Topics
Affected surfaces
ReleasePort's take
Light signalFlux v2.8.7 fixes a bug in kustomize-controller that caused non‑namespaced resources annotated with `kustomize.toolkit.fluxcd.io/ssa: IfNotPresent` to be deleted and recreated on each reconciliation.
Why it matters: Patch to v2.8.7 immediately if you use kustomize-controller with such annotations; the bug can cause unintended resource churn.
Summary
AI summaryFixed kustomize-controller deleting and recreating non‑namespaced resources annotated with kustomize.toolkit.fluxcd.io/ssa: IfNotPresent.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Security | Medium |
Update go-git to v5.19.0 fixing CVE-2026-45022 in source-controller and image-automation-controller Update go-git to v5.19.0 fixing CVE-2026-45022 in source-controller and image-automation-controller Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Dependency | Medium |
Update fluxcd/pkg dependencies for source-controller, kustomize-controller, and image-automation-controller Update fluxcd/pkg dependencies for source-controller, kustomize-controller, and image-automation-controller Source: llm_adapter@2026-05-21 Confidence: high |
— |
| Dependency | Medium |
Update helm-controller to v1.5.4 Update helm-controller to v1.5.4 Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Dependency | Medium |
Update image-automation-controller to v1.1.3 Update image-automation-controller to v1.1.3 Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Dependency | Medium |
Update kustomize-controller to v1.8.5 Update kustomize-controller to v1.8.5 Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Dependency | Medium |
Update notification-controller to v1.8.4 Update notification-controller to v1.8.4 Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Dependency | Medium |
Update source-controller to v1.8.4 Update source-controller to v1.8.4 Source: llm_adapter@2026-05-21 Confidence: low |
— |
| Bugfix | Medium |
Fix management of objects annotated with kustomize.toolkit.fluxcd.io/ssa:IfNotPresent to prevent non-namespaced resource deletion and recreation on each reconciliation (kustomize-controller) Fix management of objects annotated with kustomize.toolkit.fluxcd.io/ssa:IfNotPresent to prevent non-namespaced resource deletion and recreation on each reconciliation (kustomize-controller) Source: llm_adapter@2026-05-21 Confidence: high |
— |
Full changelog
Highlights
Flux v2.8.7 is a patch release that includes a bug fix in kustomize-controller, a CVE fix in source-controller and image-automation-controller via go-git v5.19.0, and dependency updates. Users are encouraged to upgrade for the best experience.
ℹ️ Please follow the Upgrade Procedure for Flux v2.7+ for a smooth upgrade from Flux v2.6 to the latest version.
Fixes:
- Fix management of objects annotated with
kustomize.toolkit.fluxcd.io/ssa: IfNotPresentwhere non-namespaced resources were being deleted and recreated on each reconciliation (kustomize-controller)
Improvements:
- Update go-git to v5.19.0 which fixes CVE-2026-45022 (source-controller, image-automation-controller)
- Update fluxcd/pkg dependencies (source-controller, kustomize-controller, image-automation-controller)
Components changelog
- helm-controller v1.5.4
- image-automation-controller v1.1.3
- kustomize-controller v1.8.5
- notification-controller v1.8.4
- source-controller v1.8.4
CLI changelog
- Update toolkit components by @fluxcdbot in https://github.com/fluxcd/flux2/pull/5891
Full Changelog: https://github.com/fluxcd/flux2/compare/v2.8.6...v2.8.7
Security Fixes
- GHSA-389r-gv7p-r3rp (CVE‑2026‑45022) – fixed in source-controller and image-automation-controller via go-git v5.19.0
- CVE-2026-45022
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
About flux2
Open and extensible continuous delivery solution for Kubernetes. Powered by GitOps Toolkit.
Beta — feedback welcome: [email protected]