[gardener]
Action Required
- [USER] The Kibana service showing control plane logs per shoot cluster is no longer available. The logs are now available in the Grafana dashboard next to the monitoring. For more details, check this document. (#2515, @vlvasilev)
- [OPERATOR] The shoot reconciliation now creates `DNSOwner` objects in the seed cluster to manage the ownership of the DNS entries. You should run at least `v0.7.16` of the external-dns-management extension. (#2576, @swilen-iwanow)
- [OPERATOR] Gardener API Server has a new mandatory flag, `--cluster-identity`, for defining the desired cluster identity of the Garden cluster. In case Gardener is operated via the Helm charts, values for the identity of the clusters are also provided without defaults, meaning that they have to be filled in by the Gardener operators/admins. (#2471, @swilen-iwanow)
- [DEVELOPER] Extension developers that use the webhook framework with the `url` mode now have to explicitly specify the port as part of their supplied `--webhook-config-url` flag (earlier, the webhook server port was implicitly used). (#2665, @rfranzke)
- [DEVELOPER] The `local-garden`'s kube-apiserver cert has been updated to include `host.docker.internal` as an alternative DNS name, so clients running in Docker containers can successfully validate the TLS cert when talking to the local garden. If you have copied the `local-garden` kubeconfig somewhere else, please update your copy with the newly generated one. (#2641, @timebertt)
- [DEVELOPER] The contents of the `extensions/hack` folder have been merged into the `hack` folder. (#2623, @rfranzke)
Most notable changes
- [USER] It is now possible to configure the kube-apiserver's `--default-watch-cache-size` and `--watch-cache-sizes` flags via the Shoot API (`spec.kubernetes.kubeAPIServer.watchCacheSizes`). Please see this document for an example and consult the kube-apiserver command-line reference in case you plan on configuring it for your Shoot. (#2668, @timebertt)
- [USER] A new `uam` role was introduced for `Project`s (next to `owner`, `admin`, and `viewer`). Members with this role will be bound to the `uam` custom RBAC verb for the respective `Project`. Only users bound to this verb are now allowed to add/modify/remove human users or groups from the `.spec.members[]` list of the `Project`. Please find more information here. (#2611, @rfranzke)
- [USER] The already deprecated `dns.garden.sapcloud.io/provider`, `dns.garden.sapcloud.io/domain`, `shoot.garden.sapcloud.io/expirationTimestamp`, `shoot.garden.sapcloud.io/tasks`, `garden.sapcloud.io/createdBy`, `shoot.garden.sapcloud.io/sync-period`, and `shoot.garden.sapcloud.io/ignore` annotations and the `shoot.garden.sapcloud.io/status` label are now removed. (#2603, @ialidzhikov)
- [USER] When the `NodeLocalDNS` feature gate is enabled and a migration from IPTables to IPVS is performed, newer pods will be configured to use the node-local DNS while older pods will still use the non-cached CoreDNS server in the cluster. To enable older pods to use the node-local DNS, you have to restart them. (#2528, @zanetworker)
- [OPERATOR] The label used to list the internal-domain, default-domain and openvpn Secrets is now `gardener.cloud/role`. If you manually manage these Secrets (e.g. you are not using the controlplane chart), please make sure that they have the required label. (#2603, @ialidzhikov)
- [OPERATOR] The logging stack deployed by Gardener in the seed clusters now uses Loki and Grafana instead of Elasticsearch and Kibana. Once Gardener is updated to this version, the old logging solution will stop working, as each shoot will get the new solution with the next reconciliation. Note that old logs will not be preserved. For more details, check this document. (#2515, @vlvasilev)
- [OPERATOR] Clusters in the Gardener topology (Garden, Seed and Shoot) now have ConfigMaps deployed in the `kube-system` namespace that hold the cluster identity. Cluster identities for the Shoot and Seed are also visible in their `status.clusterIdentity` fields. (#2471, @swilen-iwanow)
- [DEVELOPER] A utility function that reconciles the shoot webhook configurations has been added to the generic `ControlPlane` actuator package. It is recommended for all extensions that have shoot webhooks to call this function before starting the control loops to ensure that the webhook configurations are updated in case the ports change. (#2663, @rfranzke)
- [DEVELOPER] A bug has been fixed that caused the `BackupEntry` deletion to get stuck indefinitely if the referenced secret does not exist. (#2659, @rfranzke)
- [DEVELOPER] You can now use the controller-runtime cache of our ClientSets (`kubernetes.Interface.Cache()`) to obtain informers for arbitrary API objects (via `GetInformer`/`GetInformerForKind`) to construct controllers. (#2581, @timebertt)
Improvements
- [USER] A bug has been fixed which prevented the server certificate of the shoot kube-apiservers that run on a seed with disabled shoot DNS from being generated correctly. (#2643, @rfranzke)
- [USER] A bug has been fixed that could lead to stuck shoot reconciliations in case the `.spec.provider.infrastructureConfig` was changed multiple times while another shoot reconciliation operation was still in progress. (#2619, @rfranzke)
- [USER] Users can now specify values for `systemReserved` and `kubeReserved` in the kubelet configuration as documented here: https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/ (#2574, @guydaichs)
- [USER] Add Grafana dashboard for VPA when the shoot VPA feature is enabled. (#2571, @wyb1)
- [OPERATOR] The leader election performed by the `gardener-resource-manager` deployments in shoot namespaces in the seed now happens less frequently to prevent overloading the seed's API server unnecessarily. (#2667, @rfranzke)
- [OPERATOR] The default webhook server port for `gardener-seed-admission-controller` and `vpa-admission-controller` has been changed to 10250. (#2660, @stoyanr)
- [OPERATOR] The `gardener-apiserver` Deployment now defines a liveness probe. (#2647, @ialidzhikov)
- [OPERATOR] It is now allowed to set an expiration date for the latest machine image version in the `CloudProfile`s. (#2640, @ialidzhikov)
- [OPERATOR] An issue causing the seed controller to delete VPA RBAC for ShootedSeeds is now fixed. (#2639, @ialidzhikov)
- [OPERATOR] The cached controller-runtime clients have been disabled for Shoot clients to decrease the gardenlet's memory footprint in case the `CachedRuntimeClients` feature gate is enabled. (#2637, @timebertt)
- [OPERATOR] The control plane migration task order has been rearranged to ensure the deletion of all objects. (#2636, @kris94)
- [OPERATOR] The Shoot care controller has been optimized to leverage the cached Seed client instead of talking directly to the API server. (#2635, @timebertt)
- [OPERATOR] `gardener-apiserver` now supports a field selector for `ControllerInstallation`s by `spec.registrationRef.name` and `spec.seedRef.name`. (#2634, @ialidzhikov)
- [OPERATOR] Fixes a bug in the maintenance controller that could lead to machine images not being updated if the Shoot has multiple worker pools. (#2630, @danielfoehrKn)
- [OPERATOR] During deletion of a Shoot, the `gardenlet` no longer redeploys the `Worker` extension resource, as this sometimes caused leaking resources that blocked the deletion of the Shoot's namespace. (#2626, @timebertt)
- [OPERATOR] Added machineclasses CRD for out-of-tree machine controllers. (#2625, @MartinWeindel)
- [OPERATOR] A bug has been fixed that could cause the gardener-controller-manager to panic if it tries to maintain a `Shoot` whose `.metadata.annotations` is `nil`. (#2617, @rfranzke)
- [OPERATOR] A bug was fixed that prevented the log collection for control plane components that belong to shoots whose purpose was changed from `testing` to something else, or for those that were woken up. (#2615, @rfranzke)
- [OPERATOR] Fixed a bug where `istiod` could not listen on `443` due to insufficient privileges. (#2613, @mvladev)
- [OPERATOR] An issue has been fixed which prevented no longer required ControllerInstallations from being deleted. As a side effect, it also blocked the deletion of Seed resources. (#2610, @timuthy)
- [OPERATOR] Gardener now validates the extension kinds configured in `.spec.resources[].kind` in ControllerRegistrations. (#2610, @timuthy)
- [OPERATOR] The gardenlet's `/healthz` endpoint has been improved to be more stable under certain circumstances like CPU throttling. (#2609, @timebertt)
- [OPERATOR] The VPA for shoots running in the seed is now correctly scaled down when the shoot is being hibernated. (#2606, @rfranzke)
- [OPERATOR] Fix a bug where the creation of a shoot with the ingress addon might fail because the workers had not been created yet. (#2599, @vpnachev)
- [OPERATOR] A bug has been fixed which caused the `cloud-config` secret in the Shoot to not get updated correctly after a change to the worker config in case the `CachedRuntimeClients` feature gate was activated. (#2591, @timebertt)
- [OPERATOR] A bug has been fixed which caused Seed clients not to be invalidated properly on Seed deletion. (#2587, @timebertt)
- [OPERATOR] An issue causing fluent-bit Pods to be restarted because of a new ConfigMap checksum when the `CachedRuntimeClients` feature gate is enabled is now fixed. (#2583, @vlvasilev)
- [OPERATOR] A bug has been fixed which caused the discovered Plant region to alternate between region and zone of the Nodes. (#2582, @timebertt)
- [OPERATOR] Wait until the MCM deployment is rolled out before proceeding with other reconciliation tasks. (#2579, @prashanth26)
- [OPERATOR] A bug was fixed that caused the machine image version to be overwritten in case a Shoot was updated with a specified image name but with an unspecified image version. (#2570, @timebertt)
- [OPERATOR] A bug has been fixed that caused newly created `BackupBuckets`/`BackupEntries` not to be reconciled by the `gardenlet` immediately when the `CachedRuntimeClients` feature gate was enabled. (#2568, @timebertt)
- [OPERATOR] The default QPS setting for Seed clients in the gardenlet has been increased to adapt to the actual amount of concurrent API calls. (#2567, @timebertt)
- [OPERATOR] The Shoot resource now allows configuring the following machine-controller parameters: DrainTimeout, HealthTimeout, CreationTimeout, MaxEvictRetries, NodeConditions. (#2563, @hardikdr)
- [OPERATOR] Fixed a bug that caused the tunnel secrets not to be deleted in case the used tunnel has changed. (#2562, @timebertt)
- [OPERATOR] Fix secret to backupBucket and backupEntry extension resource mapper. (#2560, @swapnilgm)
- [OPERATOR] Update Istio to `1.6.4`. Fix CVE-2020-8663 by setting `overload.global_downstream_max_connections` on the istio-ingress gateway. (#2556, @mvladev)
- [OPERATOR] Node-local DNS is now supported and can be enabled with the `NodeLocalDNS` feature gate in the gardenlet's component configuration. More information can be found in the documentation (https://github.com/gardener/gardener/blob/master/docs/usage/node-local-dns.md). (#2528, @zanetworker)
- [OPERATOR] Introduces a `RollingUpdate` condition in the generic worker actuator (`condition.TypeRollingUpdate`). Gardener provider extensions write this condition to the Worker CRD. (#2459, @danielfoehrKn)
- [OPERATOR] The generic worker actuator more reliably waits for rolling updates to finish: it waits until all updated machines have joined the cluster and until old machines are deleted. Also fixes a stale cache bug that led to not waiting for the rolling update to complete. (#2459, @danielfoehrKn)
- [OPERATOR] The generic worker actuator detects and restarts 'stuck' machine controller manager pods. (#2459, @danielfoehrKn)
- [OPERATOR] If automatic cross-provider scheduling is desired, it is now possible to specify a new seed selector field `providers` for a cloud profile to enable scheduling on seeds running on different providers. It is observed if the scheduling method `Selector` has been chosen, which is now the new default. (#2169, @mandelsoft)
- [DEVELOPER] Extension developers who want to use different ports for their provider extension webhook server and the corresponding service port can now specify the service port with the new `--webhook-config-service-port` command line flag. If it's not present, the service port defaults to the webhook server port (i.e., the old behaviour is preserved). (#2665, @rfranzke)
- [DEVELOPER] The version information in Docker images has been updated to correctly display `version.major` without the `v` prefix and `version.gitTreeState` as `clean`. (#2608, @timebertt)
- [DEVELOPER] It is now possible to add a `values-test.yaml` file to Helm charts to specify default values for chart checks, which will be merged into the default `values.yaml` when running `hack/check-charts.sh`. This is useful in case charts have a `{{ required ... }}` statement but don't specify default values in `values.yaml`. (#2584, @timebertt)
- [DEVELOPER] The Nodeless Development Environment also works on Windows, using WSL2 and Docker for Windows. (#2578, @guydaichs)
- [DEVELOPER] Adds Migrator/Restorer interfaces to the botanist shoot components (#2511, @plkokanov)
- [DEVELOPER] Added GEP-12 for dynamic OIDC webhook authenticator. (#2481, @mvladev)
[autoscaler]
Improvements
- [OPERATOR] Add topology.kubernetes.io labels to be ignored when comparing similar node groups. (gardener/autoscaler#50, @hardikdr)
- [OPERATOR] Prepended `v` in the version. (gardener/autoscaler#42, @hardikdr)
[gardener-resource-manager]
Most notable changes
- [OPERATOR] It is now possible to specify the leader election settings via the following command line parameters: `--leader-election-lease-duration` (default: `15s`), `--leader-election-renew-deadline` (default: `10s`), `--leader-election-retry-period` (default: `2s`). (gardener/gardener-resource-manager#72, @rfranzke)
- [DEVELOPER] Resources annotated with `resources.gardener.cloud/delete-on-invalid-update=true` will now be deleted in case the Gardener Resource Manager fails to update them and receives a `422 Unprocessable Entity` error. This error is usually sent by the Kubernetes API server in case its static validation fails. (gardener/gardener-resource-manager#69, @rfranzke)
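The three leader election durations above are not independent: the lease must outlive the renew deadline, and the renew deadline must leave room for at least one jittered retry, otherwise the controller either never acquires leadership or flaps. Setting them too aggressively is also what overloads a seed's API server (see the `gardener-resource-manager` item under Improvements), while setting them too loosely delays failover. The following is an added example, not code from gardener-resource-manager or client-go: it parses the three flag values as Go durations and applies the ordering constraints that client-go's leader election enforces when a leader elector is constructed (`leaseDuration > renewDeadline` and `renewDeadline > retryPeriod * 1.2`); the constant name and helper names are this example's own.

```go
package main

import (
	"fmt"
	"time"
)

// JitterFactor is the factor client-go applies to the retry period; the
// renew deadline must exceed retryPeriod * JitterFactor.
const JitterFactor = 1.2

// LeaderElectionSettings holds the durations behind the three
// --leader-election-* flags of gardener-resource-manager.
type LeaderElectionSettings struct {
	LeaseDuration time.Duration
	RenewDeadline time.Duration
	RetryPeriod   time.Duration
}

// ParseLeaderElectionFlags parses the raw flag values (Go duration syntax,
// e.g. "15s") and validates the resulting settings. A parse error or a
// constraint violation is returned as a non-nil error.
func ParseLeaderElectionFlags(lease, renew, retry string) (LeaderElectionSettings, error) {
	var s LeaderElectionSettings
	var err error
	if s.LeaseDuration, err = time.ParseDuration(lease); err != nil {
		return s, fmt.Errorf("--leader-election-lease-duration: %w", err)
	}
	if s.RenewDeadline, err = time.ParseDuration(renew); err != nil {
		return s, fmt.Errorf("--leader-election-renew-deadline: %w", err)
	}
	if s.RetryPeriod, err = time.ParseDuration(retry); err != nil {
		return s, fmt.Errorf("--leader-election-retry-period: %w", err)
	}
	return s, s.Validate()
}

// Validate applies the ordering constraints client-go's leader election
// requires: all durations positive, leaseDuration > renewDeadline, and
// renewDeadline > retryPeriod * JitterFactor.
func (s LeaderElectionSettings) Validate() error {
	if s.LeaseDuration <= 0 || s.RenewDeadline <= 0 || s.RetryPeriod <= 0 {
		return fmt.Errorf("all leader election durations must be greater than zero")
	}
	if s.LeaseDuration <= s.RenewDeadline {
		return fmt.Errorf("leaseDuration (%s) must be greater than renewDeadline (%s)",
			s.LeaseDuration, s.RenewDeadline)
	}
	minRenew := time.Duration(JitterFactor * float64(s.RetryPeriod))
	if s.RenewDeadline <= minRenew {
		return fmt.Errorf("renewDeadline (%s) must be greater than retryPeriod*%.1f (%s)",
			s.RenewDeadline, JitterFactor, minRenew)
	}
	return nil
}

func main() {
	// The defaults stated in the release notes pass validation.
	s, err := ParseLeaderElectionFlags("15s", "10s", "2s")
	fmt.Println(s, err)

	// A misconfiguration: the renew deadline is longer than the lease, so
	// the elector could never renew in time.
	_, err = ParseLeaderElectionFlags("10s", "15s", "2s")
	fmt.Println(err)
}
```

Run it before rolling out non-default values; a configuration rejected here would be rejected by the component at startup as well, which in a seed means a resource manager that never becomes leader.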
Docker Images
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.8.0
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.8.0
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.8.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.8.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.8.0