Vault
Important changes
Last updated: 2025-10-04
Always review important or breaking changes and remediation recommendations before upgrading Vault.
Breaking changes
Audiences required for Kubernetes authentication roles
| Change | Affected version | Vault edition |
|---|---|---|
| Breaking | 1.21.0 | All |
All tokens for Kubernetes authentication roles must provide explicit audience details. Vault validates the audience claim in the JWT token to ensure that the token is actually intended for Vault and not another service.
If you do not provide an audience, authentication fails.
Recommendation
Update your Kubernetes authentication roles to include the audience parameter. For example:
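# "vault" is a sample audience value; it must match the aud claim of the service account token.
vault write auth/kubernetes/role/demo \
    bound_service_account_names=myapp \
    bound_service_account_namespaces=default \
    audience=vault \
    policies=default \
    ttl=1h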
Refer to the Kubernetes authentication docs for more information.
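A pre-upgrade audit for this change, as an added example that is not part of the original page or HashiCorp's own code: it lists roles with no audience set and checks whether a workload token's `aud` claim would satisfy a role's audience. It assumes the role data returned by `vault read -format=json` exposes an `audience` field; the role names, the token and the audience values are constructed.

```python
import base64
import json
import subprocess


def jwt_audiences(token):
    """Return the aud claim of a JWT as a list. Inspection only: no signature check."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    aud = json.loads(base64.urlsafe_b64decode(payload)).get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def roles_missing_audience(roles):
    """roles maps role name -> the "data" object from `vault read -format=json`."""
    return sorted(name for name, data in roles.items() if not data.get("audience"))


def token_matches_role(token, role_data):
    """True when the role sets an audience and the token's aud claim contains it."""
    audience = role_data.get("audience")
    return bool(audience) and audience in jwt_audiences(token)


def fetch_roles(mount="auth/kubernetes"):
    """Read every role on the mount with the vault CLI (needs VAULT_ADDR and a token)."""
    def vault_json(cmd, path):
        out = subprocess.check_output(["vault", cmd, "-format=json", path])
        return json.loads(out)
    names = vault_json("list", f"{mount}/role")
    return {n: vault_json("read", f"{mount}/role/{n}")["data"] for n in names}


def make_sample_token(aud):
    """Build an unsigned, constructed JWT carrying only an aud claim."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f'{enc({"alg": "none"})}.{enc({"aud": aud})}.'


# Constructed sample data: one migrated role, one that will fail under 1.21.0.
SAMPLE_ROLES = {
    "demo": {"bound_service_account_names": ["myapp"], "audience": "vault"},
    "legacy": {"bound_service_account_names": ["batch"], "audience": ""},
}

if __name__ == "__main__":
    print("roles without audience:", roles_missing_audience(SAMPLE_ROLES))
    token = make_sample_token(["https://kubernetes.default.svc"])
    print("token accepted by demo:", token_matches_role(token, SAMPLE_ROLES["demo"]))
```

Against a live cluster, pass the result of `fetch_roles()` to `roles_missing_audience()` in place of `SAMPLE_ROLES`.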
New behavior
None.
Known issues
Missed events with multiple event clients (Enterprise)
| Change | Affected version | Fixed version |
|---|---|---|
| Known issue | 1.21.0+ent | None |
Users may miss events when multiple clients with the same namespace and event type filters subscribe to the same performance standby node in a cluster. When one client disconnects, it effectively unsubscribes the remaining clients, which then no longer receive events.
Recommendation
If you have multiple event subscribers with the same namespace and event type filters, you have two options:
- Spread them out among the nodes of the Vault cluster.
- Only subscribe to events on the active node of the cluster.