github gardener/gardener v1.71.0

latest releases: v1.72.0, v1.71.3, v1.71.2...
14 days ago


⚠️ Breaking Changes

  • [USER] Since Namespaces are no longer deleted (and forcefully finalized after some grace period), the annotation does no longer have any effect. Relevant Kubernetes resources are still cleaned up (see this document) for more information. (gardener/gardener#7864, @rfranzke)
  • [USER] Using internal API versions in providerConfig fields is no longer permitted (deprecated since more than 2y). Ensure that you always use a versioned API. (gardener/gardener#7868, @rfranzke)
  • [USER] As of Kubernetes v1.27, Gardener enforces a worker.maximum configuration for system component worker pools. The value must be greater or equal to the number of zones configured for this pool. This ensures, that the pool has the minimum required nodes to schedule system component across nodes. (gardener/gardener#7878, @timuthy)
  • [USER] The static token kubeconfig can no longer be enabled for Shoot clusters using Kubernetes version 1.27 and higher. (gardener/gardener#7883, @ary1992)
  • [USER] For Shoot clusters using Kubernetes version 1.27 and higher, the .spec.kubernetes.kubeControllerManager.podEvictionTimeout field has no effect anymore since the backing --pod-eviction-timeout CLI flag has been removed. (gardener/gardener#7883, @ary1992)
  • [USER] ⚠️ The deprecated field .spec.kubernetes.kubeAPIServer.enableBasicAuthentication has been removed from the Shoot API. Please check your Shoots manifests and remove the .spec.kubernetes.kubeAPIServer.enableBasicAuthentication field. (gardener/gardener#7886, @dimitar-kostadinov)
  • [USER] Gardener denies setting Shoot.Spec.ControlPlane.HighAvailability.FailureTolerance.Type if shoot is hibernated. (gardener/gardener#7894, @aaronfern)
  • [OPERATOR] All fluent-bit-related configuration options have been removed from gardenlet's component configuration. (gardener/gardener#7568, @Kristian-ZH)
  • [OPERATOR] The FullNetworkPoliciesInRuntimeCluster feature gate has been promoted to beta and is now turned on by default. Before deploying this Gardener version, make sure that all your registered extensions support this feature gate. (gardener/gardener#7866, @rfranzke)
  • [OPERATOR] The HAControlPlanes feature gate has been promoted to beta and is now turned on by default. (gardener/gardener#7867, @timuthy)
  • [OPERATOR] The deprecated allow-{to,from}-shoot-apiserver NetworkPolicys have been dropped. Ensure that all registered extensions have been adapted. (gardener/gardener#7868, @rfranzke)
  • [OPERATOR] The deprecated identity value is no longer passed when ControllerInstallation Helm charts are deployed. (gardener/gardener#7868, @rfranzke)
  • [OPERATOR] The lastUpdateTime of extension conditions is no longer considered. Ensure that all registered extensions populate the lastHeartbeatTime field instead. (gardener/gardener#7868, @rfranzke)
  • [DEVELOPER] The pkg/operation/botanist/component/* resources have been moved to pkg/component/*. (gardener/gardener#7938, @rfranzke)
  • [DEVELOPER] gardenlet will no longer respect ConfigMaps labeled with The way to deploy a new filter or parser configuration is to create ClusterFilters or ClusterParsers custom resources in the seed cluster. (gardener/gardener#7568, @Kristian-ZH)
  • [DEVELOPER] Extensions vendoring this gardener/gardener version need to provide RBAC privileges for PATCH apps/depoyments/scale. (gardener/gardener#7868, @rfranzke)
  • [DEPENDENCY] Extensions that wish to be scraped by the seed-prometheus must annotate their pods with along with<name>. See for more details. (gardener/gardener#7885, @shafeeqes)

✨ New Features

  • [USER] It is possible now to create a workerless shoot cluster when the WorkerlessShoots feature gate in the gardener-apiserver is enabled. Please see this document for more details. (gardener/gardener#7882, @shafeeqes)
  • [OPERATOR] fluent-operator is now installed in the garden namespace of seed clusters and will take care of the entire lifecycle of the fluent-bit DaemonSet. (gardener/gardener#7568, @Kristian-ZH)
  • [OPERATOR] The gardener-operator now enables full NetworkPolicy protection for the garden cluster. In case your garden cluster is a seed at the same time, make sure to keep the values of the FullNetworkPoliciesInRuntimeCluster feature gate in sync for both gardener-operator and gardenlet. (gardener/gardener#7859, @rfranzke)
  • [OPERATOR] gardenlet and gardener-operator managed deployments and statefulsets can now be equipped with toleration seconds for taints and (gardener/gardener#7861, @timuthy)
  • [OPERATOR] The gardenlet and gardener-operator Helm charts allow to define toleration seconds for and This configuration considered for their own Deployment as well as the Gardenlet's or Operator's config. The values are set to 60s by default. (gardener/gardener#7861, @timuthy)
  • [OPERATOR] An optional field workerlessSupported is added under spec.resources in the ControllerRegistration API. (gardener/gardener#7863, @ary1992)
  • [OPERATOR] gardener-operator is now managing the gardener-resource-manager instance as part of the virtual garden cluster control plane. It provides a TokenRequest API-based kubeconfig for gardener-operator to access the virtual garden cluster. The static token kubeconfig is now unconditionally disabled. (gardener/gardener#7881, @oliver-goetz)
  • [OPERATOR] It is now possible to provide namespace selectors for additional namespaces which should be covered by the NetworkPolicy controllers of gardener-operator or gardenlet. The selectors must be provided via their component configs. Please consult this document for further insights. (gardener/gardener#7929, @rfranzke)
  • [OPERATOR] gardener-operator is now managing the kube-controller-manager instance as part of the virtual garden cluster control plane. (gardener/gardener#7931, @rfranzke)
  • [DEVELOPER] In order to allow kube-apiserver pods of shoot or garden clusters to reach webhook servers, they must no longer be explicitly labeled with<service-name>-<protocol>-<port>=allowed. Instead, it is enough to annotate the Service of the webhook server with<ports>. (gardener/gardener#7907, @rfranzke)
  • [DEPENDENCY] To support workerless Shoots, extensions reconciling resources need to make adaptions if needed and then set spec.resources[].workerlessSupported to true in the ControllerRegistration for their respective extension type. (gardener/gardener#7863, @ary1992)

🐛 Bug Fixes

  • [USER] An issue has been fixed which might have caused the deletion of Shoot clusters to stuck when a namespace was forcefully removed before all relevant resources have been cleaned up. (gardener/gardener#7864, @rfranzke)
  • [USER] A bug has been fixed which could cause kube-proxys from being missing after a Shoot has been woken up from hibernation. (gardener/gardener#7912, @rfranzke)
  • [OPERATOR] An issue causing VPN Seed (CPU| Memory) Usage dashboards not showing data is now fixed. (gardener/gardener#7865, @Sallyan)
  • [OPERATOR] A bug has been fixed which prevented components using the annotation from being reached from internal IP addresses when the cluster was using Cilium as CNI. (gardener/gardener#7884, @ScheererJ)
  • [OPERATOR] A bug which was causing race conditions to occur during reconciliation of extension resources was fixed. (gardener/gardener#7906, @dimityrmirchev)
  • [OPERATOR] An issue causing panic in the health check for extension, when the health check result is empty, is fixed. (gardener/gardener#7908, @acumino)
  • [OPERATOR] An issue has been fixed that caused traffic from outside of the cluster to Istio-Ingress being blocked. This is only relevant if seed(s) specify additional load balancer annotations via seed.spec.settings.loadBalancerServices.annotations. (gardener/gardener#7910, @timuthy)

📖 Documentation

🏃 Others

  • [USER] The --node-monitor-grace-period flag of kube-controller-manager is now defaulted to 40s for Shoot clusters using Kubernetes version 1.27 and higher. (gardener/gardener#7883, @ary1992)
  • [USER] The following images are updated: (gardener/gardener#7897, @himanshu-kun)
    • v1.21.5 -> v1.21.6 (for Kubernetes 1.21)
    • v1.22.5 -> v1.22.6 (for Kubernetes 1.22)
    • v1.23.3 -> v1.23.4 (for Kubernetes 1.23)
    • v1.24.2 -> v1.24.3 (for Kubernetes 1.24)
    • v1.25.2 -> v1.25.3 (for Kubernetes 1.24)
    • v1.26.1 -> v1.26.2 (for Kubernetes 1.26)
  • [OPERATOR] Default log level in fluent-bit is changed from info to error (gardener/gardener#7942, @nickytd)
  • [OPERATOR] Grafana and Loki are replaced with the fork of their last Apache 2.0 licensed releases: Plutono and Vali, that will continue to receive security updates. (gardener/gardener#7318, @istvanballok)
  • [OPERATOR] The following image is updated: (gardener/gardener#7892, @rickardsjp)
    • v2.41.0 -> v2.43.1
  • [OPERATOR] nginx-ingress-controller-seed image is updated to v1.7.1 for 1.24.x+ seeds. (gardener/gardener#7904, @shafeeqes)
  • [OPERATOR] Allow the kubelet configuration to define swap behaviour {LimitedSwap / UnlimitedSwap} for k8s >= 1.22 (gardener/gardener#7913, @danielfoehrKn)
  • [OPERATOR] Updated cluster-proportional-autoscaler to v1.8.8 (gardener/gardener#7927, @ScheererJ)
  • [OPERATOR] The gardenlet and the gardener-operator will now use the new annotation when enabling topology-aware routing for a Service when the Kubernetes version of the runtime cluster is >= 1.27. In Kubernetes 1.27, the annotation is deprecated in favor of the newly introduced (gardener/gardener#7933, @ialidzhikov)
  • [DEVELOPER] The check-apidiff check was changed to only report incompatible and critical changes which need inspection from the developer's side. (gardener/gardener#7936, @timuthy)
  • [DEVELOPER] The and annotations are now deprecated and will be removed in the future. Use<pod-label-selector>-allowed-ports=<ports> instead. (gardener/gardener#7907, @rfranzke)
  • [DEPENDENCY] Shoot addon nginx-ingress-controller image is updated to v1.3.0 for v1.22+ shoots. (gardener/gardener#7932, @shafeeqes)


🏃 Others

📰 Noteworthy


✨ New Features


🏃 Others


🏃 Others

Docker Images


Don't miss a new gardener release

NewReleases is sending notifications on new releases.