Confluent for Kubernetes Release Notes

Confluent for Kubernetes is continuously updated with new features and enhancements. This topic highlights significant new and updated features, bug fixes, and known limitations in each release.

Note

For the list of security and vulnerability issues fixed in any release, see Security Advisories and Security Release Notes.

[23 June, 2026] Confluent for Kubernetes 3.3.0 Release Notes

Breaking changes

There are no breaking changes in this release.

New features

  • Adds preview support for managing Confluent Platform Flink SQL objects through CFK with six new custom resources. See Manage Flink SQL objects (preview).

  • Expands the FlinkEnvironment and FlinkApplication schemas with new configuration and status fields. See Create a Flink environment.

  • Adds support for the migration pre-check utility during KRaft migration. See Step 3.2: Enable the ZooKeeper metadata preflight check.

  • Supports ZooKeeper to KRaft migration for 2.5 datacenter (2.5DC) deployments. See Two-and-a-half datacenter (2.5DC) considerations.

  • Supports scaling up KRaftController replicas on dynamic quorum clusters without rolling existing controllers or co-located Kafka brokers.

  • Adds opt-in hot-reload for eligible Gateway configuration changes.

  • Adds mountedSecrets and mountedVolumes to the Gateway CR for mounting custom secrets and volumes.

  • Supports running the Gateway with readOnlyRootFilesystem: true by provisioning writable emptyDir volumes for the log and temporary file paths.

  • Supports OAuth-to-OAuth authentication swap through the Gateway. See Configure authentication swapping.

Enhancements

  • Masks sensitive credentials in CFK log output through a centralized redaction wrapper, so plaintext credentials are sanitized before reaching any log sink.

  • Generates the KRaft admin-client properties file for dynamic quorum deployments.

  • Revokes the corresponding Metadata Service (MDS) role binding when you remove an entry from spec.resourcePatterns on the ConfluentRolebinding CR, preventing orphaned bindings from persisting. See Update a rolebinding.

  • Supports a new useProcNetPortCheck liveness and readiness probe method that reports liveness from the /proc/net/tcp file instead of performing an actual handshake. This helps avoid TLS-related errors.

Bug fixes

  • Fixed incorrect advertised.listeners ports when multiple user-defined listeners share the same static or nodePort offset.

  • Fixed dynamic per-listener TLS certificate rotation triggering unnecessary Kafka broker rolling restarts. CFK now correctly classifies derived PKCS12 secrets as dynamic-config secrets.

  • Fixed the zk-node-removal plugin for RBAC and MRC deployments.

  • Fixed MRC KRaft migration requiring a manual zookeeper.connect override on the KRaftController.

  • Fixed an orphaned connector when a Connector CR is deleted after a failed create or update. CFK now issues the REST DELETE instead of skipping it.

  • Fixed Jolokia file-reference password resolution to trim whitespace so passwords read from mounted secret files no longer fail.

  • Fixed client-side OAUTHBEARER authentication failing through the Gateway.

Known limitations

  • Components that authenticate to Kafka using OAuth client assertions, such as Schema Registry, Connect, ksqlDB, Control Center, and REST Proxy, fail to start on Confluent Platform 8.3.x. Kafka 4.3 enforces an empty, deny-by-default allowlist for the files used in the OAuth client-assertion flow, so the configured private-key file is rejected. As a workaround, set the -Dorg.apache.kafka.sasl.oauthbearer.allowed.files JVM system property on the affected component through its *_OPTS environment variable or podTemplate. If you configure issuer or JSON Web Key Set (JWKS) endpoint URLs, also set -Dorg.apache.kafka.sasl.oauthbearer.allowed.urls.

  • In Multi-Region Cluster (MRC) deployments, the co-ownership check only considers ConfluentRolebinding resources visible to the operator managing that cluster. A co-owning ConfluentRolebinding on another region’s cluster is not visible, so removing a pattern from (or deleting) a ConfluentRolebinding might revoke a binding that a ConfluentRolebinding in another region still declares. Use caution when removing patterns or deleting ConfluentRolebinding resources in MRC if the same (principal, role, scope, resourcePattern) might be declared on another region’s cluster. For details, see Update a rolebinding.

Deprecations

There are no new deprecations in this release.