👋 Welcome
This week in Cloud Native saw significant security updates across several projects, including critical fixes for Argo CD, Prometheus, and SPIFFE/SPIRE. Kubernetes v1.36 introduced new alpha and beta features for resource management and controller observability. Discussions also focused on the increasing integration of AI agents within cloud native environments and their associated security and operational considerations.
🚀 Notable Releases
Security
- Argo CD v3.3.9 - Contains a security fix for a critical vulnerability (GHSA-3v3m-wc6v-x4x3).
- Argo CD v3.2.11 - Contains a security fix for a critical vulnerability (GHSA-3v3m-wc6v-x4x3).
- Kyverno v1.18.0 - Adds configurable blocklist and scoped token authorization for HTTP context loading and introduces support for namespaced secrets and pod-level references for image registry credentials.
- Open Policy Agent v1.16.1 - Addresses a regression in the plugin manager that could cause the service to hang on shutdown.
- Open Policy Agent v1.16.0 - Introduces the `uri.parse` and `uri.is_valid` built-in functions, adds data API request/response metadata, and exports Prometheus metrics via OTLP. The release notes advise users to upgrade directly to v1.16.1 due to a plugin manager regression.
- Prometheus v3.11.3 - Fixes multiple security issues, including a remote-read snappy decode vulnerability, an AzureAD OAuth `client_secret` exposure, and an old UI XSS vulnerability.
- Prometheus v3.5.3 - Fixes multiple security issues, including a remote-read snappy decode vulnerability, an AzureAD OAuth `client_secret` exposure, and an old UI XSS vulnerability.
- SPIFFE/SPIRE v1.14.6 - Fixes an issue in the `aws_iid` server node attestor plugin where an attacker could impersonate EC2 instances during node attestation.
- SPIFFE/SPIRE v1.13.6 - Fixes an issue in the `aws_iid` server node attestor plugin where an attacker could impersonate EC2 instances during node attestation.
- Backstage v1.50.4 - Contains security fixes for `@backstage/plugin-catalog-backend-module-unprocessed`, `@backstage/plugin-catalog-unprocessed-entities-common`, and `@backstage/plugin-catalog-unprocessed-entities`.
- Kubewarden Controller v1.35.0 - Fixes a security vulnerability (GHSA-wqcw-g35j-j578) and adds a host-capabilities whitelist feature.
- Kuma v2.13.5 - Fixes localhost admin authentication, addresses KDS mux client reconnection issues, and deduplicates access logs for shared inbound ports.
- Kuma v2.12.10 - Fixes localhost admin authentication, addresses KDS mux client reconnection issues, and deduplicates access logs for shared inbound ports.
- Kuma v2.11.13 - Fixes localhost admin authentication, addresses KDS mux client reconnection issues, and deduplicates access logs for shared inbound ports.
- Kuma v2.9.15 - Fixes localhost admin authentication, addresses KDS mux client reconnection issues, and deduplicates access logs for shared inbound ports.
- Kuma v2.7.25 - Fixes localhost admin authentication, addresses KDS mux client reconnection issues, and deduplicates access logs for shared inbound ports.
- Distribution v3.1.1 - Fixes CVE-2026-41888, bounds-checks the file basename in PurgeUploads Walk callback, adds S3 Express One Zone support, and fixes the tag list endpoint in proxy mode.
- External Secrets v2.4.1 - Supports multiple replicationLocations on PushSecret for GCP.
- External Secrets Helm Chart v2.4.1 - Updates the Helm chart for external secrets management.
- Kubernetes-sigs/secrets-store-csi-driver v1.6.0 - Replaces the dedicated secret rotation controller with the CSI `RequiresRepublish` mechanism, causing kubelet to re-fetch secrets from the provider when rotation is enabled.
- Skopeo v1.14.6 - Bumps Go Jose to v3.0.5 to address CVE-2026-34986 and fixes an issue where listing tags in JFrog Artifactory could fail.
- OpenFGA v1.15.0 - Implements edge pruning in the list objects pipeline algorithm, which improves request latency for complex authorization models. It also fixes the experimental `weighted_graph_check` query cache being skipped.
Container Runtime
- containerd v2.3.0 - Focuses on stability, new features, and improvements. It marks the first annual LTS release under a new schedule aligned with Kubernetes releases, offering extended support.
- containerd API v1.11.0 - Adds transfer types for container filesystem copy and updates the sandbox API to include a spec field. It also adds `os.features` support for EROFS native container images.
Orchestration & Cluster Management
- Karmada v1.17.2 - Contains bug fixes and improvements; refer to the changelog for details.
- Karmada v1.16.5 - Contains bug fixes and improvements; refer to the changelog for details.
- Karmada v1.15.8 - Contains bug fixes and improvements; refer to the changelog for details.
- Kubernetes-sigs/cluster-api v1.13.1 - Adds support for Management Clusters v1.32.x to v1.36.x and Workload Clusters v1.30.x to v1.36.x. It also includes dependency updates.
- K3s v1.35.4+k3s1 - Updates Kubernetes to v1.35.4 and includes flannel v0.28.4.
- K3s v1.34.7+k3s1 - Updates Kubernetes to v1.34.7 and includes flannel v0.28.4.
- K3s v1.33.11+k3s1 - Updates Kubernetes to v1.33.11 and includes flannel v0.28.4.
Databases
- etcd v3.6.11 - Contains bug fixes and improvements; refer to the changelog for details.
- etcd v3.5.30 - Contains bug fixes and improvements; refer to the changelog for details.
- etcd v3.4.44 - Contains bug fixes and improvements; refer to the changelog for details.
- Vitess v24.0.0 - Introduces window function pushdown for sharded keyspaces, view routing rules, tablet targeting via USE statement, VTGate Binlog Streaming support, and structured logging.
- CrateDB v6.2.7 - Contains bug fixes and improvements; refer to the release notes for details.
Messaging
- Dapr v1.17.6 - Fixes an issue where pub/sub messages were incorrectly routed to the dead-letter queue during graceful shutdown or hot-reload of a pub/sub component.
- NATS Server v2.14.0 - Adds feature flags in the server configuration and introduces fast-ingest batch publishing for JetStream. Requires Go 1.26.2.
- NATS Server v2.12.8 - Refactors and simplifies setting pinned headers in consumers and improves scanning for the starting sequence for consumers in JetStream. Requires Go 1.25.9.
- NATS Server v2.11.17 - Fixes reload logic on gateways. Requires Go 1.25.9.
- Strimzi Kafka Operator v1.0.0 - Removes support for the `v1beta2` API; only the new `v1` CRD API is supported. Upgrades require conversion of custom resources and CRDs.
Observability
- OpenCost v1.120.1 - Corrects lookup fallbacks, provider detection, and network support for Carbon. It also makes the MCP server opt-in by defaulting `MCP_SERVER_ENABLED` to false and adds an AWS Spot Price History API caching layer.
- OpenTelemetry Collector v0.151.0 - Changes `replace` statements in the generated Collector Go module to use relative paths by default, which may affect existing build use-cases.
Storage
- Rook v1.19.5 - Grants scc to the `rook-ceph-nvmeof` service account, removes newlines from liveness probe scripts, adds a Helm ownership annotation to CSI resources, and fixes the CRUSH device class not being applied during OSD re-discovery.
Application Frameworks
- KServe v0.18.0 - Includes updates to the build process, fixes for Helm chart packaging, and refactoring for endpoint testing and chart naming.
- Fermyon Spin Canary - A canary release reflecting recent commits on the main branch, intended for developers to preview features that may not be fully implemented.
Configuration
- Meshery v1.0.17 - Fixes server authentication for shutdown deregister and logout, and addresses a nil pointer dereference in `processEvaluationResponse`.
- Meshery v1.0.16 - Prevents `ProviderUIHandler` from emitting an empty `meshery-provider` cookie.
- Meshery v1.0.15 - Addresses a redirect loop in enforced-provider mode for the `/user/login` and `/provider` endpoints, and updates `github.com/meshery/schemas` to v1.2.6.
- Meshery v1.0.14 - Promotes raw error passthroughs to MeshKit codes and includes various server-side chore tasks.
📰 This Week in Cloud Native
The integration of Artificial Intelligence (AI) into cloud native ecosystems was a prominent theme this week. Multiple reports and discussions highlighted the increasing presence of AI agents in development workflows and operational environments. Concerns were raised regarding the security implications of autonomous AI agents, particularly their ability to find and exploit zero-day vulnerabilities, prompting calls for robust sandboxing mechanisms and enhanced security measures within Kubernetes. The CNCF also released initial data on AI’s impact on open-source development, indicating growing adoption and exploration within cloud native projects.
Kubernetes itself saw updates with announcements for v1.36 features. This includes the introduction of Pod-Level Resource Managers as an alpha feature, designed to provide more granular resource control. In-Place Vertical Scaling for Pod-Level Resources graduated to Beta, allowing dynamic adjustment of container resources without restarting pods. Other v1.36 features include updates to Memory QoS for tiered memory protection and improvements to staleness mitigation and observability for controllers. The ability to modify container resource requests and limits in pod templates for suspended Jobs also moved to beta.
💬 Community Buzz
Discussions on Hacker News covered various Kubernetes-related projects, including K3k for running Kubernetes inside Kubernetes, Kured for node reboots, and several Rust-based Kubernetes reimplementations like Rusternetes and Superkube. AI agent orchestration and security were also frequent topics, with projects like AgentPort (a security gateway for agents) and ToolMesh (for turning REST APIs into agent tools) being showcased. Other subjects included self-hosting applications (Piruetas, DD Photos, AliothPress), containerization tools (Docker Compose, Docker 29's default image store change, Docker vs. Podman), and message brokers (LavinMQ).
📊 Numbers of the Week
- Total stable releases: 50 across 22 projects
- Top 3 projects by commits this week:
- meshery/meshery — 321 commits
- cockroachdb/cockroach — 311 commits
- kubernetes/kubernetes — 123 commits
- Top 3 projects by merged pull requests this week:
- cockroachdb/cockroach — 208 merged PRs
- cilium/cilium — 87 merged PRs
- meshery/meshery — 81 merged PRs