v1.32.X
Before upgrading from earlier releases, be sure to read the Kubernetes Urgent Upgrade Notes.
| Version | Release date | Kubernetes | Etcd | Containerd | Runc | Metrics-server | CoreDNS | Ingress-Nginx | Helm-controller | Canal (Default) | Calico | Cilium | Multus |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| v1.32.4+rke2r1 | May 01 2025 | v1.32.4 | v3.5.21-k3s1 | v2.0.4-k3s2 | v1.2.5 | v0.7.2 | v1.12.1 | v1.12.1-hardened3 | v0.16.10 | Flannel v0.26.6 Calico v3.29.3 | v3.29.3 | v1.17.3 | v4.2.0 |
| v1.32.3+rke2r1 | Mar 26 2025 | v1.32.3 | v3.5.19-k3s1 | v2.0.4-k3s2 | v1.2.5 | v0.7.2 | v1.12.0 | v1.12.1-hardened1 | v0.16.6 | Flannel v0.26.5 Calico v3.29.2 | v3.29.2 | v1.17.1 | v4.1.4 |
| v1.32.2+rke2r1 | Feb 27 2025 | v1.32.2 | v3.5.18-k3s1 | v2.0.2-k3s2 | v1.2.4 | v0.7.2 | v1.12.0 | v1.12.0-hardened6 | v0.16.6 | Flannel v0.26.4 Calico v3.29.2 | v3.29.2 | v1.17.0 | v4.1.4 |
| v1.32.1+rke2r1 | Jan 27 2025 | v1.32.1 | v3.5.16-k3s1 | v1.7.23-k3s2 | v1.2.4 | v0.7.2 | v1.12.0 | v1.12.0-hardened2 | v0.16.5 | Flannel v0.26.3 Calico v3.29.1 | v3.29.1 | v1.16.5 | v4.1.4 |
| v1.32.0+rke2r1 | Jan 03 2025 | v1.32.0 | v3.5.16-k3s1 | v1.7.23-k3s2 | v1.1.14 | v0.7.1 | v1.12.0 | v1.10.5-hardened6 | v0.16.5 | Flannel v0.26.1 Calico v3.29.1 | v3.29.1 | v1.16.4 | v4.1.3 |
Release v1.32.4+rke2r1
This release updates Kubernetes to v1.32.4.
Important Note
If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.
You may retrieve the token value from any server already joined to the cluster:
cat /var/lib/rancher/rke2/server/token
Changes since v1.32.3+rke2r1:
- Bump multus version (#7989)
- Update CNI charts (#7996)
- Bump whereabouts to v0.9.0 (#8005)
- Update to coredns
1.39.201(#8010) - Bump flannel and canal versions (#8023)
- Chore: Bump nginx to v1.12.1-hardened3 (#8056)
- K3s bump and backports for 2025-04 (#8038)
- Update to flannel
v0.26.601and canalv3.29.3-build2025040801(#8061) - Update to cilium
v1.17.3(#8083) - Bump kine for nats-server/v2 CVE-2025-30215 (#8089)
- Bump K3s version (#8102)
- Bump traefik to v3.3.6 (#8108)
- Update k8s to v1.32.4 (#8116)
Charts Versions
| Component | Version |
|---|---|
| rke2-cilium | 1.17.300 |
| rke2-canal | v3.29.3-build2025040801 |
| rke2-calico | v3.29.300 |
| rke2-calico-crd | v3.29.101 |
| rke2-coredns | 1.39.201 |
| rke2-ingress-nginx | 4.12.101 |
| rke2-metrics-server | 3.12.200 |
| rancher-vsphere-csi | 3.3.1-rancher900 |
| rancher-vsphere-cpi | 1.10.000 |
| harvester-cloud-provider | 0.2.900 |
| harvester-csi-driver | 0.1.2300 |
| rke2-snapshot-controller | 4.0.002 |
| rke2-snapshot-controller-crd | 4.0.002 |
| rke2-snapshot-validation-webhook | 0.0.0 |
Release v1.32.3+rke2r1
This release updates Kubernetes to v1.32.3, and upgrades rke2-ingress-nginx to controller v1.12.1-hardened1 (chart version 4.12.1). This addresses CVE-2025-1974 as well as all other recently announced vulnerabilities in ingress-nginx.
Important Note
If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.
You may retrieve the token value from any server already joined to the cluster:
cat /var/lib/rancher/rke2/server/token
Changes since v1.32.2+rke2r1:
- Update to cilium
v1.17.1(#7849) - Bump coredns to v1.39.100 (#7858)
- Update multus with new CNI plugin image with bond included (#7864)
- Update to flannel v0.26.500 and canal v3.29.2-build2025030601 (#7874)
- Bump ingress-nginx to hardened10 (#7885)
- Backports for 2025-03 (#7890)
- Bump K3s for apiserver addresses fix (#7912)
- Update k8s (#7927)
- Bump containerd to v2.0.4 (#7948)
- Bump ingress-nginx to v1.12.1-hardened1, chart to 4.12.1 (#7961)
Charts Versions
| Component | Version |
|---|---|
| rke2-cilium | 1.17.100 |
| rke2-canal | v3.29.2-build2025030601 |
| rke2-calico | v3.29.200 |
| rke2-calico-crd | v3.29.101 |
| rke2-coredns | 1.39.100 |
| rke2-ingress-nginx | 4.12.100 |
| rke2-metrics-server | 3.12.200 |
| rancher-vsphere-csi | 3.3.1-rancher900 |
| rancher-vsphere-cpi | 1.10.000 |
| harvester-cloud-provider | 0.2.900 |
| harvester-csi-driver | 0.1.2300 |
| rke2-snapshot-controller | 4.0.002 |
| rke2-snapshot-controller-crd | 4.0.002 |
| rke2-snapshot-validation-webhook | 0.0.0 |
Release v1.32.2+rke2r1
This release updates Kubernetes to v1.32.2.
Important Note
If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.
You may retrieve the token value from any server already joined to the cluster:
cat /var/lib/rancher/rke2/server/token
Changes since v1.32.1+rke2r1:
- Update to cilium
v1.16.6(#7680) - Charts: bump Harvester CSI Driver v0.1.23 (#7667)
- Enhance the Harvester CSI controller affinity/anti-affinity
- Bump canal, flannel and multus charts (#7712)
- Update cilium to v1.17.0 (#7708)
- Update Calico and Canal to v3.29.2 (#7723)
- Bump k3s, containerd, traefik, etcd, crictl (#7738)
- Update k3s to fix registry auth in containerd config template
- Update containerd to v2.0.2
- Update traefik to v3.3.2
- Update etcd to v3.5.18
- Update crictl to v1.32.0
- Update rke2-ingress-nginx chart to fix typo in default backend image template
- Bump vsphere CSI to v3.3.1-rancher9 (#7734)
- Update to v1.32.2 and Go to 1.23.6 (#7760)
- Update version (#7769)
- Bump ingress-nginx to v1.12.0-hardened6 (#7773)
- Bump canal and flannel images to build20250218 (#7787)
- Sync images to Prime registry (#7799)
- Bump K3s version for release-1.32 (#7804)
- Bump containerd for go-cni deadlock fix (#7811)
Charts Versions
| Component | Version |
|---|---|
| rke2-cilium | 1.17.000 |
| rke2-canal | v3.29.2-build2025021800 |
| rke2-calico | v3.29.200 |
| rke2-calico-crd | v3.29.101 |
| rke2-coredns | 1.36.102 |
| rke2-ingress-nginx | 4.12.005 |
| rke2-metrics-server | 3.12.200 |
| rancher-vsphere-csi | 3.3.1-rancher900 |
| rancher-vsphere-cpi | 1.10.000 |
| harvester-cloud-provider | 0.2.900 |
| harvester-csi-driver | 0.1.2300 |
| rke2-snapshot-controller | 4.0.002 |
| rke2-snapshot-controller-crd | 4.0.002 |
| rke2-snapshot-validation-webhook | 0.0.0 |
Release v1.32.1+rke2r1
This release updates Kubernetes to v1.32.1.
Important Note
If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.
You may retrieve the token value from any server already joined to the cluster:
cat /var/lib/rancher/rke2/server/token
Changes since v1.32.0+rke2r1:
- Charts: bump Harvester CSI Driver v0.1.2 (#7470)
- Bump Harvester-csi-driver v0.1.22
- Bump flannel, canal and multus charts (#7499)
- Update to Cilium
v1.16.5(#7526) - Feat: bump harvester-cloud-provider to v0.2.9 (#7493)
- Bump Harvester-cloud-provider v0.2.9
- Updated calico chart to fix IP autodetect in case of IPv6 only (#7535)
- Update metrics-server to
3.2.12(#7550) - Update canal to
v3.29.1-build2025011000(#7566) - Add runtime classes hook and runtimes chart (#7578)
- Backports for 2025-01 (#7587)
- Bump ingress-nginx v1.12.0 (#7561)
- Add Release downstream components in release workflow (#7597)
- Bump k3s version for master and add/enhance tests (#7605)
- Update k8s (#7603)
- Bump ingress-nginx to v1.12.0-hardened2 (#7623)
- Bump K3s version for split-role fix (#7635)
Charts Versions
| Component | Version |
|---|---|
| rke2-cilium | 1.16.501 |
| rke2-canal | v3.29.1-build2025011000 |
| rke2-calico | v3.29.101 |
| rke2-calico-crd | v3.29.101 |
| rke2-coredns | 1.36.102 |
| rke2-ingress-nginx | 4.12.003 |
| rke2-metrics-server | 3.12.200 |
| rancher-vsphere-csi | 3.3.1-rancher800 |
| rancher-vsphere-cpi | 1.10.000 |
| harvester-cloud-provider | 0.2.900 |
| harvester-csi-driver | 0.1.2200 |
| rke2-snapshot-controller | 4.0.002 |
| rke2-snapshot-controller-crd | 4.0.002 |
| rke2-snapshot-validation-webhook | 0.0.0 |
Release v1.32.0+rke2r1
This release is RKE2's first in the v1.32 line. It updates Kubernetes to v1.32.0.
Important Note
If your server (control-plane) nodes were not started with the --token CLI flag or config file key, a randomized token was generated during initial cluster startup. This key is used both for joining new nodes to the cluster, and for encrypting cluster bootstrap data within the datastore. Ensure that you retain a copy of this token, as is required when restoring from backup.
You may retrieve the token value from any server already joined to the cluster:
cat /var/lib/rancher/rke2/server/token
Changes since v1.31.4+rke2r1:
- Bump K3s version for release-1.32 (#7445)
- Validate single branch for tag (#7451)
- Update rke2-cloud-controller for v1.32.0 (#7461)
Charts Versions
| Component | Version |
|---|---|
| rke2-cilium | 1.16.400 |
| rke2-canal | v3.29.1-build2024121100 |
| rke2-calico | v3.29.100 |
| rke2-calico-crd | v3.29.100 |
| rke2-coredns | 1.36.102 |
| rke2-ingress-nginx | 4.10.503 |
| rke2-metrics-server | 3.12.004 |
| rancher-vsphere-csi | 3.3.1-rancher800 |
| rancher-vsphere-cpi | 1.10.000 |
| harvester-cloud-provider | 0.2.600 |
| harvester-csi-driver | 0.1.2100 |
| rke2-snapshot-controller | 3.0.601 |
| rke2-snapshot-controller-crd | 3.0.601 |
| rke2-snapshot-validation-webhook | 1.9.001 |