RATATOSKRATATOSK
ログイン

リリース

CNCF graduated・incubatingプロジェクトのリリースノートのAI分析。

プロジェクト: Rook解除 ×

Rook

Storage & Data昨日2026年7月7日

Rook v1.20.2は、バグ修正と細かい改善を中心としたルーティンパッチです。mgrのNetworkPolicyをイングレス専用に制限するセキュリティ強化と、Cephのデフォルトバージョンのv20.2.2への更新が主な変更点です。

  • securitymgrのNetworkPolicyがイングレス専用に変更

    mgrのNetworkPolicyがイングレス専用に制限されました。mgrを外部からアクセス可能にしている構成では、エグレス方向の通信が遮断されないか確認し、必要に応じてポリシーを調整してください。

主な変更 (7)
  • mgrのNetworkPolicyをイングレスのみに制限し、ネットワーク制御を強化(#17827)
  • Cephのデフォルトバージョンをv20.2.2に更新(#17774)
  • ceph-csi-operatorをv1.0.4に更新(#17875)
  • ノードのラベル・アノテーション変更時にリコンサイルをトリガーするようノードウォッチャーを改善
  • 外部クラスタのアンマウント時にVolumeAttachmentを正しく削除し、残留アタッチメントを防止
  • 起動時の初期キャッシュ同期中はノードウォッチャーをスキップし、無用なリコンサイルループを回避
  • その他: モンのフェイルオーバー応答時間短縮、OSDアクティベーション時のrbdデバイス誤分類修正、設定末尾の改行保証、オブジェクトストアのアクセスキーURL安全化、NetworkPolicyのCRサンプル追加、Ceph警告のミュート対応API追加
原文

Rook

Storage & Data2026年5月27日

Rook v1.19.6 is a targeted patch release addressing OSD device class handling, Prometheus metric labeling, and a network-layer dependency vulnerability. Mainly operational refinements for Ceph clusters already in production.

  • securityPatch golang.org/x/net vulnerability

    Rook v1.19.6 bumps golang.org/x/net twice (to fix govulncheck CI failures and address GO-2026-5026). If you run Rook in high-traffic environments or handle untrusted network input, review the golang.org/x/net advisory for the specific vulnerability. Upgrade to 1.19.6 to inherit the patched dependency, but do not delay if your Rook instance exposes networking logic to untrusted sources.

  • enhancementOSD device class detection fixed in raw-mode

    OSD device class handling now works correctly in raw-mode prepare and reconcile operations (#17407). If you use device classes to segregate fast (NVMe) from slow (HDD) storage, verify after upgrading that your OSD topology reflects the correct device classes. Check `ceph osd crush tree` and OSD weight distribution to ensure placement rules work as intended.

  • enhancementCluster label added to Prometheus metrics

    Prometheus scrape metrics now include a `cluster` label from upstream Ceph rules (#17544). If you aggregate Rook metrics across multiple Ceph clusters, this label addition improves metric cardinality and avoids collisions. Update any Prometheus rules, dashboards, or alerts that rely on the old label set; test in non-production first to catch any PromQL query breaks.

主な変更 (8)
  • Prometheus rules updated with upstream Ceph changes; cluster label added to all scraped metrics
  • OSD device class now honored in raw-mode prepare and reconcile operations
  • golang.org/x/net patched to fix network-layer vulnerability (GO-2026-5026)
  • Self-signed certificate creation retry logic added for wrapped context deadline errors
  • Node existence checks added to monitor health check iterations
  • Default ResourceRequirements added for cmd-reporter pod
  • Encryption label detection improved for dmcrypt paths
  • DNS policy corrected for rook-ceph-exporter
原文

Rook

Storage & Data2026年3月24日

Rook v1.18.10 patches several OSD reliability issues, tightens RBAC permissions, and adds minor operational improvements to the Ceph exporter and NFS server.

  • securityAudit your Rook RBAC after upgrading — nodes/proxy grant is gone

    The operator's nodes/proxy RBAC permission has been removed. If any custom tooling or monitoring in your environment relied on Rook's ServiceAccount having that grant, it will break silently after upgrade. Review any pipelines or dashboards that use the Rook operator ServiceAccount before rolling this out to production.

  • breakingEncrypted OSD users should test key rotation after upgrading

    The lockbox key rotation logic for encrypted OSDs was updated. Encrypted OSD clusters should run a non-production upgrade first and explicitly verify key rotation still works end-to-end. The CephX key init fix (no overwrite on failure) also changes behavior during error recovery — test any failure/retry scenarios you have documented.

  • enhancementUse the new CephNFS image fields to pin or customize NFS server images

    The new spec.server.image and spec.server.imagePullPolicy fields let you specify a custom NFS Ganesha image per CephNFS resource. This is useful if you need to pin a specific version for compliance or test a patched image without waiting for a Rook release. Update your CephNFS manifests if you currently work around this with other hacks.

主な変更 (5)
  • Orphaned ceph-exporter deployments are now cleaned up automatically during reconcile
  • RBAC: nodes/proxy grants removed from the operator — reduces cluster-wide privilege footprint
  • Encrypted OSD lockbox key rotation logic updated — important for clusters using OSD encryption
  • CephX key init no longer overwrites an existing key on failure — prevents accidental key loss
  • CephNFS gains spec.server.image and spec.server.imagePullPolicy fields for custom NFS images
原文