Skip to content

Announcing Knative 1.12 Release

Published on: 2023-10-30 ,  Revised on: 2023-11-22

Announcing Knative 1.12 Release

A new version of Knative is now available across multiple components.

Follow the instructions in Installing Knative to install the components you require.

This release brings a number of smaller improvements to the core Knative Serving and Eventing components, and several improvements to specific plugins.

Table of Contents


Release Notes

🚨 Breaking or Notable

  • net-http01 component has been deprecated (see:
  • Label the webhook service with "app: webhook" label (#14258, @JordanDeBeer)
  • auto-tls is now named external-domain-tls (#14472, @ReToCode)
  • internal-encryption is now named system-internal-tls (#14472, @ReToCode)
  • cluster-local-domain-tls is introduced as a new alpha state flag to control TLS certificates for cluster-local domains (#14472, @ReToCode)
  • Traffic from Ingress to Activator/QP uses TLS 1.3 when system-internal-tls is enabled. (#14074, @nak3)
  • Validating webhook will now allow adding the NET_BIND_SERVICE or nil capabilities when secure pods defaults feature is enabled (#14445, @kauana)

💫 New Features & Changes

  • Allow shareProcessNamespace to be set for a Knative Service (feature flag: kubernetes.podspec-shareprocessnamespace). Disabled by default. (#14454, @rhuss)
  • Internal encryption verifies a new SAN kn-user-<ns>. (#14452, @nak3)
  • ReadinessProbe with path contains a query string is supported now. (#14273, @nak3)
  • Support gRPC probe. (#14134, @seongpyoHong)
  • When system-internal-tls is enabled, queue-proxy mounts the certificate secret as projected-volume and automatically reloads the certificates on change. (#14189, @ReToCode)

🐞Bug Fixes

  • Activator correctly propagates pod health when triggered by changes other than pod probes. (#14347, @arsenetar)
  • Activator no longer cancels all probes when one fails (#14303, @arsenetar)
  • Applied an upper bound to the statistics data read from the queue-proxy by the autoscaler. (#14523, @evankanderson)
  • Certificate generation errors are bubbled up to its parent Route. (#14496, @gabo1208)
  • Fix secure 'secure-pod-defaults' to work with restricted namespaces (#14363, @KauzClay)


Release Notes

New Features

  • The filters field in Triggers is now beta and enabled by default
    • New Event Filters are now only created once, rather than on each event (#7213, @Cali0707)
    • The Any filter now dynamically optimizes the order of nested filters for optimal performance. (#7205, @Cali0707)
    • The all filter now dynamically optimizes its ordering to improve performance (#7300, @Cali0707)
    • The exact filter now uses less memory and is faster! (#7311, @Cali0707)
    • The prefix filter just got a whole lot faster! (#7309, @Cali0707)
    • The suffix filter is now faster! (#7312, @Cali0707)
  • OIDC authentication feature
    • Add Audience field in CRDs (#7244, @xiangpingjiang)
    • Expose OIDC audience of a Broker in its status (#7237, @creydr)
    • Expose OIDC audience of an InMemoryChannel in its status (#7371, @creydr)
    • Expose the APIServerSource OIDC service account name in the APIServerSource .status.auth.serviceAccountName (#7330, @Leo6Leo)
    • Expose the PingSource OIDC service account name in the PingSource .status.auth.serviceAccountName (#7344, @Leo6Leo)
    • Expose the SinkBinding OIDC service account name in the SinkBinding .status.auth.serviceAccountName (#7327, @rahulii)
    • Expose the SubscriptionsOIDC service account name in the Subscriptions.status.auth.serviceAccountName (#7338, @xiangpingjiang)
    • Expose the Triggers OIDC service account name in the Triggers .status.auth.serviceAccountName (#7299, @creydr)
    • Mt-broker-ingress: verify the audience of the received JWT if OIDC authentication is enabled (#7336, @creydr)
    • OIDC tokens are now cached to improve performance. (#7335, @Cali0707)
  • It is now possible to specify a subset of features in config-features without overriding default values (#7379, @pierDipi)

Bug Fixes

  • Fix unique name generator for auto-created EventType (#7160, @dsimansk)
  • Correctly handle networking errors when ApiServerSource adapter can't retrieve resources when starts. (#7279, @pierDipi)
  • Event Types are now only created once when using a MTChannelBasedBroker. (#7161, @Cali0707)
  • Set cluster domain suffix in TLS records correctly. (#7145, @creydr)
  • 🐛 Memory leak in the not filter was fixed. (#7310, @Cali0707)
  • 🐛 The filters field now only overrides the filter field on a trigger if there are filters in the filters field. (#7286, @Cali0707)
  • Fixed bug where eventtypes for builtin sources were created and deleted in a loop (#7245, @Cali0707)
  • Fix of the rule aggregation of the knative-eventing-namespaced-edit role to only give view permissions on knative eventing resources. (#7124, @creydr)
  • Update go x/net dependency to help mitigate CVE-2023-44487 (#7348, @Cali0707)


Release Notes

Breaking or Notable

  • 🐣 Upgrade deprecated v1alpha1 DomainMapping API to v1beta1 (#1856, @xiangpingjiang)

New Features

  • Context Sharing POC (#1855, @dsimansk)

Bug or Regression

  • Remove unusable --broker flag from trigger update cmd (#1847, @dsimansk)

Other (Cleanup or Flake)

  • Fix shellcheck warnings in hack/ script (#1860, @xiangpingjiang)
  • Remove deprecated --inject-broker flag from kn trigger cmd group (#1853, @xiangpingjiang)
  • Update core cli dependencies (#1851, @dsimansk)


Release Notes

Bug or Regression

  • Fix: parsing of registries with more complex hierarchy (sub-paths) (#1929, @matejvasek)
  • Fix: version semantic (#1933, @lkingland)

Other (Cleanup or Flake)

  • Chore: Update client-go dependency to aligned version (#1957, @dsimansk)
  • Fix: OnCluster builds of Golang functions (#1445, @Shashankft9)


  • Chore: using nodejs-16-minimal instead of nodejs-16 as default builder for JS/TS (#2015, @matejvasek)
  • Chore: Use custom jammy paketo builder (#1911, @matejvasek)
  • Chore: update maven profile buildEnv in springboot templates (#2014, @trisberg)


Release Notes


  • Add more env vars for pingsource adapter env var preservation to prevent the eventing-controller and the operator fighting to set env var values. (#1534, @aliok)
  • Added http-port and https-port for the ServiceType NodePort (kourier config) (#1541, @eBeyond)
  • Autoscaling/v2beta1 and policy/v1beta1 are no longer supported. Please use autoscaling/v2 and policy/v1 if you are using custom manifests. (#1579, @nak3)
  • Disable probe when explicitly settting the empty overrideProbe. (#1519, @nak3)
  • Support Eventing transport-encryption (TLS), for more information, see (#1582, @pierDipi)
  • The operator now sets HorizontalPodAutoscaler replicas (on resources with HPAs) when workload overrides are defined. (#1548, @ReToCode)

Thank you, contributors

Release Leads:

Learn more

Knative is an open source project that anyone in the community can use, improve, and enjoy. We'd love you to join us!

We use analytics and cookies to understand site traffic. Information about your use of our site is shared with Google for that purpose. Learn more.

× OK