v1.13.3

Changelog since v1.13.2

Changes by Kind

Fixes of Bugs or Regressions

• Fix release formats, return zip files in release assets back #4049, @kron4eg

v1.13.2

Changelog since v1.13.1

Changes by Kind

Fixes of Bugs or Regressions

• Fix typo in cilium config #4044, @kron4eg

v1.13.1

Changelog since v1.13.0

Changes by Kind

Fixes of Bugs or Regressions

• Fix Azure CCM and CNM image versions #4042, @kron4eg

v1.13.0

Changelog since v1.12.0

Urgent and BREAKING Upgrade Notes

(No, really, you MUST read this before you upgrade)

• Support for Kubernetes 1.31 and 1.32 has been removed. KubeOne v1.13 supports Kubernetes versions 1.33, 1.34, and 1.35. Before upgrading KubeOne, ensure your clusters are running Kubernetes v1.33 or newer. (#3973, @kron4eg)
• Delete long deprecated MachineAnnotations (#3936, @kron4eg)
• REQUIRES FIPS-140 ENABLED VCENTER! Upgrade vSphere CSI driver to v3.7.0

Changes by Kind

Feature

• Add Terraform-free Hetzner control plane provisioning (beta): A new controlPlane.nodeSets API field combined with cloudProvider.hetzner.controlPlane.loadBalancer configuration allows KubeOne to provision and manage Hetzner VMs and a load balancer for the control plane directly from the KubeOne manifest, without requiring Terraform for provisioning VMs/loadbalancer. - THIS IS BETA, DO NOT USE FOR PRODUCTION! (#3895, @kron4eg)
• Add kubeone etcd command group with subcommands for operating on the etcd cluster of a KubeOne-managed Kubernetes cluster: members (list members and alarms), defragment (defragment a member's storage), disarm (disarm alarms on one or all members), snapshot (take an etcd snapshot from a member). etcd controlPlaneComponents.etcd configuration options (quotaBackendBytes, autoCompactionRetention, autoCompactionMode) are also now supported. (#3998, @kron4eg)
• Add support for Kubernetes 1.35. (#3973, @kron4eg)
• Add features.alwaysPullImages API field to enable the AlwaysPullImages admission plugin on the Kubernetes API server. (#4027, @adoi)
• Add features.eventRateLimit API field to enable the EventRateLimit admission plugin with a configurable config file path. (#4029, @adoi)
• NodeRestriction admission plugin is now enabled by default. (#4012, @adoi)
• Add clusterNetwork.cni.cilium.enableL2Announcements option to enable Cilium Layer 2 announcement feature. (#3991, @rguhr)
• Add insecure field in Helm release. (#3921, @mohamed-rafraf)
• Add helm authentication in HelmRelease. (#3922, @mohamed-rafraf)
• Add registry authentication support for both source registry and mirror hosts in containerRuntime.containerd.registries. (#4014, @rajaSahil)
• Remove validation of mutual exclusivity between ContainerdRegistry and RegistryConfiguration. Both can now be configured simultaneously. (#3993, @kron4eg)
• Upgrade containerd from v1.7.x to v2.2.x.
  Note: The deprecated CRI-based registry authentication configuration is still being used with containerd v2. It is recommended to use Kubernetes ImagePullSecrets for registry authentication instead. (#4006, @rajaSahil)
• Use certificateAuthority.bundle field consistently across all configuration paths that previously used caBundle. (#3925, @kron4eg)
• Skip aznfs apt package installation on Azure when the addon is not needed. (#3949, @dharapvj)
• Update install script to support ARM architecture on Linux and macOS. (#3914, @scheeles)
• Add support for ECDSA CA key (#4004, @kron4eg)

Fixes of Bugs or Regressions

• Remove CPU/memory limits from machine-controller and operating-system-manager deployments. (#3979, @kron4eg)
• Restore Cilium CIDR match policy that was missing from the Cilium configmap. (#4036, @kron4eg)
• Add permission for services in KubeVirt CCM. (#4035, @rajaSahil)
• Set the infra namespace annotation on the control plane nodes for KubeVirt. (#4034, @rajaSahil)
• Fix cilium-envoy image reference (#3910, @peschmae)
• Run file permission reconciliation across all SSH-managed nodes, not just the leader. (#4030, @adoi)
• Enables policy-cidr-match-mode: nodes in the Cilium CNI addon configuration. (#4005, @rajaSahil)
• Fix kernel version parsing to correctly ignore + suffix present in some kernel version strings (e.g., on Flatcar). (#4009, @ttuellmann)
• Add allowVolumeExpansion: true to the OpenStack Cinder CSI StorageClass to allow volume expansion. (#4001, @jan-di)
• Fix incorrect cluster name passed to KubeVirt CCM arguments. (#3980, @kron4eg)
• Mirror CoreDNS image when containerd mirrors or overwriteRegistry are configured. (#3929, @mohamed-rafraf)
• Fix missing sandbox (pause) image when mirroring images. (#3926, @mohamed-rafraf)
• Respect customized addon manifests when applying addons. (#3920, @appiepollo14)
• Fix GCP CCM addon being applied twice when provided as a user-managed addon. (#3919, @appiepollo14)
• Fixed an issue in the OpenStack Terraform Quickstart configs that Neutron can not assign the floating IP to the basion host. (#3943, @kleini)
• Fix kubernetes-apt-keyring.gpg file permissions to be set explicitly. (#3940, @piotr1212)
• Fix /etc/kubeone/proxy-env file permissions to be set explicitly. (#3939, @piotr1212)
• Fix cluster-autoscaler deployment not being migrated when matchLabels changed. (#3958, @kron4eg)

Updates

• Update machine-controller to v1.65.0 and operating-system-manager to v1.9.0. (#3979, #3982, #3983, @kron4eg)
• Update KubeVirt CSI image to v0.4.5 (#3981, @kron4eg)
• Update Hetzner CSI driver to v2.18.3 (#3934, @kron4eg)
• Update component versions (#4013, #4017, @kron4eg):
  • Cilium updated to v1.19.2
  • Canal (Calico) updated to v3.31.4
  • Hetzner CCM updated to v1.30.1 (now uses watch-based route reconciliation instead of polling)
  • Hetzner CSI driver updated to v2.20.0
  • vSphere CSI driver updated to v3.7.0
  • KubeVirt CSI driver updated to v0.4.5
  • metrics-server updated to v0.8.1
  • AWS EBS CSI driver updated to v1.57.1
  • AWS CCM: v1.33.2 / v1.34.0 / v1.35.0 (per Kubernetes version)
  • Azure CCM: v1.33.3 / v1.34.2 / v1.35.0 (per Kubernetes version)
  • OpenStack CCM: v1.33.1 / v1.34.1 / v1.35.0 (per Kubernetes version)
  • OpenStack Cinder CSI: v1.33.1 / v1.34.1 / v1.35.0 (per Kubernetes version)
  • vSphere CPI: v1.33.0 / v1.34.0 / v1.35.1 (per Kubernetes version)
  • ClusterAutoscaler: v1.33.4 / v1.34.3 / v1.35.0 (per Kubernetes version)
  • Equinix Metal CCM updated to v3.8.1
  • GCP CCM updated to v33.1.1
  • GCP Compute Persistent Disk CSI driver updated to v1.17.4
• Rename cluster-autoscaler-values.yaml addon values file to cluster-autoscaler-values (without extension). (#3916, @steled)
• Update KubeOne c...

v1.12.3

Changelog since v1.12.2

Changes by Kind

Chore

• Update Hetzner CSI driver to v2.18.3 #3935 @kron4eg

Fixes of Bugs or Regressions

• fix:(addons) Migrate cluster-autoscaler deployment if matchLabels changed #3960 @kron4eg

v1.12.2

Changelog since v1.12.1

Changes by Kind

Chore

• Update cloud components versions #3915 @kron4eg
  • Update metrics-server helm chart to v3.13.0
  • Update vSphere CSI driver to v3.6.0
  • Update OpenStack Cinder CSI driver to v2.34.1
  • Update DigitalOcean CSI driver to v4.15.0
  • Update AzureFile CSI driver to v1.34.2
  • Update Azure Disk CSI driver to v1.33.7
  • Update AWS EBS CSI driver to v2.53.0
  • Update Cilium to v1.18.4
  • Update Canal to v3.31.2
  • Update OpenStack CCM to v1.34.1
  • Update Azure CCM to v1.34.2
  • Update AWS CCM to v0.0.10

Fixes of Bugs or Regressions

• Fix error applying cluster-autoscaler addon #3916 @steled
• Respect customized Addons manifests #3920 @appiepollo14

v1.11.4

Changelog since v1.11.3

Changes by Kind

Fixes of Bugs or Regressions

• Fixed defaulting of LoggingConfig #3881 @kron4eg
• Fix openstack CSI image resource reference #3892 @kron4eg
• Respect customized Addons manifests #3920 @appiepollo14

v1.12.1

Changelog since v1.12.0

Changes by Kind

Fixes of Bugs or Regressions

• Fix cilium-envoy image reference #3910 @peschmae

v1.12.0

v1.12.0 - 2025-11-21

Changelog since v1.11.0

Urgent and BREAKING Upgrade Notes

(No, really, you MUST read this before you upgrade)

• Update RockyLinux 8 -> 9 and RHEL 8 -> 9 versions for the supported providers. (#3822, @rajaSahil).
  RockyLinux 8 and RHEL 8 are not supported anymore because of their too old kernel version fall off minimal required version by Kubernetes.

Known Issues

• rocky-9 image on hetzner doesn't work as of time of the release, since it only has IPv6 NS servers configured, regardless of the stack.

Changes by Kind

Feature

• Add --all flag to config images list showing all images independent of Kubernetes version (#3782, @peschmae)
• Add remove-volumes and remove-lb-services flags to delete dynamically provisioned and unretained PersistentVolumes and LoadBalancer Services before resetting the cluster (#3507, @rajaSahil)
• Add bastion SSH private key file setting in host config (#3814, @kron4eg)
• Add overridePath API, to configure containerd override_path mirrors parameter (#3843, @kron4eg)
• Add support for k8s version 1.34 (#3823, @archups)
• Cleanup /etc/kubernetes/tmp after upgrades (#3775, @kron4eg)
• Cluster wide KubeletConfig (#3845, @kron4eg)
• Export NewRoot() function (#3809, @kron4eg)
• Make machine-controller -join-cluster-timeout configurable (#3779, @kron4eg)
• Non-root device usage on non-static worker nodes can now be enabled for containerd runtime by setting the value operatingSystemManager.enableNonRootDeviceOwnership to true when OSM is enabled. (#3793, @soer3n)
• TBD (#3835, @archups)
• kubeone certificates renew command can be used to renew control plane certificates in a KubeOne cluster (#3773, @kron4eg)

Fixes of Bugs or Regressions

• Default canal_iface_regex only for hetzner (#3797, @kron4eg)
• Don't install software-properties-common on deb systems (#3833, @ttuellmann)
• Enable_disk_uuid in vsphere terraform (#3772, @kron4eg)
• Fix CSI snapshot webhook name for Nutanix (#3761, @kron4eg)
• Fix Nutanix credentials (#3776, @kron4eg)
• Fix upgrading OCI helm releases and uninstalling them without reason (#3849, @mohamed-rafraf)
• Fix validation to pass when ChartURL is given (#3821, @kron4eg)
• Fixed an invalid image reference for the GCE Persistent Disk CSI Driver and update associated images. (#3884, @rajaSahil)
• Fixed defaulting of LoggingConfig (#3881, @kron4eg)
• Fixes the Hubbele Relay Connection Issues with the Cilium Agent, SSL Connection is fixed by mounting the Server Certificates in the Cilium Agent Container (#3795, @tobstone)
• Make it possible to configure FLANNELD_IFACE (#3790, @kron4eg)
• Restart kubelets sequentially (#3770, @kron4eg)
• Terraform configs for Hetzner are now using cx23 instead of cx22 instance type by default. The cx22 server type is deprecated and will no longer be available for order as of January 1, 2026. Make sure to override the instance type if you are using the new Terraform configs with an existing cluster. (#3871, @adoi)
• Upgrade helm v3.18.5 (#3781, @kron4eg)

Chore

• Add RHEL and RockyLinux 9.6 test scenarios for v1.34 (#3851, @kron4eg)
• Bump machine-controller version to v1.63.1 and operating-system-manager version to v1.7.6 (#3817, @archups)
• Cluster-autoscaler addon now supports new variable CLUSTER_AUTOSCALER_SCALE_DOWN_UTIL_THRESHOLD to control --scale-down-utilization-threshold parameter. (#3780, @dharapvj)
• Update Azure CCM to v1.34.1
  Update DigitalOcean CCM to v0.1.64
  Update Hetzner CCM and CSI to v2.18.0
  Update AWS EBS CSI to v1.51.0
  Update ClusterAutoscaler to v1.34.1 (#3847, @archups)
• Update OpenStack CCM and CSI version to 1.34.0 (#3846, @archups)
• Update machine-controller and operating-system-manager images to v1.64.0 and v1.8.0 respectively (#3848, @kron4eg)
• Update machine-controller to v1.63.0 (#3799, @archups)
• Upgrade nutanix CSI driver to 3.3.4 (#3808, @kron4eg)
• Use flatcar-container-linux-corevm-amd64 for flatcar Azure terraform example (#3806, @kron4eg)

Other (Cleanup or Flake)

• Drop centos from azure terraform example (#3805, @kron4eg)
• Improve OS package handling on deb systems (#3840, @ttuellmann)
• Remove everything regarding amzn2 linux (#3842, @kron4eg)

v1.11.3

Changelog since v1.11.2

Changes by Kind

Chore

• Upgrade machine-controller version to v1.62.1 and operating-system-manager version to v1.7.6 (#3818, @archups)

Bug or Regression

• Fix validation to pass when ChartURL is given (#3824, @kubermatic-bot)