Confluent for Kubernetes Release Notes
Confluent for Kubernetes is continuously updated with new features and enhancements. This topic highlights significant new and updated features, bug fixes, and known limitations in each release.
For Confluent Platform and CFK compatibility information, see Confluent Platform.
For CFK image tags by version, see Confluent for Kubernetes image tags.
To learn how to install CFK and Confluent Platform, see Deploy Confluent for Kubernetes and Deploy Confluent Platform using Confluent for Kubernetes.
Note
For the list of security and vulnerability issues fixed in any release, see Security Advisories and Security Release Notes.
[30 April, 2026] Confluent for Kubernetes 3.2.2 Release Notes
New features
Locks Kafka, ZooKeeper, and KRaftController CRs during KRaft migration to prevent accidental modifications or deletions. See CR lock enforcement.
Supports KRaft migration rollback from the
SETUPandMIGRATEphases (previouslyDUAL-WRITEonly). See Roll Back to ZooKeeper.Adds
kubectl confluent cluster kraft-migrationplugin for managing KRaft migration lifecycle operations: status, finalize, rollback, and CR lock release. See KRaft Migration Plugin Commands.Adds mTLS authentication support between ksqlDB and MDS.
Enhancements
Validates
configOverrides.serverfor blocklisted keys (for example,zookeeper.connect) before starting KRaft migration; blocks migration with an actionable error on conflicts. See Step 3: Start migration.
Bug fixes
Fixed duplicate OpenShift Route hostname between
TOKEN_SASLandREPLICATIONlisteners when MDS mTLS is enabled.Fixed propagation of
podTemplate.affinityto Confluent Gateway deployments so CR-defined affinity rules apply correctly to pods.
Known limitations
There are no new known limitations in this release.
Deprecations
There are no new deprecations in this release.
[27 March, 2026] Confluent for Kubernetes 3.2.1 Release Notes
New features
Adds JMX authentication and access control configuration using CR specifications to secure exposed JMX ports for all Confluent Platform components. This is a breaking change for existing deployments that access the JMX port remotely for metrics queries. See JMX Metrics.
Supports dynamic quorum configuration for KRaft deployments, including multi-region cluster (MRC) deployments. MRC requires Confluent Platform 7.9.6 or later (7.9.x) and 8.1.2 or later (8.1.x). Migrating existing MRC deployments from static to dynamic quorum requires Confluent Platform 8.0 or later. See Configure Dynamic KRaft Quorum for Confluent Platform Using Confluent for Kubernetes.
Enhancements
There are no new enhancements in this release.
Bug fixes
Fixed custom OAuth listener validation failure when JAAS configurations were omitted.
Fixed metrics TLS configuration to correctly resolve keystore passwords from vault-injected files when
DirectoryPathInContaineris used.
Known limitations
There are no new known limitations in this release.
Deprecations
There are no new deprecations in this release.
[11 March, 2026] Confluent for Kubernetes 3.2.0 Release Notes
Breaking changes
There are no breaking changes in this release.
New features
Adds an Observer container for self-contained readiness monitoring of Kafka and KRaft controller pods. See Configure Observer container for Confluent Platform.
Supports dynamic quorum configuration for KRaft deployments, including MRC deployments. MRC requires Confluent Platform 7.9.6 or later (7.9.x) and 8.1.2 or later (8.1.x). See Configure Dynamic KRaft Quorum for Confluent Platform Using Confluent for Kubernetes.
Supports bidirectional cluster linking for data replication in both directions between two Kafka clusters. See Bidirectional cluster linking.
Supports deploying FIPS 140-3 compliant Confluent Platform components. See Security Compliance in Confluent for Kubernetes.
Supports increasing the partition count for existing Kafka topics by editing
spec.partitionCounton the KafkaTopic CR (decreasing is not supported). Before upgrading brownfield deployments, verifyspec.partitionCountmatches the live cluster to avoid an unintended partition increase on first reconcile. See Update Kafka topic.Supports adding or rotating external SASL/PLAIN client credentials without broker restarts. CFK hot-reloads credential changes when
jaasConfiguses the defaultFileBasedLoginModule. Enabled by default. See Update Kafka or KRaft SASL/PLAIN external client users.Adds
spec.listeners.advertisedListenersEnabledto the KRaftController CR; set totruefor MRC deployments to prevent controller endpoint registration issues. See Configure KRaft in MRC.
Enhancements
Derives the inter-broker protocol (IBP) version automatically for standard Confluent Platform images during ZooKeeper to KRaft migration. Custom images still require the
platform.confluent.io/kraft-migration-ibp-versionannotation. See Step 1: Configure IBP version.Triggers operator-controlled rolling restarts on secret updates with under-replicated partition (URP) safety checks for Kafka and KRaft components, preventing cluster instability during certificate rotation. See Secret updates and safe rolling restarts.
Validates required init-container environment variables and supports appending custom environment variables to init containers using the common
podTemplatespec.Optimizes the Unified Stream Manager Schema Registry automation workflow for improved performance.
Bug fixes
Fixed an issue where CFK ignored the
platform.confluent.io/roll-delay-interval-secondsannotation during upgrades, causing pods to roll immediately instead of waiting for the configured delay.Fixed connector reconciliation to properly handle Connect’s credential masking in the REST API, preventing unnecessary connector updates or restarts when sensitive configuration fields are masked.
Fixed an issue where CFK did not add the Unified Stream Manager (USM) extension class when RBAC authorization was enabled.
Fixed an issue where CFK issued
DELETE_TOPICSrequests for auto-mirrored topics during reconciliation. This causes brokers to repeatedly logTopicDeletionDisabledExceptionerrors and the destination cluster link to enter aClusterLinkUpdateFailedcondition. However, the data flow and mirroring were not affected. This is tracked in CFK-3888. For details on the symptoms in earlier versions, see Troubleshoot Confluent for Kubernetes.
Known limitations
There are no new known limitations in this release.
Deprecations
There are no new deprecations in this release.