[{"data":1,"prerenderedAt":269},["ShallowReactive",2],{"blog-post-blog_de-kubernetes-patch-release-go-cve-update-februar-2026":3},{"id":4,"title":5,"body":6,"cover":254,"date":255,"description":256,"draft":257,"extension":258,"meta":259,"navigation":191,"path":260,"seo":261,"stem":262,"tags":263,"__hash__":268},"blog_de\u002Fde\u002Fblog\u002Fkubernetes-patch-release-go-cve-update-februar-2026.md","Kubernetes: Out-of-Band Patch Releases for Go CVEs",{"type":7,"value":8,"toc":249},"minimark",[9,26,31,34,85,92,96,99,139,142,149,234,238,245],[10,11,12,13,17,18,21,22,25],"p",{},"Patch releases in Kubernetes usually follow a monthly cadence. At the end of February 2026, however, several branches were updated off-schedule to pull in a new ",[14,15,16],"strong",{},"Go version"," and thereby fix several ",[14,19,20],{},"Go CVEs",". The release notes stress: ",[14,23,24],{},"no other changes",".",[27,28,30],"h2",{"id":29},"was-out-of-band-konkret-bedeutet","What “out-of-band” means in practice",[10,32,33],{},"An out-of-band patch has to be handled differently in operations than a regular monthly patch:",[35,36,37,44,51,61,76,82],"ul",{},[38,39,40,41],"li",{},"Release date outside the patch calendar, triggered by ",[14,42,43],{},"security intake",[38,45,46,47,50],{},"The change is essentially a ",[14,48,49],{},"toolchain update"," (Go) rather than feature fixes",[38,52,53,54,57,58],{},"Newly built binaries and images for components such as ",[14,55,56],{},"kube-apiserver"," and ",[14,59,60],{},"kubelet",[38,62,63,64,68,69,68,72,75],{},"Simultaneous patches for several minor lines (e.g. 
",[65,66,67],"code",{},"1.35.x",", ",[65,70,71],{},"1.34.x",[65,73,74],{},"1.33.x",")",[38,77,78,79],{},"Patches can be necessary even when workloads remain unchanged: the dependency is the ",[14,80,81],{},"Go runtime",[38,83,84],{},"Managed offerings typically fold such releases into their own rollout schedules and maintenance windows",[10,86,87],{},[88,89],"img",{"alt":90,"src":91},"Diagram: Go CVEs → out-of-band patch → rollout","\u002Fimg\u002Fblog\u002Fkubernetes-patch-release-go-cve-update-februar-2026-diagram.svg",[27,93,95],{"id":94},"praktische-auswirkungen-auf-upgrade-prozesse","Practical impact on upgrade processes",[10,97,98],{},"For platform teams, this results in clear process requirements:",[35,100,101,108,115,122,129,136],{},[38,102,103,104,107],{},"Monitoring of the official ",[14,105,106],{},"patch release history"," and security announcements",[38,109,110,111,114],{},"Use of a ",[14,112,113],{},"staging cluster"," for fast validation in tight time windows",[38,116,117,118,121],{},"Coordination of ",[14,119,120],{},"change windows"," for clusters that run under security SLAs",[38,123,124,125,128],{},"Rebuilds of in-house components where ",[14,126,127],{},"source builds"," of Kubernetes are in use",[38,130,131,132,135],{},"Accounting for ",[14,133,134],{},"version skew"," (control plane vs. nodes) during rollout",[38,137,138],{},"Node upgrades in waves (e.g. 
by node pool) with PDBs and capacity planning",[10,140,141],{},"In self-managed clusters, rebuilding in-house images and artifacts is often part of the upgrade as soon as Kubernetes is derived from source or vendor builds.",[10,143,144,145,148],{},"A minimal path for a patch upgrade with ",[65,146,147],{},"kubeadm"," typically looks like this:",[150,151,156],"pre",{"className":152,"code":153,"language":154,"meta":155,"style":155},"language-bash shiki shiki-themes github-light github-dark","kubectl version\nkubeadm upgrade plan\n\n# Example: upgrade to a specific patch release\nsudo kubeadm upgrade apply v1.35.2\nkubectl get nodes -o wide\n","bash","",[65,157,158,175,186,193,200,217],{"__ignoreMap":155},[159,160,163,167,171],"span",{"class":161,"line":162},"line",1,[159,164,166],{"class":165},"sScJk","kubectl",[159,168,170],{"class":169},"sZZnC"," version",[159,172,174],{"class":173},"sj4cs","\n",[159,176,178,180,183],{"class":161,"line":177},2,[159,179,147],{"class":165},[159,181,182],{"class":169}," upgrade",[159,184,185],{"class":169}," plan\n",[159,187,189],{"class":161,"line":188},3,[159,190,192],{"emptyLinePlaceholder":191},true,"\n",[159,194,196],{"class":161,"line":195},4,[159,197,199],{"class":198},"sJ8bj","# Example: upgrade to a specific patch release\n",[159,201,203,206,209,211,214],{"class":161,"line":202},5,[159,204,205],{"class":165},"sudo",[159,207,208],{"class":169}," kubeadm",[159,210,182],{"class":169},[159,212,213],{"class":169}," apply",[159,215,216],{"class":169}," v1.35.2\n",[159,218,220,222,225,228,231],{"class":161,"line":219},6,[159,221,166],{"class":165},[159,223,224],{"class":169}," get",[159,226,227],{"class":169}," nodes",[159,229,230],{"class":173}," -o",[159,232,233],{"class":169}," wide\n",[27,235,237],{"id":236},"warum-das-wichtig-ist","Why this matters",[10,239,240,241,244],{},"Security fixes are not always tied to the monthly patch cycle. 
Out-of-band releases require the ability to upgrade on ",[14,242,243],{},"short notice",", clear communication toward application teams, and an operationalized pipeline for validation and rollout.",[246,247,248],"style",{},"html pre.shiki code .sScJk, html code.shiki .sScJk{--shiki-default:#6F42C1;--shiki-dark:#B392F0}html pre.shiki code .sZZnC, html code.shiki .sZZnC{--shiki-default:#032F62;--shiki-dark:#9ECBFF}html pre.shiki code .sj4cs, html code.shiki .sj4cs{--shiki-default:#005CC5;--shiki-dark:#79B8FF}html pre.shiki code .sJ8bj, html code.shiki .sJ8bj{--shiki-default:#6A737D;--shiki-dark:#6A737D}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}",{"title":155,"searchDepth":177,"depth":177,"links":250},[251,252,253],{"id":29,"depth":177,"text":30},{"id":94,"depth":177,"text":95},{"id":236,"depth":177,"text":237},"\u002Fimg\u002Fblog\u002Fkubernetes-patch-release-go-cve-update-februar-2026-cover.jpg","2026-03-28","On 26 
February 2026, several Kubernetes patch releases were published outside the monthly cadence to address Go CVEs.",false,"md",{},"\u002Fde\u002Fblog\u002Fkubernetes-patch-release-go-cve-update-februar-2026",{"title":5,"description":256},"de\u002Fblog\u002Fkubernetes-patch-release-go-cve-update-februar-2026",[264,265,266,267],"Kubernetes","Security","Go","Operations","V78wDhgNuZtvo_tLYwCsfts4kn2Y7gtq557ql9ry3ys",1775892934242]