This release updates Kubernetes to v1.33.7.
Important Note
If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as it is required when restoring from backup.
You may retrieve the token value from any server already joined to the cluster:
cat /var/lib/rancher/rke2/server/token
RKE2 v1.34 Upgrade Warning
This warning targets users who perform upgrades by adding new nodes to the cluster, and removing old ones. If your etcd cluster membership is and has been consistent across versions, you should NOT be affected by this issue.
RKE2 v1.34 and higher include etcd 3.6. Maintainers of the etcd project have indicated that there is no safe path from etcd 3.5 to 3.6 except by upgrading to v3.5.26 first.
In mid December, the project released an announcement indicating that there is NO safe path from etcd 3.5 to 3.6 except by upgrading to v3.5.26 first. Failure to do so can cause the cluster to report “zombie members” (etcd nodes that were removed from the cluster some time ago) re-appearing and joining database consensus, ultimately causing the cluster to lose quorum. This updated blog post contradicts previous announcements on this topic, which indicated that it was safe to upgrade from v3.5.20+ as long as nodes had been restarted at least once, to reconcile membership lists across internal storage layers.
The January releases of RKE2 v1.32 and v1.33 will include etcd v3.5.26. All users should plan on upgrading to this patch release, prior to upgrading to v1.34 and v1.35.
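The etcd version gate described in this warning can be checked before the first node is moved to v1.34. The script below is an added example, not part of RKE2 or of these release notes; the function names, the "NAME VERSION" input format and the sample member list are assumptions, and collecting each member's etcd version is left to your own tooling.

```shell
#!/bin/sh
# Added example: block an upgrade to etcd 3.6 (RKE2 v1.34+) until every
# etcd member reports 3.5.26 or later, as this release note requires.
MIN_PATCH=26   # minimum etcd 3.5 patch level stated in the note

# etcd_gate VERSION
# Prints: ok | too-old | already-3.6 | unsupported | unparseable
# Accepts forms such as "v3.5.26-k3s1", "3.5.21" or "v3.6.4".
etcd_gate() {
    v=${1#v}            # drop a leading "v"
    v=${v%%[-+]*}       # drop a build suffix such as "-k3s1"
    case $v in ''|*[!0-9.]*|.*|*.|*..*) echo unparseable; return ;; esac
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    [ $# -eq 3 ] || { echo unparseable; return; }
    if [ "$1" -eq 3 ] && [ "$2" -eq 5 ]; then
        if [ "$3" -ge "$MIN_PATCH" ]; then echo ok; else echo too-old; fi
    elif [ "$1" -eq 3 ] && [ "$2" -ge 6 ]; then
        echo already-3.6
    else
        echo unsupported
    fi
}

# cluster_gate: reads "NAME VERSION" lines on stdin, prints one BLOCK line
# per member that is not "ok", and returns 1 if any member blocks.
cluster_gate() {
    rc=0
    while read -r name ver; do
        [ -n "$name" ] || continue
        state=$(etcd_gate "$ver")
        if [ "$state" != ok ]; then
            echo "BLOCK $name $ver ($state)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: one member on this release's etcd, one still behind.
cluster_gate <<'EOF' || echo "Do not upgrade to v1.34 yet."
server-1 v3.5.26-k3s1
server-2 v3.5.21-k3s1
server-3 v3.5.26-k3s1
EOF
```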
Changes since v1.33.7+rke2r1:
- Remove dapper + use crane (#9444)
- Bump calico chart to v3.31.300 (#9457)
- CNI bump Jan 2026 (#9475)
- Bump Ingresses - 2026 Jan (#9482)
- Bulk Backports - 2026 Jan (#9494)
- Rke2-coredns: Use k8s-style "IANA" names (RFC 6335) (#9505)
- K3s bump and backports for 2026-01 (#9515)
- Adjust Windows directory creation order (#9527)
- Update to cilium v1.18.6 (#9535)
- Bump Traefik version to v3.6.7 (#9549)
- Update chart and container image versions (#9560)
- Add e2e test for Calico in eBPF mode (#9565)
- Bump etcd to v3.5.26 (#9580)
- Update to v1.33.7-rke2r3 (#9595)
- Fix release arm64 (#9600)
- Backport: Increase timeouts in calico eBPF tests (#9605)
- Fix manifest and sync-prime steps (#9609)
- Revert accidental hardcode of klipper-helm tag (#9625)
- Bump K3s version for etcd reconcile fix (#9630)
- Bump ingress-nginx to v1.14.3-hardened1 (#9635)
Charts Versions
| Component | Version |
|---|---|
| rke2-cilium | 1.18.601 |
| rke2-canal | v3.31.3-build2026011900 |
| rke2-calico | v3.31.300 |
| rke2-calico-crd | v3.31.300 |
| rke2-coredns | 1.45.008 |
| rke2-ingress-nginx | 4.14.301 |
| rke2-metrics-server | 3.13.006 |
| rancher-vsphere-csi | 3.5.0-rancher200 |
| rancher-vsphere-cpi | 1.12.100 |
| harvester-cloud-provider | 0.2.1100 |
| harvester-csi-driver | 0.1.2500 |
| rke2-snapshot-controller | 4.2.000 |
| rke2-snapshot-controller-crd | 4.2.000 |
| rke2-snapshot-validation-webhook | 0.0.0 |
| rke2-traefik | 38.0.201 |
| rke2-traefik-crd | 38.0.201 |
Packaged Component Versions
| Component | Version |
|---|---|
| Kubernetes | v1.33.7 |
| Etcd | v3.5.26-k3s1 |
| Containerd | v2.1.5-k3s1 |
| Runc | v1.4.0 |
| Metrics-server | v0.8.0 |
| CoreDNS | v1.14.1 |
| Ingress-Nginx | v1.14.3-hardened1 |
| Helm-controller | v0.16.17 |
| Traefik | v3.6.7 |
Available CNIs
| Component | Version | FIPS Compliant |
|---|---|---|
| Canal (Default) | Flannel v0.28.0, Calico v3.31.3 | Yes |
| Calico | v3.31.3 | No |
| Cilium | v1.18.6 | No |
| Multus | v4.2.3 | No |
Helpful Links
As always, we welcome and appreciate feedback from our community of users. Please feel free to:
- Open issues here
- Join our Slack channel
- Check out our documentation for guidance on how to get started.