artifacthub helm/kedacore/keda 2.20.0
v2.20.0

3 hours ago

We are happy to release KEDA 2.20.0 🎉

⚠️ Upgrade note: events moved to events.k8s.io (#7781)

With the Kubernetes 0.35 dependency bump, KEDA now records Kubernetes events via the events.k8s.io API group instead of the legacy core events resource. If you deploy KEDA with custom or restricted RBAC, grant the operator create/patch on events.k8s.io/events before upgrading, otherwise event recording will fail. The bundled KEDA manifests and Helm chart already include the updated permissions.
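A pre-upgrade check for the RBAC change described above, as an added example that is not part of the KEDA release notes or code base: it inspects a ClusterRole exported as JSON and reports which of the create/patch verbs on events in events.k8s.io are still missing. The role name and manifest are constructed sample data, and the function names are hypothetical.

```python
import json

REQUIRED_VERBS = {"create", "patch"}

# Constructed sample: a restricted operator ClusterRole that still grants
# events only in the legacy core ("") API group.
SAMPLE_ROLE_JSON = """
{
  "kind": "ClusterRole",
  "metadata": {"name": "keda-operator-restricted"},
  "rules": [
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
    {"apiGroups": ["keda.sh"], "resources": ["scaledobjects"], "verbs": ["get", "list", "watch"]}
  ]
}
"""

def granted_event_verbs(role, api_group):
    """Collect the verbs a role grants on 'events' in api_group, honouring '*'."""
    verbs = set()
    for rule in role.get("rules") or []:
        if rule.get("resourceNames"):
            continue  # name-scoped rules cannot authorize creating new events
        groups = rule.get("apiGroups") or []
        resources = rule.get("resources") or []
        if (api_group in groups or "*" in groups) and \
           ("events" in resources or "*" in resources):
            verbs.update(rule.get("verbs") or [])
    return verbs

def missing_event_verbs(role, api_group="events.k8s.io"):
    """Return the required verbs the role does not grant in api_group."""
    verbs = granted_event_verbs(role, api_group)
    return set() if "*" in verbs else REQUIRED_VERBS - verbs

def with_events_k8s_io_rule(role):
    """Return a copy of the role with the events.k8s.io rule appended."""
    patched = json.loads(json.dumps(role))  # deep copy via JSON round trip
    patched.setdefault("rules", []).append(
        {"apiGroups": ["events.k8s.io"], "resources": ["events"],
         "verbs": sorted(REQUIRED_VERBS)})
    return patched

if __name__ == "__main__":
    role = json.loads(SAMPLE_ROLE_JSON)
    print("missing before:", sorted(missing_event_verbs(role)))
    print("missing after: ", sorted(missing_event_verbs(with_events_k8s_io_rule(role))))
```

The same functions accept the output of `kubectl get clusterrole <name> -o json`; because RBAC is additive, run the check against every role bound to the operator's service account before concluding that a verb is missing.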

Highlights:

  • Introduce new OpenSearch Scaler
  • Introduce Elastic Forecast Scaler
  • Add scalingModifiers fallback behavior
  • Add support for AWS External ID in TriggerAuthentication podIdentity for all AWS scalers
  • Add scaler HTTP request metrics for outbound requests made during metric collection

Learn how to deploy KEDA by reading our documentation.

🗓️ The next KEDA release is currently estimated for the 2nd week of September 2026; learn more in our roadmap.

New

  • General: Add scalingModifiers fallback behavior (#7366)
  • General: Introduce Elastic Forecast Scaler (#7494)
  • General: Introduce new OpenSearch Scaler (#7456)

Improvements

  • General: Add cooldownPeriod and pollingInterval checks for ScaledObject (#7271)
  • General: Add CRD-level validation markers (Minimum, MinLength, MinItems, Enum) for ScaledObject, ScaledJob, ScaleTriggers, and TriggerAuthentication API types (#7533)
  • General: Add --leader-election-id flag to allow configuring the leader election Lease name (#7564)
  • General: Add scaler HTTP request metrics (keda_scaler_http_requests_total, keda_scaler_http_request_duration_seconds) for outbound HTTP requests made during scaler metric collection (#6600)
  • General: Allow more control of TLS versions & ciphers via KEDA_HTTP_TLS_CIPHER_LIST, KEDA_SERVICE_TLS_CIPHER_LIST and KEDA_SERVICE_MIN_TLS_VERSION env vars (#7617)
  • General: Cap each scalers-cache reader at a per-reader budget derived from globalHTTPTimeout so ScalersCache.Close cannot block indefinitely (#7574)
  • General: Make APIService cert injections optional (#7559)
  • General: Remove unconditional json.MarshalIndent calls from admission webhook validation hot paths; replace spec-comparison MarshalIndent-and-string-compare in isRemovingFinalizer variants with reflect.DeepEqual. Prevents webhook OOM under sustained admission load at large scale (observed at ~60k ScaledObjects) (#7670)
  • AWS Scalers: Add support for AWS External ID in TriggerAuthentication podIdentity for all AWS scalers (SQS, Kinesis, DynamoDB, CloudWatch, etc.) to enable cross-account access scenarios (#6921)
  • Elasticsearch Scaler: Add HTTP status check for Elasticsearch errors (#7480)
  • Github Runner Scaler: Handle rate limit errors by respecting X-RateLimit-Reset and Retry-After headers and returning cached queue length (#7683)
  • Kubernetes Workload Scaler: Add groupByNode parameter (#7628)
  • Metrics API Scaler: Add custom HTTP client timeout (#7549)
  • MSSQL Scaler: Add Azure Workload Identity support for Azure SQL authentication (#6104)
  • Prometheus Scaler: Emit metric tracking empty responses from Prometheus (#7062)
  • RabbitMQ Scaler: Add support for OAuth2 authentication for RabbitMQ over HTTP (#7379)
  • Temporal Scaler: Add support for scaling based on Worker Deployment Version backlog via new workerDeploymentName and workerDeploymentBuildId fields. Deprecate buildId, selectAllActive, and selectUnversioned because those parameters are used for Rules-Based Worker Versioning, which was a short-lived experimental feature that has been deprecated in the Temporal server since December 2024 and will stop being supported soon. Users of Rules-Based Worker Versioning should use Worker Deployments instead. (#7672)

Fixes

  • General: Check updated status for Fallback condition instead of ScaledObject (#7488)
  • General: Fail fast in GetMetrics when the gRPC connection is in Shutdown state instead of waiting for context timeout (#7251)
  • General: Fix int64 overflow in milli-quantity conversion for very large metric values (#7441)
  • General: Fix keda_scaler_active not being emitted for CPU and memory triggers (#4945)
  • General: Fix misleading namespace in error log when secret access is restricted (#7739)
  • General: Fix race in scalers cache rebuild that caused transient scaler errors (#7574)
  • General: Fix ScaledJob emitting wrong CloudEvent type (ScaledObjectReadyType instead of ScaledJobReadyType) when transitioning to ready state (#7792)
  • General: Fix ScaledObject admission webhook to return validation error from verifyReplicaCount, preventing invalid ScaledObjects from being created (#5954)
  • General: Fix ScaledObject Ready condition not reflecting HPA status (#7649)
  • General: Handle paused scaling directly in reconciler (#7663)
  • General: Honor stderrthreshold when logtostderr is enabled by updating klog to v2.140.0 (#7568)
  • General: Limit projected service account token reads during Vault authentication (#7783)
  • General: Reject ScaledObject creation and update when the name exceeds 63 characters (#6998)
  • AWS Scalers: Fix TCP connection leak by closing HTTP idle connections on scaler Close() for SQS, Kinesis, DynamoDB, DynamoDB Streams, and CloudWatch scalers (#7756)
  • Azure Data Explorer Scaler: Remove clientSecretFromEnv support (#7554)
  • Azure Event Hub Scaler: Reject non-positive unprocessedEventThreshold to prevent integer division by zero when computing lag (#7732)
  • Azure Pipelines Scaler: Exclude already-assigned jobs from queue length (#7747)
  • Cron Scaler: Fix metric name generation so cron expressions with comma-separated values no longer produce invalid metric names (#7448)
  • External Scaler: gRPC Pool uses TLS context in the key (#7687)
  • Forgejo Scaler: Limit HTTP error response logging (#7469)
  • Forgejo Scaler: Return correct activity to enable scale-to-zero (#7527)
  • GCP Cloud Tasks Scaler: Implement escapeFilterValue for metric filtering (#7482)
  • GCP Scaler: Validate Pub/Sub resource name in BuildMQLQuery (#7468)
  • GCP Storage Scaler: Metadata is not printed in the log (#7688)
  • Github Runner Scaler: Bound etag and per-repo caches to prevent unbounded memory growth when enableEtags is on (#7685)
  • Github Runner Scaler: Improve URL construction and error handling (#7495)
  • Github Runner Scaler: Limit HTTP error response logging (#7469)
  • InfluxDB Scaler: Make authToken optional to support unauthenticated InfluxDB instances (#7616)
  • Loki Scaler: Limit HTTP error response logging (#7469)
  • Loki Scaler: serverAddress now appends /loki/api/v1/query to the end of existing path instead of overriding (#7648)
  • Metrics API Scaler: Fix aggregateFromKubeServiceEndpoints using empty label selector that matched all EndpointSlices in the namespace instead of only the target service's (#7641)
  • Metrics API Scaler: Fix division by zero in average aggregation when all kube service endpoints fail (#7742)
  • Metrics API Scaler: Prevent response value reflection in scaler errors (#7693)
  • NATS JetStream Scaler: Return an error from getMaxMsgLag when the configured consumer is missing instead of falling back to the stream's last sequence, preventing incorrect scale-up to maxReplicaCount (#7657)
  • NATS JetStream Scaler: URL-encode user input in monitoring URL construction (#7483)
  • PostgreSQL Scaler: Quote whitespace-containing connection parameters in generated connection strings (#7784)
  • PredictKube Scaler: Bump dysnix/predictkube-libs to v0.1.0 (drops the predictkube path to the archived/EOL go-grpc-prometheus and to the deprecated golang/protobuf) and use a portable Prometheus-API instant query for the health check so the scaler works against VictoriaMetrics, Thanos and other Prometheus-API-compatible backends (#7745)
  • Prometheus Scaler: Handle NaN results in the same manner as Inf (#7475)
  • Prometheus Scaler: Limit HTTP error response logging (#7469)
  • Pulsar Scaler: Drop bearer/basic auth headers on redirects to a different host or on https->http downgrades to prevent credential leakage (#7686)
  • RabbitMQ Scaler: Fix AMQP connection leak by recovering channels on the existing connection and closing connections properly (#6266)
  • RabbitMQ Scaler: Use SASL EXTERNAL for RabbitMQ AMQP TLS without credentials (#6840)
  • Redis Scaler: Use literal command names in Lua script to fix compatibility with Alibaba Cloud Redis Cluster (#7758)
  • Solace Scaler: Fix URL escaping for Message VPN and Queue names (#7481)
  • Solr Scaler: Use net/url to safely encode query parameters (#7467)
  • Splunk Observability Scaler: Add MTS stream handling with context timeout (#7799)

Breaking Changes

  • GCP PubSub Scaler: The subscriptionSize setting is DEPRECATED and is removed in v2.20 - Use mode and value instead (#7720)
  • Huawei Cloudeye Scaler: The minMetricValue setting is DEPRECATED and is removed - Use activationTargetMetricValue instead (#7436)
  • IBM MQ Scaler: The tls setting code is removed (#6094)
  • InfluxDB Scaler: The authToken setting from triggerMetadata is DEPRECATED and is removed in v2.20 - Use authToken from resolvedEnv or authParams instead (#7722)

Other

  • General: Migrate event recording RBAC from core events to events.k8s.io (#7781)
  • General: Migrate metrics service gRPC response away from Kubernetes API protobuf types for Kubernetes 0.35 (#7781)
  • General: Remove dead code from authentication package and drop unused authModes field from ArangoDB, Loki, Prometheus and PredictKube scalers (#7726)
  • General: Use informer cache for ReplicaSet lookups in GetCurrentReplicas to reduce API server load (#7466)
  • External Scaler: Fix race condition in TestWaitForState causing flaky test under -race detector (#7542)
  • GCP Scaler: Replace credentialsFromJSON with credentialsFromJSONWithType (#7523)
  • Kafka Scaler: Refactor Kafka Scaler (#7528)

Full Changelog: v2.19.0...v2.20.0