[gardener]
⚠️ Breaking Changes
- [USER] Shoot addons are now only allowed on evaluation shoots if the Kubernetes version is >= 1.22. (#4213, @stoyanr)
- [OPERATOR] The obsolete fields `SchedulerConfiguration.schedulers.*.retrySyncPeriod` have been removed. (#4285, @timebertt)
- [OPERATOR] Gardenlet feature gate `NodeLocalDNS` was removed and replaced by a shoot-specific annotation. (#4249, @ScheererJ)
- [DEVELOPER] `make start-gardenlet` does not use seedSelector anymore, making the dev gardenlet single-seed only. If you have multiple Seeds in your local setup, you can specify the seed to act on via the `SEED_NAME` make variable (e.g. `make start-gardenlet SEED_NAME=local-foo`). (#4270, @xrstf)
- [DEVELOPER] The already deprecated `DirectClient` has been removed from the codebase entirely. (#4225, @timebertt)
✨ New Features
- [USER] Makes it possible to disable deploying kube-proxy for newly created clusters. Depending on the networking extension in use, switching off kube-proxy might not be supported yet. Please consult the documentation of the respective networking extension before disabling kube-proxy. (#4260, @ScheererJ)
- [USER] Do not trigger a node rollout when switching from `CRI.Name==nil` to `CRI.Name==docker`. (#4237, @voelzmo)
- [USER] Shoots created with or updated to Kubernetes version >= 1.22 will get `containerd` as default container runtime. If you upgrade an existing shoot which doesn't specify a `cri.name` property in its worker pools, this will trigger a graceful node rollout and the container runtime is switched from `docker` to `containerd`. (#4222, @voelzmo)
- [USER] It's now possible to override the grace periods for the cleanup steps in the shoot deletion by specifying the following annotations on the `Shoot`: (#4212, @rfranzke)
  - `shoot.gardener.cloud/cleanup-webhooks-finalize-grace-period-seconds` (default behaviour: `"300"`)
  - `shoot.gardener.cloud/cleanup-extended-apis-finalize-grace-period-seconds` (default behaviour: `"3600"`)
  - `shoot.gardener.cloud/cleanup-kubernetes-resources-finalize-grace-period-seconds` (default behaviour: `"300"`)
  - `shoot.gardener.cloud/cleanup-namespaces-finalize-grace-period-seconds` (default behaviour: `"300"`)
  - If `"0"` is provided then all resources are finalized immediately without waiting for any graceful deletion. Please be aware that this might lead to orphaned infrastructure artefacts.
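The two `Shoot` settings described above, pinning the container runtime per worker pool and overriding the deletion cleanup grace periods, as an added example that is not part of the original release notes. The annotation keys and the `cri.name` field path are the ones the notes name; the `apiVersion`, the object and pool names, the Kubernetes version and the chosen grace-period values are illustrative assumptions.

```yaml
# Added example (not from the release notes): a Shoot that sets the container
# runtime explicitly and shortens one cleanup grace period during deletion.
# apiVersion, names, version and the override values are assumptions.
apiVersion: core.gardener.cloud/v1beta1
kind: Shoot
metadata:
  name: example-shoot          # assumed name
  namespace: garden-example    # assumed project namespace
  annotations:
    # Wait at most 10 minutes (instead of the default "3600") for extended-API
    # resources to finalize. Values are strings; "0" would skip the wait entirely
    # and risks orphaned infrastructure, so it is deliberately not used here.
    shoot.gardener.cloud/cleanup-extended-apis-finalize-grace-period-seconds: "600"
    # The other three steps keep their default "300"; listed for visibility.
    shoot.gardener.cloud/cleanup-webhooks-finalize-grace-period-seconds: "300"
    shoot.gardener.cloud/cleanup-kubernetes-resources-finalize-grace-period-seconds: "300"
    shoot.gardener.cloud/cleanup-namespaces-finalize-grace-period-seconds: "300"
spec:
  kubernetes:
    version: "1.22.0"          # assumed; >= 1.22 defaults to containerd when cri is unset
  provider:
    workers:
      - name: worker-a         # assumed pool name
        cri:
          name: containerd     # stated explicitly instead of relying on the version default
```

Setting `cri.name` explicitly on every worker pool makes the runtime choice visible in the manifest, so a version upgrade cannot change it implicitly; the `"0"` shortcut is left out because the notes warn it can leave infrastructure artefacts behind.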
- [OPERATOR] A new `ProjectValidator` admission plugin has been added (enabled by default). It prevents creating `Project`s with non-empty `.spec.namespace` fields if the value in `.spec.namespace` does not start with `garden-`. Please note that this admission plugin will be removed in a future release again in favor of the static validation in the `gardener-apiserver`. (#4228, @rfranzke)
- [OPERATOR] Allow explicit configuration of `docker` as a container runtime (`.spec.provider.workers[].cri.name` field in `Shoot`s) for backwards compatibility. Select this only if your workload doesn't run nicely with `containerd`. This configuration option will be removed in the future! (#4218, @voelzmo)
🐛 Bug Fixes
- [OPERATOR] An issue causing the SNI transition step to fail for a cluster that had not yet transitioned to SNI is now fixed. (#4268, @ialidzhikov)
🏃 Others
- [OPERATOR] The blueprint of the Gardenlet landscaper has been fixed to properly reference the gardenlet-landscaper OCI image. (#4283, @danielfoehrKn)
- [OPERATOR] Labels and annotations on the `ResourceQuota` config get merged with the respective fields on existing `ResourceQuota`s. (#4264, @petersutter)
- [OPERATOR] Martian packets are now explicitly enabled in the kernel settings of the shoot cluster nodes. (#4250, @DockToFuture)
- [OPERATOR] Optimize gardenlet's shoot controller to issue fewer calls to gardener-apiserver for the highly frequent status updates during reconciliations and normal care operations. (#4246, @timebertt)
- [OPERATOR] Split `EnvoyFilter` resources from SNI and ReversedVPN into separate resources. (#4242, @DockToFuture)
- [OPERATOR] `ManagedIstio` version is upgraded to `1.10.1`. (#4241, @mvladev)
- [OPERATOR] Error messages containing `RequestLimitExceeded` are now treated as `ERR_INFRA_RATE_LIMITS_EXCEEDED` (instead of `ERR_INFRA_QUOTA_EXCEEDED` before). (#4236, @rfranzke)
- [OPERATOR] gardener-controller-manager's Seed controller now checks the seed namespace's `ownerReferences` before adopting it. (#4232, @timebertt)
- [OPERATOR] Dashboards use UTC instead of browser time by default. (#4229, @wyb1)
- [DEVELOPER] Switch from `*metav1.LabelSelector` to `metav1.LabelSelector` in the `gardenercore.SeedSelector` type in our APIs. This doesn't impose a breaking change for users of the API; however, users of the golang types will have to adapt accordingly. (#4299, @timebertt)
📰 Noteworthy
- [USER] Added a document with recommendations when custom CSI components are deployed into shoot clusters. (#4211, @rfranzke)
- [OPERATOR] The `MountHostCADirectories` feature gate in the `gardenlet` has been promoted to beta and is now enabled by default. (#4223, @ialidzhikov)
- [OPERATOR] The gardenlet chart now defines fine-grained RBAC resources for the gardenlet in the Seed cluster. Previously the gardenlet's `ServiceAccount` was granted all privileges. With this change the gardenlet's `ServiceAccount` privileges are limited as much as possible. (#4129, @ialidzhikov)
Docker Images
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.26.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.26.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.26.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.26.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.26.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.26.0
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.26.0