Skip to main content
2026-03-30
Kubernetes Operator v2.4.0

Restate Operator v2.4.0 Release Notes

Highlights

  • Trusted CA certificates - RestateCluster now supports custom trusted CA certificates via spec.security.trustedCaCerts, removing the need for custom Restate images when using internal CAs.
  • Configurable canary image - The canary job image is now configurable via Helm, supporting air-gapped and restricted registry environments.
  • IPv6 support - The operator now binds to a dual-stack address, fixing readiness probe failures on IPv6-only clusters.
  • Faster drain cleanup - Old deployment versions are now polled every 10 seconds during drain, instead of waiting up to 5 minutes.

New Features

Trusted CA certificates

You can now configure custom trusted CA certificates for RestateCluster via spec.security.trustedCaCerts. This is useful when Restate needs to trust internal CAs, for example when calling services behind an internal load balancer with a private certificate.The operator adds an init container that concatenates the system CA bundle with your custom certificates into a single PEM file, and sets SSL_CERT_FILE on the Restate container to point to the combined bundle.Changing the Secret references (name or key) triggers a pod rollout.
spec:
  security:
    trustedCaCerts:
      - secretName: internal-ca
        key: ca.pem
Related: PR #111

Configurable canary image

The container image used for PIA and Workload Identity canary jobs is now configurable via the canaryImage Helm value, CANARY_IMAGE environment variable, or --canary-image CLI flag. Previously busybox:uclibc was hardcoded, which fails in environments that cannot pull from Docker Hub.
canaryImage: my-registry.example.com/busybox:uclibc
The simplest approach is to mirror the default image:
docker pull busybox:uclibc
docker tag busybox:uclibc my-registry.example.com/busybox:uclibc
docker push my-registry.example.com/busybox:uclibc
If using a different image, it must provide cat, grep, and wget.Related: Issue #94, PR #106

Bug Fixes

IPv6 dual-stack support

The operator now binds its HTTP server to [::] instead of 0.0.0.0, supporting both IPv4 and IPv6 clusters. Previously, the readiness probe failed on IPv6-only clusters because the operator only listened on IPv4.Related: Issue #93, PR #107

Faster drain cleanup polling

When old deployment versions still have active invocations (draining), the operator now requeues every 10 seconds instead of waiting for the default 5-minute reconcile interval. This means old versions are cleaned up within seconds of drain completion rather than up to 5 minutes.Related: PR #112

Upgrading

CRD Update Required: Helm does not automatically upgrade CRDs. After upgrading the operator, you must manually apply the updated CRDs:
kubectl apply --server-side -f https://github.com/restatedev/restate-operator/releases/download/v2.4.0/restateclusters.yaml
kubectl apply --server-side -f https://github.com/restatedev/restate-operator/releases/download/v2.4.0/restatedeployments.yaml
kubectl apply --server-side -f https://github.com/restatedev/restate-operator/releases/download/v2.4.0/restatecloudenvironments.yaml
Then upgrade the operator via Helm:
helm upgrade restate-operator restatedev/restate-operator --version 2.4.0
View on GitHub
2026-03-20
Kubernetes Operator v2.3.1

Restate Operator v2.3.1 Release Notes

This contains an important fix for a bug introduced v2.3.0. If you’re using v2.3.0 you will need to upgrade to this version.

Highlights

  • Fix: GCP Workload Identity now requires explicit opt-in via gcpWorkloadIdentity: true Helm value, fixing a 403 error loop on non-GCP clusters introduced in v2.3.0.

Bug Fixes

IAMPolicyMember cleanup causes 403 on non-GCP clusters

In v2.3.0, the operator unconditionally attempted to delete IAMPolicyMember resources during reconciliation, even on non-GCP clusters where the RBAC rules were not granted. This caused a 403 Forbidden error loop on every reconcile.The operator now requires the gcpWorkloadIdentity Helm value to be explicitly set before it will create or delete IAMPolicyMember resources. The iam.gke.io/gcp-service-account annotation is ignored with a warning unless the flag is enabled.Impact on Users:
  • Non-GCP clusters: The 403 reconcile loop is fixed. No action needed.
  • GCP clusters using Workload Identity: You must now set gcpWorkloadIdentity: true in your Helm values.
Migration Guidance:If you are using GCP Workload Identity with Config Connector, add to your Helm values:
gcpWorkloadIdentity: true
Related: Issue #103, PR #104

Upgrading

Upgrade the operator via Helm:
helm upgrade restate-operator restatedev/restate-operator --version 2.3.1
No CRD changes in this release.View on GitHub
2026-03-19
Kubernetes Operator v2.3.0

Restate Operator v2.3.0

✨ New Features

  • GCP Workload Identity via Config Connector — The operator now automatically creates IAMPolicyMember resources to bind Kubernetes service accounts to GCP service accounts via Workload Identity. This is triggered when a RestateCluster has iam.gke.io/gcp-service-account in serviceAccountAnnotations. The GCP project ID is extracted from the service account email, so no additional configuration is needed beyond the annotation. A canary job validates that credentials are available before the StatefulSet proceeds. This mirrors the existing AWS Pod Identity Association pattern and requires Config Connector to be installed on the GKE cluster.
  • Configurable cluster DNS suffix — The operator now supports configuring the Kubernetes cluster DNS suffix via the --cluster-dns CLI flag, CLUSTER_DNS environment variable, or Helm clusterDns value. Previously cluster.local was hardcoded in all internal service URLs. This is needed for multi-cluster setups, federated environments, and clusters with custom DNS naming.
  • Configurable drain delay — Added drainDelaySeconds to the RestateDeployment CRD’s spec.restate section. This controls how long the operator waits after a deployment is drained before removing the old version. Default remains 300 seconds (5 minutes). (https://github.com/restatedev/restate-operator/pull/96)

🐛 Bug Fixes

  • Improved admin API error messages — When a deployment registration is rejected by the admin API (e.g. breaking changes without --force), the error message now includes the response from Restate and is logged and emitted as a Kubernetes event, making failures much easier to diagnose. (#100)
  • Fixed canary job completion detection — Fixed a bug where a completed canary job was treated as still pending, causing the operator to loop indefinitely with a NotReady status condition. (#102)

⚙️ Configuration Changes

  • New Helm value clusterDns for configuring the cluster DNS suffix (default: cluster.local)
  • Conditional RBAC for IAMPolicyMember CRDs when GCP Workload Identity is enabled

⚠️ Upgrading Notes

CRD Update Required: Helm does not automatically upgrade CRDs. After upgrading the operator, you must manually apply the updated CRDs:
kubectl apply --server-side -f https://github.com/restatedev/restate-operator/releases/download/v2.3.0/restateclusters.yaml
kubectl apply --server-side -f https://github.com/restatedev/restate-operator/releases/download/v2.3.0/restatedeployments.yaml
kubectl apply --server-side -f https://github.com/restatedev/restate-operator/releases/download/v2.3.0/restatecloudenvironments.yaml
Then upgrade the operator via Helm:
helm upgrade restate-operator restatedev/restate-operator --version 2.3.0
Full release notes: release-notes/v2.3.0.mdView on GitHub
2026-02-12
Kubernetes Operator v2.2.0

Restate Operator v2.2.0

✨ New Features

  • Knative Serving deployment modeRestateDeployment now supports Knative Serving as an alternative to traditional ReplicaSets. This enables:
    • Scale-to-zero: Services automatically scale down when idle, saving resources
    • Automatic scaling: Replicas scale based on concurrent request load
    • In-place updates: Update service implementation without changing Restate deployment identity
    • Tag-based identity: Control versioning behavior with the tag field — same tag means in-place update, changed tag means versioned update, no tag means auto-versioning
    See the Knative Serving Mode documentation for details. (https://github.com/restatedev/restate-operator/pull/64)

🐛 Bug Fixes

  • Fix DNS network policy for NodeLocal DNSCache — The operator now creates DNS egress policies that work with both traditional kube-dns and NodeLocal DNSCache (169.254.20.10). This fixes DNS resolution issues on GKE Autopilot and other Kubernetes environments using node-local DNS caching. (https://github.com/restatedev/restate-operator/pull/88)

⚙️ Configuration Changes

📝 Documentation

⚠️ Upgrading Notes

CRD Update Required: Helm does not automatically upgrade CRDs. After upgrading the operator, you must manually apply the updated CRDs:
kubectl apply --server-side -f https://github.com/restatedev/restate-operator/releases/download/v2.2.0/restateclusters.yaml
kubectl apply --server-side -f https://github.com/restatedev/restate-operator/releases/download/v2.2.0/restatedeployments.yaml
kubectl apply --server-side -f https://github.com/restatedev/restate-operator/releases/download/v2.2.0/restatecloudenvironments.yaml
Note: The restatedeployments CRD update is especially important for this release as it includes the new Knative Serving deployment mode fields.
Then upgrade the operator via Helm:
helm upgrade restate-operator restatedev/restate-operator --version 2.2.0

New Contributors

View on GitHub
2026-01-12
Kubernetes Operator v2.1.0

✨ New Features

  • Operator-driven cluster provisioning - Added support for automatic cluster provisioning via the new spec.cluster.autoProvision field. When enabled, the operator will automatically provision the Restate cluster by calling the gRPC ProvisionCluster API after pods are running. This is particularly useful for multi-node clusters where manual provisioning was previously required. The provisioning status is tracked in status.provisioned to prevent repeated provisioning attempts. (#55)
    ⚠️ Important: When using cluster.autoProvision: true, you must set auto-provision = false in your Restate config to avoid split brain situations.
    🎯 cluster.autoProvision: true is the recommended approach for provisioning Restate clusters.

🔧 Improvements

  • Simplified example configurations by removing default values that are no longer needed (replicated loglet and replicated metadata server are now defaults)

🏗️ CRD Changes

  • Added spec.cluster.autoProvision field to enable operator-managed cluster provisioning
  • Added status.provisioned field to track provisioning state

⬆️ Upgrading

CRD Update Required: Helm does not automatically upgrade CRDs. After upgrading the operator, you must manually apply the new CRDs:
kubectl apply -f https://github.com/restatedev/restate-operator/releases/download/v2.1.0/restateclusters.yaml
kubectl apply -f https://github.com/restatedev/restate-operator/releases/download/v2.1.0/restatedeployments.yaml
kubectl apply -f https://github.com/restatedev/restate-operator/releases/download/v2.1.0/restatecloudenvironments.yaml
View on GitHub
2026-01-05
Kubernetes Operator v2.0.0

What’s Changed

View on GitHub
2025-12-15
Kubernetes Operator v1.9.2

What’s Changed

View on GitHub
2025-12-05
Kubernetes Operator v1.9.1

What’s Changed

View on GitHub
2025-11-28
Kubernetes Operator v1.9.0

What’s Changed

View on GitHub
2025-11-25
Kubernetes Operator v1.8.4

What’s Changed

View on GitHub
2025-11-18
Kubernetes Operator v1.8.3

What’s Changed

New Contributors

View on GitHub
2025-11-05
Kubernetes Operator v1.8.2

What’s Changed

View on GitHub
2025-10-14
Kubernetes Operator v1.7.5

What’s Changed

New Contributors

View on GitHub
2025-10-14
Kubernetes Operator v1.8.1

What’s Changed

New Contributors

View on GitHub
2025-09-26
Kubernetes Operator v1.8.0
This release introduces a new crd (restatecloudenvironment). Helm won’t install new crds when upgrading so if you update you’ll need to install the new crd, which is attached to this release.

What’s Changed

View on GitHub
2025-07-24
Kubernetes Operator v1.7.4

What’s Changed

New Contributors

View on GitHub
2025-07-17
Kubernetes Operator v1.7.3

What’s Changed

New Contributors

View on GitHub
2025-06-17
Kubernetes Operator v1.7.2

What’s Changed

View on GitHub
2025-06-16
Kubernetes Operator v1.7.1
Fixes network policy enforcement for distributed clustersSee the release notes for 1.6.0 if you’re upgrading from a pre 1.6.0 version.

What’s Changed

View on GitHub
2025-06-11
Kubernetes Operator v1.7.0
This release adds PodDisruptionBudgets for clusters, and a new CRD, RestateDeployment, which manages versioning for your Restate SDK services automatically.See the release notes for 1.6.0 if you’re upgrading from a pre 1.6.0 version.

What’s Changed

View on GitHub
2025-05-22
Kubernetes Operator v1.6.0
When upgrading to v1.6.0, you may need to delete the operator-managed StatefulSets so that the operator can recreate them with the new pod management policy, as Kubernetes enforces this as an immutable field. You can do this with kubectl -n your-restate-namespace delete statefulset restate --cascade=orphan, without causing any interruption to your cluster.

What’s Changed

View on GitHub
2025-05-07
Kubernetes Operator v1.5.0

What’s Changed

New Contributors

View on GitHub
2025-05-07
Kubernetes Operator v1.4.0

What’s Changed

New Contributors

View on GitHub
2025-02-25
Kubernetes Operator v1.3.0

What’s Changed

View on GitHub
2024-12-11
Kubernetes Operator v1.2.0

What’s Changed

View on GitHub
2024-12-03
Kubernetes Operator v1.1.1
Avoid spurious updates from namespaces and service accountsView on GitHub
2024-12-02
Kubernetes Operator v1.1.0

What’s Changed

View on GitHub
2024-07-12
Kubernetes Operator v1.0.2

What’s Changed

New Contributors

View on GitHub
2024-06-07
Kubernetes Operator v1.0.0
1.0 release coincides with the release of Restate 1.0View on GitHub
2024-06-07
Kubernetes Operator v0.9.0

What’s Changed

View on GitHub
2024-05-16
Kubernetes Operator v0.8.0

What’s Changed

View on GitHub
2024-05-07
Kubernetes Operator v0.7.2
No release notes provided.View on GitHub
2024-05-03
Kubernetes Operator v0.7.1
No release notes provided.View on GitHub
2024-05-03
Kubernetes Operator v0.7.0

What’s Changed

View on GitHub
2024-04-30
Kubernetes Operator v0.6.1
No release notes provided.View on GitHub
2024-04-24
Kubernetes Operator v0.6.0

What’s Changed

View on GitHub
2024-04-18
Kubernetes Operator v0.5.2

What’s Changed

View on GitHub
2024-04-16
Kubernetes Operator v0.5.0
No release notes provided.View on GitHub
2024-04-16
Kubernetes Operator v0.4.3

What’s Changed

New Contributors

View on GitHub
2024-03-13
Kubernetes Operator v0.4.2
No release notes provided.View on GitHub
2024-03-08
Kubernetes Operator v0.4.1

What’s Changed

View on GitHub
2024-03-08
Kubernetes Operator v0.4.0

What’s Changed

View on GitHub
2024-03-06
Kubernetes Operator v0.3.3
No release notes provided.View on GitHub
2024-03-06
Kubernetes Operator v0.3.2
No release notes provided.View on GitHub
2024-03-05
Kubernetes Operator v0.3.1
No release notes provided.View on GitHub
2024-02-29
Kubernetes Operator v0.3.0
No release notes provided.View on GitHub
2024-02-29
Kubernetes Operator v0.2.6
No release notes provided.View on GitHub
2024-02-29
Kubernetes Operator v0.2.5
No release notes provided.View on GitHub
2024-02-28
Kubernetes Operator v0.2.4
No release notes provided.View on GitHub
2024-02-26
Kubernetes Operator v0.2.3
No release notes provided.View on GitHub
2024-02-26
Kubernetes Operator v0.2.2
No release notes provided.View on GitHub
2024-02-26
Kubernetes Operator v0.2.1
No release notes provided.View on GitHub
2024-02-20
Kubernetes Operator v0.2.0
No release notes provided.View on GitHub
2024-02-16
Kubernetes Operator v0.1.0
No release notes provided.View on GitHub
2024-02-16
Kubernetes Operator v0.0.5
No release notes provided.View on GitHub
2024-02-14
Kubernetes Operator v0.0.4
No release notes provided.View on GitHub
2024-02-14
Kubernetes Operator v0.0.3
No release notes provided.View on GitHub
2024-02-13
Kubernetes Operator v0.0.2
No release notes provided.View on GitHub
2024-02-12
Kubernetes Operator v0.0.1
🚀View on GitHub