[gardener]
⚠️ Breaking Changes
- [OPERATOR] Gardenlet does not support seedSelectors anymore; configure an explicit seedConfig in the GardenletConfiguration instead (#4306, @xrstf)
- [OPERATOR] The `KonnectivityTunnel` feature gate in gardenlet has been dropped and removed from the code. If you upgrade to this Gardener version, make sure that the feature gate is disabled and that all shoots were reconciled after you disabled it. (#4247, @rfranzke)
✨ New Features
- [USER] It's now possible to configure the `imageGC{High,Low}ThresholdPercent` fields for the kubelet configuration (defaults: `50` for the high threshold, `40` for the low threshold) in the `Shoot` API via `.spec.{provider.workers[].}kubernetes.kubelet.imageGC{High,Low}ThresholdPercent`. (#4282, @rfranzke)
- [USER] Shoot clusters can now reference an ExposureClass to expose their control plane in various network environments via the `.spec.exposureClassName`. Find more information in this document. (#4244, @dkistner)
- [OPERATOR] Similar to the `NodeAuthorizer` and `NodeRestriction` features in Kubernetes (preventing kubelets from accessing resources which aren't associated with their responsible `Node`s), Gardener now has a `SeedAuthorizer` and `SeedRestriction` feature (preventing gardenlets from accessing resources which aren't associated with their `Seed`s). If you want to enable it for your landscapes then please consult this document. (#4326, @rfranzke)
- [OPERATOR] The external IP attached to the load balancer service belonging to a Seed ingress gateway can now be defined in the configuration for the Gardenlet. This is possible for the default ingress gateway and for the ExposureClass handler ingress gateways. For ExposureClass handler ingress gateways this will only work in combination with the `APIServerSNI` feature flag (default). (#4319, @dkistner)
- [OPERATOR] Shoot clusters can now use ExposureClasses to expose the control plane in various network environments. The Gardenlet needs to realize the exposure strategy and is therefore required to have the ExposureClass handler configuration in its own config. This can be maintained in the `.exposureClassHandlers` list of the Gardenlet configuration. Find more information in this document. (#4244, @dkistner)
🐛 Bug Fixes
- [USER] The additional DNS provider Secret is now updated on Shoot deletion. This allows users to replace invalid Secret data with valid data, and the change is now reflected in the Secret maintained in the Shoot namespace in the Seed. (#4337, @ialidzhikov)
- [USER] Updating to a MachineImageVersion which doesn't support the chosen CRI configuration will now result in a validation error. (#4332, @voelzmo)
- [OPERATOR] A bug has been fixed where the shoot maintenance controller upgraded the OS version to a higher but deprecated version instead of using a lower, supported one. (#4327, @vpnachev)
- [OPERATOR] A bug has been fixed where the OS version of a worker pool was defaulted to a higher, deprecated version instead of a lower, supported one. (#4327, @vpnachev)
🏃 Others
- [USER] Authenticated users can now read/list/watch `ExposureClass` resources. (#4334, @dkistner)
- [OPERATOR] The Envoy used in apiserver-proxy and sidecar is upgraded to the distroless `1.18.3` version. (#4304, @mvladev)
- [OPERATOR] `ManagedIstio` now uses distroless images. (#4301, @mvladev)
- [OPERATOR] `ManagedIstio` is now upgraded to `1.10.2`. (#4301, @mvladev)
- [OPERATOR] The `MountHostCADirectories` feature gate in the `gardenlet` has been promoted to GA. (#4279, @ialidzhikov)
- [OPERATOR] An optional logging agent can be installed on the shoot nodes. (#3813, @vlvasilev)
- [DEVELOPER] Envtests are now run in a dedicated make target (`make test-integration`). (#4265, @timebertt)
- [DEPENDENCY] Envtests that require the control plane binaries now have to be run using `hack/test-integration.sh`. Please consult gardener's Makefile as a reference usage. (#4265, @timebertt)
📰 Noteworthy
- [USER] ⚠️ The kubelets on the shoot worker nodes will be restarted in the respective maintenance time windows of the shoot clusters. (#4321, @rfranzke)
- [OPERATOR] The `hyperkube` image is now only downloaded exactly once per shoot worker node to prevent repetitive, undesired downloads in case the kubelet garbage-collects the image due to excessive root disk usage. (#4321, @rfranzke)
Docker Images
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.27.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.27.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.27.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.27.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.27.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.27.0
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.27.0