github gardener/gardener v1.8.0

[gardener]

Action Required

  • [USER] The Kibana service showing control plane logs per shoot cluster is no longer available. The logs are now available in the Grafana dashboard next to the monitoring. For more details, check this document. (#2515, @vlvasilev)
  • [OPERATOR] The shoot reconciliation now creates DNSOwner objects in the seed cluster to manage the ownership of the DNS entries. You should run at least v0.7.16 of the external-dns-management extension. (#2576, @swilen-iwanow)
  • [OPERATOR] The Gardener API Server has a new mandatory flag, --cluster-identity, that defines the desired cluster identity of the Garden cluster. If Gardener is operated via the Helm charts, the chart values for the identities of the clusters are also provided without default values, meaning that they must be filled in by the Gardener operators/admins. (#2471, @swilen-iwanow)
  • [DEVELOPER] Extension developers that use the webhook framework with the url mode now have to explicitly specify the port as part of their supplied --webhook-config-url flag (earlier, the webhook server port was implicitly used). (#2665, @rfranzke)
  • [DEVELOPER] The local-garden's kube-apiserver cert has been updated to include host.docker.internal as an alternative DNS Name, so clients running in docker containers can successfully validate the TLS cert when talking to the local garden. If you have copied the local-garden kubeconfig to somewhere else, please update your copy with the newly generated one. (#2641, @timebertt)
  • [DEVELOPER] The contents of the extensions/hack folder have been merged into the hack folder. (#2623, @rfranzke)

Most notable changes

  • [USER] It is now possible to configure the kube-apiserver's --default-watch-cache-size and --watch-cache-sizes flags via the Shoot API (spec.kubernetes.kubeAPIServer.watchCacheSizes). Please see this document for an example and consult the kube-apiserver command-line reference in case you plan on configuring it for your Shoot. (#2668, @timebertt)
  • [USER] A new uam role was introduced for Projects (next to owner, admin, and viewer). Members with this role will be bound to the uam custom RBAC verb for the respective Project. Only users bound to this verb are now allowed to add/modify/remove human users or groups from the .spec.members[] list of the Project. Please find more information here. (#2611, @rfranzke)
  • [USER] The already deprecated dns.garden.sapcloud.io/provider, dns.garden.sapcloud.io/domain, shoot.garden.sapcloud.io/expirationTimestamp, shoot.garden.sapcloud.io/tasks, garden.sapcloud.io/createdBy, shoot.garden.sapcloud.io/sync-period, shoot.garden.sapcloud.io/ignore annotations and the shoot.garden.sapcloud.io/status label have now been removed. (#2603, @ialidzhikov)
  • [USER] When the NodeLocalDNS feature gate is enabled and a migration from IPTables to IPVS is performed, newly created pods will be configured to use the node-local DNS while older pods will still use the non-cached CoreDNS server in the cluster. To make older pods use the node-local DNS, you have to restart them. (#2528, @zanetworker)
  • [OPERATOR] The label used to list the internal-domain, default-domain and openvpn Secrets is now gardener.cloud/role. If you manually manage these Secrets (e.g., you are not using the controlplane chart), please make sure that they have the required label. (#2603, @ialidzhikov)
  • [OPERATOR] The logging stack deployed by Gardener in the seed clusters is now using Loki and Grafana instead of Elasticsearch and Kibana. Once Gardener is updated to this version, the old logging solution will stop working as each shoot will get the new solution with the next reconciliation. Note that old logs will not be preserved. For more details, check this document. (#2515, @vlvasilev)
  • [OPERATOR] Clusters in the Gardener topology (Garden, Seed and Shoot) now have ConfigMaps deployed in the kube-system namespace that hold the cluster identity. Cluster identities for the Shoot and Seed are also visible in their status.clusterIdentity fields. (#2471, @swilen-iwanow)
  • [DEVELOPER] A utility function that reconciles the shoot webhook configurations has been added to the generic ControlPlane actuator package. It is recommended for all extensions that have shoot webhooks to call this function before starting the control loops to ensure that the webhook configurations are updated in case the ports change. (#2663, @rfranzke)
  • [DEVELOPER] A bug has been fixed that caused the BackupEntry deletion to get stuck indefinitely if the referenced secret does not exist. (#2659, @rfranzke)
  • [DEVELOPER] You can now use the controller-runtime cache of our ClientSets (kubernetes.Interface.Cache()) to obtain informers for arbitrary API objects (via GetInformer/GetInformerForKind) to construct controllers. (#2581, @timebertt)

Improvements

  • [USER] A bug has been fixed which prevented the server certificate of the shoot kube-apiservers that run on a seed with disabled shoot DNS from being generated correctly. (#2643, @rfranzke)
  • [USER] A bug has been fixed that could lead to stuck shoot reconciliations in case the .spec.provider.infrastructureConfig was changed multiple times while another shoot reconciliation operation was still in progress. (#2619, @rfranzke)
  • [USER] Users can now specify values for systemReserved and kubeReserved in the kubelet configuration as documented here: https://kubernetes.io/docs/tasks/administer-cluster/reserve-compute-resources/ (#2574, @guydaichs)
  • [USER] A Grafana dashboard for the VPA is now added when the shoot VPA feature is enabled. (#2571, @wyb1)
  • [OPERATOR] The leader election performed by the gardener-resource-manager deployments in shoot namespaces in the seed is now happening less frequently to prevent overloading the seed's API server unnecessarily. (#2667, @rfranzke)
  • [OPERATOR] The default webhook server port for gardener-seed-admission-controller and vpa-admission-controller is now changed to 10250. (#2660, @stoyanr)
  • [OPERATOR] The gardener-apiserver Deployment now defines a liveness probe. (#2647, @ialidzhikov)
  • [OPERATOR] It is now allowed to set an expiration date for the latest machine image version in the CloudProfiles. (#2640, @ialidzhikov)
  • [OPERATOR] An issue causing the seed controller to delete VPA RBAC for ShootedSeed is now fixed. (#2639, @ialidzhikov)
  • [OPERATOR] The cached controller-runtime clients have been disabled for Shoot clients to decrease the gardenlet's memory footprint in case the CachedRuntimeClients feature gate is enabled. (#2637, @timebertt)
  • [OPERATOR] The control plane migration task order is rearranged to ensure the deletion of all objects. (#2636, @kris94)
  • [OPERATOR] The Shoot care controller has been optimized to leverage the cached Seed client instead of talking directly to the API server. (#2635, @timebertt)
  • [OPERATOR] gardener-apiserver now supports field selectors for ControllerInstallations on spec.registrationRef.name and spec.seedRef.name. (#2634, @ialidzhikov)
  • [OPERATOR] Fixed a bug in the maintenance controller that could lead to machine images not being updated if the Shoot has multiple worker pools. (#2630, @danielfoehrKn)
  • [OPERATOR] During deletion of a Shoot, the gardenlet does not redeploy the Worker extension resource anymore, as this sometimes caused leaking resources that blocked the deletion of the Shoot's namespace. (#2626, @timebertt)
  • [OPERATOR] Added the machineclasses CRD for out-of-tree machine controllers. (#2625, @MartinWeindel)
  • [OPERATOR] A bug has been fixed that could cause the gardener-controller-manager to panic if it tries to maintain a Shoot whose .metadata.annotations=nil. (#2617, @rfranzke)
  • [OPERATOR] A bug was fixed that prevented the log collection for control plane components that belong to shoots whose purpose was changed from testing to something else or for those that were woken up. (#2615, @rfranzke)
  • [OPERATOR] Fixed a bug where istiod cannot listen on 443 due to insufficient privileges. (#2613, @mvladev)
  • [OPERATOR] An issue has been fixed which prevented not required ControllerInstallations from being deleted. As a side effect, it also blocked the deletion of Seed resources. (#2610, @timuthy)
  • [OPERATOR] Gardener now validates the extension kinds configured in .spec.resources[].kind in ControllerRegistrations. (#2610, @timuthy)
  • [OPERATOR] The gardenlet's /healthz endpoint has been improved to be more stable under certain circumstances like CPU throttling. (#2609, @timebertt)
  • [OPERATOR] The VPA for shoots running in the seed is now correctly scaled down when the shoot is being hibernated. (#2606, @rfranzke)
  • [OPERATOR] Fixed a bug where the creation of a shoot with the ingress addon could fail because the workers had not yet been created. (#2599, @vpnachev)
  • [OPERATOR] A bug has been fixed which caused the cloud-config secret in the Shoot not to be updated correctly after a change to the worker config when the CachedRuntimeClients feature gate was activated. (#2591, @timebertt)
  • [OPERATOR] A bug has been fixed, which caused Seed clients not to be invalidated properly on Seed deletion. (#2587, @timebertt)
  • [OPERATOR] An issue causing fluent-bit Pods to be restarted because of a new ConfigMap checksum when the CachedRuntimeClients feature gate is enabled, is now fixed. (#2583, @vlvasilev)
  • [OPERATOR] A bug has been fixed, which caused the discovered Plant region to alternate between region and zone of the Nodes. (#2582, @timebertt)
  • [OPERATOR] Wait until MCM deployment is rolled out before proceeding with other reconciliation tasks. (#2579, @prashanth26)
  • [OPERATOR] A bug was fixed that caused the machine image version to be overwritten in case a Shoot was updated with a specified image name but with an unspecified image version. (#2570, @timebertt)
  • [OPERATOR] A bug has been fixed which caused newly created BackupBuckets/BackupEntries not to be reconciled by the gardenlet immediately when the CachedRuntimeClients feature gate was enabled. (#2568, @timebertt)
  • [OPERATOR] The default QPS setting for Seed clients in the gardenlet has been increased to adapt to the actual number of concurrent API calls. (#2567, @timebertt)
  • [OPERATOR] The Shoot resource now allows configuring the following machine-controller parameters: DrainTimeout, HealthTimeout, CreationTimeout, MaxEvictRetries, NodeConditions. (#2563, @hardikdr)
  • [OPERATOR] Fixed a bug that caused the tunnel secrets not to be deleted in case the used tunnel has changed. (#2562, @timebertt)
  • [OPERATOR] Fixed the mapper from Secrets to BackupBucket and BackupEntry extension resources. (#2560, @swapnilgm)
  • [OPERATOR] Updated Istio to 1.6.4. CVE-2020-8663 is fixed by setting overload.global_downstream_max_connections on the istio-ingress gateway. (#2556, @mvladev)
  • [OPERATOR] Node-local DNS is now supported and can be enabled with the NodeLocalDNS feature gate in the gardenlet's component configuration. More information can be found in the documentation (https://github.com/gardener/gardener/blob/master/docs/usage/node-local-dns.md). (#2528, @zanetworker)
  • [OPERATOR] Introduces a RollingUpdate condition in the generic worker actuator (condition.Type RollingUpdate). Gardener provider extensions write this condition to the Worker CRD. (#2459, @danielfoehrKn)
  • [OPERATOR] The generic worker actuator now waits more reliably for rolling updates to finish: it waits until all updated machines have joined the cluster and until the old machines are deleted. This also fixes a stale cache bug that led to not waiting for the rolling update to complete. (#2459, @danielfoehrKn)
  • [OPERATOR] The generic worker actuator detects and restarts 'stuck' machine controller manager pods. (#2459, @danielfoehrKn)
  • [OPERATOR] If automatic cross-provider scheduling is desired, it is now possible to specify a new seed selector field providers in a cloud profile to enable scheduling on seeds running on different providers. (#2169, @mandelsoft)
    • This field is only considered if the scheduling method Selector has been chosen, which is now the default.
  • [DEVELOPER] Extension developers who want to use different ports for their provider extension webhook server and the corresponding service can now specify the service port with the new --webhook-config-service-port command line flag. If it is not present, the service port defaults to the webhook server port (i.e., the old behaviour is preserved). (#2665, @rfranzke)
  • [DEVELOPER] The version information in docker images has been updated to correctly display version.major without the v-Prefix and version.gitTreeState as clean. (#2608, @timebertt)
  • [DEVELOPER] It is now possible to add a values-test.yaml file to Helm charts to specify default values for chart checks, which will be merged into the default values.yaml when running hack/check-charts.sh. This is useful when charts have a {{ required ... }} statement but don't specify default values in values.yaml. (#2584, @timebertt)
  • [DEVELOPER] The Nodeless Development Environment now also works on Windows, using WSL2 and Docker for Windows. (#2578, @guydaichs)
  • [DEVELOPER] Added Migrator/Restorer interfaces to the botanist shoot components. (#2511, @plkokanov)
  • [DEVELOPER] Added GEP-12 for dynamic OIDC webhook authenticator. (#2481, @mvladev)

[autoscaler]

Improvements

[gardener-resource-manager]

Most notable changes

  • [OPERATOR] It is now possible to specify the leader election settings via the following command line parameters: --leader-election-lease-duration (default: 15s), --leader-election-renew-deadline (default: 10s), --leader-election-retry-period (default: 2s). (gardener/gardener-resource-manager#72, @rfranzke)
  • [DEVELOPER] Resources annotated with resources.gardener.cloud/delete-on-invalid-update=true will now be deleted in case the Gardener-Resource-Manager fails to update them and receives a 422 Unprocessable Entity error. This error is usually sent by the Kubernetes API server in case its static validation fails. (gardener/gardener-resource-manager#69, @rfranzke)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.8.0
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.8.0
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.8.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.8.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.8.0