Week 27, Jun 29 - Jul 5, 2026

This week: 77 releases, 176 news items. Notable: clusternet v1.0.0, podman v6.0.0.

👋 Welcome

This week in Cloud Native saw significant updates across security, AI integration, and core ecosystem projects. Multiple projects released security patches addressing various vulnerabilities, while the discussion around AI agents and their operational implications continued to grow. Kubernetes ecosystem projects also received updates, enhancing management and observability capabilities.

🚀 Notable Releases

Security

  • cert-manager v1.20.3 - Addresses a security vulnerability (GHSA-8rvj-mm4h-c258) where the cert-manager-edit ClusterRole granted namespace users permission to create ACME Challenge and Order resources directly.
  • cert-manager v1.19.6 - Addresses a security vulnerability (GHSA-8rvj-mm4h-c258) where the cert-manager-edit ClusterRole granted namespace users permission to create ACME Challenge and Order resources directly.
  • Crossplane v2.3.3 - Fixes a package signature verification time-of-check-to-time-of-use (TOCTOU) flaw (GHSA-mf7q-r4rv-jv94) that could allow malicious OCI registries to serve unsigned content after initial verification.
  • Crossplane v2.2.3 - Fixes a package signature verification time-of-check-to-time-of-use (TOCTOU) flaw (GHSA-wfqx-gjrf-g28r) that could allow malicious OCI registries to serve unsigned content after initial verification.
  • Crossplane v2.1.7 - Includes security updates for dependencies, updating github.com/quic-go/quic-go to v0.59.1 and golang.org/x/net to v0.55.0.
  • Crossplane v1.20.10 - Includes security updates, bumping Go to 1.25.11 and updating go.mongodb.org/mongo-driver to v1.17.7.
  • Envoy v1.38.3 - Includes security fixes for CVE-2026-47205 (Authz per route crash), CVE-2026-47207 (ext_proc response handling), and CVE-2026-47221 (router internal redirects).
  • Envoy v1.37.5 - Includes security fixes for CVE-2026-47205 (Authz per route crash), CVE-2026-47207 (ext_proc response handling), and CVE-2026-47221 (router internal redirects).
  • Envoy v1.36.9 - Includes security fixes for CVE-2026-47205 (Authz per route crash), CVE-2026-47207 (ext_proc response handling), CVE-2026-47221 (router internal redirects), and CVE-2026-47775 (OAuth2 code verifier padding oracle).
  • Envoy v1.35.13 - Includes security fixes for CVE-2026-47207 (ext_proc response handling), CVE-2026-47221 (router internal redirects), CVE-2026-47775 (OAuth2 code verifier padding oracle), and CVE-2026-48044 (HTTP/2 flood vulnerability).
  • Keycloak 26.6.4 - Addresses security vulnerabilities including CVE-2026-9099 (group-admin escalation to realm-admin) and CVE-2026-9083 (Keycloak admin console XSS).
  • Capsule v0.13.7 - Addresses security vulnerabilities GHSA-gxjc-74v5-3vx3 (malformed ForbiddenAnnotations.Regex bypassing Tenant validation) and GHSA-gjw4-3v3v-rqxg (Tenant owner bypasses forbidden label/annotation enforcement).
  • Podman v6.0.0 - Addresses CVE-2026-57231, where a malicious image could leak host environment variables into containers via malformed Env entries. This release also introduces breaking changes.
  • Podman v5.8.4 - Addresses CVE-2026-57231, where a malicious image could leak host environment variables into containers via malformed Env entries, and updates golang.org/x/crypto to v0.55.0.
  • Ko v0.19.0 - Rejects -toolexec in the GOFLAGS environment variable for security, adds a repeatable --ldflags flag for go build, fixes defaultFlags application in .ko.yaml, and writes directory headers in kodata tar archives.
  • External Secrets v2.7.0 - General updates include releasing Helm charts 2.6.0 and adding an Infisical provider e2e test suite.
  • External Secrets helm-chart-2.7.0 - Helm chart release for external secrets management in Kubernetes.

Orchestration & Cluster Management

  • Open Policy Agent (OPA) v1.18.0 - Introduces a breaking fix to the outbound User-Agent header to conform to RFC 9110, adds container-aware resource limits with automatic GOMAXPROCS and GOMEMLIMIT support, and includes opa fmt correctness fixes.
  • Volcano v1.14.3 - Fixes Network-Topology-Aware scheduling soft mode for jobs, corrects scalar in-queue resource accounting to use milli-units, and clears device-related annotations when releasing pods.
  • Clusternet v1.0.0 - Introduces support for Kubernetes 1.32, includes Protobuf serialization optimizations, adds new field patch type support, and resolves multiple defects.
  • Cluster API v1.13.3 - Supports Management Cluster v1.32.x -> v1.36.x and Workload Cluster v1.30.x -> v1.36.x. Adds DefaultTransform on CacheOptions and fixes 3 bugs.
  • Cluster API v1.12.9 - Supports Management Cluster v1.31.x -> v1.35.x and Workload Cluster v1.29.x -> v1.35.x. Fixes 2 bugs, including skipping update check for clusterctl completion and granting RBAC for OwnerReferencesPermissionEnforcement.
  • Baremetal Operator v0.13.1 - Fixes reconciliation for Host Firmware Settings (HFS) created before BareMetalHosts (BMH) and updates cluster-api to v1.13.3.
  • Baremetal Operator v0.12.5 - Updates cluster-api to v1.12.9 and Go version to 1.25.11.

Networking & Service Mesh

  • Envoy v1.38.3 - (See Security section for details).
  • Envoy v1.37.5 - (See Security section for details).
  • Envoy v1.36.9 - (See Security section for details).
  • Envoy v1.35.13 - (See Security section for details).
  • Istio 1.30.2 - This is a patch release.
  • Istio 1.29.5 - This is a patch release.
  • Istio 1.28.9 - This is a patch release.
  • Kube-OVN v1.15.16 - Updates golang.org/x/tools to v0.47.0 and refreshes kubectl golang.org/x dependencies.
  • Kube-VIP v1.2.1 - Adds dhcp-broadcast annotation, includes endpointless reconciliation after service refactor, and bumps Go to 1.26.4.
  • Kuma v2.11.16 - Bumps Envoy from 1.35.11 to 1.35.12, updates Go version from 1.26.3 to 1.26.4, and fixes policy matching for ignored inbounds for Dataplane.

Observability

  • Fluentd v1.19.3 - Implements strict host validation for dynamic HTTP endpoints, enforces size limits on decompressed payloads, and changes default visibility for in_monitor_agent config.
  • OpenTelemetry Collector v0.155.0 - Removes stabilized feature gates confighttp.framedSnappy, configoptional.AddEnabledField, confmap.newExpandedValueSanitizer, and exporter.PersistRequeue.
  • OpenCost v1.120.4 - Updates UI image build commands, fixes custom provider GPU default pricing, and adds queryProjectID field to BigQuery integration.
  • Meshery v1.0.49 - Adds telemetry routes to Next.js and de-duplicates Artifact Hub registrant summary in startup logs.
  • Meshery v1.0.48 - Refactors context handler methods, improves connection persistence logging, and fixes error handling in mesheryctl tests.
  • Meshery v1.0.47 - Fixes UI build issues due to mui-tree ESM mismatch, updates connection and credential handling for local provider, and adds Telemetry support with Grafana dashboards and Prometheus metrics.
  • Meshery v1.0.46 - Updates Meshery Schemas to v1.3.16, fixes duplicate ErrInvalidUUID errors, and adds release-scoped cache headers for the served UI.

Registry

  • Dragonfly v2.5.0 - Adds support for direct repository downloads from Hugging Face and ModelScope for its client.
  • Dragonfly v2.4.4 - Fixes a scheduler issue where missing seed peers in refresh were treated as an error instead of a warning.

Build & Application Frameworks

  • Backstage v1.52.1 - Fixes an internal refactor issue for app sign-in runtime, resolves scheduler tasks stuck with NULL next_run_start_at when switching trigger types, and corrects a broken configuration schema in @backstage/plugin-kubernetes-react.
  • Telepresence v2.29.1 - Provides official release artifacts with installers that include an option to run the root daemon as a system service.
  • Spin v4.0.2 - Uses P3-friendly WAC in spin-environments.
  • Spin canary - This is an unstable release intended for developers to try out the latest features.

Edge

  • K3s v1.36.2+k3s1 - Updates Kubernetes to v1.36.2 and includes backports for June 2026.
  • K3s v1.35.6+k3s1 - Updates Kubernetes to v1.35.6 and includes backports for June 2026.
  • K3s v1.34.9+k3s1 - Updates Kubernetes to v1.34.9 and includes backports for June 2026.
  • K3s v1.33.13+k3s1 - Updates Kubernetes to v1.33.13 and includes backports for June 2026, and bumps Traefik to v3.7.4.

Backup

  • Velero v1.18.2 - Skips VolumeGroupSnapshots (VGS) cleanup when backups did not use them, and fixes a backup performance regression with includedNamespaces ["*"] by restoring cross-namespace API listing optimization.

📰 This Week in Cloud Native

The cloud native landscape saw continued focus on AI integration and its operational implications. Multiple reports discussed the development and governance of AI agents, with Vercel introducing Eve, an open-source framework for building AI agents. The integration of AI agents within Kubernetes clusters, leveraging tools like Argo CD and GitOps for CI/CD, was also explored. Discussions extended to considerations for keeping AI inference close to data for security and compliance, with some organizations focusing on FedRAMP boundaries for AI agent governance. The Kubernetes Working Group Device Management highlighted new requirements for hardware management driven by AI and Edge workloads, underscoring the need for advanced hardware specification beyond traditional CPU and memory metrics.

Security and supply chain hardening remained a key theme this week. The CNCF blog featured updates on the Security Profiles Operator v1, noting its stable APIs and role in shaping upstream Kubernetes security. Hardening CI/CD pipelines was also detailed, with a focus on credentials and verification processes to enhance security. Additionally, an open-source security body, Akrites, was launched by Anthropic and other organizations to coordinate vulnerability responses. In the Java ecosystem, efforts were highlighted to address unpatched JVM vulnerabilities and provide remediated libraries to mitigate security backlogs.

In the Kubernetes ecosystem and observability space, new plugins for Headlamp were introduced, extending its UI capabilities to manage Cluster API, Volcano workloads, and Knative serverless functions. These additions aim to provide enhanced visual context and debugging for various Kubernetes components. For distributed tracing, Jaeger’s ClickHouse backend was discussed, demonstrating significant data compression ratios. AWS announced performance and scalability improvements for Amazon EKS Auto Mode, alongside a new capability for customer-routed control plane egress through VPC, enhancing network control and security for EKS clusters.

Developer experience and open-source community dynamics also received attention. The role of open-source maintainership in the age of AI was debated, as more contributors leverage AI tools for patch generation. The Rust Foundation debuted official training programs to address the language’s learning curve. Discussions also covered practical aspects like achieving zero-downtime deployments with Docker Compose and federating Kubernetes clusters. The announcement of a new community governance model for MySQL by Oracle marked a step towards broader community involvement in the database’s future development.

💬 Community Buzz

Discussions on Hacker News this week frequently addressed the implementation, scaling, and debugging of AI agents, along with challenges and tooling for managing their context and identity. Topics also included strategies for achieving zero-downtime deployments using Docker Compose and federating Kubernetes clusters, as well as experiences with rebuilding Kubernetes operators for improved scalability. The impact of AI on software development practices and developer jobs also generated commentary.

📊 Numbers of the Week

  • Total stable releases: 54 across 30 projects
  • Top 3 projects by commits this week:
    1. meshery/meshery — 370 commits
    2. kubernetes/kubernetes — 162 commits
    3. kubevirt/kubevirt — 139 commits
  • Top 3 projects by merged pull requests this week:
    1. envoyproxy/envoy — 97 merged PRs
    2. kubernetes/kubernetes — 77 merged PRs
    3. keycloak/keycloak — 70 merged PRs