Confluent for Kubernetes Release Notes

Confluent for Kubernetes is continuously updated with new features and enhancements. This topic highlights significant new and updated features, bug fixes, and known limitations in each release.

Note

For the list of security and vulnerability issues fixed in any release, see Security Advisories and Security Release Notes.

[23 June, 2026] Confluent for Kubernetes 3.3.0 Release Notes

Compatibility and container images

CFK 3.3.0 allows you to deploy and manage Confluent Platform versions from 7.5.x to 8.3.x on Kubernetes versions 1.28 - 1.36 (OpenShift 4.15 - 4.22).

The images released in CFK 3.3.0 are:

  • confluentinc/confluent-operator:0.1718.10

  • confluentinc/confluent-init-container:3.3.0

  • confluentinc/confluent-observer-container:3.3.0

Breaking changes

There are no breaking changes in this release.

New features

Enhancements

  • Masks sensitive credentials in CFK log output through a centralized redaction wrapper, so plaintext credentials are sanitized before reaching any log sink.

  • Generates the KRaft admin-client properties file for dynamic quorum deployments.

  • Revokes the corresponding Metadata Service (MDS) role binding when you remove an entry from spec.resourcePatterns on the ConfluentRolebinding CR, preventing orphaned bindings from persisting. See Update a rolebinding.

  • Supports a new useProcNetPortCheck liveness and readiness probe method that reports liveness from the /proc/net/tcp file instead of performing an actual handshake. This helps avoid TLS-related errors.

Bug fixes

  • Fixed incorrect advertised.listeners ports when multiple user-defined listeners share the same static or nodePort offset.

  • Fixed dynamic per-listener TLS certificate rotation triggering unnecessary Kafka broker rolling restarts. CFK now correctly classifies derived PKCS12 secrets as dynamic-config secrets.

  • Fixed the zk-node-removal plugin for RBAC and MRC deployments.

  • Fixed MRC KRaft migration requiring a manual zookeeper.connect override on the KRaftController. For 2.5DC topologies, the manual ZooKeeper endpoint on the 0.5DC KRaftController is still required. See Configure the IBP version.

  • Fixed an orphaned connector when a Connector CR is deleted after a failed create or update. CFK now issues the REST DELETE instead of skipping it.

  • Fixed Jolokia file-reference password resolution to trim whitespace so passwords read from mounted secret files no longer fail.

  • Fixed client-side OAUTHBEARER authentication failing through the Gateway.

Known limitations

  • Components that authenticate to Kafka using OAuth client assertions, such as Schema Registry, Connect, ksqlDB, Control Center, and REST Proxy, fail to start on Confluent Platform 8.3.x. Kafka 4.3 enforces an empty, deny-by-default allowlist for the files used in the OAuth client-assertion flow, so the configured private-key file is rejected. As a workaround, set the -Dorg.apache.kafka.sasl.oauthbearer.allowed.files JVM system property on the affected component through its *_OPTS environment variable or podTemplate. If you configure issuer or JSON Web Key Set (JWKS) endpoint URLs, also set -Dorg.apache.kafka.sasl.oauthbearer.allowed.urls.

  • In Multi-Region Cluster (MRC) deployments, the co-ownership check only considers ConfluentRolebinding resources visible to the operator managing that cluster. A co-owning ConfluentRolebinding on another region’s cluster is not visible, so removing a pattern from (or deleting) a ConfluentRolebinding might revoke a binding that a ConfluentRolebinding in another region still declares. Use caution when removing patterns or deleting ConfluentRolebinding resources in MRC if the same (principal, role, scope, resourcePattern) might be declared on another region’s cluster. For details, see Update a rolebinding.

  • A Confluent Gateway passthrough route that configures cluster.extensionHeaders fails admission validation. Injecting extension headers requires setting client.authentication.type to oauth, which triggers a CRD validation rule that mandates oauthSettings.jwksEndpointUri and oauthSettings.audience. Although Confluent Gateway ignores these fields at runtime on passthrough routes and forwards tokens unmodified, the validation rule still rejects the resource. As a workaround, you must provide placeholder values for the required OAuth fields. For details, see OAUTHBEARER passthrough limitation.

Deprecations

There are no new deprecations in this release.