Week 24, Jun 8-14, 2026

This week: 69 releases, 159 news items.

👋 Welcome

This week in Cloud Native saw a range of project updates, including security fixes across container runtimes, networking components, and service meshes. Discussions focused on the evolving landscape of AI in cloud native environments, developer experience, and ongoing security challenges in CI/CD pipelines.

🚀 Notable Releases

Container Runtimes

  • containerd v2.1.8 - Addresses CVE-2026-46680. Fixes handling of out-of-range USER values in OCI specifications and resolves bugs in the sandbox service.
  • CRI-O v1.36.1 - Contains various fixes and updates.
  • CRI-O v1.35.4 - Contains various fixes and updates.
  • CRI-O v1.34.9 - Contains various fixes and updates, including bug fixes.
  • CRI-O v1.33.13 - Contains various fixes and updates.
  • Lima v2.1.2 - Fixes limactl shell mount checks, adds a --param shortcut for template parameters, and corrects path quoting for rsync.

Orchestration

  • Crossplane v1.20.9 - Addresses user-reported issues and security vulnerabilities in dependencies. Introduces a crossplane beta upgrade check command to assess v2 upgrade readiness.
  • KEDA v2.20.0 - Records Kubernetes events through the events.k8s.io API group, requiring RBAC updates for custom deployments.
  • Capsule v0.13.4 - Fixes status reconciliation for best-effort patches and adjusts the match strategy.
  • Capsule v0.13.3 - Preserves CA bundles injected by external providers and updates Go to version 1.26.4.
  • Capsule v0.13.2 - Adds observedgeneration to CRD status objects, includes a tenant list in CapsuleConfiguration status, and adds conditions and tenant references for TenantOwners status.

Networking

  • Envoy v1.38.1 - Includes security fixes for CVE-2026-47774, resetting HTTP/2 streams that exceed header list size limits and counting uncompressed cookies towards header limits.
  • Envoy v1.37.3 - Includes security fixes for CVE-2026-47774, resetting HTTP/2 streams that exceed header list size limits and counting uncompressed cookies towards header limits.
  • Envoy v1.36.7 - Includes security fixes for CVE-2026-47774, resetting HTTP/2 streams that exceed header list size limits and counting uncompressed cookies towards header limits.
  • Envoy v1.35.11 - Includes security fixes for CVE-2026-47774, resetting HTTP/2 streams that exceed header list size limits and counting uncompressed cookies towards header limits.
  • etcd v3.6.12 - Contains various fixes and updates.
  • etcd v3.5.31 - Contains various fixes and updates.
  • etcd v3.4.45 - Contains various fixes and updates.
  • NATS Server v2.14.2 - Updates the Go version to 1.26.3 and exposes the client ID via the embedded ClientAuthentication API.
  • NATS Server v2.12.10 - Updates the Go version to 1.25.10 and makes the client ID available through the embedded ClientAuthentication API. Fixes a race condition.
  • Kube-OVN v1.15.13 - Updates Go to v1.26.4 and corrects the egress sync status field upon ACL update failures.
  • Kube-OVN v1.14.40 - Updates Go to v1.26.4 and backports IP port mapping updates.
  • Kube-OVN v1.16.2 - Introduces support for multiple network interfaces from the same subnet and updates Go to v1.26.4.
  • Submariner v0.25.0-m0 - Contains various fixes and updates.

Storage

  • Rook v1.20.0 - Requires the Ceph CSI operator for managing CSI driver settings; existing settings remain functional.
  • Longhorn v1.12.0 - Announces the General Availability (GA) of the V2 Data Engine. Adds topology-aware provisioning, dual-stack and V2 IPv6 support, and improved observability.
  • OpenEBS v4.5.0 - Introduces improvements for disk detachment, hot removal, offline node/pool management, and usability fixes across various storage provisioners.
  • Kubernetes CSI External Snapshotter client/v8.6.0 - Promotes the VolumeGroupSnapshot API to GA (v1) and updates controllers to utilize v1 VolumeGroupSnapshot APIs.

Service Mesh

  • Istio 1.30.1 - Contains various fixes and updates.
  • Istio 1.29.4 - Contains various fixes and updates.
  • Istio 1.28.8 - Contains various fixes and updates.
  • Kuma v2.13.8 - Includes security updates and updates Envoy to version 1.36.7.
  • Kuma v2.12.12 - Includes security updates and updates Envoy to version 1.35.11.
  • Kuma v2.11.15 - Includes security updates and updates Envoy to version 1.35.11.
  • Kuma 2.9.17 - Includes security updates and updates Envoy to version 1.35.11.
  • Kuma v2.7.27 - Includes security updates and updates Envoy to version 1.35.11.
  • Kuma v2.13.7 - Aligns the Envoy go-control-plane fork, bumps golang.org/x/crypto and golang.org/x/net dependencies, and adds a DiscoveryResponse size histogram.
  • Kuma v2.12.11 - Aligns the Envoy go-control-plane fork, bumps golang.org/x/crypto and golang.org/x/net dependencies, and updates Helm.
  • Kuma v2.11.14 - Aligns the Envoy go-control-plane fork, bumps golang.org/x/crypto and golang.org/x/net dependencies, and updates Helm.
  • Kuma 2.9.16 - Aligns the Envoy go-control-plane fork, bumps golang.org/x/crypto and golang.org/x/net dependencies, and updates Helm.
  • Kuma v2.7.26 - Aligns the Envoy go-control-plane fork, bumps golang.org/x/crypto and golang.org/x/net dependencies, and updates Helm.

Observability

  • Jaeger v2.19.0 - Implements the findtracesummaries gRPC handler, supports the query.attributes filter in /api/v3/traces, and adds TLS configuration for ClickHouse.
  • Inspektor Gadget v0.53.1 - Includes security hardening fixes for USDT/uprobe ELF/ld.so.cache parsing.
  • Inspektor Gadget v0.53.0 - Adds a new trace_link gadget and modifies ustack, ebpf, and symbolizer to remove the [N] prefix from stack symbols, showing binary and offset.

Security

  • Keycloak 26.6.3 - Includes security fixes, such as CVE-2026-4800 related to lodash.
  • OpenFGA v1.17.1 - Prevents v2Check fallback for throttling and validation, and updates the Go toolchain to 1.26.4.
  • OpenFGA v1.17.0 - Introduces a configurable trace sampler (trace.sampler) supporting standard OpenTelemetry strategies, defaulting to traceidratio.
  • External Secrets helm-chart-2.6.0 - Helm chart release for external secrets management.
  • External Secrets v2.6.0 - Implements the provider_api_calls_count metric.
  • Kubewarden Controller v1.36.0 - Fixes a typo in spec.namespacedPoliciesCapabilities and updates the sigstore-rs dependency.
  • SeeBOM v0.5.0 - Transforms SeeBOM into a multi-cluster, multi-format SBOM platform with project-level grouping, optional API authentication, and Kubernetes deployment improvements. Increases API endpoints from 19 to 24.
  • Trivy v0.71.0 - Contains various fixes and updates.

Build & Development

  • Dapr Runtime v1.17.9 - Fixes a workflow retention purge failure on Azure Cosmos DB when customStatus is not persisted.
  • KubeVirt v1.8.3 - Contains various fixes and updates.
  • KubeVirt v1.7.4 - Contains various fixes and updates.
  • KubeVirt v1.6.6 - Contains various fixes and updates.
  • Spin canary - A canary release intended for developers to test the latest features, noted as not stable.
  • Kind v0.32.0 - Includes critical dependency updates and bug fixes. Defaults to Kubernetes 1.36.1. Requires upgrading kind for compatibility with new node images due to a containerd upgrade.

Configuration

  • Meshery v1.0.38 - Updates go.mod for wasm policy.
  • Meshery v1.0.37 - Upgrades Meshery schemas and adds an evaluate button for design relationship evaluation in the UI.
  • Meshery v1.0.36 - Ships policy-engine wasm and wasm_exec.js in the server image.
  • Meshery v1.0.35 - Adds doc.go for the native Go policy engine.

📰 This Week in Cloud Native

The cloud native ecosystem continued its integration with Artificial Intelligence, with discussions highlighting the concept of “Cloud native is now AI-native.” The New Stack reported on the challenges of high-velocity AI deployments, noting that existing pipelines may not be equipped for deployment rates of 1,000 times per month. Microsoft’s strategy around AI agents, developer experience, and data context was a prominent theme, with announcements regarding a free agent runtime, new AI development tools like Rayfin, and an emphasis on data context for enterprise AI. Google also contributed to the local AI landscape with the Gemma 4 12B model, which reportedly runs on laptops while approaching the performance of larger models.

Security remained a critical focus. The CNCF published a whitepaper on Identity and Access Management in distributed cloud native architectures and discussed securing CI/CD pipelines for open-source projects. Inspektor Gadget completed its first independent security audit, with results released this week. Multiple projects, including containerd, Envoy, and Keycloak, released patches addressing security vulnerabilities. Concerns were also raised about AI-related supply chain attack vectors; the coverage specifically mentioned hooks from Claude, Gemini, and Cursor, which could lead to compromised GitHub organizations.

In the broader Kubernetes ecosystem, the transition from the Kubernetes Dashboard to Headlamp was detailed, offering insights into evolving cluster management interfaces. AWS published an architecture for multi-region event-driven failover using EventBridge and Route 53, demonstrating approaches to enhance resilience. Discussions also resurfaced around when Kubernetes might be considered overkill for certain deployments, alongside the introduction of new tools like StackPulse for Kubernetes observability and Kubelize for multi-cluster management. Reddit’s engineering team shared an update on their shift from proxy-based to proxyless architectures for feed serving, specifically regarding the removal of Envoy.

💬 Community Buzz

Hacker News discussions this week centered on the practical implications of AI agents in development, including their memory management, cost optimization, and potential security risks highlighted by “coding agent horror stories.” There was also interest in Kubernetes alternatives and management tools, as well as Docker-related developer tools for logging and management.

📊 Numbers of the Week

  • Total stable releases: 63 across 26 projects
  • Top 3 projects by commits this week:
    1. meshery/meshery — 189 commits
    2. cilium/cilium — 100 commits
    3. cockroachdb/cockroach — 89 commits
  • Top 3 projects by merged pull requests this week:
    1. keycloak/keycloak — 112 merged PRs
    2. envoyproxy/envoy — 87 merged PRs
    3. cilium/cilium — 71 merged PRs
