This release updates Kubernetes to v1.36.0, and fixes a number of issues.
For more details on what's new, see the Kubernetes release notes.
Changes since v1.35.0+k3s1:
- Add firewall section to check-config.sh (#13234)
- Update golangci-lint and re-enable CI linting step (#13343)
- Enable secret encryption on existing clusters (#13370)
- Use Get, not Head for channel page (#13402)
- Replace temporary etcd server with raw mvcc store access (#13368)
- Remove flannel external-ip annotations when disabled (#13431)
- Bump local path provisioner to v0.0.34 (#13430)
- Publish GA images to staging registry (#13438)
- Fix atomic write in WriteSubnetFile (#13380)
- Bump expr-lang/expr (#13440)
- Bump spegel to v0.6.0 (#13198)
- Update longhorn version in integration test from v1.4.0 to v1.10.1 (#13443)
- Remove download/generate from vulncheck (#13445)
- Add Momentum Coach AI to K3S adopters list (#13467)
- Move to rootlesskit v2 (#13486)
- Fix CVE-2025-54410: Update docker/docker to v25.0.13 (#13473)
- Bump etcd to v3.6.7 (#13495)
- Add Percona and Solanica to k3s adopters (#13510)
- Fix restart of control-plane-only nodes attempting to reconcile from local datastore (#13534)
- Fix spegel filter for wildcards (#13527)
- Add IPv6 loopback to kubelet-serving cert (#13532)
- Fix handling of empty token file (#13529)
- Use channel.yaml instead of curling for stable for kubectl install (#13531)
- Fix VPN node IP not being applied to kubelet (#13457)
- Bump scorecard checkout to match all other versions (#13568)
- Explicitly close mvcc backend to fix high CPU on initial etcd server after restart (#13569)
- Support commit builds via GHA artifacts (#13559)
- Bump metrics-server to v0.8.1 (#13594)
- Add registry prefix to image-list file (#13603)
- Fix removal of init node via annotation (#13624)
- Make artifact URL prefix configurable (#13367)
  - Added INSTALL_K3S_ARTIFACT_URL to download K3s binary from a different URL
- Install binutils-gold only for arm64 builds (#13654)
- Rootlesskit Revert + Test Fixes (#13681)
- Improve resilience of datastore bootstrap reconcile from etcd (#13677)
- Assign github.event to env first (#13715)
- Config: Add default imports to containerd base templates (#13680)
  - Containerd config generated by k3s now includes `imports` pointing at versioned drop-in directories: `config.toml.d` for v2 config and `config-v3.toml.d` for v3 (e.g. `/var/lib/rancher/k3s/agent/etc/containerd/config.toml.d/*.toml` and `.../config-v3.toml.d/*.toml`). Additional `.toml` files in the matching directory are automatically loaded by containerd. Use these directories for drop-in config (e.g. proxy plugins, custom runtimes, or debug settings) without modifying the main config or custom templates.
- Add nix-snapshotter support to the embedded containerd (#13676)
  - Add nix-snapshotter plugin to the embedded containerd to enable rootless k3s + nix-snapshotter
- Do not create etcd name file if etcd is not in use (#13727)
- Bump rancher/mirrored-coredns-coredns image version (#13743)
- Update packages to remove unmaintained dependencies (#13724)
- Save cluster state before re-encrypting secrets with newly created key (#13764)
- Bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 (#13713)
- Bump github.com/docker/cli from 28.3.2+incompatible to 29.2.0+incompatible (#13730)
- Build(deps): bump github.com/pion/dtls/v3 from 3.0.6 to 3.0.11 (#13645)
- Use etcd-snapshot-retention as default for s3 if etcd-s3-retention is not set (#13770)
- Install.sh: Simplify handling for fedora rpm-ostree based distributions (#13712)
- Bump cni plugins to v1.9.1 (#13817)
- Simplify snapshot compress/decompress logic (#13826)
- Fix typo: overriden -> overridden in snapshot_handler.go (#13847)
- Fix: typo in etcd membership error message (#13848)
- Bump helm-controller for job race fix (#13853)
- Add context to controller event recorders (#13856)
- Dapper is kill (#13860)
- Add sipgate to the list of adopters (#13881)
- Add Rocket Technologies to the list of adopters (#13890)
- Pin govulncheck GHA version (#13887)
- Verify sha256sum for kubelet, vagrant zip and go binary (#13889)
- Check the k3s-root sha256sum (#13888)
- Build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 (#13891)
- Fix reproducibility of embedded data tarball (#13875)
- Build(deps): bump github.com/buger/jsonparser from 1.1.1 to 1.1.2 (#13837)
- Build(deps): bump github.com/nats-io/nats-server/v2 from 2.12.2 to 2.12.6 (#13852)
- Fix S3 test to account for change to s3mock (#13906)
- Bump runc/spegel/helm-controller/kine (#13909)
  - Bump runc to v1.4.2
  - Bump spegel to v0.6.0-k3s2
  - Bump helm-controller to v0.17.1
  - Bump kine to v0.14.16
- Fix embedded executor VPN config injection (#13920)
- Bump containerd to v2.2.3 (#13931)
- Bump flannel to v0.28.4 (#13937)
- Immutable release changes (#13902)
- Bump Traefik to 3.6.13 (#13969)
- Switch from draft to pre-release (#13951)
- Fix SANs added from comma-separated node-external-ip list (#13989)
- Fix docker dualstack test (#13994)
- Bump klipper-helm image for revision check fix (#13995)
- Bump upstream to v1.36 (#13986)
- Fix kubectl exec when using docker (#14021)
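
Because containerd now loads every `.toml` file in the drop-in directories described under #13680 above, what sits in those directories and who can write to them is worth checking after an upgrade. The following shell function is an added example, not part of k3s or of these release notes: it audits one drop-in directory, defaulting to the v2 path quoted above. The names `audit_dropins`, `DROPIN_DIR` and `OWNER_UID` are hypothetical, and the expectation that drop-ins are owned by root is an assumption.

```shell
# Added example, not k3s code: audit a containerd drop-in directory.
# Default is the v2 path quoted in the release note; pass the
# config-v3.toml.d directory as the first argument to audit v3 drop-ins.
DROPIN_DIR=/var/lib/rancher/k3s/agent/etc/containerd/config.toml.d
OWNER_UID=${OWNER_UID:-0}   # assumption: drop-ins should be owned by root

# risky PATH: succeeds if PATH is group/world-writable or not owned by OWNER_UID.
risky() {
    [ -n "$(find "$1" -prune \( -perm -0020 -o -perm -0002 -o ! -user "$OWNER_UID" \))" ]
}

# audit_dropins [DIR]: print each *.toml that containerd would import,
# prefixed with OK or WARN. Returns 1 if anything was flagged, 0 otherwise.
audit_dropins() {
    dir=${1:-$DROPIN_DIR}
    flagged=0
    if [ ! -d "$dir" ]; then
        echo "SKIP $dir: directory not present"
        return 0
    fi
    # A writable directory lets other accounts add new drop-ins.
    if risky "$dir"; then
        echo "WARN $dir: directory is group/world-writable or has unexpected owner"
        flagged=1
    fi
    for f in "$dir"/*.toml; do
        # Skip the literal pattern when the glob matched nothing.
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -L "$f" ]; then
            echo "WARN $f: symlink, content lives outside the audited directory"
            flagged=1
        elif risky "$f"; then
            echo "WARN $f: group/world-writable or unexpected owner"
            flagged=1
        else
            echo "OK   $f"
        fi
    done
    return "$flagged"
}

# Usage: audit_dropins                (v2 directory)
#        audit_dropins /path/to/config-v3.toml.d
```
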
Embedded Component Versions
| Component | Version |
|---|---|
| Kubernetes | v1.36.0 |
| Kine | v0.14.16 |
| SQLite | 3.51.3 |
| Etcd | v3.6.7-k3s1 |
| Containerd | v2.2.3-k3s1 |
| Runc | v1.4.2 |
| Flannel | v0.28.4 |
| Metrics-server | v0.8.1 |
| Traefik | v3.6.13 |
| CoreDNS | v1.14.2 |
| Helm-controller | v0.17.1 |
| Local-path-provisioner | v0.0.35 |
Helpful Links
As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our Slack channel
- Check out our documentation for guidance on how to get started or to dive deep into K3s.
- Read how you can contribute here