NVIDIA/ais-k8s v3.0.0

Release: NVIDIA/ais-k8s v3.0.0

• Repository: NVIDIA/ais-k8s | Kubernetes Operator, Helm Charts, Ansible Playbooks, and utility scripts for large-scale AIStore deployments on Kubernetes. | 132 stars | Go
• Author: [@github-actions[bot]](https://github.com/github-actions[bot])
• Created: 2026-06-08T21:31:56Z
• Published: 2026-06-08T21:45:00Z

v3.0.0

WARNING: This release will result in an AIStore cluster rollout to sync pod templates.

Added

• Default pod-level security context applied when securityContext is unset, with runtime-default seccomp profiles.
• AIS-container security context spec option aisContainerSecurityContext to replace capabilities. Keeps the same underlying K8s type.

• Default when aisContainerSecurityContext is unset: drop all capabilities and disallow privilege escalation.

Changed

• Admission webhook

• Rejects specs that set both spec.tls and any of configToUpdate.net.http.{server_crt,server_key,client_ca_tls}. The operator owns these paths (/var/certs/{tls.crt,tls.key,ca.crt}) whenever spec.tls is configured.
• Allows updates to both proxy and target capabilities, mapped to container security context.

• Target rollouts now tolerate Kubernetes-unschedulable pending pods.

• Container spec comparison and sync are now unified across init, primary, and sidecar containers, with a per-kind rollout-trigger policy:

• Sidecars (e.g. ais-logs): resources and securityContext diffs now trigger a rollout in addition to image.
• Init containers: all init containers are compared. securityContext diffs now trigger a rollout in addition to image; env and probe diffs no longer trigger.
• Renaming a container at the same index now triggers a rollout.

• Pod template field removals cause a rollout to sync (previously only env respected removals).
• All label-based selection will use prefixed labels app.kubernetes.io/name and app.kubernetes.io/component

• Labels applied to pods are NOT changed.
• Newly-created StatefulSets select only on prefixed labels. Existing StatefulSets continue to select on all labels and are not updated in place.
• Replaces selector usage of app and component. Legacy labels remain on pods and StatefulSets for compatibility with existing selectors.
• User labels cannot override app.kubernetes.io/name and app.kubernetes.io/component.

• Deprecated the capabilities spec option, replaced with a more accurate aisContainerSecurityContext.
• Deprecated the stateStorageClass and hostPathPrefix root-level spec options. Use stateStorage.pvc.storageClass and stateStorage.hostPath.prefix, respectively.
• Updated default manager args set by the operator kustomize overlay and resulting helm chart:

• Enable leader election by default.
• Set explicit bind addresses for health probe and metrics.
• Metrics server will now use the certificate from the metrics-server-cert secret.

Removed

• Removed StatsD ConfigMap, volume, and mounts

• StatsD support was deprecated in AIStore in v3.28 and dropped in v4.0

• Removed deprecated TLS spec fields: spec.tlsCertificate, spec.tlsSecretName, spec.tlsCertManagerIssuerName.

• Migrate to spec.tls.certificate, spec.tls.secretName, or spec.tls.certificate with mode: csi respectively before upgrading. Existing CRs that still use the old fields will be rejected by the new schema.

• Removed deprecated log-sidecar spec fields: spec.logSidecarImage, spec.logSidecarResources.

• Migrate to spec.logSidecar.image and spec.logSidecar.resources before upgrading.

• Removed backwards-compatible env-var rollout skips: AIS_PUBLIC_HOSTNAME removals on the AIS container and AIS_PUBLIC_DNS_MODE/HOST_IPS additions on the init container will now trigger a rollout instead of being ignored.
• Removed the rollout-skip for adding resources.requests.ephemeral-storage; resource diffs are now compared in full.

---

Assets

| File | Size | Downloads | | --- | --- | --- | | ais-operator.yaml | 401 KB | 0 downloads |