rancher/rke2 v1.36.0+rke2r1

on GitHub

This release updates Kubernetes to v1.36.0.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.35.0+rke2r1:

• Adjust directory creation order in rke2-runtime image (#9433)
• Use crane to package non-core images (#9440)
• Bump alpine from 3.22 to 3.23 (#9345)
• Rke2-coredns: Use k8s-style "IANA" names (RFC 6335) (#9498)
• Add retry when downloading kubectl in builds (#9520)
• Add el10 for the install script (#9557)
• Replace deprecated wait.Poll with wait.PollUntilContextTimeout (#9509)
• Add path prefix support to system-default-registry (#9404)
  • System-default-registry now supports custom registry with repository prefix.
• Consolidate vagrant network configuration for the extra interface in one script (#9570)
• Increase time-outs in calico ebpf test (#9590)
• Install the kubectl version from stable defined in channels.yaml (#9652)
• Update nightly images 2026 (#9615)
• Remove cloud-config arg from kubelet for windows (#9664)
• Update to Kubernetes Metrics Server chart 3.13.007 (#9666)
• Prevent manifest race in Ingress Migration test (#9742)
• Change SLES 16 default installation to rpms (#9723)
• Fix tarball ownership and permissions (#9754)
• Fix rke2 startup when embedded registry is enabled but not configured (#9756)
• Fix to only set the default for SLES 16 and not for SLEMicro 6.2 (#9769)
• Prevent a node transform from agent/server to server/agent (#9729)
• Align integration test and coverage file generation (#9799)
• Reduce embedded registry peer wait from 60 seconds to 15 (#9839)
• Add prime configuration (#9859)
  • A new prime flag for use by prime customers to access the SUSE Rancher Prime registry
• Bump snapshot crd for groupsnapshot v1beta2 (#9893)
• Bump runc to v1.4.1 (#9954)
• Add restorecon if selinux is installed in tar to fix wrong contexts (#9923)
  • Install script will now use restorecon if rke2-selinux is installed in tarball installation
• Bump K3s version for main (#9985)
• Remove old data dirs after succesful start (#9977)
  • Old versioned directories in /rke2/data are now cleaned up on startup. Preventing unbounded disk usage growth across updates and upgrades.
• Add restorecon for /var/lib/rancher/rke2 when installing with tarball (#10039)
• Bump nginx to fix kubegen (#10077)
• Add checksum verification for 3rd party dependencies (#10081)
• Change default ingress controller to traefik, with support for detecting legacy default ingress-class (#10037)
  • The default ingress-controller is now traefik. Clusters with ingress-nginx installed and set as default will continue to use ingress-nginx by default, unless manually configured to deploy traefik instead.
• Charts: bump Harvester CSI Driver 0.1.28 (#10109)
  • • Fix the race-condition issue during a huge pod respawn simultaneously
  • • Support both Harvester v1.7/v1.8 Cluster
  • • Support Backup
• Checksum verification in Dockerfile.windows, this ones gonna be a doo… (#10047)
• Fix checksums in Dockerfile.windows (#10128)
• Update Flannel and Canal chart with updated images (#10169)
• Update to Kubernetes Metrics Server chart 3.13.008 (#10180)
• Bump etcd for CVE reasons (#10195)
• Bump to snapshot-controller v8.5.0 (#10207)
• Update to calico v3.31.5 (#10219)
• Update to cilium v1.19.3 (#10240)
• Bump rke2-multus to v4.2.410 (#10272)
• Replace ingress-nginx with traefik in core image list (#10269)
  • The rke2-images-core tarball now contains images for traefik, instead of ingress-nginx. Users who will continue to use ingress-nginx in airgapped environments will need to provide images from the rke2-images-ingress-nginx tarball. The standalone rke2-images-traefik tarball has been removed.
• Update to Kubernetes v1.36.0 (#10296)
• Update kubernetes image in Dockerfile to v1.36.0 (#10299)
• Do not expect boringcrypto experiment on windows (#10303)
• Add support for ovirt CSI via --cloud-provider-name=ovirt (#10315)
• Bump ingress-nginx (#10321)
• • Update CoreDNS chart 1.45.211 (#10330)
• Traefik 3.6.16 (#10325) (#10339)
• Do not bundle ovirt images on arm64 (#10341)
• Bump K3s version (#10356)
• Add verification before disabling CCM (#10352)
• • Update CNIs for 2026-05 Release Cycle (#10384)
• • Update CoreDNS chart 1.45.212 (#10371)

Charts Versions

Packaged Component Versions

Available CNIs

Helpful Links

As always, we welcome and appreciate feedback from our community of users. Please feel free to:

• Open issues here
• Join our Slack channel
• Check out our documentation for guidance on how to get started.