Skip to main content

v1.33.X

Upgrade Notice

Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

VersionRelease dateKubernetesEtcdContainerdRuncMetrics-serverCoreDNSIngress-NginxHelm-controllerTraefikCanal (Default)CalicoCiliumMultus
v1.33.11+rke2r1Apr 24 2026v1.33.11v3.6.7-k3s1v2.2.3-k3s1v1.4.2v0.8.1v1.14.2v1.14.5-hardened2v0.17.1v3.6.13Flannel v0.28.4
Calico v3.31.5		v3.31.5v1.19.3v4.2.4
v1.33.10+rke2r3Apr 08 2026v1.33.10v3.5.26-k3s1v2.2.2-k3s1v1.4.1v0.8.1v1.14.2v1.14.5-hardened1v0.16.17v3.6.10Flannel v0.28.2
Calico v3.31.4		v3.31.4v1.19.1v4.2.4
v1.33.10+rke2r1Mar 28 2026v1.33.10v3.5.26-k3s1v2.2.2-k3s1v1.4.1v0.8.1v1.14.2v1.14.5-hardened1v0.16.17v3.6.10Flannel v0.28.2
Calico v3.31.4		v3.31.4v1.19.1v4.2.4
v1.33.9+rke2r1Mar 05 2026v1.33.9v3.5.26-k3s1v2.1.5-k3s1v1.4.0v0.8.1v1.14.1v1.14.3-hardened3v0.16.17v3.6.9Flannel v0.28.1
Calico v3.31.3		v3.31.3v1.19.1v4.2.3
v1.33.8+rke2r1Feb 13 2026v1.33.8v3.5.26-k3s1v2.1.5-k3s1v1.4.0v0.8.1v1.14.1v1.14.3-hardened2v0.16.17v3.6.7Flannel v0.28.1
Calico v3.31.3		v3.31.3v1.19.0v4.2.3
v1.33.7+rke2r3Feb 04 2026v1.33.7v3.5.26-k3s1v2.1.5-k3s1v1.4.0v0.8.0v1.14.1v1.14.3-hardened1v0.16.17v3.6.7Flannel v0.28.0
Calico v3.31.3		v3.31.3v1.18.6v4.2.3
v1.33.7+rke2r1Dec 18 2025v1.33.7v3.5.25-k3s1v2.1.5-k3s1v1.4.0v0.8.0v1.13.1v1.13.5-hardened2v0.16.17VersionFlannel v0.27.4
Calico v3.31.2		v3.31.2v1.18.4v4.2.3
v1.33.6+rke2r1Nov 20 2025v1.33.6v3.5.21-k3s1v2.1.5-k3s1v1.3.3v0.8.0v1.13.1v1.13.4-hardened1v0.16.16VersionFlannel v0.27.4
Calico v3.30.3		v3.30.4v1.18.3v4.2.3
v1.33.5+rke2r1Sep 18 2025v1.33.5v3.5.21-k3s1v2.1.4-k3s2v1.3.1v0.8.0v1.12.3v1.12.6-hardened1v0.16.13VersionFlannel v0.27.3
Calico v3.30.3		v3.30.3 v1.18.1v4.2.2
v1.33.4+rke2r1Aug 23 2025v1.33.4v3.5.21-k3s1v2.0.5-k3s2v1.2.6v0.8.0v1.12.3v1.12.4-hardened7v0.16.13VersionFlannel v0.27.2
Calico v3.30.2		v3.30.2v1.18.0v4.2.2
v1.33.3+rke2r1Jul 25 2025v1.33.3v3.5.21-k3s1v2.0.5-k3s2v1.2.6v0.8.0v1.12.2v1.12.4-hardened2v0.16.13VersionFlannel v0.27.1
Calico v3.30.2		v3.30.1v1.17.6v4.2.1
v1.33.2+rke2r1Jun 27 2025v1.33.2v3.5.21-k3s1v2.0.5-k3s1v1.2.6v0.7.2v1.12.2v1.12.2-hardened2v0.16.11VersionFlannel v0.27.0
Calico v3.30.1		v3.30.1v1.17.4v4.2.1
v1.33.1+rke2r1May 21 2025v1.33.1v3.5.21-k3s1v2.0.5-k3s1v1.2.6v0.7.2v1.12.1v1.12.1-hardened6v0.16.10VersionFlannel v0.26.7
Calico v3.30.0		v3.30.0v1.17.3v4.2.0
v1.33.0+rke2r1May 07 2025v1.33.0v3.5.21-k3s1v2.0.4-k3s2v1.2.5v0.7.2v1.12.1v1.12.1-hardened3v0.16.10VersionFlannel v0.26.6
Calico v3.29.3		v3.29.3v1.17.3v4.2.0

Release v1.33.11+rke2r1

This release updates Kubernetes to v1.33.11.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.10+rke2r3:

  • Charts: bump Harvester CSI Driver 0.1.28 (#10112)
      • Fix the race-condition issue during a huge pod respawn simultaneously
      • Support both Harvester v1.7/v1.8 Cluster
      • Support Backup
  • Test-suite: fix vault action failure (#10138)
  • Checksum verification for Dockerfiles (#10127)
  • Make releases immutable (#10040)
  • Bump images to build20260410 (#10145)
    • CNI bumps for the Apr 2026 release (#10157)
  • Update Flannel and Canal chart with updated images (#10172)
  • Bump rke2-multus to v4.2.408 (#10176)
  • Update Traefik to v3.6.12 (#10165)
    • Update Kubernetes Metrics Server chart 3.13.008 (#10187)
    • Update to CoreDNS chart 1.45.208 (#10193)
    • Bump to snapshot-controller v8.5.0 (#10217)
    • CNI bumps for the Apr 2026 release (part deux) (#10231)
  • K3s bump and backports for 2026-04 (#10228)
  • Update to v1.33.11 and Go v1.25.9 (#10232)
  • Bump ingress-nginx to fix CVEs (#10244)
  • Bump Traefik v3.6.13 (#10249)
    • Update to CoreDNS chart 1.45.209 (#10268)
  • Bump k3s and klipper-helm (#10286)

Charts Versions

ComponentVersion
rke2-cilium1.19.300
rke2-canalv3.31.5-build2026041500
rke2-calicov3.31.500
rke2-calico-crdv3.31.500
rke2-coredns1.45.209
rke2-ingress-nginx4.14.504
rke2-metrics-server3.13.008
rancher-vsphere-csi3.5.0-rancher200
rancher-vsphere-cpi1.12.100
harvester-cloud-provider0.2.1100
harvester-csi-driver0.1.2800
rke2-snapshot-controller4.2.003
rke2-snapshot-controller-crd4.2.003
rke2-traefik39.0.701
rke2-traefik-crd39.0.701

Release v1.33.10+rke2r3

This release updates Kubernetes to v1.33.10.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.10+rke2r1:

  • Bump nginx to fix kubegen (#10074)
  • Update to K8s v1.33.10+rke2r2 (#10078)
  • Bump ingress-chart to 4.14.503 (#10085)
  • Add checksum verification for 3rd party dependencies (#10093)
  • Add INGRESS_IMAGES (#10118)
  • Update to v1.33.10+rke2r3 (#10122)

Charts Versions

ComponentVersion
rke2-cilium1.19.101
rke2-canalv3.31.4-build2026032700
rke2-calicov3.31.400
rke2-calico-crdv3.31.400
rke2-coredns1.45.205
rke2-ingress-nginx4.14.503
rke2-metrics-server3.13.007
rancher-vsphere-csi3.5.0-rancher200
rancher-vsphere-cpi1.12.100
harvester-cloud-provider0.2.1100
harvester-csi-driver0.1.2500
rke2-snapshot-controller4.2.002
rke2-snapshot-controller-crd4.2.002
rke2-snapshot-validation-webhook0.0.0
rke2-traefik39.0.502
rke2-traefik-crd39.0.502

Release v1.33.10+rke2r1

This release updates Kubernetes to v1.33.10.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.9+rke2r1:

  • Add prime configuration (#9875)
  • Bump ingresses 2026 March (#9890)
  • Bump snapshot crd for groupsnapshot v1beta2 (#9904)
    • Update to multus chart v4.2.403 (#9912)
    • Update to CoreDNS chart 1.45.205 (#9920)
  • Update PSA namespace exceptions (#9929)
  • Bump flannel with newer busybox image (#9937)
  • Version bumps and backports for 2026-03 (#9940)
    • Update to canal v3.31.4-build2026031000 (#9952)
  • Bump runc to v1.4.1 (#9957)
  • Pass PRIME_REGISTRY env var to make ci steps (#9965)
  • Add PRIME_REGISTRY passthrough to in-docker-XXXXX targets (#9975)
  • Bump K3s version (#9988)
  • Update to v1.33.10 (#9991)
  • Bump ingress nginx to 1.14.5 (#10006)
  • Pin GH Actions to commit sha (#10017)
  • Add Install Trivy step (#10024)
  • Revert "[release-1.33] Make releases immutable (#10040)" (#10045)

Charts Versions

ComponentVersion
rke2-cilium1.19.101
rke2-canalv3.31.4-build2026032700
rke2-calicov3.31.400
rke2-calico-crdv3.31.400
rke2-coredns1.45.205
rke2-ingress-nginx4.14.501
rke2-metrics-server3.13.007
rancher-vsphere-csi3.5.0-rancher200
rancher-vsphere-cpi1.12.100
harvester-cloud-provider0.2.1100
harvester-csi-driver0.1.2500
rke2-snapshot-controller4.2.002
rke2-snapshot-controller-crd4.2.002
rke2-snapshot-validation-webhook0.0.0
rke2-traefik39.0.502
rke2-traefik-crd39.0.502

Release v1.33.9+rke2r1

This release updates Kubernetes to v1.33.9.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.8+rke2r1:

  • Ingress-Nginx to Traefik Docker Test (#9737)
  • Prevent manifest race in Ingress Migration test (#9744)
  • Prevent a node transform from agent/server to server/agent (#9780)
  • Fix package dev broken after dapper removal from rke2-packaging (#9806)
  • Bump Traefik to v3.6.9 (#9820)
  • Update to v1.33.9 and Go v1.24.13 (#9810)
  • Bump k3s for etcd bootstrap fix (#9795)
  • Bump ETCD version to v3.5.26-k3s1-20260227 (#9826)
  • Chore: Bump ingress-nginx 2026-Feb (#9831)
  • Backports for 2026-02 BONUS RELEASE (#9842)
  • Bump crictl, runc and containerd to build20260303 (#9850)

Charts Versions

ComponentVersion
rke2-cilium1.19.100
rke2-canalv3.31.3-build2026020600
rke2-calicov3.31.300
rke2-calico-crdv3.31.300
rke2-coredns1.45.201
rke2-ingress-nginx4.14.303
rke2-metrics-server3.13.007
rancher-vsphere-csi3.5.0-rancher200
rancher-vsphere-cpi1.12.100
harvester-cloud-provider0.2.1100
harvester-csi-driver0.1.2500
rke2-snapshot-controller4.2.001
rke2-snapshot-controller-crd4.2.001
rke2-snapshot-validation-webhook0.0.0
rke2-traefik39.0.002
rke2-traefik-crd39.0.002

Release v1.33.8+rke2r1

This release updates Kubernetes to v1.33.8.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.7+rke2r3:

  • Bump k3s + Bulk Backports 2026-02 (#9656)
    • Update to CoreDNS chart 1.45.201 (#9646)
  • CNI bumps for the Feb 2026 release (#9681)
    • Update Kubernetes Metrics Server chart 3.13.007 (#9689)
  • Bump ingress-nginx to v1.14.3-hardened2 (#9698)
  • Update K8s to v1.33.8 and Go to v1.24.12 (#9701)
  • Bump k3s/rke2-ccm/klipper-lb/klipper-helm (#9714)

Charts Versions

ComponentVersion
rke2-cilium1.19.001
rke2-canalv3.31.3-build2026020600
rke2-calicov3.31.300
rke2-calico-crdv3.31.300
rke2-coredns1.45.201
rke2-ingress-nginx4.14.302
rke2-metrics-server3.13.007
rancher-vsphere-csi3.5.0-rancher200
rancher-vsphere-cpi1.12.100
harvester-cloud-provider0.2.1100
harvester-csi-driver0.1.2500
rke2-snapshot-controller4.2.001
rke2-snapshot-controller-crd4.2.001
rke2-snapshot-validation-webhook0.0.0
rke2-traefik39.0.000
rke2-traefik-crd39.0.000

Release v1.33.7+rke2r3

This release updates Kubernetes to v1.33.7.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

RKE2 v1.34 Upgrade Warning

This warning targets users who perform upgrades by adding new nodes to the cluster, and removing old ones. If your etcd cluster membership is and has been consistent across versions, you should NOT be affected by this issue.

RKE2 v1.34 and higher include etcd 3.6. Maintainers of the etcd project have indicated that there no safe path from etcd 3.5 to 3.6 except by upgrading to v3.5.26 first.

In mid December, the project released an announcement indicating that there is NO safe path from etcd 3.5 to 3.6 except by upgrading to v3.5.26 first. Failure to do so can cause the cluster to report “zombie members” (etcd nodes that were removed from the cluster some time ago) re-appearing and joining database consensus, ultimately causing the cluster to lose quorum. This updated blog post contradicts previous announcements on this topic, which indicated that it was safe to upgrade from v3.5.20+ as long as nodes had been restarted at least once, to reconcile membership lists across internal storage layers.

The January releases of RKE2 v1.32 and v1.33 will include etcd v3.5.26. All users should plan on upgrading to this patch release, prior to upgrading to v1.34 and v1.35.

Changes since v1.33.7+rke2r1:

  • Remove dapper + use crane (#9444)
  • Bump calico chart to v3.31.300 (#9457)
  • CNI bump Jan 2026 (#9475)
  • Bump Ingresses - 2026 Jan (#9482)
  • Bulk Backports - 2026 Jan (#9494)
  • Rke2-coredns: Use k8s-style "IANA" names (RFC 6335) (#9505)
  • K3s bump and backports for 2026-01 (#9515)
  • Adjust Windows directory creation order (#9527)
  • Bump Traefik version to v3.6.7 (#9549)
  • Update chart and container image versions (#9560)
  • Add e2e test for Calico in eBPF mode (#9565)
  • Bump etcd to v3.5.26 (#9580)
  • Update to v1.33.7-rke2r3 (#9595)
  • Fix release arm64 (#9600)
  • Backport: Increase timeouts in calico eBPF tests (#9605)
  • Fix manifest and sync-prime steps (#9609)
  • Revert accidental hardcode of klipper-helm tag (#9625)
  • Bump K3s version for etcd reconcile fix (#9630)
  • Bump ingress-nginx to v1.14.3-hardened1 (#9635)

Charts Versions

ComponentVersion
rke2-cilium1.18.601
rke2-canalv3.31.3-build2026011900
rke2-calicov3.31.300
rke2-calico-crdv3.31.300
rke2-coredns1.45.008
rke2-ingress-nginx4.14.301
rke2-metrics-server3.13.006
rancher-vsphere-csi3.5.0-rancher200
rancher-vsphere-cpi1.12.100
harvester-cloud-provider0.2.1100
harvester-csi-driver0.1.2500
rke2-snapshot-controller4.2.000
rke2-snapshot-controller-crd4.2.000
rke2-snapshot-validation-webhook0.0.0
rke2-traefik38.0.201
rke2-traefik-crd38.0.201

Release v1.33.7+rke2r1

This release updates Kubernetes to v1.33.7.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.6+rke2r1:

  • Remove NetworkManager check for nm-cloud.service (#9291)
  • Bump rke2-coredns to 1.45.002 (#9335)
  • Bump rke2-multus to v4.2.303 (#9328)
  • Update CNI to the latest versions (#9354)
  • Update to multus chart version v4.2.305 (#9358)
    • Update to CoreDNS chart 1.45.003 and Kubernetes Metrics Server chart 3.13.004 (#9369)
  • Update to v1.33.7 and Go v1.24.11 (#9387)
  • Bump traefik version (#9385)
  • Backports for 2025-12 (#9378)
  • Bump ingress-nginx and vsphere-csi (#9392)
  • Bump kine to v0.14.9 (#9407)
  • Bump klipper-helm to v0.9.12 (#9401)
  • Revert "Remove FlannelBackend from config" (#9422)

Charts Versions

ComponentVersion
rke2-cilium1.18.401
rke2-canalv3.31.2-build2025120500
rke2-calicov3.31.200
rke2-calico-crdv3.31.200
rke2-coredns1.45.003
rke2-ingress-nginx4.13.500
rke2-metrics-server3.13.004
rancher-vsphere-csi3.5.0-rancher200
rancher-vsphere-cpi1.12.100
harvester-cloud-provider0.2.1100
harvester-csi-driver0.1.2500
rke2-snapshot-controller4.0.003
rke2-snapshot-controller-crd4.0.003
rke2-snapshot-validation-webhook0.0.0

Release v1.33.6+rke2r1

This release updates Kubernetes to v1.33.6.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.5+rke2r1:

  • Bump harvester-cloud-provider chart to v0.2.11 with app image tag v0.2.5 (#8958)
  • Update traefik to v3.5.1, use new hardened image (#8971)
  • Bump rke2-ingress-nginx to v1.13.3-hardened1 (#8999)
  • Container runtime endpoint description and Docker warning (#8986)
  • Add calico envoy-proxy and envoy-ratelimit images (#9023)
  • Move dualstack to larger docker runners to prevent eviction failures (#9031)
  • Charts: Bump Harvester CSI driver 0.1.25 (#9037)
      • Support CSI Snapshot
  • Bump k3s (#9044)
  • Update to cilium v1.18.2 (#9076)
  • October 2025 bumps for canal, flannel and multus (#9098)
  • Update to CoreDNS chart 1.44.300 and Kubernetes Metrics Server chart 3.13.002 (#9090)
  • Bump images for go1.24.9 (#9104)
  • Add new kubeapiserver argument for cis-1.11 benchmark (#9119)
  • Bump traefik and ingress-nginx (#9128)
  • Bump helm-controller/klipper-helm (#9136)
  • Tests: update e2e tests to use images from the rancher org (#9159)
  • Bump k3s and backport uninstall fixes (#9175)
  • Bump traefik to v3.5.4 and ingress-nginx to v1.13.4 (#9188)
  • Bump runc to v1.3.3 (#9193)
  • Improve PR Trivy Scanning Reports (#9239)
  • More backports for 2025-11 (#9251)
    • Update to multus chart version v4.2.300 (#9253)
  • Bump k3s and helm-controller (#9264)
  • Update k8s and Go (#9272)
  • Fix race condition with Calico startup on Windows (#9280)
  • Release race condition (#9297)

Charts Versions

ComponentVersion
rke2-cilium1.18.300
rke2-canalv3.30.3-build2025101500
rke2-calicov3.30.401
rke2-calico-crdv3.30.401
rke2-coredns1.44.300
rke2-ingress-nginx4.13.400
rke2-metrics-server3.13.002
rancher-vsphere-csi3.5.0-rancher100
rancher-vsphere-cpi1.12.100
harvester-cloud-provider0.2.1100
harvester-csi-driver0.1.2500
rke2-snapshot-controller4.0.003
rke2-snapshot-controller-crd4.0.003
rke2-snapshot-validation-webhook0.0.0

Release v1.33.5+rke2r1

This release updates Kubernetes to v1.33.5.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.4+rke2r1:

  • Added Calico new images (#8829)
  • Added Cilium with wireguard e2e tests (#8814)
  • CNI and coredns bumps for Sep 25 release (#8845)
  • Bump k3s, containerd, runc (#8865)
  • Bump crictl and cloud provider (#8862)
  • Bump ingress-nginx v1.12.6-hardened1 (#8869)
  • Bump CNI chart latest version (#8883)
  • Update metrics-server chart 3.13.001 (#8904)
  • Update CoreDNS chart 1.43.302 (#8908)
  • Bump etcd (#8912)
  • Update to v1.33.5 and Go to v1.24.6 (#8918)
  • Bump vsphere charts (#8939)

Charts Versions

ComponentVersion
rke2-cilium1.18.103
rke2-canalv3.30.3-build2025090900
rke2-calicov3.30.300
rke2-calico-crdv3.30.300
rke2-coredns1.43.302
rke2-ingress-nginx4.12.600
rke2-metrics-server3.13.001
rancher-vsphere-csi3.5.0-rancher100
rancher-vsphere-cpi1.12.100
harvester-cloud-provider0.2.1000
harvester-csi-driver0.1.2400
rke2-snapshot-controller4.0.003
rke2-snapshot-controller-crd4.0.003
rke2-snapshot-validation-webhook0.0.0

Release v1.33.4+rke2r1

This release updates Kubernetes to v1.33.4.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.3+rke2r1:

  • Add.utils test (#8651) - backport 1.33 (#8662)
  • CNI Bumps for Aug 25 release (#8695)
  • Bump rke2-coredns to 1.43.100 (#8721)
  • Update to cilium v1.18.000 (#8716)
  • Bump ingress-nginx to v1.12.4-hardened6 (#8732)
  • Update Kubernetes Metrics Server chart 3.13.000 (#8741)
  • Separate pod template generation and static pod execution code (#8746)
  • Add prime ribs index upload and cache invalidation (#8711)
  • Bump k3s (#8749)
  • Bump K3s version for certificate startup check fix (#8762)
  • Update K8s to v1.33.4 and Go to v1.24.5 (#8773)
  • Fix missing ECM config (#8778)
  • Fix uploader authentication (#8783)
  • Bump k3s for metric and event fixes (#8785)
  • Bump ingress-nginx to hardened7 (#8789)
  • Bump coredns chart and image (#8736) (#8795)
  • Fix static pod cleanup (#8806)

Charts Versions

ComponentVersion
rke2-cilium1.18.000
rke2-canalv3.30.2-build2025073100
rke2-calicov3.30.200
rke2-calico-crdv3.30.200
rke2-coredns1.43.101
rke2-ingress-nginx4.12.404
rke2-metrics-server3.13.000
rancher-vsphere-csi3.3.1-rancher1000
rancher-vsphere-cpi1.11.000
harvester-cloud-provider0.2.1000
harvester-csi-driver0.1.2400
rke2-snapshot-controller4.0.003
rke2-snapshot-controller-crd4.0.003
rke2-snapshot-validation-webhook0.0.0

Release v1.33.3+rke2r1

This release updates Kubernetes to v1.33.3.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.2+rke2r1:

  • Update Canal chart to latest version (#8529)
  • Prepend defaults to extra kube args (#8513)
  • Bump multus and whereabouts chart (#8536)
  • Update Kubernetes Metrics Server chart 3.12.203 (#8555)
  • Change structure and set namespace for ctr command (#8545)
  • Bump ingress-nginx to v1.12.4-hardened1 (#8568)
  • Charts: Bump Harvester CSI driver 0.1.24 (#8507)
      • Support online resize
      • Support external storage
  • Allow for zypper remove 104 code on uninstall (#8579)
    • Fix snapshot controller backwards compatibility (#8591)
  • Update flannel chart v0.27.100 (#8601)
  • Backports for 2025-07 (#8606)
  • Update K8s to v1.33.3 (#8625)
  • Bump ingress-nginx to hardened2 (#8632)
  • Update to cilium v1.17.6 (#8643)

Charts Versions

ComponentVersion
rke2-cilium1.17.600
rke2-canalv3.30.2-build2025071100
rke2-calicov3.30.100
rke2-calico-crdv3.30.100
rke2-coredns1.42.302
rke2-ingress-nginx4.12.401
rke2-metrics-server3.12.203
rancher-vsphere-csi3.3.1-rancher1000
rancher-vsphere-cpi1.11.000
harvester-cloud-provider0.2.1000
harvester-csi-driver0.1.2400
rke2-snapshot-controller4.0.003
rke2-snapshot-controller-crd4.0.003
rke2-snapshot-validation-webhook0.0.0

Release v1.33.2+rke2r1

This release updates Kubernetes to v1.33.2.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.1+rke2r1:

  • June 2025 CNI bumps (#8328)
  • Windows: Allow for silent/non confirmation use of uninstall.ps1 (#8342)
  • Testing Overhaul Backports (#8364)
  • Bump canal, flannel and cilium charts (#8359) (#8382)
  • Bump multus and whereabouts (#8360) (#8387)
  • Support profile: etcd (#8371)
  • Bump for etcd, containerd, cloud provider, runc and crictl (#8407)
  • Backports for 2025-06 (#8417)
  • Update Kubernetes Metrics Server chart 3.12.2 (#8421)
  • Update CoreDNS chart 1.42.3 (#8425)
  • Bump ingress-nginx to v1.12.2 and hardened-dns-node for CVE fixes (#8403)
  • Bump K3s version (#8434)
  • June K8s v1.33.2 patch (#8446)
  • Update runc to the newest image (#8471)

Charts Versions

ComponentVersion
rke2-cilium1.17.401
rke2-canalv3.30.1-build2025061101
rke2-calicov3.30.100
rke2-calico-crdv3.30.100
rke2-coredns1.42.302
rke2-ingress-nginx4.12.201
rke2-metrics-server3.12.202
rancher-vsphere-csi3.3.1-rancher1000
rancher-vsphere-cpi1.11.000
harvester-cloud-provider0.2.1000
harvester-csi-driver0.1.2300
rke2-snapshot-controller4.0.002
rke2-snapshot-controller-crd4.0.002
rke2-snapshot-validation-webhook0.0.0

Release v1.33.1+rke2r1

This release updates Kubernetes to v1.33.1.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.33.0+rke2r1:

  • Upload prime ribs assets (#8172)
  • Feat: bump harvester-cloud-provider to v0.2.10 (#8183)
  • Backports for 2025-05 (#8195)
  • Update calico chart to v3.30.0 and Canal image (#8201)
  • Bump nginx version (#8178)
  • Update to Kubernetes Metrics Server 3.12.201 (#8210)
  • Update to flannel v0.26.700 (#8218)
  • Update cilium and multus to cni-plugins v1.7.1 (#8226)
  • Upgrade nginx chart (#8231)
  • Update to flannel v0.26.701 and canal v3.30.0-build2025051500 (#8257)
  • Update to CoreDNS 1.42.000 (#8265)
  • Update k8s to v1.33.1 (#8241)
  • Fix race conditions in startup readiness checks (#8275)
  • Fix secrets syntax (#8283)

Charts Versions

ComponentVersion
rke2-cilium1.17.301
rke2-canalv3.30.0-build2025051500
rke2-calicov3.30.001
rke2-calico-crdv3.30.001
rke2-coredns1.42.000
rke2-ingress-nginx4.12.103
rke2-metrics-server3.12.201
rancher-vsphere-csi3.3.1-rancher1000
rancher-vsphere-cpi1.11.000
harvester-cloud-provider0.2.1000
harvester-csi-driver0.1.2300
rke2-snapshot-controller4.0.002
rke2-snapshot-controller-crd4.0.002
rke2-snapshot-validation-webhook0.0.0

Release v1.33.0+rke2r1

This release updates Kubernetes to v1.33.0.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.32.4+rke2r1:

  • Bump to K8s to v1.33.0 and golang v1.24.2 (#8126)
  • Remove kube-apiserver flags removed by upstream (#8136)

Charts Versions

ComponentVersion
rke2-cilium1.17.300
rke2-canalv3.29.3-build2025040801
rke2-calicov3.29.300
rke2-calico-crdv3.29.101
rke2-coredns1.39.201
rke2-ingress-nginx4.12.101
rke2-metrics-server3.12.200
rancher-vsphere-csi3.3.1-rancher1000
rancher-vsphere-cpi1.11.000
harvester-cloud-provider0.2.900
harvester-csi-driver0.1.2300
rke2-snapshot-controller4.0.002
rke2-snapshot-controller-crd4.0.002
rke2-snapshot-validation-webhook0.0.0