π Keep Your Scaffold Updated
The migration guide covers upgrading from any version to the latest, including AI-assisted helpers/commands for legacy scaffolds that may require manual steps. For the smoothest path, enable the AutoUpdate Plugin (uses GitHub Actions)) or run kubebuilder alpha update locallyβboth use the same update logic. The other options are primarily for older projects missing cliVersion in the PROJECT file as a one-time step to reach a supported version; after that, you can rely on these workflows for ongoing updates.
β οΈ Breaking changes
Only for users of the Helm Plugin (helm/v2-alpha)
To stabilise helm/v2-alpha, RBAC was reworked (#5579), renaming rbacHelpers to rbac.helpers and introducing namespace/multi-namespace support with dynamic roles.
Required: run kubebuilder edit --plugins=helm/v2-alpha --force to update your Helm config.
Alternative: manually update values.yaml after running the command without --force (More info)
β¨ Upgrades
- (go/v4): Upgrade certmanager from
1.20.0to1.20.1(#5563) - (go/v4): Upgrade golang version from
1.25.3to1.25.7(#5615) - (go/v4): Upgrade cert-manager version from
1.20.1to1.20.2used in tests (#5626) - (go/v4): Upgrade golangci-lint to
v2.11.4(#5653)
β¨ New Features
- (helm/v2): Add support for extra volumes, Deployment Strategy, Priority Class, Topology Constraints, skip manager install, manager labels/annotations, default image tag from
Chart.appVersion, expose service account in values, and enhance RBAC with namespace-scoped deployments, multi-namespace configuration, and dynamic Role/ClusterRole rendering (renamerbacHelperstorbac.helpers) (#5496, #5577, #5581, #5580, #5607, #5603, #5579 - (go/v4): Add support for multiple controllers per GVK (#5539)
- (go/v4): Add
YEARplaceholder in boilerplate for copyright (#5559) - (go/v4): Add
--license-fileflag and preserve boilerplate in alpha generate (#5456) - (go/v4): Enhance test output readability by converting inline comments to
By()statements in e2e tests (#5611) - (CLI): Mark resource flags as required to improve completion (#5647)
π Bug Fixes
- (go/v4): Pin GitHub Actions to commit SHA hashes to improve security (#5555)
- (go/v4): Disable kubectl kuberc in the e2e tests by default (#5558)
- (go/v4, kustomize/v2): Add health probe port to manager deployment (#5608)
- (go/v4, autoupdate/v1-alpha, helm/v2-alpha): Security hardening for GitHub Actions workflows (#5578)
- (helm/v2-alpha): Fix duplicate tolerations block in generated manager template (#5572)
- (helm/v2-alpha): Fix missing regular expression anchor (#5582)
- (helm/v2-alpha): Use dot instead of full path inside
imagePullSecretsblock (#5592) - (helm/v2-alpha): Align test-chart workflow image with docker-build and kind load (#5586)
- (helm/v2-alpha): Ignore
latesttag and use commented tag format in Helm charts (#5617) - (helm/v2-alpha): Fix
secretRefhandling (#5623) - (helm/v2-alpha): Fix duplicate ServiceMonitor and invalid
insecureSkipVerify: falsewithout certificates (#5624) - (grafana/v1-alpha): Remove
initsubcommand from Grafana plugin (#5627) - (autoupdate/v1alpha): Remove
initsubcommand from Auto Update plugin (#5633) - (deploy-image/v1-alpha): Add validation for numeric flags (#5634)
- (helm/v2-alpha): Use conditionals for optional K8s field
manager.image.pullPolicy(#5636) - (cli): Change level for plugin discovery log to debug (#5595)
π Thanks to all contributors!
What's Changed ( Full Changelog )
- π fix(go/v4): bump google.golang.org/grpc to v1.79.3 to address CVE by @0x48core in #5554
- π (go/v4): Pin GitHub Actions to commit SHA hashes to improve security and align with the latest GitHub Actions security policy. For more details, see kubernetes/community#8911. by @vitorfloriano in #5555
- π± infra(CI): actions/checkout version not compatible to hash by @vitorfloriano in #5560
- β¨ (helm/v2-alpha): add extra volumes support by @camilamacedo86 in #5496
- β¨ Upgrade certmanager from '1.20.0' to '1.20.1' by @camilamacedo86 in #5563
- π± infra: Add Pinact GitHub Actions workflow by @vitorfloriano in #5556
- β¨ (go/v4): Add support for multiple controllers per GVK by @camilamacedo86 in #5539
- π docs(helm/v1alpha): Add deprecation notice by @vitorfloriano in #5561
- β¨ (go/v4): add support YEAR placeholder in boilerplate for copyright by @felix-kaestner in #5559
- π± infra(CI): Add gha linter (zizmor) and fix workflows security issues by @vitorfloriano in #5565
- π docs: Fix accessibility for assistive tools in documentation notes by @camilamacedo86 in #5564
- π± Bump actions/setup-go from 6.3.0 to 6.4.0 by @dependabot[bot] in #5567
- π± Bump shogo82148/actions-goveralls from 1.10.0 to 1.11.0 by @dependabot[bot] in #5568
- π± infra(CI): Add zero-trust top-level permissions in workflows by @vitorfloriano in #5570
- π± infra(CD): cleanup stale
.firebasercfile by @vitorfloriano in #5571 - π fix(plugins): Security hardening for GitHub Actions workflows by @vitorfloriano in #5578
- π docs: Add the Kubebuilder logo to README by @vitorfloriano in #5575
- π docs: Cleanup stale README inside the book by @vitorfloriano in #5576
- πfix(helm/v2alpha): fix duplicate tolerations block in generated manager template by @v47 in #5572
- π fix(helm/v2-alpha): Remediation for missing regular expression anchor by @vitorfloriano in #5582
- π fix(go/v4): disable kubectl kuberc in the e2e tests by default by @sanadhis in #5558
- π± infra(CI): Pin Syft download to release commit hash by @vitorfloriano in #5583
- β¨ (go/v4): add --license-file flag and preserve boilerplate in alpha generate by @camilamacedo86 in #5456
- β¨ (helm/v2-alpha): Add support for Deployment Strategy, Priority Class, and Topology Constraints by @camilamacedo86 in #5577
- β¨ (helm/v2-alpha): add option to skip manager install by @camilamacedo86 in #5581
- π± refactor: consolidate verification targets and GitHub Actions workflows by @camilamacedo86 in #5585
- π fix(docs): Update broken badge on README by @vitorfloriano in #5590
- β¨ (helm/v2-alpha): add manager.labels and manager.annotations by @camilamacedo86 in #5580
- π Fix broken link to "Using External Resources" from "Sub-Module Layouts" page by @iypetrov in #5594
- π use dot instead of full path inside imagePullSecrets block by @v47 in #5592
- π± Bump golang.org/x/mod from 0.34.0 to 0.35.0 by @dependabot[bot] in #5600
- π± Bump helm.sh/helm/v3 from 3.20.1 to 3.20.2 by @dependabot[bot] in #5601
- π± Bump golang.org/x/text from 0.35.0 to 0.36.0 by @dependabot[bot] in #5599
- π± Bump golang.org/x/tools from 0.43.0 to 0.44.0 by @dependabot[bot] in #5598
- π (helm/v2-alpha): Align test-chart workflow image with docker-build and kind load#5574 by @sivaramsingana in #5586
- β οΈ (helm/v2-plugin): enhance RBAC support with namespace-scoped deployments, multi-namespace configuration, and dynamic Role/ClusterRole rendering (rename
rbacHelperstorbac.helpers) by @camilamacedo86 in #5579 - π± fix(helm/v2-alpha): standardize values.yaml comment style (follow-up of changes not released yet) by @camilamacedo86 in #5604
- π (docs): Update sample external plugin go mod by @camilamacedo86 in #5605
- π± Bump actions/upload-artifact from 7.0.0 to 7.0.1 by @dependabot[bot] in #5606
- π fix(docs): changed comment wording by @kylittle in #5602
- π fix(CLI): Change level for plugin discovery log to debug by @vitorfloriano in #5595
- π± (ci)Enhance test output readability by converting inline comments to
By()statements in e2e tests. by @camilamacedo86 in #5610 - β¨ (go/v4) Enhance test output readability by converting inline comments to By() statements in e2e tests. by @camilamacedo86 in #5611
- π± infra(git): Add kubebuilder binary to .gitignore by @vitorfloriano in #5613
- β¨ (helm/v2-alpha): Use Chart.appVersion as default image tag in Helm charts by @camilamacedo86 in #5607
- π(kustomize/v2)Add health probe port to manager deployment by @camilamacedo86 in #5608
- β¨ Upgrade golang version from 1.25.3 to 1.25.7 by @camilamacedo86 in #5615
- π(helm/v2-alpha): Ignore 'latest' tag and use commented tag format in Helm charts ( follow up pr 5607 ) by @camilamacedo86 in #5617
- π± (ci):Add kube linter to helm verify and linter checks by @camilamacedo86 in #5609
- β¨ (helm/v2-alpha): Expose service account into the values by @camilamacedo86 in #5603
- π± Bump zizmorcore/zizmor-action from 0.5.2 to 0.5.3 by @dependabot[bot] in #5618
- π fix(helm/v2-alpha): secretRef fix by @v47 in #5623
- π (helm/v2-alpha): Fix duplicate ServiceMonitor when provided via kustomize and invalid
insecureSkipVerify: falsewithout certificates by @camilamacedo86 in #5624 - β¨ chore(go/v4): Upgrade cert-mamager version from 1.20.1 to 1.20.2 used in the tests by @camilamacedo86 in #5626
- π± Bump github/codeql-action from 4.35.1 to 4.35.2 by @dependabot[bot] in #5629
- π fix(grafana/v1-alpha): Remove
initsubcommand from Grafana plugin by @vitorfloriano in #5627 - π fix(autoupdate/v1alpha): Remove
initsubcommand from the Auto Update plugin by @vitorfloriano in #5633 - π± (helm/v2-alpha): Refactory the code by @camilamacedo86 in #5621
- π fix(deploy-image): Add validation for numeric flags by @camilamacedo86 in #5634
- π± Add Agent Skills and standardize CLI descriptions by @camilamacedo86 in #5631
- π fix(helm/v2-alpha): Use conditionals for optional K8s field
manager.image.pullPolicyby @camilamacedo86 in #5636 - π± refactor(helm/v2-alpha): Remove redundant code comments by @camilamacedo86 in #5637
- π± Add maintenance skill for helm/v2 by @camilamacedo86 in #5635
- π doc(helm/v2-alpha): Shape documentation after introduction of new features by @camilamacedo86 in #5638
- π± Bump devcontainers/ci from 0.3.1900000417 to 0.3.1900000448 by @dependabot[bot] in #5641
- π± Bump k8s.io/apimachinery from 0.35.3 to 0.35.4 by @dependabot[bot] in #5642
- π Enhance documentation to follow Kubernetes style guide by @camilamacedo86 in #5640
- π Add skill for documentation by @camilamacedo86 in #5639
- π± Bump devcontainers/ci from 0.3.1900000448 to 0.3.1900000449 by @dependabot[bot] in #5646
- π chore: remove dependency pins and update by @camilamacedo86 in #5645
- π docs(grafana/v1alpha): remove init from subcommands by @vitorfloriano in #5650
- π± (cli): correct SKILL canonical entries and normalize root help by @nerdeveloper in #5648
- π± (cli/alpha): normalize update/generate flag descriptions per SKILL by @nerdeveloper in #5649
- β¨ feat(cli): mark resource flags as required to improve completion by @vitorfloriano in #5647
- π± Bump goreleaser/goreleaser-action from 7.0.0 to 7.1.0 by @dependabot[bot] in #5652
- β¨ (go/v4): upgrade golangci-lint to v2.11.4 by @dongjiang1989 in #5653
- π docs(designs): typo
commited->committedin update_action design by @SAY-5 in #5654 - π± Bump github.com/onsi/ginkgo/v2 from 2.28.1 to 2.28.2 by @dependabot[bot] in #5659
- π± Bump goreleaser/goreleaser-action from 7.1.0 to 7.2.1 by @dependabot[bot] in #5660
- π Bump github.com/onsi/ginkgo/v2 from 2.28.1 to 2.28.2 in /docs/book/src/simple-external-plugin-tutorial/testdata/sampleexternalplugin/v1 by @dependabot[bot] in #5661
- π± Bump github.com/onsi/gomega from 1.39.1 to 1.40.0 by @dependabot[bot] in #5665
- π Bump github.com/onsi/ginkgo/v2 from 2.28.2 to 2.28.3 in /docs/book/src/simple-external-plugin-tutorial/testdata/sampleexternalplugin/v1 by @dependabot[bot] in #5662
- π± Bump github.com/onsi/ginkgo/v2 from 2.28.2 to 2.28.3 by @dependabot[bot] in #5663
New Contributors
- @0x48core made their first contribution in #5554
- @felix-kaestner made their first contribution in #5559
- @sanadhis made their first contribution in #5558
- @iypetrov made their first contribution in #5594
- @sivaramsingana made their first contribution in #5586
- @kylittle made their first contribution in #5602
- @SAY-5 made their first contribution in #5654
Full Changelog: v4.13.1...v4.14.0