👋 Welcome
This week in Cloud Native saw the graduation of OpenTelemetry to a CNCF Graduated project, signaling its widespread adoption as an observability standard. Multiple projects released patch updates addressing security vulnerabilities and introducing various fixes. Discussions also continued around the integration of AI agents within cloud native development and infrastructure.
🚀 Notable Releases
Container Runtime
- containerd v2.3.1 - This patch release includes a security update for CVE-2026-46680 and fixes a bug where failed gRPC plugins were not tolerated during listener startup.
- containerd v2.2.4 - This patch release includes security updates for CVE-2026-46680 and CVE-2026-34986, and uses the mount manager during image volume processing to support snapshotters requiring writable block volumes.
- containerd v2.0.9 - This patch release includes a security fix for CVE-2026-46680, ensures container exit events are retained during `containerd` restarts, and applies hardening against TOCTOU race conditions in tar extraction.
- containerd v1.7.32 - This patch release includes a security fix for CVE-2026-46680, allows `hosts.toml` to contain root-level fields without an explicit `[host]` section, and fixes handling of out-of-range USER values in OCI specs.
- containerd API 1.11.1 - This patch release includes a fix for sandbox task API endpoints when using non-runc runtimes.
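The containerd v2.0.9 note above mentions hardening tar extraction against TOCTOU races. The Go program below is an added illustration of the property such hardening needs, written for this digest; it is not containerd's code and does not reproduce its fix. It assumes Go 1.24 or newer for `os.Root`, and the archive entries and the planted symlink are constructed sample input. The idea: a "check that `escape/` is a real directory, then write into it" extractor can be raced, because an attacker who swaps the directory for a symlink between the check and the write redirects the write outside the root. Routing every write through an `os.Root` removes the separate check, so the kernel resolves each path component relative to the root at the moment of use and refuses any component that leaves it.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// buildArchive returns an in-memory tar (constructed sample input for this
// example, not a real image layer). It contains an ordinary file, a directory
// with a file in it, a "../" traversal attempt, and a file whose path goes
// through "escape/", which the attacker will have turned into a symlink to "/"
// by the time the extractor writes it.
func buildArchive() []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	type entry struct {
		hdr  tar.Header
		body string
	}
	entries := []entry{
		{tar.Header{Name: "ok.txt", Typeflag: tar.TypeReg, Mode: 0o644}, "ok\n"},
		{tar.Header{Name: "dir/", Typeflag: tar.TypeDir, Mode: 0o755}, ""},
		{tar.Header{Name: "dir/inner.txt", Typeflag: tar.TypeReg, Mode: 0o644}, "inner\n"},
		{tar.Header{Name: "../traversal.txt", Typeflag: tar.TypeReg, Mode: 0o644}, "bad\n"},
		{tar.Header{Name: "escape/pwned.txt", Typeflag: tar.TypeReg, Mode: 0o644}, "bad\n"},
	}
	for _, e := range entries {
		e.hdr.Size = int64(len(e.body))
		if err := tw.WriteHeader(&e.hdr); err != nil {
			panic(err)
		}
		if _, err := io.WriteString(tw, e.body); err != nil {
			panic(err)
		}
	}
	if err := tw.Close(); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

// plantEscapeSymlink simulates the attacker winning the race: after any
// "is escape/ a real directory?" check an extractor might have performed,
// that name is now a symlink to the filesystem root.
func plantEscapeSymlink(dest string) error {
	return os.Symlink("/", filepath.Join(dest, "escape"))
}

// extract unpacks archive into dest. Directories and regular files are the
// only entry types handled here; symlinks, hard links and devices need their
// own treatment and are refused, which is the safe default for a demo. All
// writes go through root, so there is no check-then-write window to race.
func extract(archive []byte, dest string) (written, rejected []string, err error) {
	root, err := os.OpenRoot(dest)
	if err != nil {
		return nil, nil, err
	}
	defer root.Close()

	tr := tar.NewReader(bytes.NewReader(archive))
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return written, rejected, nil
		}
		if err != nil {
			return written, rejected, err
		}
		name := path.Clean(hdr.Name) // tar names always use forward slashes
		switch hdr.Typeflag {
		case tar.TypeDir:
			err = root.Mkdir(name, os.FileMode(hdr.Mode)&0o777)
		case tar.TypeReg:
			var f *os.File
			f, err = root.Create(name) // fails if any component escapes dest
			if err == nil {
				_, err = io.Copy(f, tr) // tar.Reader bounds this to hdr.Size
				f.Close()
			}
		default:
			err = fmt.Errorf("unsupported entry type %q", hdr.Typeflag)
		}
		if err != nil {
			rejected = append(rejected, fmt.Sprintf("%s: %v", hdr.Name, err))
			continue
		}
		written = append(written, name)
	}
}

func main() {
	dest, err := os.MkdirTemp("", "extract-demo-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dest)
	if err := plantEscapeSymlink(dest); err != nil {
		panic(err)
	}
	written, rejected, err := extract(buildArchive(), dest)
	if err != nil {
		panic(err)
	}
	fmt.Println("written:", strings.Join(written, ", "))
	for _, r := range rejected {
		fmt.Println("rejected:", r)
	}
}
```

Running it writes `ok.txt`, `dir` and `dir/inner.txt` and rejects the two hostile entries. The traversal entry is refused for its `..` component, and `escape/pwned.txt` is refused because the kernel, resolving the path under the root at write time, sees that `escape` leads outside it; nothing lands in `/` or in the parent of the extraction directory, whatever an earlier check might have concluded.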
Orchestration
- Crossplane v2.3.1 - This patch release addresses user-reported issues and includes security updates for dependencies, such as `golang.org/x/crypto`.
- Crossplane v2.2.2 - This patch release fixes user-reported issues and includes security updates for dependencies, such as `github.com/in-toto/in-toto-golang` and `github.com/go-git/go-git/v5`.
- Crossplane v2.1.6 - This patch release addresses user-reported issues and includes security updates for dependencies, such as `golang.org/x/net` and `go.opentelemetry.io/otel`.
- Crossplane v1.20.8 - This patch release fixes user-reported issues and includes security updates for dependencies, such as `github.com/docker/cli` and `golang.org/x/net`.
- Crossplane v2.3.0 - This release introduces a local rendering engine, finer-grained reconciliation control for XRs and managed resources, and alpha deletion protection for Provider packages.
CI/CD
- Flux v2.8.8 - This patch release includes CVE fixes via `go-git`, reliability fixes in `helm-controller` and `source-controller`, moves Helm back to upstream v4.2.0, and adds support for GCP sovereign cloud artifact registries.
- OpenCost v1.120.2 - This release updates Go dependencies, supports shorter node names, and includes a fix for a memory leak during scrape target processing.
Service Mesh
- Istio 1.30.0 - This is a new stable release of the service mesh.
- Istio 1.29.3 - This is a patch release for the 1.29 series.
- Istio 1.28.7 - This is a patch release for the 1.28 series.
Security
- Kyverno v1.18.1 - This release adds support for cluster-scoped resource generation in `GeneratingPolicy` and passes the `AdmissionRequest` to update requests for mutate-existing policies.
- SPIRE v1.15.0 - This release adds an `account_id` selector for the `aws_iid` node attestor, TLS support for the Prometheus metrics sink, and a feature to prevent prefetching of X509-SVIDs for specific registration entries. It also adds rootless Podman support for the Docker workload attestor.
- Keycloak 26.6.2 - This release includes security fixes for CVE-2026-33871 (HTTP/2 CONTINUATION Frame Flood Denial of Service) and CVE-2026-33870 (RFC violation).
- OpenFGA v1.16.0 - This release adds datastore ping timeout configurations, reports `allowed` results and `tuple_key` on Check and experimental `weighted_graph_check` resolution trace spans, and fixes cache key collisions in experimental `weighted_graph_check` union resolution.
Observability
- OpenTelemetry Collector v0.153.0 - This release includes breaking changes by stabilizing the feature gates `configoptional.AddEnabledField`, `confmap.newExpandedValueSanitizer`, `exporter.PersistRequestContext`, and `otelcol.printInitialConfig`.
- OpenTelemetry Collector v0.152.1 - This release adds the `otelcol_exporter_in_flight_requests` metric to track the number of concurrent export requests per exporter.
Build
- Backstage v1.51.0 - This release removes the deprecated `NavItemBlueprint` from `@backstage/frontend-plugin-api`; navigation items are now discovered from `PageBlueprint` extensions.
Framework
- KServe v0.17.1 - This patch release includes fixes for installation scripts and Helm charts.
Chaos Engineering
- LitmusChaos 3.29.0 - This release bumps `google.golang.org/grpc` to v1.79.3, addressing CVE-2026-33186, and prevents duplicate chaos experiment triggers under concurrent reconciles.
Messaging
- NATS Server v2.14.1 - This release updates the Go version to 1.26.3, updates dependencies, and adds new metrics (`in_client_msgs`, `in_client_bytes`, `out_client_msgs`, `out_client_bytes`) for client message and byte counts.
- NATS Server v2.12.9 - This release updates the Go version to 1.25.10, updates dependencies, and adds the same new client metrics (`in_client_msgs`, `in_client_bytes`, `out_client_msgs`, `out_client_bytes`).
Networking
- Kube-OVN v1.14.38 - This release includes Go dependency updates.
- Kube-OVN v1.15.12 - This release backports u2o overlay-only routing and packages the ipvlan plugin in the `kube-ovn` image.
- Kube-OVN v1.14.37 - This release backports u2o overlay-only routing and packages the ipvlan plugin in the `kube-ovn` image.
Configuration
- Meshery v1.0.28 - This release includes UI fixes for Next.js build imports and builder dependencies.
- Meshery v1.0.27 - This release updates `meshery/schemas` to v1.2.23, indexes `matchlabels` and binding identification loops, and fixes batch-loading of connection environments.
- Meshery v1.0.26 - This release includes Dockerfile updates.
- Meshery v1.0.25 - This release updates `meshery/schemas` to v1.2.22, fixes non-determinism in the relationship evaluation engine, and refactors provider naming.
- Meshery v1.0.24 - This release includes UI fixes to stop React update-depth loops on `/management/connections`, fixes performance dashboard crashes on a null `test_start_time`, fixes permission issues in the configuration panel, and restores Navigator icons.
- Meshery v1.0.23 - This release updates `meshery/schemas` to v1.2.20, fixes a URL path, removes a test directory, and guards the MeshSync metadata lookup when registry tables are absent.
Scheduling
- Descheduler Helm Chart 0.36.0 - This is a Helm chart release for the Kubernetes Descheduler.
- Descheduler v0.36.0 - This release adds init container support to the Helm chart and updates Helm RBAC to account for PVC failures.
Edge
- K3s v1.36.1+k3s1 - This release updates Kubernetes to v1.36.1, includes May backports, and updates the `rancher/local-path-provisioner` image version.
- K3s v1.35.5+k3s1 - This release updates Kubernetes to v1.35.5, includes May backports, and updates the `rancher/local-path-provisioner` image version.
- K3s v1.34.8+k3s1 - This release updates Kubernetes to v1.34.8, includes May backports, and updates the `rancher/local-path-provisioner` image version.
- K3s v1.33.12+k3s1 - This release updates Kubernetes to v1.33.12, includes May backports, and updates the `rancher/local-path-provisioner` image version.
Database
- ScyllaDB Operator v1.21.0 - This is a new stable release of the ScyllaDB Operator.
Backup
- Velero v1.18.1 - This release fixes wildcard expansion when includes are empty and excludes have wildcards, and adds a 2-second gap between temporary CSI VolumeSnapshotContent creation and deletion.
📰 This Week in Cloud Native
The Cloud Native Computing Foundation (CNCF) announced that OpenTelemetry has graduated, signifying its maturity and widespread adoption as a vendor-neutral standard for observability across traces, metrics, and logs. This milestone reflects its use in production environments and its role in modern cloud native architectures. Related discussions covered techniques for designing end-to-end ingress request tracing in multi-tenant SaaS platforms and how Jaeger achieved significant data compression using ClickHouse as a storage backend.
The intersection of AI/ML and Cloud Native continued to be a prominent theme. NetEase Games shared insights on achieving 30-second cold starts for Large Language Models (LLMs) on Kubernetes, addressing the challenge of elastic compute for data-intensive AI workloads. New open-source initiatives like Prempti were introduced to provide policy and visibility for AI coding agents, which are increasingly integrated into developer workflows. Automation of Confidential Containers (CoCo) infrastructure with Kyverno was explored as a method to enhance security for containerized AI workloads. AWS highlighted Kubernetes Dynamic Resource Allocation as a way to simplify AI infrastructure management for specialized hardware like AWS Trainium and Elastic Fabric Adapter. Microsoft discussed the foundational role of open source in AI and agentic systems, introducing STATE-Bench as a benchmark for AI agent memory. Camunda announced ProcessOS, which incorporates an intelligence layer designed to learn from and optimize business processes using AI.
In Kubernetes Ecosystem news, the Kubernetes blog announced the availability of etcd 3.7.0-beta.0. CVS Health joined the CNCF as a Platinum member, expanding collaboration on cloud native initiatives. A field guide was published for the upcoming KubeCon + CloudNativeCon India event. A technical post discussed the limitations of kubectl debug in retaining termination container records, highlighting a “silent evidence gap” for debugging ephemeral states. AWS also announced that Bitnami container images will no longer be available on Amazon ECR Public Gallery starting June 10th, 2026, requiring users to adjust their image pulling strategies.
Security updates were released across several projects, including containerd, Crossplane, Flux, Keycloak, and LitmusChaos, addressing various CVEs and dependency vulnerabilities. Discussions also touched upon the security implications of AI coding agents and the importance of supply chain security, with calls from the Open Source Security Foundation (OpenSSF) for broader industry support for open source maintainers.
💬 Community Buzz
Hacker News discussions this week covered various aspects of Kubernetes, including new runtimes for AI agents, deep dives into Kubernetes internals, and tools for infrastructure-as-code that integrate with Kubernetes and Helm. Topics also included strategies for cost optimization in Kubernetes environments through off-hours scaling and analyses of default insecure CoreDNS configurations. Docker-related threads explored reverse-engineering undocumented microVM APIs and techniques for reducing Docker container image sizes. The broader impact of AI agents on development, local AI model execution, and the creation of reliability layers for LLM tool-calling also generated discussions.
📊 Numbers of the Week
- Total stable releases: 43 across 20 projects
- Top 3 projects by commits this week:
- falcosecurity/falco — 263 commits
- meshery/meshery — 233 commits
- cockroachdb/cockroach — 228 commits
- Top 3 projects by merged pull requests this week:
- cockroachdb/cockroach — 184 merged PRs
- cilium/cilium — 116 merged PRs
- keycloak/keycloak — 84 merged PRs