Patch Argo CD now or expose every secret

Argo CD v3.3.9 and etcd v3.6.11: Two Critical Control Plane CVEs

  • GHSA-3v3m-wc6v-x4x3 (critical): Argo CD's ServerSideDiff endpoint returns unmasked PredictedLive and NormalizedLive states, bypassing secret masking when an Application carries the argocd.argoproj.io/compare-options: IncludeMutationWebhook=true annotation and the secret is owned by a non-Argo CD SSA field manager (e.g., kube-controller-manager). Any authenticated Argo CD user — including the default catch-all role — can extract plaintext Kubernetes secrets from etcd. Affects v3.2.0–v3.3.8; no workaround. Upgrade to v3.3.9 immediately and audit Applications for the IncludeMutationWebhook=true annotation.
  • etcd v3.6.11 patches an RBAC bypass: Put requests inside transactions using PrevKv or lease attachment were skipping authorization checks entirely — a write-permissioned user could read data outside their policy scope. Requires etcd auth to be enabled; affects self-managed clusters. Managed providers (EKS, GKE, AKS) patch etcd independently — verify patch status before assuming coverage.
  • etcd v3.6.11 also fixes a failure when adding a member while one existing node is down, provided quorum still holds — resolving a blocking edge case for production node replacement workflows.
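To make the two checks above concrete, here is an added audit helper (not Argo CD, etcd or newsletter code). It takes the JSON that `kubectl get applications.argoproj.io -A -o json` returns, flags every Application whose `argocd.argoproj.io/compare-options` annotation enables `IncludeMutationWebhook`, and classifies Argo CD and etcd versions against the fixed releases named above. It assumes the annotation value is a comma-separated list of `key=value` options (the form Argo CD's documentation shows), and the embedded Application list is a constructed sample.

```python
"""Audit helpers for GHSA-3v3m-wc6v-x4x3 (Argo CD ServerSideDiff secret
exposure) and the etcd transaction RBAC bypass fixed in v3.6.11.

Added example; assumes kubectl is on PATH only when run as a script.
"""
import json
import re
import subprocess

COMPARE_OPTIONS_ANNOTATION = "argocd.argoproj.io/compare-options"

# Version boundaries as stated in the advisories: Argo CD v3.2.0-v3.3.8
# affected, fixed in v3.3.9; etcd fixed in v3.6.11.
ARGOCD_FIRST_AFFECTED = (3, 2, 0)
ARGOCD_FIXED = (3, 3, 9)
ETCD_FIXED = (3, 6, 11)


def parse_version(text):
    """Extract (major, minor, patch) from strings like 'v3.3.8' or '3.6.11+abc'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no semantic version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def argocd_vulnerable(version):
    """True when the Argo CD version lies in the affected range v3.2.0-v3.3.8."""
    return ARGOCD_FIRST_AFFECTED <= parse_version(version) < ARGOCD_FIXED


def etcd_needs_patch(version, auth_enabled):
    """The etcd RBAC bypass only matters when auth is enabled and version < 3.6.11."""
    return bool(auth_enabled) and parse_version(version) < ETCD_FIXED


def has_include_mutation_webhook(annotations):
    """Parse the compare-options annotation (assumed comma-separated key=value list)."""
    value = (annotations or {}).get(COMPARE_OPTIONS_ANNOTATION, "")
    for option in value.split(","):
        key, _, val = option.strip().partition("=")
        if key == "IncludeMutationWebhook" and val.strip().lower() == "true":
            return True
    return False


def flag_applications(app_list):
    """Return 'namespace/name' for every Application carrying the risky option."""
    flagged = []
    for app in app_list.get("items", []):
        meta = app.get("metadata", {})
        if has_include_mutation_webhook(meta.get("annotations")):
            flagged.append(f"{meta.get('namespace', '')}/{meta.get('name', '')}")
    return flagged


# Constructed sample Application list (not real cluster output).
SAMPLE_APPS = {
    "items": [
        {"metadata": {"namespace": "argocd", "name": "payments",
                      "annotations": {COMPARE_OPTIONS_ANNOTATION:
                                      "ServerSideDiff=true, IncludeMutationWebhook=true"}}},
        {"metadata": {"namespace": "argocd", "name": "web",
                      "annotations": {COMPARE_OPTIONS_ANNOTATION: "ServerSideDiff=true"}}},
        {"metadata": {"namespace": "team-a", "name": "batch",
                      "annotations": {COMPARE_OPTIONS_ANNOTATION:
                                      "IncludeMutationWebhook=false"}}},
        {"metadata": {"namespace": "team-b", "name": "plain"}},
    ]
}


if __name__ == "__main__":
    # Live mode: pull Applications from the current kube context.
    raw = subprocess.run(
        ["kubectl", "get", "applications.argoproj.io", "-A", "-o", "json"],
        check=True, capture_output=True, text=True,
    ).stdout
    for ref in flag_applications(json.loads(raw)):
        print(f"IncludeMutationWebhook=true on {ref}: upgrade Argo CD to v3.3.9")
```

Run it against a real cluster with the kube context pointed at the Argo CD control plane; every flagged Application is one where, on an affected version, the ServerSideDiff endpoint can return unmasked secret data. The version helpers are meant to be fed the output of your inventory tooling; managed etcd on EKS, GKE or AKS is patched by the provider and should be verified with the provider's release notes rather than this check.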

containerd v2.3.0 Stable: First Annual LTS, Direct v1.7 Upgrade Opens

  • containerd v2.3.0 stable shipped April 30 as the first annual LTS release, aligned to the Kubernetes release cadence with a minimum two-year support window. Direct upgrades from v1.7 to v2.3 are explicitly supported — no intermediate hop to an earlier v2.x required, ending the wait for teams still on the old stable branch.
  • EROFS native container image support with zstd-wrapped layers, dmverity integrity verification, and fsmount API to overcome PAGE_SIZE limits — enabling immutable, integrity-verified image distribution at the filesystem layer.
  • NRI plugins gain access to seccomp policies, POSIX rlimits, sysctls, Linux network devices, CDI-injected devices, and kernel scheduling policies; OTel trace propagation ships in outgoing plugin client RPCs. Breaking change: commas are no longer allowed in NRI plugin names.
  • containerd API 1.11.0 ships alongside v2.3.0, adding a spec field to the sandbox API and transfer types for container filesystem copy — tools managing container filesystems can now operate through the containerd API rather than bypassing it.
  • CRI HostNetwork + UserNamespaces support is included (previously noted as beta.2 in Issue #12), making v2.3.0 the first stable containerd release to satisfy the HostNetwork + UserNamespaces alpha prerequisite in Kubernetes v1.36.

CVE-2026-31431 "Copy Fail": CISA KEV Confirmed, FCEB Patches Due May 15


GKE 2026-R17 and AKS: In-Place Resize GA, Windows Retirement Deadline

  • In-place Pod Resize is GA in GKE 1.35 — CPU and memory requests/limits modifiable without pod restart; Writable cgroups is also GA in GKE 1.35, allowing workloads to manage child process resources via the Linux cgroups API directly (GKE release notes).
  • Gateway API v1.5 is supported from GKE 1.35.2-gke.1842000 — the first GKE version to ship all five features promoted to Standard channel (covered in Issue #3 for the upstream spec; this is the first GKE rollout).
  • C4A bare metal (Axion) instances entered Public Preview for Standard clusters on GKE 1.35.0-gke.2232000 or later. Windows nodes upgrade to containerd 2.1 in GKE 1.35 (from 1.7 in 1.34); auto-upgrades for Windows-node clusters are delayed until 1.34 EOL.
  • GKE Cloud Storage FUSE CSI CreateContainer error delay fix: upgrade to 1.34.6-gke.1154000 or 1.35.2-gke.1691000 — an inefficient bucket access check was replaced with the GetStorageLayout API call, resolving significant pod startup delays.
  • AKS Windows Server Annual Channel retires May 15, 2026 — no new images or security patches after that date; new Annual Channel node pools blocked after May 15, 2027. Migrate to Long Term Servicing Channel (LTSC) now.
  • AKS K8s v1.35 is GA and the new default for new clusters; Ubuntu 24.04 is the default node OS for v1.35+. K8s 1.31 and 1.32 are deprecated. Container Network Insights Agent entered Public Preview in five regions — an AI-powered diagnostic add-on that accepts natural-language network problem descriptions and returns structured root cause evidence.

Kyverno v1.18.0 and Chainguard FIPS EKS Add-ons

  • Kyverno v1.18.0 adds an HTTP context blocklist (FLAG_HTTP_BLOCKLIST env var) with scoped token authorization — policies can only reach explicitly allowlisted hosts, blocking supply-chain attack vectors against external context sources.
  • Namespaced image registry credentials: imageRegistryCredentials can now reference namespaced secrets and pod-level imagePullSecrets — enabling per-namespace image verification in multi-tenant clusters without cluster-level credential sharing.
  • Three CVEs patched in v1.18.0: CVE-2026-32280 (intermediate cert validation bypass in image verification — priority for supply-chain teams), CVE-2026-32283 (Go toolchain), CVE-2026-24686 (go-tuf). No breaking changes; kyverno apply/kyverno test now support cleanup policies and mutateExisting policies for full local test coverage.
  • Chainguard published five FIPS 140-3 validated EKS add-ons to AWS Marketplace: kube-proxy, CoreDNS, VPC CNI, EBS CSI, and EFS CSI — all built from source with zero known CVEs, SBOMs, and verifiable signatures. Targets FedRAMP/HIPAA/PCI-DSS environments where per-add-on cryptographic compliance is required without adopting EKS Auto Mode wholesale.
