
etcd 3.6 Released with Downgrade Support and Livez/Readyz Endpoints

Author: Ze Research Writer

The etcd project released version 3.6.0 on May 15, 2025, introducing cluster downgrade support, Kubernetes-style health endpoints, and removal of the v2 API. The release follows years of development, and the distributed key-value store continues its role as Kubernetes' backing datastore.

The etcd project announced the release of version 3.6.0 on May 15, 2025, marking a significant milestone for the distributed key-value store that serves as the backing datastore for Kubernetes clusters worldwide. The release introduces cluster downgrade capabilities, Kubernetes-aligned health check endpoints, and removes the deprecated v2 API after a multi-year deprecation period.


What Happened

The etcd maintainers published version 3.6.0 on May 15, 2025, according to the project's official blog. The release follows an extended development cycle that included multiple release candidates and community testing periods.

Key features in etcd 3.6.0 include cluster downgrade support, which allows operators to revert to etcd 3.5.x if issues arise after upgrading. The downgrade capability requires specific procedures and has documented limitations, but provides a recovery path that was previously unavailable.

The release introduces /livez and /readyz HTTP endpoints that mirror Kubernetes health check conventions. The livez endpoint indicates whether the etcd process is running, while readyz provides information about whether the node is ready to serve traffic. Both endpoints support verbose output for debugging.

etcd 3.6 removes the v2 API that was deprecated in version 3.4. The v2 store and associated endpoints are no longer available. Organizations using v2 API clients must complete migration to v3 before upgrading.

Additional changes include improvements to the watch mechanism, enhanced metrics, and various bug fixes accumulated during the development cycle. The release notes document breaking changes that may affect existing deployments.

Key Claims and Evidence

The etcd project claims that downgrade support addresses one of the most requested features from operators. According to the release announcement, the capability enables reverting from 3.6.x to 3.5.x following documented procedures.

The livez and readyz endpoints provide more granular health information than the previous /health endpoint, according to the project documentation. The endpoints support query parameters that enable checking specific subsystems.

Performance characteristics remain consistent with etcd 3.5, according to the maintainers. The release does not introduce significant changes to the consensus protocol or storage engine that would affect throughput or latency.

The v2 API removal follows the deprecation timeline announced with etcd 3.4. The project provided migration tools including etcdctl migrate and documentation for converting v2 data to v3 format.

etcd 3.6 requires Go 1.22 or later for building from source. Binary releases are available for Linux, macOS, and Windows across multiple architectures.


Pros and Opportunities

Downgrade support provides operational flexibility that reduces upgrade risk. Operators can proceed with upgrades knowing that a rollback path exists if problems emerge in production.

The Kubernetes-aligned health endpoints simplify monitoring configuration for organizations running both systems. Consistent endpoint naming and behavior reduce cognitive overhead for operations teams.

Removal of the v2 API reduces code complexity and maintenance burden. The streamlined codebase enables maintainers to focus development effort on v3 features and improvements.

The extended development cycle allowed thorough testing across diverse deployment scenarios. Community feedback during release candidate phases identified and resolved issues before the stable release.

Organizations running Kubernetes benefit from etcd improvements that enhance cluster reliability. The backing datastore's stability directly impacts Kubernetes control plane availability.

Cons, Risks, and Limitations

The v2 API removal creates a hard migration requirement for organizations still using v2 clients. Deployments that have not completed migration cannot upgrade to etcd 3.6 without first addressing v2 dependencies.

Downgrade support has documented limitations and requires specific procedures. Not all upgrade scenarios support clean downgrades, and data written using 3.6-specific features may not be compatible with 3.5.

The extended development cycle means some features were available in release candidates for long periods. Organizations that deployed release candidates may need to address differences between RC and stable releases.

etcd's role as Kubernetes' backing datastore means upgrade issues can impact cluster availability. Organizations should thoroughly test upgrades in non-production environments before production deployment.

The project's graduated CNCF status indicates maturity but does not guarantee compatibility with all deployment scenarios. Edge cases and unusual configurations may encounter issues not covered by standard testing.


How the Technology Works

etcd implements the Raft consensus algorithm to maintain consistency across a distributed cluster. Multiple etcd nodes form a cluster that elects a leader responsible for coordinating writes. Followers replicate the leader's log to maintain consistency.

The key-value store provides a hierarchical namespace for storing configuration data. Clients interact with etcd through gRPC APIs that support operations including get, put, delete, and watch. The watch mechanism enables clients to receive notifications when keys change.

etcd persists data to disk using a write-ahead log and periodic snapshots. The storage engine uses bbolt, an embedded key-value database, for persistent storage. Compaction removes historical revisions to manage storage growth.

The livez endpoint checks whether the etcd process is responsive and can handle basic operations. The readyz endpoint performs more comprehensive checks including leader election status and backend health. Both endpoints return HTTP 200 for healthy status and HTTP 503 for unhealthy conditions.
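The status-code contract described above, as an added example (not code from the etcd project or the original article): a small Python probe that treats only HTTP 200 as healthy and pulls failing check names out of verbose output. The `?verbose` body format (`[+]name ok` / `[-]name failed`), the check names in the constructed samples, and the restart/remove-from-rotation mapping follow Kubernetes health-check conventions and are assumptions here.

```python
import urllib.error
import urllib.request
from dataclasses import dataclass, field

# Constructed sample bodies (assumed verbose format, not captured from a real node).
SAMPLE_READY = "[+]data_corruption ok\n[+]serializable_read ok\n[+]linearizable_read ok\nok\n"
SAMPLE_NOT_READY = "[+]data_corruption ok\n[-]linearizable_read failed: reason withheld\n"


@dataclass
class ProbeResult:
    endpoint: str
    healthy: bool  # True only for HTTP 200
    failed_checks: list = field(default_factory=list)


def interpret(endpoint, status, body=""):
    """Map an HTTP status and optional verbose body to a ProbeResult."""
    failed = []
    for line in body.splitlines():
        parts = line.strip()[3:].split() if line.strip().startswith("[-]") else []
        if parts:
            failed.append(parts[0].rstrip(":"))  # check name only, drop the reason
    # 200 is healthy and 503 unhealthy; any other code (a 404 from an older
    # etcd, a 401/403 from a proxy) is also reported unhealthy, never guessed at.
    return ProbeResult(endpoint, status == 200, failed)


def probe(base_url, endpoint, timeout=2.0):
    """GET <base_url>/<endpoint>?verbose and interpret the answer."""
    url = f"{base_url.rstrip('/')}/{endpoint}?verbose"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return interpret(endpoint, resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:  # non-2xx such as 503 lands here
        return interpret(endpoint, err.code, err.read().decode())
    except OSError:  # URLError, refused connection, timeout
        return ProbeResult(endpoint, False, ["unreachable"])


def action(livez, readyz):
    """Liveness failure means restart; readiness failure means stop routing."""
    if not livez.healthy:
        return "restart"
    if not readyz.healthy:
        return "remove-from-rotation"
    return "serve"
```

To try it against a test member, call `probe("http://127.0.0.1:2379", "readyz")`; the address is a placeholder for your own client or metrics listener.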

Technical context (optional): etcd's Raft implementation uses a heartbeat mechanism to maintain leader authority. The default election timeout of 1000ms and heartbeat interval of 100ms balance responsiveness against network partition sensitivity. Operators can tune these parameters based on network characteristics, though the project recommends conservative settings for production deployments.

Industry Implications

etcd's release cadence and feature development reflect the maturation of cloud-native infrastructure. The focus on operational improvements rather than fundamental architectural changes indicates a stable foundation.

The Kubernetes ecosystem's dependence on etcd creates pressure for reliability and backward compatibility. Breaking changes require careful coordination with Kubernetes release cycles and operator upgrade procedures.

Alternative distributed key-value stores exist, but etcd's integration with Kubernetes creates significant switching costs. The project's CNCF governance provides assurance of continued development and community oversight.

Cloud providers offering managed Kubernetes services must incorporate etcd upgrades into their platform maintenance. The downgrade capability may influence how providers approach upgrade rollout strategies.

The v2 API removal demonstrates the project's willingness to remove deprecated functionality. Organizations should monitor deprecation announcements and plan migrations proactively.

What Remains Unclear

The specific timeline for etcd 3.7 development has not been announced. The project's development roadmap provides general direction but not specific release dates.

Performance characteristics under various workload patterns may differ from 3.5. Organizations should conduct their own benchmarking for workloads that differ from standard Kubernetes usage patterns.

The interaction between etcd 3.6 and future Kubernetes versions requires ongoing compatibility testing. Kubernetes release notes will document supported etcd versions for each release.

Long-term support policies for etcd 3.5 have not been fully articulated. Organizations planning upgrade timelines should monitor project announcements regarding 3.5 maintenance.

What to Watch Next

Kubernetes release notes will indicate when etcd 3.6 becomes the recommended or required version. The Kubernetes project typically supports multiple etcd versions during transition periods.

Community feedback on downgrade procedures will inform best practices. Early adopters' experiences will help establish operational patterns for using the new capability.

The etcd project's GitHub repository tracks issues and feature requests that may influence future development. Monitoring the repository provides insight into upcoming changes.

Cloud provider announcements regarding managed Kubernetes etcd versions will indicate broader ecosystem adoption. Provider upgrade timelines often lag upstream releases by several months.

Performance benchmarks from the community will provide data points for capacity planning. Organizations considering upgrades should review benchmark results relevant to their workload characteristics.
