Last Week In Kubernetes Development

December 4, 2025

LWKD: Week Ending November 30, 2025

Developer News

CVE-2025-13281: the in-tree Portworx CSI driver exposes a security hole in the kube-controller-manager, which was patched for other storage drivers but not for Portworx. Affected users are those who still haven't migrated to the external CSI StorageClass.

SIG-Scheduling has published their technical plan for Kubernetes 1.36.

Wei Fu was nominated as SIG-Etcd Tech Lead.

Release Schedule

Next Deadline: Release Highlights Complete, Dec. 9

We are in Code Freeze. Release highlight items need to be finished and fully edited by next week. Also, please be on the alert for any blocking test failures, and get them debugged quickly so we can release on time.

Friday is the cherry-pick deadline for the next set of patch releases.

Other Merges

  • Allow relaxed Ingress defaultBackend service names with RelaxedServiceNameValidation
  • Eliminate spurious warning log messages about enabled alpha APIs while starting API server
  • Prevent spurious namespace-not-found errors in admission

Version Updates

  • Go to 1.24.10 and distroless iptables for 1.32

Subprojects and Dependency Updates

  • cri-o v1.34.3 adds support for the external crio-credential-provider plugin, fixes CVE-2025-58183 by updating github.com/vbatts/tar-split to v0.12.2, introduces a new housekeeping option for the irq-load-balancing.crio.io annotation (surfacing housekeeping CPUs via OPENSHIFT_HOUSEKEEPING_CPUS and adjusting IRQ affinity behaviour), and refreshes core dependencies including the Kubernetes 0.34.1 stack and new Podman image/storage libraries.
  • cri-o v1.33.7 and v1.32.11 are focused patch releases that backport the CVE-2025-58183 tar-split update across the 1.33 and 1.32 lines, with v1.32.11 additionally fixing network cleanup failures when the network namespace path is empty on server teardown.
  • kops v1.35.0-alpha.1 advances the 1.35 line with etcd 3.5.23/3.5.24 updates, containerd v2.1.5, refreshed CNI plugin sources, AWS Karpenter v1.8.1 plus configurable feature gates, expanded scale and GCE/Azure testing, initial Ubuntu 25.10 support, tighter AWS IAM permissions, and deeper ClusterAPI integration including new toolbox commands and CAPI-oriented nodeup refactors.
  • cluster-autoscaler 1.34.2, 1.33.3, and 1.32.5 align the 1.34, 1.33 and 1.32 branches with common fixes: more robust proactive scale-up handling for scheduling-gated pods, a SimulateNodeRemoval panic fix for missing node info, Azure LTS test updates and refreshed static SKU lists, CI/lint cleanups, and Kubernetes dependency bumps to v1.34.2, v1.33.6, and v1.32.10 respectively.
  • cluster-api v1.12.0-rc.1 continues the v1.12 line toward GA with in-place update support for KCP and MachineDeployments, chained multi-minor Kubernetes upgrades for managed topologies, new InPlaceUpdates, MachineTaintPropagation, and ReconcilerRateLimiting feature gates, MachineHealthCheck condition-based health checks, plus a round of bugfixes across webhooks, e2e tests, runtime SDK, and condition handling on top of Go 1.24 and Kubernetes 0.34.x library bumps.
  • cluster-api-provider-vsphere v1.15.0-rc.0 tracks CAPI v1.12 and Kubernetes v1.35/cloud-provider-vsphere v1.35, introduces a dedicated CAPV ServiceAccount, and adds govmomi flags to tune CPU and memory shares, reservations, and limits, while also updating etcd/Kubernetes dependencies, bumping CPI/autoscaler versions, and hardening tests and CI (including network debug improvements and flake-focused timeouts).
  • prometheus v3.8.0 is the first release to mark Native Histograms as a stable opt-in feature via the new scrape_native_histogram config knob, updates Remote Write v2 to the 2.0-rc.4 spec, adds unified AWS service discovery (EC2, Lightsail, ECS), introduces OAuth2 JWT-bearer grant support, extends promtool with Remote Write 2.0 pushes, and delivers a broad set of PromQL, TSDB, and UI performance fixes (including faster large alerts/rules pages and improved NHCB handling).

Shoutouts

  • Petr Mullar -- Shoutout for organizing a meeting to support new contributors in Prow, gathering ideas to improve onboarding and reduce entry barriers for newcomers.