[gardener]
⚠️ Breaking Changes
- [OPERATOR] The admission plugin `ShootStateDeletionValidator` is removed. Explicitly enabling or disabling it via the gardener-api-server will cause the gardener-api-server to fail to start. This fixes an error caused by a not-in-time cleaned up ShootState resulting in Shoot creation to fail if a Shoot was deleted and created with the same name in quick succession. (#4100, @BeckerMax)
✨ New Features
- [USER] It is now possible to enable anonymous authentication on the kube-apiserver for shoots by setting `.spec.kubernetes.kubeAPIServer.enableAnonymousAuthentication=true`. Anonymous authentication will be disabled by default. (#4072, @dimityrmirchev)
- [USER] If enabled in the `gardener-apiserver`, AdminKubeConfigRequest can be used to issue a kubeconfig with cluster-admin privileges for shoot clusters. The default expiration for such request is one hour, but the expiration time can be configured by setting `.spec.expirationSeconds` (minimum 10 minutes or 600 seconds). (#3932, @mvladev)
- [OPERATOR] New `AdminKubeConfigRequest` alpha feature gate enables AdminKubeConfigRequest subresource on shoot resources. The feature gate is disabled by default in the `gardener-apiserver` and must be explicitly enabled. (#3932, @mvladev)
- [OPERATOR] New `--shoot-admin-kubeconfig-max-expiration` flag in `gardener-apiserver` allows to specify the maximum validity duration of a credential requested to a Shoot by an `AdminKubeconfigRequest`. If an otherwise valid `AdminKubeconfigRequest` with a validity duration larger than this value is requested, a credential will be issued with a validity duration of this value. This flag is only effective when `AdminKubeConfigRequest` feature gate is enabled. (#3932, @mvladev)
🐛 Bug Fixes
- [OPERATOR] The Gardener API server now allows `Bastion` to be specified for `ControllerRegistration.spec.resources[].type`. (#4090, @ialidzhikov)
- [DEPENDENCY] The `hack/generate-controller-registration.sh` script does now produce valid `ControllerDeployment` resources. (#4088, @rfranzke)
🏃 Others
- [OPERATOR] Update coredns to `1.8.3`. (#4116, @DockToFuture)
- [OPERATOR] The following images are updated: (#4104, @ialidzhikov)
  - k8s.gcr.io/autoscaling/vpa-admission-controller: 0.9.0 -> 0.9.2
  - k8s.gcr.io/autoscaling/vpa-recommender: 0.9.0 -> 0.9.2
  - k8s.gcr.io/autoscaling/vpa-updater: 0.9.0 -> 0.9.2
- [OPERATOR] Istio, used by the `ManagedIstio` feature gate, is upgraded from `1.8.0` to `1.9.5` (#4101, @mvladev)
- [OPERATOR] SNI feature gate: Prevent throttling by increasing requests and limits for the istio-ingressgateway envoy proxies & limit the used worker threads. (#4080, @danielfoehrKn)
- [OPERATOR] Fixed a race in shoot cluster deletion, which could affect other clusters as the envoy filter (as part of the kube-apiserver-sni) was not deleted before the kube-apiserver-service. This is now explicitly ensured. (#4068, @ScheererJ)
- [OPERATOR] Gardener now supports using worker-controller generated bootstrap-tokens for machines, see new flow here. ⚠️ If you maintain an infrastructure extension make sure to use a worker controller that supports generating a bootstrap token, see here and if you maintain an os-extension make sure to support the `transmitUnencoded` flag similar to os-gardenlinux. Currently, the old flow is still supported but we plan to deprecate it in the future. (#3902, @BeckerMax)
📰 Noteworthy
- [DEVELOPER] If a milestone for the next minor version exists then PRs to the `master` branch are only mergeable if they are assigned to this milestone. (#4085, @rfranzke)
[etcd-druid]
🏃 Others
- [OPERATOR] Updated number of chunks while uploading to never exceed the cloud provider limits. (gardener/etcd-druid#183, @amshuman-kr)
- [OPERATOR] Removed synchronisation before updating ETCD status. (gardener/etcd-druid#176, @amshuman-kr)
Docker Images
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.24.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.24.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.24.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.24.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.24.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.24.0
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.24.0