The Wire · Showcase
KOPS HARDENS AZURE, KUBERNETES CORE ROLLS BACK API DEFINITIONS
By RepoJournal · Filed · About Kubernetes
etcd-manager jumped to v3.0.20260512 in kops while a coordinated kube-openapi revert rippled across four core repos to fix an API definition issue.
The kops team shipped etcd-manager v3.0.20260512 [1], a critical infrastructure upgrade for production clusters. In the same window, kops hardened Azure deployments by fixing VMSS NIC discovery in protokube gossip seeding [2] and matching VM/NIC ARM IDs case-insensitively in the dumper [3] — both addressing real production pain points on Azure. Meanwhile, a coordinated revert of kube-openapi [ref:6, ref:8, ref:11, ref:14] propagated through kubernetes/endpointslice, kube-scheduler, dynamic-resource-allocation, and pod-security-admission to pick up API Definitions fixes [ref:7, ref:9, ref:12, ref:15]. The kube-scheduler also enabled validation-gen for all APIs [8], enforcing stricter schema enforcement going forward. Pod-security-admission added safe sysctls [11], expanding the allowlist for hardened environments. The kops team also cleaned up deprecated code paths [14], removing technical debt from older versions.
Action items
- → Update kops clusters to etcd-manager v3.0.20260512 in next maintenance window kubernetes/kops [plan]
- → Verify kube-openapi revert in your build pipeline if you vendor kubernetes dependencies kubernetes/kubernetes [monitor]
- → Review pod-security-admission safe sysctls additions if enforcing restricted policies kubernetes/pod-security-admission [monitor]
References
- [1] etcd-manager: upgrade to v3.0.20260512 ↗ kubernetes/kops
- [2] Merge pull request #18319 from hakman/azure-fix-gossip-discovery kubernetes/kops
- [3] Merge pull request #18315 from hakman/azure-dump-equalfold kubernetes/kops
- [4] Merge pull request #139001 from jpbetz/bump-kube-openapi-for-revert kubernetes/endpointslice
- [5] Bump kube-openapi to pick up API Definitions revert kubernetes/endpointslice
- [6] Merge pull request #139001 from jpbetz/bump-kube-openapi-for-revert kubernetes/kube-scheduler
- [7] Bump kube-openapi to pick up API Definitions revert kubernetes/kube-scheduler
- [8] Merge pull request #138657 from jpbetz/codegen-discovery kubernetes/kube-scheduler
- [9] Merge pull request #139001 from jpbetz/bump-kube-openapi-for-revert kubernetes/dynamic-resource-allocation
- [10] Bump kube-openapi to pick up API Definitions revert kubernetes/dynamic-resource-allocation
- [11] Merge pull request #138389 from gheffern/add-safe-sysctls-135972 kubernetes/pod-security-admission
- [12] Merge pull request #139001 from jpbetz/bump-kube-openapi-for-revert kubernetes/pod-security-admission
- [13] Bump kube-openapi to pick up API Definitions revert kubernetes/pod-security-admission
- [14] Address misc TODO comments ↗ kubernetes/kops
FAQ
- What changed in Kubernetes on May 13, 2026?
- etcd-manager jumped to v3.0.20260512 in kops while a coordinated kube-openapi revert rippled across four core repos to fix an API definition issue.
- What should Kubernetes teams do about it?
- Update kops clusters to etcd-manager v3.0.20260512 in next maintenance window • Verify kube-openapi revert in your build pipeline if you vendor kubernetes dependencies • Review pod-security-admission safe sysctls additions if enforcing restricted policies
- Which Kubernetes repositories shipped on May 13, 2026?
- kubernetes/kops, kubernetes/endpointslice, kubernetes/kube-scheduler, kubernetes/dynamic-resource-allocation, kubernetes/pod-security-admission