Week 21, May 18-24, 2026

This week: 60 releases, 158 news items. Notable: python-tuf v7.0.0.

👋 Welcome

This week saw a focus on Kubernetes stability and new features with several patch releases and the v1.36 update bringing advancements in scheduling and proxy capabilities. Security remained a key theme, with numerous projects addressing CVEs and updating dependencies. Discussions around AI agents and their integration into cloud native workflows continued to generate community interest.

🚀 Notable Releases

CI/CD

  • Argo CD v3.2.12 - A patch release providing installation manifests and signed container images.
  • Argo CD v3.3.10 - A patch release providing installation manifests and signed container images.
  • Argo CD v3.4.2 - A patch release providing installation manifests and signed container images.
  • Flux2 v2.8.7 - Includes a bug fix in kustomize-controller for object annotation management and a CVE fix in source-controller and image-automation-controller via go-git v5.19.0.

Networking

  • Cilium v1.19.4 - When --k8s-service-proxy-name is set, EndpointSlices are now filtered by the service.kubernetes.io/service-proxy-name label. Operators managing EndpointSlices must stamp the matching label.
  • Cilium v1.18.10 - Fixes a cilium-agent crash during CiliumNode updates by implementing retries. Addresses an issue where CiliumLocalRedirectPolicy addressMatcher could override an existing Service’s frontend.
  • Cilium v1.17.16 - CiliumLocalRedirectPolicy addressMatcher now prevents overriding an existing Service’s frontend by default; the previous behavior can be restored via a flag. Fixes a panic in parseSPI with malformed input.
  • Kube-OVN v1.15.11 - Blocks VPC deletion if SNAT, DNAT, or FIP rules are actively using it.
  • Kube-OVN v1.14.36 - Includes updates to Go dependencies.
  • Submariner v0.24.0 - A new stable release.

Build

  • Dapr v1.17.7 - Resolves an issue where Workflow GetWorkItems gRPC streams were terminated when history payloads exceeded maximum size. Addresses orphaned workflows after scheduler pod restarts under load.
  • Helm v4.2.0 - A feature release.
  • Helm v3.21.0 - A feature release; Helm v3 is approaching end-of-life.
  • Telepresence v2.28.0 - Provides official release artifacts, including installers that support running the root daemon as a system service.
  • Buildah v1.39.9 - Addresses CVE-2025-49713 by updating x/crypto to v0.43.0. Bumps Go Jose to v4.1.4 to address CVE-2026-34986.

Observability

  • Jaeger v2.18.0 - Introduces breaking changes to metrics due to OpenTelemetry collector package upgrades and removes the min step API from metricstore. Adds auto-detection of the UI base path from the browser URL.
  • OpenTelemetry Collector v0.152.0 - Adds otelcol_exporter_in_flight_requests metric to track the number of in-flight export requests per exporter.

Security

  • Open Policy Agent v1.16.2 - Updates the Go version used to build binaries and images to 1.26.3, addressing multiple vulnerabilities.
  • The Update Framework (Python) v7.0.0 - A major release primarily due to a minor ngclient API adjustment. Fixes GHSA-qp9x-wp8f-qgjj related to incorrect delegation path matching on Windows. Updater() now explicitly requires a named bootstrap argument.
  • External Secrets v2.5.0 - Includes general updates and a documentation fix for VaultDynamicSecret examples.
  • External Secrets Helm Chart v2.5.0 - A Helm chart release for external secrets management.
  • KubeArmor v1.7.1 - Fixes controller and operator UBI image releases and updates workflows for separate UBI image builds.
  • SeeBOM v0.4.3 - Container images are signed with cosign and attested with SLSA provenance.
  • SeeBOM v0.4.2 - Container images are signed with cosign and attested with SLSA provenance.
  • SeeBOM v0.4.1 - Container images are signed with cosign and attested with SLSA provenance.
  • SeeBOM v0.4.0 - Introduces a package search feature to find dependencies by name across ingested SBOMs and identify projects using them.
  • Skopeo v1.11.5 - Addresses CVE-2025-65637 by updating Logrus. Bumps Go Jose to v3.0.5 to address CVE-2026-34986.

Service Mesh

  • Kuma v2.13.6 - Updates golang.org/x/net from 0.48.0 to 0.53.0 and helm.sh/helm/v4 from 4.0.2 to 4.1.4. Exposes Control Plane HPA behavior. Addresses dp-server shutdown and context propagation.

Configuration

  • Meshery v1.0.22 - Updates remote provider URLs and fixes a workspace crash in the Meshery UI.
  • Meshery v1.0.21 - Bumps meshery/schemas to v1.2.19 and v1.2.18. Pins Node.js to v22 in the eslint-gh workflow. Fixes server handling of comma-separated PROVIDER_BASE environment variables.

Application Frameworks

  • Spin canary - A canary release of the latest commits, not intended for stable use.

Cluster Management

  • Cluster API v1.13.2 - Fixes a Tilt kube-state-metrics deployment issue and an in-place update problem for KCP with InfraMachine webhooks.
  • Cluster API v1.12.8 - Fixes a Tilt kube-state-metrics deployment issue and an in-place update problem for KCP with InfraMachine webhooks.
  • Cluster API v1.11.11 - Bumps github.com/moby/spdystream to v0.5.1 and adds a kubeadm cluster role for KCP.

📰 This Week in Cloud Native

Kubernetes project developments included several patch releases across older versions (v1.33.12, v1.34.8, v1.35.5) and a new patch for v1.36.1. The v1.36 release also introduced new alpha metrics for Route Sync in the Cloud Controller Manager, graduated the Mixed Version Proxy to Beta, and deprecated the .spec.externalIPs field for Services. Workload-Aware Scheduling in Kubernetes v1.36 advanced with features for AI/ML and batch workloads, and Pressure Stall Information (PSI) Metrics for Kubernetes graduated to GA. Discussions within the CNCF community highlighted strategies for reducing engineering time spent on Kubernetes upgrades and building cloud native platforms from the ground up using tools like Kairos, k0rdent, and bindy.

The integration of AI agents into cloud native environments was a significant theme. The CNCF published articles on extending AI gateways with Rust for custom transformations and on KubeStellar’s use of AI agents for PR acceptance. Microsoft announced Conductor, an open-source CLI for deterministic orchestration of multi-agent AI workflows using YAML definitions. GitHub introduced updates to Copilot individual plans with flex allotments and a new desktop application. Anthropic launched its Claude Platform on AWS. The New Stack covered various aspects, including the energy consumption of AI, the role of AI in security operations centers, and the requirements for an “agent-native cloud.” MinIO’s MemKV was noted for its potential to improve GPU utilization by reducing AI recompute overhead.

Cloud security and governance received attention, with Cloud Custodian marking a decade of managing public cloud environments, Kubernetes, and infrastructure as code. Open Policy Agent (OPA) v1.16.2 updated its Go version to address vulnerabilities, and The Update Framework (python-tuf) v7.0.0 included a security fix for delegation path matching. SeeBOM v0.4.0 introduced a package search feature to assist with supply chain incident response by identifying dependency usage across SBOMs. Containers/Buildah and Skopeo also released updates addressing CVEs. In Europe, Germany’s BSI updated its C5 criteria catalog for cloud security and introduced the C3A catalog for sovereign clouds, prompting discussions on digital sovereignty and potential digital taxes for cloud software providers.

💬 Community Buzz

Discussions on Hacker News covered various aspects of Kubernetes, including TUI tools, local-first GitOps workspaces, secret management, and the implications of memory requests. The role of AI agents in development and operations was also a recurring topic, with discussions on agent-native cloud architectures, LLM observability, and structured multi-agent AI frameworks. Other popular topics included self-hosted media streaming platforms, Prometheus exporters for TLS certificate expiration, and the broader implications of AI in software development, including concerns about AI fatigue and over-reliance.

📊 Numbers of the Week

  • Total stable releases: 40 across 16 projects
  • Top 3 projects by commits this week:
    1. meshery/meshery — 1013 commits
    2. kubescape/kubescape — 280 commits
    3. cockroachdb/cockroach — 209 commits
  • Top 3 projects by merged pull requests this week:
    1. meshery/meshery — 155 merged PRs
    2. cockroachdb/cockroach — 152 merged PRs
    3. kumahq/kuma — 111 merged PRs
