github gardener/gardener v1.24.0

2 years ago

[gardener]

⚠️ Breaking Changes

  • [OPERATOR] The admission plugin ShootStateDeletionValidator is removed. Explicitly enabling or disabling it via the gardener-api-server will cause the gardener-api-server to fail to start. This fixes an error in which a ShootState that was not cleaned up in time caused Shoot creation to fail when a Shoot was deleted and created again with the same name in quick succession. (#4100, @BeckerMax)

✨ New Features

  • [USER] It is now possible to enable anonymous authentication on the kube-apiserver for shoots by setting .spec.kubernetes.kubeAPIServer.enableAnonymousAuthentication=true. Anonymous authentication will be disabled by default. (#4072, @dimityrmirchev)
  • [USER] If enabled in the gardener-apiserver, AdminKubeConfigRequest can be used to issue a kubeconfig with cluster-admin privileges for shoot clusters. The default expiration for such a request is one hour, but the expiration time can be configured by setting .spec.expirationSeconds (minimum 10 minutes or 600 seconds). (#3932, @mvladev)
  • [OPERATOR] The new AdminKubeConfigRequest alpha feature gate enables the AdminKubeConfigRequest subresource on shoot resources. The feature gate is disabled by default in the gardener-apiserver and must be explicitly enabled. (#3932, @mvladev)
  • [OPERATOR] The new --shoot-admin-kubeconfig-max-expiration flag in gardener-apiserver sets the maximum validity duration of a credential requested for a Shoot by an AdminKubeconfigRequest. If an otherwise valid AdminKubeconfigRequest asks for a validity duration larger than this value, a credential will be issued with a validity duration of this value. This flag is only effective when the AdminKubeConfigRequest feature gate is enabled. (#3932, @mvladev)
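The two credential-related settings above can be checked from the operator side. The following is an added example, not code from the Gardener project: it flags Shoots that set .spec.kubernetes.kubeAPIServer.enableAnonymousAuthentication=true and computes the lifetime an admin kubeconfig would be issued with. The Shoot list is constructed sample data, the function names are hypothetical, and rejecting a request below the 600 second minimum is an assumption about how the stated minimum is enforced.

```python
import json

DEFAULT_EXPIRATION = 3600  # default lifetime stated in the release note (one hour)
MIN_EXPIRATION = 600       # minimum stated in the release note (10 minutes)

# Constructed sample in the shape of `kubectl get shoots -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"namespace": "garden-dev", "name": "open"},
   "spec": {"kubernetes": {"kubeAPIServer": {"enableAnonymousAuthentication": true}}}},
  {"metadata": {"namespace": "garden-dev", "name": "explicit-off"},
   "spec": {"kubernetes": {"kubeAPIServer": {"enableAnonymousAuthentication": false}}}},
  {"metadata": {"namespace": "garden-prod", "name": "defaulted"},
   "spec": {"kubernetes": {"version": "1.20.5"}}}
]}
""")


def anonymous_auth_shoots(shoot_list):
    """Return namespace/name of every Shoot that enables anonymous authentication."""
    flagged = []
    for shoot in shoot_list.get("items", []):
        kubernetes = (shoot.get("spec") or {}).get("kubernetes") or {}
        api_server = kubernetes.get("kubeAPIServer") or {}
        # An absent field means the default, which is disabled.
        if api_server.get("enableAnonymousAuthentication") is True:
            meta = shoot.get("metadata") or {}
            flagged.append(f"{meta.get('namespace')}/{meta.get('name')}")
    return flagged


def effective_expiration(requested, max_expiration):
    """Lifetime in seconds of the issued admin kubeconfig.

    requested is .spec.expirationSeconds (None when unset); max_expiration is
    the --shoot-admin-kubeconfig-max-expiration value converted to seconds.
    """
    seconds = DEFAULT_EXPIRATION if requested is None else requested
    if seconds < MIN_EXPIRATION:
        # Assumption: a request below the stated minimum is rejected as invalid.
        raise ValueError(f"expirationSeconds must be at least {MIN_EXPIRATION}")
    # An otherwise valid request above the maximum is issued with the maximum.
    return min(seconds, max_expiration)


if __name__ == "__main__":
    print("anonymous auth enabled:", anonymous_auth_shoots(SAMPLE))
    print("issued lifetime (s):", effective_expiration(86400, 7200))
```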

🐛 Bug Fixes

  • [OPERATOR] The Gardener API server now allows Bastion to be specified for ControllerRegistration .spec.resources[].type. (#4090, @ialidzhikov)
  • [DEPENDENCY] The hack/generate-controller-registration.sh script now produces valid ControllerDeployment resources. (#4088, @rfranzke)

🏃 Others

  • [OPERATOR] Update coredns to 1.8.3. (#4116, @DockToFuture)
  • [OPERATOR] The following images are updated: (#4104, @ialidzhikov)
    • k8s.gcr.io/autoscaling/vpa-admission-controller: 0.9.0 -> 0.9.2
    • k8s.gcr.io/autoscaling/vpa-recommender: 0.9.0 -> 0.9.2
    • k8s.gcr.io/autoscaling/vpa-updater: 0.9.0 -> 0.9.2
  • [OPERATOR] Istio, used by the ManagedIstio feature gate, is upgraded from 1.8.0 to 1.9.5 (#4101, @mvladev)
  • [OPERATOR] SNI feature gate: Prevent throttling by increasing requests and limits for the istio-ingressgateway envoy proxies & limit the used worker threads. (#4080, @danielfoehrKn)
  • [OPERATOR] Fixed a race in shoot cluster deletion, which could affect other clusters as the envoy filter (as part of the kube-apiserver-sni) was not deleted before the kube-apiserver-service. This is now explicitly ensured. (#4068, @ScheererJ)
  • [OPERATOR] Gardener now supports using worker-controller generated bootstrap-tokens for machines, see new flow here. ⚠️ If you maintain an infrastructure extension, make sure to use a worker controller that supports generating a bootstrap token (see here), and if you maintain an os-extension, make sure to support the transmitUnencoded flag similar to os-gardenlinux. Currently, the old flow is still supported, but we plan to deprecate it in the future. (#3902, @BeckerMax)

📰 Noteworthy

  • [DEVELOPER] If a milestone for the next minor version exists then PRs to the master branch are only mergeable if they are assigned to this milestone. (#4085, @rfranzke)

[etcd-druid]

🏃 Others

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.24.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.24.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.24.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.24.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.24.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.24.0
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.24.0
