CAPA Releases

  • Changes compared to v34.0.0

    Components

    • cluster-aws from v7.2.5 to v7.4.0
    • Flatcar from v4459.2.2 to v4459.2.3
    • Kubernetes from v1.34.3 to v1.34.5
    • os-tooling from v1.26.3 to v1.26.4

    cluster-aws v7.2.5…v7.4.0

    Added

    • Add JSON schema validation patterns for global.providerSpecific.region.
    • Add JSON schema validation patterns for global.providerSpecific.awsAccountId.
    • Add JSON schema validation patterns for global.controlPlane.instanceType and node pool instanceType.
    • Add JSON schema maxLength: 20 constraint for global.metadata.name, aligning with the constraint enforced by our kyverno policies.

    Changed

    • Values: Use container registries from cluster chart.
    • Karpenter: Provide proxy configuration.
    • AWS EBS CSI Driver & Karpenter: Reduce interval and enable drift detection.
    • Install the aws-ebs-csi-driver-bundle that contains the aws-ebs-csi-driver app, together with the crossplane resources to manage the AWS IAM Roles required by the app.
    • Install the karpenter-bundle that contains the karpenter app, together with the crossplane custom resources to manage the AWS resources required by karpenter.
    • Use cluster chart values for Karpenter kubelet systemReserved and kubeReserved configuration instead of hardcoded values.
    • Set correct maxPods value for karpenter node pools, based on the configured nodeCidrMaskSize, but capped at 110 pods.
    • Always install the karpenter-bundle, regardless of whether karpenter node pools are configured. This is useful when deleting karpenter node pools, because otherwise the karpenter app was being removed and karpenter did not have time to clean up the node pools.
    • Allow CertManager to use DNS challenges on non-private clusters.

    Fixed

    • Install node-termination-handler bundle even if falling back to default node pools. No workers could come up without NTH, so nodePools: {} (= use default node pools) did not create a working cluster.

    Apps

    • aws-ebs-csi-driver from v3.4.1 to v4.1.1
    • aws-ebs-csi-driver-servicemonitors from v0.1.0 to v0.1.2
    • aws-pod-identity-webhook from v2.1.0 to v2.2.0
    • cert-exporter from v2.9.15 to v2.9.16
    • cert-manager from v3.9.4 to v3.11.0
    • chart-operator-extensions from v1.1.2 to v1.1.3
    • cilium from v1.3.4 to v1.4.1
    • cilium-servicemonitors from v0.1.3 to v0.1.4
    • cluster-autoscaler from v1.34.1-1 to v1.34.3-1
    • coredns-extensions from v0.1.2 to v0.1.3
    • etcd-defrag from v1.2.3 to v1.2.4
    • etcd-k8s-res-count-exporter from v1.10.12 to v1.10.14
    • irsa-servicemonitors from v0.1.0 to v0.1.1
    • k8s-audit-metrics from v0.10.11 to v0.10.13
    • k8s-dns-node-cache from v2.9.1 to v2.9.2
    • karpenter from v1.4.0 to v2.1.0
    • karpenter-taint-remover from v1.0.1 to v1.0.2
    • metrics-server from v2.7.0 to v2.8.0
    • net-exporter from v1.23.0 to v1.23.1
    • node-exporter from v1.20.10 to v1.20.11
    • observability-bundle from v2.5.0 to v2.6.0
    • observability-policies from v0.0.3 to v0.0.4
    • priority-classes from v0.3.0 to v0.3.1
    • prometheus-blackbox-exporter from v0.5.0 to v0.5.1
    • security-bundle from v1.16.1 to v1.17.0
    • teleport-kube-agent from v0.10.7 to v0.10.8
    • vertical-pod-autoscaler from v6.1.1 to v6.1.2
    • vertical-pod-autoscaler-crd from v4.1.1 to v4.1.2

    aws-ebs-csi-driver v3.4.1…v4.1.1

    Added

    • Introduce bundle chart architecture with Crossplane IAM resources.
      • Add aws-ebs-csi-driver-app-bundle chart that includes:
        • Crossplane IAM Role with EBS CSI driver permissions
        • Flux HelmRelease to deploy the workload cluster chart
        • ConfigMap for values passthrough
      • Bundle chart is installed on the management cluster and deploys the app chart to the workload cluster
      • IAM role uses OIDC federation (IRSA) and reads configuration from <clusterID>-crossplane-config ConfigMap
      • Both charts share the same version and are released together

    Changed

    • Refactor crossplane config data retrieval. Fail installation if the ConfigMap can’t be found, otherwise the chart was creating invalid IAM roles.
    • Change IAM role name for the ebs-csi-driver-controller, to differentiate it from the old one managed by the iam-operator.
    • Remove dependency for the cloud-provider-aws in the aws-ebs-csi-driver HelmRelease. That dependency should be set in the bundle HelmRelease by the provider cluster chart.
    • Update CircleCI configuration to push both app and bundle charts
    • Update README with bundle architecture documentation

    Fixed

    • Fix boolean type of the expansion
    • Allow volume expansion by default on gp3

    aws-ebs-csi-driver-servicemonitors v0.1.0…v0.1.2

    Changed

    • Migrate to App Build Suite (ABS).

    Fixed

    • Remove duplicate application.giantswarm.io/team label in PodMonitor that caused install failure. The label is already included via the common labels helper.

    aws-pod-identity-webhook v2.1.0…v2.2.0

    Changed

    • Sanitize Chart.Version when used in labels due to flux appending the artifact digest to the version.

    cert-exporter v2.9.15…v2.9.16

    Changed

    • Go: Update dependencies.

    cert-manager v3.9.4…v3.11.0

    Added

    • Add Vertical Pod Autoscaler (VPA) support for webhook pods.
    • Add io.giantswarm.application.audience and io.giantswarm.application.managed chart annotations for Backstage visibility.
    • Add PodLogs for log collection.

    Fixed

    • Fix controller Vertical Pod Autoscaler (VPA) resource syntax.

    chart-operator-extensions v1.1.2…v1.1.3

    Changed

    cilium v1.3.4…v1.4.1

    Changed

    • Upgrade Cilium to v1.19.1.
    • Upgrade Cilium to v1.19.0.
    • Update chart icon to use Giant Swarm-hosted Cilium icon.
    • Upgrade Cilium to v1.18.7.

    cilium-servicemonitors v0.1.3…v0.1.4

    Changed

    • Migrate chart metadata annotations

    cluster-autoscaler v1.34.1-1…v1.34.3-1

    Changed

    • Chart: Update to upstream v1.34.3.
    • Chart: Update to upstream v1.34.2.

    etcd-defrag v1.2.3…v1.2.4

    Changed

    • Chart: Update dependency ahrtr/etcd-defrag to v0.37.0. (#78)

    etcd-k8s-res-count-exporter v1.10.12…v1.10.14

    Changed

    • Migrate to App Build Suite (ABS) for Helm chart building.
    • Go: Update dependencies.

    Removed

    • Removed PodSecurityPolicy.
    • Removed global.podSecurityStandards.enforced helm value.
    • Removed resource.psp helm value.

    irsa-servicemonitors v0.1.0…v0.1.1

    Changed

    • Migrate to App Build Suite (ABS) for building and publishing Helm charts.

    k8s-audit-metrics v0.10.11…v0.10.13

    Changed

    • Migrate to App Build Suite (ABS) for Helm chart building.
    • Go: Update dependencies.

    Removed

    • Removed PodSecurityPolicy.
    • Removed global.podSecurityStandards.enforced helm value.
    • Removed resource.psp helm value.

    k8s-dns-node-cache v2.9.1…v2.9.2

    Changed

    • Upgrade application to version 1.26.7 (includes coredns 1.13.1)

    karpenter v1.4.0…v2.1.0

    Added

    • Add PodLogs and PodMonitor custom resources for observability data ingestion.
    • Deployment: Add HTTP proxy support.
    • Add e2e tests for this app.
    • Add karpenter-bundle chart that consolidates karpenter-app and karpenter-crossplane-resources into a single deployable bundle. The bundle includes:
      • HelmRelease and OCIRepository for deploying karpenter to workload clusters
      • IAM roles for karpenter and nodeclassgenerator via Crossplane
      • SQS queue and CloudWatch event rules for interruption handling

    Fixed

    • Use only clustertest v3 instead of v2 and v3. We also upgraded to apptest-framework v3 due to this.

    karpenter-taint-remover v1.0.1…v1.0.2

    Changed

    • Migrate to App Build Suite (ABS) for building and publishing Helm charts.

    metrics-server v2.7.0…v2.8.0

    Changed

    • Upgrade metrics-server to v0.8.1.
    • Change team annotation in Chart.yaml to OpenContainers format (io.giantswarm.application.team).

    net-exporter v1.23.0…v1.23.1

    Removed

    • Removed PodSecurityPolicy.
    • Removed global.podSecurityStandards.enforced helm value.

    node-exporter v1.20.10…v1.20.11

    Changed

    • Migrate to App Build Suite (ABS) for building and publishing Helm charts.

    Fixed

    • Removed duplicated app label which is already added by the selector helper.

    observability-bundle v2.5.0…v2.6.0

    Added

    • Add KSM metrics for Gateway API resources

    observability-policies v0.0.3…v0.0.4

    Changed

    • Rename app to observability-policies
    • Change team annotation in Chart.yaml to OpenContainers format (io.giantswarm.application.team).

    priority-classes v0.3.0…v0.3.1

    Fixed

    • Sanitize Chart.Version used in labels. This is needed because flux appends the digest to the version using the + character, which is not allowed in labels.
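As an added illustration of the label problem described here (and for aws-pod-identity-webhook above), the following Python is not code from either chart. It applies the Kubernetes label-value rules (at most 63 characters, only alphanumerics, `-`, `_` and `.`, starting and ending with an alphanumeric) to a version string; the sample version with a `+digest` suffix is constructed for the example.

```python
"""Sanitize a Helm Chart.Version for use as a Kubernetes label value.

Added example, not a template helper from the charts in this release. Flux
appends the OCI artifact digest to the chart version with a '+', which is not a
legal label-value character; label values are also limited to 63 characters
and must begin and end with an alphanumeric character.
"""
import re

# Kubernetes label-value grammar: empty, or alnum-bounded run of [-A-Za-z0-9_.]
LABEL_VALUE_RE = re.compile(r"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$")
MAX_LABEL_VALUE_LEN = 63


def is_valid_label_value(value: str) -> bool:
    """True if the value satisfies the Kubernetes label-value rules."""
    return len(value) <= MAX_LABEL_VALUE_LEN and LABEL_VALUE_RE.match(value) is not None


def sanitize_label_value(value: str) -> str:
    """Make an arbitrary version string label-safe.

    Follows the usual Helm idiom (replace '+' with '_', truncate to 63, trim a
    trailing '-') but also replaces any other illegal character and trims every
    non-alphanumeric prefix/suffix left behind after truncation.
    """
    cleaned = value.replace("+", "_")
    cleaned = re.sub(r"[^-A-Za-z0-9_.]", "_", cleaned)
    cleaned = cleaned[:MAX_LABEL_VALUE_LEN]
    return cleaned.strip("-_.")


def chart_version_labels(chart_name: str, chart_version: str) -> dict:
    """Labels a chart would stamp on its resources, with the version sanitized."""
    return {
        "app.kubernetes.io/name": chart_name,
        "helm.sh/chart": sanitize_label_value(f"{chart_name}-{chart_version}"),
        "app.kubernetes.io/version": sanitize_label_value(chart_version),
    }


if __name__ == "__main__":
    # Constructed sample: a version the way Flux reports it for an OCI artifact.
    flux_version = "0.3.1+abc123def"
    print("raw version valid as label:", is_valid_label_value(flux_version))
    print(chart_version_labels("priority-classes", flux_version))
```

The `helm.sh/chart` value shows why truncation matters as well: name plus version can exceed 63 characters even when each half is legal on its own.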

    prometheus-blackbox-exporter v0.5.0…v0.5.1

    Changed

    • Migrate to App Build Suite (ABS) for Helm chart building.

    security-bundle v1.16.1…v1.17.0

    Changed

    • Update kyverno (app) to v0.23.0.
    • Update kyverno-crds (app) to v1.16.0.
    • Update reports-server (app) to v0.1.0.
    • Update cloudnative-pg (app) to v0.0.13.
    • Update kubescape (app) to v0.0.5.
    • Update starboard-exporter (app) to v1.0.2.

    teleport-kube-agent v0.10.7…v0.10.8

    Added

    • Add io.giantswarm.application.audience and io.giantswarm.application.managed chart annotations for Backstage visibility.

    Changed

    • Migrate chart metadata annotations to OCI-compatible format.

    vertical-pod-autoscaler v6.1.1…v6.1.2

    Fixed

    • Pushed helm chart to OCI repository.

    vertical-pod-autoscaler-crd v4.1.1…v4.1.2

    Fixed

    • Pushed helm chart to OCI repository.
  • Warning: Important Note for Upgrading to this Release

    tl;dr: Please first upgrade your existing cluster to Giant Swarm Release v33.1.4 for CAPA or newer before upgrading to this release! Otherwise, you risk service outage and severe issues.

    Giant Swarm Release v34.0.0 for CAPA comes with Kubernetes v1.34. This version contains etcd v3.6, which makes use of the so-called v3 store by default. Before, with etcd v3.5, the v2 store was used by default and synchronized to the already existing v3 store.

    Different flaws could lead to an inconsistency between the old v2 store and the already present but unused standby v3 store in etcd v3.5 and before. Because of this, new etcd v3.6 members, which first start to use this v3 store, might suffer from these inconsistencies.

    This can come into play when upgrading a cluster to this and future releases from any release older than Giant Swarm Release v33.1.4 for CAPA. For this reason, we require you to first upgrade your cluster to Giant Swarm Release v33.1.4 for CAPA or newer before upgrading to this or future releases.

    OIDC Structured Authentication (optional)

    This release introduces optional support for Kubernetes Structured Authentication Configuration for OIDC providers. We recommend testing this feature on a non-production cluster first.

    Minimal example

    global:
      controlPlane:
        oidc:
          structuredAuthentication:
            enabled: true
            issuers:
              - issuerUrl: https://your-idp.example.com
                clientId: kubernetes
    

    Example with customization

    global:
      controlPlane:
        oidc:
          structuredAuthentication:
            enabled: true
            issuers:
              - issuerUrl: https://your-idp.example.com
                clientId: kubernetes
                usernameClaim: email          # Optional: use 'email' instead of 'sub'
                groupsClaim: roles            # Optional: use 'roles' instead of 'groups'
                usernamePrefix: "oidc:"       # Optional: prefix usernames
                groupsPrefix: "oidc:"         # Optional: prefix groups
    

    Migration from legacy OIDC configuration

    If you already use OIDC with the legacy configuration, add structuredAuthentication.enabled: true to migrate:

    global:
      controlPlane:
        oidc:
          issuerUrl: https://your-idp.example.com
          clientId: kubernetes
          structuredAuthentication:
            enabled: true
    

    This will automatically convert your legacy configuration to the new structured format.

    Advanced options

    Additional configuration options are available for more complex setups, including:

    • Multiple audiences (audiences, audienceMatchPolicy)
    • Custom discovery URL (discoveryUrl)
    • Custom CA certificate (caPem)
    • CEL expressions for claim and user validation (claimValidationRules, userValidationRules)
    • Advanced claim mappings with CEL expressions (claimMappings)

    Refer to the Kubernetes Structured Authentication documentation for details.
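To make the migration rule concrete, here is an added Python example (not the cluster-aws chart's own template) that turns the chart's global.controlPlane.oidc values into the kube-apiserver AuthenticationConfiguration document and checks the issuer entry before doing so. The chart value names come from the examples above; the output shape follows the upstream Kubernetes structured authentication API (apiserver.config.k8s.io/v1beta1 is assumed here). How the real chart renders the object is not shown on this page, so treat the mapping as an assumption.

```python
"""Render the cluster chart's OIDC values as a Kubernetes AuthenticationConfiguration.

Added example, not the cluster-aws chart's template. Value keys (issuerUrl,
clientId, usernameClaim, groupsClaim, usernamePrefix, groupsPrefix, audiences,
audienceMatchPolicy) are those listed in the release notes; the output follows
the upstream structured-authentication API. The chart's real rendering may differ.
"""
import json
from urllib.parse import urlparse


def structured_issuers(oidc: dict) -> list:
    """Return the issuer entries the structured config is built from.

    Mirrors the migration rule from the notes: with structuredAuthentication
    enabled and no explicit issuers, the legacy issuerUrl/clientId pair is used.
    """
    sa = oidc.get("structuredAuthentication") or {}
    if not sa.get("enabled"):
        return []  # structured auth off: nothing to render
    issuers = sa.get("issuers")
    if issuers:
        return list(issuers)
    if "issuerUrl" in oidc and "clientId" in oidc:
        return [{"issuerUrl": oidc["issuerUrl"], "clientId": oidc["clientId"]}]
    raise ValueError("structuredAuthentication enabled but no issuer configured")


def validate_issuer(issuer: dict) -> list:
    """Return a list of problems with an issuer entry; empty means usable."""
    problems = []
    url = issuer.get("issuerUrl", "")
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.netloc:
        problems.append(f"issuerUrl must be an https URL, got {url!r}")
    if not issuer.get("clientId") and not issuer.get("audiences"):
        problems.append("clientId (or audiences) is required")
    # Defensive check of our own: a prefix starting with 'system:' would let the
    # IdP mint identities that collide with Kubernetes' reserved namespace.
    for key in ("usernamePrefix", "groupsPrefix"):
        prefix = issuer.get(key)
        if prefix is not None and prefix.startswith("system:"):
            problems.append(f"{key} must not start with the reserved 'system:' prefix")
    return problems


def to_authentication_configuration(oidc: dict) -> dict:
    """Build the AuthenticationConfiguration dict for all configured issuers."""
    jwt = []
    for issuer in structured_issuers(oidc):
        problems = validate_issuer(issuer)
        if problems:
            raise ValueError("; ".join(problems))
        audiences = issuer.get("audiences") or [issuer["clientId"]]
        entry = {
            "issuer": {"url": issuer["issuerUrl"], "audiences": audiences},
            "claimMappings": {
                # Structured auth requires an explicit prefix once a claim is set,
                # so an empty prefix is emitted rather than omitted.
                "username": {
                    "claim": issuer.get("usernameClaim", "sub"),
                    "prefix": issuer.get("usernamePrefix", ""),
                }
            },
        }
        if "audienceMatchPolicy" in issuer:
            entry["issuer"]["audienceMatchPolicy"] = issuer["audienceMatchPolicy"]
        if "groupsClaim" in issuer:
            entry["claimMappings"]["groups"] = {
                "claim": issuer["groupsClaim"],
                "prefix": issuer.get("groupsPrefix", ""),
            }
        jwt.append(entry)
    return {
        "apiVersion": "apiserver.config.k8s.io/v1beta1",
        "kind": "AuthenticationConfiguration",
        "jwt": jwt,
    }


if __name__ == "__main__":
    # Constructed sample: the "migration from legacy" values from the notes.
    legacy_values = {
        "issuerUrl": "https://your-idp.example.com",
        "clientId": "kubernetes",
        "structuredAuthentication": {"enabled": True},
    }
    print(json.dumps(to_authentication_configuration(legacy_values), indent=2))
```

Running it on the legacy values prints a single jwt entry whose audience is the old clientId and whose username claim is `sub` with an empty prefix, which is the behaviour the legacy flags had; the customized example above maps to the same document with `email`/`roles` claims and the `oidc:` prefixes.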

    Changes compared to v33.1.4

    Components

    • cluster-aws from v6.4.3 to v7.2.5
    • Flatcar from v4459.2.1 to v4459.2.2
    • Kubernetes from v1.33.6 to v1.34.3
    • os-tooling from v1.26.2 to v1.26.3

    cluster-aws v6.4.3…v7.2.5

    Warning: Breaking Changes

    • The following IAM permissions have been removed from the control plane nodes:
      • autoscaling:SetDesiredCapacity
      • autoscaling:TerminateInstanceInAutoScalingGroup
    • Removed global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers value, as that’s the default behavior now. It cannot be overridden anymore.

    Added

    • Add kubernetes.io/cluster/$clusterName: "owned" and sigs.k8s.io/cluster-api-provider-aws/cluster/$clusterName: "owned" tags to the IRSAClaim CR so that resources created by Crossplane contain the expected tags. This also allows to find the S3 buckets that need to be deleted when removing a cluster.
    • Add preKubeadmCommand to wait for the API server load balancer DNS to be resolvable before running kubeadm on control plane nodes. This prevents kubeadm from failing when the ELB DNS record hasn’t propagated yet. (This change will roll the control plane nodes.)
    • Add Crossplane IAM Roles, policies and instance profiles for worker and control plane nodes. Instead of having an IAM Role per node pool, now we’ll use the same for all node pools. (This change will roll the nodes.)
    • Add the priority-classes default app, enabled by default. This app provides standardised PriorityClass resources like giantswarm-critical and giantswarm-high, which should replace the previous inconsistent per-app priority classes.
    • Attach the lb Security Group to Karpenter nodes. (This change will roll the nodes on Karpenter node pools.)
    • Name instance on AWS after the nodepool name. (This change will roll the nodes on Karpenter node pools.)

    Changed

    • Chart: Update cluster to v5.1.2.
    • Chart: Update cluster to v5.1.1.
    • Chart: Update cluster to v5.1.0.
    • Chart: Update cluster to v5.0.0.
    • Reduce redundant parts of JSON schema for Karpenter vs. MachinePool types of node pools
    • Adjust node max pods based on the nodeCidrMaskSize

    Fixed

    • Fix Karpenter schema definition: changed from app schema to helmRelease schema to correctly reflect that Karpenter is deployed as a HelmRelease resource. This fixes incorrect field definitions in extraConfigs (capitalized enum values ConfigMap/Secret and optional field instead of priority).
    • Fix Karpenter NodePool subnet filtering: when users define custom subnetTags, the default giantswarm.io/role: "nodes" filter is no longer applied, allowing full control over subnet selection. The cluster ownership tag (sigs.k8s.io/cluster-api-provider-aws/cluster/<cluster-name>: owned) is still enforced for security.
    • Fix Karpenter HelmRelease: add missing valuesFrom parent field for extraConfigs, enabling customers to use custom ConfigMaps and Secrets for Karpenter configuration.
    • Ensure AWSCluster.spec.network.subnets.tags is not rendered as null
    • Add missing documentation for node pools (health checks were not listed)
    • Ensure defaulting maxHealthyPercentage since Helm does not use the default from the schema

    Removed

    • Remove RolePolicyAttachment crossplane custom resources as they are not needed when using Role and RolePolicy.

    Apps

    • cert-exporter from v2.9.14 to v2.9.15
    • cilium from v1.3.2 to v1.3.4
    • cloud-provider-aws from v1.33.2-1 to v2.0.0
    • cluster-autoscaler from v1.33.1-2 to v1.34.1-1
    • coredns from v1.28.3 to v1.29.1
    • etcd-k8s-res-count-exporter from v1.10.11 to v1.10.12
    • external-dns from v3.2.0 to v3.4.0
    • k8s-audit-metrics from v0.10.10 to v0.10.11
    • network-policies from v0.1.1 to v0.1.3
    • node-exporter from v1.20.9 to v1.20.10
    • Added node-problem-detector v0.5.2
    • observability-bundle from v2.3.2 to v2.5.0
    • Added priority-classes v0.3.0
    • security-bundle from v1.15.0 to v1.16.1

    cert-exporter v2.9.14…v2.9.15

    Changed

    • Go: Update dependencies.

    cilium v1.3.2…v1.3.4

    Changed

    cloud-provider-aws v1.33.2-1…v2.0.0

    Changed

    • Chart: Update to upstream v1.34.0.

    cluster-autoscaler v1.33.1-2…v1.34.1-1

    Changed

    • Chart: Update to upstream v1.34.1.

    coredns v1.28.3…v1.29.1

    Changed

    • Update coredns image to 1.14.1.
    • Update coredns image to 1.14.0.

    etcd-k8s-res-count-exporter v1.10.11…v1.10.12

    Changed

    • Go: Update dependencies.

    external-dns v3.2.0…v3.4.0

    Changed

    • Sync to upstream helm chart 1.20.0.
      • Add option to set annotationPrefix.
      • Fixed the missing schema for .provider.webhook.serviceMonitor configs.
      • Fixed incorrect indentation of selector labels under spec.template.spec.topologySpreadConstraints when topologySpreadConstraints is set.
    • Use kubectl-apply-job when installing CRDs.
    • Upgrade external-dns to v0.20.0.
    • Update DNSEndpoints CRD.
    • Sync to upstream helm chart 1.19.0.
      • Grant discovery.k8s.io/endpointslices permission only when using service source.
      • Update RBAC for Service source to support EndpointSlices.
      • Allow extraArgs to also be a map enabling overrides of individual values.
      • Set defaults for automountServiceAccountToken and serviceAccount.automountServiceAccountToken to true in Helm chart values.
      • Correctly handle txtPrefix and txtSuffix arguments when both are provided.
      • Add ability to generate schema with helm plugin schema.
      • Regenerate JSON schema with the helm-values-schema-json plugin.
      • Added ability to configure imagePullSecrets via helm global value.
      • Added options to configure labelFilter and managedRecordTypes via dedicated helm values.
      • Allow templating serviceaccount.annotations keys and values, by rendering them using the tpl built-in function.
      • Added support for extraContainers argument.
      • Added support for setting excludeDomains argument.
      • Added support for setting dnsConfig.
      • Added support for webhook providers.
    • Restrict managed record types to A and CNAME.

    k8s-audit-metrics v0.10.10…v0.10.11

    Changed

    • Go: Update dependencies.

    network-policies v0.1.1…v0.1.3

    Added

    • Add support for Kamaji.

    Fixed

    • Fixed broken templating.

    node-exporter v1.20.9…v1.20.10

    Removed

    • Repository: Remove integration tests.

    node-problem-detector v0.5.2

    Changed

    • Build: Switch to pushing to default instead of playground catalog as this app will be fully supported in production

    observability-bundle v2.3.2…v2.5.0

    Added

    • Add KSM metrics kube_servicemonitor_info and kube_podmonitor_info for ServiceMonitor and PodMonitor resources
    • Add KSM metrics kube_podlog_info for PodLog resource

    Changed

    • Upgrade kube-prometheus-stack-app to 19.0.0
    • Update alloy-app to 0.16.0
      • Bumps alloy to 1.12.0

    Fixed

    • Fixed KSM metrics for endpoints

    priority-classes v0.3.0

    Changed

    • Label now uses chart version instead of app version.

    Removed

    • Removed appVersion (only version is used now).

    security-bundle v1.15.0…v1.16.1

    Changed

    • Add missing dependency to all apps.
    • Allow to set multiple dependencies on the depends-on annotation.
    • Rename edgedb to gel.
    • Update cloudnative-pg (app) to v0.0.12.
    • Update gel (app) to v1.0.1.
  • Allow volume expansion in GP3

    Changes compared to v33.1.3

    Apps

    • aws-ebs-csi-driver from v3.3.0 to v3.4.1

    aws-ebs-csi-driver v3.3.0…v3.4.1

    Fixed

    • Allow volume expansion by default on gp3
    • Correct boolean for volume expansion
  • Fix Karpenter schema for extraConfigs

    Changes compared to v33.1.2

    Components

    • cluster-aws from v6.4.2 to v6.4.3

    cluster-aws v6.4.2…v6.4.3

    Fixed

    • Fix Karpenter schema: Use helmRelease schema instead of app schema. This corrects the extraConfigs[].kind field to accept ConfigMap and Secret (capitalized), and replaces the priority field with optional field, matching the HelmRelease resource structure.
  • Improve karpenter subnet selection and extraConfig mounting.

    Changes compared to v33.1.1

    Components

    • cluster-aws from v6.4.1 to v6.4.2

    cluster-aws v6.4.1…v6.4.2

    Added

    • Add kubernetes.io/cluster/$clusterName: "owned" and sigs.k8s.io/cluster-api-provider-aws/cluster/$clusterName: "owned" tags to the IRSAClaim CR so that resources created by Crossplane contain the expected tags. This also allows to find the S3 buckets that need to be deleted when removing a cluster.

    Fixed

    • Fix Karpenter NodePool subnet filtering: when users define custom subnetTags, the default giantswarm.io/role: "nodes" filter is no longer applied, allowing full control over subnet selection. The cluster ownership tag (sigs.k8s.io/cluster-api-provider-aws/cluster/<cluster-name>: owned) is still enforced for security.
    • Fix Karpenter HelmRelease: add missing valuesFrom parent field for extraConfigs, enabling customers to use custom ConfigMaps and Secrets for Karpenter configuration.
  • This release updates the cluster-aws chart to address an issue with Karpenter nodes not working properly with ingress load balancers.

    Changes compared to v32.1.0

    Components

    • cluster-aws from v5.3.0 to v5.4.0

    cluster-aws v5.3.0…v5.4.0

    Added

    • Attach the lb Security Group to Karpenter nodes. (This change will roll the nodes on Karpenter node pools.)
    • Name instance on AWS after the nodepool name. (This change will roll the nodes on Karpenter node pools.)
  • This patch release fixes an issue with the installation of the Teleport Kube Agent app.

    Changes compared to v33.1.0

    Apps

    • coredns from v1.28.2 to v1.28.3

    coredns v1.28.2…v1.28.3

    Changed

    • Update coredns image to 1.13.2.
  • Update Kubernetes to v1.33.6, Flatcar to v4459.2.1 and various component upgrades.

    Changes compared to v33.0.1

    Components

    • cluster-aws from v6.2.0 to v6.4.1
    • Flatcar from v4230.2.3 to v4459.2.1
    • Kubernetes from v1.33.5 to v1.33.6
    • os-tooling from v1.26.1 to v1.26.2

    cluster-aws v6.2.0…v6.4.1

    Added

    • Attach the lb Security Group to Karpenter nodes. (This change will roll the nodes on Karpenter node pools.)
    • Name instance on AWS after the nodepool name. (This change will roll the nodes on Karpenter node pools.)
    • Add node-problem-detector-app, disabled by default.

    Changed

    • Tidy up dependencies on azs-getter.
    • Make global.baseDomain and global.managementCluster required values. These values will be passed to the chart when deploying it from the cluster-app-installation-values ConfigMap in the default namespace.
    • Extract required values to its own central file to avoid repeating the required keyword and error messages. This is normally done automatically by a Kyverno policy.
    • Change the default root disk size for Karpenter node pools. Karpenter will choose the cheapest instances, and certain instances, like g6f.xlarge come with some drivers that require a larger disk.
    • Chart: Update cluster to v4.3.0.

    Apps

    • aws-ebs-csi-driver from v3.2.0 to v3.3.0
    • aws-pod-identity-webhook from v2.0.0 to v2.1.0
    • cert-exporter from v2.9.12 to v2.9.14
    • cert-manager from v3.9.3 to v3.9.4
    • cilium from v1.3.1 to v1.3.2
    • etcd-defrag from v1.2.1 to v1.2.3
    • etcd-k8s-res-count-exporter from v1.10.9 to v1.10.11
    • k8s-audit-metrics from v0.10.8 to v0.10.10
    • karpenter-crossplane-resources from v0.4.0 to v0.5.1
    • node-exporter from v1.20.7 to v1.20.9
    • observability-policies from v0.0.2 to v0.0.3
    • security-bundle from v1.13.1 to v1.15.0
    • teleport-kube-agent from v0.10.6 to v0.10.7

    aws-ebs-csi-driver v3.2.0…v3.3.0

    Changed

    • Chart: Sync to upstream. (#338)
      • Chart: Update AWS EBS CSI Driver from v1.41.0 to v1.51.0.
      • Chart: ⚠️ URGENT: XFS Compatibility Issue - Newly formatted XFS volumes may fail to mount on nodes with older kernels (Amazon Linux 2). Use node.legacyXFS: true as workaround.
      • Chart: ⚠️ URGENT: Controller Health Checks - Controller now performs AWS API dry-run checks. Ensure proper IAM permissions and network connectivity.
      • Chart: ⚠️ URGENT: StorageClass Parameter Deprecation - blockExpress parameter is deprecated for io2 volumes (now always uses 256,000 IOPS cap).
      • Chart: Add support for creating instant, point-in-time copies of EBS volumes within the same Availability Zone.
      • Chart: Add debugLogs parameter for maximum verbosity logging and debugging.
      • Chart: Add metadataSources configuration option for node metadata handling.
      • Chart: Add disableMutation parameter for service account mutation control.
      • Chart: Add support for updating node’s max attachable volume count via MutableCSINodeAllocatableCount feature gate (Kubernetes 1.33+).
      • Chart: Update dependencies including AWS SDK, Prometheus, and various Go modules.
      • Chart: Add missing enablePrometheusAnnotations values for controller and node components.
      • Chart: Update sidecar container versions:
        • csi-provisioner: v5.2.0 → v5.3.0
        • csi-attacher: v4.8.1 → v4.9.0
        • csi-snapshotter: v8.2.1 → v8.3.0
        • livenessprobe: v2.14.0 → v2.16.0
        • csi-resizer: v1.13.2 → v1.14.0
        • csi-node-driver-registrar: v2.13.0 → v2.14.0
        • volume-modifier-for-k8s: v0.5.1 → v0.8.0

    aws-pod-identity-webhook v2.0.0…v2.1.0

    Changed

    • Set VPA minAllowed CPU to 50m. Otherwise VPA will set the CPU to tiny values that will cause CPU throttling.

    cert-exporter v2.9.12…v2.9.14

    Changed

    • Go: Update dependencies.
    • Go: Update dependencies.

    cert-manager v3.9.3…v3.9.4

    Added

    • Add E2E tests using apptest-framework for automated PR testing across multiple providers (CAPA, CAPV, CAPZ, CAPVCD).
      • Basic test suite: Validates fresh installations
      • Upgrade test suite: Tests upgrade scenarios and certificate reconciliation
    • Add certificate issuance integration test to cluster-test-suites.

    Changed

    • Upgrade cert-manager to v1.18.2.

    cilium v1.3.1…v1.3.2

    Changed

    etcd-defrag v1.2.1…v1.2.3

    Changed

    • Chart: Update dependency ahrtr/etcd-defrag to v0.36.0. (#69)
    • Chart: Update dependency ahrtr/etcd-defrag to v0.35.0. (#64)

    etcd-k8s-res-count-exporter v1.10.9…v1.10.11

    Changed

    • Go: Update dependencies.
    • Go: Update dependencies.

    k8s-audit-metrics v0.10.8…v0.10.10

    Changed

    • Go: Update dependencies.
    • Go: Update dependencies.

    karpenter-crossplane-resources v0.4.0…v0.5.1

    Added

    • Add new Helm value to configure the workers IAM role. When Karpenter launches worker instances, it will attach the worker instance profile.

    Fixed

    • Default the iam:PassRole resource to the old worker role ARN (the one used before crossplane started managing the IAM Roles) when workersIamRole is not provided. This is needed to make our test automation work regardless of the version of this app used.

    node-exporter v1.20.7…v1.20.9

    Changed

    • Go: Update dependencies.
    • Go: Update dependencies.

    observability-policies v0.0.2…v0.0.3

    Fixed

    • Missing RBAC for kyverno-report-controller

    security-bundle v1.13.1…v1.15.0

    Added

    • Add kubescape (app) version v0.0.4.

    Changed

    • Update kyverno (app) to v0.21.1.
    • Update kyverno-crds (app) to v1.15.0.
    • Update kyverno (app) to v0.20.1.
    • Update kyverno-crds (app) to v1.14.0.
    • Update kyverno-policies (app) to v0.24.0.
    • Update reports-server (app) to v0.0.3.

    teleport-kube-agent v0.10.6…v0.10.7

    Added

    • Add ephemeral-storage requests and limits to satisfy Kyverno policy require-emptydir-requests-and-limits.

    Changed

    • Enable upstream-provided Prometheus PodMonitor to scrape metrics from Teleport Kube Agent pods.
  • This release updates Flatcar to v4230.2.4 and includes several app updates and improvements.

    Changes compared to v32.0.0

    Components

    • cluster-aws from v5.0.0 to v5.3.0
    • Flatcar from v4230.2.2 to v4230.2.4
    • os-tooling from v1.26.1 to v1.26.2

    cluster-aws v5.0.0…v5.3.0

    Added

    • Expose value to configure terminationGracePeriod in the karpenter node pools.

    Changed

    • Configure the following startupTaints to help karpenter ignore pending Pods due to these taints that will be removed after the node starts, avoiding unnecessary instance provisioning:
      • node.cluster.x-k8s.io/uninitialized:NoSchedule
      • node.cilium.io/agent-not-ready:NoSchedule
      • ebs.csi.aws.com/agent-not-ready:NoExecute
    • Reduce heartbeat timeout for ASG lifecycle hooks from 30 minutes to 3 minutes since aws-node-termination-handler-app (NTH) can now send heartbeats.

    Apps

    • aws-ebs-csi-driver from v3.0.5 to v3.3.0
    • aws-nth-bundle from v1.2.2 to v1.3.0
    • aws-pod-identity-webhook from v1.19.1 to v2.0.0
    • capi-node-labeler from v1.1.3 to v1.1.5
    • cert-exporter from v2.9.9 to v2.9.13
    • cert-manager from v3.9.2 to v3.9.4
    • cilium from v1.3.0 to v1.3.1
    • coredns from v1.27.0 to v1.28.2
    • etcd-defrag from v1.0.8 to v1.2.2
    • etcd-k8s-res-count-exporter from v1.10.7 to v1.10.10
    • k8s-audit-metrics from v0.10.6 to v0.10.9
    • node-exporter from v1.20.5 to v1.20.8
    • observability-bundle from v2.2.2 to v2.3.2
    • security-bundle from v1.12.0 to v1.14.0
    • vertical-pod-autoscaler from v6.0.1 to v6.1.1
    • vertical-pod-autoscaler-crd from v4.0.1 to v4.1.1

    aws-ebs-csi-driver v3.0.5…v3.3.0

    Changed

    • Chart: Sync to upstream. (#338)
      • Chart: Update AWS EBS CSI Driver from v1.41.0 to v1.51.0.
      • Chart: ⚠️ URGENT: XFS Compatibility Issue - Newly formatted XFS volumes may fail to mount on nodes with older kernels (Amazon Linux 2). Use node.legacyXFS: true as workaround.
      • Chart: ⚠️ URGENT: Controller Health Checks - Controller now performs AWS API dry-run checks. Ensure proper IAM permissions and network connectivity.
      • Chart: ⚠️ URGENT: StorageClass Parameter Deprecation - blockExpress parameter is deprecated for io2 volumes (now always uses 256,000 IOPS cap).
      • Chart: Add support for creating instant, point-in-time copies of EBS volumes within the same Availability Zone.
      • Chart: Add debugLogs parameter for maximum verbosity logging and debugging.
      • Chart: Add metadataSources configuration option for node metadata handling.
      • Chart: Add disableMutation parameter for service account mutation control.
      • Chart: Add support for updating node’s max attachable volume count via MutableCSINodeAllocatableCount feature gate (Kubernetes 1.33+).
      • Chart: Update dependencies including AWS SDK, Prometheus, and various Go modules.
      • Chart: Add missing enablePrometheusAnnotations values for controller and node components.
      • Chart: Update sidecar container versions:
        • csi-provisioner: v5.2.0 → v5.3.0
        • csi-attacher: v4.8.1 → v4.9.0
        • csi-snapshotter: v8.2.1 → v8.3.0
        • livenessprobe: v2.14.0 → v2.16.0
        • csi-resizer: v1.13.2 → v1.14.0
        • csi-node-driver-registrar: v2.13.0 → v2.14.0
        • volume-modifier-for-k8s: v0.5.1 → v0.8.0
    • Configure gsoci.azurecr.io as the default container image registry.
    • Set default updateStrategy.rollingUpdate.maxUnavailable to 25% in DaemonSet to speed up rolling update.

    aws-nth-bundle v1.2.2…v1.3.0

    Changed

    • Upgrade aws-nth-crossplane-resources to v1.3.0, fixing support for multiple OIDC providers in the NTH IAM role as required for cleanup of migrated vintage clusters, and supporting heartbeat sending
    • Upgrade aws-node-termination-handler-app to v1.23.0, enabling heartbeats by default and upgrading to upstream application version v1.25.2, which fixes a resource leak bug relevant to heartbeat sending
    • Upgrade aws-nth-crossplane-resources to v1.1.1, supporting multiple OIDC providers in the NTH IAM role as required for cleanup of migrated vintage clusters

    aws-pod-identity-webhook v1.19.1…v2.0.0

    Changed

    • Upgrade IRSA to latest v0.6.9

    capi-node-labeler v1.1.3…v1.1.5

    Changed

    • Go: Update dependencies.
    • Go: Update dependencies.

    cert-exporter v2.9.9…v2.9.13

    Changed

    • Go: Update dependencies.
    • Go: Update dependencies.
    • Chart: Add value to toggle creation of Daemonset resources.
    • Go: Update dependencies.

    cert-manager v3.9.2…v3.9.4

    Added

    • Add E2E tests using apptest-framework for automated PR testing across multiple providers (CAPA, CAPV, CAPZ, CAPVCD).
      • Basic test suite: Validates fresh installations
      • Upgrade test suite: Tests upgrade scenarios and certificate reconciliation
    • Add certificate issuance integration test to cluster-test-suites.

    Changed

    • Upgrade cert-manager to v1.18.2.
    • Fix missing targetPort in cainjector-service

    cilium v1.3.0…v1.3.1

    Changed

    coredns v1.27.0…v1.28.2

    Changed

    • Update coredns image to 1.13.1.
    • Add value to toggle creation of controlplane deployment.
    • Update coredns image to 1.13.0.

    etcd-defrag v1.0.8…v1.2.2

    Changed

    • Chart: Update dependency ahrtr/etcd-defrag to v0.35.0. (#64)
    • Chart: Update dependency ahrtr/etcd-defrag to v0.34.0. (#62)
    • Chart: Update dependency ahrtr/etcd-defrag to v0.33.0. (#60)
    • Update Kyverno API to v2 for policy exceptions
    • Chart: Update dependency ahrtr/etcd-defrag to v0.32.0. (#57)

    etcd-k8s-res-count-exporter v1.10.7…v1.10.10

    Changed

    • Go: Update dependencies.
    • Go: Update dependencies.
    • Update Kyverno API to v2 for policy exceptions
    • Go: Update dependencies.

    k8s-audit-metrics v0.10.6…v0.10.9

    Changed

    • Go: Update dependencies.
    • Go: Update dependencies.
    • Update Kyverno API to v2 for policy exceptions
    • Go: Update dependencies.

    node-exporter v1.20.5…v1.20.8

    Changed

    • Go: Update dependencies.
    • Go: Update dependencies.
    • Update Kyverno API to v2 for policy exceptions
    • Go: Update dependencies.

    observability-bundle v2.2.2…v2.3.2

    Added

    • Add KSM metrics for cloudnative-pg Cluster objects

    Changed

    • Update alloy-app to 0.15.0
      • Bumps alloy to 1.11.0

    Fixed

    • Update alloy-app to 0.15.1
      • Bumps alloy to 1.11.2

    security-bundle v1.12.0…v1.14.0

    Changed

    • Update kyverno (app) to v0.20.1.
    • Update kyverno-crds (app) to v1.14.0.
    • Update kyverno-policies (app) to v0.24.0.
    • Update reports-server (app) to v0.0.3.
    • Revert previous kyverno update (#536, #531, #538).
    • Update kyverno-policy-operator (app) to v0.1.6.
    • Update kyverno (app) to v0.20.0.
    • Update kyverno-crds (app) to v1.14.0.
    • Update kyverno-policies (app) to v0.24.0.
    • Update kyverno-policy-operator (app) to v0.1.5.
    • Update trivy-operator (app) to v0.12.1.
    • Update trivy (app) to v0.14.1.
    • Update falco (app) to v0.11.0.

    vertical-pod-autoscaler v6.0.1…v6.1.1

    Changed

    • Chart: Update Helm release vertical-pod-autoscaler to v11.1.1. (#375)
    • Chart: Update Helm release vertical-pod-autoscaler to v11.1.0. (#372)

    vertical-pod-autoscaler-crd v4.0.1…v4.1.1

    Changed

    • Chart: Sync to upstream. (#166)
    • Chart: Sync to upstream. (#164)

  • This release improves the stability of Karpenter node pools.

    Changes compared to v33.0.0

    Components

    • cluster-aws from v6.0.0 to v6.2.0

    cluster-aws v6.0.0…v6.2.0

    Added

    • Add capa-karpenter-taint-remover to handle CAPA - Karpenter taint race condition.

    Changed

    • Change default consolidation time to 6 hours to avoid constant node rolling.
    • Rename capa-karpenter-taint-remover app.
    • Set the terminationGracePeriod default to 30m, to avoid Karpenter nodes getting stuck in the Deleting state because Pods block the deletion (e.g. via PDBs).
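The two defaults above map onto fields of the upstream Karpenter v1 NodePool API. The following manifest is an added illustration of those fields, not the cluster-aws chart's own template or rendered output; the NodePool name, the EC2NodeClass reference and the architecture requirement are placeholders.

```yaml
apiVersion: karpenter.sh/v1
kind: NodePool
metadata:
  name: example-pool          # placeholder, not a cluster-aws default
spec:
  template:
    spec:
      nodeClassRef:
        group: karpenter.k8s.aws
        kind: EC2NodeClass
        name: example-class   # placeholder
      requirements:
        - key: kubernetes.io/arch
          operator: In
          values: ["amd64"]   # placeholder requirement
      # Upper bound on how long Karpenter waits for pods (including those
      # protected by a PodDisruptionBudget) before it force-drains the node
      # and lets the deletion complete. Matches the 30m default above.
      terminationGracePeriod: 30m
  disruption:
    consolidationPolicy: WhenEmptyOrUnderutilized
    # How long a node must stay consolidatable before Karpenter acts on it.
    # Matches the 6h default above and keeps a busy cluster from rolling
    # nodes continuously.
    consolidateAfter: 6h
```

To confirm what the chart actually rendered in a cluster, read the live object rather than the values file, for example with `kubectl get nodepool <name> -o jsonpath='{.spec.template.spec.terminationGracePeriod} {.spec.disruption.consolidateAfter}'`.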

    Apps

    • aws-pod-identity-webhook from v1.19.1 to v2.0.0
    • karpenter from v1.3.0 to v1.4.0
    • Added karpenter-taint-remover v1.0.1
    • security-bundle from v1.12.0 to v1.13.1

    aws-pod-identity-webhook v1.19.1…v2.0.0

    Changed

    • Upgrade IRSA to latest v0.6.9

    karpenter v1.3.0…v1.4.0

    Changed

    • Updated karpenter to 1.8.1
    • Fixes RBAC issues when the OwnerReferencesPermissionEnforcement feature gate is enabled, by allowing modification of the finalizers subresource.

    karpenter-taint-remover v1.0.1

    Changed

    • Use default catalog

    security-bundle v1.12.0…v1.13.1

    Changed

    • Revert previous kyverno update (#536, #531, #538).
    • Update kyverno-policy-operator (app) to v0.1.6.
    • Update kyverno (app) to v0.20.0.
    • Update kyverno-crds (app) to v1.14.0.
    • Update kyverno-policies (app) to v0.24.0.
    • Update kyverno-policy-operator (app) to v0.1.5.
    • Update trivy-operator (app) to v0.12.1.
    • Update trivy (app) to v0.14.1.
    • Update falco (app) to v0.11.0.