Confluent for Kubernetes Release Notes

Confluent for Kubernetes (CFK) provides a declarative API-driven control plane for deploying and managing Confluent Platform on Kubernetes.

The following sections summarize the technical details of the CFK 3.2 releases.

Confluent for Kubernetes 3.2.2 Release Notes

CFK 3.2.2 allows you to deploy and manage Confluent Platform versions from 7.4.x to 8.2.x on Kubernetes versions 1.27 - 1.35 (OpenShift 4.14 - 4.21).

The images released in CFK 3.2.2 are:

  • confluentinc/confluent-operator:0.1514.40

  • confluentinc/confluent-init-container:3.2.2

  • confluentinc/confluent-observer-container:3.2.2

  • confluentinc/<CP component images>:8.2.0

For details on installing CFK and Confluent Platform using the above images, see Deploy Confluent for Kubernetes and Deploy Confluent Platform using Confluent for Kubernetes.

Notable fixes

  • During KRaft migration, CFK now locks the Kafka, ZooKeeper, and KRaftController CRs to prevent accidental modifications or deletions. Locking is enforced using ValidatingAdmissionPolicy (VAP) on Kubernetes 1.30 and later, or using a webhook on earlier versions.

    See Enforce CR locks during KRaft migration.

  • Starting with CFK 3.2.1, CFK validates configOverrides.server for blocklisted keys (for example, zookeeper.connect) before starting KRaft migration and blocks migration with an actionable error if conflicts are found.

    See Step 3: Start migration.

  • CFK now supports triggering KRaft migration rollback from the SETUP and MIGRATE phases as well. Previously, rollback was supported only from the DUAL-WRITE phase.

    See Rollback to ZooKeeper.

  • A new kubectl confluent cluster kraft-migration plugin is available for managing KRaft migration lifecycle operations, including status monitoring, finalization, rollback, and CR lock release.

    See KRaft Migration Plugin Commands.

  • Fixed duplicate OpenShift Route hostname between TOKEN_SASL and REPLICATION listeners when MDS mTLS is enabled.

  • Fixed propagation of podTemplate.affinity to Confluent Gateway deployments, ensuring affinity rules defined in the CR are correctly applied to pods.

  • Added support for mTLS authentication between ksqlDB and MDS.

  • For the list of security and vulnerability issues fixed in this release, see Security Advisories and Security Release Notes.

Confluent for Kubernetes 3.2.1 Release Notes

CFK 3.2.1 allows you to deploy and manage Confluent Platform versions from 7.4.x to 8.2.x on Kubernetes versions 1.27 - 1.35 (OpenShift 4.14 - 4.21).

The images released in CFK 3.2.1 are:

  • confluentinc/confluent-operator:0.1514.19

  • confluentinc/confluent-init-container:3.2.1

  • confluentinc/confluent-observer-container:3.2.1

  • confluentinc/<CP component images>:8.2.0

For details on installing CFK and Confluent Platform using the above images, see Deploy Confluent for Kubernetes and Deploy Confluent Platform using Confluent for Kubernetes.

Notable updates

  • Multi-region cluster (MRC) support with dynamic quorum

    CFK 3.2.0 or later supports dynamic quorum configuration for multi-region KRaft deployments when paired with Confluent Platform versions that include the fix for KMETA-2870, which addresses controller registration failure when advertised listeners are present from initial startup. Supported Confluent Platform versions are 7.9.6 or later (in 7.9 minor versions), and 8.1.2 or later (in 8.1 minor versions).

    To migrate from static to dynamic quorum in existing MRC deployments, use Confluent Platform 8.0 or later with CFK 3.2.0 or later.

    See Configure Dynamic KRaft Quorum for Confluent Platform Using Confluent for Kubernetes.

Notable fixes

  • Fixed an issue where the custom OAuth listeners failed to validate without JAAS configurations.

  • Fixed connector reconciliation for masked sensitive fields in Connect. Updated CFK’s connector reconciliation logic to properly handle Connect’s credential masking in the REST API, preventing unnecessary connector updates or restarts when sensitive configuration fields are masked.

  • Fixed metrics TLS configuration to correctly resolve keystore passwords from Vault-injected files when using DirectoryPathInContainer.

  • Added support for configuring JMX authentication and access control using CR specifications to secure exposed JMX ports for all Confluent Platform components.

    Important

    This is a breaking change made to secure exposed JMX ports. It affects existing deployments that access the JMX port remotely for metrics queries.

    For more information, see JMX Metrics.

  • For the list of security and vulnerability issues fixed in this release, see Security Advisories and Security Release Notes.

Confluent for Kubernetes 3.2.0 Release Notes

CFK 3.2.0 allows you to deploy and manage Confluent Platform versions from 7.4.x to 8.2.x on Kubernetes versions 1.27 - 1.35 (OpenShift 4.14 - 4.21).

The images released in CFK 3.2.0 are:

  • confluentinc/confluent-operator:0.1514.1

  • confluentinc/confluent-init-container:3.2.0

  • confluentinc/<CP component images>:8.2.0

For details on installing CFK and Confluent Platform using the above images, see Deploy Confluent for Kubernetes and Deploy Confluent Platform using Confluent for Kubernetes.

New features and enhancements

CFK 3.2.0 is a minor release with the following noteworthy new features and updates.

Observer container support

Observer container provides self-contained readiness monitoring for Kafka and KRaft controller pods.

See Configure Observer container for Confluent Platform.

Dynamic quorum support

CFK supports dynamic quorum configuration for KRaft deployments, including multi-region cluster (MRC) deployments when paired with Confluent Platform versions that include the fix for KMETA-2870, which addresses controller registration failure when advertised listeners are present from initial startup. Supported Confluent Platform versions are 7.9.6 or later (in 7.9 minor versions), and 8.1.2 or later (in 8.1 minor versions).

See Configure Dynamic KRaft Quorum for Confluent Platform Using Confluent for Kubernetes.

Bidirectional cluster linking support

CFK supports bidirectional cluster linking, allowing data replication in both directions between two Kafka clusters.

See Bidirectional cluster linking.

FIPS 140-3 compliance support

CFK supports deploying FIPS 140-3 compliant Confluent Platform components.

See Security Compliance in Confluent for Kubernetes.

Notable updates

  • Automatic inter-broker protocol (IBP) version derivation

    Enhanced IBP version handling during ZooKeeper to KRaft migration:

    • Improved validation of the IBP version and added automatic IBP derivation for standard Confluent Platform images.

    • Added a new subphase, SubPhaseSetupDeriveIBPVersion, in the SETUP phase of the KRaft migration job to automatically derive the IBP value for standard Confluent Platform images and to enforce the annotation requirement for custom Confluent Platform images.

    See Step 1: Derive Kafka IBP version.

  • Kafka topic partition count updates

    You can increase the partition count for existing Kafka topics through the KafkaTopic custom resource.

    Important

    For brownfield deployments, verify partition counts across all topics before upgrading to CFK 3.2.0. If a drift exists between the partition count specified in the KafkaTopic custom resource and the actual partition count in the cluster, CFK will automatically reconcile the partition count on the first operator run after the upgrade, which may result in an unintended partition increase.

    See Update Kafka topic.
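    The pre-upgrade drift check described in the note above, as an added example that is not part of the CFK release notes or CFK's own tooling. It assumes the KafkaTopic CR carries the declared count in spec.partitionCount and an optional spec.name that overrides the CR name as the Kafka topic name (both assumptions about the CR schema), and it parses the topic-summary lines of kafka-topics --describe output. Both inputs below are constructed samples standing in for the output of kubectl get kafkatopics -A -o json and of kafka-topics --describe; a practitioner would feed in the real output instead.

```python
"""Partition-drift check between KafkaTopic CRs and the live Kafka cluster.

Added example, not CFK's own code. Flags every topic where the count declared
in the CR differs from what the cluster reports, so the CR can be corrected
before the first CFK 3.2.0 operator run reconciles it.
"""
import json
import re

# Constructed sample standing in for `kubectl get kafkatopics -A -o json`.
# Field names spec.partitionCount and spec.name are assumptions about the CR schema.
SAMPLE_CR_JSON = json.dumps({
    "items": [
        {"metadata": {"name": "orders"}, "spec": {"partitionCount": 12}},
        {"metadata": {"name": "payments"}, "spec": {"partitionCount": 3}},
        # spec.name overrides the CR name as the Kafka topic name (assumed).
        {"metadata": {"name": "audit-log-topic"},
         "spec": {"name": "audit-log", "partitionCount": 2}},
        {"metadata": {"name": "events"}, "spec": {"partitionCount": 8}},
    ]
})

# Constructed sample standing in for `kafka-topics --describe` output.
# Per-partition detail lines are tab-indented and are deliberately ignored.
SAMPLE_DESCRIBE = (
    "Topic: orders\tTopicId: 8x1Qb2\tPartitionCount: 6\tReplicationFactor: 3\tConfigs: \n"
    "\tTopic: orders\tPartition: 0\tLeader: 0\tReplicas: 0,1,2\tIsr: 0,1,2\n"
    "Topic: payments\tTopicId: c7Lm0z\tPartitionCount: 3\tReplicationFactor: 3\tConfigs: \n"
    "Topic: audit-log\tTopicId: kP9d4r\tPartitionCount: 4\tReplicationFactor: 3\tConfigs: \n"
)

# Summary line: starts at column 0 with "Topic:", contains "PartitionCount: N".
_SUMMARY_RE = re.compile(r"^Topic:\s*(\S+)\s.*?PartitionCount:\s*(\d+)")


def parse_cr_partition_counts(cr_json: str) -> dict[str, int]:
    """Map Kafka topic name -> partition count declared in the KafkaTopic CR."""
    counts: dict[str, int] = {}
    for item in json.loads(cr_json)["items"]:
        spec = item["spec"]
        topic = spec.get("name") or item["metadata"]["name"]
        counts[topic] = int(spec["partitionCount"])
    return counts


def parse_cluster_partition_counts(describe_output: str) -> dict[str, int]:
    """Map Kafka topic name -> partition count reported by the cluster."""
    counts: dict[str, int] = {}
    for line in describe_output.splitlines():
        match = _SUMMARY_RE.match(line)
        if match:
            counts[match.group(1)] = int(match.group(2))
    return counts


def find_partition_drift(cr_counts: dict[str, int],
                         cluster_counts: dict[str, int]) -> list[dict]:
    """Return one record per topic whose CR and cluster partition counts disagree."""
    drift: list[dict] = []
    for topic, declared in sorted(cr_counts.items()):
        actual = cluster_counts.get(topic)
        if actual is None:
            reason = "topic declared in CR but not present in the cluster"
        elif declared > actual:
            reason = "CR declares more partitions; reconcile would INCREASE the count"
        elif declared < actual:
            reason = "CR declares fewer partitions; Kafka cannot reduce partitions, fix the CR"
        else:
            continue  # in sync: nothing for the operator to change
        drift.append({"topic": topic, "declared": declared,
                      "actual": actual, "reason": reason})
    return drift


def run_check(cr_json: str, describe_output: str) -> list[dict]:
    """Convenience wrapper: parse both inputs and compute the drift report."""
    return find_partition_drift(parse_cr_partition_counts(cr_json),
                                parse_cluster_partition_counts(describe_output))


if __name__ == "__main__":
    for entry in run_check(SAMPLE_CR_JSON, SAMPLE_DESCRIBE):
        print(f"{entry['topic']}: CR={entry['declared']} cluster={entry['actual']} "
              f"-> {entry['reason']}")
```

Any topic the report lists as "would INCREASE" is one where the post-upgrade reconcile changes the cluster; either lower the CR value to the live count or confirm the increase is intended before upgrading the operator.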

  • Safe rolling restarts for secret updates

    Secret updates now trigger operator-controlled rolling restarts with under-replicated partition (URP) safety checks for Kafka and KRaft components, preventing cluster instability during certificate rotation.

    See Secret updates and safe rolling restarts.

  • SASL PLAIN user management without broker restarts

    SASL/PLAIN credentials for external clients, such as producers or consumers, can now be added or rotated without triggering broker restarts. The CFK operator automatically hot-reloads credential changes when you use the default FileBasedLoginModule for jaasConfig, eliminating the operational overhead of rolling restarts for user management. This capability is enabled by default for all customers and supports zero-downtime onboarding for application-level users. The following are the scope and limitations:

    • Hot-reload applies only to external SASL/PLAIN credentials on the server side. Do not use this feature to update inter-broker SASL/PLAIN credentials or Confluent component authentication.

    • Not supported for SASL/PLAIN with LDAP or when using configOverrides.

    • This feature requires FileBasedLoginModule. While this module is automatic with jaasConfig, you must explicitly configure it when you use jaasConfigPassthrough.

  • Init container environment variable validation

    CFK validates required init-container environment variables and allows appending custom environment variables to init containers using the common podTemplate spec.

  • Unified Stream Manager Schema Registry automation workflow optimization

    The Unified Stream Manager Schema Registry automation workflow has been optimized for improved performance.

  • advertisedListenersEnabled for KRaft MRC deployments

    CFK 3.2.0 introduces the spec.listeners.advertisedListenersEnabled configuration option for the KRaftController custom resource. When set to true, it explicitly sets advertised.listeners for each controller based on the external access configuration. This setting is required for MRC deployments to prevent controller endpoint registration issues.

    See Configure KRaft in MRC.

Notable fixes

  • Fixed an issue where the CFK operator ignored the platform.confluent.io/roll-delay-interval-seconds annotation during upgrades. This issue caused the pods to roll immediately instead of waiting for the configured delay.

  • Fixed connector reconciliation for masked sensitive fields in Connect. Updated CFK’s connector reconciliation logic to properly handle Connect’s credential masking in the REST API, preventing unnecessary connector updates or restarts when sensitive configuration fields are masked.

  • Fixed an issue where the CFK operator did not add the Unified Stream Manager (USM) extension class when RBAC authorization was enabled.