v1.32.X

Upgrade Notice

Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.

| Version | Release date | Kubernetes | Etcd | Containerd | Runc | Metrics-server | CoreDNS | Ingress-Nginx | Helm-controller | Canal (Default) | Calico | Cilium | Multus |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| v1.32.8+rke2r1 | Aug 23 2025 | v1.32.8 | v3.5.21-k3s1 | v2.0.5-k3s2 | v1.2.6 | v0.8.0 | v1.12.3 | v1.12.4-hardened7 | v0.16.13 | Flannel v0.27.2, Calico v3.30.2 | v3.30.2 | v1.18.0 | v4.2.2 |
| v1.32.7+rke2r1 | Jul 25 2025 | v1.32.7 | v3.5.21-k3s1 | v2.0.5-k3s2 | v1.2.6 | v0.8.0 | v1.12.2 | v1.12.4-hardened2 | v0.16.13 | Flannel v0.27.1, Calico v3.30.2 | v3.30.1 | v1.17.6 | v4.2.1 |
| v1.32.6+rke2r1 | Jun 27 2025 | v1.32.6 | v3.5.21-k3s1 | v2.0.5-k3s1 | v1.2.6 | v0.7.2 | v1.12.2 | v1.12.2-hardened2 | v0.16.11 | Flannel v0.27.0, Calico v3.30.1 | v3.30.1 | v1.17.4 | v4.2.1 |
| v1.32.5+rke2r1 | May 21 2025 | v1.32.5 | v3.5.21-k3s1 | v2.0.5-k3s1 | v1.2.6 | v0.7.2 | v1.12.1 | v1.12.1-hardened6 | v0.16.10 | Flannel v0.26.7, Calico v3.30.0 | v3.30.0 | v1.17.3 | v4.2.0 |
| v1.32.4+rke2r1 | May 01 2025 | v1.32.4 | v3.5.21-k3s1 | v2.0.4-k3s2 | v1.2.5 | v0.7.2 | v1.12.1 | v1.12.1-hardened3 | v0.16.10 | Flannel v0.26.6, Calico v3.29.3 | v3.29.3 | v1.17.3 | v4.2.0 |
| v1.32.3+rke2r1 | Mar 26 2025 | v1.32.3 | v3.5.19-k3s1 | v2.0.4-k3s2 | v1.2.5 | v0.7.2 | v1.12.0 | v1.12.1-hardened1 | v0.16.6 | Flannel v0.26.5, Calico v3.29.2 | v3.29.2 | v1.17.1 | v4.1.4 |
| v1.32.2+rke2r1 | Feb 27 2025 | v1.32.2 | v3.5.18-k3s1 | v2.0.2-k3s2 | v1.2.4 | v0.7.2 | v1.12.0 | v1.12.0-hardened6 | v0.16.6 | Flannel v0.26.4, Calico v3.29.2 | v3.29.2 | v1.17.0 | v4.1.4 |
| v1.32.1+rke2r1 | Jan 27 2025 | v1.32.1 | v3.5.16-k3s1 | v1.7.23-k3s2 | v1.2.4 | v0.7.2 | v1.12.0 | v1.12.0-hardened2 | v0.16.5 | Flannel v0.26.3, Calico v3.29.1 | v3.29.1 | v1.16.5 | v4.1.4 |
| v1.32.0+rke2r1 | Jan 03 2025 | v1.32.0 | v3.5.16-k3s1 | v1.7.23-k3s2 | v1.1.14 | v0.7.1 | v1.12.0 | v1.10.5-hardened6 | v0.16.5 | Flannel v0.26.1, Calico v3.29.1 | v3.29.1 | v1.16.4 | v4.1.3 |

Release v1.32.8+rke2r1

This release updates Kubernetes to v1.32.8.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This token is used both for joining new nodes to the cluster and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as it is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.32.7+rke2r1

  • Add.utils test (#8651) - backport 1.32 (#8661)

  • CNI Bumps for Aug 25 release (#8693)

  • Bump rancher vsphere csi to 3.3.1-rancher10 (#8677)

  • Bump rke2-coredns to 1.43.100 (#8723)

  • Update to cilium v1.18.000 (#8717)

  • Bump ingress-nginx to v1.12.4-hardened6 (#8733)

  • Update Kubernetes Metrics Server chart 3.13.000 (#8742)

  • Separate pod template generation and static pod execution code (#8747)

  • Bump k3s (#8750)

  • Add prime ribs index upload and cache invalidation (#8710)

  • Bump K3s version for certificate startup check fix (#8763)

  • Update K8s to v1.32.8 and Go 1.23.11 (#8772)

  • Fix missing ECM config (#8777)

  • Fix uploader authentication (#8782)

  • Bump k3s for metric and event fixes (#8786)

  • Bump ingress-nginx to hardened7 (#8790)

  • Bump coredns chart and image (#8736) (#8796)

  • Fix static pod cleanup (#8807)

Charts Versions

| Component | Version |
| --- | --- |
| rke2-cilium | 1.18.000 |
| rke2-canal | v3.30.2-build2025073100 |
| rke2-calico | v3.30.200 |
| rke2-calico-crd | v3.30.200 |
| rke2-coredns | 1.43.101 |
| rke2-ingress-nginx | 4.12.404 |
| rke2-metrics-server | 3.13.000 |
| rancher-vsphere-csi | 3.3.1-rancher1000 |
| rancher-vsphere-cpi | 1.10.000 |
| harvester-cloud-provider | 0.2.1000 |
| harvester-csi-driver | 0.1.2400 |
| rke2-snapshot-controller | 4.0.003 |
| rke2-snapshot-controller-crd | 4.0.003 |
| rke2-snapshot-validation-webhook | 0.0.0 |

Release v1.32.7+rke2r1

This release updates Kubernetes to v1.32.7.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This token is used both for joining new nodes to the cluster and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as it is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.32.6+rke2r1

  • Update Canal chart to latest version (#8530)

  • Prepend defaults to extra kube args (#8514)

  • Bump multus and whereabouts chart (#8538)

  • Update Kubernetes Metrics Server chart 3.12.203 (#8556)

  • Change structure and set namespace for ctr command (#8543)

  • Bump ingress-nginx to v1.12.4-hardened1 (#8569)

  • Charts: Bump Harvester CSI driver 0.1.24 (#8506)

    • Support online resize

    • Support external storage

  • Allow for zypper remove 104 code on uninstall (#8578)

    • Fix snapshot controller backwards compatibility (#8592)

  • Update flannel chart v0.27.100 (#8602)

  • Backports for 2025-07 (#8607)

  • Update K8s to v1.32.7 (#8624)

  • Bump ingress-nginx to hardened2 (#8635)

  • Update to cilium v1.17.6 (#8644)

Charts Versions

| Component | Version |
| --- | --- |
| rke2-cilium | 1.17.600 |
| rke2-canal | v3.30.2-build2025071100 |
| rke2-calico | v3.30.100 |
| rke2-calico-crd | v3.30.100 |
| rke2-coredns | 1.42.302 |
| rke2-ingress-nginx | 4.12.401 |
| rke2-metrics-server | 3.12.203 |
| rancher-vsphere-csi | 3.3.1-rancher900 |
| rancher-vsphere-cpi | 1.10.000 |
| harvester-cloud-provider | 0.2.1000 |
| harvester-csi-driver | 0.1.2400 |
| rke2-snapshot-controller | 4.0.003 |
| rke2-snapshot-controller-crd | 4.0.003 |
| rke2-snapshot-validation-webhook | 0.0.0 |

Release v1.32.6+rke2r1

This release updates Kubernetes to v1.32.6.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This token is used both for joining new nodes to the cluster and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as it is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.32.5+rke2r1

  • June 2025 CNI bumps (#8326)

  • Windows: Allow for silent/non confirmation use of uninstall.ps1 (#8341)

  • Testing Overhaul Backports (#8363)

  • Bump canal, flannel and cilium charts (#8359) (#8383)

  • Bump multus and whereabouts (#8360) (#8389)

  • Support profile: etcd (#8370)

  • Bumps for etcd, cloud provider, crictl, containerd and runc (#8404)

  • Backports for 2025-06 (#8418)

  • Update Kubernetes Metrics Server chart 3.12.2 (#8422)

  • Update CoreDNS chart 1.42.3 (#8426)

  • Bump ingress-nginx to v1.12.2 and hardened-dns-node for CVE fixes (#8401)

  • Bump K3s version (#8435)

  • June K8s v1.32.6 patch (#8445)

  • Update runc to the newest image (#8470)

Charts Versions

| Component | Version |
| --- | --- |
| rke2-cilium | 1.17.401 |
| rke2-canal | v3.30.1-build2025061101 |
| rke2-calico | v3.30.100 |
| rke2-calico-crd | v3.30.100 |
| rke2-coredns | 1.42.302 |
| rke2-ingress-nginx | 4.12.201 |
| rke2-metrics-server | 3.12.202 |
| rancher-vsphere-csi | 3.3.1-rancher900 |
| rancher-vsphere-cpi | 1.10.000 |
| harvester-cloud-provider | 0.2.1000 |
| harvester-csi-driver | 0.1.2300 |
| rke2-snapshot-controller | 4.0.002 |
| rke2-snapshot-controller-crd | 4.0.002 |
| rke2-snapshot-validation-webhook | 0.0.0 |

Release v1.32.5+rke2r1

This release updates Kubernetes to v1.32.5.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This token is used both for joining new nodes to the cluster and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as it is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.32.4+rke2r1

  • Upload prime ribs assets (#8171)

  • Feat: bump harvester-cloud-provider to v0.2.10 (#8182)

  • Backports for 2025-05 (#8196)

  • Update calico chart to v3.30.0 and Canal image (#8202)

  • Bump nginx version (#8177)

  • Update to Kubernetes Metrics Server 3.12.201 (#8211)

  • Update to flannel v0.26.700 (#8219)

  • Update cilium and multus to cni-plugins v1.7.1 (#8227)

  • Upgrade nginx chart (#8233)

  • Update to flannel v0.26.701 and canal v3.30.0-build2025051500 (#8258)

  • Update to CoreDNS 1.42.000 (#8266)

  • Update K8s to v1.32.5 and Go to v1.23.8 (#8242)

  • Fix race conditions in startup readiness checks (#8276)

  • Fix secrets syntax (#8282)

Charts Versions

| Component | Version |
| --- | --- |
| rke2-cilium | 1.17.301 |
| rke2-canal | v3.30.0-build2025051500 |
| rke2-calico | v3.30.001 |
| rke2-calico-crd | v3.30.001 |
| rke2-coredns | 1.42.000 |
| rke2-ingress-nginx | 4.12.103 |
| rke2-metrics-server | 3.12.201 |
| rancher-vsphere-csi | 3.3.1-rancher900 |
| rancher-vsphere-cpi | 1.10.000 |
| harvester-cloud-provider | 0.2.1000 |
| harvester-csi-driver | 0.1.2300 |
| rke2-snapshot-controller | 4.0.002 |
| rke2-snapshot-controller-crd | 4.0.002 |
| rke2-snapshot-validation-webhook | 0.0.0 |

Release v1.32.4+rke2r1

This release updates Kubernetes to v1.32.4.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This token is used both for joining new nodes to the cluster and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as it is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.32.3+rke2r1

  • Bump multus version (#7989)

  • Update CNI charts (#7996)

  • Bump whereabouts to v0.9.0 (#8005)

  • Update to coredns 1.39.201 (#8010)

  • Bump flannel and canal versions (#8023)

  • Chore: Bump nginx to v1.12.1-hardened3 (#8056)

  • K3s bump and backports for 2025-04 (#8038)

  • Update to flannel v0.26.601 and canal v3.29.3-build2025040801 (#8061)

  • Update to cilium v1.17.3 (#8083)

  • Bump kine for nats-server/v2 CVE-2025-30215 (#8089)

  • Bump K3s version (#8102)

  • Bump traefik to v3.3.6 (#8108)

  • Update k8s to v1.32.4 (#8116)

Charts Versions

| Component | Version |
| --- | --- |
| rke2-cilium | 1.17.300 |
| rke2-canal | v3.29.3-build2025040801 |
| rke2-calico | v3.29.300 |
| rke2-calico-crd | v3.29.101 |
| rke2-coredns | 1.39.201 |
| rke2-ingress-nginx | 4.12.101 |
| rke2-metrics-server | 3.12.200 |
| rancher-vsphere-csi | 3.3.1-rancher900 |
| rancher-vsphere-cpi | 1.10.000 |
| harvester-csi-driver | 0.1.2300 |
| harvester-cloud-provider | 0.2.900 |
| rke2-snapshot-controller | 4.0.002 |
| rke2-snapshot-controller-crd | 4.0.002 |
| rke2-snapshot-validation-webhook | 0.0.0 |

Release v1.32.3+rke2r1

This release updates Kubernetes to v1.32.3, and upgrades rke2-ingress-nginx to controller v1.12.1-hardened1 (chart version 4.12.1). This addresses CVE-2025-1974 as well as all other recently announced vulnerabilities in ingress-nginx.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This token is used both for joining new nodes to the cluster and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as it is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.32.2+rke2r1

  • Update to cilium v1.17.1 (#7849)

  • Bump coredns to v1.39.100 (#7858)

  • Update multus with new CNI plugin image with bond included (#7864)

  • Update to flannel v0.26.500 and canal v3.29.2-build2025030601 (#7874)

  • Bump ingress-nginx to hardened10 (#7885)

  • Backports for 2025-03 (#7890)

  • Bump K3s for apiserver addresses fix (#7912)

  • Update k8s (#7927)

  • Bump containerd to v2.0.4 (#7948)

  • Bump ingress-nginx to v1.12.1-hardened1, chart to 4.12.1 (#7961)

Charts Versions

| Component | Version |
| --- | --- |
| rke2-cilium | 1.17.100 |
| rke2-canal | v3.29.2-build2025030601 |
| rke2-calico | v3.29.200 |
| rke2-calico-crd | v3.29.101 |
| rke2-coredns | 1.39.100 |
| rke2-ingress-nginx | 4.12.100 |
| rke2-metrics-server | 3.12.200 |
| rancher-vsphere-csi | 3.3.1-rancher900 |
| rancher-vsphere-cpi | 1.10.000 |
| harvester-cloud-provider | 0.2.900 |
| harvester-csi-driver | 0.1.2300 |
| rke2-snapshot-controller | 4.0.002 |
| rke2-snapshot-controller-crd | 4.0.002 |
| rke2-snapshot-validation-webhook | 0.0.0 |

Release v1.32.2+rke2r1

This release updates Kubernetes to v1.32.2.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This token is used both for joining new nodes to the cluster and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as it is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.32.1+rke2r1

  • Update to cilium v1.16.6 (#7680)

  • Charts: bump Harvester CSI Driver v0.1.23 (#7667)

    • Enhance the Harvester CSI controller affinity/anti-affinity

  • Bump canal, flannel and multus charts (#7712)

  • Update cilium to v1.17.0 (#7708)

  • Update Calico and Canal to v3.29.2 (#7723)

  • Bump k3s, containerd, traefik, etcd, crictl (#7738)

    • Update k3s to fix registry auth in containerd config template

    • Update containerd to v2.0.2

    • Update traefik to v3.3.2

    • Update etcd to v3.5.18

    • Update crictl to v1.32.0

    • Update rke2-ingress-nginx chart to fix typo in default backend image template

  • Bump vsphere CSI to v3.3.1-rancher9 (#7734)

  • Update to v1.32.2 and Go to 1.23.6 (#7760)

  • Update version (#7769)

  • Bump ingress-nginx to v1.12.0-hardened6 (#7773)

  • Bump canal and flannel images to build20250218 (#7787)

  • Sync images to Prime registry (#7799)

  • Bump K3s version for release-1.32 (#7804)

  • Bump containerd for go-cni deadlock fix (#7811)

Charts Versions

| Component | Version |
| --- | --- |
| rke2-cilium | 1.17.000 |
| rke2-canal | v3.29.2-build2025021800 |
| rke2-calico | v3.29.200 |
| rke2-calico-crd | v3.29.101 |
| rke2-coredns | 1.36.102 |
| rke2-ingress-nginx | 4.12.005 |
| rke2-metrics-server | 3.12.200 |
| rancher-vsphere-csi | 3.3.1-rancher900 |
| rancher-vsphere-cpi | 1.10.000 |
| harvester-cloud-provider | 0.2.900 |
| harvester-csi-driver | 0.1.2300 |
| rke2-snapshot-controller | 4.0.002 |
| rke2-snapshot-controller-crd | 4.0.002 |
| rke2-snapshot-validation-webhook | 0.0.0 |

Release v1.32.1+rke2r1

This release updates Kubernetes to v1.32.1.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This token is used both for joining new nodes to the cluster and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as it is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.32.0+rke2r1

  • Charts: bump Harvester CSI Driver v0.1.2 (#7470)

    • Bump Harvester-csi-driver v0.1.22

  • Bump flannel, canal and multus charts (#7499)

  • Update to Cilium v1.16.5 (#7526)

  • Feat: bump harvester-cloud-provider to v0.2.9 (#7493)

    • Bump Harvester-cloud-provider v0.2.9

  • Updated calico chart to fix IP autodetect in case of IPv6 only (#7535)

  • Update metrics-server to 3.2.12 (#7550)

  • Update canal to v3.29.1-build2025011000 (#7566)

  • Add runtime classes hook and runtimes chart (#7578)

  • Backports for 2025-01 (#7587)

  • Bump ingress-nginx v1.12.0 (#7561)

  • Add Release downstream components in release workflow (#7597)

  • Bump k3s version for master and add/enhance tests (#7605)

  • Update k8s (#7603)

  • Bump ingress-nginx to v1.12.0-hardened2 (#7623)

  • Bump K3s version for split-role fix (#7635)

Charts Versions

| Component | Version |
| --- | --- |
| rke2-cilium | 1.16.501 |
| rke2-canal | v3.29.1-build2025011000 |
| rke2-calico | v3.29.101 |
| rke2-calico-crd | v3.29.101 |
| rke2-coredns | 1.36.102 |
| rke2-ingress-nginx | 4.12.003 |
| rke2-metrics-server | 3.12.200 |
| rancher-vsphere-csi | 3.3.1-rancher800 |
| rancher-vsphere-cpi | 1.10.000 |
| harvester-cloud-provider | 0.2.900 |
| harvester-csi-driver | 0.1.2200 |
| rke2-snapshot-controller | 4.0.002 |
| rke2-snapshot-controller-crd | 4.0.002 |
| rke2-snapshot-validation-webhook | 0.0.0 |

Release v1.32.0+rke2r1

This release is RKE2’s first in the v1.32 line. It updates Kubernetes to v1.32.0.

Important Note

If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This token is used both for joining new nodes to the cluster and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as it is required when restoring from backup.

You may retrieve the token value from any server already joined to the cluster:

cat /var/lib/rancher/rke2/server/token

Changes since v1.31.4+rke2r1

  • Bump K3s version for release-1.32 (#7445)

  • Validate single branch for tag (#7451)

  • Update rke2-cloud-controller for v1.32.0 (#7461)

Charts Versions

| Component | Version |
| --- | --- |
| rke2-cilium | 1.16.400 |
| rke2-canal | v3.29.1-build2024121100 |
| rke2-calico | v3.29.100 |
| rke2-calico-crd | v3.29.100 |
| rke2-coredns | 1.36.102 |
| rke2-ingress-nginx | 4.10.503 |
| rke2-metrics-server | 3.12.004 |
| rancher-vsphere-csi | 3.3.1-rancher800 |
| rancher-vsphere-cpi | 1.10.000 |
| harvester-cloud-provider | 0.2.600 |
| harvester-csi-driver | 0.1.2100 |
| rke2-snapshot-controller | 3.0.601 |
| rke2-snapshot-controller-crd | 3.0.601 |
| rke2-snapshot-validation-webhook | 1.9.001 |