switched from parcel to react-router/vite, Dockerfile.debug restored for Tilt, and reduced log verbosity for spot price auth failures
原文

OpenCost

Observability2026年5月30日

v1.120.3 patches two Go CVEs and ships a wide range of bug fixes across AWS, Azure, Oracle, and DigitalOcean providers, plus OVH support and cosign image signing.

  • securityPatch vulnerable Go dependencies — upgrade immediately

    A Go dependency update patches GHSA-xmrv-pmrh-hhx2 and CVE-2026-34986. If you're running any v1.120.x release prior to v1.120.3, upgrade now — these are dependency-level vulnerabilities, not just code changes.

  • breakingMCP server is now opt-in — check your config before upgrading

    The MCP server now defaults to disabled (MCP_SERVER_ENABLED=false). If you were relying on it being on by default, set the env var explicitly after upgrading. Check your deployment manifests before rolling out.

  • enhancementEnable cosign image verification in your admission pipeline

    Container images are now signed with cosign keyless signing and include SLSA provenance attestations. If your admission policy requires image signature verification, you can now enforce it against OpenCost images. Update your policy tooling (e.g., Kyverno, Cosign verify) to validate these attestations in CI or at deploy time.

主な変更 (7)
  • Security: vulnerable Go dependencies patched (GHSA-xmrv-pmrh-hhx2, CVE-2026-34986)
  • MCP server now opt-in via MCP_SERVER_ENABLED=false default
  • OVH cloud provider added; DigitalOcean and Oracle/Karpenter pricing fixes
  • AWS Spot Price History API now cached; toggle added to disable spot data feed entirely
  • Memory leak fixed in scrape target parsing; CPU usage counter overflow protection added
  • Container images now signed with cosign and include SLSA provenance attestations
  • CUR 2.0 support added for AWS cost data ingestion
原文

OpenCost

Observability2026年5月19日

v1.120.2 is a substantial release with security fixes, memory leak patches, AWS CUR 2.0 support, OVH cloud provider, and supply chain security improvements via cosign image signing.

  • securityUpgrade immediately for CVE-2026-34986 fix

    This release patches GHSA-xmrv-pmrh-hhx2 and CVE-2026-34986 in Go dependencies. If you're running any prior v1.120.x or v1.119.x version, upgrade to v1.120.2 now. Check your vulnerability scanner output to confirm the affected packages are resolved post-upgrade.

  • enhancementVerify cosign image signatures in your admission pipeline

    OpenCost images are now signed with cosign keyless signing and include SLSA provenance attestations. If your cluster uses an admission controller (e.g., Kyverno, Connaisseur), add a policy to enforce signature verification on opencost images. This closes a real supply-chain gap for teams running OpenCost in regulated environments.

  • enhancementEnable AWS CUR 2.0 and tune spot data feed behavior

    If your AWS billing is already on CUR 2.0, you can now configure OpenCost to use it directly. Additionally, if you don't use the AWS spot data feed, set the new toggle to disable it — this suppresses noisy warnings and avoids unnecessary config polling. Teams with spot-heavy workloads should also benefit from the new spot price API caching layer reducing API call volume.

主な変更 (5)
  • Security: Patched vulnerable Go dependencies (GHSA-xmrv-pmrh-hhx2, CVE-2026-34986) — upgrade promptly
  • AWS CUR 2.0 support added, plus a configurable toggle to disable the spot data feed and spot price API caching
  • Memory leak fixed in scrape target parsing; CPU counter overflow/reset protection added
  • Container images now signed with cosign keyless signing and SLSA provenance attestation
  • OVH cloud provider added; PV pricing can now be set via annotations; PV capacity parsing fixed for Ki/Mi/Gi/Ti units
原文

OpenCost

Observability2026年4月29日

v1.120.1 is a patch release focused on carbon cost fixes, AWS Spot pricing performance, memory optimization, and a security-relevant MCP server default change.

  • breakingCheck if MCP server was relied upon — it's now off by default

    The MCP server flipped from opt-out to opt-in. If any tooling or integrations depended on the MCP server being active without explicit configuration, they will silently stop working after this upgrade. Before deploying, audit whether MCP_SERVER_ENABLED needs to be explicitly set to true in your environment config.

  • enhancementAWS Spot users: Spot Price History caching reduces API pressure

    If you run workloads on AWS Spot instances, OpenCost was previously hitting the Spot Price History API more aggressively. The new caching layer cuts down on AWS API calls, which matters both for rate limiting and for cost attribution latency. No action required, but worth validating your Spot cost data accuracy after upgrading.

  • enhancementCarbon cost data was wrong — upgrade if you track emissions

    The carbon cost fixes address incorrect provider detection and broken fallback logic, meaning prior carbon cost figures may have been inaccurate. If you surface carbon/emissions data to teams or dashboards, re-baseline your metrics post-upgrade rather than comparing historical data across this version boundary.

主な変更 (5)
  • MCP server now defaults to disabled (MCP_SERVER_ENABLED=false) — previously it was opt-out, now it's opt-in
  • Carbon cost lookups fixed: provider detection, fallback logic, and network cost support corrected
  • AWS Spot Price History API now has a caching layer, reducing API call volume and latency
  • Memory usage tweaks in a second pass of optimizations, continuing work from prior releases
  • Local storage cost queries replaced with direct math, removing Prometheus query dependency for that path
原文

OpenCost

Observability2026年4月14日

OpenCost v1.120.0 adds OVH cloud provider support, AWS CUR 2.0 compatibility, and fixes several resource leaks and bugs across AWS, DigitalOcean, and S3 integrations.

  • breakingCheck PV cost accuracy after upgrading — unit parsing was broken

    PV capacity was previously mishandled for Ki/Mi/Gi/Ti units, which means PV cost allocations may have been wrong in earlier versions. After upgrading, verify your PV cost data looks correct, especially if you were seeing anomalous persistent volume costs.

  • enhancementMigrate to AWS CUR 2.0 if you haven't already

    AWS is deprecating CUR 1.0 — this release adds CUR 2.0 support. If you're still on CUR 1.0 exports, now is the time to update your AWS billing export configuration and point OpenCost at the new format. Don't wait for AWS to force the migration.

  • enhancementSuppress noisy Spot feed warnings with the new toggle

    Teams not using AWS Spot instances were getting misleading log warnings about spot data feeds. You can now explicitly disable the Spot Data Feed via config. Set the toggle if you're not using Spot — it cleans up your logs and removes the misleading provider log noise fixed in this release.

主な変更 (7)
  • New OVH cloud provider integration for cost tracking
  • AWS CUR 2.0 (Cost and Usage Report) support added
  • Memory leak fixed in Prometheus scrape target parsing
  • Plugin processes now properly killed on ingestor shutdown, preventing zombie processes
  • PV capacity parsing fixed to correctly handle Ki, Mi, Gi, and Ti units
  • Account field added to allocation data, cluster name added to CSV exports
  • Configuration toggle added to disable AWS Spot Data Feed when not in use
原文