CRI-O v1.35.0
The release notes have been generated for the commit range
v1.34.0…73246f5 on Thu, 04 Dec 2025 20:49:29 UTC.
Downloads
Download one of our static release bundles via our Google Cloud Bucket:
To verify the artifact signatures via cosign, run:
> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.73246f596547dc39c46041aa249f3f90db26afe1.tar.gz \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --signature cri-o.amd64.73246f596547dc39c46041aa249f3f90db26afe1.tar.gz.sig \
    --certificate cri-o.amd64.73246f596547dc39c46041aa249f3f90db26afe1.tar.gz.cert
To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:
> tar xfz cri-o.amd64.73246f596547dc39c46041aa249f3f90db26afe1.tar.gz
> bom validate -e cri-o.amd64.73246f596547dc39c46041aa249f3f90db26afe1.tar.gz.spdx -d cri-o
Changelog since v1.34.0
Urgent Upgrade Notes
- Add container_spec* and container_last_seen metrics
  Action required: container_spec_memory_limit_bytes has moved from the memory metrics category to the new spec category. Update your CRI-O configuration to include spec in included_pod_metrics if you rely on this metric. (#9531, @haircommander)
Changes by Kind
Ci
- Require go 1.25 for building CRI-O. (#9489, @saschagrunert)
Deprecation
- Deprecated --insecure-registries option, and made it ineffective. (#9511, @bitoku)
Feature
- Add DiskIO metrics to collected container metrics (#9571, @haircommander)
- Add container_start_time_seconds metric, nested under the spec metrics family (#9567, @haircommander)
- Added container_create_timeout option to control timeout duration of container creation (#9499, @snir911)
- Added disk metrics (container_fs_inodes_free, container_fs_inodes_total, container_fs_limit_bytes, container_fs_usage_bytes) (#9344, @R3hankhan123)
- Added new metric container_file_descriptors to expose the number of open file descriptors for each container from CRI-O metrics (#9329, @sreeram-venkitesh)
- Added support for the namespaced pull secret credential provider. (#9463, @saschagrunert)
- This commit introduces a new housekeeping value for the irq-load-balancing.crio.io annotation. When housekeeping is set:
  - The housekeeping CPU set is injected into the container’s environment variables as OPENSHIFT_HOUSEKEEPING_CPUS
  - IRQ SMP affinity bits are not disabled on the housekeeping CPUs when adding a new container
  - The housekeeping CPUs are chosen as the first CPU within each container plus its thread siblings (#9223, @andreaskaris)
Bug or Regression
- Fix a bug where CRI metrics had the incorrect metadata. Now, instead of the metrics being populated with the sandbox metadata, they are populated with the container metadata. (#9535, @haircommander)
- Fixed CVE-2025-58183: Updated tar-split to v0.12.2 to fix unbounded memory allocation vulnerability when parsing malicious container images with GNU sparse tar files. (#9589, @saschagrunert)
- Fixed a bug where includedPodMetrics are not respected in ListMetricDescriptors (#9565, @bitoku)
- Fixed memory leak with CRI connection when using the systemd watchdog feature. (#9448, @saschagrunert)
- Fixed static build gpgme issue resulting in an “Invalid crypto engine” error on various platforms. (#9479, @saschagrunert)
- LoadSandbox now validates critical metadata fields (name, namespace, uid) to prevent restoring sandboxes with corrupt configurations. (#9633, @saschagrunert)
- Server: Fix network cleanup failures when NetNS path is empty (#9410, @sohankunkerkar)
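To confirm that an installed binary actually links the tar-split release named in the CVE-2025-58183 entry above, the module list that the Go toolchain embeds in the binary can be read back and compared. This is an added example, not part of the CRI-O release notes or source; the function names are made up here, and it assumes the binary carries Go build information.

```go
package main

import (
	"debug/buildinfo"
	"fmt"
	"os"
	"strings"
)

const tarSplitModule, tarSplitFixed = "github.com/vbatts/tar-split", "v0.12.2" // from the CVE entry

// atLeast reports have >= want for vX.Y.Z versions, failing closed on anything else.
func atLeast(have, want string) bool {
	var h, w [3]int
	nh, _ := fmt.Sscanf(have, "v%d.%d.%d", &h[0], &h[1], &h[2])
	nw, _ := fmt.Sscanf(want, "v%d.%d.%d", &w[0], &w[1], &w[2])
	if nh != 3 || nw != 3 {
		return false
	}
	for i := range h {
		if h[i] != w[i] {
			return h[i] > w[i]
		}
	}
	return !strings.Contains(have, "-") // same core: a pre-release or pseudo-version is older
}

// checkBinary reads the module list embedded in a Go binary and returns the
// tar-split version and fix status; a replaced module is rejected, not trusted.
func checkBinary(path string) (string, bool, error) {
	info, err := buildinfo.ReadFile(path)
	if err != nil {
		return "", false, err
	}
	for _, dep := range info.Deps {
		if dep.Path == tarSplitModule && dep.Replace == nil {
			return dep.Version, atLeast(dep.Version, tarSplitFixed), nil
		}
	}
	return "", false, fmt.Errorf("%s not listed, or replaced, in %s", tarSplitModule, path)
}

func main() { // pass the path of the crio binary to inspect as the last argument
	version, ok, err := checkBinary(os.Args[len(os.Args)-1])
	fmt.Printf("tar-split=%q fixed=%v err=%v\n", version, ok, err)
	if !ok {
		os.Exit(1)
	}
}
```

The program exits non-zero when the module is missing, replaced, unparseable, or older than the fixed version, so it can gate a rollout script.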
Other (Cleanup or Flake)
- Changed GRPC debug log format to be more informative (#9501, @bitoku)
- Use system dbus when running as UID 0 regardless of rootless detection (#9626, @sohankunkerkar)
Uncategorized
- Cleaned up duplicate signature policy path logic in server image pull (#9509, @gouthamhusky)
Dependencies
Added
- github.com/Masterminds/goutils: v1.1.1
- github.com/Masterminds/sprig/v3: v3.3.0
- github.com/cri-o/crio-credential-provider: v0.1.1
- github.com/gkampitakis/ciinfo: v0.3.2
- github.com/gkampitakis/go-diff: v1.3.2
- github.com/gkampitakis/go-snaps: v0.5.15
- github.com/go-openapi/swag/cmdutils: v0.24.0
- github.com/go-openapi/swag/conv: v0.24.0
- github.com/go-openapi/swag/fileutils: v0.24.0
- github.com/go-openapi/swag/jsonname: v0.24.0
- github.com/go-openapi/swag/jsonutils: v0.24.0
- github.com/go-openapi/swag/loading: v0.24.0
- github.com/go-openapi/swag/mangling: v0.24.0
- github.com/go-openapi/swag/netutils: v0.24.0
- github.com/go-openapi/swag/stringutils: v0.24.0
- github.com/go-openapi/swag/typeutils: v0.24.0
- github.com/go-openapi/swag/yamlutils: v0.24.0
- github.com/goccy/go-yaml: v1.18.0
- github.com/google/go-github/v75: v75.0.0
- github.com/hashicorp/golang-lru/v2: v2.0.7
- github.com/huandu/xstrings: v1.5.0
- github.com/joho/godotenv: v1.5.1
- github.com/joshdk/go-junit: v1.0.0
- github.com/maruel/natural: v1.1.1
- github.com/mfridman/tparse: v0.18.0
- github.com/mitchellh/copystructure: v1.2.0
- github.com/mitchellh/reflectwalk: v1.0.2
- github.com/shopspring/decimal: v1.4.0
- github.com/tidwall/gjson: v1.18.0
- github.com/tidwall/match: v1.1.1
- github.com/tidwall/pretty: v1.2.1
- github.com/tidwall/sjson: v1.2.5
- go.podman.io/common: v0.66.0
- go.podman.io/image/v5: v5.38.0
- go.podman.io/storage: v1.61.0
- goa.design/goa/v3: v3.20.1
- golang.org/x/tools/go/expect: v0.1.0-deprecated
- golang.org/x/tools/go/packages/packagestest: v0.1.1-deprecated
Changed
- chainguard.dev/go-grpc-kit: v0.17.7 → v0.17.10
- chainguard.dev/sdk: v0.1.29 → v0.1.32
- cloud.google.com/go/auth: v0.16.2 → v0.16.5
- cloud.google.com/go/compute/metadata: v0.7.0 → v0.9.0
- cloud.google.com/go/iam: v1.4.0 → v1.5.0
- cloud.google.com/go/kms: v1.21.0 → v1.21.1
- cloud.google.com/go/longrunning: v0.6.4 → v0.6.6
- cloud.google.com/go/security: v1.18.3 → v1.18.5
- cloud.google.com/go: v0.118.3 → v0.120.0
- github.com/Azure/azure-sdk-for-go/sdk/azidentity: v1.8.0 → v1.8.2
- github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys: v1.3.0 → v1.3.1
- github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal: v1.1.0 → v1.1.1
- github.com/AzureAD/microsoft-authentication-library-for-go: v1.3.1 → v1.3.3
- github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: v1.29.0 → v1.30.0
- github.com/ProtonMail/go-crypto: v1.1.6 → v1.3.0
- github.com/aws/aws-sdk-go-v2/config: v1.29.16 → v1.31.0
- github.com/aws/aws-sdk-go-v2/credentials: v1.17.69 → v1.18.4
- github.com/aws/aws-sdk-go-v2/feature/ec2/imds: v1.16.31 → v1.18.3
- github.com/aws/aws-sdk-go-v2/internal/configsources: v1.3.35 → v1.4.3
- github.com/aws/aws-sdk-go-v2/internal/endpoints/v2: v2.6.35 → v2.7.3
- github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding: v1.12.3 → v1.13.0
- github.com/aws/aws-sdk-go-v2/service/internal/presigned-url: v1.12.16 → v1.13.3
- github.com/aws/aws-sdk-go-v2/service/kms: v1.37.8 → v1.38.2
- github.com/aws/aws-sdk-go-v2/service/sso: v1.25.4 → v1.28.0
- github.com/aws/aws-sdk-go-v2/service/ssooidc: v1.30.2 → v1.33.0
- github.com/aws/aws-sdk-go-v2/service/sts: v1.33.21 → v1.37.0
- github.com/aws/aws-sdk-go-v2: v1.36.4 → v1.38.0
- github.com/aws/aws-sdk-go: v1.55.5 → v1.55.6
- github.com/aws/smithy-go: v1.22.3 → v1.22.5
- github.com/chainguard-dev/clog: v1.5.1 → v1.7.0
- github.com/cncf/xds/go: 2ac532f → 0feb691
- github.com/containerd/cgroups/v3: v3.0.5 → v3.0.3
- github.com/containerd/containerd/api: v1.9.0 → v1.10.0
- github.com/containerd/containerd: v1.7.28 → v1.7.29
- github.com/containerd/nri: v0.10.0 → 649a151
- github.com/containerd/stargz-snapshotter/estargz: v0.16.3 → v0.17.0
- github.com/containers/conmon-rs: v0.7.2 → 737e4d6
- github.com/cri-o/ocicni: v0.4.3 → v0.5.0
- github.com/danieljoos/wincred: v1.2.2 → v1.2.3
- github.com/docker/cli: v28.3.2+incompatible → v28.5.1+incompatible
- github.com/docker/docker-credential-helpers: v0.9.3 → v0.9.4
- github.com/docker/docker: v28.3.3+incompatible → v28.5.1+incompatible
- github.com/docker/go-connections: v0.5.0 → v0.6.0
- github.com/envoyproxy/go-control-plane/envoy: v1.32.4 → v1.35.0
- github.com/envoyproxy/go-control-plane: v0.13.4 → 75eaa19
- github.com/go-git/go-git/v5: v5.16.2 → v5.16.3
- github.com/go-jose/go-jose/v4: v4.1.1 → v4.1.3
- github.com/go-logfmt/logfmt: v0.5.0 → v0.4.0
- github.com/go-openapi/errors: v0.22.1 → v0.22.2
- github.com/go-openapi/swag: v0.23.1 → v0.24.1
- github.com/go-viper/mapstructure/v2: v2.3.0 → v2.4.0
- github.com/godbus/dbus/v5: 7623695 → v5.2.0
- github.com/golang-jwt/jwt/v5: v5.2.2 → v5.3.0
- github.com/googleapis/gax-go/v2: v2.14.2 → v2.15.0
- github.com/hashicorp/vault/api: v1.15.0 → v1.16.0
- github.com/intel/goresctrl: v0.9.0 → v0.10.0
- github.com/magiconair/properties: v1.8.9 → v1.8.10
- github.com/mattn/go-sqlite3: v1.14.28 → v1.14.32
- github.com/maxbrunsfeld/counterfeiter/v6: v6.11.3 → v6.12.0
- github.com/mistifyio/go-zfs/v3: v3.0.1 → v3.1.0
- github.com/moby/sys/sequential: v0.5.0 → v0.6.0
- github.com/olekukonko/tablewriter: v1.0.9 → v1.1.0
- github.com/onsi/ginkgo/v2: v2.25.3 → v2.27.2
- github.com/opencontainers/cgroups: v0.0.5 → v0.0.6
- github.com/opencontainers/runc: v1.3.1 → v1.3.2
- github.com/opencontainers/runtime-spec: v1.2.1 → v1.3.0
- github.com/opencontainers/runtime-tools: 0ea5ed0 → edf4cb3
- github.com/proglottis/gpgme: v0.1.4 → v0.1.5
- github.com/sebdah/goldie/v2: v2.5.5 → v2.7.1
- github.com/secure-systems-lab/go-securesystemslib: v0.9.0 → v0.9.1
- github.com/sigstore/fulcio: v1.6.6 → v1.7.1
- github.com/sigstore/rekor: v1.4.0 → v1.4.2
- github.com/sigstore/sigstore/pkg/signature/kms/aws: v1.8.12 → v1.9.3
- github.com/sigstore/sigstore/pkg/signature/kms/azure: v1.8.12 → v1.9.3
- github.com/sigstore/sigstore/pkg/signature/kms/gcp: v1.8.12 → v1.9.3
- github.com/sigstore/sigstore/pkg/signature/kms/hashivault: v1.8.12 → v1.9.3
- github.com/skeema/knownhosts: v1.3.1 → v1.3.2
- github.com/spf13/cobra: v1.9.1 → v1.10.1
- github.com/spf13/pflag: v1.0.9 → v1.0.10
- github.com/spiffe/go-spiffe/v2: v2.5.0 → v2.6.0
- github.com/sylabs/sif/v2: v2.21.1 → v2.22.0
- github.com/vbatts/tar-split: v0.12.1 → v0.12.2
- go.etcd.io/bbolt: v1.4.2 → v1.4.3
- go.etcd.io/etcd/api/v3: v3.6.4 → v3.6.5
- go.etcd.io/etcd/client/pkg/v3: v3.6.4 → v3.6.5
- go.etcd.io/etcd/client/v3: v3.6.4 → v3.6.5
- go.etcd.io/etcd/pkg/v3: v3.6.4 → v3.6.5
- go.etcd.io/etcd/server/v3: v3.6.4 → v3.6.5
- go.opentelemetry.io/auto/sdk: v1.1.0 → v1.2.1
- go.opentelemetry.io/contrib/detectors/gcp: v1.36.0 → v1.38.0
- go.yaml.in/yaml/v2: v2.4.2 → v2.4.3
- golang.org/x/crypto: v0.42.0 → v0.45.0
- golang.org/x/exp: 7e4ce0a → b7579e2
- golang.org/x/mod: v0.27.0 → v0.29.0
- golang.org/x/net: v0.44.0 → v0.47.0
- golang.org/x/oauth2: v0.30.0 → v0.32.0
- golang.org/x/sync: v0.17.0 → v0.18.0
- golang.org/x/sys: v0.36.0 → v0.38.0
- golang.org/x/telemetry: 1a19826 → 078029d
- golang.org/x/term: v0.35.0 → v0.37.0
- golang.org/x/text: v0.29.0 → v0.31.0
- golang.org/x/tools: v0.36.0 → v0.38.0
- google.golang.org/api: v0.242.0 → v0.248.0
- google.golang.org/genproto/googleapis/api: c5933d9 → 3a174f9
- google.golang.org/genproto/googleapis/rpc: c5933d9 → 3a174f9
- google.golang.org/grpc: v1.75.1 → v1.77.0
- google.golang.org/protobuf: v1.36.9 → v1.36.10
- gopkg.in/evanphx/json-patch.v4: v4.12.0 → v4.13.0
- k8s.io/api: v0.34.1 → v0.35.0-beta.0
- k8s.io/apimachinery: v0.34.1 → v0.35.0-beta.0
- k8s.io/apiserver: v0.34.1 → v0.35.0-beta.0
- k8s.io/client-go: v0.34.1 → v0.35.0-beta.0
- k8s.io/component-base: v0.34.1 → v0.35.0-beta.0
- k8s.io/cri-api: v0.34.1 → v0.35.0-beta.0
- k8s.io/cri-client: v0.34.1 → v0.35.0-beta.0
- k8s.io/kms: v0.34.1 → v0.35.0-beta.0
- k8s.io/kube-openapi: f3f2b99 → 589584f
- k8s.io/kubelet: v0.34.1 → v0.35.0-beta.0
- k8s.io/utils: 4c0f3b2 → bc988d5
- sigs.k8s.io/json: cfa47c3 → 2d32026
- sigs.k8s.io/knftables: v0.0.18 → v0.0.19
- sigs.k8s.io/release-sdk: v0.12.4 → v0.12.5
- sigs.k8s.io/release-utils: v0.12.1 → v0.12.2
- tags.cncf.io/container-device-interface/specs-go: v1.0.0 → 16a1328
- tags.cncf.io/container-device-interface: v1.0.1 → 16a1328
Removed
- github.com/Microsoft/cosesign1go: v1.4.0
- github.com/Microsoft/didx509go: v0.0.3
- github.com/OneOfOne/xxhash: v1.2.8
- github.com/akavel/rsrc: v0.10.2
- github.com/benbjohnson/clock: v1.1.0
- github.com/census-instrumentation/opencensus-proto: v0.2.1
- github.com/client9/misspell: v0.3.4
- github.com/cncf/udpa/go: 269d4d4
- github.com/containerd/protobuild: v0.3.0
- github.com/containers/common: v0.64.2
- github.com/containers/image/v5: v5.36.2
- github.com/decred/dcrd/dcrec/secp256k1/v4: v4.2.0
- github.com/go-chi/chi: v4.1.2+incompatible
- github.com/go-kit/log: v0.1.0
- github.com/goadesign/goa: v2.2.5+incompatible
- github.com/goccy/go-json: v0.10.2
- github.com/golang/mock: v1.1.1
- github.com/google/go-github/v72: v72.0.0
- github.com/hashicorp/golang-lru: v1.0.2
- github.com/josephspurrier/goversioninfo: v1.4.0
- github.com/lestrrat-go/backoff/v2: v2.0.8
- github.com/lestrrat-go/blackmagic: v1.0.2
- github.com/lestrrat-go/httpcc: v1.0.1
- github.com/lestrrat-go/iter: v1.0.2
- github.com/lestrrat-go/jwx: v1.2.29
- github.com/lestrrat-go/option: v1.0.1
- github.com/linuxkit/virtsock: f8cee7d
- github.com/prashantv/gostub: v1.1.0
- github.com/sagikazarmark/slog-shim: v0.1.0
- github.com/veraison/go-cose: v1.1.0
- go.uber.org/atomic: v1.7.0
- goa.design/goa: v2.2.5+incompatible
- golang.org/x/lint: 1621716
- google.golang.org/appengine: v1.4.0
- google.golang.org/grpc/cmd/protoc-gen-go-grpc: v1.5.1
- honnef.co/go/tools: ea95bdf