Mirantis k0rdent Enterprise v1.2.3 Release Notes#

Released: January 29, 2026

Mirantis k0rdent Enterprise builds on the upstream, community-driven k0rdent OSS project to provide a commercially supported, enterprise-grade environment for managing Kubernetes clusters, services, and observability. While the open source k0rdent delivers core functionality under the Apache 2.0 license, Mirantis k0rdent Enterprise adds hardened components, tested integrations, and enterprise-only features—including a fully-featured UI, the ability to add a custom certificate authority, and bare metal provisioning.

Component & Provider Versions#

Component / Provider	Version
Cluster API	v1.11.2
CAPI Provider AWS	v2.10.0
CAPI Provider Azure	v1.21.0
CAPI Provider Docker	v1.11.2
CAPI Provider GCP	v1.10.0
CAPI Provider Infoblox	v0.1.0
CAPI Provider IPAM	v1.1.0-rc.1
CAPI Provider k0smotron	v1.10.0
CAPI Provider OpenStack (ORC)	v0.12.5-mirantis.0 / v2.1.0
CAPI Provider vSphere	v1.14.0
Project Sveltos	v1.1.1

Grafana not Included#

Effective immediately, Mirantis will no longer distribute Grafana as part of its products or services. This change is being made to proactively avoid potential licensing, redistribution, or compliance considerations related to third-party software.

Grafana dashboards and grafana-operator (for installation and lifecycle management of Grafana on the k0rdent Enterprise management cluster or on child clusters) will still be shipped as part of k0rdent Observability & FinOps (KOF), an optional component of k0rdent Enterprise. For more information, please contact Mirantis.

For instructions on how to install Grafana locally and integrate with Mirantis Grafana dashboards and grafana-operator, please see Grafana in KOF.

Highlights#

ARM64 and Multi-Cluster Support Mirantis k0rdent Enterprise now runs on arm64 architectures and manages larger multi-cluster fleets without separate tooling. This removes hardware constraints and lets operators apply one consistent platform across datacenter, edge, and mixed-environment footprints.
Enterprise Identity & Authorization Management A unified identity layer now ships with Mirantis k0rdent Enterprise, offering built-in authentication, federation with enterprise IdPs, and the option to plug in a fully external identity system. This creates a single, scalable model for user access across management and child clusters without locking operators into one approach.
External Database Support for Hosted Control Planes Hosted control planes can now use Kine backed by an external relational database. Offloading state to a dedicated database increases resilience, smooths performance under load, and supports higher cluster density than embedded etcd permits.
Distributed Regional Management Control Planes Hosted control plane pods can be deployed on designated regional Kubernetes clusters instead of the primary management cluster. This adds clean separation between management and regional domains, improves failure isolation, and allows credential boundaries to match organizational or geographic requirements.
k0rdent Cluster Manager (KCM) Enhancements KCM now includes telemetry collection, configurable Helm operation timeouts, support for regional HCP placement, and label-based role aggregation. These updates reduce friction during upgrades, simplify RBAC integration, and make lifecycle automation more predictable at scale.
ServiceSet API & KSM Enhancements The new ServiceSet abstraction allows operators to define services with explicit dependencies and ordered upgrades, eliminating ad-hoc sequencing. Additional Helm options, dependency awareness, and improved IPAM observability make multi-component rollouts far more controlled and transparent.
Observability (KOF) Improvements KOF adds kube-state-metrics dashboards for k0rdent CRDs, a raw-metrics viewer, Promxy tuning for heavy queries, and monitoring for KSM objects. The result is clearer insight into cluster behavior and fewer blind spots when diagnosing deployment or reconciliation issues.
Regional and Fleet-Wide Operational Improvements Regions can now be restored from backup, clusters can migrate between management clusters, identity data can propagate across regions, and a dedicated RBAC manager standardizes permissions. Operators can also pause Sveltos reconciliation, giving them safer control during troubleshooting and disaster recovery workflows.
Access Management Resource The new AccessManagement resource provides a centralized, rule-based mechanism for distributing ClusterTemplates, ServiceTemplates, Credentials, and ClusterAuthentication objects across namespaces. It removes the need for manual object propagation and ensures that teams or tenants receive only the resources intended for them. This brings consistency to multi-namespace environments and reduces the risk of configuration drift when managing large numbers of clusters.
Bare Metal Management from the UI In addition to the command line, you can now manage Bare Metal machines and ClusterDeployments from the UI, enabling unified management from a single platform.
UI Upgrade The k0rdent UI has been upgraded to version 1.1.1 with numerous fixes and improvements.
Stability & UX: Multiple fixes to credential propagation, service status collection, hosted cluster templates, Helm repos, and cloud provider templates (OpenStack, Azure).

🚀 New Features 🚀#

feat: kube-state-metrics dashboards for k0rdent objects (#497) by @gmlexx
feat: child telemetry tracker (#1783) by @zerospiel
feat: expose services.policyRef in CD and MCS spec (#1725) by @wahabmk
feat: introduce local telemetry collector (#1845) by @zerospiel
feat: provider-agnostic KSM with built-in provider (#1670) by @BROngineer
feat: telemetry local storage configuration (#1857) by @zerospiel
feat: add http config for adopted regional cluster by @gmlexx
feat: add backend for internal observability of VictoriaMetrics/Logs (#463) by @AndrejsPon00
feat: add VictoriaMetrics and VictoriaLogs observability page to KOF UI (#480) by @AndrejsPon00
feat: allow full vm custom objects specs definition in values (#478) by @gmlexx
feat: add tooltip for metrics description in KOF UI (#483) by @AndrejsPon00
feat: update helm charts on storage secret change (#484) by @gmlexx
feat: add raw metrics tab in KOF UI (#487) by @AndrejsPon00
feat: add custom resources to kube-state-metrics (#489) by @gmlexx
feat: mothership components monitoring (#342) by @aglarendil
feat: add misconfiguration check for collector scrape in KOF UI (#490) by @AndrejsPon00
feat(backups): add region support (#2040) by @zerospiel
feat: adapt services reconciliation to regional clusters (#2011) by @eromanova
feat: add JSON Schema configmap for templates if available (#1972) by @Kshatrix
feat: add Region CRD and controller (#1958) by @eromanova
feat: add aggregate role for kcm manager (#1976) by @Kshatrix
feat: add helm options to service templates (#1969) by @kylewuolle
feat: cleanup orphaned cloud resources (#1973) by @zerospiel
feat: copy certificate secrets to regional clusters (#2025) by @eromanova
feat: deprecate the Provider Interface controller (#2001) by @eromanova
feat: implementation & validation of service dependencies (#1968) by @wahabmk
feat: introduce Region field for Credential (#1980) by @eromanova
feat: move provider rbac to corresponding provider templates (#2007) by @Kshatrix
feat: observability of events and metrics for ipam (#1882) by @kylewuolle
feat: rework ClusterTemplate valid status check (#2002) by @eromanova
feat: several minor Region improvements (#2010) by @eromanova
feat: add cluster deployment monitoring page to KOF UI (#502) by @AndrejsPon00
feat: add cluster summaries monitoring page to KOF UI (#505) by @AndrejsPon00
feat: Add multi cluster services monitoring page to KOF UI (#508) by @AndrejsPon00
feat: add state management provider monitoring to KOF UI (#509) by @AndrejsPon00
feat: add service set monitoring page to KOF UI (#519) by @AndrejsPon00
feat: migrate to receiver_creator for filelog/containers to support annotation-based discovery (#529) by @gmlexx
feat: add sveltos clusters monitoring page to KOF UI (#531) by @AndrejsPon00
feat: add k8s audit logs collector config (#539) by @AndrejsPon00
feat: add parser for key-value logs (#528) by @AndrejsPon00
feat: add filestore for filelogreceivers to store offsets (#544) by @gmlexx
feat: add alerts for CAPI Objects states (#526) by @AndrejsPon00
feat: add adopted clusters support for Istio (#551) by @gmlexx
feat: upgrade cluster-api@v1.11.2 (#2032) by @zerospiel
feat(restore): support regions restoration (#2073) by @zerospiel
feat: adapt existing validation for Regions (#2065) by @eromanova
feat: region validation (#2063) by @eromanova
feat: credential cluster identity distribution (#2075) by @eromanova
feat: support ClusterDeployment reference in Region spec (#2096) by @eromanova
feat: add RBAC manager as the KCM management component (#2109) by @eromanova
feat: pause reconciliation of sveltos profiles via ServiceSet annotation by @kylewuolle
feat: implement MultiClusterService dependencies (#2009) by @wahabmk
feat: regional telemetry collection (#2113) by @zerospiel

🐛 Notable Fixes 🐛#

fix: helm values are not updated correctly (#2362)
fix: prevent duplicate metric collection (#488) by @AndrejsPon00
fix: Mount CA cert as a volume to flux components (#1844) by @eromanova
fix: Mount CA secret to flux before installing kcm-templates (#1847) by @eromanova
fix: add default storage class for openstack standalone templates (#1871) by @bnallapeta
fix: allow configuration of the default HelmRelease timeout (#1830) by @eromanova
fix: continue e2e tests after deployment failure (#1840) by @eromanova
fix: credentials propagation (#1886) by @BROngineer
fix: drop subpath from the registry in hosted helm repositories (#1890) by @eromanova
fix: install yq before generating release.yaml (#1894) by @eromanova
fix: k0s image url for azure-hosted-cp (#1856) by @a13x5
fix: multiclusterservice requeue (#1899) by @BROngineer
fix: redundant servicetemplates fetching (#1832) by @zerospiel
fix: remote-cluster (hosted) respects useSudo (#1880) by @zerospiel
fix: service statuses (#1888) by @BROngineer
fix: services deployed & clusters matched in MCS kubectl output (#1779) by @wahabmk
fix: set kcm version in release.yaml before making the release (#1877) by @eromanova
fix: change opencost prometheus URL to HTTP for local cluster (#451) by @AndrejsPon00
fix: correct instrumentation exporter endpoint to resolve trace export error (#452) by @AndrejsPon00
fix: Replacing release notes with auto-generated ones, updated docs/release (#453) by @denis-ryzhkov
fix: slow KOF UI responses due to long proxy timeout (#448) by @AndrejsPon00
fix: Customized cert-manager-startupapicheck image registry (#457) by @denis-ryzhkov
fix: promxy server group doesn't update after http client config changes (#456) by @AndrejsPon00
fix: increase promxy memory requests/limits to prevent OOM (#458) by @AndrejsPon00
fix: move grafana operator to kof-operators helm chart (#461) by @gmlexx
fix: Jaeger authenticated endpoint exposed across clusters (#462) by @denis-ryzhkov
fix: istio/gateway chart repo compatibility with custom registry (#464) by @denis-ryzhkov
fix: add promxy suffix to promxy labels (no PR) by @gmlexx
fix: add missing env variable for goreleaser (#466) by @gmlexx
fix: Added ServiceTemplateChain cert-manager-v1-16-4-from-1-16-4 upgrade chain (#467) by @denis-ryzhkov
fix: override only defined properties with annotation on config update (#468) by @gmlexx
fix: Custom kcm.serviceMonitor.selector (#472) by @denis-ryzhkov
fix: "Cluster Deployments Events" dashboard vs management/regional case (#469) by @denis-ryzhkov
fix: Custom registryCredentialsConfig in helmCharts of kof-istio (#473) by @denis-ryzhkov
fix: use node name in node exporter dashboards (#470) by @gmlexx
fix: two chartName cases for cert-manager in kof-istio-network (no PR) by @denis-ryzhkov
fix: install kof-operators before kof-storage to avoid CRD not found ([#?]) by @denis-ryzhkov
fix: updated Jaeger secret name after refactor (#462) by @denis-ryzhkov
fix: ContainerHighMemUsage alert missing container label (#477) by @aglarendil
fix: typo in intervalFactor caused 500 in Istio Service Dashboard (#479) by @denis-ryzhkov
fix: incorrect log level parsing for uppercase codes (#481) by @AndrejsPon00
fix: correctly parse & render total metric values in KOF UI (#486) by @AndrejsPon00
fix: prevent OOM crash in promxy on large queries (#491) by @AndrejsPon00
fix: correct memory queries in Grafana dashboard panels (#494) by @AndrejsPon00
fix: collecting ksm service statuses (#1952) by @BROngineer
fix: enable multiclusterservice requeue on status update (#1946) by @BROngineer
fix: handle adopted cluster in ksm (#1948) by @BROngineer
fix: multiclusterservice cleanup (#1948) by @BROngineer
fix(infoblox): support arm64 (#1938) by @zerospiel
fix(templates): allow null location policy for GKE (#2036) by @zerospiel
fix(utils): patch object's component labels (#1949) by @zerospiel
fix: add configmap rbac permissions for controller (#2024) by @Kshatrix
fix: add regional section to the Release spec (#2027) by @eromanova
fix: add service as an available upgrade to itself (#2051) by @wahabmk
fix: drop regional section from Release (#1996) by @eromanova
fix: drop selector from dev aws credential (#2021) by @eromanova
fix: enable multiclusterservice requeue on status update (#1924) by @BROngineer
fix: increase default helm timeout for dev setup (#2030) by @eromanova
fix: missed registry creds config (#1974) by @BROngineer
fix: moved network configuration for standalone deployments into values.yaml (#1887) by @vtrenton
fix: network cfg in hosted tpls; fix standalone (#1895) by @zerospiel
fix: openstackclusteridentities permissions (#2046) by @Kshatrix
fix: reflect deletion status in Region conditions (#2014) by @eromanova
fix: set current kcm-regional version as kcm dependency (#1982) by @eromanova
fix: several fixes and improvements for regions (#2035) by @eromanova
fix: remove timestamp metrics from kube-state custom resources (#498) by @gmlexx
fix: typo grafana-operator.enabled/enables, dedup subchart, update descriptions (#506) by @denis-ryzhkov
fix: warnings on helm install/upgrade of kof-collectors (#504) by @denis-ryzhkov
fix: flatten event fields for better filtering (#510) by @gmlexx
fix: Auto-upgrade KOF CRD PromxyServerGroup (#546) by @denis-ryzhkov
fix: Security fix of vite (#548) by @denis-ryzhkov
fix: show log line field in dashboard (#559) by @gmlexx
fix: move collectors service extensions list to upper charts values (#558) by @gmlexx
fix: cert-manager-dependent regional components disabling (#2061) by @eromanova
fix: update Credential status when Region is not ready (#2066) by @eromanova
chore: remove multiclusterservice validation webhook (#2071) by @BROngineer
fix: self-management panics & incorrect profile type (#2074) by @wahabmk
fix(providerinterface): Azure ClusterIdentities (#2088) by @zerospiel
fix(templates): AWS-CSI image paths; Azure required parameters (#2111) by @a13x5
fix: drop kcm-regional version annotation from Release (#2117) by @eromanova

✨ Notable Changes ✨#

fix(os-tpls): correct identity name in identityref (#1901) by @zerospiel
refactor: reuse already defined statemanagementprovider name (#1883) by @wahabmk
test: check promxy metrics by @gmlexx
test: wait until vmauth creates ingress in kind-adopted-regional cluster (#471) by @gmlexx
test: add unit tests for Victoria pages (KOF UI) (#482) by @AndrejsPon00

❗ Upgrade Notes ❗#

If you have non-airgapped k0rdent cluster please apply the following steps before upgrading:
1. Get current k0sURL used in the system, by executing for any of cluster deployments you have:
```
kubectl -n kcm-system get hr <cluster deployment name> -o jsonpath='{.spec.values.global.k0sURL}'
```
  Note
  
  If the returned value is https://get.mirantis.com/k0rdent-enterprise/k0s you may skip all next steps and proceed with the upgrade.
2. Update the Management object by putting the value from the step a. to the .spec.core.kcm.config.controller.globalK0sURL parameter.
3. Proceed with the upgrade as normal
If upgrade in an airgapped environment is stuck with "waiting for capi" conditions in Management and theCoreProvider object has the config map not found condition, you have hit the known issue kubernetes-sigs/cluster-api-operator#966. To solve this problem, execute the following steps:
1. Download and re-upload the cluster-api-provider-k0sproject-k0smotron-components image (replace REGISTRY with the airgap registry hostname):
```
skopeo copy -a --insecure-policy docker://registry.mirantis.com/k0rdent-enterprise/capi/cluster-api-provider-k0sproject-k0smotron-components:v1.6.0 oci-archive:cluster-api-provider-k0sproject-k0smotron-components_v1.6.0.tar
skopeo copy -a --insecure-policy oci-archive:cluster-api-provider-k0sproject-k0smotron-components_v1.6.0.tar docker://${REGISTRY}/k0rdent-enterprise/capi/cluster-api-provider-k0sproject-k0smotron-components:v1.6.0
```
2. Delete the capi-operator pod to restart the reconcile process.
New/stricter Region validation may surface issues with configurations that were previously accepted. Dry-run manifests before rollout.
Region restoration flow is new; confirm backup/restore procedures for regional components.
CI images switched base images from scratch to gcr.io/distroless/static-debian12:nonroot

Known Issues#

Unexpected child cluster node rotation after upgrade (k0rdent-enterprise#159) caused by k0sURL update. Only non-airgap clusters are affected, please follow the upgrade notes to mitigate the issue.
kof-mothership chart may fail on removal in case if specific mcs are present. To avoid this, please delete all corresponding MultiClusterServices before uninstalling kof-mothership chart (kubectl delete mcs kof-storage-secrets kof-storage-secrets-remote-templates-copy).
k0rdent-istio requires two workarounds documented in Installing KOF - Istio section.
KOF UI shows false positive misconfiguration warnings, fixed in the next release.
Upgrade can get stuck indefinitely due to CAPI not upgrading, causing all components to show the "waiting for capi" condition. This is related to the upstream issue kubernetes-sigs/cluster-api-operator#966. Check upgrade notes for mitigation steps.

Release Metadata#

Key	Value
Helm Charts	kcm: 1.2.2, kof: 1.5.0
OCI Registry	registry.mirantis.com/k0rdent-enterprise/
SBOM	Included
OCI Signature Support	Included
Release Tags	v1.2.2 across all components

Contributors#

Huge thanks to the following contributors for making this release possible: @gmlexx, @denis-ryzhkov, @aglarendil, @kylewuolle, @a13x5, @eromanova, @zerospiel, @BROngineer, @Kshatrix, @dis-xcom, @wahabmk, @AndrejsPon00

Resources#

Documentation

Try It Out#

QuickStart guide: https://docs.k0rdent-enterprise.io/v1.2.2/quickstarts/