The CloudNativePG Community is excited to announce the immediate availability of CloudNativePG 1.29.0!
This minor release introduces a paradigm shift in how PostgreSQL extensions are managed on Kubernetes and brings powerful new capabilities for enterprise identity and network security, further establishing CloudNativePG as the standard for cloud-native PostgreSQL.
We are also pleased to announce the release of maintenance versions 1.28.2 and 1.27.4, the latter of which is the final planned release in the 1.27.x series. We encourage users on 1.27 to plan their upgrade to 1.28 or 1.29.
With the release of CloudNativePG 1.29.0, the End-of-Life (EOL) date for the CloudNativePG 1.28.x series is confirmed as June 30, 2026.
The headline feature of 1.29 is the integration of Image Catalogs with a new, dedicated ecosystem for PostgreSQL extensions. By leveraging the postgres-extensions-containers project, CloudNativePG now provides a structured, automated way to distribute and manage extension-specific images.
This approach ensures that the database engine and its modules are version-aligned, secure, and treated as a single cohesive unit. It centralizes the image supply chain, effectively removing the need for users to manually build and maintain complex custom PostgreSQL images just to add required functionality.
We have introduced a major enhancement to PostgreSQL network security. Using
the new podSelectorRefs field, you can now define pg_hba.conf rules that
dynamically resolve the ephemeral IP addresses of client pods based on label
selectors. This ensures that only authorized workloads in the same namespace
can connect to the database, eliminating the friction of manual IP management
or static CIDR ranges.
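A simplified model of that resolution, added here as an illustration and not CloudNativePG's own code or API: pods in one namespace are matched by equality labels, and each assigned pod IP becomes a single-host pg_hba.conf entry. The pod records, function names, and the `hostssl` / `scram-sha-256` choices are assumptions made for the example.

```python
import ipaddress

# Constructed sample data: pod name, namespace, labels and IP as an API listing might report them.
PODS = [
    {"name": "api-7d9f", "namespace": "shop",
     "labels": {"app": "api", "tier": "backend"}, "ip": "10.244.1.17"},
    {"name": "api-x2k4", "namespace": "shop",
     "labels": {"app": "api", "tier": "backend"}, "ip": "fd00:10:244::2a"},
    {"name": "api-new", "namespace": "shop",          # still Pending: no IP assigned yet
     "labels": {"app": "api", "tier": "backend"}, "ip": None},
    {"name": "batch-1", "namespace": "shop",          # same namespace, different labels
     "labels": {"app": "batch"}, "ip": "10.244.2.9"},
    {"name": "api-other-ns", "namespace": "other",    # same labels, different namespace
     "labels": {"app": "api", "tier": "backend"}, "ip": "10.244.3.3"},
]


def matches(labels, selector):
    """Equality-based selector: every key/value pair in the selector must be present."""
    return all(labels.get(key) == value for key, value in selector.items())


def render_hba(pods, namespace, selector, database, user, method="scram-sha-256"):
    """Return sorted pg_hba.conf lines admitting only the selected pods' current IPs."""
    if not selector:
        # An empty selector matches every pod, which would defeat the restriction.
        raise ValueError("refusing an empty selector")
    lines = []
    for pod in pods:
        if pod["namespace"] != namespace or not pod["ip"]:
            continue  # other namespaces and pods without an IP get no rule
        if not matches(pod["labels"], selector):
            continue
        addr = ipaddress.ip_address(pod["ip"])   # rejects malformed addresses
        prefix = 32 if addr.version == 4 else 128  # exactly one host per rule
        lines.append(f"hostssl {database} {user} {addr}/{prefix} {method}")
    return sorted(lines)


if __name__ == "__main__":
    for line in render_hba(PODS, "shop", {"app": "api", "tier": "backend"}, "app", "app_user"):
        print(line)
```

Because pod IPs are ephemeral, rules like these have to be regenerated whenever the set of matching pods changes; a stale entry would admit whichever pod is next assigned that address.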
CloudNativePG 1.29 now supports referencing a pre-existing ServiceAccount in
Cluster and Pooler resources. This enables a much smoother integration with
cloud provider IAM services. Platform engineers can now manage identity and
permissions once at the infrastructure level and share them across multiple
clusters. This work was contributed by Salih Bozkaya (@bozkayasalihx).
Supply Chain Security & Artifact Signing: We have significantly strengthened the project’s security posture by signing all release artifacts and container images. This release also adds a SECURITY-INSIGHTS.yaml file to the repository to align with industry-standard security reporting.
Advanced TLS for PgBouncer: Added support for granular configuration of TLS cipher suites and minimum/maximum TLS versions for both client-to-pooler and pooler-to-server connections. Contributed by @alex1989hu.
Dive into the full list of changes and fixes in the Release notes for CloudNativePG 1.29.
In parallel with the 1.29 release, we have also shipped maintenance updates for previous stable series:
CloudNativePG 1.28.2: Includes various fixes and improvements backported
from 1.29, including improved resilience for volume resizes and stability
fixes for the cnpg plugin.
CloudNativePG 1.27.4: The final planned maintenance release for the 1.27.x series. We strongly recommend planning an upgrade to 1.28 or 1.29.
We encourage all users to upgrade to the latest stable versions to benefit from the latest features, security enhancements, and bug fixes.
Follow the upgrade instructions for a smooth transition.
Join us to help shape the future of cloud-native Postgres!
If you’re using CloudNativePG in production, consider adding your organization as an adopter to support the project’s growth and evolution.
Thank you for your continued support! Upgrade today and discover how CloudNativePG can elevate your PostgreSQL experience to new heights.