github gardener/gardener v1.58.0

2 years ago

[gardener]

⚠️ Breaking Changes

  • [USER] Shoots with failure tolerance type node can only be scheduled on seeds whose .spec.highAvailability is set (!= nil). (gardener/gardener#6833, @oliver-goetz)
  • [OPERATOR] HAControlPlanes feature flag is removed from gardener-scheduler. (gardener/gardener#6833, @oliver-goetz)
  • [OPERATOR] Remove DNSProvider from supported extension kinds. (gardener/gardener#6840, @MartinWeindel)
  • [DEPENDENCY] Health checks performed by the healthcheck library no longer update the extensions resources' status.conditions[].LastUpdateTime on each reconciliation. Instead, a new heartbeat controller was added to the extensions library that will renew a dedicated Lease resource named gardener-extensions-heartbeat every 30 seconds by default. Extension controllers have to enable this controller as the gardener-extensions-heartbeat Lease will be used when gardenlet checks whether the extension resources' conditions are stale or not. gardenlet expects to find this Lease inside the namespace where the extension controller is installed by the corresponding ControllerInstallation. (gardener/gardener#6626, @plkokanov)

✨ New Features

  • [USER] The kubelets running on shoot worker nodes are now requesting server certificates via the CertificateSigningRequest API. They have the default validity of 30d and are auto-rotated when 80% of their lifetime expires. (gardener/gardener#6784, @rfranzke)
  • [USER] It is now possible to configure the seccompDefault field for the kubelet configuration in the Shoot API via .spec.{provider.workers[]}.kubernetes.kubelet.seccompDefault. This configuration is only available for k8s version >= 1.25 and it is not turned on by default. (gardener/gardener#6741, @AleksandarSavchev)
  • [OPERATOR] Short names for machine (mc), machineclass (mcc), machinedeployment (mcd), and machineset (mcs) resources are now added. (gardener/gardener#6787, @rishabh-11)
  • [OPERATOR] log-level, log-format and verbosity of gardener-apiserver can now be configured. (gardener/gardener#6817, @oliver-goetz)
  • [OPERATOR] It is now possible to disable the PodSecurityPolicy admission plugin; please make sure you have updated the extensions to a version which supports this change. (gardener/gardener#6700, @shafeeqes)
  • [OPERATOR] log-level and log-format of gardener-resource-manager can now be configured. (gardener/gardener#6830, @oliver-goetz)
  • [OPERATOR] log-level and log-format of gardener-seed-admission-controller can now be configured. (gardener/gardener#6831, @oliver-goetz)
  • [OPERATOR] High availability for seed system components can be defined by specifying spec.highAvailability.failureTolerance.type. (gardener/gardener#6723, @unmarshall)
    • Additional validation is added which checks the value of the seed label seed.gardener.cloud/multi-zonal, which was not validated before. The allowed values are: an empty string or a valid boolean value (true | false).
  • [OPERATOR] Gardenlet can now be deployed with multiple replicas and a failureToleranceType of either node or zone. This is supported by the gardenlet Helm chart as well as through deployment options in managedseed objects. The replica spread is implemented via TopologySpreadConstraints. (gardener/gardener#6750, @timuthy)
  • [OPERATOR] The ManagedResource health status for objects on the seed cluster is now updated immediately on health status changes (switched from periodic checks to proper watching). (gardener/gardener#6770, @timebertt)
  • [OPERATOR] Updated machine CRD, allowing the display of node name and providerID (using the -owide flag) when listing machines in the control plane of the shoot. (gardener/gardener#6779, @rishabh-11)
  • [OPERATOR] Gardenlet will not start in case the seed configuration is incorrect, i.e. if the node, pod or service network specified in the Seed resource does not match the actual cluster. (gardener/gardener#6782, @ScheererJ)
  • [DEVELOPER] The local setup has been improved to support tests for HA scenarios (single-zone with node failure tolerance and multi-zone with zone failure tolerance). (gardener/gardener#6719, @seshachalam-yv)
  • [DEVELOPER] ConditionBuilder interface is extended by a WithClock(...) function. (gardener/gardener#6729, @oliver-goetz)
    • ...WithClock(...) condition helper functions are introduced.
    • WithNowFunc(...) function is removed from ConditionBuilder interface.

🐛 Bug Fixes

  • [USER] Shoot worker definitions are now validated using .spec.kubernetes.kubelet when .spec.provider.workers[].kubernetes.kubelet is not specified. (gardener/gardener#6741, @AleksandarSavchev)
  • [OPERATOR] The broken preStop hook from Gardener API Server deployment has been removed. (gardener/gardener#6793, @vpnachev)
  • [OPERATOR] An issue causing the gardener-shoot-controlplane PriorityClass to be deleted too early when there are still Deployments (vpn-seed-server) that reference it is now mitigated. (gardener/gardener#6799, @ialidzhikov)
  • [OPERATOR] The gardenlet is no longer put under time pressure during its start-up procedure by preventing its liveness probe from falsely failing. (gardener/gardener#6808, @rfranzke)
  • [OPERATOR] kube-scheduler and cluster-autoscaler Pods now run with the appropriate priority set according to the following document. Previously these Pods were running without a priority class set and were preempted in favour of less important Pods. (gardener/gardener#6838, @ialidzhikov)
  • [OPERATOR] Remove /scale subresource from etcd CRD. (gardener/gardener#6850, @shreyas-s-rao)
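The seccompDefault setting above is worth seeing in context, since the worker-level and shoot-level paths interact: when a worker pool sets no kubelet config of its own, the shoot-wide .spec.kubernetes.kubelet is what gets validated and applied. The following Shoot fragment is an added example, not taken from the release or the Gardener repository; the field paths come from the notes above, while the shoot name, provider type, worker names and Kubernetes patch version are constructed placeholders. It shows the weak default (seccompDefault unset, so containers without an explicit seccomp profile run unconfined) next to the hardened form that enables the RuntimeDefault profile for every pool and, for one pool, overrides it back off.

```yaml
# Added example, not part of the gardener v1.58.0 release. Names and versions
# are constructed placeholders; the field paths are the ones the release notes
# document for .spec.kubernetes.kubelet and .spec.provider.workers[].kubernetes.kubelet.
---
# Weak setting: seccompDefault is not set anywhere, so kubelet keeps its own
# default and pods without a securityContext.seccompProfile run unconfined.
apiVersion: core.gardener.cloud/v1beta1
kind: Shoot
metadata:
  name: example-shoot-unconfined   # placeholder
  namespace: garden-example        # placeholder
spec:
  kubernetes:
    version: "1.25.3"              # placeholder; seccompDefault needs >= 1.25
  provider:
    type: local                    # placeholder provider type
    workers:
      - name: pool-a
        minimum: 1
        maximum: 3
---
# Hardened setting: RuntimeDefault is the shoot-wide default. pool-a inherits it
# (no worker-level kubelet block, so .spec.kubernetes.kubelet is validated and
# used); pool-legacy opts out explicitly for workloads that still break under
# the runtime's default profile, which keeps the exception visible in one place.
apiVersion: core.gardener.cloud/v1beta1
kind: Shoot
metadata:
  name: example-shoot-hardened     # placeholder
  namespace: garden-example        # placeholder
spec:
  kubernetes:
    version: "1.25.3"              # placeholder; seccompDefault needs >= 1.25
    kubelet:
      seccompDefault: true
  provider:
    type: local                    # placeholder provider type
    workers:
      - name: pool-a               # inherits seccompDefault: true
        minimum: 1
        maximum: 3
      - name: pool-legacy          # explicit override for this pool only
        minimum: 1
        maximum: 1
        kubernetes:
          kubelet:
            seccompDefault: false
```

A quick check after applying the hardened manifest is to inspect a fresh pod on pool-a: a container started without its own seccompProfile should show RuntimeDefault in the node's container runtime, while the same pod on pool-legacy stays unconfined.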

📖 Documentation

🏃 Others

  • [OPERATOR] The following image is updated: (gardener/gardener#6790, @ialidzhikov)
    • grafana/grafana: 7.5.16 -> 7.5.17
  • [OPERATOR] The following image is updated: (gardener/gardener#6820, @Kristian-ZH)
    • quay.io/brancz/kube-rbac-proxy: v0.13.0 -> v0.13.1
  • [OPERATOR] The following image is updated: (gardener/gardener#6824, @rickardsjp)
    • quay.io/prometheus/prometheus: v2.38.0 -> v2.39.1
  • [OPERATOR] kubernetes.io/arch label can now be used for scaling the worker pools from 0 based on CPU architecture. (gardener/gardener#6825, @acumino)
  • [OPERATOR] Deploy network policies to namespace istio-system to only allow traffic to configured endpoints inside the cluster and the seed api-server. (gardener/gardener#6826, @axel7born)
  • [OPERATOR] The gardener.cloud/purpose: kube-system label is now added to the kube-system namespace by the gardenlet's Seed controller. (gardener/gardener#6829, @bd3lage)
  • [OPERATOR] The following image is updated: (gardener/gardener#6828, @ialidzhikov)
    • eu.gcr.io/gardener-project/gardener/apiserver-proxy-pod-webhook: v0.6.0 -> v0.7.0
  • [OPERATOR] Latency metrics of the attach subresource are not considered for the KubeApiServerLatency alert and API Server / Request Latency dashboard panel. (gardener/gardener#6844, @istvanballok)
  • [OPERATOR] The ShootBinding admission plugin is removed in favour of the existing ShootValidator plugin. All the checks are moved to the latter. (gardener/gardener#6727, @shafeeqes)
  • [OPERATOR] When gardenlet checks the conditions of extension resources as part of the shoot health check, it checks if the gardener-extensions-heartbeat Lease maintained by the extension controllers has been renewed within the ShootCare controller's staleExtensionHealthChecks.thresholds[] settings and sets the corresponding Shoot condition to Unknown if that is not the case. If the Lease is not found, the status.conditions[].LastUpdateTime of the extension resource is checked as well for backwards compatibility. (gardener/gardener#6626, @plkokanov)
  • [OPERATOR] Deploy network policies to namespace istio-ingress to only allow egress traffic to configured endpoints inside the cluster. (gardener/gardener#6765, @axel7born)
  • [OPERATOR] Replace vpa-exporter with kube-state-metrics. (gardener/gardener#6771, @istvanballok)
    • The vpa-exporter is no longer used in Gardener.
    • The kube-state-metrics component is exposing the VPA related metrics.
  • [DEVELOPER] Go is updated to 1.19.2 (gardener/gardener#6789, @oliver-goetz)
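The heartbeat change described in the breaking-changes section and in the gardenlet item above replaces per-reconcile timestamp bumps with a Lease that the extension renews every 30 seconds, and gardenlet treats a stale Lease as a reason to mark the Shoot condition Unknown. The decision logic is small enough to show end to end. The program below is an added example written for this page, not gardener's own implementation: it uses stdlib-only stand-in structs for the Lease and for an extension's status.conditions[] entry (assumption: real code would use the k8s.io/api types and a client lookup), and it encodes the rule exactly as the notes state it, including the fallback to conditions[].LastUpdateTime when the Lease does not exist. The sample Lease and conditions are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// heartbeatLeaseName is the Lease name the release notes document.
const heartbeatLeaseName = "gardener-extensions-heartbeat"

// Lease is a constructed stand-in for the fields of a coordination.k8s.io/v1
// Lease that matter here (assumption: real code uses the k8s.io/api type).
type Lease struct {
	Name      string
	Namespace string
	RenewTime *time.Time // spec.renewTime, bumped by the extension's heartbeat controller
}

// Condition is a constructed stand-in for one status.conditions[] entry of an
// extension resource; only LastUpdateTime matters for the staleness check.
type Condition struct {
	Type           string
	Status         string // "True", "False" or "Unknown"
	LastUpdateTime time.Time
}

// lastHeartbeat returns the newest evidence that the extension controller is
// alive: the Lease's renewTime if the Lease exists, otherwise the newest
// LastUpdateTime across the conditions (the backwards-compatibility path).
func lastHeartbeat(lease *Lease, conditions []Condition) (time.Time, bool) {
	if lease != nil && lease.RenewTime != nil {
		return *lease.RenewTime, true
	}
	var latest time.Time
	found := false
	for _, c := range conditions {
		if !found || c.LastUpdateTime.After(latest) {
			latest = c.LastUpdateTime
			found = true
		}
	}
	return latest, found
}

// ExtensionConditionStatus applies the rule from the notes: if the heartbeat is
// older than the configured staleExtensionHealthChecks threshold (or there is
// no heartbeat at all), the Shoot condition becomes "Unknown"; otherwise the
// status the extension itself reported is passed through. The second return
// value is a human-readable reason suitable for a condition message.
func ExtensionConditionStatus(lease *Lease, conditions []Condition, reported string, now time.Time, threshold time.Duration) (string, string) {
	hb, ok := lastHeartbeat(lease, conditions)
	if !ok {
		return "Unknown", "no " + heartbeatLeaseName + " Lease and no condition timestamps found"
	}
	if age := now.Sub(hb); age > threshold {
		return "Unknown", fmt.Sprintf("extension heartbeat is %s old, threshold is %s", age.Round(time.Second), threshold)
	}
	return reported, "extension heartbeat is fresh"
}

func main() {
	// Constructed sample data: a 5 minute threshold, one fresh and one stale Lease.
	now := time.Date(2022, 10, 20, 12, 0, 0, 0, time.UTC)
	threshold := 5 * time.Minute
	fresh := now.Add(-20 * time.Second)
	stale := now.Add(-10 * time.Minute)

	for _, l := range []*Lease{
		{Name: heartbeatLeaseName, Namespace: "extension-example", RenewTime: &fresh},
		{Name: heartbeatLeaseName, Namespace: "extension-example", RenewTime: &stale},
		nil, // Lease missing: fall back to conditions[].LastUpdateTime
	} {
		conds := []Condition{{Type: "ControlPlaneHealthy", Status: "True", LastUpdateTime: stale}}
		status, reason := ExtensionConditionStatus(l, conds, "True", now, threshold)
		fmt.Printf("status=%-8s reason=%s\n", status, reason)
	}
}
```

The important operational consequence is the one the breaking-change note spells out: an extension that has not enabled the heartbeat controller never creates the Lease, so gardenlet falls back to the condition timestamps, which the healthcheck library no longer bumps; once those age past the threshold every Shoot using that extension flips to Unknown even though the extension is running.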

[hvpa-controller]

🏃 Others

[logging]

🏃 Others

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.58.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.58.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.58.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.58.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.58.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.58.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.58.0
