Skip to main content

v1.33.X

Upgrade Notice

Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

VersionRelease dateKubernetesEtcdContainerdRuncMetrics-serverCoreDNSIngress-NginxHelm-controllerCanal (Default)CalicoCiliumMultus
v1.33.5+rke2r1Sep 18 2025v1.33.5v3.5.21-k3s1v2.1.4-k3s2v1.3.1v0.8.0v1.12.3v1.12.6-hardened1v0.16.13Flannel v0.27.3
Calico v3.30.3		v3.30.3 v1.18.1v4.2.2
v1.33.4+rke2r1Aug 23 2025v1.33.4v3.5.21-k3s1v2.0.5-k3s2v1.2.6v0.8.0v1.12.3v1.12.4-hardened7v0.16.13Flannel v0.27.2
Calico v3.30.2		v3.30.2v1.18.0v4.2.2
v1.33.3+rke2r1Jul 25 2025v1.33.3v3.5.21-k3s1v2.0.5-k3s2v1.2.6v0.8.0v1.12.2v1.12.4-hardened2v0.16.13Flannel v0.27.1
Calico v3.30.2		v3.30.1v1.17.6v4.2.1
v1.33.2+rke2r1Jun 27 2025v1.33.2v3.5.21-k3s1v2.0.5-k3s1v1.2.6v0.7.2v1.12.2v1.12.2-hardened2v0.16.11Flannel v0.27.0
Calico v3.30.1		v3.30.1v1.17.4v4.2.1
v1.33.1+rke2r1May 21 2025v1.33.1v3.5.21-k3s1v2.0.5-k3s1v1.2.6v0.7.2v1.12.1v1.12.1-hardened6v0.16.10Flannel v0.26.7
Calico v3.30.0		v3.30.0v1.17.3v4.2.0
v1.33.0+rke2r1May 07 2025v1.33.0v3.5.21-k3s1v2.0.4-k3s2v1.2.5v0.7.2v1.12.1v1.12.1-hardened3v0.16.10Flannel v0.26.6
Calico v3.29.3		v3.29.3v1.17.3v4.2.0

Release v1.33.5+rke2r1

This release updates Kubernetes to v1.33.5.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.4+rke2r1:

  • Added Calico new images (#8829)
  • Added Cilium with wireguard e2e tests (#8814)
  • CNI and coredns bumps for Sep 25 release (#8845)
  • Bump k3s, containerd, runc (#8865)
  • Bump crictl and cloud provider (#8862)
  • Bump ingress-nginx v1.12.6-hardened1 (#8869)
  • Bump CNI chart latest version (#8883)
  • Update metrics-server chart 3.13.001 (#8904)
  • Update CoreDNS chart 1.43.302 (#8908)
  • Bump etcd (#8912)
  • Update to v1.33.5 and Go to v1.24.6 (#8918)
  • Bump vsphere charts (#8939)

Charts Versions

ComponentVersion
rke2-cilium1.18.103
rke2-canalv3.30.3-build2025090900
rke2-calicov3.30.300
rke2-calico-crdv3.30.300
rke2-coredns1.43.302
rke2-ingress-nginx4.12.600
rke2-metrics-server3.13.001
rancher-vsphere-csi3.5.0-rancher100
rancher-vsphere-cpi1.12.100
harvester-cloud-provider0.2.1000
harvester-csi-driver0.1.2400
rke2-snapshot-controller4.0.003
rke2-snapshot-controller-crd4.0.003
rke2-snapshot-validation-webhook0.0.0

Release v1.33.4+rke2r1

This release updates Kubernetes to v1.33.4.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.3+rke2r1:

  • Add.utils test (#8651) - backport 1.33 (#8662)
  • CNI Bumps for Aug 25 release (#8695)
  • Bump rke2-coredns to 1.43.100 (#8721)
  • Update to cilium v1.18.000 (#8716)
  • Bump ingress-nginx to v1.12.4-hardened6 (#8732)
  • Update Kubernetes Metrics Server chart 3.13.000 (#8741)
  • Separate pod template generation and static pod execution code (#8746)
  • Add prime ribs index upload and cache invalidation (#8711)
  • Bump k3s (#8749)
  • Bump K3s version for certificate startup check fix (#8762)
  • Update K8s to v1.33.4 and Go to v1.24.5 (#8773)
  • Fix missing ECM config (#8778)
  • Fix uploader authentication (#8783)
  • Bump k3s for metric and event fixes (#8785)
  • Bump ingress-nginx to hardened7 (#8789)
  • Bump coredns chart and image (#8736) (#8795)
  • Fix static pod cleanup (#8806)

Charts Versions

ComponentVersion
rke2-cilium1.18.000
rke2-canalv3.30.2-build2025073100
rke2-calicov3.30.200
rke2-calico-crdv3.30.200
rke2-coredns1.43.101
rke2-ingress-nginx4.12.404
rke2-metrics-server3.13.000
rancher-vsphere-csi3.3.1-rancher1000
rancher-vsphere-cpi1.11.000
harvester-cloud-provider0.2.1000
harvester-csi-driver0.1.2400
rke2-snapshot-controller4.0.003
rke2-snapshot-controller-crd4.0.003
rke2-snapshot-validation-webhook0.0.0

Release v1.33.3+rke2r1

This release updates Kubernetes to v1.33.3.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.2+rke2r1:

  • Update Canal chart to latest version (#8529)
  • Prepend defaults to extra kube args (#8513)
  • Bump multus and whereabouts chart (#8536)
  • Update Kubernetes Metrics Server chart 3.12.203 (#8555)
  • Change structure and set namespace for ctr command (#8545)
  • Bump ingress-nginx to v1.12.4-hardened1 (#8568)
  • Charts: Bump Harvester CSI driver 0.1.24 (#8507)
      • Support online resize
      • Support external storage
  • Allow for zypper remove 104 code on uninstall (#8579)
    • Fix snapshot controller backwards compatibility (#8591)
  • Update flannel chart v0.27.100 (#8601)
  • Backports for 2025-07 (#8606)
  • Update K8s to v1.33.3 (#8625)
  • Bump ingress-nginx to hardened2 (#8632)
  • Update to cilium v1.17.6 (#8643)

Charts Versions

ComponentVersion
rke2-cilium1.17.600
rke2-canalv3.30.2-build2025071100
rke2-calicov3.30.100
rke2-calico-crdv3.30.100
rke2-coredns1.42.302
rke2-ingress-nginx4.12.401
rke2-metrics-server3.12.203
rancher-vsphere-csi3.3.1-rancher1000
rancher-vsphere-cpi1.11.000
harvester-cloud-provider0.2.1000
harvester-csi-driver0.1.2400
rke2-snapshot-controller4.0.003
rke2-snapshot-controller-crd4.0.003
rke2-snapshot-validation-webhook0.0.0

Release v1.33.2+rke2r1

This release updates Kubernetes to v1.33.2.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.1+rke2r1:

  • June 2025 CNI bumps (#8328)
  • Windows: Allow for silent/non confirmation use of uninstall.ps1 (#8342)
  • Testing Overhaul Backports (#8364)
  • Bump canal, flannel and cilium charts (#8359) (#8382)
  • Bump multus and whereabouts (#8360) (#8387)
  • Support profile: etcd (#8371)
  • Bump for etcd, containerd, cloud provider, runc and crictl (#8407)
  • Backports for 2025-06 (#8417)
  • Update Kubernetes Metrics Server chart 3.12.2 (#8421)
  • Update CoreDNS chart 1.42.3 (#8425)
  • Bump ingress-nginx to v1.12.2 and hardened-dns-node for CVE fixes (#8403)
  • Bump K3s version (#8434)
  • June K8s v1.33.2 patch (#8446)
  • Update runc to the newest image (#8471)

Charts Versions

ComponentVersion
rke2-cilium1.17.401
rke2-canalv3.30.1-build2025061101
rke2-calicov3.30.100
rke2-calico-crdv3.30.100
rke2-coredns1.42.302
rke2-ingress-nginx4.12.201
rke2-metrics-server3.12.202
rancher-vsphere-csi3.3.1-rancher1000
rancher-vsphere-cpi1.11.000
harvester-cloud-provider0.2.1000
harvester-csi-driver0.1.2300
rke2-snapshot-controller4.0.002
rke2-snapshot-controller-crd4.0.002
rke2-snapshot-validation-webhook0.0.0

Release v1.33.1+rke2r1

This release updates Kubernetes to v1.33.1.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.0+rke2r1:

  • Upload prime ribs assets (#8172)
  • Feat: bump harvester-cloud-provider to v0.2.10 (#8183)
  • Backports for 2025-05 (#8195)
  • Update calico chart to v3.30.0 and Canal image (#8201)
  • Bump nginx version (#8178)
  • Update to Kubernetes Metrics Server 3.12.201 (#8210)
  • Update to flannel v0.26.700 (#8218)
  • Update cilium and multus to cni-plugins v1.7.1 (#8226)
  • Upgrade nginx chart (#8231)
  • Update to flannel v0.26.701 and canal v3.30.0-build2025051500 (#8257)
  • Update to CoreDNS 1.42.000 (#8265)
  • Update k8s to v1.33.1 (#8241)
  • Fix race conditions in startup readiness checks (#8275)
  • Fix secrets syntax (#8283)

Charts Versions

ComponentVersion
rke2-cilium1.17.301
rke2-canalv3.30.0-build2025051500
rke2-calicov3.30.001
rke2-calico-crdv3.30.001
rke2-coredns1.42.000
rke2-ingress-nginx4.12.103
rke2-metrics-server3.12.201
rancher-vsphere-csi3.3.1-rancher1000
rancher-vsphere-cpi1.11.000
harvester-cloud-provider0.2.1000
harvester-csi-driver0.1.2300
rke2-snapshot-controller4.0.002
rke2-snapshot-controller-crd4.0.002
rke2-snapshot-validation-webhook0.0.0

Release v1.33.0+rke2r1

This release updates Kubernetes to v1.33.0.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.32.4+rke2r1:

  • Bump to K8s to v1.33.0 and golang v1.24.2 (#8126)
  • Remove kube-apiserver flags removed by upstream (#8136)

Charts Versions

ComponentVersion
rke2-cilium1.17.300
rke2-canalv3.29.3-build2025040801
rke2-calicov3.29.300
rke2-calico-crdv3.29.101
rke2-coredns1.39.201
rke2-ingress-nginx4.12.101
rke2-metrics-server3.12.200
rancher-vsphere-csi3.3.1-rancher1000
rancher-vsphere-cpi1.11.000
harvester-cloud-provider0.2.900
harvester-csi-driver0.1.2300
rke2-snapshot-controller4.0.002
rke2-snapshot-controller-crd4.0.002
rke2-snapshot-validation-webhook0.0.0