github kubernetes/kube-state-metrics v2.19.0

v2.19.0 / 2026-05-05

Notes

This release addresses a security vulnerability (GHSA-g3c8-4qh2-rhrg) where /debug/pprof/* endpoints were not protected by the --auth-filter flag. The endpoints have been moved to the telemetry server and are now correctly gated. See #2924 for details. Credits to @vldevadath for responsible disclosure.
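The fix described above is a routing change: the profiling handlers leave the main server entirely and are mounted on the telemetry server behind the same auth filter that already guards /metrics. The Go program below is an added example written for this note, not kube-state-metrics' own code; it shows the pre-fix shape (pprof registered on the main mux beside a filtered /metrics, so it is reachable anonymously) next to the post-fix shape (no pprof on the main mux, pprof on a telemetry mux whose filter wraps the whole mux). The bearer-token `authFilter`, the `exampleToken` value and the `sampleMetrics` handler are constructed stand-ins for the real `--auth-filter` machinery, which is not reproduced here.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/pprof"
	"strings"
)

// exampleToken is a constructed credential so the example runs offline;
// it stands in for whatever the real --auth-filter validates.
const exampleToken = "constructed-example-token"

// authFilter wraps a handler and rejects any request without the expected
// bearer token. Wrapping a whole mux means every route on it is gated.
func authFilter(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		tok := strings.TrimPrefix(auth, "Bearer ")
		if !strings.HasPrefix(auth, "Bearer ") ||
			subtle.ConstantTimeCompare([]byte(tok), []byte(exampleToken)) != 1 {
			w.Header().Set("WWW-Authenticate", `Bearer realm="telemetry"`)
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// sampleMetrics is a constructed stand-in for the exporter's /metrics handler.
func sampleMetrics(w http.ResponseWriter, _ *http.Request) {
	fmt.Fprintln(w, "# constructed sample output")
	fmt.Fprintln(w, "example_metric 1")
}

// registerPprof mounts the standard profiling handlers on an explicit mux.
// Importing net/http/pprof also registers them on http.DefaultServeMux as a
// side effect, which is why serving DefaultServeMux on an exposed port is risky.
func registerPprof(mux *http.ServeMux) {
	mux.HandleFunc("/debug/pprof/", pprof.Index)
	mux.HandleFunc("/debug/pprof/cmdline", pprof.Cmdline)
	mux.HandleFunc("/debug/pprof/profile", pprof.Profile)
	mux.HandleFunc("/debug/pprof/symbol", pprof.Symbol)
	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
}

// vulnerableMainMux is the pre-fix shape: /metrics is filtered, but the
// pprof routes sit beside it on the same mux, outside the filter.
func vulnerableMainMux() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/metrics", authFilter(http.HandlerFunc(sampleMetrics)))
	registerPprof(mux)
	return mux
}

// fixedMainMux is the post-fix main server: it carries no pprof routes at all.
func fixedMainMux() http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/metrics", authFilter(http.HandlerFunc(sampleMetrics)))
	return mux
}

// fixedTelemetryMux is the post-fix telemetry server: pprof lives here, and
// the filter wraps the entire mux so nothing can be mounted outside it.
func fixedTelemetryMux() http.Handler {
	inner := http.NewServeMux()
	inner.HandleFunc("/metrics", sampleMetrics) // exporter self-metrics
	registerPprof(inner)
	return authFilter(inner)
}

// probe returns the status code a handler yields for path, optionally with a
// bearer token; this mirrors the check an operator runs against each port.
func probe(h http.Handler, path, token string) int {
	req := httptest.NewRequest(http.MethodGet, path, nil)
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("pre-fix main, anonymous /debug/pprof/:       ", probe(vulnerableMainMux(), "/debug/pprof/", ""))
	fmt.Println("post-fix main, anonymous /debug/pprof/:      ", probe(fixedMainMux(), "/debug/pprof/", ""))
	fmt.Println("post-fix telemetry, anonymous /debug/pprof/: ", probe(fixedTelemetryMux(), "/debug/pprof/", ""))
	fmt.Println("post-fix telemetry, authorized /debug/pprof/:", probe(fixedTelemetryMux(), "/debug/pprof/", exampleToken))
}
```

The same probes translate directly into a post-upgrade check against a running instance: a GET to /debug/pprof/ on the main port (8080 by default) should now be a 404, and the same path on the telemetry port (8081 by default) should be rejected unless the request carries credentials that --auth-filter accepts.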

  • This release builds with Go v1.26.2
  • This release builds with k8s.io/client-go: v0.35.4

Changelog

  • [SECURITY] Fix authentication bypass: move pprof endpoints to telemetry server and protect with auth filter (GHSA-g3c8-4qh2-rhrg) by @bhope in #2924
  • [SECURITY] Bump go-jose/v4 to v4.1.4 for CVE-2026-34986 by @marioferh in #2941
  • [SECURITY] Fix CVE-2026-24051 in otel go library by @marvin659 in #2908
  • [SECURITY] Fix CVE-2026-39883 in otel go library by @Dinesh-Jilagam in #2952
  • [SECURITY] Bump google.golang.org/grpc to v1.79.3 by @sturman in #2925
  • [FEATURE] Add PreemptionByScheduler and TerminationByKubelet to kube_pod_status_reason by @bhope in #2892
  • [FEATURE] Add SchedulingGated to kube_pod_status_reason by @bhope in #2880
  • [FEATURE] Add container label to HPA ContainerResource metrics by @bxrne in #2836
  • [FEATURE] Add deployment-based sharding example by @ystkfujii in #2931
  • [BUGFIX] Handle DeletedFinalStateUnknown panic in CR informer by @rexagod in #2955
  • [BUGFIX] Fix memory leak from orphaned CR reflector goroutines on repeated CRD discovery by @bhope in #2920
  • [BUGFIX] Load CRS config when --continue-without-custom-resource-state-config-file is set and file exists by @ybouhachem in #2918
  • [BUGFIX] Accept legacy custom_resource_config_file as deprecated alias by @nmn3m in #2926
  • [BUGFIX] Fix order-dependent metric loss from header deduplication by @jfremy-openai in #2866
  • [BUGFIX] Avoid mutating metric families during write by @bhope in #2852
  • [BUGFIX] Honor stderrthreshold when logtostderr is enabled by @pierluigilenoci in #2906
  • [ENHANCEMENT] Bump to Kubernetes 1.35 by @mrueg in #2861
  • [ENHANCEMENT] Build with Go 1.26 by @mrueg in #2890
  • [ENHANCEMENT] Switch to a maintained fork of robfig/cron by @mrueg in #2874

Full Changelog

  • chore: Merge release-2.18 back into main by @rexagod in #2850
  • chore: Define golang version in a single file by @mrueg in #2853
  • build(deps): Bump actions/setup-go from 6.1.0 to 6.2.0 by @dependabot[bot] in #2858
  • build(deps): Bump actions/checkout from 6.0.1 to 6.0.2 by @dependabot[bot] in #2859
  • docs: Fix typo in scheduler metrics names by @dgrisonnet in #2862
  • fix: tests/e2e - derive image tag using docker --format by @bhope in #2875
  • build(deps): Bump goreleaser/goreleaser-action from 6.4.0 to 7.0.0 by @dependabot[bot] in #2877
  • build(deps): Bump actions/setup-go from 6.2.0 to 6.3.0 by @dependabot[bot] in #2881
  • docs: add code reviews section by @mrueg in #2888
  • chore(Dockerfile): Use Debian 13 as base by @mrueg in #2855
  • chore: Drop embedmd in favor of gomplate by @mrueg in #2871
  • chore: Bump to kubernetes 1.35 by @mrueg in #2861
  • chore: Switch to a maintained version for robfig/cron by @mrueg in #2874
  • feat: add SchedulingGated to kube_pod_status_reason by @bhope in #2880
  • fix: order-dependent metric loss from header dedupe by @jfremy-openai in #2866
  • chore: Build with go 1.26 by @mrueg in #2890
  • feat: add PreemptionByScheduler and TerminationByKubelet to kube_pod_status_reason by @bhope in #2892
  • chore: add @bhope as a reviewer by @bhope in #2897
  • chore: add @nmn3m as a reviewer by @nmn3m in #2900
  • fix: CVE-2026-24051 security fix on otel go library by @marvin659 in #2908
  • fix: honor stderrthreshold when logtostderr is enabled by @pierluigilenoci in #2906
  • build(deps): Bump actions/setup-go from 6.3.0 to 6.4.0 by @dependabot[bot] in #2911
  • build(deps): Bump kubernetes-sigs/release-actions from 0.4.0 to 0.4.1 by @dependabot[bot] in #2912
  • build(deps): Bump kubernetes-sigs/release-actions from 0.4.1 to 0.4.3 by @dependabot[bot] in #2913
  • build(deps): Bump github.com/prometheus/exporter-toolkit from 0.15.1 to 0.16.0 by @dependabot[bot] in #2914
  • build(deps): Bump github.com/netresearch/go-cron from 0.13.1 to 0.13.4 by @dependabot[bot] in #2915
  • fix(horizontalpodautoscaler): Added container label to ContainerResource metrics by @bxrne in #2836
  • fix: avoid mutating metric families during write by @bhope in #2852
  • fix: load CRS config when --continue-without-custom-resource-state-config-file is set and file exists by @ybouhachem in #2918
  • fix(deps): bump google.golang.org/grpc to v1.79.3 by @sturman in #2925
  • fix: accept legacy custom_resource_config_file as deprecated alias by @nmn3m in #2926
  • build(deps): Bump github.com/netresearch/go-cron from 0.13.4 to 0.14.0 by @dependabot[bot] in #2935
  • build(deps): Bump goreleaser/goreleaser-action from 7.0.0 to 7.1.0 by @dependabot[bot] in #2933
  • build(deps): Bump the k8s-dependencies group with 5 updates by @dependabot[bot] in #2934
  • build(deps): Bump github.com/dlclark/regexp2 from 1.11.5 to 1.12.0 by @dependabot[bot] in #2936
  • feat: add deployment-based sharding example by @ystkfujii in #2931
  • build(deps): Bump goreleaser/goreleaser-action from 7.1.0 to 7.2.1 by @dependabot[bot] in #2938
  • fix: bump go-jose/v4 to v4.1.4 for CVE-2026-34986 by @marioferh in #2941
  • build(deps): Bump github.com/fsnotify/fsnotify from 1.9.0 to 1.10.1 by @dependabot[bot] in #2944
  • chore: Rebase #2924 with an additional commit by @rexagod in #2947
  • fix: stop memory leak from orphaned CR reflector goroutines on repeated CRD discovery by @bhope in #2920
  • chore: bump Go from 1.26.1 to 1.26.2 by @bhope in #2950
  • fix: CVE-2026-39883 security fix on otel go library by @Dinesh-Jilagam in #2952
  • fix: Handle DeletedFinalStateUnknown panic by @rexagod in #2955
  • chore: Release v2.19.0 by @bhope in #2949

New Contributors

Full Changelog: v2.18.0...v2.19.0