denis256 notes and projects

Kubernetes v1.33.13 is out today, providing a critical security patch for stream multiplexing and fixing a cluster initialization bug in kubeadm. As the v1.33 series approaches end of life later this month, this update ensures stability for production clusters running on the Octarine release line.

The full release notes and downloads are on the GitHub release page.

Kubernetes v1.33.13 represents one of the final patch releases for the v1.33 branch. With the end of life date set for late June 2026, the focus of this update is strictly on stability, security hardening, and addressing regressions that impact cluster operators. This release is built using the Go 1.25.11 toolchain, ensuring that the core binaries benefit from the latest compiler optimizations and security improvements in the Go runtime.

Security Hardening: spdystream and RBAC

The most significant change in this release is the resolution of CVE-2026-35469. This vulnerability impacted the spdystream library, which Kubernetes uses for stream multiplexing in various components. The issue could potentially allow for resource exhaustion or unauthorized stream access in specific configurations. The fix has been applied across the core components and propagated to related runtimes like CRI-O to ensure comprehensive protection for the entire stack.

Beyond the specific CVE fix, the maintainers have introduced a dedicated ClusterRole named system:kubelet-api-admin. This change is part of a broader effort to harden the communication between the kube-apiserver and individual kubelet instances. By moving toward a more granular RBAC model for internal API access, the project reduces the blast radius in the event of a component compromise. Operators should review their custom RBAC policies to ensure they align with these new system defaults.

Kubeadm: Stability for External Load Balancers

A common pain point during cluster initialization with kubeadm involved timing problems when external load balancers were not yet ready. In previous versions, kubeadm init would often fail if the controlPlaneEndpoint was not reachable at the moment the tool attempted to generate kubeconfigs for the control plane.

In v1.33.13, the tool has been updated to use the localAPIEndpoint for initial in memory configuration instead of the external load balancer address. This change allows the initialization process to complete locally even if the external load balancer is still being provisioned or is temporarily unavailable. Once the control plane is healthy, the external endpoint can be used as expected. This improvement is particularly useful for automated provisioning scripts in cloud environments where load balancer availability can lag behind instance startup.

Additionally, kubeadm now uses a quorum based approach for checking etcd health. This ensures that cluster status checks do not fail if only a minority of members are unhealthy, provided the cluster as a whole remains functional and can maintain quorum.

Cloud Provider and Runtime Fixes

Azure operators will find an important fix for the backendPoolUpdater logic. In environments with multiple standard load balancers, concurrent write conflicts were causing service reconciliation failures. The maintainers have serialized this process to ensure that updates to the backend pools happen in a predictable and safe manner. Furthermore, this release adds support for IP sharing across multiple services in multi SLB setups, allowing for more efficient use of load balancer resources.

In the container runtime layer, CRI-O received fixes for a race condition that could cause panics during StopContainer calls. There was also a fix for a bug where containers exiting very quickly would incorrectly report a generic exit code instead of their actual status. For operators monitoring image persistence, a bug was fixed where the ImageRef in container status would sometimes revert to a raw image ID hash after a runtime restart instead of keeping the more useful repository digest.

Upgrade Notes and Maintenance Mode

As a reminder, the v1.33 series is now in maintenance mode. This means that after v1.33.13, there will be very few updates before the branch reaches its official end of life on June 28, 2026. Operators are strongly encouraged to begin planning their upgrades to v1.34 or v1.35 to ensure continued support and access to security patches.

When upgrading to this patch release, ensure that your container runtime and other cluster components are also updated to their corresponding latest versions to benefit from the full range of security fixes, especially those related to stream multiplexing.

Where to get it

The release is available via the usual channels, including container images and binary downloads.

• Release page: v1.33.13
• Repository: kubernetes/kubernetes
• Tag: v1.33.13