Confluent for Kubernetes Release Notes
Confluent for Kubernetes is continuously updated with new features and enhancements. This topic highlights significant new and updated features, bug fixes, and known limitations in each release.
For Confluent Platform and CFK compatibility information, see Confluent Platform.
For CFK image tags by version, see Confluent for Kubernetes image tags.
To learn how to install CFK and Confluent Platform, see Deploy Confluent for Kubernetes and Deploy Confluent Platform using Confluent for Kubernetes.
Note
For the list of security and vulnerability issues fixed in any release, see Security Advisories and Security Release Notes.
[23 June, 2026] Confluent for Kubernetes 3.3.0 Release Notes
Compatibility and container images
CFK 3.3.0 allows you to deploy and manage Confluent Platform versions from 7.5.x to 8.3.x on Kubernetes versions 1.28 - 1.36 (OpenShift 4.15 - 4.22).
The images released in CFK 3.3.0 are:
confluentinc/confluent-operator:0.1718.10confluentinc/confluent-init-container:3.3.0confluentinc/confluent-observer-container:3.3.0
Breaking changes
There are no breaking changes in this release.
New features
Adds preview support for managing Confluent Platform Flink SQL objects through CFK with six new custom resources. See Manage Flink SQL Statements Using Confluent for Kubernetes.
Expands the FlinkEnvironment and FlinkApplication schemas with new configuration and status fields. See Create a Flink environment.
Adds support for the migration pre-check utility for single-cluster KRaft migrations. See Step 3.2: Enable the ZooKeeper metadata preflight check.
Supports ZooKeeper to KRaft migration for 2.5 datacenter (2.5DC) deployments. See Two-and-a-half datacenter (2.5DC) considerations.
Supports scaling up KRaftController replicas on dynamic quorum clusters without rolling existing controllers or co-located Kafka brokers. See Scale up the controller quorum.
Adds opt-in hot-reload for eligible Gateway configuration changes.
Adds
mountedSecretsandmountedVolumesto the Gateway CR for mounting custom secrets and volumes.Supports running the Gateway with
readOnlyRootFilesystem: trueby provisioning writableemptyDirvolumes for the log and temporary file paths.Supports OAuth-to-OAuth authentication swap through the Gateway. See Configure authentication swapping.
Runs the liveness probe as an
execprobe backed by thecfkproberbinary. See Liveness probe change to exec in CFK 3.3.0.Pauses a maintenance-mode pod inside its main container instead of the init container, giving direct access to the component’s command-line tools. See Configure maintenance mode.
Enhancements
Masks sensitive credentials in CFK log output through a centralized redaction wrapper, so plaintext credentials are sanitized before reaching any log sink.
Generates the KRaft admin-client properties file for dynamic quorum deployments.
Revokes the corresponding Metadata Service (MDS) role binding when you remove an entry from
spec.resourcePatternson the ConfluentRolebinding CR, preventing orphaned bindings from persisting. See Update a rolebinding.Supports a new
useProcNetPortCheckliveness and readiness probe method that reports liveness from the/proc/net/tcpfile instead of performing an actual handshake. This helps avoid TLS-related errors.
Bug fixes
Fixed incorrect
advertised.listenersports when multiple user-defined listeners share the same static or nodePort offset.Fixed dynamic per-listener TLS certificate rotation triggering unnecessary Kafka broker rolling restarts. CFK now correctly classifies derived
PKCS12secrets as dynamic-config secrets.Fixed the
zk-node-removalplugin for RBAC and MRC deployments.Fixed MRC KRaft migration requiring a manual
zookeeper.connectoverride on the KRaftController. For 2.5DC topologies, the manual ZooKeeper endpoint on the 0.5DCKRaftControlleris still required. See Configure the IBP version.Fixed an orphaned connector when a Connector CR is deleted after a failed create or update. CFK now issues the
REST DELETEinstead of skipping it.Fixed Jolokia file-reference password resolution to trim whitespace so passwords read from mounted secret files no longer fail.
Fixed client-side
OAUTHBEARERauthentication failing through the Gateway.
Known limitations
Components that authenticate to Kafka using OAuth client assertions, such as Schema Registry, Connect, ksqlDB, Control Center, and REST Proxy, fail to start on Confluent Platform 8.3.x. Kafka 4.3 enforces an empty, deny-by-default allowlist for the files used in the OAuth client-assertion flow, so the configured private-key file is rejected. As a workaround, set the
-Dorg.apache.kafka.sasl.oauthbearer.allowed.filesJVM system property on the affected component through its*_OPTSenvironment variable orpodTemplate. If you configure issuer or JSON Web Key Set (JWKS) endpoint URLs, also set-Dorg.apache.kafka.sasl.oauthbearer.allowed.urls.
In Multi-Region Cluster (MRC) deployments, the co-ownership check only considers
ConfluentRolebindingresources visible to the operator managing that cluster. A co-owningConfluentRolebindingon another region’s cluster is not visible, so removing a pattern from (or deleting) aConfluentRolebindingmight revoke a binding that aConfluentRolebindingin another region still declares. Use caution when removing patterns or deletingConfluentRolebindingresources in MRC if the same(principal, role, scope, resourcePattern)might be declared on another region’s cluster. For details, see Update a rolebinding.A Confluent Gateway passthrough route that configures
cluster.extensionHeadersfails admission validation. Injecting extension headers requires settingclient.authentication.typetooauth, which triggers a CRD validation rule that mandatesoauthSettings.jwksEndpointUriandoauthSettings.audience. Although Confluent Gateway ignores these fields at runtime on passthrough routes and forwards tokens unmodified, the validation rule still rejects the resource. As a workaround, you must provide placeholder values for the required OAuth fields. For details, see OAUTHBEARER passthrough limitation.
Deprecations
There are no new deprecations in this release.
