k3s-io/k3s v1.36.0-rc1+k3s1

on GitHub

What's Changed

• Expand docker upgrade test, sunset E2E upgrade test by @dereknola in #13338
• Add firewall section to check-config.sh by @dereknola in #13234
• Update golangci-lint and re-enable CI linting step by @brandond in #13343
• Fix PR lint checkout depth by @brandond in #13369
• Update stable channel to v1.34.3+k3s1 by @rafaelbreno in #13374
• Bump actions/download-artifact from 6 to 7 by @dependabot[bot] in #13346
• Bump stable to 1.34 and add 1.35 by @brandond in #13373
• Enable secret encryption on existing clusters by @dereknola in #13370
• Bump Local Path Provisioner version by @github-actions[bot] in #13387
• Use Get, not Head for channel page by @dereknola in #13402
• Fix typos in documentation by @oglok in #13411
• Bump actions/cache from 4 to 5 by @dependabot[bot] in #13347
• Replace temporary etcd server with raw mvcc store access by @brandond in #13368
• Bump Traefik and CoreDNS - Jan 2025 by @dereknola in #13424
• Remove flannel external-ip annotations when disabled by @brandond in #13431
• Bump local path provisioner to v0.0.34 by @dereknola in #13430
• [main] Publish GA images to staging registry by @rafaelbreno in #13438
• Bump cni plugins by @brandond in #13439
• Fix atomic write in WriteSubnetFile by @luojiyin1987 in #13380
• Bump expr-lang/expr by @brandond in #13440
• Bump spegel to v0.6.0 by @brandond in #13198
• Update longhorn version in integration test from v1.4.0 to v1.10.1 by @brandond in #13443
• Bump kine to v0.14.10 for NATS conformance fixes by @brandond in #13441
• Remove download/generate from vulncheck by @brandond in #13445
• Bump to coredns 1.14.0 by @mgfritch in #13449
• Add Momentum Coach AI to K3S adopters list by @geoffreyPerrin in #13467
• Fix lines to satisfy lint and fix CI by @manuelbuil in #13475
• Update Traefik version to v3.6.7 by @manuelbuil in #13474
• Prevent caching on PR of golangci-lint entries by @dereknola in #13487
• Move to rootlesskit v2 by @dereknola in #13486
• Bump actions/stale from 10.1.0 to 10.1.1 by @dependabot[bot] in #13296
• Fix CVE-2025-54410: Update docker/docker to v25.0.13 by @rahulrairai59 in #13473
• Bump golang:alpine image version by @github-actions[bot] in #13345
• Update install tests with new images, add alma10 by @dereknola in #13489
• Bump etcd to v3.6.7 by @brandond in #13495
• Add Percona and Solanica to k3s adopters by @edithturn in #13510
• [main] Update to v1.35.0-k3s3 by @rafaelbreno in #13524
• Fix restart of control-plane-only nodes attempting to reconcile from local datastore by @brandond in #13534
• Fix spegel filter for wildcards by @brandond in #13527
• Add IPv6 loopback to kubelet-serving cert by @brandond in #13532
• Fix handling of empty token file by @brandond in #13529
• Use channel.yaml instead of curling for stable for kubectl install by @dereknola in #13531
• Fix VPN node IP not being applied to kubelet by @zijiren233 in #13457
• Bump aws-actions/configure-aws-credentials from 4 to 5 by @dependabot[bot] in #13185
• Bump scorecard checkout to match all other versions by @dereknola in #13568
• Bump kine for list/watch revision fixes by @brandond in #13575
• Explicitly close mvcc backend to fix high CPU on initial etcd server after restart by @brandond in #13569
• Support commit builds via GHA artifacts by @dereknola in #13559
• Bump rancher/mirrored-coredns-coredns image version by @github-actions[bot] in #13499
• [main] Update stable channel to v1.34.3+k3s3 by @rafaelbreno in #13554
• Bump metrics-server to v0.8.1 by @mgfritch in #13594
• [main] Add registry prefix to image-list file by @rafaelbreno in #13603
• Bump klipper-helm and klipper-lb images by @brandond in #13613
• Fix removal of init node via annotation by @brandond in #13624
• [master] Update to v1.35.1-k3s1 and Go 1.25.6 by @rafaelbreno in #13638
• Update stable to v1.34.4+k3s1 by @rafaelbreno in #13642
• Make artifact URL prefix configurable by @manuelbuil in #13367
• Bump kine to v0.14.12 by @brandond in #13661
• Install binutils-gold only for arm64 builds by @mmoll in #13654
• Rootlesskit Revert + Test Fixes by @dereknola in #13681
• Improve resilience of datastore bootstrap reconcile from etcd by @brandond in #13677
• Bump Traefik to v3.6.9 by @manuelbuil in #13693
• [main] Update to v1.35.2-k3s1 and Go 1.25.7 by @rafaelbreno in #13708
• Assign github.event to env first by @dereknola in #13715
• config: Add default imports to containerd base templates by @fidencio in #13680
• update channel server to 1.34.5 by @briandowns in #13732
• Add nix-snapshotter support to the embedded containerd by @nuketownada in #13676
• Do not create etcd name file if etcd is not in use by @brandond in #13727
• Bump actions/download-artifact from 7 to 8 by @dependabot[bot] in #13714
• build(deps): bump actions/stale from 10.1.1 to 10.2.0 by @dependabot[bot] in #13670
• build(deps): bump aquasecurity/trivy-action from 0.33.1 to 0.34.1 by @dependabot[bot] in #13669
• build(deps): bump aws-actions/configure-aws-credentials from 5 to 6 by @dependabot[bot] in #13596
• Bump softprops/action-gh-release from 2.2.1 to 2.5.0 by @dependabot[bot] in #13376
• Bump rancher/mirrored-coredns-coredns image version by @github-actions[bot] in #13743
• Bump klipper-lb and klipper-helm by @brandond in #13761
• Bump golang:alpine image version by @github-actions[bot] in #13653
• Update packages to remove unmaintained dependencies by @brandond in #13724
• Bump DeterminateSystems/nix-installer-action from 17 to 21 by @dependabot[bot] in #13744
• Bump docker/build-push-action from 6 to 7 by @dependabot[bot] in #13745
• Bump docker/setup-qemu-action from 3 to 4 by @dependabot[bot] in #13746
• Bump docker/setup-docker-action from 4 to 5 by @dependabot[bot] in #13747
• Save cluster state before reencyrpting secrets with newly created key by @dereknola in #13764
• Bump docker/metadata-action from 5 to 6 by @dependabot[bot] in #13748
• Bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 by @dependabot[bot] in #13713
• Bump github.com/docker/cli from 28.3.2+incompatible to 29.2.0+incompatible by @dependabot[bot] in #13730
• build(deps): bump github.com/pion/dtls/v3 from 3.0.6 to 3.0.11 by @dependabot[bot] in #13645
• Use etcd-snapshot-retention as default for s3 if etcd-s3-retention is not set by @brandond in #13770
• Bump traefik and local-path-provisioner by @brandond in #13787
• install.sh: Simplify handling for fedora rpm-ostree based distributions by @becarusys in #13712
• Bump containerd to v2.2.2 by @brandond in #13788
• Bump runc to v1.4.1 by @brandond in #13796
• Bump Traefik helm chart version by @manuelbuil in #13805
• Fix trivy updatecli config by @manuelbuil in #13816
• Bump cni plugins to v1.9.1 by @brandond in #13817
• Simplify snapshot compress/decompress logic by @brandond in #13826
• build(deps): bump docker/login-action from 3 to 4 by @dependabot[bot] in #13804
• build(deps): bump softprops/action-gh-release from 2.5.0 to 2.6.1 by @dependabot[bot] in #13803
• build(deps): bump aquasecurity/trivy-action from 0.34.1 to 0.35.0 by @dependabot[bot] in #13802
• [main] Update to v1.35.3-k3s1 and Go 1.25.7 by @rafaelbreno in #13836
• Bump Trivy version by @github-actions[bot] in #13845
• Fix typo: overriden -> overridden in snapshot_handler.go in #13847
• fix: typo in etcd membership error message by @DT1mote in #13848
• Bump helm-controller for job race fix by @brandond in #13853
• Add context to controller event recorders by @brandond in #13856
• Pin GH Actions to commit sha by @cwayne18 in #13861
• Dapper is kill by @cwayne18 in #13860
• Update to flannel v0.28.2 by @mgfritch in #13863
• [main] Update stable to v1.34.6+k3s1 by @rafaelbreno in #13873
• Add sipgate to the list of adopters by @caesarakalaeii in #13881
• Add Rocket Technologies to the list of adopters by @BenBo17 in #13890
• Make Dockerfile.test more secure by @manuelbuil in #13882
• Make tests/integration/Dockerfile.test more secure by @manuelbuil in #13883
• Secure the vagrant-setup action.yaml by @manuelbuil in #13884
• Secure the e2e yaml GHA by @manuelbuil in #13885
• Pin govulncheck GHA version by @manuelbuil in #13887
• Verify sha256sum for kubelet, vagrant zip and go binary by @manuelbuil in #13889
• Check the k3s-root sha256sum by @manuelbuil in #13888
• build(deps): bump github.com/go-jose/go-jose/v4 from 4.1.3 to 4.1.4 by @dependabot[bot] in #13891
• build(deps): bump actions/upload-artifact from 6.0.0 to 7.0.0 by @dependabot[bot] in #13880
• build(deps): bump github/codeql-action from 4.34.1 to 4.35.1 by @dependabot[bot] in #13879
• build(deps): bump docker/setup-buildx-action from 3.12.0 to 4.0.0 by @dependabot[bot] in #13878
• build(deps): bump updatecli/updatecli-action from 2.100.0 to 3.0.0 by @dependabot[bot] in #13876
• Fix reproducibility of embedded data tarball by @jonhermansen in #13875
• build(deps): bump github.com/buger/jsonparser from 1.1.1 to 1.1.2 by @dependabot[bot] in #13837
• build(deps): bump github.com/nats-io/nats-server/v2 from 2.12.2 to 2.12.6 by @dependabot[bot] in #13852
• Fix S3 test to account for change to s3mock by @brandond in #13906
• Bump klipper helm to v0.9.16-build20260410 by @vitorsavian in #13908
• Bump runc/spegel/helm-controller/kine by @brandond in #13909
• build(deps): bump actions/github-script from 8.0.0 to 9.0.0 by @dependabot[bot] in #13914
• build(deps): bump aws-actions/configure-aws-credentials from 6.0.0 to 6.1.0 by @dependabot[bot] in #13915
• build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1 by @dependabot[bot] in #13916
• build(deps): bump softprops/action-gh-release from 2.6.1 to 3.0.0 by @dependabot[bot] in #13917
• build(deps): bump docker/build-push-action from 7.0.0 to 7.1.0 by @dependabot[bot] in #13918
• Bump traefik to 3.6.12 by @manuelbuil in #13912
• Fix embedded executor VPN config injection by @brandond in #13920
• Bump containerd to v2.2.3 by @brandond in #13931
• Bump flannel to v0.28.4 by @thomasferrandiz in #13937
• [main] Update to v1.35.4-k3s1 and Go 1.25.9 by @rafaelbreno in #13946
• [main] Immutable release changes by @rafaelbreno in #13902
• Bump Traefik to 3.6.13 by @cwayne18 in #13969
• [main] Switch from draft to pre-release by @rafaelbreno in #13951
• Fix SANs added from comma-separated node-external-ip list by @brandond in #13989
• Fix docker dualstack test by @brandond in #13994
• Bump klipper-helm image for revision check fix by @brandond in #13995

New Contributors

• @oglok made their first contribution in #13411
• @luojiyin1987 made their first contribution in #13380
• @geoffreyPerrin made their first contribution in #13467
• @rahulrairai59 made their first contribution in #13473
• @edithturn made their first contribution in #13510
• @zijiren233 made their first contribution in #13457
• @mmoll made their first contribution in #13654
• @fidencio made their first contribution in #13680
• @nuketownada made their first contribution in #13676
• @becarusys made their first contribution in #13712
• @DT1mote made their first contribution in #13848
• @caesarakalaeii made their first contribution in #13881
• @BenBo17 made their first contribution in #13890
• @jonhermansen made their first contribution in #13875

Full Changelog: v1.35.0+k3s1...v1.36.0-rc1+k3s1