[gardener]
Action Required
- [OPERATOR] With this version of Gardener, a validation for supported container runtimes (CR) and container runtime interfaces (CRI) per machine image version has been introduced. To prevent disruptions for creation and update of shoot clusters using non-default CR and CRI, the CloudProfiles need to be enhanced with the list of supported CR and CRI per machine image version. An example can be found here (#2137, @vpnachev)
Most notable changes
- [USER] Gardener now checks if referenced DNS provider secrets (.spec.dns.providers[*].secretName) exist in the project namespace during shoot creation and update requests. Requests will be denied if the referenced secret is not available. (#2761, @timuthy)
- [USER] The experimental Kyma addon has been removed from Gardener, i.e., setting the experimental.addons.shoot.gardener.cloud/kyma annotation has no effect anymore. Existing Kyma installations will remain deployed/untouched. (#2701, @rfranzke)
- [OPERATOR] A new controller for Events related to Shoot objects has been added to the Gardener Controller Manager (disabled by default). It can be used to extend the lifespan of events regarding shoot clusters (the lifespan of all other events can be configured separately). Please find more information in this document. (#2649, @BeckerMax)
Improvements
- [USER] Documentation for the Shoot status has been added. (#2765, @ialidzhikov)
- [USER] An issue that prevented regular project admins from managing non-human users has been resolved. (#2763, @rfranzke)
- [USER] An issue causing Shoot reconciliation to fail at Maintain shoot annotations with optimistic lock error message is now mitigated. (#2746, @ialidzhikov)
- [USER] The number of concurrent controller syncs of the kube-controller-manager of Shoot clusters has been increased to allow faster processing of events. (#2740, @rfranzke)
- [USER] When the VPA for shoots is disabled then the CustomResourceDefinitions are no longer deleted (they will remain in the system, together with all the VerticalPodAutoscaler objects - if you don't need them anymore you can remove them with kubectl delete crd <crd-names>). (#2715, @rfranzke)
- [USER] A bug showing 403 Forbidden responses when creating new Projects has been fixed. (#2699, @rfranzke)
- [OPERATOR] The gardenlet now reports leader election events to the Seed cluster instead of the Garden cluster. (#2772, @timebertt)
- [OPERATOR] The generic worker actuator now also reports failed machines from the corresponding machine deployment in case the shoot cluster is being hibernated. Earlier scale down issues during hibernation were not reported to users, e.g. if something was wrong with the configured cloud provider account and thus the machine deletion was denied. (#2759, @timuthy)
- [OPERATOR] The shoot task annotation is now updated as soon as the respective task has completed successfully to prevent recurring executions in case the whole shoot reconciliation flow fails. (#2757, @rfranzke)
- [OPERATOR] The kube-scheduler is now auto-restarted in the shoot maintenance time window, similar to other controllers. (#2756, @rfranzke)
- [OPERATOR] A bug has been fixed that caused the REST Mapper to rediscover the available API resources very often. (#2752, @timebertt)
- [OPERATOR] Deploy logging stack earlier in the reconciliation flow. (#2750, @Kristian-ZH)
- [OPERATOR] The explicit terminationGracePeriodSeconds configuration of the Gardener components has been removed. (#2749, @rfranzke)
- [OPERATOR] Konnectivity tunnel proxy agent and server are now on version v0.0.12 (#2748, @zanetworker)
- [OPERATOR] Add monitoring for API Server Watches (#2743, @wyb1)
- [OPERATOR] Remove the gardener-seed-admission MutatingWebhookConfiguration and the mutating pod functionality of the seed-admission-controller (#2735, @vlvasilev)
- [OPERATOR] Kubernetes dependencies are now updated to v0.17.11. (#2728, @ialidzhikov)
- [OPERATOR] The gardener-apiserver Deployment now defines a readiness probe. (#2728, @ialidzhikov)
- [OPERATOR] The resource requests for the fluent-bit DaemonSet running in the seed clusters have been increased. (#2723, @vpnachev)
- [OPERATOR] An issue has been fixed which caused the Gardenlet to exit ungracefully during the shoot reconciliation. (#2708, @timuthy)
- [OPERATOR] The error code mapping has been extended to categorize certain common issues upfront and furnish them with error codes. (#2702, @rfranzke)
- [OPERATOR] The gardenlet now spreads Shoot health checks to avoid running into rate limits directly after startup. (#2700, @timebertt)
- [OPERATOR] Control plane health checks have been added for VPA components of shoot clusters. These are executed regularly as soon as the shoot uses the Vertical-Pod-Autoscaling feature (https://github.com/gardener/gardener/blob/master/docs/usage/shoot_autoscaling.md#vertical-pod-auto-scaling). (#2698, @timuthy)
- [OPERATOR] The VPA components in the seed are now vertically auto-scaled as well. (#2696, @rfranzke)
- [OPERATOR] A bug has been fixed that might have caused a 24h absence of the VPA for shooted seeds. (#2695, @rfranzke)
- [OPERATOR] Entries with empty data are no longer added to the ShootState. (#2694, @plkokanov)
- [OPERATOR] A bug in the OpenAPI specification exposed by the Gardener API server has been fixed. (#2682, @rfranzke)
- [OPERATOR] A bug has been fixed which could cause a nil pointer exception in case the v1.8 Gardenlet tries to delete a shoot that wasn't reconciled yet. (#2681, @rfranzke)
- [OPERATOR] Objects into which controllerinstallations and extensions are retrieved during reconciliation by the ControllerInstallation controller and ShootState Sync controller are now created for each reconciliation, instead of the same object being reused multiple times per resource kind. (#2679, @plkokanov)
- [OPERATOR] An issue has been fixed which caused the Gardenlet to exit ungracefully due to the missing shoot cluster identity in the .status. (#2678, @timuthy)
- [OPERATOR] An issue has been fixed which prevented the bootstrapping of new seed clusters. (#2676, @timuthy)
- [OPERATOR] The fluent-bit DaemonSet now tolerates the taint node-role.kubernetes.io/master with effect NoSchedule. (#2671, @einfachnuralex)
- [OPERATOR] ControllerInstallations are no longer created for ControllerRegistrations that are in deletion. (#2612, @vpnachev)
- [OPERATOR] Every machine image version in the CloudProfile can now specify a list of supported container runtime interfaces and container runtimes. (#2137, @vpnachev)
- [DEVELOPER] The kube-apiserver used for the local garden development now properly forwards the client information to the gardener-apiserver. (#2764, @rfranzke)
[gardener-resource-manager]
Most notable changes
- [DEVELOPER] The new resources.gardener.cloud/keep-object annotation can be used on resources managed by ManagedResource objects in order to keep them in the system in case they get removed from the ManagedResource or the ManagedResource itself is being deleted. (gardener/gardener-resource-manager#73, @rfranzke)
[hvpa-controller]
Most notable changes
- [DEVELOPER] Check if OOMKilled pod has latest resource values before overriding stabilisation (gardener/hvpa-controller#78, @ggaurav10)
- [DEVELOPER] Consider hpa scale out limited if hpa is not deployed (gardener/hvpa-controller#77, @ggaurav10)
[logging]
Improvements
- [OPERATOR] Add Timeout, MaxBackoff and MinBackoff wait settings to the fluent-bit-to-loki output plugin. (gardener/logging#60, @vlvasilev)
- [OPERATOR] logs routing depends on the cluster resources in the seed (gardener/logging#59, @vlvasilev)
Docker Images
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.9.0
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.9.0
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.9.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.9.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.9.0