Kubernetes v1.32.6 is live!

[Marko Mudrinić]

Kubernetes Community,

Kubernetes v1.32.6 has been built and pushed using Golang version 1.23.10.

The release notes have been updated in CHANGELOG-1.32.md, with a pointer to them on GitHub:

---

v1.32.6

Downloads for v1.32.6

Source Code

filename	sha512 hash
kubernetes.tar.gz	f726a5cc54c0607157143bb79ec09e717838916963ca434b615277d0ee4f5ccdb2ec4a20a4e9bf28a8d6f66c910fc38d882e8990e0ca30aaf91f6d40f7c83b32
kubernetes-src.tar.gz	f1abf645eef28c23b57943d6c469c2f1eacd03695ce0cf21dca71278c06bdc32a38859fdae2f6437689cd508ccf2bbb7e4e646462d6ffcbdc90b413bf02172a0

Client Binaries

filename	sha512 hash
kubernetes-client-darwin-amd64.tar.gz	fd69d3615557fe806484ff1fcee1d26a94faa9109e93169ae3d77d9565cf7d3940514f9a2db78a9a374b36caa7a1f0b265f674decf0549a4729e213ed61f66d6
kubernetes-client-darwin-arm64.tar.gz	5da119d487c5915e2f0e994e8e66a21ea2f74fd20c8bb3cc5bd8c148b0f5ea58ef0a5647be9c7a7c7b7fafd7defaaaf8102059a4dd61504b0376a0fe0b392be6
kubernetes-client-linux-386.tar.gz	a834d760ad5ca7f38e536fec2b6f3a16b8694599c34c8b428bc9a9429849aac7babe7dd3c545f5f0c072eddd6ca0337ca14c6f72fb340d73d48591efef8b0c69
kubernetes-client-linux-amd64.tar.gz	03ce21ae8158e7a40a433368301d7f67e91383136d1549cd80eb0593edcbe57c10eb5639a52b301d0cd6ef0647a63fa095c8234bc1377834e3236c78c4e834c6
kubernetes-client-linux-arm.tar.gz	945307fe27da10d7e2ffce89cd09bc92e5709501997e85520820d53ca8eab2e7de1e6ba7f6084403331047fd8b9cafd1529d34eff362e48b0aff9f5b72c11c4a
kubernetes-client-linux-arm64.tar.gz	2313253d2f84415c4e7e118ef095a7bcd91e7118bc9c38e2d7d39fbfaec1bd1fe78e2c72bf27079d01d876f6e444d7f70faca26019ba2bd32ef97f5bef304646
kubernetes-client-linux-ppc64le.tar.gz	511f2f91661fecd44e64306dfd7c22ff69ed04efb6ce2d878ea9a0f9b091ccbab152347d9036bba4c2e691d45c93e6f38d15fb67255ba47504f9d2756d807c70
kubernetes-client-linux-s390x.tar.gz	514e232b6eb2e9b10455f95dd34129532152818a1c0764fa35630a65e61f8738641a640b1605767157075c62d5308e5d6b9581f9722053e80310c9818e89e41f
kubernetes-client-windows-386.tar.gz	1976a67e1502ed9b13cd79dfe7bb4b995caa4cc18dcef3929faa2cec8fcca9ea38f693342539ce1c215d9e133ddf04fa8153f6656736696c32a7580d20bb319d
kubernetes-client-windows-amd64.tar.gz	52ffaceb46fb48413293f568bdc664221c0210424036bc776f951051aef3df060079de7325775cdba5dfb289bf59b647560169b1b72cf272f4cc20e874687114
kubernetes-client-windows-arm64.tar.gz	1ad61a4d34e65193896cb37c31e2be19c7d9a56a62c1228870367a8fd02dc43265319b8fab305ce106521d02c5898b1ed4ea6647e4607ecafb67f885029fc2bd

Server Binaries

filename	sha512 hash
kubernetes-server-linux-amd64.tar.gz	1fe044e8815327422fce7dab916d25fa016ad3cd61fd0d9c2d1c874f96a4af07950a2cb6ca0bd6615fc5c2cd749b182b5f22fdd99ae57d6e59a99d9d6497668d
kubernetes-server-linux-arm64.tar.gz	3801e8f64a3a74bdbedd1dbee11cfa156c2a16f433a9c097d048a4461a879c479a8212c83420c15ef7152bee1d96ec479b5b7f1e6829851bfaafacfad5544730
kubernetes-server-linux-ppc64le.tar.gz	e2ae68b117172d52f84dcb3313d8fb2ed52bf047a1a3fb759d5df41a3103c6bf8a1213832f4e0795244ddd42c390836f59b6093ced2b8c4fe41e95759090c6de
kubernetes-server-linux-s390x.tar.gz	a193b4d506051fc07b29484bb04dac7a7ef919c661aad13cb8234b8f483503914b48e6ff0689ea8d7c0db604792763cf28446b8796703488d1c4b59af9199cbf

Node Binaries

filename	sha512 hash
kubernetes-node-linux-amd64.tar.gz	7b27f2d35372991a66ca84b62d9cd96f51bd33afe58221f8a4f6d36b87be992c541976a4b6072d5f8aa7843853fb2c706d3e155ad42c0a4841d0dacffb264f28
kubernetes-node-linux-arm64.tar.gz	3d88e4662bd10a6903221aee981f1b1813a5f5fa115beadc69b905f021e417f7b24680f66fc194cd6de915b3a3947fb59dfdd6452cbe87ae974f4cc029f82dc8
kubernetes-node-linux-ppc64le.tar.gz	ad17fabc515f96fce983ae7f2e37ad9ca6b842d3dc5d1b1369edec7deba7ce8f1e5c98f5e84bb7034d18d64aca3bee02600fedd2df628b013eca1f984b804b1d
kubernetes-node-linux-s390x.tar.gz	33b49ecb68ec57d23f0e677808490b3221f324e286e0ace3bfe4d1094e9b5c8594a69a95003178f7d886dc137bdcafea145d78e551ad95a331470d02383b33fb
kubernetes-node-windows-amd64.tar.gz	1d946086602ce4316c03e9b66f93c58069e779515c04d58dc47d15609216aca065d607896c0e79068b086e65eabfd375d0c7aa201a8e63eeca318c377f381480

Container Images

All container images are available as manifest lists and support the described architectures. It is also possible to pull a specific architecture directly by adding the "-$ARCH" suffix to the container image name.

name	architectures
registry.k8s.io/conformance:v1.32.6	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-apiserver:v1.32.6	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-controller-manager:v1.32.6	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-proxy:v1.32.6	amd64, arm64, ppc64le, s390x
registry.k8s.io/kube-scheduler:v1.32.6	amd64, arm64, ppc64le, s390x
registry.k8s.io/kubectl:v1.32.6	amd64, arm64, ppc64le, s390x

Changelog since v1.32.5

Important Security Information

This release contains changes that address the following vulnerabilities:

CVE-2025-4563: Nodes can bypass dynamic resource allocation authorization checks

A vulnerability exists in the NodeRestriction admission controller where nodes can bypass dynamic resource allocation authorization checks. When the DynamicResourceAllocation feature gate is enabled, the controller properly validates resource claim statuses during pod status updates but fails to perform equivalent validation during pod creation. This allows a compromised node to create mirror pods that access unauthorized dynamic resources, potentially leading to privilege escalation.

Affected Versions:

• kube-apiserver v1.32.0 - v1.32.5
• kube-apiserver v1.33.0 - v1.33.1

Fixed Versions:

• kube-apiserver v1.32.6
• kube-apiserver v1.33.2

This vulnerability was reported by amitschendel.

CVSS Rating: Low (2.7) CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L

Changes by Kind

Feature

• Kubernetes is now built using Go 1.23.10 (#132225, @cpanato) [SIG Release and Testing]
• Kubernetes is now built using Go 1.23.9 (#131936, @cpanato) [SIG Release and Testing]

Bug or Regression

• Do not expand volume on the node, if controller expansion is finished (#132010, @gnufied) [SIG Storage]
• Do not log error event when waiting for expansion on the kubelet (#132099, @gnufied) [SIG Storage]
• Fixes an issue where Windows kube-proxy's ModifyLoadBalancer API updates did not match HNS state in version 15.4. ModifyLoadBalancer policy is supported from Kubernetes 1.31+. (#131652, @princepereira) [SIG Windows]
• Kubelet: close a loophole where static pods could reference arbitrary ResourceClaims. The pods created by the kubelet then don't run due to a sanity check, but such references shouldn't be allowed regardless. (#131875, @pohly) [SIG Apps, Auth and Node]
• Removed a warning around Linux user namespaces and kernel version. If the feature gate UserNamespacesSupport was enabled, the kubelet previously warned when detecting a Linux kernel version earlier than 6.3.0. User namespace support on Linux typically does still need kernel 6.3 or newer, but it can work in older kernels too. (#131784, @rata) [SIG Node]

Other (Cleanup or Flake)

• Improve error message when a pod with user namespaces is created and the runtime doesn't support user namespaces. (#131782, @rata) [SIG Node]

Dependencies

Added

Nothing has changed.

Changed

• github.com/Microsoft/hnslib: v0.0.8 → v0.1.1

Removed

Nothing has changed.

---

Contributors, the CHANGELOG-1.32.md has been bootstrapped with v1.32.6 release notes and you may edit now as needed.

Published by your Kubernetes Release Managers.