github k3s-io/k3s v1.32.0+k3s1

10 hours ago

This release is K3s's first in the v1.32 line. This release updates Kubernetes to v1.32.0.

Kubernetes 1.32 moves the AuthorizeNodeWithSelectors feature gate to Beta and on by default. See KEP-4601 for more information.

This feature-gate breaks some of the RBAC that previous releases of K3s relied upon. The January releases of K3s v1.29, v1.30, and v1.31 will contain backported fixes. Until then, you must set --kube-apiserver-arg=feature-gates=AuthorizeNodeWithSelectors=false on server nodes, if you want to mix K3s v1.32 nodes with nodes of other versions (within the limits of what is supported by the Kubernetes Version Skew Policy).
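One way to check whether a cluster is in the mixed-version case described above, as an added example that is not part of the K3s release notes or code base. The function names and sample node inventories are hypothetical, and treating any minor of 32 or later as having the gate on is an assumption beyond the v1.32 case the notes cover.

```shell
#!/bin/sh
# Added example, not K3s project code.
# Input on stdin: one "<node-name> <kubelet-version>" pair per line, as printed by
#   kubectl get nodes --no-headers \
#     -o custom-columns=NAME:.metadata.name,VERSION:.status.nodeInfo.kubeletVersion

# Print the names of nodes on a pre-1.32 minor, but only when the cluster
# also contains at least one node on 1.32 or later (the mixed case).
older_nodes_in_mixed_cluster() {
    awk '
        NF >= 2 {
            split($2, part, ".")        # "v1.31.4+k3s1" -> part[2] = "31"
            if (part[2] + 0 >= 32) has_new = 1   # assumption: 32+ has the gate on
            else older[++n] = $1
        }
        END {
            if (has_new) for (i = 1; i <= n; i++) print older[i]
        }
    '
}

# Exit status 0 when the server-side workaround flag is needed.
needs_gate_workaround() {
    [ -n "$(older_nodes_in_mixed_cluster)" ]
}

# Constructed sample inventory: one upgraded server, two agents not yet upgraded.
SAMPLE_MIXED='server-0 v1.32.0+k3s1
agent-0 v1.31.4+k3s1
agent-1 v1.30.6+k3s1'

# Constructed sample inventory: every node already on v1.32.
SAMPLE_UNIFORM='server-0 v1.32.0+k3s1
agent-0 v1.32.0+k3s1'

if printf '%s\n' "$SAMPLE_MIXED" | needs_gate_workaround; then
    echo "mixed cluster, nodes still on an older minor:"
    printf '%s\n' "$SAMPLE_MIXED" | older_nodes_in_mixed_cluster | sed 's/^/  /'
    echo "start servers with:"
    echo "  --kube-apiserver-arg=feature-gates=AuthorizeNodeWithSelectors=false"
fi
```

Once every node reports the same minor version, the check stops flagging the cluster.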

For more details on what's new, see the Kubernetes release notes.

Changes since v1.31.4+k3s1:

  • Fix rotateca validation failures when not touching default self-signed CAs (#10710)
  • Bump runc to v1.1.13 (#10737)
  • Update stable channel to v1.30.4+k3s1 (#10739)
  • Fix deploy latest commit on E2E tests (#10725)
  • Remove secrets encryption controller (#10612)
  • Update kubernetes to v1.31.0-k3s3 (#10764)
  • Bump traefik to v2.11.8 (#10779)
  • Update coredns to 1.11.3 and metrics-server to 0.7.2 (#10760)
  • Add trivy scanning to PR reports (#10758)
  • Cover edge case when on new minor release for E2E upgrade test (#10781)
  • Bump aquasecurity/trivy-action from 0.20.0 to 0.24.0 (#10795)
  • Update CNI plugins version (#10798)
  • Bump Sonobuoy version (#10792)
  • Fix /trivy action running against target branch instead of PR branch (#10824)
  • Launch private registry with init (#10822)
  • Add channel for v1.31 (#10826)
  • Bump containerd to v1.7.21, runc to v1.1.14 (#10805)
  • Bump helm-controller for skip-verify/plain-http and updated tolerations (#10832)
  • Tag PR image build as latest before scanning (#10825)
  • Only clean up containerd hosts dirs managed by k3s (#10823)
  • Remove otelgrpc pinned dependency (#10799)
  • Add node-internal-dns/node-external-dns address pass-through support (#10852)
  • Give good report if no CVEs found in trivy (#10853)
  • Fix hosts.toml header var (#10870)
  • Bump Trivy version (#10863)
  • Add int test for flannel-ipv6masq (#10440)
  • Bump Trivy version (#10899)
  • Update Kubernetes to v1.31.1-k3s3 (#10911)
  • Add MariaDB to CI (#10724)
  • Update stable channel to v1.30.5+k3s1 (#10921)
  • Use static CNI bin dir (#10868)
    • K3s now uses a stable directory for CNI binaries, which simplifies the installation of additional CNI plugins.
  • Breakup trivy scan and check comment author (#10935)
  • Fix getMembershipForUserInOrg call (#10937)
  • Check k3s-io organization membership not team membership for trivy scans (#10940)
  • Bump kine to v0.13.0 (#10932)
    • Kine has been bumped to v0.13.0. This release includes changes that should enhance performance when using postgres as an external DB. The updated schema will be automatically used for new databases; to migrate to the new schema on existing databases, K3s can be started with the KINE_SCHEMA_MIGRATION=2 environment variable set.
  • Fix trivy report download (#10943)
  • Trivy workflow: Specify GH_REPO env to use gh cli (#10949)
  • Bump Trivy version (#10924)
  • Bump traefik to chart 27.0.2 (#10939)
  • Pass Rancher's VEX report to Trivy to remove known false-positive CVEs (#10956)
  • Fix trivy vex line (#10970)
  • Add user path to runtimes search (#10953)
    • Runtimes detection will now use $PATH
  • Bump to new wharfie version (#10971)
  • Update README.md (#10523)
  • Remove trailing whitespace (#9362)
  • Bump kine to v0.13.2 (#10978)
  • Allow configuration of Rootlesskit's CopyUpDirs through an environment variable (#10386)
    • Add new environment variable "K3S_ROOTLESS_COPYUPDIRS" to add folders to the Rootlesskit configuration.
  • Fix race condition when multiple nodes reconcile S3 snapshots (#10979)
  • Bump Trivy version (#10996)
  • Add ca-cert rotation integration test, and fix ca-cert rotation (#11013)
  • Add e2e test which verifies traffic policies and firewall in services (#10972)
  • Update tcpproxy for import path change (#11029)
  • Bump Local Path Provisioner version (#10862)
  • Bump local-path-provisioner to v0.0.30 (#11049)
  • Bump helm-controller and klipper-helm (#11060)
  • Bump containerd to v1.7.22 (#11067)
  • Simplify svclb daemonset (#10954)
    • Stop using klipper-lb as the image for svclb. Replace it with a simple busybox which just sleeps
  • Add the nvidia runtime cdi (#11065)
    • Add nvidia cdi runtime to the list of supported and discoverable runtimes
  • Bump Trivy version (#11103)
  • Rollback GHA to Ubuntu 22.04 (#11111)
  • Revert "Make svclb as simple as possible" (#11109)
  • Fix Github Actions for Ubuntu-24.04 (#11112)
  • Bump aquasecurity/trivy-action from 0.24.0 to 0.27.0 (#11105)
  • Check the last 10 commits for upgrade E2E test (#11086)
  • Bump aquasecurity/trivy-action from 0.27.0 to 0.28.0 (#11138)
  • Fixes "file exists" error from CNI bins when upgrading k3s (#11123)
  • Reduce the number of GH api request for E2E nightly (#11148)
  • Update Kubernetes to v1.31.2-k3s1 and Go 1.22.8 (#11163)
  • Update stable channel to v1.30.6+k3s1 (#11186)
  • Fix timeout when defragmenting etcd on startup (#11164)
  • Capture all fedora atomic variants in install script (#11170)
    • Allow easier installation of k3s on all variants of fedora atomic that use rpm-ostree
  • Typo fixes in contributing.md (#11201)
  • Bump Trivy version (#11206)
  • Pin vagrant to older version to avoid known issue 13527 (#11226)
  • Set kine EmulatedETCDVersion from embedded etcd version (#11221)
  • Add nonroot-devices flag to agent CLI (#11200)
    • Device_ownership_from_security_context can now be enabled in the containerd CRI config by setting the --nonroot-devices flag or config key.
  • Bump runc to v1.2 (#10896)
  • Update flannel and base cni plugins version (#11188)
  • Bump github.com/golang-jwt/jwt/v4 from 4.5.0 to 4.5.1 (#11236)
  • Fix MustFindString returning override flags on external CLI commands (#11237)
  • Bump containerd to v1.7.23-k3s1 to fix registry rewrite token scopes (#11238)
  • Fix the "Standalone"-mode of oidc-login in the wrapped kubectl library (#11266)
    • Fixes 'no Auth Provider found for name "oidc"' when using oidc-login in standalone mode.
  • Bump K3s-root version to v0.14.1 (#11282)
  • Bump kine (#11277)
  • Bump kine for mysql connection close fix (#11305)
  • Fix handling of wrapped subcommands when run with a path (#11306)
  • Fix updatecli config for klipper and helm-controller (#11290)
  • Fix issue with loadbalancer failover to default server (#11319)
  • Update localstorage_int_test.go reference (#11339)
    • Update localstorage_int_test.go reference in tests/integration/README.md
  • Add to the output command to be consistent with the product command (#11345)
  • Allow install script to print error on failed binary download (#11335)
  • Remove the go toolchain line (#11358)
  • Add ubuntu 24.04 apt command for e2e test (#11361)
  • Bump Trivy version (#11360)
  • Bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 (#11364)
  • Convert legacy docker tests from bash to golang (#11357)
  • Update Kubernetes to v1.31.3-k3s1 (#11373)
  • Fix Branch Name logic for Dependabot and UpdateCLI pushes to k3s-io (#11376)
  • Fix INSTALL_K3S_PR support (#11383)
  • Fix etcd backup/restore test and add guardrail for etcd-snapshot (#11314)
  • Bump containerd to -k3s2 to fix rewrites (#11401)
  • Fix opensuse-leap install test (#11379)
  • Fix secrets-encrypt reencrypt timeout error (#11385)
  • Rework loadbalancer server selection logic (#11329)
  • Remove experimental from embedded-registry flag (#11443)
  • Update stable channel to v1.31.3+k3s1 (#11436)
  • Fix agent tunnel address with dedicated supervisor port (#11427)
  • Update coredns to 1.12.0 (#11387)
  • Bump Trivy version (#11430)
  • Update to v1.31.4-k3s1 and Go 1.22.9 (#11463)
  • Bump alpine from 3.20 to 3.21 in /conformance (#11433)
  • Fix docker check warnings (#11474)
  • Update stable channel to v1.31.4+k3s1 (#11483)
  • V1.32.0+k3s1 (#11478)
  • Switch to using kubelet config file for all supported flags (#10433)
  • Load kernel modules for nft in agent setup (#11527)

Embedded Component Versions

| Component | Version |
|---|---|
| Kubernetes | v1.32.0 |
| Kine | v0.13.5 |
| SQLite | 3.46.1 |
| Etcd | v3.5.16-k3s1 |
| Containerd | v1.7.23-k3s2 |
| Runc | v1.2.1-k3s1 |
| Flannel | v0.25.7 |
| Metrics-server | v0.7.2 |
| Traefik | v2.11.10 |
| CoreDNS | v1.12.0 |
| Helm-controller | v0.16.5 |
| Local-path-provisioner | v0.0.30 |

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:
