
Update ghcr.io/cloudnative-pg/cloudnative-pg Docker tag to v1.29.1#3

Open
DebakelOrakel wants to merge 1 commit into master from renovate/ghcr.io-cloudnative-pg-cloudnative-pg-1.x

Conversation


@DebakelOrakel DebakelOrakel commented Apr 1, 2026

This PR contains the following updates:

Package: ghcr.io/cloudnative-pg/cloudnative-pg
Update: minor
Change: 1.28.3 -> 1.29.1

Release Notes

cloudnative-pg/cloudnative-pg (ghcr.io/cloudnative-pg/cloudnative-pg)

v1.29.1


Release date: May 8, 2026

Security and Supply Chain
  • CVE-2026-44477 / GHSA-423p-g724-fr39: metrics exporter privilege escalation: the metrics exporter no longer authenticates as the postgres superuser. It now uses a dedicated cnpg_metrics_exporter role with pg_monitor privileges only, closing a chain that let a low-privilege database user gain PostgreSQL superuser. (GHSA-423p-g724-fr39)

    Upgrade impact: custom monitoring queries that read user-owned tables, or use target_databases: '*' against databases where PUBLIC CONNECT has been revoked, need explicit GRANT statements to cnpg_metrics_exporter. See "Custom query privileges and safety" and "Manually creating the metrics exporter role" in the monitoring documentation.

    For replica clusters, upgrade the source primary cluster before any replica clusters that consume from it. The cnpg_metrics_exporter role is created on the source primary and replicates downstream; a replica cluster upgraded first will scrape against a missing role until the source primary upgrades. The manual-recovery section linked above also covers replica clusters.

  • Schema-qualified catalog references in default monitoring queries: hardened the shipped monitoring configuration and documentation samples by qualifying every pg_catalog object explicitly. Unqualified references resolve through search_path, which a database user can manipulate to shadow built-in objects. (#10576)

  • Discoverable SBOM and provenance attestations: SBOM and SLSA provenance attached to operator container images now follow the OCI 1.1 Referrers spec, so standard registry tooling and supply-chain scanners can discover them automatically. (#10601)

  • CVE remediation in github.com/jackc/pgx/v5: bumped to v5.9.2 to pick up upstream fixes for CVE-2026-33816 (memory-safety in pgproto3) and GHSA-j88v-2chj-qfwx (SQL injection via simple-protocol dollar-quoted string handling). (#10437, #10499)

  • CVE remediation in the Go runtime: built with Go 1.26.3 to pick up upstream fixes in crypto/x509, crypto/tls, net/http, and net (CVE-2026-32280, CVE-2026-32281, CVE-2026-33810, CVE-2026-33814, CVE-2026-33811, CVE-2026-39825). (#10463, #10647)

  • Build pipeline hardening: the Go 1.26.3 bump also addresses CVE-2026-42501 (cmd/go module-checksum validation), reducing supply-chain exposure during release builds. The affected code paths are not reachable from the running operator. (#10647)

Changes
  • Switched TLS peer verification from VerifyPeerCertificate to VerifyConnection, which runs on every completed handshake (the former is skipped on resumed TLS 1.3 sessions). Session resumption is not enabled in CloudNativePG today, so this has no observable effect, but it future-proofs verification if session caching is introduced later. (#10478)
Fixes
  • Fixed a failover window where the former primary kept its primary label. If it returned during failover (for example, after a transient network partition), the -rw service kept routing to it, replicas could reconnect, and committed writes were lost to pg_rewind. The old primary is now labeled unhealthy to isolate it from service traffic during failover. (#10409)

  • Fixed failover not being triggered when the node hosting the primary becomes unreachable. The operator now reads the pod's Ready condition (flipped to False by the node controller when the kubelet stops reporting) instead of ContainersReady, which stays stale as True in that scenario. Combined with the spurious-failover guard (#10445), failover triggers only when Kubernetes itself marks the pod not Ready. (#10448)

  • Fixed spurious failovers caused by transient failures on the primary's HTTP status endpoint. (#10445)

  • Fixed escaping of backslashes and control characters in PostgreSQL configuration values. Previously, such characters in parameters like log_line_prefix could corrupt the configuration file or be silently stripped at runtime. (#10515)

  • Fixed restore_command construction to shell-quote each argument. Values such as a destinationPath containing whitespace (for example, s3://my bucket/wal) were word-split by the POSIX shell and passed to the WAL restore tool as separate arguments. (#10518)

  • Tightened recoveryTarget validation in the admission webhook: targetXID must now be a non-negative 32-bit integer, and targetName must be shorter than 64 bytes and free of ASCII control characters. Malformed values are rejected at admission instead of failing later during PostgreSQL recovery. (#10565)

  • Fixed snapshot restores failing when leftover pgsql_tmp* directories were present in the data directory. (#10447)

  • Fixed a deadlock occurring when PVC storage size and resource requests are changed simultaneously. (#10427)

v1.29.0


Release date: Mar 31, 2026

Important changes
  • Updated the deprecation notice for native (in-tree) Barman Cloud support to reflect that it will now be removed in CloudNativePG 1.30.0, rather than 1.29.0. Users are still encouraged to migrate to the Barman Cloud Plugin. (#10167)
Features
  • PostgreSQL extensions in image catalogs: extended the ImageCatalog functionality to support PostgreSQL extensions. This allows users to define and manage extension-specific images within a catalog, simplifying the deployment of customized PostgreSQL builds. (#9781)

  • Dynamic network access control via pod selectors: introduced the declarative definition of podSelectorRefs to manage pg_hba.conf rules dynamically. By using label selectors to identify client pods, the operator automatically resolves their ephemeral IP addresses and updates the PostgreSQL host-based authentication rules accordingly. This ensures that only authorized workloads in the same namespace can connect to the database, eliminating the need for manual IP management or static CIDR ranges. (#10148)

  • Shared ServiceAccount support: added an optional serviceAccountName field to both Cluster and Pooler specifications. This allows multiple resources to share a pre-existing ServiceAccount, facilitating one-time IAM configurations (such as AWS IRSA, GCP Workload Identity, or Azure Workload Identity) across all clusters and poolers. Contributed by @bozkayasalihx. (#9287)

Enhancements
  • Improved the Pooler CRD with support for granular configuration of TLS cipher suites and minimum/maximum TLS versions. This enables administrators to meet strict security compliance requirements for pooler-to-client and pooler-to-server connections. Contributed by @alex1989hu. (#9571)

  • Improved the reliability of major upgrades by setting BackoffLimit=0 on the upgrade job, preventing unnecessary retries of a failed pg_upgrade. The operator now automatically deletes the failed job when a user reverts the container image, allowing the cluster to restart gracefully on the original version. (#10104, #10298)

  • Improved the operator's observability by emitting native Kubernetes events during key phases of the reconciliation loop, providing visibility into the operator's decision-making process and the lifecycle of managed resources directly through kubectl get events. (#10040)

  • Extended support for the cnpg.io/reconciliationDisabled annotation on Backup resources. This allows administrators to temporarily freeze the operator's reconciliation logic for specific backup objects. Contributed by @GabriFedi97. (#10020)

  • Added a bin_path field to the postgresql.extensions stanza, as well as in ImageCatalog and ClusterImageCatalog resources. This allows extensions to specify directory paths for external binaries, which are automatically appended to the PATH environment variable of the Postgres process. (#10250)

  • Added an env field to the postgresql.extensions stanza, as well as in ImageCatalog and ClusterImageCatalog resources. This allows cluster administrators to define custom environment variables for the Postgres process. This field supports the ${image_root} placeholder to dynamically resolve to the extension's absolute mount path. (#10375)

  • Implemented a finalizer for plugins to ensure that resources managed by a plugin are gracefully cleaned up when the corresponding service is deleted. (#9560)

  • Improved role management by verifying the instance is the primary before each reconciliation cycle, avoiding unnecessary reconciliation attempts and spurious error messages on read-only replicas. (#9971)

  • The operator now honors the primaryUpdateMethod when adding new PVCs to a cluster, ensuring that the rollout strategy (e.g., switchover vs. restart) is respected during storage expansion or additions. (#9720)

  • Refined the alpha.cnpg.io/unrecoverable annotation logic to allow it to function even on pods that have not yet reached the Ready state, facilitating the recovery of stuck instances. (#9968)

  • Introduced a "Terminal Error" phase for backups that encounter unrecoverable issues (such as invalid credentials or non-existent cloud buckets). This ensures the operator stops retrying doomed operations, preventing resource exhaustion and providing immediate, clear feedback in the status. (#9353)

  • Improved monitoring of long-running backups by introducing reconciliationStartedAt and reconciliationTerminatedAt fields to the Backup status. This change separates the operator's internal lifecycle from the actual backup tool's execution timing (startedAt/stoppedAt), allowing users to track when the operator begins processing a request. (#9351)

  • Added a Pending phase to the Backup status to explicitly indicate when a backup is queued and waiting for an available worker or instance availability. (#9364)

Security and Supply Chain
  • Security best practices integration: integrated the OpenSSF baseline scanner and added a SECURITY-INSIGHTS.yaml file to the repository to align with industry-standard security reporting. (#10054, #10062)

  • SLSA provenance and SBOMs: added SLSA (Supply-chain Levels for Software Artifacts) provenance to release binaries and container images. Additionally, enabled Software Bill of Materials (SBOM) generation within the GoReleaser pipeline for improved dependency transparency. (#10048, #10074)

  • Password leak prevention: fixed a potential security risk where PostgreSQL could leak role passwords in the logs during specific reconciliation phases. (#9950)

Changes
  • Updated the default PostgreSQL version to 18.3 (image 18.3-system-trixie). (#10090)
Fixes
  • Fixed a deadlock during operator upgrades affecting clusters using synchronous replication, where pods running the old and new operator versions computed different PostgreSQL configuration hashes, causing the uniformity check to block indefinitely and preventing both rolling updates and in-place upgrades from proceeding. (#10342)

  • Fixed an issue where fencing annotations could not be processed when the WAL disk was full, because the disk space check blocked the instance manager from starting. The check is now performed later in the lifecycle loop, after fencing is evaluated. (#10302)

  • Fixed an issue where replicas would get stuck in a Pending state if the VolumeSnapshot used for the initial bootstrap had been deleted. The operator now validates snapshot existence before use; if a snapshot is missing, it attempts to use the next available candidate or falls back to pg_basebackup. (#10192)

  • Prevented the "supervised primary" rollout strategy from consuming all available rollout slots, which previously caused delays in scheduled updates. Contributed by @ermakov-oleg. (#9977)

  • Fixed an issue where certain hot-standby parameter changes were not being correctly applied to replica clusters. (#9952)

  • Fixed a bug in the CNPG-I reconciler hook that could lead to skipping subsequent plugins when a "continue" result was returned. Contributed by @sharifmshaker. (#9978)

  • Fixed a deadlock scenario that occurred when attempting to resize a filesystem on a PVC that was not currently attached to a Pod. Contributed by @jmealo. (#9981)

  • Fixed webhook validation of bootstrap recovery sources to accept external clusters configured with ConnectionParameters (for pg_basebackup-based recovery). Previously, these were incorrectly rejected unless a Barman object store or CNPG-I plugin was also configured. (#10268)

  • Volume names for extensions and tablespaces are now prefixed to avoid naming collisions with standard cluster volumes. (#9973)

  • When hibernating a non-healthy cluster, the operator now reports a WaitingForHealthy condition, making the deferred hibernation state visible through cnpg status. (#10193)

  • Fixed fencing to work correctly even when the target pod does not exist. Fencing operates on a cluster-level annotation and should not depend on pod existence; instance name validation is now performed only in the cnpg fencing on command. (#10035)

  • Fixed the cluster and pooler service reconcilers to correctly handle changes to all spec fields when using the patch update strategy. The reconciler now uses RFC 7386 JSON Merge Patching, preventing cloud-provider-set fields (such as loadBalancerClass) from being inadvertently removed. (#10190, #10311)

  • Fixed a race condition in the deprecated in-tree Barman Cloud backup implementation affecting parallel WAL restore, where prefetched files could be read while still being downloaded, causing PostgreSQL recovery to fail with "invalid checkpoint record" errors. (#10285)

  • Fixed the timeline history file validation to also apply to plugin-based WAL restore. Previously, the protection introduced in #9650 only covered in-tree restores, allowing plugins to bypass the check and download future timeline history files, causing timeline mismatch errors on replicas. (#9849)

  • cnpg plugin:

    • The cnpg plugin now correctly propagates ImagePullSecrets to the pgbench Job pod template. (#10174)

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
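The two quoting fixes in the v1.29.1 notes above (#10515 for postgresql.conf values, #10518 for restore_command) are both cases of encoding a value into a grammar that interprets it. This is an added illustration in Go, not the operator's own code: QuoteConfValue encodes a value for postgresql.conf (single-quoted strings with C-style backslash escapes), ShellQuote and RestoreCommand quote each shell argument on its own; the tool name wal-tool and its wal-restore subcommand are placeholders.

```go
package main

import (
	"fmt"
	"strings"
)

// QuoteConfValue renders a value for postgresql.conf, whose grammar wraps
// strings in single quotes and interprets C-style backslash escapes inside
// them: quotes and backslashes are doubled, control bytes become \ooo.
func QuoteConfValue(value string) string {
	var b strings.Builder
	b.WriteByte('\'')
	for i := 0; i < len(value); i++ {
		c := value[i]
		switch {
		case c == '\'':
			b.WriteString("''")
		case c == '\\':
			b.WriteString(`\\`)
		case c < 0x20 || c == 0x7f:
			fmt.Fprintf(&b, `\%03o`, c)
		default:
			b.WriteByte(c) // bytes >= 0x80 (UTF-8) pass through unchanged
		}
	}
	b.WriteByte('\'')
	return b.String()
}

// ShellQuote single-quotes one POSIX shell argument; an embedded single
// quote is emitted as '\'' (close quote, escaped quote, reopen quote).
func ShellQuote(arg string) string {
	return "'" + strings.ReplaceAll(arg, "'", `'\''`) + "'"
}

// RestoreCommand assembles a restore_command for a hypothetical WAL restore
// tool, quoting every argument on its own so that a destinationPath such as
// "s3://my bucket/wal" reaches the tool as a single argument.
func RestoreCommand(tool, destinationPath string) string {
	args := []string{tool, "wal-restore", destinationPath, "%f", "%p"}
	for i, a := range args {
		args[i] = ShellQuote(a)
	}
	return strings.Join(args, " ")
}

func main() {
	fmt.Println("restore_command = " + QuoteConfValue(RestoreCommand("wal-tool", "s3://my bucket/wal")))
}
```

The shell command line itself is then a postgresql.conf value, so the two encoders nest: the single quotes ShellQuote emits are doubled by QuoteConfValue.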

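The stricter recoveryTarget validation described in the v1.29.1 fixes (#10565), written out as an added Go illustration rather than the webhook's own code. The rules are the ones the release note states: targetXID must be a non-negative integer that fits in 32 bits, targetName must be shorter than 64 bytes and contain no ASCII control character; the function names are my own.

```go
package main

import (
	"fmt"
	"strconv"
)

// ValidateTargetXID accepts a recoveryTarget.targetXID only if it is a
// non-negative integer that fits in 32 bits, the width of a PostgreSQL
// transaction ID. An empty string means the field is unset and is allowed.
func ValidateTargetXID(xid string) error {
	if xid == "" {
		return nil
	}
	// ParseUint with base 10 and bitSize 32 rejects signs, whitespace,
	// digit separators, hex prefixes and any value above 2^32-1.
	if _, err := strconv.ParseUint(xid, 10, 32); err != nil {
		return fmt.Errorf("targetXID %q: must be a non-negative 32-bit integer", xid)
	}
	return nil
}

// ValidateTargetName accepts a recoveryTarget.targetName only if it is
// shorter than 64 bytes (len counts bytes, not characters, so multi-byte
// UTF-8 names are measured the way the limit is stated) and contains no
// ASCII control character (0x00-0x1f or 0x7f).
func ValidateTargetName(name string) error {
	if len(name) >= 64 {
		return fmt.Errorf("targetName: %d bytes, must be shorter than 64", len(name))
	}
	for i := 0; i < len(name); i++ {
		if c := name[i]; c < 0x20 || c == 0x7f {
			return fmt.Errorf("targetName: ASCII control character 0x%02x at byte %d", c, i)
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs: one valid XID, then the shapes the check rejects.
	for _, xid := range []string{"12345", "-1", "4294967296", "0x10"} {
		fmt.Printf("targetXID %q -> %v\n", xid, ValidateTargetXID(xid))
	}
	fmt.Println(ValidateTargetName("before-migration"), ValidateTargetName("bad\nname"))
}
```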
@DebakelOrakel added the dependency Dependency update label Apr 1, 2026
@DebakelOrakel force-pushed the renovate/ghcr.io-cloudnative-pg-cloudnative-pg-1.x branch from bd60220 to d1062e8 on April 1, 2026 15:01
@DebakelOrakel changed the title from "Update ghcr.io/cloudnative-pg/cloudnative-pg Docker tag to v1.29.0" to "Update ghcr.io/cloudnative-pg/cloudnative-pg Docker tag to v1.29.1" on May 8, 2026
@DebakelOrakel force-pushed the renovate/ghcr.io-cloudnative-pg-cloudnative-pg-1.x branch from d1062e8 to 73b8fe5 on May 8, 2026 15:01
Signed-off-by: Tegridy Renovate Bot <bob@tegridy.io>
@DebakelOrakel force-pushed the renovate/ghcr.io-cloudnative-pg-cloudnative-pg-1.x branch from 73b8fe5 to ba26dd5 on May 8, 2026 18:00