[gardener]
⚠️ Breaking Changes
- [OPERATOR] Gardener's component configuration APIs have been changed in the following breaking ways: (gardener/gardener#6333, @timebertt)
  - `kubernetesLogLevel` has been removed from all component configs
  - `ControllerManagerConfiguration.server.http` has been split into `server.{healthProbes,metrics}` (health endpoints and metrics are now served on different ports)
  - `ControllerManagerConfiguration.server.https` has been removed
- [OPERATOR] `gardener-controller-manager` serves health endpoints and metrics on different ports now. Adapt your scrape configs accordingly to port `metrics`. (gardener/gardener#6333, @timebertt)
- [OPERATOR] The `DisableDNSProviderManagement` feature gate has been promoted to GA and is now unconditionally enabled. If the `shoot-dns-service` extension is deployed, please make sure the following prerequisites are given for a smooth transition: (gardener/gardener#6341, @MartinWeindel)
  - The `shoot-dns-service` extension must be installed in a version `>= v1.20.0`.
  - The controller deployment of the `shoot-dns-service` sets `providerConfig.values.dnsProviderManagement.enabled=true`
  - Its admission controller (`gardener-extension-admission-shoot-dns-service`) is deployed on the garden cluster
  - The `dns-external` extension must still be installed
- [OPERATOR] The already deprecated `shoot.gardener.cloud/use-as-seed` annotation (deprecated since v1.18.0) is no longer supported for creating Shooted Seed clusters. Please check the documentation on how to migrate from the `use-as-seed` annotation to `ManagedSeed`s. Before updating to this version of Gardener, make sure that you have migrated to `ManagedSeed`s and that you no longer have usages of the `use-as-seed` annotation on the landscape. (gardener/gardener#6379, @ialidzhikov)
- [DEPENDENCY] Extension health check types are moved from `github.com/gardener/gardener/extensions/pkg/controller/healthcheck/config` to `github.com/gardener/gardener/extensions/pkg/apis/config` (gardener/gardener#6276, @oliver-goetz)
- [DEPENDENCY] `hack/install-requirements.sh` is removed. You can use `hack/tools.mk` to install tools needed for development and CI. (gardener/gardener#6323, @timebertt)
- [DEPENDENCY] All `Actuator` interfaces for extension controllers have been extended and now receive a `logr.Logger` passed from the reconciler with the proper context of the reconciled object. (gardener/gardener#6332, @rfranzke)
- [DEPENDENCY] Some signatures in `pkg/controllerutils/mapper` have changed to support the simple injection of a proper context and logger. (gardener/gardener#6358, @rfranzke)
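As an added example for the component configuration change listed above (this is not part of the release notes and not Gardener's shipped default config), the new shape of the `server` section of a `ControllerManagerConfiguration`, followed by a Prometheus scrape job that only scrapes the separated `metrics` port. Only the split into `server.healthProbes`/`server.metrics` and the removal of `server.https` and `kubernetesLogLevel` come from the release note; the `apiVersion`, the `bindAddress`/`port` field names, the port numbers and the pod labels used in the relabel rule are assumptions taken from the gardener charts and must be checked against your deployment.

```yaml
# Added example, not part of the release notes. Only the split of server.http into
# server.healthProbes/server.metrics and the removal of server.https and
# kubernetesLogLevel are stated in the release note; apiVersion, field names,
# port numbers and pod labels below are assumptions (gardener chart defaults).
apiVersion: controllermanager.config.gardener.cloud/v1alpha1
kind: ControllerManagerConfiguration
# kubernetesLogLevel: 2      # removed in v1.52: delete this key from existing configs
server:
  # pre-v1.52 shape (no longer part of the API):
  #   http:  { bindAddress: 0.0.0.0, port: 2718 }   # health endpoints and metrics on one port
  #   https: { ... }                                # removed
  healthProbes:              # health endpoints only
    bindAddress: 0.0.0.0
    port: 2718
  metrics:                   # /metrics only; point your scrape config at this port
    bindAddress: 0.0.0.0
    port: 2719
---
# Prometheus scrape job for the separated metrics port (kubernetes_sd pod role).
# The second keep rule selects the container port named "metrics", so the
# health-probe port is never scraped.
scrape_configs:
- job_name: gardener-controller-manager
  kubernetes_sd_configs:
  - role: pod
    namespaces:
      names: [garden]
  relabel_configs:
  - source_labels: [__meta_kubernetes_pod_label_app, __meta_kubernetes_pod_label_role]
    action: keep
    regex: gardener;controller-manager      # assumed chart labels app=gardener, role=controller-manager
  - source_labels: [__meta_kubernetes_pod_container_port_name]
    action: keep
    regex: metrics
```

If your current scrape job selects the pod by port number rather than by port name, it will silently scrape the health port after the upgrade and report the target as down; matching on the container port name `metrics` is what the release note asks for and survives future port changes.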
✨ New Features
- [USER] The machine image defaulting now works based on the CPU architecture of the machines in a given worker pool. (gardener/gardener#6324, @acumino)
- [USER] The `Shoot` maintenance controller has been enhanced to auto-update the machine image of a worker pool in a `Shoot` based on the CPU architecture of the machines. (gardener/gardener#6327, @acumino)
- [DEVELOPER] Allow passing custom REST configuration settings (QPS, Burst, Timeout) to extension shoot clients. (gardener/gardener#6276, @oliver-goetz)
- [DEVELOPER] If a resource in the `ManagedResource` is annotated with `resources.gardener.cloud/skip-health-check=true`, then the resource will be skipped during health checks by the health controller. The `ManagedResource` conditions will not reflect the health condition of this resource anymore. The `ResourcesProgressing` condition will also be set to `False`. (gardener/gardener#6309, @shafeeqes)
🐛 Bug Fixes
- [USER] Fixed a bug that prevented Shoots from being able to use `expander: priority` for cluster-autoscaler (gardener/gardener#6372, @voelzmo)
- [USER] A bug that prevented Shoot deletion when the OS image version or Kubernetes version was beyond its expiration date is now fixed. (gardener/gardener#6389, @voelzmo)
- [OPERATOR] An issue causing a panel in the `Node/Worker Pool Overview` dashboard to fail to load due to an invalid query is now fixed. (gardener/gardener#6406, @Sallyan)
- [OPERATOR] A bug causing `gardenlet` to panic in case of a Shoot using a namespace which doesn't have the required project label is fixed. (gardener/gardener#6408, @acumino)
- [DEVELOPER] Downloading several tools via `./hack/tools.mk` has been fixed for ARM64-based Linux machines. (gardener/gardener#6314, @timuthy)
🏃 Others
- [USER] Strict schema validation is now performed for VerticalPodAutoscaler resources. (gardener/gardener#6299, @andrerun)
- [OPERATOR] Gardenlet now uses PriorityClass: gardener-system-critical (gardener/gardener#6235, @kris94)
- [OPERATOR] Update istio to v1.14.1. (gardener/gardener#6271, @ScheererJ)
- [OPERATOR] The following images are updated: (gardener/gardener#6295, @himanshu-kun)
  - `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.20.1` -> `v1.20.2` (for Kubernetes `< 1.21`)
  - `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.21.1` -> `v1.21.2` (for Kubernetes `1.21`)
  - `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.21.1` -> `v1.22.2` (for Kubernetes `>= 1.22`)
- [OPERATOR] Update envoy proxy to v1.21.4 (used in reversed vpn and apiserver-proxy) (gardener/gardener#6320, @ScheererJ)
- [OPERATOR] Additional dashboards for monitoring conntrack insertion failures most likely due to conntrack races (gardener/gardener#6329, @ScheererJ)
- [OPERATOR] The loki/telegraf container no longer runs in privileged mode. (gardener/gardener#6334, @ialidzhikov)
- [OPERATOR] The following images are updated: (gardener/gardener#6336, @istvanballok)
- quay.io/prometheus/blackbox-exporter: v0.20.0 -> v0.21.1
- [OPERATOR] The vpn-seed-server/vpn-seed-server container no longer runs in privileged mode. (gardener/gardener#6346, @ScheererJ)
- [OPERATOR] The vpn-shoot/vpn-shoot container no longer runs in privileged mode (when the ReversedVPN feature gate is enabled). As it still needs to modify some kernel settings, this part is moved to an init container that still has to run privileged, but the risk to cluster security is minimal because of the ephemeral nature of init containers: the privileged process exits before the long-running VPN client starts. (gardener/gardener#6352, @ScheererJ)
- [OPERATOR] The GA-ed `WorkerPoolKubernetesVersion` feature gate is now removed. (gardener/gardener#6354, @rfranzke)
- [OPERATOR] The `API Server` dashboard in Grafana now shows the actual DB size per instance (`etcd-main`, `etcd-events`). Earlier those values were summed up and distorted if more than one kube-apiserver replica existed in the control plane. (gardener/gardener#6376, @timuthy)
- [OPERATOR] A warning in vpn-shoot about the private key being group/other accessible is now addressed. (gardener/gardener#6381, @ScheererJ)
- [OPERATOR] The Loki, Prometheus, and VPN seed server envoy proxy parsers now parse the timezone and milliseconds from the timestamp. (gardener/gardener#6387, @vlvasilev)
- [OPERATOR] It is now possible to disable an admission plugin for the shoot kube-apiserver in the `ShootSpec` by setting the `AdmissionPlugin.Disabled` field to `true`. (gardener/gardener#6403, @shafeeqes)
- [OPERATOR] Updated the CRD for `DNSEntries` to allow specifying a routing policy (gardener/gardener#6414, @MartinWeindel)
- [DEVELOPER] Golang version is updated to 1.18.4 (gardener/gardener#6300, @oliver-goetz)
- [DEVELOPER] gardenlet's base image is updated from `alpine:3.15.4` to `alpine:3.16.0`. (gardener/gardener#6321, @ialidzhikov)
- [DEPENDENCY] `metric-server` image is updated to `v0.6.1` (gardener/gardener#6338, @oliver-goetz)
[apiserver-proxy]
🏃 Others
- [OPERATOR] The `apiserver-proxy-pod-webhook` now uses `distroless` instead of `alpine` as a base image. (gardener/apiserver-proxy#18, @dimityrmirchev)
- [OPERATOR] Minimize the apiserver-proxy-sidecar image by using a scratch image. (gardener/apiserver-proxy#19, @ScheererJ)
[etcd-backup-restore]
⚠️ Breaking Changes
- [DEVELOPER] Added new package `membergarbagecollector` to remove superfluous members from the etcd cluster. Due to this, etcd-backup-restore now needs permissions to list `pods` and `statefulsets`. (gardener/etcd-backup-restore#403, @aaronfern)
🐛 Bug Fixes
- [OPERATOR] Temp fix: skip the single member restoration if data-dir found to be invalid. (gardener/etcd-backup-restore#501, @ishan16696)
- [OPERATOR] Fixed a bug in the Scaleup feature in func `IsMemberInCluster()` which could cause the Scaleup feature to fail. (gardener/etcd-backup-restore#501, @ishan16696)
🏃 Others
- [OPERATOR] Added new package `membergarbagecollector` to remove superfluous members from the etcd cluster. (gardener/etcd-backup-restore#403, @aaronfern)
- [OPERATOR] Fixed a bug where etcd calls related to multi-node operation were used in single-node operation (gardener/etcd-backup-restore#504, @aaronfern)
- [OPERATOR] Assigned the correct Peer address to the Etcd after it restores from backup-bucket. (gardener/etcd-backup-restore#505, @ishan16696)
- [OPERATOR] No attempt is made to update member Peer URL when trying to promote a member (gardener/etcd-backup-restore#506, @aaronfern)
📰 Noteworthy
- [OPERATOR] Published docker images for Etcd-Backup-Restore are now multi-arch ready. They support `linux/amd64` and `linux/arm64`. (gardener/etcd-backup-restore#499, @timuthy)
- [OPERATOR] The Etcd-Backup-Restore image has been updated to `Alpine 3.15.4`. (gardener/etcd-backup-restore#499, @timuthy)
- [OPERATOR] Etcd can now scale itself up from a single-member cluster to a multi-member cluster (gardener/etcd-backup-restore#487, @aaronfern)
[etcd-custom-image]
🏃 Others
- [OPERATOR] Published docker images for Etcd-Custom-Image are now multi-arch ready. They support linux/amd64 and linux/arm64. (gardener/etcd-custom-image#19, @timuthy)
[etcd-druid]
🏃 Others
- [OPERATOR] The livenessProbe of the etcd container has been updated to `ETCDCTL_API=3 etcdctl get foo --consistency=s`, making the read consistency `serializable` (the probe read is answered by the local member without a quorum round-trip, so a member that is merely cut off from the quorum is not killed by its own liveness probe). (gardener/etcd-druid#357, @ishan16696)
- [OPERATOR] failureThreshold has been updated to `5` for both the livenessProbe and the readinessProbe of etcd. (gardener/etcd-druid#357, @ishan16696)
- [OPERATOR] `etcd-druid` now uses `distroless` instead of `alpine` as a base image. (gardener/etcd-druid#360, @dimityrmirchev)
- [OPERATOR] `etcd-druid` will now also add statefulset permissions to the etcd role (gardener/etcd-druid#366, @aaronfern)
- [OPERATOR] Published docker images for Etcd-Druid are now multi-arch ready. They support `linux/amd64` and `linux/arm64`. (gardener/etcd-druid#367, @timuthy)
- [OPERATOR] Added a new condition `BackupReady` to the etcd status (gardener/etcd-druid#271, @aaronfern)
- [OPERATOR] Added pod permissions to the etcd role that now enable `etcd-backup-restore` to get/list/watch pods (gardener/etcd-druid#372, @aaronfern)
[hvpa-controller]
🏃 Others
- [USER] Fix an issue where the HVPA would set Requests higher than Limits if `ControlledValues: RequestsOnly` is set (gardener/hvpa-controller#98, @voelzmo)
- [OPERATOR] Published docker images for HVPA-Controller are now multi-arch ready. They support `linux/amd64` and `linux/arm64`. (gardener/hvpa-controller#101, @timuthy)
[vpn2]
📰 Noteworthy
- [OPERATOR] VPN shoot client can now be run with a privileged init container and a non-privileged runtime container (gardener/vpn2#12, @ScheererJ)
- [OPERATOR] vpn-seed-server and vpn-shoot-client container images now contain only a reduced set of binaries/libraries. (gardener/vpn2#14, @ScheererJ)
- [OPERATOR] Add missing sleep command to minimized container image. (gardener/vpn2#16, @ScheererJ)
- [OPERATOR] Switched openvpn topology to subnet and ensured that the chosen cipher is always selected. (gardener/vpn2#15, @ScheererJ)
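As an added illustration of the split described in the vpn-shoot item of the gardener section (gardener/gardener#6352) and in gardener/vpn2#12 above, a pod that applies kernel settings in a privileged init container and then runs the VPN client unprivileged. This is example code, not the actual vpn-shoot manifest shipped by Gardener; the image names, the sysctl key, the `/dev/net/tun` mount and the single capability the runtime container keeps are assumptions for illustration.

```yaml
# Added example, not the real vpn-shoot manifest. Demonstrates the pattern from the
# release notes: the privileged part runs once in an init container and exits; the
# long-running VPN client runs without privileged mode. Image names, the sysctl
# key, the tun device mount and the NET_ADMIN capability are assumptions.
apiVersion: v1
kind: Pod
metadata:
  name: vpn-shoot-example
  namespace: kube-system
spec:
  automountServiceAccountToken: false          # the VPN client needs no API access
  initContainers:
  - name: sysctl-setup
    image: example.invalid/vpn-shoot-client:dev  # placeholder image
    command: ["sh", "-ec", "sysctl -w net.ipv4.ip_forward=1"]   # assumed kernel setting
    securityContext:
      privileged: true                         # privileged only for this short-lived step
  containers:
  - name: vpn-shoot
    image: example.invalid/vpn-shoot-client:dev  # placeholder image
    securityContext:
      privileged: false                        # the long-running process is not privileged
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
        add: ["NET_ADMIN"]                     # assumed: needed for the tun device and routes
    volumeMounts:
    - name: dev-net-tun
      mountPath: /dev/net/tun                  # assumed: tun device instead of full /dev access
  volumes:
  - name: dev-net-tun
    hostPath:
      path: /dev/net/tun
      type: CharDevice
```

Two caveats a reviewer would raise. First, Pod Security admission evaluates `initContainers` as well, so this pod is still rejected by the `baseline` and `restricted` Pod Security Standards; the gain is at runtime (a compromise of the VPN process no longer lands in a privileged container), not in how admission classifies the pod. Second, `net.ipv4.ip_forward` is an "unsafe" sysctl that the kubelet only accepts through `spec.securityContext.sysctls` if it is listed in `--allowed-unsafe-sysctls`, which is why a privileged init step is the common fallback; where the kubelet allows it, the sysctl route removes the privileged container entirely.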
Docker Images
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.52.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.52.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.52.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.52.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.52.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.52.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.52.0