--- title: ForgeOps release notes description: Subscribe to the ForgeOps 2026.2.0 RSS feed to get notification when there's an update to the latest ForgeOps documentation. component: forgeops version: 2026.2 page_id: forgeops:rn:rn canonical_url: https://docs.pingidentity.com/forgeops/2026.2/rn/rn.html section_ids: 2026: 2026 highlights-2026-2: ForgeOps 2026.2 release features --- # ForgeOps release notes Subscribe to the [icon: rss-square, set=fa][ForgeOps 2026.2.0 RSS feed](https://docs.pingidentity.com/forgeops/latest/rn/rn.xml) to get notification when there's an update to the latest ForgeOps documentation. | | | | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | | | Learn more about configuring GitHub notifications [here](https://docs.github.com/en/account-and-profile/managing-subscriptions-and-notifications-on-github/setting-up-notifications/configuring-notifications) so you can get notified on ForgeOps releases. | | | | | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------ | | Validated Kubernetes, Ingress-NGINX Controller, HAProxy Ingress, cert-manager, and operator versions for deploying Ping Identity Platform 2026.2 | [Link](versions.html) | | Limitations when deploying Ping Identity Platform `2026.2` on Kubernetes | [Link](limitations.html) | | More information about the evolving nature of the `forgeops` repository, including technology previews, legacy features, and feature deprecation and removal | [Link](evolution.html) | | Legal notices | [Link](legal.html) | | Archive of release notes in ForgeOps 2026.1 are available from ForgeOps release 2026.1 documentation. | [Link](https://docs.pingidentity.com/forgeops/2026.1/rn/rn.html) | | Archive of release notes in ForgeOps 2025.1 and 2025.2 are available from ForgeOps release 2025.2 documentation. | [Link](https://docs.pingidentity.com/forgeops/2025.2/rn/rn.html) | | Archive of release notes in 2024 and before are available from ForgeOps release 7.5 documentation. | [Link](https://docs.pingidentity.com/forgeops/7.5/rn/rn.html#2024) | | Archive of release notes in 2023 and before are available from ForgeOps release 7.4 documentation | [Link](https://docs.pingidentity.com/forgeops/7.4/rn/rn.html#2023) | ## 2026 ### ForgeOps 2026.2 release features * Read-only root filesystem for init containers (Helm only) The init containers of all pods have been reconfigured to enable `readOnlyRootFilesystem` security context. This has no impact on deployments, but requires that DS stateful sets be recreated. To enable the `readOnlyRootFilesystem` security context, follow [these steps](#enable-sec-features). * Flags to enable or disable security features (Helm only) You can enable or disable the new security features in your ForgeOps environment using the `--secure` or `--insecure` flags. By default, new environments are created with the `--secure` flag, so the new security features are enabled. | | | | - | ----------------------------------------------------------------------------------------- | | | These flags can be enabled or disabled only in ForgeOps environments deployed using Helm. | To enable the security features in an existing environment: 1. Run the `forgeops` command: ``` $ cd /path/to/forgeops $ ./bin/forgeops env --env-name my-env --secure ``` 2. Recreate the DS stateful set using the instructions in the [how to recreate an STS article](https://github.com/ForgeRock/forgeops/blob/2026.2.0/how-tos/recreating-ds-sts.md). * The platform pods deployed as non-root user using user ID The AM, DS, and IDM pods are now deployed as the standard non-root user ID `11111` and the username is no longer referred to. The user ID `11111` is a security standard across the platform. This user ID is set in the pod security context as the `runAsUser` property. * `PodDisruptionBudgets` for product components You can enable `PodDisruptionBudgets` for platform product components in the Helm charts for Ping Identity Platform including PingGateway. This feature is disabled by default. You can enable it for each component by setting component.pdb.enabled: true\` in your values file. The default policy keeps at least one pod available by setting `minAvailable: 1`. You can change this value by appropriately changing the value of `[.var] component.pdb.minAvailable` or `component.pdb.maxUnavailable`. The affected components are: `am`, `idm`, `admin-ui`, `end-user-ui`, `login-ui`, `ds-idrepo`, `ds-cts` and `ig` (ping-gateway). * Supported Ping Identity Platform images ForgeOps supports the last three major or minor versions of the Ping Identity Platform images. With the availability of 8.1 images, ForgeOps supports 8.1, 8.0, and 7.5 versions of the platform images, and **7.4 images are no longer supported**. We recommend customers that upgrade to a newer version of the platform images. Use the [upgrade guide](https://docs.pingidentity.com/forgeops/2026.2/upgrade/upgrade-product.html) to upgrade to the latest image. The older tags remain available on until the next major/minor release. * New `ttl` options for use with `amster` and `ds-set-passwords` jobs The `amster` and `ds-set-passwords` jobs now have a time-to-live (TTL) option that you can set to retain these jobs for a specified time. This is useful for jobs that are run manually need and to be retained to run to completion. To use this feature, set the `ttlSecondsAfterFinished` option. The default is 7200 seconds. | | | | - | --------------------------------------------------- | | | This feature is available in new environments only. | * Ability to define `apiVersion`, `kind`, and `spec` for a secret You can now define the `apiVersion`, `kind`, and `spec` for secrets defined in the `platform.secrets`. This allows you to define secrets using `external-secrets`.