github gardener/gardener v1.26.0

[gardener]

⚠️ Breaking Changes

  • [USER] Shoot addons are now only allowed on evaluation shoots if the Kubernetes version is >= 1.22. (#4213, @stoyanr)
  • [OPERATOR] The obsolete fields SchedulerConfiguration.schedulers.*.retrySyncPeriod have been removed. (#4285, @timebertt)
  • [OPERATOR] Gardenlet feature gate NodeLocalDNS was removed and replaced by a shoot specific annotation. (#4249, @ScheererJ)
  • [DEVELOPER] make start-gardenlet does not use seedSelector anymore, making the dev gardenlet single-seed only. If you have multiple Seeds in your local setup, you can specify the seed to act on via the SEED_NAME make variable (e.g. make start-gardenlet SEED_NAME=local-foo). (#4270, @xrstf)
  • [DEVELOPER] The already deprecated DirectClient has been removed from the codebase entirely. (#4225, @timebertt)

✨ New Features

  • [USER] It is now possible to disable the deployment of kube-proxy for newly created clusters. Depending on the networking extension in use, switching off kube-proxy might not be supported yet. Please consult the documentation of that networking extension before disabling kube-proxy. (#4260, @ScheererJ)
  • [USER] Do not trigger a node rollout when switching from CRI.Name==nil to CRI.Name==docker. (#4237, @voelzmo)
  • [USER] Shoots created with or updated to Kubernetes version >= 1.22 will get containerd as default container runtime. If you upgrade an existing shoot which doesn't specify a cri.name property in its worker pools, this will trigger a graceful node rollout and the container runtime is switched from docker to containerd. (#4222, @voelzmo)
  • [USER] It's now possible to override the grace periods for the cleanup steps in the shoot deletion by specifying the following annotations on the Shoot: (#4212, @rfranzke)
    • shoot.gardener.cloud/cleanup-webhooks-finalize-grace-period-seconds (default behaviour: "300")
    • shoot.gardener.cloud/cleanup-extended-apis-finalize-grace-period-seconds (default behaviour: "3600")
    • shoot.gardener.cloud/cleanup-kubernetes-resources-finalize-grace-period-seconds (default behaviour: "300")
    • shoot.gardener.cloud/cleanup-namespaces-finalize-grace-period-seconds (default behaviour: "300")
    • If "0" is provided then all resources are finalized immediately without waiting for any graceful deletion. Please be aware that this might lead to orphaned infrastructure artefacts.
  • [OPERATOR] A new ProjectValidator admission plugin has been added (enabled by default). It prevents creating Projects with non-empty .spec.namespace fields if the value in .spec.namespace does not start with garden-. Please note that this admission plugin will be removed again in a future release in favor of the static validation in the gardener-apiserver. (#4228, @rfranzke)
  • [OPERATOR] Allow explicit configuration of docker as a container runtime (.spec.provider.workers[].cri.name field in Shoots) for backwards compatibility. Select this only if your workload doesn't run nicely with containerd. This configuration option will be removed in the future! (#4218, @voelzmo)

🐛 Bug Fixes

  • [OPERATOR] An issue causing the SNI transition step to fail for a cluster that had not yet transitioned to SNI is now fixed. (#4268, @ialidzhikov)

🏃 Others

  • [OPERATOR] The blueprint of the Gardenlet landscaper has been fixed to properly reference the gardenlet-landscaper OCI image (#4283, @danielfoehrKn)
  • [OPERATOR] Labels and annotations on the ResourceQuota config get merged with the respective fields on existing ResourceQuotas (#4264, @petersutter)
  • [OPERATOR] Martian packets are now explicitly enabled in the kernel settings of the shoot clusters' nodes. (#4250, @DockToFuture)
  • [OPERATOR] Optimize gardenlet's shoot controller to issue fewer calls to gardener-apiserver for the highly frequent status updates during reconciliations and normal care operations. (#4246, @timebertt)
  • [OPERATOR] Split EnvoyFilter resources from SNI and ReversedVPN into separate resources. (#4242, @DockToFuture)
  • [OPERATOR] ManagedIstio version is upgraded to 1.10.1 (#4241, @mvladev)
  • [OPERATOR] Error messages containing RequestLimitExceeded are now treated as ERR_INFRA_RATE_LIMITS_EXCEEDED (instead of ERR_INFRA_QUOTA_EXCEEDED before). (#4236, @rfranzke)
  • [OPERATOR] gardener-controller-manager's Seed controller now checks the seed namespace's ownerReferences before adopting it. (#4232, @timebertt)
  • [OPERATOR] Dashboards use UTC instead of browser time by default (#4229, @wyb1)
  • [DEVELOPER] Switch from *metav1.LabelSelector to metav1.LabelSelector in the gardenercore.SeedSelector type in our APIs. This doesn't impose a breaking change for users of the API; however, users of the golang types will have to adapt accordingly. (#4299, @timebertt)

📰 Noteworthy

  • [USER] Added a document with recommendations when custom CSI components are deployed into shoot clusters. (#4211, @rfranzke)
  • [OPERATOR] The MountHostCADirectories feature gate in the gardenlet has been promoted to beta and is now enabled by default. (#4223, @ialidzhikov)
  • [OPERATOR] The gardenlet chart now defines fine-grained RBAC resources for the gardenlet in the Seed cluster. Previously the gardenlet's ServiceAccount was granted all privileges. With this change the gardenlet's ServiceAccount privileges are limited as much as possible. (#4129, @ialidzhikov)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.26.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.26.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.26.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.26.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.26.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.26.0
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.26.0
