Week 18 - April 2026
This week: 49 releases, 180 news items. Notable: spin v4.0.0.
👋 Welcome
This week saw the Kubernetes project release v1.36, introducing General Availability for fine-grained Kubelet API authorization and User Namespaces. The Gateway API also advanced with its v1.5 stable release. Discussions around AI agents and their integration into cloud native development, operations, and security workflows were also prominent.
🚀 Notable Releases
CI/CD
- Argo CD v3.3.8 - A patch release providing container images and CLI binaries signed by cosign with generated provenance.
- Argo CD v3.2.10 - A patch release providing container images and CLI binaries signed by cosign with generated provenance.
- Argo CD v3.1.15 - A patch release providing container images and CLI binaries signed by cosign with generated provenance.
- Flux 2 v2.8.6 - Includes bug fixes and improvements across helm-controller, image-automation-controller, kustomize-controller, notification-controller, and source-controller, addressing a post-renderer conflict.
Security
- cert-manager v1.19.5 - A patch release addressing reported vulnerabilities by bumping Go dependencies and updating Go to 1.25.8.
- Kyverno v1.17.2 - Fixes policy logging verbosity, report creation for namespaced policies, handling of empty results for target expressions, and object usage checks.
- Kyverno v1.16.4 - Addresses CVE-2025-68121 and CVE-2026-24051.
- External Secrets v2.4.0 - Releases the Helm chart for v2.3.0 and includes a documentation fix.
- External Secrets helm-chart-2.4.0 - Helm chart release for external secrets management.
Networking
- CoreDNS v1.14.3 - Adds Windows service support, full TSIG verification across DoH, DoH3, QUIC, and gRPC transports, and optional TLS for the metrics endpoint. Includes performance improvements via cache prefetching and QUIC optimizations.
- Envoy v1.38.0 - Introduces breaking changes requiring explicit max_early_data_bytes for tcp_proxy with certain upstream_connect_mode values, and alters on_demand filter behavior regarding internal redirects.
- Kube-OVN v1.16.1 - Fixes controller behavior to retain VM LSP port-group memberships when a sibling pod is active and includes dependency updates.
Orchestration
- Crossplane v2.2.1 - A patch release addressing dependency upgrade issues with ImageConfig prefix rewriting and includes security fixes for dependencies.
- Crossplane v2.1.5 - A patch release addressing dependency upgrade issues with ImageConfig prefix rewriting and includes security fixes for dependencies.
- Crossplane v2.0.8 - A patch release addressing dependency upgrade issues with ImageConfig prefix rewriting and includes security fixes for dependencies.
- Crossplane v1.20.7 - A patch release including a security fix by updating Go to 1.25.9 to address multiple CVEs.
- Crossplane v1.20.6 - A patch release mitigating potential script injection in the promote workflow, adding required permissions to workflows, and including security fixes for dependencies.
- Kubernetes v1.36.0 - The “Haru” release, graduating fine-grained Kubelet API authorization and User Namespaces to General Availability.
- Cluster API v1.13.0 - Updates Go to 1.25 and controller-runtime to v0.23, and improves KCP recovery from various failures. Supports management clusters v1.32.x to v1.35.x and workload clusters v1.30.x to v1.35.x.
- Cluster API v1.12.7 - Fixes CVE-2026-39883 and addresses KCP deletion issues when InfraTemplates are missing.
- Cluster API v1.11.10 - Fixes CVE-2026-39883 and updates cert-manager to v1.20.2 for clusterctl.
Build
- Backstage v1.50.3 - Fixes issues with home page widget drag/resize, performance regressions in the facets endpoint, and preservation of external hrefs in BUI link components.
- KubeVirt v1.8.2 - A patch release with general bug fixes and improvements, and signed release tags.
- KubeVirt v1.7.3 - A patch release with general bug fixes and improvements, and signed release tags.
- KubeVirt v1.6.5 - A patch release with general bug fixes and improvements, and signed release tags.
Configuration
- Metal3-io Baremetal Operator v0.12.4 - Fixes HFC controller error loops on deleted resources, removes unused RBAC permissions, and bumps CAPI to v1.12.7 and Go to 1.25.9.
- Metal3-io Baremetal Operator v0.11.7 - Fixes HFC controller error loops on deleted resources, removes unused RBAC permissions, and updates CAPI to v1.11.10 and Go to 1.25.9.
- Meshery v1.0.13 - Restores mutated fields when relationships are deleted and fixes SSE event streamer disconnect handling in the CLI.
- Meshery v1.0.12 - Uses file names for imported designs, canonicalizes camelCase wrapper keys, and supports dual-accept for design/pattern files in API requests.
- Meshery v1.0.11 - Fixes a nil logger panic in Kubernetes machine initialization and addresses a remote provider pattern file data format mismatch.
- Meshery v1.0.10 - Adopts MesheryPatternImportRequestBody schema, makes the Go engine default for local server evaluation, and includes UI fixes for extension loading and CSS subpaths.
Application Frameworks
- Spin v4.0.0 - A major release with artifacts signed by cosign.
Observability
- Inspektor Gadget v0.51.1 - A bugfix release that converts the Makefile.build to use Go.
📰 This Week in Cloud Native
Kubernetes Core Developments
Kubernetes v1.36, codenamed “Haru,” was released, bringing fine-grained Kubelet API authorization and User Namespaces to General Availability. The User Namespaces feature is specific to Linux. Additionally, SELinux Volume Label Changes reached GA, with potential breaking changes anticipated in v1.37. The Gateway API also released v1.5, moving several features to stable status. Discussions emerged concerning the state of Kubernetes resource optimization, with reports indicating low CPU and memory utilization, and the ongoing shift from Ingress NGINX following its retirement.
AI and Agentic Workflows
The integration of AI agents into cloud native operations and development workflows was a recurring theme. Examples include using AI for migrating Ingress NGINX configurations to Higress, auto-diagnosing Kubernetes alerts with AI tools, and AI agents assisting with pull request acceptance in projects like KubeStellar. Observability for AI agents is being addressed, with Jaeger adopting OpenTelemetry. OpenAI introduced Workspace Agents, GPT-5.5, and a local Privacy Filter for PII, indicating a move towards more autonomous and privacy-aware AI tools. Google also announced its eighth-generation TPUs, designed for the agentic era, and stated that 75% of its new code is AI-written. Concerns were raised regarding the security implications of AI software vulnerability exploitation and the control over autonomous AI agents.
Security and Compliance
The retirement of Ingress NGINX highlighted the need for migration and security updates. Supply chain compromises were reported, including malicious Axios npm package versions and Checkmarx artifacts in the KICS Docker repository. Germany’s BSI published criteria for sovereign cloud services, emphasizing digital autonomy. Cursor and Chainguard announced a partnership to secure the AI agent supply chain. OpenAI’s Privacy Filter for local PII processing represents a new approach to data privacy in AI applications.
Ecosystem and Tools
Several projects released updates or were highlighted. Meshery saw multiple patch releases addressing server stability and API handling. CoreDNS added Windows service support and improved TSIG verification. Cluster API updated Go versions and improved KCP recovery. New open-source tools for self-hosting Docker containers, Kubernetes operators for identity management, AI gateways, and credential vaults for agents were also noted. AWS announced a partnership with Meta involving Graviton Cores for agentic AI and discussed decoupling authorization at scale with Cedar-based resource policies.
💬 Community Buzz
Discussions on Hacker News focused on the Kubernetes v1.36 release, including User Namespaces, and broader topics like Kubernetes resource optimization, probes, and alternative implementations (e.g., Rusternetes). AI agents were a major subject, covering their impact on coding, security implications, and tools for managing credentials, sandboxes, and multi-agent systems. Other topics included self-hosting Docker containers, the utility of syntax highlighting, challenges in open-source contributions, and the perceived decline in Google search quality.
📊 Numbers of the Week
- Total stable releases: 34 across 17 projects
- Top 3 projects by commits this week:
  - meshery/meshery — 279 commits
  - kubernetes/kubernetes — 189 commits
  - cockroachdb/cockroach — 185 commits
- Top 3 projects by merged pull requests this week:
  - cockroachdb/cockroach — 193 merged PRs
  - kubernetes/kubernetes — 136 merged PRs
  - cilium/cilium — 90 merged PRs