v1.36.X
Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.
| Version | Release date | Kubernetes | Etcd | Containerd | Runc | Metrics-server | CoreDNS | Ingress-Nginx | Helm-controller | Traefik | Canal (Default) | Calico | Cilium | Multus |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| v1.36.1+rke2r1 | May 18 2026 | v1.36.1 | v3.6.7-k3s1 | v2.2.3-k3s1 | v1.4.2 | v0.8.1 | v1.14.3 | v1.14.5-hardened2 | v0.17.1 | v3.6.16 | Flannel v0.28.4 Calico v3.32.0 | v3.32.0 | v1.19.3 | v4.2.4 |
| v1.36.0+rke2r1 | May 12 2026 | v1.36.0 | v3.6.7-k3s1 | v2.2.3-k3s1 | v1.4.2 | v0.8.1 | v1.14.3 | v1.14.5-hardened2 | v0.17.1 | v3.6.16 | Flannel v0.28.4 Calico v3.32.0 | v3.32.0 | v1.19.3 | v4.2.4 |
Release v1.36.1+rke2r1
[!WARNING] Upstream
ingress-nginxRetirement & Transition to Traefik Becauseingress-nginxwas retired upstream as of March 2026, Traefik is now the default for new clusters starting in v1.36 (existing clusters will keep their current ingress upon upgrade to avoid breakage). This transition brings the following structural changes:
- Airgapped Environments: The
rke2-images-coretarball now contains Traefik images instead ofingress-nginx. The standalonerke2-images-traefiktarball has been removed. Users who must continue usingingress-nginxwill now need to manually provide therke2-images-ingress-nginxtarball.- Future Removal: The
ingress-nginxchart will not receive any additional updates and will be completely removed in v1.37 for community users.- Prime Customers: Please refer to the official product documentation for specific Prime considerations.
This release updates Kubernetes to v1.36.1.
Important Note
If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.
You may retrieve the token value from any server already joined to the cluster:
cat /var/lib/rancher/rke2/server/token
Changes since v1.36.0+rke2r1:
- Update Kubernetes Metrics Server chart 3.13.010 (#10379)
- Fix inconsistent klipper-lb version (#10401)
- Bump images for CVE reasons (#10391)
- Update to v1.36.1 (#10399)
- Bump images for CVE reasons: Part Deux (#10408)
- Bump ingress-nginx for prime (#10415)
Charts Versions
| Component | Version |
|---|---|
| rke2-cilium | 1.19.303 |
| rke2-canal | v3.32.0-build2026051100 |
| rke2-calico | v3.32.001 |
| rke2-calico-crd | v3.32.001 |
| rke2-coredns | 1.45.212 |
| rke2-ingress-nginx | 4.14.508 |
| rke2-metrics-server | 3.13.011 |
| rancher-vsphere-csi | 3.7.0-rancher100 |
| rancher-vsphere-cpi | 1.14.000 |
| harvester-cloud-provider | 0.2.1100 |
| harvester-csi-driver | 0.1.2800 |
| rke2-snapshot-controller | 4.2.005 |
| rke2-snapshot-controller-crd | 4.2.003 |
| rke2-traefik | 39.0.703 |
| rke2-traefik-crd | 39.0.702 |
Release v1.36.0+rke2r1
[!WARNING] Upstream
ingress-nginxRetirement & Transition to Traefik Becauseingress-nginxwas retired upstream as of March 2026, Traefik is now the default for new clusters starting in v1.36 (existing clusters will keep their current ingress upon upgrade to avoid breakage). This transition brings the following structural changes:
- Airgapped Environments: The
rke2-images-coretarball now contains Traefik images instead ofingress-nginx. The standalonerke2-images-traefiktarball has been removed. Users who must continue usingingress-nginxwill now need to manually provide therke2-images-ingress-nginxtarball.- Future Removal: The
ingress-nginxchart will not receive any additional updates and will be completely removed in v1.37 for community users.- Prime Customers: Please refer to the official product documentation for specific Prime considerations.
This release updates Kubernetes to v1.36.0.
Important Note
If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.
You may retrieve the token value from any server already joined to the cluster:
cat /var/lib/rancher/rke2/server/token
Changes since v1.35.3+rke2r1:
- Add restorecon for /var/lib/rancher/rke2 when installing with tarball (#10039)
- Update GHA hash to the latest (#10083)
- Add checksum verification for 3rd party dependencies (#10081)
- Bump ingress-chart to 4.14.503 (#10084)
- Change default ingress controller to traefik, with support for detecting legacy default ingress-class (#10037)
- The default ingress-controller is now traefik. Clusters with ingress-nginx installed and set as default will continue to use ingress-nginx by default, unless manually configured to deploy traefik instead.
- Charts: bump Harvester CSI Driver 0.1.28 (#10109)
- Fix the race-condition issue during a huge pod respawn simultaneously
- Support both Harvester v1.7/v1.8 Cluster
- Support Backup
- Checksum verification in Dockerfile.windows, this ones gonna be a doo… (#10047)
- Fix checksums in Dockerfile.windows (#10128)
- Test-suite: fix vault action failure (#10135)
- Update stable channel to
v1.34.6+rke2r3(#10139) - Make releases immutable (#10043)
- Bump images to build20260410 (#10141)
- Update Flannel and Canal chart with updated images (#10169)
- Bump rke2-multus to v4.2.408 (#10173)
- Update to Kubernetes Metrics Server chart 3.13.008 (#10180)
- Bump etcd for CVE reasons (#10195)
- Bump to snapshot-controller v8.5.0 (#10207)
- Update to calico v3.31.5 (#10219)
- CNI bumps for the Apr 2026 release (part deux) (#10220)
- K3s bump for 2026-04 (#10208)
- Update to cilium v1.19.3 (#10240)
- Bump rke2-multus to v4.2.410 (#10272)
- Add ADR about gateway-api bundle (#10104)
- Bump k3s and klipper helm (#10283)
- Added updatecli automation for CNI update (#10100)
- Replace ingress-nginx with traefik in core image list (#10269)
- The
rke2-images-coretarball now contains images for traefik, instead of ingress-nginx. Users who will continue to use ingress-nginx in airgapped environments will need to provide images from therke2-images-ingress-nginxtarball. The standalonerke2-images-traefiktarball has been removed.
- The
- Update to Kubernetes v1.36.0 (#10296)
- Update kubernetes image in Dockerfile to v1.36.0 (#10299)
- Do not expect boringcrypto experiment on windows (#10303)
- Add support for ovirt CSI via
--cloud-provider-name=ovirt(#10315) - Bump ingress-nginx (#10321)
- Traefik 3.6.16 (#10325) (#10339)
- Do not bundle ovirt images on arm64 (#10341)
- CNI update May release (#10347)
- Bump K3s version (#10356)
- Add verification before disabling CCM (#10352)
- Update CNIs for 2026-05 Release Cycle (#10384)
- Update CoreDNS chart 1.45.212 (#10371)
Charts Versions
| Component | Version |
|---|---|
| rke2-cilium | 1.19.303 |
| rke2-canal | v3.32.0-build2026051100 |
| rke2-calico | v3.32.001 |
| rke2-calico-crd | v3.32.001 |
| rke2-coredns | 1.45.212 |
| rke2-ingress-nginx | 4.14.506 |
| rke2-metrics-server | 3.13.008 |
| rancher-vsphere-csi | 3.7.0-rancher100 |
| rancher-vsphere-cpi | 1.14.000 |
| harvester-cloud-provider | 0.2.1100 |
| harvester-csi-driver | 0.1.2800 |
| rke2-snapshot-controller | 4.2.003 |
| rke2-snapshot-controller-crd | 4.2.003 |
| rke2-traefik | 39.0.702 |
| rke2-traefik-crd | 39.0.702 |