Week 14 - March 2026
This week: 55 releases, 173 news items. Notable: meshery v1.0.0.
👋 Welcome
This week in Cloud Native was buzzing with activity, especially around KubeCon + CloudNativeCon Europe, which brought a wave of announcements and insights. A strong theme emerged around the deepening integration of AI with cloud native infrastructure, alongside critical discussions on security and the ongoing evolution of the Kubernetes ecosystem. We also saw numerous stable releases across various projects, bringing new features and important bug fixes.
🚀 Notable Releases
CI/CD & Build Tools
- Argo CD v3.3.6, v3.3.5, v3.2.8, and v3.1.13 - These patch releases include various bug fixes and improvements, alongside continued use of cosign for container image and CLI binary signing.
- Dapr Runtime v1.17.3 - This update brings bug fixes and critical security patches, including fixes for a gRPC authorization bypass (CVE-2026-33186) and a TIFF image OOM denial of service.
- Dapr Runtime v1.16.11 - Includes a Go version bump to 1.25.8 and critical bug fixes for scheduler stability.
- Backstage v1.49.3 - A patch release addressing a previous regression.
- KubeVirt v1.8.0 - This major release aligns with Kubernetes v1.35 and introduces numerous enhancements contributed by 77 developers.
- Telepresence v2.27.3 - Provides installers with the option to run the root daemon as a system service, simplifying usage.
Networking
- Cilium v1.19.2 - Features minor changes like moving ztunnel daemonset management to Helm and includes bugfixes such as rate limiting for neighbor reconciler and hairpin redirect for L7 LB on bridge devices.
- Cilium v1.18.8 - Adds support for attaching Cilium’s XDP program on jumbo MTU interfaces and includes various bugfixes. Users on GKE should review known issues.
- Cilium v1.17.14 - Addresses several bugfixes, including a hairpin redirect for L7 LB, envoy admin socket permissions, and L7LB ingress policy bypasses.
- Antrea v2.5.2 - Adds nftables information to supportbundles, supports IPv6 traffic over IPv4 IPsec tunnels, and fixes host tunnel traffic rules.
- Antrea v2.4.5 - Fixes host tunnel traffic rules, adds IPv6 over IPv4 IPsec tunnel support, and includes a fix for missing Service info for Pod to LB flows.
- Kube-OVN v1.15.8 - Features fixes for checking northd endpoints by pod IP protocol and improved netpol ipblock expressions.
- Kube-OVN v1.14.35 - Includes a security update for the google.golang.org/grpc module.
Security & Policy
- cert-manager v1.20.1 - Fixes an OpenShift RBAC issue, bumps gRPC for a non-affecting vulnerability, and resolves a Gateway API parentRef bug.
- Open Policy Agent v1.15.0 - Introduces a logger plugin interface with file logger implementation, modifies custom HTTPAuthPlugin behavior, and adds AWS signing support for web identity.
- OpenFGA v1.13.1 - Fixes a security vulnerability (CVE-2026-33729) where Check requests with conditions and caching could return incorrect cached results.
- OpenFGA v1.13.0 - Features the AuthZen v1.0 implementation, improvements to error handling, and enhanced observability for list-objects senders.
- SeeBOM 0.2.0 - A minor release providing container images and a Helm chart for managing Software Bill of Materials (SBOMs).
Storage
- Rook v1.19.3 - A patch release for the Ceph operator, focusing on CSI updates, erasure code profile cleanup on pool deletion, and setting EC pool status to ready.
- Rook v1.18.10 - Another patch release for the Ceph operator, including fixes for orphaned ceph-exporter deployments and updates to lockbox key rotation for encrypted OSDs.
- ScyllaDB Operator v1.20.2 - A patch release with general improvements and bug fixes for the ScyllaDB Operator.
Messaging
- NATS Server v2.12.6 - Updates Go to 1.25.8, bumps dependencies, and fixes several CVEs affecting systems using MQTT.
- NATS Server v2.11.15 - Updates Go to 1.25.8, bumps dependencies, and includes fixes for several CVEs.
Service Mesh & Edge
- Kuma v2.13.3, v2.12.8, v2.11.11, 2.9.13, and v2.7.23 - Multiple patch releases across stable Kuma branches, primarily focusing on security updates, Go version bumps, and dependency upgrades for components like CoreDNS, Distroless-iptables, and Envoy.
- K3s v1.35.3+k3s1 - Updates Kubernetes to v1.35.3, bumps CoreDNS, and includes a fix for re-encrypting secrets.
- K3s v1.34.6+k3s1 - Updates Kubernetes to v1.34.6, bumps CoreDNS, and includes a fix for re-encrypting secrets.
- K3s v1.33.10+k3s1 - Updates Kubernetes to v1.33.10, bumps CoreDNS, and includes a fix for re-encrypting secrets.
Configuration & Observability
- Meshery v1.0.0 - A significant major release focusing on Infrastructure as Design, improving context handling and CLI error reporting.
- Meshery v0.9.2, v0.9.1, and v0.9.0 - These patch releases bring various fixes, CLI improvements (e.g., graduating workspace command), and UI enhancements (e.g., migrating to Turbopack).
CLI Tools
- kubectx v0.11.0 - Introduces kubectx -r for launching a read-only shell, preventing accidental edits to clusters via kubectl.
- kubectx v0.10.2 - Adds interactive fzf selection for kubectx -s and improves handling of relative paths and multiple kubeconfig files.
Chaos Engineering
- Chaos Mesh v2.8.2 - This patch version addresses existing CVEs by upgrading direct dependencies and includes various bug fixes. Note that install.sh has been deprecated.
📰 This Week in Cloud Native
The Cloud Native landscape was heavily influenced by KubeCon + CloudNativeCon Europe this week, with a clear spotlight on the intersection of AI and cloud native technologies. The CNCF highlighted how cloud native platforms are becoming indispensable for AI engineering in production, managing the “weight of AI models,” and enabling scalable AI workloads. Projects like Istio announced “AI Era” features such as ambient multicluster and Gateway API inference extensions, while Kubescape 4.0 brought enterprise stability and advanced threat detection tailored for the AI era. New projects like Higress, an enterprise-grade AI gateway, and llm-d, a Kubernetes blueprint for LLM inference, also joined the CNCF, underscoring the foundation’s commitment to supporting AI innovation.
The Kubernetes ecosystem continued its evolution, with significant community updates and discussions. The CNCF released a documentary on Backstage, celebrating its journey to becoming a global open-source standard for platform engineering. KubeVirt announced its v1.8 release, aligning with Kubernetes v1.35 and showcasing substantial community contributions. Broadcom’s donation of Velero to the CNCF marks a pivotal moment for Kubernetes backup and disaster recovery. Meanwhile, the community engaged in debates about simplifying Kubernetes, with some advocating for alternatives like Incus, and explored strategies for eliminating “hidden taxes” on Kubernetes infrastructure through solutions like virtual clusters. The archiving of the Nginx Ingress Controller also sparked considerable discussion, indicating shifts in the ingress landscape.
Security remained a critical theme, particularly concerning the impact of AI on open-source software supply chains. Reports highlighted that a vast majority of codebases rely on open source, with concerns rising about “AI slop” introducing new vulnerabilities. The security of AI agent frameworks, such as Nvidia’s NemoClaw and OpenClaw, was scrutinized, leading to the emergence of new open-source tools like Betterleaks for secrets scanning and Layerleak for Docker Hub vulnerability detection. The Open Cybersecurity Schema Framework (OCSF) achieved ITU support, aiming to power AI-ready security operations. A significant incident involved a supply chain attack on the LiteLLM PyPI package, underscoring the persistent and evolving threats in the software ecosystem.
Beyond AI and security, cloud providers introduced new capabilities and faced challenges. Cloudflare rolled out Custom Regions for fine-grained data residency control, and AWS enhanced Amazon EKS Pod Identity with session policies. Microsoft shared its open-source and Kubernetes advancements from KubeCon EU. Geopolitical events led to service disruptions for AWS data centers in Bahrain. In other developments, WebAssembly continued to gain traction, with reports indicating its superior performance over containers at the edge, signaling a potential shift in how edge workloads are deployed.
💬 Community Buzz
Hacker News was abuzz with discussions surrounding the practical implications and challenges of integrating AI agents into development workflows. Topics ranged from the security risks of AI-generated code and agent-native infrastructure to the complexities of testing Large Language Models (LLMs). The community also debated the operational overhead of Kubernetes, sharing tips for optimization and discussing alternatives, while a critical supply chain attack on the LiteLLM PyPI package highlighted the ever-present security concerns in the open-source world.
📊 Week in Numbers
- 40 stable releases across 20 projects
- 96% of codebases rely on open source, with “AI slop” posing new risks
- Platform teams are tackling a potential $43,800 “hidden tax” on Kubernetes infrastructure
- The CNCF welcomed 21 new Silver Members, and F5 was elevated to Gold Membership, reflecting growing interest and investment in cloud native technologies