[gardener]
⚠️ Breaking Changes
- [OPERATOR] Gardener's component configuration APIs have been changed in the following breaking ways: (gardener/gardener#6333, @timebertt)
kubernetesLogLevelhas been removed from all component configsControllerManagerConfiguration.server.httphas been split intoserver.{healthProbes,metrics}(health endpoints and metrics are now served on different ports)ControllerManagerConfiguration.server.httpshas been removed
- [OPERATOR]
gardener-controller-managerserves health endpoints and metrics on different ports now. Adapt your scrape configs accordingly to portmetrics. (gardener/gardener#6333, @timebertt) - [OPERATOR] The
DisableDNSProviderManagementfeature gate has been promoted to GA and is now unconditionally enabled. If theshoot-dns-serviceextension is deployed, please make sure following prerequistes are given for a smoothly transition: (gardener/gardener#6341, @MartinWeindel)- The
shoot-dns-serviceextension must be installed in a version >=v1.20.0. - The controller deployment of the
shoot-dns-servicesetsproviderConfig.values.dnsProviderManagement.enabled=true - Its admission controller (
gardener-extension-admission-shoot-dns-service) is deployed on the garden cluster - the
dns-externalextension must still be installed
- The
- [OPERATOR] The already deprecated
shoot.gardener.cloud/use-as-seedannotation (since v1.18.0) is no longer supported for creating Shooted Seed clusters. Please check the following documentation on how to migrate from theuse-as-seedannotation toManagedSeeds. Before updating to this version of Gardener, make sure that you migrated toManagedSeedsand that you no longer have usages of theuse-as-seedannotation on the landscape. (gardener/gardener#6379, @ialidzhikov) - [DEPENDENCY] Extension health check types are moved from
github.com/gardener/gardener/extensions/pkg/controller/healthcheck/configtogithub.com/gardener/gardener/extensions/pkg/apis/config(gardener/gardener#6276, @oliver-goetz) - [DEPENDENCY]
hack/install-requirements.shis removed. You can usehack/tools.mkto install tools needed for development and CI. (gardener/gardener#6323, @timebertt) - [DEPENDENCY] All
Actuatorinterfaces for extension controllers have been extended and now receive alogr.Loggerpassed from the reconciler with the proper context of the reconciled object. (gardener/gardener#6332, @rfranzke) - [DEPENDENCY] Some signatures in
pkg/controllerutils/mapperhave changed to support the simple injection of a proper context and logger. (gardener/gardener#6358, @rfranzke)
✨ New Features
- [USER] The machine image defaulting does now work based on the CPU architecture of the machine in a given worker pool. (gardener/gardener#6324, @acumino)
- [USER] The
Shootmaintenance controller has been enhanced to auto-update the machine image of the worker pool in aShootbased on the CPU architecture of the machines. (gardener/gardener#6327, @acumino) - [DEVELOPER] Allow passing custom REST configuration settings (QPS, Burst, Timeout) to extension shoot clients. (gardener/gardener#6276, @oliver-goetz)
- [DEVELOPER] If a resource in the
ManagedResourceis annotated withresources.gardener.cloud/skip-health-check=truethen the resource will be skipped during health checks by the health controller. The ManagedResource conditions will not reflect the health condition of this resource anymore. TheResourcesProgressingcondition will also be set toFalse. (gardener/gardener#6309, @shafeeqes)
🐛 Bug Fixes
- [USER] Fixed a bug that prevented Shoots from being able to use
expander: priorityfor cluster-autoscaler (gardener/gardener#6372, @voelzmo) - [USER] A bug that prevented Shoot deletion when the OS image version or kubernetes version was beyond its expiration date is now fixed. (gardener/gardener#6389, @voelzmo)
- [OPERATOR] An issue causing a panel in the
Node/Worker Pool Overviewdashboard to fail to load due to invalid query is now fixed. (gardener/gardener#6406, @Sallyan) - [OPERATOR] A bug causing
gardenletto panic in case of shoot using namespace which doesn't have the required project label is fixed. (gardener/gardener#6408, @acumino) - [DEVELOPER] Downloading several tools vial
./hack/tools.mkhas been fixed for ARM64 based Linux machines. (gardener/gardener#6314, @timuthy)
🏃 Others
- [USER] Strict schema validation is now performed for VerticalPodAutoscaler resources. (gardener/gardener#6299, @andrerun)
- [OPERATOR] Gardenlet now uses PriorityClass: gardener-system-critical (gardener/gardener#6235, @kris94)
- [OPERATOR] Update istio to v1.14.1. (gardener/gardener#6271, @ScheererJ)
- [OPERATOR] The following images are updated: (gardener/gardener#6295, @himanshu-kun)
eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler:v1.20.1->v1.20.2(for Kubernetes< 1.21)eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler:v1.21.1->v1.21.2(for Kubernetes1.21)eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler:v1.21.1->v1.22.2(for Kubernetes>= 1.22)
- [OPERATOR] Update envoy proxy to v1.21.4 (used in reversed vpn and apiserver-proxy) (gardener/gardener#6320, @ScheererJ)
- [OPERATOR] Additional dashboards for monitoring conntrack insertion failures most likely due to conntrack races (gardener/gardener#6329, @ScheererJ)
- [OPERATOR] The loki/telegraf container no longer runs in privileged mode. (gardener/gardener#6334, @ialidzhikov)
- [OPERATOR] The following images are updated: (gardener/gardener#6336, @istvanballok)
- quay.io/prometheus/blackbox-exporter: v0.20.0 -> v0.21.1
- [OPERATOR] The vpn-seed-server/vpn-seed-server container no longer runs in privileged mode. (gardener/gardener#6346, @ScheererJ)
- [OPERATOR] The vpn-shoot/vpn-shoot container no longer runs in privileged mode (when ReversedVPN feature gate is enabled). As it still needs to still modify some kernel settings, this part is moved to init container that still has to run in privileged but the risk to cluster security is minimal because of the ephemeral nature of init containers. (gardener/gardener#6352, @ScheererJ)
- [OPERATOR] The GA-ed
WorkerPoolKubernetesVersionfeature gate is now removed. (gardener/gardener#6354, @rfranzke) - [OPERATOR] The
API Serverdashboard in Grafana now shows the actual DB size per instance (etcd-main,etcd-events). Earlier those values were summed up and distorted if more than one kube-apiserver replica existed in the control plane. (gardener/gardener#6376, @timuthy) - [OPERATOR] A warning in vpn-shoot about the private key being group/other accessible is now addressed. (gardener/gardener#6381, @ScheererJ)
- [OPERATOR] The Loki, Prometheus, and the VPN seed server envoy proxy parsers parse timezone and milliseconds from the timestamp. (gardener/gardener#6387, @vlvasilev)
- [OPERATOR] It is now possible to disable an admission plugin for the shoot kube-apiserver in the
ShootSpecby setting the AdmissionPlugin.Disabled field totrue. (gardener/gardener#6403, @shafeeqes) - [OPERATOR] Updating CRD for
DNSEntriesto allow specifying routing policy (gardener/gardener#6414, @MartinWeindel) - [DEVELOPER] Golang version is updated to 1.18.4 (gardener/gardener#6300, @oliver-goetz)
- [DEVELOPER] gardenlet's base image is updated from
alpine:3.15.4toalpine:3.16.0. (gardener/gardener#6321, @ialidzhikov) - [DEPENDENCY]
metric-serverimage is updated tov0.6.1(gardener/gardener#6338, @oliver-goetz)
[apiserver-proxy]
🏃 Others
- [OPERATOR] The
apiserver-proxy-pod-webhooknow usesdistrolessinstead ofalpineas a base image. (gardener/apiserver-proxy#18, @dimityrmirchev) - [OPERATOR] Minimize apiserver-proxy-sidecar image by using a scratch image. (gardener/apiserver-proxy#19, @ScheererJ)
[etcd-backup-restore]
⚠️ Breaking Changes
- [DEVELOPER] Added new package
membergarbagecollectorto remove superfluous members from the ETCD cluster. Due to this, etcd-backup-restore now needs permissions to listpodsandstatefulsets. (gardener/etcd-backup-restore#403, @aaronfern)
🐛 Bug Fixes
- [OPERATOR] Temp fix: skip the single member restoration if data-dir found to be invalid. (gardener/etcd-backup-restore#501, @ishan16696)
- [OPERATOR] Fixed a bug in Scaleup feature in func:
IsMemberInCluster()which can cause Scaleup feature to get fail. (gardener/etcd-backup-restore#501, @ishan16696)
🏃 Others
- [OPERATOR] Added new package
membergarbagecollectorto remove superfluous members from the ETCD cluster. (gardener/etcd-backup-restore#403, @aaronfern) - [OPERATOR] Fixed a bug where etcd calls related to multi node operation were used in single node operation (gardener/etcd-backup-restore#504, @aaronfern)
- [OPERATOR] Assigned the correct Peer address to the Etcd after it restores from backup-bucket. (gardener/etcd-backup-restore#505, @ishan16696)
- [OPERATOR] No attempt is made to update member Peer URL when trying to promote a member (gardener/etcd-backup-restore#506, @aaronfern)
📰 Noteworthy
- [OPERATOR] Published docker images for Etcd-Backup-Restore are now multi-arch ready. They support
linux/amd64andlinux/arm64. (gardener/etcd-backup-restore#499, @timuthy) - [OPERATOR] The Etcd-Backup-Restore image has been updated to
Alpine 3.15.4. (gardener/etcd-backup-restore#499, @timuthy) - [OPERATOR] Etcd can now scale up itself from a single member cluster to a multi member cluster (gardener/etcd-backup-restore#487, @aaronfern)
[etcd-custom-image]
🏃 Others
- [OPERATOR] Published docker images for Etcd-Custom-Image are now multi-arch ready. They support linux/amd64 and linux/arm64. (gardener/etcd-custom-image#19, @timuthy)
[etcd-druid]
🏃 Others
- [OPERATOR] livenessProbe of etcd container has been updated to
ETCDCTL_API=3 etcdctl get foo --consistency=smaking the consistencyserializable. (gardener/etcd-druid#357, @ishan16696) - [OPERATOR] failureThreshold has been updated to
5for both livenessProbe and readinessProbe of etcd. (gardener/etcd-druid#357, @ishan16696) - [OPERATOR] The
etcd-druidnow usesdistrolessinstead ofalpineas a base image. (gardener/etcd-druid#360, @dimityrmirchev) - [OPERATOR]
etcd-druidwill now also add statefulset permissions to the etcd role (gardener/etcd-druid#366, @aaronfern) - [OPERATOR] Published docker images for Etcd-Druid are now multi-arch ready. They support
linux/amd64andlinux/arm64. (gardener/etcd-druid#367, @timuthy) - [OPERATOR] Added a new condition
BackupReadyto the etcd status (gardener/etcd-druid#271, @aaronfern) - [OPERATOR] Added pod permission in etcd_role that now enable
etcd-backup-restoreto get/list/watch pods (gardener/etcd-druid#372, @aaronfern)
[hvpa-controller]
🏃 Others
- [USER] Fix an issue where the HVPA would set Requests higher than Limits if
ControlledValues: RequestsOnlyis set (gardener/hvpa-controller#98, @voelzmo) - [OPERATOR] Published docker images for HVPA-Controller are now multi-arch ready. They support
linux/amd64andlinux/arm64. (gardener/hvpa-controller#101, @timuthy)
[vpn2]
📰 Noteworthy
- [OPERATOR] VPN shoot client can now be run with a privileged init container and a non-privileged runtime container (gardener/vpn2#12, @ScheererJ)
- [OPERATOR] vpn-seed-server and vpn-shoot-client container images now contain only a reduced set of binary/libaries. (gardener/vpn2#14, @ScheererJ)
- [OPERATOR] Add missing sleep command to minimized container image. (gardener/vpn2#16, @ScheererJ)
- [OPERATOR] Switched openvpn topology to subnet and ensured that the chosen cipher is always selected. (gardener/vpn2#15, @ScheererJ)
Docker Images
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.52.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.52.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.52.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.52.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.52.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.52.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.52.0