By Category

CAPA Releases

Dec 16, 2025 CAPA releases releases aws-33.1.1
This patch release fixes an issue with the installation of the Teleport Kube Agent app.
Changes compared to v33.1.0
Apps
- coredns from v1.28.2 to v1.28.3
coredns v1.28.2…v1.28.3
Changed
- Update coredns image to 1.13.2.
Dec 3, 2025 CAPA releases releases aws-33.1.0
Update Kubernetes to v1.33.6, Flatcar to v4459.2.1 and various component upgrades.
Changes compared to v33.0.1
Components
- cluster-aws from v6.2.0 to v6.4.1
- Flatcar from v4230.2.3 to v4459.2.1
- Kubernetes from v1.33.5 to v1.33.6
- os-tooling from v1.26.1 to v1.26.2
cluster-aws v6.2.0…v6.4.1
Added
- This change will roll the nodes on Karpenter node pools Attach the lb Security Group to Karpenter nodes.
- This change will roll the nodes on Karpenter node pools Name instance on AWS after the nodepool name.
- Add node-problem-detector-app, disabled by default.
Changed
- Tidy up dependencies on azs-getter.
- Make global.baseDomain and global.managementCluster required values. These values will be passed to the chart when deploying it from the cluster-app-installation-values ConfigMap in the default namespace.
- Extract required values to its own central file to avoid repeating the required keyword and error messages. This is normally done automatically by a Kyverno policy.
- Change the default root disk size for Karpenter node pools. Karpenter will choose the cheapest instances, and certain instances, like g6f.xlarge come with some drivers that require a larger disk.
- Chart: Update cluster to v4.3.0.
Apps
- aws-ebs-csi-driver from v3.2.0 to v3.3.0
- aws-pod-identity-webhook from v2.0.0 to v2.1.0
- cert-exporter from v2.9.12 to v2.9.14
- cert-manager from v3.9.3 to v3.9.4
- cilium from v1.3.1 to v1.3.2
- etcd-defrag from v1.2.1 to v1.2.3
- etcd-k8s-res-count-exporter from v1.10.9 to v1.10.11
- k8s-audit-metrics from v0.10.8 to v0.10.10
- karpenter-crossplane-resources from v0.4.0 to v0.5.1
- node-exporter from v1.20.7 to v1.20.9
- observability-policies from v0.0.2 to v0.0.3
- security-bundle from v1.13.1 to v1.15.0
- teleport-kube-agent from v0.10.6 to v0.10.7
aws-ebs-csi-driver v3.2.0…v3.3.0
Changed
- Chart: Sync to upstream. (#338)
  - Chart: Update AWS EBS CSI Driver from v1.41.0 to v1.51.0.
  - Chart: ⚠️ URGENT: XFS Compatibility Issue - Newly formatted XFS volumes may fail to mount on nodes with older kernels (Amazon Linux 2). Use node.legacyXFS: true as workaround.
  - Chart: ⚠️ URGENT: Controller Health Checks - Controller now performs AWS API dry-run checks. Ensure proper IAM permissions and network connectivity.
  - Chart: ⚠️ URGENT: StorageClass Parameter Deprecation* - blockExpress parameter is deprecated for io2 volumes (now always uses 256,000 IOPS cap).
  - Chart: Add support for creating instant, point-in-time copies of EBS volumes within the same Availability Zone.
  - Chart: Add debugLogs parameter for maximum verbosity logging and debugging.
  - Chart: Add metadataSources configuration option for node metadata handling.
  - Chart: Add disableMutation parameter for service account mutation control.
  - Chart: Add support for updating node’s max attachable volume count via MutableCSINodeAllocatableCount feature gate (Kubernetes 1.33+).
  - Chart: Update dependencies including AWS SDK, Prometheus, and various Go modules.
  - Chart: Add missing enablePrometheusAnnotations values for controller and node components.
  - Chart: Update sidecar container versions:
- csi-provisioner: v5.2.0 → v5.3.0
- csi-attacher: v4.8.1 → v4.9.0
- csi-snapshotter: v8.2.1 → v8.3.0
- livenessprobe: v2.14.0 → v2.16.0
- csi-resizer: v1.13.2 → v1.14.0
- csi-node-driver-registrar: v2.13.0 → v2.14.0
- volume-modifier-for-k8s: v0.5.1 → v0.8.0
aws-pod-identity-webhook v2.0.0…v2.1.0
Changed
- Set VPA minAllowed CPU to 50m. Otherwise VPA will set the CPU to tiny values that will cause CPU throttling.
cert-exporter v2.9.12…v2.9.14
Changed
- Go: Update dependencies.
- Go: Update dependencies.
cert-manager v3.9.3…v3.9.4
Added
- Add E2E tests using apptest-framework for automated PR testing across multiple providers (CAPA, CAPV, CAPZ, CAPVCD).
  - Basic test suite: Validates fresh installations
  - Upgrade test suite: Tests upgrade scenarios and certificate reconciliation
- Add certificate issuance integration test to cluster-test-suites.
Changed
- Upgrade cert-manager to v1.18.2.
cilium v1.3.1…v1.3.2
Changed
- Upgrade Cilium to v1.18.4.
etcd-defrag v1.2.1…v1.2.3
Changed
- Chart: Update dependency ahrtr/etcd-defrag to v0.36.0. (#69)
- Chart: Update dependency ahrtr/etcd-defrag to v0.35.0. (#64)
etcd-k8s-res-count-exporter v1.10.9…v1.10.11
Changed
- Go: Update dependencies.
- Go: Update dependencies.
k8s-audit-metrics v0.10.8…v0.10.10
Changed
- Go: Update dependencies.
- Go: Update dependencies.
karpenter-crossplane-resources v0.4.0…v0.5.1
Added
- Add new Helm value to configure the workers IAM role. When Karpenter launches worker instances, it will attach the worker instance profile.
Fixed
- Default the iam:PassRole resource to old worker role ARN (the one used before crossplane started managing the IAM Roles) when workersIamRole is not provided. This is needed to make our tests automation to work, regardless of the version of this app used.
node-exporter v1.20.7…v1.20.9
Changed
- Go: Update dependencies.
- Go: Update dependencies.
observability-policies v0.0.2…v0.0.3
Fixed
- Missing RBAC for kyverno-report-controller
security-bundle v1.13.1…v1.15.0
Added
- Add kubescape (app) version v0.0.4.
Changed
- Update kyverno (app) to v0.21.1.
- Update kyverno-crds (app) to v1.15.0.
- Update kyverno (app) to v0.20.1.
- Update kyverno-crds (app) to v1.14.0.
- Update kyverno-policies (app) to v0.24.0.
- Update reports-server (app) to v0.0.3.
teleport-kube-agent v0.10.6…v0.10.7
Added
- Add ephemeral-storage requests and limits to satisfy Kyverno policy require-emptydir-requests-and-limits.
Changed
- Enable upstream-provided Prometheus PodMonitor to scrape metrics from Teleport Kube Agent pods.
Nov 2, 2025 CAPA releases releases aws-32.1.0
This release updates Flatcar to v4230.2.4 and includes several app updates and improvements.
Changes compared to v32.0.0
Components
- cluster-aws from v5.0.0 to v5.3.0
- Flatcar from v4230.2.2 to v4230.2.4
- os-tooling from v1.26.1 to v1.26.2
cluster-aws v5.0.0…v5.3.0
Added
- Expose value to configure terminationGracePeriod in the karpenter node pools.
Changed
- Configure the following startupTaints to help karpenter ignore pending Pods due to these taints that will be removed after the node starts, avoiding unnecessary instance provisioning:
  - node.cluster.x-k8s.io/uninitialized:NoSchedule
  - node.cilium.io/agent-not-ready:NoSchedule
  - ebs.csi.aws.com/agent-not-ready:NoExecute
- Reduce heartbeat timeout for ASG lifecycle hooks to from 30 minutes to 3 minutes since aws-node-termination-handler-app (NTH) can now send heartbeats
Apps
- aws-ebs-csi-driver from v3.0.5 to v3.3.0
- aws-nth-bundle from v1.2.2 to v1.3.0
- aws-pod-identity-webhook from v1.19.1 to v2.0.0
- capi-node-labeler from v1.1.3 to v1.1.5
- cert-exporter from v2.9.9 to v2.9.13
- cert-manager from v3.9.2 to v3.9.4
- cilium from v1.3.0 to v1.3.1
- coredns from v1.27.0 to v1.28.2
- etcd-defrag from v1.0.8 to v1.2.2
- etcd-k8s-res-count-exporter from v1.10.7 to v1.10.10
- k8s-audit-metrics from v0.10.6 to v0.10.9
- node-exporter from v1.20.5 to v1.20.8
- observability-bundle from v2.2.2 to v2.3.2
- security-bundle from v1.12.0 to v1.14.0
- vertical-pod-autoscaler from v6.0.1 to v6.1.1
- vertical-pod-autoscaler-crd from v4.0.1 to v4.1.1
aws-ebs-csi-driver v3.0.5…v3.3.0
Changed
- Chart: Sync to upstream. (#338)
  - Chart: Update AWS EBS CSI Driver from v1.41.0 to v1.51.0.
  - Chart: ⚠️ URGENT: XFS Compatibility Issue - Newly formatted XFS volumes may fail to mount on nodes with older kernels (Amazon Linux 2). Use node.legacyXFS: true as workaround.
  - Chart: ⚠️ URGENT: Controller Health Checks - Controller now performs AWS API dry-run checks. Ensure proper IAM permissions and network connectivity.
  - Chart: ⚠️ URGENT: StorageClass Parameter Deprecation* - blockExpress parameter is deprecated for io2 volumes (now always uses 256,000 IOPS cap).
  - Chart: Add support for creating instant, point-in-time copies of EBS volumes within the same Availability Zone.
  - Chart: Add debugLogs parameter for maximum verbosity logging and debugging.
  - Chart: Add metadataSources configuration option for node metadata handling.
  - Chart: Add disableMutation parameter for service account mutation control.
  - Chart: Add support for updating node’s max attachable volume count via MutableCSINodeAllocatableCount feature gate (Kubernetes 1.33+).
  - Chart: Update dependencies including AWS SDK, Prometheus, and various Go modules.
  - Chart: Add missing enablePrometheusAnnotations values for controller and node components.
  - Chart: Update sidecar container versions:
- csi-provisioner: v5.2.0 → v5.3.0
- csi-attacher: v4.8.1 → v4.9.0
- csi-snapshotter: v8.2.1 → v8.3.0
- livenessprobe: v2.14.0 → v2.16.0
- csi-resizer: v1.13.2 → v1.14.0
- csi-node-driver-registrar: v2.13.0 → v2.14.0
- volume-modifier-for-k8s: v0.5.1 → v0.8.0
- Configure gsoci.azurecr.io as the default container image registry.
- Set default updateStrategy.rollingUpdate.maxUnavailable to 25% in DaemonSet to speed up rolling update.
aws-nth-bundle v1.2.2…v1.3.0
Changed
- Upgrade aws-nth-crossplane-resources to v1.3.0, fixing support for multiple OIDC providers in the NTH IAM role as required for cleanup of migrated vintage clusters, and supporting heartbeat sending
- Upgrade aws-node-termination-handler-app to v1.23.0, enabling heartbeats by default and upgrading to upstream application version v1.25.2 which fixes a resource leak bug relevant to heartbeat sending
- Upgrade aws-nth-crossplane-resources to v1.1.1, supporting multiple OIDC providers in the NTH IAM role as required for cleanup of migrated vintage clusters
aws-pod-identity-webhook v1.19.1…v2.0.0
Changed
- Upgrade IRSA to latest v0.6.9
capi-node-labeler v1.1.3…v1.1.5
Changed
- Go: Update dependencies.
- Go: Update dependencies.
cert-exporter v2.9.9…v2.9.13
Changed
- Go: Update dependencies.
- Go: Update dependencies.
- Chart: Add value to toggle creation of Daemonset resources.
- Go: Update dependencies.
cert-manager v3.9.2…v3.9.4
Added
- Add E2E tests using apptest-framework for automated PR testing across multiple providers (CAPA, CAPV, CAPZ, CAPVCD).
  - Basic test suite: Validates fresh installations
  - Upgrade test suite: Tests upgrade scenarios and certificate reconciliation
- Add certificate issuance integration test to cluster-test-suites.
Changed
- Upgrade cert-manager to v1.18.2.
- Fix missing targetPort in cainjector-service
cilium v1.3.0…v1.3.1
Changed
- Upgrade Cilium to v1.18.2.
coredns v1.27.0…v1.28.2
Changed
- Update coredns image to 1.13.1.
- Add value to toggle creation of controlplane deployment.
- Update coredns image to 1.13.0.
etcd-defrag v1.0.8…v1.2.2
Changed
- Chart: Update dependency ahrtr/etcd-defrag to v0.35.0. (#64)
- Chart: Update dependency ahrtr/etcd-defrag to v0.34.0. (#62)
- Chart: Update dependency ahrtr/etcd-defrag to v0.33.0. (#60)
- Update Kyverno API to v2 for policy exceptions
- Chart: Update dependency ahrtr/etcd-defrag to v0.32.0. (#57)
etcd-k8s-res-count-exporter v1.10.7…v1.10.10
Changed
- Go: Update dependencies.
- Go: Update dependencies.
- Update Kyverno API to v2 for policy exceptions
- Go: Update dependencies.
k8s-audit-metrics v0.10.6…v0.10.9
Changed
- Go: Update dependencies.
- Go: Update dependencies.
- Update Kyverno API to v2 for policy exceptions
- Go: Update dependencies.
node-exporter v1.20.5…v1.20.8
Changed
- Go: Update dependencies.
- Go: Update dependencies.
- Update Kyverno API to v2 for policy exceptions
- Go: Update dependencies.
observability-bundle v2.2.2…v2.3.2
Added
- Add KSM metrics for cloudnative-pg Cluster objects
Changed
- Update alloy-app to 0.15.0
  - Bumps alloy to 1.11.0
Fixed
- Update alloy-app to 0.15.1
  - Bumps alloy to 1.11.2
security-bundle v1.12.0…v1.14.0
Changed
- Update kyverno (app) to v0.20.1.
- Update kyverno-crds (app) to v1.14.0.
- Update kyverno-policies (app) to v0.24.0.
- Update reports-server (app) to v0.0.3.
- Revert previous kyverno update (#536, #531, #538).
- Update kyverno-policy-operator (app) to v0.1.6.
- Update kyverno (app) to v0.20.0.
- Update kyverno-crds (app) to v1.14.0.
- Update kyverno-policies (app) to v0.24.0.
- Update kyverno-policy-operator (app) to v0.1.5.
- Update trivy-operator (app) to v0.12.1.
- Update trivy (app) to v0.14.1.
- Update falco (app) to v0.11.0.
vertical-pod-autoscaler v6.0.1…v6.1.1
Changed
- Chart: Update Helm release vertical-pod-autoscaler to v11.1.1. (#375)
- Chart: Update Helm release vertical-pod-autoscaler to v11.1.0. (#372)
vertical-pod-autoscaler-crd v4.0.1…v4.1.1
Changed
- Chart: Sync to upstream. (#166)
- Chart: Sync to upstream. (#164)
Oct 21, 2025 CAPA releases releases aws-33.0.1
This release improves the stability of Karpenter node pools.
Changes compared to v33.0.0
Components
- cluster-aws from v6.0.0 to v6.2.0
cluster-aws v6.0.0…v6.2.0
Added
- Add capa-karpenter-taint-remover to handle CAPA - Karpenter taint race condition.
Changed
- Change default consolidation time to 6 hours to avoid constant node rolling.
- Rename capa-karpenter-taint-remover app.
- Set terminationGracePeriod default to 30m, to avoid having karpenter nodes stuck in Deleting state due to Pods blocking the deletion i.e. PDBs.
Apps
- aws-pod-identity-webhook from v1.19.1 to v2.0.0
- karpenter from v1.3.0 to v1.4.0
- Added karpenter-taint-remover v1.0.1
- security-bundle from v1.12.0 to v1.13.1
aws-pod-identity-webhook v1.19.1…v2.0.0
Changed
- Upgrade IRSA to latest v0.6.9
karpenter v1.3.0…v1.4.0
Changed
- Updated karpenter to 1.8.1
- Fixes RBAC issues when OwnerReferencesPermissionEnforcement featuregate is enabled by allowing finalizers sub’resource modification.
karpenter-taint-remover v1.0.1
Changed
- Use default catalog
security-bundle v1.12.0…v1.13.1
Changed
- Revert previous kyverno update (#536, #531, #538).
- Update kyverno-policy-operator (app) to v0.1.6.
- Update kyverno (app) to v0.20.0.
- Update kyverno-crds (app) to v1.14.0.
- Update kyverno-policies (app) to v0.24.0.
- Update kyverno-policy-operator (app) to v0.1.5.
- Update trivy-operator (app) to v0.12.1.
- Update trivy (app) to v0.14.1.
- Update falco (app) to v0.11.0.
Oct 15, 2025 CAPA releases releases aws-33.0.0
WARNING: This release enables the OwnerReferencesPermissionEnforcement admission controller by default. This means that only users with delete permission to an object can change its metadata.ownerReferences, and only users with update permission to the finalizers subresource of the referenced owner can change metadata.ownerReferences[x].blockOwnerDeletion. If you have workloads that need to modify these fields, please ensure that the necessary RBAC permissions are in place before upgrading to this release.
Example:
```
- apiGroups: ["<group>"]
  resources: ["<resource>", "<resource>/finalizers"]
  verbs: ["delete", "..."]  # Add any additional verbs your use case requires
```
Changes compared to v32.0.0
Components
- cluster-aws from v5.0.0 to v6.0.0
- Flatcar from v4230.2.2 to v4230.2.3
- Kubernetes from v1.32.9 to v1.33.5
cluster-aws v5.0.0…v6.0.0
Added
- Add standard tags to IRSA infrastructure.
- Expose value to configure terminationGracePeriod in the karpenter node pools.
Changed
- Chart: Update cluster to v4.2.0.
- The container registry passed as value to default apps is set to gsoci.azurecr.io, regardless of the cluster region. The mirroring feature of containerd will make sure the right registry is used.
- Switch to HelmReleases to install karpenter and karpenter-crossplane-resources charts.
- Bump flux HelmReleases api version to v2.
- Reduce heartbeat timeout for ASG lifecycle hooks to from 30 minutes to 3 minutes since aws-node-termination-handler-app (NTH) can now send heartbeats
- Configure the following startupTaints to help karpenter ignore pending Pods due to these taints that will be removed after the node starts, avoiding unnecessary instance provisioning:
  - node.cluster.x-k8s.io/uninitialized:NoSchedule
  - node.cilium.io/agent-not-ready:NoSchedule
  - ebs.csi.aws.com/agent-not-ready:NoExecute
- Include cilium ENI mode pod CIDRs in the NodePort Services security group ingress rules.
Removed
- Removed capi-node-labeler app. From now on, the worker nodes won’t have the node-role.kubernetes.io/worker or node.kubernetes.io/worker labels.
Apps
- aws-ebs-csi-driver from v3.0.5 to v3.2.0
- aws-nth-bundle from v1.2.2 to v1.3.0
- cert-exporter from v2.9.9 to v2.9.12
- cert-manager from v3.9.2 to v3.9.3
- cilium from v1.3.0 to v1.3.1
- cloud-provider-aws from v1.32.3 to v1.33.2-1
- cluster-autoscaler from v1.32.2-gs1 to v1.33.1-2
- coredns from v1.27.0 to v1.28.2
- etcd-defrag from v1.0.8 to v1.2.1
- etcd-k8s-res-count-exporter from v1.10.7 to v1.10.9
- k8s-audit-metrics from v0.10.6 to v0.10.8
- Added karpenter v1.3.0
- Added karpenter-crossplane-resources v0.4.0
- node-exporter from v1.20.5 to v1.20.7
- observability-bundle from v2.2.2 to v2.3.2
- vertical-pod-autoscaler from v6.0.1 to v6.1.1
- vertical-pod-autoscaler-crd from v4.0.1 to v4.1.1
aws-ebs-csi-driver v3.0.5…v3.2.0
Changed
- Configure gsoci.azurecr.io as the default container image registry.
- Set default updateStrategy.rollingUpdate.maxUnavailable to 25% in DaemonSet to speed up rolling update.
aws-nth-bundle v1.2.2…v1.3.0
Changed
- Upgrade aws-nth-crossplane-resources to v1.3.0, fixing support for multiple OIDC providers in the NTH IAM role as required for cleanup of migrated vintage clusters, and supporting heartbeat sending
- Upgrade aws-node-termination-handler-app to v1.23.0, enabling heartbeats by default and upgrading to upstream application version v1.25.2 which fixes a resource leak bug relevant to heartbeat sending
- Upgrade aws-nth-crossplane-resources to v1.1.1, supporting multiple OIDC providers in the NTH IAM role as required for cleanup of migrated vintage clusters
cert-exporter v2.9.9…v2.9.12
Changed
- Go: Update dependencies.
- Chart: Add value to toggle creation of Daemonset resources.
- Go: Update dependencies.
cert-manager v3.9.2…v3.9.3
Changed
- Fix missing targetPort in cainjector-service
cilium v1.3.0…v1.3.1
Changed
- Upgrade Cilium to v1.18.2.
cloud-provider-aws v1.32.3…v1.33.2-1
Changed
- Chart: Update to upstream v1.33.2.
cluster-autoscaler v1.32.2-gs1…v1.33.1-2
Changed
- Chart: Grant access to VolumeAttachments. (#345)
- Update Kyverno API to v2 for policy exceptions
- Chart: Update to upstream v1.33.1.
coredns v1.27.0…v1.28.2
Changed
- Update coredns image to 1.13.1.
- Add value to toggle creation of controlplane deployment.
- Update coredns image to 1.13.0.
etcd-defrag v1.0.8…v1.2.1
Changed
- Chart: Update dependency ahrtr/etcd-defrag to v0.34.0. (#62)
- Chart: Update dependency ahrtr/etcd-defrag to v0.33.0. (#60)
- Update Kyverno API to v2 for policy exceptions
- Chart: Update dependency ahrtr/etcd-defrag to v0.32.0. (#57)
etcd-k8s-res-count-exporter v1.10.7…v1.10.9
Changed
- Go: Update dependencies.
- Update Kyverno API to v2 for policy exceptions
- Go: Update dependencies.
k8s-audit-metrics v0.10.6…v0.10.8
Changed
- Go: Update dependencies.
- Update Kyverno API to v2 for policy exceptions
- Go: Update dependencies.
karpenter v1.3.0
Changed
- Updated karpenter to 1.7.1
karpenter-crossplane-resources v0.4.0
Changed
- Add iam:ListInstanceProfiles for release 1.7.1
node-exporter v1.20.5…v1.20.7
Changed
- Go: Update dependencies.
- Update Kyverno API to v2 for policy exceptions
- Go: Update dependencies.
observability-bundle v2.2.2…v2.3.2
Added
- Add KSM metrics for cloudnative-pg Cluster objects
Changed
- Update alloy-app to 0.15.0
  - Bumps alloy to 1.11.0
Fixed
- Update alloy-app to 0.15.1
  - Bumps alloy to 1.11.2
vertical-pod-autoscaler v6.0.1…v6.1.1
Changed
- Chart: Update Helm release vertical-pod-autoscaler to v11.1.1. (#375)
- Chart: Update Helm release vertical-pod-autoscaler to v11.1.0. (#372)
vertical-pod-autoscaler-crd v4.0.1…v4.1.1
Changed
- Chart: Sync to upstream. (#166)
- Chart: Sync to upstream. (#164)
Sep 15, 2025 CAPA releases releases aws-32.0.0
WARNING: With Flatcar 4230.2.0, cgroups v1 backwards compatibility has been removed. This means that enabling legacy cgroups v1 is no longer supported and nodes still using them will fail to update.
Changes compared to v31.1.2
Components
- cluster-aws from v3.6.2 to v5.0.0
- Flatcar from v4152.2.3 to v4230.2.2
- Kubernetes from v1.31.11 to v1.32.9
cluster-aws v3.6.2…v5.0.0
Added
- Add global.connectivity.network.nodePortIngressRuleCidrBlocks value to allow configuring the CIDRs in the NodePort security group ingress rules.
- Expose new machinepool values to configure the karpenter node pools:
- consolidateAfter
- consolidationBudgets
- consolidationPolicy
Changed
- Chart: Update cluster to v3.0.1.
  - BREAKING CHANGE: Cgroups v1 is not supported anymore. The .internal.advancedConfiguration.cgroupsv1 and .global.nodePools.().cgroupsv1 flags have been removed.
  - Chart: Simplify containerd configuration by using a single config file for both control-plane and worker nodes.
- Chart: Update cluster to v2.6.2.
- Chart: Update cluster to v2.6.1.
Fixed
- Add cluster chart nodepool fields to the schema.
Removed
- Remove Helm chart that creates karpenter node pools, because they will be created by a kubernetes controller running in the management cluster.
Apps
- capi-node-labeler from v1.1.2 to v1.1.3
- cert-exporter from v2.9.8 to v2.9.9
- cert-manager from v3.9.1 to v3.9.2
- cilium from v1.2.2 to v1.3.0
- cloud-provider-aws from v1.31.5-gs1 to v1.32.3
- cluster-autoscaler from v1.31.3-gs1 to v1.32.2-gs1
- coredns from v1.26.0 to v1.27.0
- etcd-defrag from v1.0.6 to v1.0.8
- etcd-k8s-res-count-exporter from v1.10.6 to v1.10.7
- k8s-audit-metrics from v0.10.5 to v0.10.6
- k8s-dns-node-cache from v2.9.0 to v2.9.1
- karpenter-bundle from v2.1.0 to v2.2.0
- metrics-server from v2.6.0 to v2.7.0
- node-exporter from v1.20.4 to v1.20.5
- observability-bundle from v2.0.0 to v2.2.2
- vertical-pod-autoscaler from v5.5.1 to v6.0.1
- vertical-pod-autoscaler-crd from v3.3.1 to v4.0.1
capi-node-labeler v1.1.2…v1.1.3
Changed
- Go: Update dependencies.
cert-exporter v2.9.8…v2.9.9
Changed
- Go: Update dependencies.
cert-manager v3.9.1…v3.9.2
Changed
- Add alloy ingress rules for cainjector metrics ingestion.
cilium v1.2.2…v1.3.0
Changed
- Upgrade Cilium to v1.18.1.
- Improve the k8s service host autodiscovery mechanism
- Upgrade Cilium to v1.17.7.
cloud-provider-aws v1.31.5-gs1…v1.32.3
Changed
- Chart: Update to upstream v1.32.3.
- Chart: Update to upstream v1.32.3.
cluster-autoscaler v1.31.3-gs1…v1.32.2-gs1
Changed
- Chart: Update to upstream v1.32.2.
coredns v1.26.0…v1.27.0
Changed
- Updated E2E tests to use apptest-framework v1.14.0
- Update coredns image to 1.12.3.
etcd-defrag v1.0.6…v1.0.8
Changed
- Chart: Update dependency ahrtr/etcd-defrag to v0.31.0. (#52)
- Chart: Update dependency ahrtr/etcd-defrag to v0.30.0. (#46)
etcd-k8s-res-count-exporter v1.10.6…v1.10.7
Changed
- Go: Update dependencies.
k8s-audit-metrics v0.10.5…v0.10.6
Changed
- Go: Update dependencies.
k8s-dns-node-cache v2.9.0…v2.9.1
Changed
- Update PolicyException apiVersion to v2.
karpenter-bundle v2.1.0…v2.2.0
Changed
- Change karpenter to it’s own namespace.
- Bump karpenter to v1.6.3.
- Allow changing karpenter app versions.
metrics-server v2.6.0…v2.7.0
Changed
- Chart: Update PolicyExceptions to v2.
node-exporter v1.20.4…v1.20.5
Changed
- Go: Update dependencies.
observability-bundle v2.0.0…v2.2.2
Added
- Add KSM metrics for IRSAClaim objects
Changed
- Upgrade kube-prometheus-stack-app to 18.1.0
  - Add relabeling rules from cluster-api-monitoring-app so that cluster_id label points to the workload cluster name as expected in some alert definitions
- Upgrade kube-prometheus-stack to 77.0.1
  - Bumps prometheus-operator and CRDs to 0.85.0
- Update alloy-app to 0.13.0
- Upgrade kube-prometheus-stack to 76.4.0
  - Bumps prometheus-operator and CRDs to 0.84.1
  - Bumps prometheus to 3.5.0
- Update alloy-app to 0.12.1
  - Bumps alloy to 1.10.1
vertical-pod-autoscaler v5.5.1…v6.0.1
Changed
- Chart: Update Helm release vertical-pod-autoscaler to v11.0.1. (#370)
- Chart: Update Helm release vertical-pod-autoscaler to v11.0.0. (#362)
vertical-pod-autoscaler-crd v3.3.1…v4.0.1
Changed
- Chart: Sync to upstream. (#162)
- Chart: Sync to upstream. (#154)
Sep 5, 2025 CAPA releases releases aws-31.1.2
This release updates the cluster-aws chart to fix an issue around Helm values schema validation when using certain node pool fields.
Changes compared to v31.1.1
Components
- cluster-aws from v3.6.1 to v3.6.2
cluster-aws v3.6.1…v3.6.2
Fixed
- Add cluster chart nodepool fields to the schema.
Aug 21, 2025 CAPA releases releases aws-31.1.1
This release updates the cluster-aws chart and the underlying cluster chart to address an issue around Helm values schema validation uncovered by newer Helm versions.
Changes compared to v31.1.0
Components
- cluster-aws from v3.6.0 to v3.6.1
cluster-aws v3.6.0…v3.6.1
Changed
- Chart: Update cluster to v2.5.1.
Aug 21, 2025 CAPA releases releases aws-30.1.5
This release updates the cluster-aws chart and the underlying cluster chart to address an issue around Helm values schema validation uncovered by newer Helm versions.
Changes compared to v30.1.4
Components
- cluster-aws from v3.2.3 to v3.2.4
cluster-aws v3.2.3…v3.2.4
Changed
- Chart: Update cluster to v2.2.2.
Aug 5, 2025 CAPA releases releases aws-30.1.4
This release backports a fix for reducing IMDS Response Hop Limit to 2 if pod networking is in ENI mode to increase security. For clusters in ENI mode, all nodes are rolled when upgrading to this release.
Changes compared to v30.1.3
Components
- cluster-aws from v3.2.2 to v3.2.3
cluster-aws v3.2.2…v3.2.3
Changed
- Reduce IMDS Response Hop Limit to 2 if pod networking is in ENI mode to increase security.
Apps

Giant Swarm Offerings

By Category

CAPA Releases

Changes compared to v33.1.0

Apps

coredns v1.28.2…v1.28.3

Changed

Changes compared to v33.0.1

Components

cluster-aws v6.2.0…v6.4.1

Added

Changed

Apps

aws-ebs-csi-driver v3.2.0…v3.3.0

Changed

aws-pod-identity-webhook v2.0.0…v2.1.0

Changed

cert-exporter v2.9.12…v2.9.14

Changed

cert-manager v3.9.3…v3.9.4

Added

Changed

cilium v1.3.1…v1.3.2

Changed

etcd-defrag v1.2.1…v1.2.3

Changed

etcd-k8s-res-count-exporter v1.10.9…v1.10.11

Changed

k8s-audit-metrics v0.10.8…v0.10.10

Changed

karpenter-crossplane-resources v0.4.0…v0.5.1

Added

Fixed

node-exporter v1.20.7…v1.20.9

Changed

observability-policies v0.0.2…v0.0.3

Fixed

security-bundle v1.13.1…v1.15.0

Added

Changed

teleport-kube-agent v0.10.6…v0.10.7

Added

Changed

Changes compared to v32.0.0

Components

cluster-aws v5.0.0…v5.3.0

Added

Changed

Apps

aws-ebs-csi-driver v3.0.5…v3.3.0

Changed

aws-nth-bundle v1.2.2…v1.3.0

Changed

aws-pod-identity-webhook v1.19.1…v2.0.0

Changed

capi-node-labeler v1.1.3…v1.1.5

Changed

cert-exporter v2.9.9…v2.9.13

Changed

cert-manager v3.9.2…v3.9.4

Added

Changed

cilium v1.3.0…v1.3.1

Changed

coredns v1.27.0…v1.28.2

Changed

etcd-defrag v1.0.8…v1.2.2

Changed

etcd-k8s-res-count-exporter v1.10.7…v1.10.10

Changed

k8s-audit-metrics v0.10.6…v0.10.9

Changed

node-exporter v1.20.5…v1.20.8

Changed

observability-bundle v2.2.2…v2.3.2

Added

Changed

Fixed

security-bundle v1.12.0…v1.14.0

Changed