👋 Welcome
This week saw a significant number of stable releases across the Cloud Native ecosystem, with updates to container runtimes, CI/CD tools, and observability platforms. Discussions centered on the expanding role of AI in cloud environments, alongside continued focus on security and Kubernetes operational practices.
🚀 Notable Releases
CI/CD
- Argo CD v3.4.5 - A patch release that includes updated install manifests and release signatures for container images.
- Flux v2.9.1 - A patch release that disables Flux variable substitution on Flux CRDs to prevent schema corruption from Kustomizations with post-build substitution.
- Helm v4.2.3 - A patch release.
- Helm v3.21.3 - A patch release.
- Meshery v1.0.55 - Adopts schemas v1beta3 for User and integrates with Meshery Cloud account consolidation.
Container Runtime
- containerd v2.3.3 - Fixes the SystemTemp environment variable on Windows for SYSTEM services and addresses a nil pointer dereference in NRI GetIPs during pod sandbox teardown or container exit.
- containerd v2.2.6 - Addresses a nil pointer dereference in NRI GetIPs and rejects
CreateContainercalls when the target sandbox is not running. - containerd v2.0.11 - Limits fallback to the
/blobsendpoint during reference resolution to mitigate content store pollution. - containerd v1.7.34 - Fixes an issue where container exit events were lost if they arrived before container information was cached.
- Podman v6.0.1 - Fixes an issue where Podman Machine VMs on Mac using the
libkrunprovider could be shut down by host port-scanning, and addressespodman machine initfailures on Windows with thehypervprovider when WSL is not installed. - Podman v5.8.5 - Fixes an issue where Podman Machine VMs on Mac using the
libkrunprovider could be shut down by host port-scanning.
Database
- CrateDB 6.4.0 - A new stable release with changes detailed in its release notes.
- CrateDB 6.3.5 - A patch release with changes detailed in its release notes.
- CrateDB 6.2.11 - A patch release with changes detailed in its release notes.
- CrateDB 6.1.6 - A patch release with changes detailed in its release notes.
- CrateDB 6.0.8 - A patch release with changes detailed in its release notes.
- TiKV v8.5.7 - This release includes features, improvements, and bug fixes as detailed in the TiDB v8.5.7 release notes.
Networking
- CoreDNS v1.14.6 - This patch release addresses ARM and MIPS build issues by downgrading the
dd-trace-godependency and includes improvements for forwarding and secondary zone support. - CoreDNS v1.14.5 - Improves DNS transport security and operational reliability through safer DoH/DoH3 handling, enhanced forwarding configuration, and improved dnstap support. It also includes robustness improvements across various DNS functions.
- Kube-OVN v1.15.19 - Bumps GoBGP to v4.7.0 and adds support for HCP ovn-central scheduling within the Helm chart.
- Kube-OVN v1.15.18 - Adds support for HCP ovn-central chart deployment and updates the
golang.org/x/textmodule to v0.39.0.
Observability
- OpenTelemetry Collector v0.156.0 - Adds support for defining stability levels and semantic convention references for resource attributes in
mdatagen, and introduces health events for thememory_limiterprocessor. - Prometheus v3.13.1 - A bugfix release that addresses an issue where the head-chunk cache returned incorrect samples or spurious not-found errors to range queries after head-chunk truncation.
- Prometheus v3.5.5 - Built with Go 1.25.12, this release fixes CVE-2026-53606 by updating
sanitize-htmlto v2.17.5 in the UI. - Thanos v0.42.0 - Includes improvements to the Receive component’s tenant lifecycle handling and per-endpoint configuration. It also displays fanout information in Thanos Query and fixes exemplar proxy stripping external label matchers in multi-tier query topologies.
- Inspektor Gadget v0.54.0 - The
advise_networkpolicytool can now generate CiliumNetworkPolicyresources in addition to KubernetesNetworkPolicy. Users can now define CPU and memoryrequestsandlimitson the Kubernetes deployment.
Orchestration
- etcd v3.7.0 - This is a new major stable release. Users are advised to consult the changelog and upgrade guide for a full list of changes and potential breaking changes.
- Capsule v0.13.9 - Fixes a cache timeout issue for the RBAC controller.
Security
- cert-manager v1.21.0 - Adds ACME Renewal Information (ARI) support and AWS IAM authentication for the Vault issuer. It includes several security hardening changes and continued improvements to Gateway API integration and
cainjector. There are three breaking changes related to Helm chart RBAC and metrics values. - Kyverno v1.18.2 - Fixes dynamic watchers restarting on 410 errors, prevents required validation abortion on non-matching images, and allows multiple CRDs in the
--crd-pathfile for the CLI. - SPIFFE/SPIRE v1.15.2 - Adds support for configuring JTI claim inclusion in JWT-SVIDs at the entry level. It introduces experimental per-caller rate limiting for the agent Workload API and Envoy SDS, and adds TLS support for the Prometheus metrics endpoint using a SPIRE SVID. Optional verification of client certificate IPs is now available in the
x509popnode attestor, and a SPIFFE Broker endpoint and API have been introduced. - Keycloak 26.7.0 - This release introduces SCIM API for user provisioning (preview) and simplified multi-cluster high availability without external caches (preview). It also includes enhanced reverse proxy guides.
Service Mesh
- Kuma v2.13.9 - Updates Envoy to version 1.36.8 and Go to version 1.26.4. It includes security updates and adds configurable zone proxy probes via Helm. Fixes an issue distinguishing an unreachable leader from a leader change.
- Kuma v2.12.13 - Updates Envoy to version 1.35.12 and Go to version 1.26.4. It includes security updates and fixes an issue distinguishing an unreachable leader from a leader change, as well as unwrapping
DeletedFinalStateUnknownin the Kubernetes event listener. - Kuma v2.11.17 - Includes security updates. Fixes an issue distinguishing an unreachable leader from a leader change and unwrapping
DeletedFinalStateUnknownin the Kubernetes event listener. It also removes a noisy log for MeshMetrics/metrics coexistence. - Kuma 2.9.18 - Updates Envoy to version 1.35.12 and Go to version 1.26.4. It includes security updates and fixes an issue distinguishing an unreachable leader from a leader change, as well as unwrapping
DeletedFinalStateUnknownin the Kubernetes event listener. - Kuma v2.7.28 - Updates Envoy to version 1.35.12 and Go to version 1.26.4. It includes security updates and fixes an issue distinguishing an unreachable leader from a leader change.
Developer Tools
- Telepresence v2.29.3 - Provides installers that include an option to run the root daemon as a system service, which removes the requirement for elevated privileges during use.
📰 This Week in Cloud Native
The Cloud Native landscape this week was characterized by a strong emphasis on Artificial Intelligence, with numerous announcements and discussions surrounding its integration into cloud infrastructure and development workflows. Several CNCF blog posts addressed the deployment of AI workloads, data storage requirements for AI, and the establishment of network boundaries for AI agents, including considerations for sandboxing and platform engineering for AI-native applications. AWS announced Lambda MicroVMs, designed to provide VM-level isolation and near-instant startup for serverless compute environments, specifically highlighting their utility for secure code execution by AI agents. AWS also introduced Loom for building secure AI agents at scale and an open-source Model Context Protocol (MCP) server for AI-powered dataset discovery.
In the Kubernetes ecosystem, the upcoming retirement of the Kubernetes SIG Network ingress-nginx controller by March 2026 was highlighted, with a focus on preparing for the post-retirement landscape. The etcd project announced its v3.7.0 release, a significant update for the Kubernetes backing store. Discussions also covered migrating Amazon EC2 instances to EKS Auto Mode and implementing full request and response compliance logging on Amazon EKS. Other related news included projects exploring Kubernetes-native VM orchestration and bridging the local-to-cluster development gap.
Security remained a consistent theme, with several projects releasing updates addressing vulnerabilities and hardening measures. cert-manager v1.21.0 introduced security hardening changes, and Prometheus v3.5.5 fixed a UI security issue. SPIFFE/SPIRE v1.15.2 added features for configuring JTI claims in JWT-SVIDs and experimental rate limiting for the agent Workload API, along with TLS support for Prometheus metrics. Cloudflare introduced temporary accounts for autonomous worker deployment, which can be used by AI agents, prompting considerations for secure deployment practices. The concept of software supply chain risk beyond zero-vulnerability code packages was also explored.
The broader cloud native community engaged in discussions around developer productivity in the age of AI, with conversations on the potential for AI to introduce bottlenecks in code review processes and the evolving role of engineers. The CNCF marked two months since the launch of its Open Community Groups, an open-source online meetup platform, indicating ongoing efforts to foster community engagement and collaboration.
💬 Community Buzz
Hacker News discussions this week frequently revolved around the impact of AI agents on software development and productivity, including concerns about workflow interruptions and the role of developers. Topics also included Kubernetes ecosystem tooling, alternative container orchestration approaches, and various open-source data and analytics projects. Supply chain security for GitHub Actions and general developer tools and personal projects were also subjects of community interest.
📊 Numbers of the Week
- Total stable releases: 41 across 24 projects
- Top 3 projects by commits this week:
- kubernetes/kubernetes — 245 commits
- telepresenceio/telepresence — 122 commits
- cilium/cilium — 114 commits
- Top 3 projects by merged pull requests this week:
- cilium/cilium — 138 merged PRs
- kubernetes/kubernetes — 102 merged PRs
- kumahq/kuma — 85 merged PRs