diff --git a/changelog/2.28.0.md b/changelog/2.28.0.md
new file mode 100644
index 00000000..3a48f6f1
--- /dev/null
+++ b/changelog/2.28.0.md
@@ -0,0 +1,46 @@
+# v2.28.0-ck8s1
+
+Released 2025-08-19
+<!-- -->
+> [!IMPORTANT]
+> **Platform Administrator Notice(s)**
+> - Node labels and taints can now be applied using the configuration file `node-labels-and-taints.yaml`.
+> - Our rook installation has moved to the [welkin-rook repository](https://github.com/elastisys/welkin-rook). If you are not part of the Elastisys organization and need access to this repository, [contact Elastisys](https://elastisys.com/contact/).
+
+## Release highlights
+
+- Welkin-kubespray now supports using Cilium as a network plugin for new clusters. Please refer to `docs/cilium.md` on how to enable it.
+
+## Changes by kind
+
+### Feature(s)
+
+- [#429](https://github.com/elastisys/compliantkubernetes-kubespray/pull/429) - rook: add option to enable cephfs csi @TorLdre
+- [#431](https://github.com/elastisys/compliantkubernetes-kubespray/pull/431) - Add containerd config template for private registry @HaoruiPeng
+- [#442](https://github.com/elastisys/compliantkubernetes-kubespray/pull/442) - Add dynamic inventory to label and taint nodes @simonklb
+- [#454](https://github.com/elastisys/compliantkubernetes-kubespray/pull/454) - Mainline Cilium support for Kubespray @rarescosma
+  - Welkin-kubespray now supports using Cilium as a network plugin for new clusters. Please refer to `docs/cilium.md` on how to enable it.
+
+### Improvement(s)
+
+- [#428](https://github.com/elastisys/compliantkubernetes-kubespray/pull/428) - rook: add calico vxlan ips to peers, and support ipv6 @kristiangronas
+- [#438](https://github.com/elastisys/compliantkubernetes-kubespray/pull/438) - fix: frontend port now uses port instead of target_port @Pavan-Gunda
+- [#449](https://github.com/elastisys/compliantkubernetes-kubespray/pull/449) - Define servicemonitors CRD early @rarescosma
+- [#450](https://github.com/elastisys/compliantkubernetes-kubespray/pull/450) - Avoid overwriting GPU containerd config  @HaoruiPeng
+- [#451](https://github.com/elastisys/compliantkubernetes-kubespray/pull/451) - config: update audit policy for valkey @Mlundm
+- [#452](https://github.com/elastisys/compliantkubernetes-kubespray/pull/452) - upgrade to kubepsray v2.28.0 @shafi-elastisys
+- [#457](https://github.com/elastisys/compliantkubernetes-kubespray/pull/457) - Adding default values for fs.inotify params @elastisys-staffan
+
+### Other(s)
+
+- [#423](https://github.com/elastisys/compliantkubernetes-kubespray/pull/423) - documentation: Port v2.26.0-ck8s4 @Ajarmar
+- [#430](https://github.com/elastisys/compliantkubernetes-kubespray/pull/430) - other: Port 2.27.0 ck8s1 @davidumea
+- [#432](https://github.com/elastisys/compliantkubernetes-kubespray/pull/432) - clean-up: Purge yq3 @rarescosma
+- [#433](https://github.com/elastisys/compliantkubernetes-kubespray/pull/433) - bug: rook-ceph: add exporter psp and fix dashboard @lunkan93
+- [#436](https://github.com/elastisys/compliantkubernetes-kubespray/pull/436) - other: Bump containerd-version image to v1.7.27 in origin fork v2.27.0 @lucianvlad
+- [#440](https://github.com/elastisys/compliantkubernetes-kubespray/pull/440) - other: Add changelog for release v2.27.0-ck8s2 @lucianvlad
+- [#441](https://github.com/elastisys/compliantkubernetes-kubespray/pull/441) - other: Add changelog for release v2.26.0-ck8s5 @lucianvlad
+- [#444](https://github.com/elastisys/compliantkubernetes-kubespray/pull/444) - bug: fix(calico): remove pinned version @FredrikCarlssn
+- [#447](https://github.com/elastisys/compliantkubernetes-kubespray/pull/447) - clean-up: all: remove rook folder @Ajarmar
+- [#448](https://github.com/elastisys/compliantkubernetes-kubespray/pull/448) - documentation: Update Git steps in migration template README @anders-elastisys
+- [#456](https://github.com/elastisys/compliantkubernetes-kubespray/pull/456) - other: chore: add security policy @rarescosma
diff --git a/kubespray b/kubespray
index ead3b002..9c618891 160000
--- a/kubespray
+++ b/kubespray
@@ -1 +1 @@
-Subproject commit ead3b0024701b75657d4cdcd9dee7c5a22c7094c
+Subproject commit 9c618891ea1053de6ac4cdf6e6fbdb5516ebca48
diff --git a/migration/v2.28/prepare/40-disable-openstack-lb.sh b/migration/v2.28/prepare/40-disable-openstack-lb.sh
new file mode 100755
index 00000000..f0837a7a
--- /dev/null
+++ b/migration/v2.28/prepare/40-disable-openstack-lb.sh
@@ -0,0 +1,37 @@
+#!/usr/bin/env bash
+
+HERE="$(dirname "$(readlink -f "${0}")")"
+ROOT="$(readlink -f "${HERE}/../../../")"
+
+# shellcheck source=scripts/migration/lib.sh
+source "${ROOT}/scripts/migration/lib.sh"
+
+log_info "disable openstack lbaas if infra provider is safespring"
+
+if [[ "${CK8S_CLUSTER}" =~ ^(sc|both)$ ]]; then
+  log_info "Replacing openstack_lbaas_enabled with external_openstack_lbaas_enabled in service cluster config"
+
+  CONFIG_FILE="${CK8S_CONFIG_PATH}/sc-config/group_vars/k8s_cluster/ck8s-k8s-cluster-openstack.yaml"
+
+  # Check if the key exists and equals false
+  if yq4 '.openstack_lbaas_enabled' "$CONFIG_FILE" | grep -q '^false$'; then
+    # Delete old key
+    yq4 -i 'del(.openstack_lbaas_enabled)' "$CONFIG_FILE"
+    # Add new key with same value
+    yq4 -i '.external_openstack_lbaas_enabled = false' "$CONFIG_FILE"
+  fi
+fi
+
+if [[ "${CK8S_CLUSTER}" =~ ^(wc|both)$ ]]; then
+  log_info "Replacing openstack_lbaas_enabled with external_openstack_lbaas_enabled in workload cluster config"
+
+  CONFIG_FILE="${CK8S_CONFIG_PATH}/wc-config/group_vars/k8s_cluster/ck8s-k8s-cluster-openstack.yaml"
+
+  # Check if the key exists and equals false
+  if yq4 '.openstack_lbaas_enabled' "$CONFIG_FILE" | grep -q '^false$'; then
+    # Delete old key
+    yq4 -i 'del(.openstack_lbaas_enabled)' "$CONFIG_FILE"
+    # Add new key with same value
+    yq4 -i '.external_openstack_lbaas_enabled = false' "$CONFIG_FILE"
+  fi
+fi