Skip to main content

v1.33.X

Upgrade Notice

Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

VersionRelease dateKubernetesEtcdContainerdRuncMetrics-serverCoreDNSIngress-NginxHelm-controllerCanal (Default)CalicoCiliumMultus
v1.33.7+rke2r3Feb 04 2026v1.33.7v3.5.26-k3s1v2.1.5-k3s1v1.4.0v0.8.0v1.14.1v1.14.3-hardened1v0.16.17Flannel v0.28.0
Calico v3.31.3		v3.31.3v1.18.6v4.2.3
v1.33.7+rke2r1Dec 18 2025v1.33.7v3.5.25-k3s1v2.1.5-k3s1v1.4.0v0.8.0v1.13.1v1.13.5-hardened2v0.16.17Flannel v0.27.4
Calico v3.31.2		v3.31.2v1.18.4v4.2.3
v1.33.6+rke2r1Nov 20 2025v1.33.6v3.5.21-k3s1v2.1.5-k3s1v1.3.3v0.8.0v1.13.1v1.13.4-hardened1v0.16.16Flannel v0.27.4
Calico v3.30.3		v3.30.4v1.18.3v4.2.3
v1.33.5+rke2r1Sep 18 2025v1.33.5v3.5.21-k3s1v2.1.4-k3s2v1.3.1v0.8.0v1.12.3v1.12.6-hardened1v0.16.13Flannel v0.27.3
Calico v3.30.3		v3.30.3 v1.18.1v4.2.2
v1.33.4+rke2r1Aug 23 2025v1.33.4v3.5.21-k3s1v2.0.5-k3s2v1.2.6v0.8.0v1.12.3v1.12.4-hardened7v0.16.13Flannel v0.27.2
Calico v3.30.2		v3.30.2v1.18.0v4.2.2
v1.33.3+rke2r1Jul 25 2025v1.33.3v3.5.21-k3s1v2.0.5-k3s2v1.2.6v0.8.0v1.12.2v1.12.4-hardened2v0.16.13Flannel v0.27.1
Calico v3.30.2		v3.30.1v1.17.6v4.2.1
v1.33.2+rke2r1Jun 27 2025v1.33.2v3.5.21-k3s1v2.0.5-k3s1v1.2.6v0.7.2v1.12.2v1.12.2-hardened2v0.16.11Flannel v0.27.0
Calico v3.30.1		v3.30.1v1.17.4v4.2.1
v1.33.1+rke2r1May 21 2025v1.33.1v3.5.21-k3s1v2.0.5-k3s1v1.2.6v0.7.2v1.12.1v1.12.1-hardened6v0.16.10Flannel v0.26.7
Calico v3.30.0		v3.30.0v1.17.3v4.2.0
v1.33.0+rke2r1May 07 2025v1.33.0v3.5.21-k3s1v2.0.4-k3s2v1.2.5v0.7.2v1.12.1v1.12.1-hardened3v0.16.10Flannel v0.26.6
Calico v3.29.3		v3.29.3v1.17.3v4.2.0

Release v1.33.7+rke2r3

This release updates Kubernetes to v1.33.7.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

RKE2 v1.34 Upgrade Warning

This warning targets users who perform upgrades by adding new nodes to the cluster, and removing old ones. If your etcd cluster membership is and has been consistent across versions, you should NOT be affected by this issue.

RKE2 v1.34 and higher include etcd 3.6. Maintainers of the etcd project have indicated that there no safe path from etcd 3.5 to 3.6 except by upgrading to v3.5.26 first.

In mid December, the project released an announcement indicating that there is NO safe path from etcd 3.5 to 3.6 except by upgrading to v3.5.26 first. Failure to do so can cause the cluster to report “zombie members” (etcd nodes that were removed from the cluster some time ago) re-appearing and joining database consensus, ultimately causing the cluster to lose quorum. This updated blog post contradicts previous announcements on this topic, which indicated that it was safe to upgrade from v3.5.20+ as long as nodes had been restarted at least once, to reconcile membership lists across internal storage layers.

The January releases of RKE2 v1.32 and v1.33 will include etcd v3.5.26. All users should plan on upgrading to this patch release, prior to upgrading to v1.34 and v1.35.

Changes since v1.33.7+rke2r1:

  • Remove dapper + use crane (#9444)
  • Bump calico chart to v3.31.300 (#9457)
  • CNI bump Jan 2026 (#9475)
  • Bump Ingresses - 2026 Jan (#9482)
  • Bulk Backports - 2026 Jan (#9494)
  • Rke2-coredns: Use k8s-style "IANA" names (RFC 6335) (#9505)
  • K3s bump and backports for 2026-01 (#9515)
  • Adjust Windows directory creation order (#9527)
  • Bump Traefik version to v3.6.7 (#9549)
  • Update chart and container image versions (#9560)
  • Add e2e test for Calico in eBPF mode (#9565)
  • Bump etcd to v3.5.26 (#9580)
  • Update to v1.33.7-rke2r3 (#9595)
  • Fix release arm64 (#9600)
  • Backport: Increase timeouts in calico eBPF tests (#9605)
  • Fix manifest and sync-prime steps (#9609)
  • Revert accidental hardcode of klipper-helm tag (#9625)
  • Bump K3s version for etcd reconcile fix (#9630)
  • Bump ingress-nginx to v1.14.3-hardened1 (#9635)

Charts Versions

ComponentVersion
rke2-cilium1.18.601
rke2-canalv3.31.3-build2026011900
rke2-calicov3.31.300
rke2-calico-crdv3.31.300
rke2-coredns1.45.008
rke2-ingress-nginx4.14.301
rke2-metrics-server3.13.006
rancher-vsphere-csi3.5.0-rancher200
rancher-vsphere-cpi1.12.100
harvester-cloud-provider0.2.1100
harvester-csi-driver0.1.2500
rke2-snapshot-controller4.2.000
rke2-snapshot-controller-crd4.2.000
rke2-snapshot-validation-webhook0.0.0
rke2-traefik38.0.201
rke2-traefik-crd38.0.201

Release v1.33.7+rke2r1

This release updates Kubernetes to v1.33.7.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.6+rke2r1:

  • Remove NetworkManager check for nm-cloud.service (#9291)
  • Bump rke2-coredns to 1.45.002 (#9335)
  • Bump rke2-multus to v4.2.303 (#9328)
  • Update CNI to the latest versions (#9354)
  • Update to multus chart version v4.2.305 (#9358)
    • Update to CoreDNS chart 1.45.003 and Kubernetes Metrics Server chart 3.13.004 (#9369)
  • Update to v1.33.7 and Go v1.24.11 (#9387)
  • Bump traefik version (#9385)
  • Backports for 2025-12 (#9378)
  • Bump ingress-nginx and vsphere-csi (#9392)
  • Bump kine to v0.14.9 (#9407)
  • Bump klipper-helm to v0.9.12 (#9401)
  • Revert "Remove FlannelBackend from config" (#9422)

Charts Versions

ComponentVersion
rke2-cilium1.18.401
rke2-canalv3.31.2-build2025120500
rke2-calicov3.31.200
rke2-calico-crdv3.31.200
rke2-coredns1.45.003
rke2-ingress-nginx4.13.500
rke2-metrics-server3.13.004
rancher-vsphere-csi3.5.0-rancher200
rancher-vsphere-cpi1.12.100
harvester-cloud-provider0.2.1100
harvester-csi-driver0.1.2500
rke2-snapshot-controller4.0.003
rke2-snapshot-controller-crd4.0.003
rke2-snapshot-validation-webhook0.0.0

Release v1.33.6+rke2r1

This release updates Kubernetes to v1.33.6.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.5+rke2r1:

  • Bump harvester-cloud-provider chart to v0.2.11 with app image tag v0.2.5 (#8958)
  • Update traefik to v3.5.1, use new hardened image (#8971)
  • Bump rke2-ingress-nginx to v1.13.3-hardened1 (#8999)
  • Container runtime endpoint description and Docker warning (#8986)
  • Add calico envoy-proxy and envoy-ratelimit images (#9023)
  • Move dualstack to larger docker runners to prevent eviction failures (#9031)
  • Charts: Bump Harvester CSI driver 0.1.25 (#9037)
      • Support CSI Snapshot
  • Bump k3s (#9044)
  • Update to cilium v1.18.2 (#9076)
  • October 2025 bumps for canal, flannel and multus (#9098)
  • Update to CoreDNS chart 1.44.300 and Kubernetes Metrics Server chart 3.13.002 (#9090)
  • Bump images for go1.24.9 (#9104)
  • Add new kubeapiserver argument for cis-1.11 benchmark (#9119)
  • Bump traefik and ingress-nginx (#9128)
  • Bump helm-controller/klipper-helm (#9136)
  • Tests: update e2e tests to use images from the rancher org (#9159)
  • Bump k3s and backport uninstall fixes (#9175)
  • Bump traefik to v3.5.4 and ingress-nginx to v1.13.4 (#9188)
  • Bump runc to v1.3.3 (#9193)
  • Improve PR Trivy Scanning Reports (#9239)
  • More backports for 2025-11 (#9251)
    • Update to multus chart version v4.2.300 (#9253)
  • Bump k3s and helm-controller (#9264)
  • Update k8s and Go (#9272)
  • Fix race condition with Calico startup on Windows (#9280)
  • Release race condition (#9297)

Charts Versions

ComponentVersion
rke2-cilium1.18.300
rke2-canalv3.30.3-build2025101500
rke2-calicov3.30.401
rke2-calico-crdv3.30.401
rke2-coredns1.44.300
rke2-ingress-nginx4.13.400
rke2-metrics-server3.13.002
rancher-vsphere-csi3.5.0-rancher100
rancher-vsphere-cpi1.12.100
harvester-cloud-provider0.2.1100
harvester-csi-driver0.1.2500
rke2-snapshot-controller4.0.003
rke2-snapshot-controller-crd4.0.003
rke2-snapshot-validation-webhook0.0.0

Release v1.33.5+rke2r1

This release updates Kubernetes to v1.33.5.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.4+rke2r1:

  • Added Calico new images (#8829)
  • Added Cilium with wireguard e2e tests (#8814)
  • CNI and coredns bumps for Sep 25 release (#8845)
  • Bump k3s, containerd, runc (#8865)
  • Bump crictl and cloud provider (#8862)
  • Bump ingress-nginx v1.12.6-hardened1 (#8869)
  • Bump CNI chart latest version (#8883)
  • Update metrics-server chart 3.13.001 (#8904)
  • Update CoreDNS chart 1.43.302 (#8908)
  • Bump etcd (#8912)
  • Update to v1.33.5 and Go to v1.24.6 (#8918)
  • Bump vsphere charts (#8939)

Charts Versions

ComponentVersion
rke2-cilium1.18.103
rke2-canalv3.30.3-build2025090900
rke2-calicov3.30.300
rke2-calico-crdv3.30.300
rke2-coredns1.43.302
rke2-ingress-nginx4.12.600
rke2-metrics-server3.13.001
rancher-vsphere-csi3.5.0-rancher100
rancher-vsphere-cpi1.12.100
harvester-cloud-provider0.2.1000
harvester-csi-driver0.1.2400
rke2-snapshot-controller4.0.003
rke2-snapshot-controller-crd4.0.003
rke2-snapshot-validation-webhook0.0.0

Release v1.33.4+rke2r1

This release updates Kubernetes to v1.33.4.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.3+rke2r1:

  • Add.utils test (#8651) - backport 1.33 (#8662)
  • CNI Bumps for Aug 25 release (#8695)
  • Bump rke2-coredns to 1.43.100 (#8721)
  • Update to cilium v1.18.000 (#8716)
  • Bump ingress-nginx to v1.12.4-hardened6 (#8732)
  • Update Kubernetes Metrics Server chart 3.13.000 (#8741)
  • Separate pod template generation and static pod execution code (#8746)
  • Add prime ribs index upload and cache invalidation (#8711)
  • Bump k3s (#8749)
  • Bump K3s version for certificate startup check fix (#8762)
  • Update K8s to v1.33.4 and Go to v1.24.5 (#8773)
  • Fix missing ECM config (#8778)
  • Fix uploader authentication (#8783)
  • Bump k3s for metric and event fixes (#8785)
  • Bump ingress-nginx to hardened7 (#8789)
  • Bump coredns chart and image (#8736) (#8795)
  • Fix static pod cleanup (#8806)

Charts Versions

ComponentVersion
rke2-cilium1.18.000
rke2-canalv3.30.2-build2025073100
rke2-calicov3.30.200
rke2-calico-crdv3.30.200
rke2-coredns1.43.101
rke2-ingress-nginx4.12.404
rke2-metrics-server3.13.000
rancher-vsphere-csi3.3.1-rancher1000
rancher-vsphere-cpi1.11.000
harvester-cloud-provider0.2.1000
harvester-csi-driver0.1.2400
rke2-snapshot-controller4.0.003
rke2-snapshot-controller-crd4.0.003
rke2-snapshot-validation-webhook0.0.0

Release v1.33.3+rke2r1

This release updates Kubernetes to v1.33.3.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.2+rke2r1:

  • Update Canal chart to latest version (#8529)
  • Prepend defaults to extra kube args (#8513)
  • Bump multus and whereabouts chart (#8536)
  • Update Kubernetes Metrics Server chart 3.12.203 (#8555)
  • Change structure and set namespace for ctr command (#8545)
  • Bump ingress-nginx to v1.12.4-hardened1 (#8568)
  • Charts: Bump Harvester CSI driver 0.1.24 (#8507)
      • Support online resize
      • Support external storage
  • Allow for zypper remove 104 code on uninstall (#8579)
    • Fix snapshot controller backwards compatibility (#8591)
  • Update flannel chart v0.27.100 (#8601)
  • Backports for 2025-07 (#8606)
  • Update K8s to v1.33.3 (#8625)
  • Bump ingress-nginx to hardened2 (#8632)
  • Update to cilium v1.17.6 (#8643)

Charts Versions

ComponentVersion
rke2-cilium1.17.600
rke2-canalv3.30.2-build2025071100
rke2-calicov3.30.100
rke2-calico-crdv3.30.100
rke2-coredns1.42.302
rke2-ingress-nginx4.12.401
rke2-metrics-server3.12.203
rancher-vsphere-csi3.3.1-rancher1000
rancher-vsphere-cpi1.11.000
harvester-cloud-provider0.2.1000
harvester-csi-driver0.1.2400
rke2-snapshot-controller4.0.003
rke2-snapshot-controller-crd4.0.003
rke2-snapshot-validation-webhook0.0.0

Release v1.33.2+rke2r1

This release updates Kubernetes to v1.33.2.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.1+rke2r1:

  • June 2025 CNI bumps (#8328)
  • Windows: Allow for silent/non confirmation use of uninstall.ps1 (#8342)
  • Testing Overhaul Backports (#8364)
  • Bump canal, flannel and cilium charts (#8359) (#8382)
  • Bump multus and whereabouts (#8360) (#8387)
  • Support profile: etcd (#8371)
  • Bump for etcd, containerd, cloud provider, runc and crictl (#8407)
  • Backports for 2025-06 (#8417)
  • Update Kubernetes Metrics Server chart 3.12.2 (#8421)
  • Update CoreDNS chart 1.42.3 (#8425)
  • Bump ingress-nginx to v1.12.2 and hardened-dns-node for CVE fixes (#8403)
  • Bump K3s version (#8434)
  • June K8s v1.33.2 patch (#8446)
  • Update runc to the newest image (#8471)

Charts Versions

ComponentVersion
rke2-cilium1.17.401
rke2-canalv3.30.1-build2025061101
rke2-calicov3.30.100
rke2-calico-crdv3.30.100
rke2-coredns1.42.302
rke2-ingress-nginx4.12.201
rke2-metrics-server3.12.202
rancher-vsphere-csi3.3.1-rancher1000
rancher-vsphere-cpi1.11.000
harvester-cloud-provider0.2.1000
harvester-csi-driver0.1.2300
rke2-snapshot-controller4.0.002
rke2-snapshot-controller-crd4.0.002
rke2-snapshot-validation-webhook0.0.0

Release v1.33.1+rke2r1

This release updates Kubernetes to v1.33.1.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.0+rke2r1:

  • Upload prime ribs assets (#8172)
  • Feat: bump harvester-cloud-provider to v0.2.10 (#8183)
  • Backports for 2025-05 (#8195)
  • Update calico chart to v3.30.0 and Canal image (#8201)
  • Bump nginx version (#8178)
  • Update to Kubernetes Metrics Server 3.12.201 (#8210)
  • Update to flannel v0.26.700 (#8218)
  • Update cilium and multus to cni-plugins v1.7.1 (#8226)
  • Upgrade nginx chart (#8231)
  • Update to flannel v0.26.701 and canal v3.30.0-build2025051500 (#8257)
  • Update to CoreDNS 1.42.000 (#8265)
  • Update k8s to v1.33.1 (#8241)
  • Fix race conditions in startup readiness checks (#8275)
  • Fix secrets syntax (#8283)

Charts Versions

ComponentVersion
rke2-cilium1.17.301
rke2-canalv3.30.0-build2025051500
rke2-calicov3.30.001
rke2-calico-crdv3.30.001
rke2-coredns1.42.000
rke2-ingress-nginx4.12.103
rke2-metrics-server3.12.201
rancher-vsphere-csi3.3.1-rancher1000
rancher-vsphere-cpi1.11.000
harvester-cloud-provider0.2.1000
harvester-csi-driver0.1.2300
rke2-snapshot-controller4.0.002
rke2-snapshot-controller-crd4.0.002
rke2-snapshot-validation-webhook0.0.0

Release v1.33.0+rke2r1

This release updates Kubernetes to v1.33.0.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.32.4+rke2r1:

  • Bump to K8s to v1.33.0 and golang v1.24.2 (#8126)
  • Remove kube-apiserver flags removed by upstream (#8136)

Charts Versions

ComponentVersion
rke2-cilium1.17.300
rke2-canalv3.29.3-build2025040801
rke2-calicov3.29.300
rke2-calico-crdv3.29.101
rke2-coredns1.39.201
rke2-ingress-nginx4.12.101
rke2-metrics-server3.12.200
rancher-vsphere-csi3.3.1-rancher1000
rancher-vsphere-cpi1.11.000
harvester-cloud-provider0.2.900
harvester-csi-driver0.1.2300
rke2-snapshot-controller4.0.002
rke2-snapshot-controller-crd4.0.002
rke2-snapshot-validation-webhook0.0.0