chore(deps): update kubernetes components (ansible/playbooks)

[renovate]

This PR contains the following updates:

Package	Update	Change
cri-o/cri-o	minor	1.35.2 → 1.36.0
kubernetes/kubernetes	minor	1.35.4 → 1.36.1

---

Release Notes

cri-o/cri-o (cri-o/cri-o)

v1.36.0

Compare Source

CRI-O v1.36.0

The release notes have been generated for the commit range
v1.35.0...v1.36.0 on Tue, 05 May 2026 18:27:19 UTC.

Downloads

Release Bundles

Download one of our static release bundles via our Google Cloud Bucket.
Each bundle includes a SHA-256 checksum, a cosign signature (.bundle), and a SPDX bill of materials (.spdx) with its own signature:

• cri-o.amd64.v1.36.0.tar.gz
  • cri-o.amd64.v1.36.0.tar.gz.sha256sum
  • cri-o.amd64.v1.36.0.tar.gz.bundle
  • cri-o.amd64.v1.36.0.tar.gz.spdx
  • cri-o.amd64.v1.36.0.tar.gz.spdx.bundle
• cri-o.arm64.v1.36.0.tar.gz
  • cri-o.arm64.v1.36.0.tar.gz.sha256sum
  • cri-o.arm64.v1.36.0.tar.gz.bundle
  • cri-o.arm64.v1.36.0.tar.gz.spdx
  • cri-o.arm64.v1.36.0.tar.gz.spdx.bundle
• cri-o.ppc64le.v1.36.0.tar.gz
  • cri-o.ppc64le.v1.36.0.tar.gz.sha256sum
  • cri-o.ppc64le.v1.36.0.tar.gz.bundle
  • cri-o.ppc64le.v1.36.0.tar.gz.spdx
  • cri-o.ppc64le.v1.36.0.tar.gz.spdx.bundle
• cri-o.s390x.v1.36.0.tar.gz
  • cri-o.s390x.v1.36.0.tar.gz.sha256sum
  • cri-o.s390x.v1.36.0.tar.gz.bundle
  • cri-o.s390x.v1.36.0.tar.gz.spdx
  • cri-o.s390x.v1.36.0.tar.gz.spdx.bundle

Supply Chain Artifacts

The OpenVEX vulnerability report:

• cri-o.v1.36.0.openvex.json
  • cri-o.v1.36.0.openvex.json.bundle

The SLSA provenance attestation:

• cri-o.v1.36.0.provenance.json
  • cri-o.v1.36.0.provenance.json.bundle

OCI Distribution

All release artifacts are also available as signed OCI artifacts at ghcr.io/cri-o/bundle:v1.36.0.

Verification

To verify the artifact signatures via cosign, run:

> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.36.0.tar.gz \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.amd64.v1.36.0.tar.gz.bundle

To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:

> tar xfz cri-o.amd64.v1.36.0.tar.gz
> bom validate -e cri-o.amd64.v1.36.0.tar.gz.spdx -d cri-o

To verify the OpenVEX vulnerability report, run:

> cosign verify-blob cri-o.v1.36.0.openvex.json \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.v1.36.0.openvex.json.bundle

To verify the SLSA provenance attestation, run:

> cosign verify-blob cri-o.v1.36.0.provenance.json \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.v1.36.0.provenance.json.bundle

Changelog since v1.35.0

Changes by Kind

Feature

• Add OpenVEX vulnerability report generation for releases (#​9767, @​saschagrunert)
• Add container_runtime_crio_default_runtime metric to display which default runtime the node is configured to use (#​9870, @​haircommander)
• Add min_injected_gomaxprocs option, which allows a user to specify GOMAXPROCS in every container CRI-O creates. The config field itself is an integer that represents the floor of GOMAXPROCS. CRI-O will inject max(floor, cpu.request), if the pod is not a guaranteed pod or is part of a partitioned workload (#​9860, @​harche)
• Added tls_min_version and tls_cipher_suites configuration options to [crio.api] for configuring TLS settings on streaming and metrics servers. Supports TLS 1.2 (default) and TLS 1.3. (#​9723, @​asahay19)
• Added support for configuring additional read-only artifact stores via the additional_artifact_stores configuration option. (#​9702, @​pauloappbr)
• CRI-O now continuously monitors CNI plugin health using the STATUS verb. If a plugin becomes unhealthy after initial readiness, the node is reported as NetworkReady=false, preventing pod scheduling on affected nodes. The node self-heals when the plugin recovers. (#​9855, @​tsorya)
• Implement StreamContainers, StreamContainerStats, StreamPodSandboxes, StreamPodSandboxStats, StreamPodSandboxMetrics, StreamImages (#​9761, @​bitoku)

Dependency-Change

• Fix CVE-2026-35469 by updating spdystream dependency (#​9880, @​haircommander)

Bug or Regression

• Fix concurrent RemoveImage race condition by handling ErrNotAnImage as an idempotent deletion result. (#​9803, @​jnovy)
• Fixed UpdateContainerResources to apply cgroupv2 unified settings (#​9820, @​PannagaRao)
• Fixed a bug where CRI-O didn't return all metrics when "all" is set. (#​9719, @​bitoku)
• Fixed a panic when concurrent StopContainer calls race against the stop lifecycle completing. (#​9799, @​sabujmaity)
• Fixed a regression in v1.35.0 where systemd containers with hostUsers: false (user namespaces enabled) would fail with "Permission denied" errors when systemd attempted to create cgroups. (#​9712, @​saschagrunert)
• Fixed cases where regular container images could accidentally be pulled into the OCI artifact store (#​9782, @​bitoku)
• Fixed the race condition where cri-o reports exitCode 255 when the container exits fast. (#​9846, @​bitoku)
• PullImage now returns the image ID directly, ensuring compatibility with Kubernetes credential verification for image pulls. (#​9728, @​saschagrunert)
• Respect the same pinned_images configuration used by regular container images (#​9836, @​bitoku)

Other

• Nri: pass any container POSIX rlimits to NRI plugins as input. (#​9707, @​klihub)
• Nri: pass any container user ID/group ID information to NRI plugins as input (#​9708, @​klihub)
• Nri: pass more complete container status to NRI, including PID, exit code, and timestamps fro container creation, start, and exit events (#​9706, @​klihub)
• Skip the OCI artifact pull fallback when the initial image pull fails due to a retryable error (#​9778, @​bitoku)

Dependencies

Added

• cyphar.com/go-pathrs: v0.2.1
• github.com/checkpoint-restore/go-criu/v8: v8.2.0
• github.com/clipperhouse/displaywidth: v0.6.0
• github.com/clipperhouse/stringish: v0.1.1
• github.com/clipperhouse/uax29/v2: v2.3.0
• github.com/mistifyio/go-zfs/v4: v4.0.0
• github.com/olekukonko/cat: 50322a0
• k8s.io/cri-streaming: v0.36.0-rc.0
• k8s.io/streaming: v0.36.0-rc.0

Changed

• capnproto.org/go/capnp/v3: v3.1.0-alpha.1 → v3.1.0-alpha.2
• cel.dev/expr: v0.24.0 → v0.25.1
• github.com/BurntSushi/toml: v1.5.0 → v1.6.0
• github.com/avast/retry-go/v4: v4.6.1 → v4.7.0
• github.com/checkpoint-restore/checkpointctl: v1.4.0 → v1.5.0
• github.com/cncf/xds/go: 0feb691 → ee656c7
• github.com/containerd/console: v1.0.4 → v1.0.5
• github.com/containerd/containerd: v1.7.29 → v1.7.30
• github.com/containerd/stargz-snapshotter/estargz: v0.17.0 → v0.18.2
• github.com/containers/conmon-rs: 737e4d6 → v0.7.3
• github.com/coreos/go-systemd/v22: v22.6.0 → v22.7.0
• github.com/cyphar/filepath-securejoin: v0.4.1 → v0.6.1
• github.com/docker/cli: v28.5.1+incompatible → v29.1.5+incompatible
• github.com/docker/docker-credential-helpers: v0.9.4 → v0.9.5
• github.com/docker/docker: v28.5.1+incompatible → v28.5.2+incompatible
• github.com/emicklei/go-restful/v3: v3.12.2 → v3.13.0
• github.com/envoyproxy/go-control-plane/envoy: v1.35.0 → v1.36.0
• github.com/envoyproxy/go-control-plane: 75eaa19 → v0.14.0
• github.com/envoyproxy/protoc-gen-validate: v1.2.1 → v1.3.0
• github.com/go-chi/chi/v5: v5.2.3 → v5.2.5
• github.com/godbus/dbus/v5: v5.2.0 → v5.2.2
• github.com/google/go-containerregistry: v0.20.6 → v0.20.7
• github.com/google/pprof: f64d9cf → 294ebfa
• github.com/grpc-ecosystem/grpc-gateway/v2: v2.27.3 → v2.28.0
• github.com/klauspost/compress: v1.18.0 → v1.18.3
• github.com/mattn/go-runewidth: v0.0.16 → v0.0.19
• github.com/mattn/go-sqlite3: v1.14.32 → v1.14.33
• github.com/maxbrunsfeld/counterfeiter/v6: v6.12.0 → v6.12.1
• github.com/moby/spdystream: v0.5.0 → v0.5.1
• github.com/olekukonko/ll: v0.0.9 → v0.1.3
• github.com/olekukonko/tablewriter: v1.1.0 → v1.1.2
• github.com/onsi/ginkgo/v2: v2.27.3 → v2.28.1
• github.com/onsi/gomega: v1.38.3 → v1.39.1
• github.com/opencontainers/runc: v1.3.2 → v1.4.0
• github.com/opencontainers/runtime-tools: edf4cb3 → 5e63903
• github.com/opencontainers/selinux: v1.12.0 → v1.13.1
• github.com/pkg/sftp: v1.13.9 → v1.13.10
• github.com/proglottis/gpgme: v0.1.5 → v0.1.6
• github.com/prometheus/common: v0.67.4 → v0.67.5
• github.com/prometheus/procfs: v0.17.0 → v0.19.2
• github.com/secure-systems-lab/go-securesystemslib: v0.9.1 → v0.10.0
• github.com/sergi/go-diff: 5b0b94c → v1.4.0
• github.com/sigstore/sigstore: v1.10.0 → v1.10.3
• github.com/sirupsen/logrus: v1.9.3 → v1.9.4
• github.com/urfave/cli: v1.22.16 → v1.22.17
• github.com/vbauerster/mpb/v8: v8.10.2 → v8.11.3
• go.opentelemetry.io/contrib/detectors/gcp: v1.38.0 → v1.39.0
• go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc: v0.64.0 → v0.66.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.63.0 → v0.65.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc: v1.39.0 → v1.41.0
• go.opentelemetry.io/otel/exporters/otlp/otlptrace: v1.39.0 → v1.41.0
• go.opentelemetry.io/otel/metric: v1.39.0 → v1.41.0
• go.opentelemetry.io/otel/sdk/metric: v1.39.0 → v1.41.0
• go.opentelemetry.io/otel/sdk: v1.39.0 → v1.41.0
• go.opentelemetry.io/otel/trace: v1.39.0 → v1.41.0
• go.opentelemetry.io/otel: v1.39.0 → v1.41.0
• go.podman.io/common: v0.66.1 → 1e46b07
• go.podman.io/storage: v1.61.0 → b0f86df
• golang.org/x/crypto: v0.46.0 → v0.48.0
• golang.org/x/mod: v0.30.0 → v0.32.0
• golang.org/x/net: v0.48.0 → v0.51.0
• golang.org/x/oauth2: v0.33.0 → v0.35.0
• golang.org/x/sys: v0.39.0 → v0.41.0
• golang.org/x/telemetry: bc8e575 → bd525da
• golang.org/x/term: v0.38.0 → v0.40.0
• golang.org/x/text: v0.32.0 → v0.34.0
• golang.org/x/tools: v0.39.0 → v0.41.0
• google.golang.org/genproto/googleapis/api: ff82c1b → 4cfbd41
• google.golang.org/genproto/googleapis/rpc: ff82c1b → 4cfbd41
• google.golang.org/grpc: v1.77.0 → v1.79.3
• google.golang.org/protobuf: v1.36.10 → f2248ac
• k8s.io/api: v0.35.0-rc.0 → v0.36.0-rc.0
• k8s.io/apimachinery: v0.35.0-rc.0 → v0.36.0-rc.0
• k8s.io/apiserver: v0.35.0-rc.0 → v0.26.2
• k8s.io/client-go: v0.35.0-rc.0 → v0.36.0-rc.0
• k8s.io/component-base: v0.35.0-rc.0 → v0.36.0-rc.0
• k8s.io/cri-api: v0.35.0-rc.0 → v0.36.0-rc.0
• k8s.io/cri-client: v0.35.0-rc.0 → v0.36.0-rc.0
• k8s.io/klog/v2: v2.130.1 → v2.140.0
• k8s.io/kube-openapi: 589584f → 43fb72c
• k8s.io/kubelet: v0.35.0-rc.0 → v0.36.0-rc.0
• k8s.io/utils: bc988d5 → b8788ab
• sigs.k8s.io/knftables: v0.0.19 → v0.0.20
• sigs.k8s.io/release-utils: v0.12.2 → v0.12.3
• sigs.k8s.io/structured-merge-diff/v6: v6.3.0 → v6.3.2

Removed

• github.com/antlr4-go/antlr/v4: v4.13.0
• github.com/checkpoint-restore/go-criu/v6: v6.3.0
• github.com/coreos/go-oidc: v2.3.0+incompatible
• github.com/coreos/go-semver: v0.3.1
• github.com/google/cel-go: v0.26.0
• github.com/gregjones/httpcache: 901d907
• github.com/jonboulle/clockwork: v0.5.0
• github.com/klauspost/cpuid/v2: v2.0.4
• github.com/minio/sha256-simd: v1.0.0
• github.com/pquerna/cachecontrol: v0.1.0
• github.com/stoewer/go-strcase: v1.3.0
• github.com/tmc/grpc-websocket-proxy: 673ab2c
• github.com/xiang90/probing: a49e3df
• go.etcd.io/etcd/api/v3: v3.6.5
• go.etcd.io/etcd/client/pkg/v3: v3.6.5
• go.etcd.io/etcd/client/v3: v3.6.5
• go.etcd.io/etcd/pkg/v3: v3.6.5
• go.etcd.io/etcd/server/v3: v3.6.5
• go.etcd.io/raft/v3: v3.6.0
• gopkg.in/go-jose/go-jose.v2: v2.6.3
• gopkg.in/natefinch/lumberjack.v2: v2.2.1
• k8s.io/kms: v0.35.0-rc.0
• sigs.k8s.io/apiserver-network-proxy/konnectivity-client: v0.31.2

v1.35.3

Compare Source

• CRI-O v1.35.3
  • Downloads
  • Changelog since v1.35.2
    • Changes by Kind
      • Feature
      • Uncategorized
  • Dependencies
    • Added
    • Changed
    • Removed

CRI-O v1.35.3

The release notes have been generated for the commit range
v1.35.2...v1.35.3 on Tue, 05 May 2026 00:45:32 UTC.

Downloads

Download one of our static release bundles via our Google Cloud Bucket:

• cri-o.amd64.v1.35.3.tar.gz
  • cri-o.amd64.v1.35.3.tar.gz.sha256sum
  • cri-o.amd64.v1.35.3.tar.gz.bundle
  • cri-o.amd64.v1.35.3.tar.gz.spdx
  • cri-o.amd64.v1.35.3.tar.gz.spdx.bundle
• cri-o.arm64.v1.35.3.tar.gz
  • cri-o.arm64.v1.35.3.tar.gz.sha256sum
  • cri-o.arm64.v1.35.3.tar.gz.bundle
  • cri-o.arm64.v1.35.3.tar.gz.spdx
  • cri-o.arm64.v1.35.3.tar.gz.spdx.bundle
• cri-o.ppc64le.v1.35.3.tar.gz
  • cri-o.ppc64le.v1.35.3.tar.gz.sha256sum
  • cri-o.ppc64le.v1.35.3.tar.gz.bundle
  • cri-o.ppc64le.v1.35.3.tar.gz.spdx
  • cri-o.ppc64le.v1.35.3.tar.gz.spdx.bundle
• cri-o.s390x.v1.35.3.tar.gz
  • cri-o.s390x.v1.35.3.tar.gz.sha256sum
  • cri-o.s390x.v1.35.3.tar.gz.bundle
  • cri-o.s390x.v1.35.3.tar.gz.spdx
  • cri-o.s390x.v1.35.3.tar.gz.spdx.bundle

To verify the artifact signatures via cosign, run:

> export COSIGN_EXPERIMENTAL=1
> cosign verify-blob cri-o.amd64.v1.35.3.tar.gz \
    --certificate-identity https://github.com/cri-o/packaging/.github/workflows/obs.yml@refs/heads/main \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-github-workflow-repository cri-o/packaging \
    --certificate-github-workflow-ref refs/heads/main \
    --bundle cri-o.amd64.v1.35.3.tar.gz.bundle

To verify the bill of materials (SBOM) in SPDX format using the bom tool, run:

> tar xfz cri-o.amd64.v1.35.3.tar.gz
> bom validate -e cri-o.amd64.v1.35.3.tar.gz.spdx -d cri-o

Changelog since v1.35.2

Changes by Kind

Feature

• CRI-O now continuously monitors CNI plugin health using the STATUS
  verb. If a plugin becomes unhealthy after initial readiness, the node
  is reported as NetworkReady=false, preventing pod scheduling on
  affected nodes. The node self-heals when the plugin recovers. (#​9903, @​haircommander)

Uncategorized

• Add container_runtime_crio_default_runtime metric to display which default runtime the node is configured to use (#​9897, @​openshift-cherrypick-robot)
• Add min_injected_gomaxprocs option, which allows a user to specify GOMAXPROCS in every container CRI-O creates. The config field itself is an integer that represents the floor of GOMAXPROCS. CRI-O will inject max(floor, cpu.request), if the pod is not a guaranteed pod or is part of a partitioned workload (#​9876, @​openshift-cherrypick-robot)
• Fix CVE-2026-35469 by updating spdystream dependency (#​9883, @​openshift-cherrypick-robot)
• Fixed a panic when concurrent StopContainer calls race against the stop lifecycle completing. (#​9814, @​openshift-cherrypick-robot)
• Fixed the race condition where cri-o reports exitCode 255 when the container exits fast. (#​9871, @​openshift-cherrypick-robot)
• Revert CRI-O CNI monitoring, as it has caused node bootstrapping regressions (#​9908, @​haircommander)

Dependencies

Added

Nothing has changed.

Changed

• github.com/moby/spdystream: v0.5.0 → v0.5.1

Removed

Nothing has changed.

kubernetes/kubernetes (kubernetes/kubernetes)

v1.36.1

Compare Source

See kubernetes-announce@. Additional binary downloads are linked in the CHANGELOG.

See the CHANGELOG for more details.

v1.36.0

Compare Source

See kubernetes-announce@. Additional binary downloads are linked in the CHANGELOG.

See the CHANGELOG for more details.

v1.35.5

Compare Source

See kubernetes-announce@. Additional binary downloads are linked in the CHANGELOG.

See the CHANGELOG for more details.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.