Last Week in Cloud Native

May 11, 2026

LWCN: Week 20 - May 2026

👋 Welcome

This week in Cloud Native saw significant updates across the Kubernetes ecosystem, with several core features graduating to General Availability in Kubernetes v1.36. The increasing integration and impact of AI agents on development workflows and cloud operations also remained a prominent theme, alongside various security and observability enhancements in projects and platforms.

🚀 Notable Releases

CI/CD

  • Argo CD v3.4.1 - This release aligns how Argo CD interprets Kubernetes cluster versions with Helm 3.19.0 behavior. This change impacts Application Sets with Cluster Generators that use argocd.argoproj.io/auto-label-cluster-info on cluster secrets.
  • Argo CD v3.1.16 - This marks the final release of the 3.1 series, which reached end-of-life on May 6th, 2026. The project maintainers advise upgrading to a supported version (v3.2, v3.3, or v3.4) as this version will no longer receive bug fixes or security updates.

Container Runtime

  • CRI-O v1.36.0 - This is a new stable release that includes updated dependencies and provides release bundles with SHA-256 checksums, cosign signatures, and SPDX bills of materials.
  • CRI-O v1.35.3 - Includes features and other changes since v1.35.2.
  • CRI-O v1.34.8 - Contains dependency changes and other updates since v1.34.7.
  • CRI-O v1.33.12 - Features dependency changes and other updates since v1.33.11.

Registry

  • Harbor v2.15.1 - Fixes the "Last Pull" time on parent/child artifacts and on creation, adds a User-Agent to all requests, and addresses an issue with proxy cache serving local content when remote is not found.
  • Harbor v2.14.4 - Includes fixes for session regeneration arguments and lifetime, prevents background polling from renewing session TTL, and resolves an issue related to the scanner API.

Security

  • KubeArmor v1.7.0 - Introduces DNS enforcement capabilities, including support for allow policies and audit logging for DNS activity.
  • KubeArmor v1.6.19 - Addresses a bug where the liveness probe was not functioning by making it configurable via environment variables. It also fixes a bpflsm enforcer verifier issue and increases the livenessProbe timeout and failure threshold.
  • Kubescape v4.0.8 - Includes fixes for back-propagating connector URLs to configObj during initializeCloudAPI and updates related to VAP timeout.
  • Kubescape v4.0.7 - Contains fixes for portforwarder host trimming, and updates related to service discovery and exception expiration filters.
  • Kubescape v4.0.6 - Provides fixes for the OPA processor, applying namespace filters in failedIDs pre-seed, surfacing rule evaluation errors, and resolving namespace filter issues for cluster-scoped resources.
  • OpenFGA v1.15.1 - Reuses a single MySQL container across tests to improve performance and reduce resource usage. It also fixes a potential panic in command error handling, a bug propagating expected errors from list objects, and cache invalidation logic for the Check API.
  • SeeBOM v0.3.2 - Releases container images signed with cosign (keyless) and attested with SLSA provenance.
  • SeeBOM v0.3.1 - Releases container images signed with cosign (keyless) and attested with SLSA provenance.
  • SeeBOM v0.3.0 - Releases container images signed with cosign (keyless) and attested with SLSA provenance.

Database

  • Vitess v24.0.1 - This release includes 6 merged Pull Requests.
  • Vitess v23.0.4 - This release includes 44 merged Pull Requests.

Storage

  • Longhorn v1.11.2 - Introduces improvements and bug fixes aimed at enhancing system quality, resilience, stability, and security. This includes several critical stability fixes, such as a replica rebuild progress fix.

Orchestration

  • Volcano v1.14.2 - Addresses security vulnerability CVE-2026-44247, which relates to a Webhook Server Out-of-Memory (OOM) issue due to unbounded HTTP request body size, along with multiple other bug fixes.
  • Volcano v1.13.3 - Addresses security vulnerability CVE-2026-44247, which relates to a Webhook Server Out-of-Memory (OOM) issue due to unbounded HTTP request body size, along with multiple other bug fixes.
  • Volcano v1.12.4 - Addresses security vulnerability CVE-2026-44247, which relates to a Webhook Server Out-of-Memory (OOM) issue due to unbounded HTTP request body size, along with multiple other bug fixes.

Configuration

  • Baremetal Operator v0.13.0 - Introduces breaking changes by uplifting CAPI to v1.13.0-rc.1, k8s group to v0.35.4, and controller-runtime to v0.23.3. It removes the iRMC driver and deprecates BMH.Spec.Firmware. New features include allowing forced detachment of a host from Ironic, accepting per-host pull secrets for external OCI registries, and adding libvirt network creation and deletion to vbmctl.
  • OpenYurt v1.7.0 - OTA (Over-The-Air) upgrade for DaemonSet workloads now supports image preheating. This shifts image pulling to an earlier phase than the Pod restart, which can reduce service downtime in edge environments with limited network connectivity.
  • Meshery v1.0.20 - Bumps meshery/schemas to v1.2.15, fixes X-API-Key setting for the anonymous global token, and corrects the catalog path in DefaultLocalProvider.
  • Meshery v1.0.19 - Bumps meshery/schemas to v1.2.13 and v1.2.12, fixes post-login redirect locally via cookie, replaces JSON schema-version bridges with typed copies, and standardizes event metadata keys to canonical camelCase.
  • Meshery v1.0.18 - Fixes style hydration on evaluator-added components, ensures camelCase server metadata keys in payloads, pins docker/cli to v28.5.1 to match docker/compose/v2 v2.40.3, and clarifies design fetch/get/delete error messages.

Build

  • Buildah v1.33.15 - Bumps Go Jose to v3.0.5 and addresses CVE-2026-34986.
  • Buildah v1.29.8 - Bumps Go Jose to v3.0.5 and addresses CVE-2026-34986.
  • Buildah v1.26.11 - Bumps runc to 1.2.9 to address CVE-2025-52881, CVE-2025-31133, and CVE-2025-52565. It also includes a fix for CVE-2025-47913 related to x/crypto and a minimum Go version bump.

Networking

  • Gateway API monthly-2026.05 - This is the monthly release for the Gateway API experimental channel, incorporating the latest features and fixes from the project's main branch.

Edge

  • K3s v1.36.0+k3s1 - Updates Kubernetes to v1.36.0. Changes include the addition of a firewall section to check-config.sh and an update to golangci-lint.

📰 This Week in Cloud Native

This week, Kubernetes v1.36 graduated several features to General Availability, including Volume Group Snapshots and Declarative Validation for native types, enhancing data management and configuration reliability. Dynamic Resource Allocation (DRA) also saw updates with new features and drivers. For scalability, Server-Side Sharded List and Watch was introduced to help controllers manage high-cardinality resources in large clusters, while new admission policies prevent deletion of critical security configurations. In the broader ecosystem, Microcks became a CNCF incubating project, and Kyverno released version 1.18, its first update since graduating within the CNCF.

The integration of AI agents into development and operational workflows continues to be a focal point. Benchmarking efforts evaluated AI agent performance on Kubernetes bug fixes, and new tools emerged for securing GitHub Actions CI dependencies. Cloud providers are also adapting, with AWS introducing Trusted Remote Execution (Rex) for policy-enforced scripts and enabling AI agents to interact with legacy applications via WorkSpaces. DigitalOcean announced an AI-Native Cloud for production AI workloads, and Atlassian is leveraging AI agents for routine tasks. However, discussions also highlighted security concerns, such as potential remote bash command execution via ChatGPT and Claude web frontends, and the reported compromise of the Antrea Kubernetes networking project.

Observability and operational efficiency received attention, with ongoing discussions about the complexity of managing multiple observability stacks despite available tools like OpenTelemetry. AWS enhanced EKS Container Network Observability to track inter-AZ and NAT gateway traffic, providing insights for cost and performance optimization. Additionally, OpenYurt v1.7.0 introduced image preheating for DaemonSet OTA upgrades, aiming to reduce service downtime in edge environments by decoupling image pulling from Pod restarts. This week also saw several releases across projects like Harbor and Buildah addressing security vulnerabilities and dependency updates, reinforcing the continuous effort to maintain secure and stable cloud native infrastructure.

💬 Community Buzz

Hacker News discussions this week centered on the security and sandboxing of AI agents, with several new tools and approaches showcased for isolating agent execution environments. Kubernetes management and homelab setups were also recurring topics, alongside the broader implications of AI on software development jobs and workflows. Conversations also covered containerization technologies like Docker Compose in production and comparisons between WebAssembly and Docker images.

📊 Numbers of the Week

  • Total stable releases: 31 across 15 projects
  • Top 3 projects by commits this week:
    1. cockroachdb/cockroach — 259 commits
    2. meshery/meshery — 240 commits
    3. kubernetes/kubernetes — 181 commits
  • Top 3 projects by merged pull requests this week:
    1. cockroachdb/cockroach — 203 merged PRs
    2. kubernetes/kubernetes — 111 merged PRs
    3. envoyproxy/envoy — 80 merged PRs
