Kubernetes-native system managing the full lifecycle of conformant Kubernetes clusters as a service on Alicloud, AWS, Azure, GCP, OpenStack, vSphere, KubeVirt, Hetzner, EquinixMetal, MetalStack, and OnMetal with minimal TCO.
OTHER License
Published by gardener-robot-ci-1 almost 2 years ago
Shoots whose domains were not unique in the system. (gardener/gardener#7135, @gardener-ci-robot)
BackupEntry to become ready. The issue could occur if the gardenlet configuration specifies controllers.backupEntry.deletionGracePeriodHours larger than 0 and the Shoot's control plane is migrated twice within that timeframe. (gardener/gardener#7127, @gardener-ci-robot)
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.60.3
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.60.3
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.60.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.60.3
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.60.3
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.60.3
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.60.3
Published by gardener-robot-ci-1 almost 2 years ago
Shoots whose domains were not unique in the system. (gardener/gardener#7136, @gardener-ci-robot)
gardener-operator image is now successfully built and pushed with this release. With the 1.61.0 release the gardener-operator image was not built and pushed by the CI/CD.
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.61.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.61.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.61.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.61.1
operator: eu.gcr.io/gardener-project/gardener/operator:v1.61.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.61.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.61.1
Published by gardener-robot-ci-3 almost 2 years ago
Shoots whose domains were not unique in the system. (gardener/gardener#7090, @gardener-ci-robot)
gardenlet is scraped again by seed-prometheus. (gardener/gardener#6984, @timebertt)
TokenRequest API. (gardener/gardener#6995, @gardener-ci-robot)
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.58.3
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.58.3
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.58.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.58.3
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.58.3
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.58.3
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.58.3
Published by gardener-robot-ci-2 almost 2 years ago
token field. The token can be still fetched from the kubeconfig that is present in the kubeconfig field. (gardener/gardener#6987, @dimitar-kostadinov)
SeedKubeScheduler feature gate is now removed. Before upgrading to this version, if you had the SeedKubeScheduler feature enabled, make sure to disable it and to run gardenlet to properly clean up any deployed resources related to the feature. Starting this version of Gardener, the feature gate and all related functionality is removed. Instead, use the bin-packing scheduling profile. (gardener/gardener#7052, @ialidzhikov)
managedSeed.spec.seedTemplate has been removed from the ManagedSeed API. Please check your ManagedSeeds and ManagedSeedSets and remove any usage (switch to spec.gardenlet.config) before upgrading to this Gardener version. (gardener/gardener#6972, @timuthy)
kube-apiserver is now verifying the server certificates presented by kubelets. (gardener/gardener#7047, @rfranzke)
gardener-operator does now also manage hvpa-controller (if HVPA feature gate is enabled) and etcd-druid. (gardener/gardener#7048, @rfranzke)
ResourceReferenceManager admission plugin in the gardener-apiserver now validates the BackupBuckets and BackupEntries for their resource references. Also, the deletion of BackupBucket is rejected if there are existing BackupEntries referencing it. (gardener/gardener#7065, @shafeeqes)
gardener-operator component responsible for reconciling the new Garden CRD. Read more about it here. (gardener/gardener#7009, @rfranzke)
Shoots whose domains were not unique in the system. (gardener/gardener#7086, @rfranzke)
nginx-ingress-controller now runs with 2 replicas to make it compatible with its pod disruption budget. (gardener/gardener#7042, @oliver-goetz)
Pending state when scheduled on seed clusters with multiple zones. (gardener/gardener#7061, @timuthy)
BackupEntry to become ready. The issue could occur if the gardenlet configuration specifies controllers.backupEntry.deletionGracePeriodHours larger than 0 and the Shoot's control plane is migrated twice within that timeframe. (gardener/gardener#7126, @plkokanov)
net.ipv4.conf.{all,default}.forwarding = 1. (gardener/gardener#7046, @timebertt)
gardener-seed-admission-controller binary has been dropped from the code. Its logic has been merged into gardener-resource-manager. (gardener/gardener#7053, @rfranzke)
Etcd resources in all cases. Previously they were only configured for the etcd-main Etcd resource when the corresponding StatefulSet was deployed with 1 replica. (gardener/gardener#6988, @plkokanov)
EtcdCopyBackupsTask waits until a final snapshot of the ETCD backups is made before copying backups from the source Seed to the destination Seed during control plane migration to 5 minutes. (gardener/gardener#7018, @plkokanov)
garden.sapcloud.io/role was finally removed from all Gardener components and from the API constants. (gardener/gardener#7036, @timuthy)
probeEtcd func() to use shorter timeout. (gardener/etcd-backup-restore#532, @ishan16696)
Etcd-custom-image will now retry fetching etcd configuration in case of any error (gardener/etcd-custom-image#26, @aaronfern)
PodDisruptionBudgets have been removed. Already existing PodDisruptionBudget objects cannot be adopted anymore (gardener/etcd-druid#430, @aaronfern)
CronJobs created by etcd-druid:v0.6.0 has been removed. Please deploy a lower version of etcd-druid before upgrading if you still have any leftover CronJobs or manually delete them (gardener/etcd-druid#430, @aaronfern)
druid.gardener.cloud/ignore-reconciliation on the ETCD CR will stop etcd-druid from reconciling it. (gardener/etcd-druid#446, @abdasgupta)
BackupReady condition to show Unknown when the cluster is newly created. (gardener/etcd-druid#469, @timuthy)
gardener.cloud/scaled-to-multi-node annotation is added (gardener/etcd-druid#455, @aaronfern)
minAvailable configuration being calculated for multi-node etcd PodDisruptionBudget. (gardener/etcd-druid#441, @timuthy)
policy/v1 for PodDisruptionBudgets for kubernetes >= 1.21. However, for kubernetes < 1.21, PodDisruptionBudgets will still default to policy/v1beta1 (gardener/etcd-druid#430, @aaronfern)
1.18.6 (gardener/etcd-druid#431, @aaronfern)
v3.4.13-bootstrap-8 (gardener/etcd-druid#432, @aaronfern)
etcd.Spec.Etcd.clientService (gardener/etcd-druid#438, @aaronfern)
BackupReady condition is not considered anymore when the PodDisruptionBudget configuration is calculated. This earlier blocked rolling out fixes that potentially solved problems with backup procedures. (gardener/etcd-druid#441, @timuthy)
BackupReady condition to take into account statefulset being scaled down and the backup section not being defined (gardener/etcd-druid#415, @aaronfern)
1.19.3. (gardener/logging#160, @dimityrmirchev)
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.61.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.61.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.61.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.61.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.61.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.61.0
Published by gardener-robot-ci-2 almost 2 years ago
Shoots whose domains were not unique in the system. (gardener/gardener#7091, @gardener-ci-robot)
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.60.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.60.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.60.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.60.2
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.60.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.60.2
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.60.2
Published by gardener-robot-ci-3 almost 2 years ago
Shoots whose domains were not unique in the system. (gardener/gardener#7092, @gardener-ci-robot)
TokenRequest API. (gardener/gardener#6994, @gardener-ci-robot)
gardenlet is scraped again by seed-prometheus. (gardener/gardener#6981, @gardener-ci-robot)
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.59.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.59.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.59.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.59.2
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.59.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.59.2
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.59.2
Published by gardener-robot-ci-3 almost 2 years ago
Pending state when scheduled on seed clusters with multiple zones. (gardener/gardener#7063, @gardener-ci-robot)
nginx-ingress-controller now runs with 2 replicas to make it compatible with its pod disruption budget. (gardener/gardener#7058, @gardener-ci-robot)
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.60.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.60.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.60.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.60.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.60.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.60.1
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.60.1
Published by gardener-robot-ci-3 almost 2 years ago
alpha.control-plane.shoot.gardener.cloud/high-availability has been deprecated and is not respected anymore. We ask you to check your automation and to remove any usage of this annotation. (gardener/gardener#6998, @timuthy)
.spec.highAvailability field has been removed from the Seed API. Instead, operators now MUST ensure to enter the names of all availability zones the seed worker nodes run in .spec.zones (ideally, before upgrading to this Gardener version). (gardener/gardener#6960, @rfranzke)
failureToleranceType field has been removed from .spec.gardenlet.deployment in the seedmanagement.gardener.cloud/v1alpha1.ManagedSeed API. (gardener/gardener#6967, @rfranzke)
managedSeed.spec.seedTemplate has been deprecated and will be removed very soon in a future release of Gardener. Please adapt your ManagedSeedSet or ManagedSeed objects and transfer any seed configuration to managedSeed.spec.gardenlet.config (see example example/55-managedseed-gardenlet.yaml). (gardener/gardener#7006, @timuthy)
docs/usage/managed_seed.md for more information).
DNSRecords is no longer required by extension controllers (other than DNSRecords) and should be removed where applicable. (gardener/gardener#6973, @plkokanov)
kubeconfig of the local kind cluster has changed from example/gardener-local/kind/kubeconfig to example/gardener-local/kind/local/kubeconfig. (gardener/gardener#6976, @rfranzke)
node-local-dns. (gardener/gardener#6942, @axel7born)
gardener-resource-manager serves a new high-availability-config webhook for automatically mutating the HA-related configuration of Deployments and StatefulSets. Please refer to this and this document. (gardener/gardener#6967, @rfranzke)
Deployments or StatefulSets deployed by extensions in seed or shoot clusters can now benefit from the new high-availability-config webhook for automatically mutating the HA-related configuration of these resources. Please refer to this document. (gardener/gardener#6967, @rfranzke)
CertificateSigningRequests created by kubelets for their server certificates are now also auto-approved when their Node object contains addresses of type InternalDNS, ExternalDNS, or ExternalIP. (gardener/gardener#6958, @rfranzke)
Shoot on deletion because their Namespaces in the seed cluster were not cleaned up properly. It only affected clusters created prior gardener/[email protected]. (gardener/gardener#6964, @rfranzke)
TokenRequest API. (gardener/gardener#6977, @vpnachev)
gardenlet is scraped again by seed-prometheus. (gardener/gardener#6979, @timebertt)
systemd-journald and does not rely on a directory existence check. (gardener/gardener#6980, @vlvasilev)
kube-apiserver was deleted during shoot deletion flow even though there were still shoot managed resources present. (gardener/gardener#7008, @dimityrmirchev)
Shoot{C,S}ARotation feature gates are now removed. (gardener/gardener#6930, @rfranzke)
DisableDNSProviderManagement feature gate is now removed. (gardener/gardener#6959, @rfranzke)
DNSRecord at the start of their reconciliations. (gardener/gardener#6973, @plkokanov)
gardenlet pods from coming up in case the podtopologyspreadconstraints webhook served by gardener-resource-manager is unavailable or broken. (gardener/gardener#7015, @plkokanov)
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.60.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.60.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.60.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.60.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.60.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.60.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.60.0
Published by gardener-robot-ci-3 almost 2 years ago
CertificateSigningRequests created by kubelets for their server certificates are now also auto-approved when their Node object contains addresses of type InternalDNS, ExternalDNS, or ExternalIP. (gardener/gardener#6963, @gardener-ci-robot)
Shoot on deletion because their Namespaces in the seed cluster were not cleaned up properly. It only affected clusters created prior gardener/[email protected]. (gardener/gardener#6966, @gardener-ci-robot)
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.59.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.59.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.59.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.59.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.59.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.59.1
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.59.1
Published by gardener-robot-ci-3 almost 2 years ago
CertificateSigningRequests created by kubelets for their server certificates are now also auto-approved when their Node object contains addresses of type InternalDNS, ExternalDNS, or ExternalIP. (gardener/gardener#6962, @gardener-ci-robot)
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.58.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.58.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.58.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.58.2
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.58.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.58.2
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.58.2
Published by gardener-robot-ci-2 almost 2 years ago
.spec.highAvailability field in the Seed is deprecated and no longer respected. It will be removed in a future release. The seed.gardener.cloud/multi-zonal label is removed and no longer respected. Instead, the Seed API now has .spec.provider.zones. Operators should enter the names of all availability zones the seed worker nodes run in. (gardener/gardener#6914, @rfranzke)
HAControlPlanes feature gate is added to gardener-apiserver and removed from gardenlet. (gardener/gardener#6915, @oliver-goetz)
gardenlet Helm chart are no longer put below .global.gardenlet. For example, before this PR the replica count was controlled via the global.gardenlet.replicaCount value while it's now controlled via replicaCount directly. Please adapt your values files accordingly. (gardener/gardener#6876, @rfranzke)
validate-namespace-deletion ValidatingWebhookConfiguration is renamed to gardener-admission-controller. You might need to cleanup the existing validate-namespace-deletion ValidatingWebhookConfiguration. (gardener/gardener#6894, @AleksandarSavchev)
gardener-shoot-controlplane PriorityClass is now deleted by gardenlet. Before updating to this version of Gardener, make sure that there are no extensions or external components still using this PriorityClass. Refer to this documentation to find out which PriorityClass should be used instead. (gardener/gardener#6899, @ialidzhikov)
gardener-resource-manager component has been reworked entirely. It now uses a component config instead of CLI flags. Also, its Helm chart has been reworked entirely. (gardener/gardener#6865, @rfranzke)
protectKernelDefaults field for the kubelet configuration in the Shoot API via .spec.{provider.workers[]}.kubernetes.kubelet.protectKernelDefaults. This will be unset by default for shoots with k8s version < 1.26 and will be defaulted to true for shoots with k8s version >= 1.26 once Gardener releases support for these versions. (gardener/gardener#6919, @dimityrmirchev)
streamingConnectionIdleTimeout field for the kubelet configuration in the Shoot API via .spec.{provider.workers[]}.kubernetes.kubelet.streamingConnectionIdleTimeout. This is implicitly defaulted to 4h for shoots with k8s version < 1.26 and will be defaulted to 5m for shoots with k8s version >= 1.26 once Gardener releases support for these versions. (gardener/gardener#6937, @dimityrmirchev)
containerLogMaxSize and containerLogMaxFiles are now supported in the corresponding Shoot resource. Those properties manage rotation policy of the container logs. Under heavy load the default values may result in frequent log rotations. (gardener/gardener#6702, @nickytd)
HAControlPlanes feature gate controls if it is possible to create shoots with a HighAvailability configuration in the landscape. (gardener/gardener#6915, @oliver-goetz)
provider-local can now be configured. (gardener/gardener#6875, @oliver-goetz)
extensions/pkg/util.{DetermineError,DetermineErrorCodes} functions for conveniently handling errors with codes. (gardener/gardener#6912, @acumino)
gardener-extensions-controller package includes CLI parameter for --log-level and --log-format now. (gardener/gardener#6875, @oliver-goetz)
gardenlet pods from coming up in case the seccomp-profile webhook served by gardener-resource-manager is unavailable or broken. (gardener/gardener#6953, @dimityrmirchev)
KubeApiServerTooManyAuditlogFailures alert is now fixed to fire also when the audit plugins buffered and truncate are failing to process an audit event. (gardener/gardener#6871, @vpnachev)
nginx-ingress-controller installed via the shoot's nginx-ingress addon to fail to start when cluster-wide seccomp defaulting is enabled is now fixed. (gardener/gardener#6895, @dimityrmirchev)
ServiceAccount token signing key has been improved. (gardener/gardener#6943, @rfranzke)
kube-controller-manager for shoots that have Kubernetes version >= 1.19. (gardener/gardener#6922, @dimityrmirchev)
Shoots are getting reconciled successfully or deleted in case they still have either the etcd-encryption-secret or service-account-key secrets in their namespaces in the seed cluster. (gardener/gardener#6929, @rfranzke)
DNSProvider from supported extension kinds until v1.60.0 or later. (gardener/gardener#6951, @MartinWeindel)
ManagedResources related to seed system components are now labeled with gardener.cloud/role=system-component. (gardener/gardener#6836, @rfranzke)
gardenlet now waits for all managed resources referring the shoot to be deleted before continuing with the deletion of the shoot's kube-apiserver during shoot deletion or controlplane migration. (gardener/gardener#6853, @dimityrmirchev)
ApiserverRequestsFailureRate for API Server failure rate. (gardener/gardener#6736, @cathyzhang05)
gardenlet no longer tries to delete Ingress resources for a Seed via the extensions/v1beta1 API (no longer served as of K8s 1.22). As Gardener supports only Seed clusters with K8s >= 1.20, it is enough to delete the Ingress resources via the networking.k8s.io/v1 API (available since v1.19). (gardener/gardener#6866, @ialidzhikov)
Kubernetes Control Plane Status dashboard has been updated to show correct values for kube-controller-manager and kube-scheduler once they are deployed with multiple replicas for HA shoots. (gardener/gardener#6874, @timuthy)
golangci to v1.50.1. (gardener/gardener#6916, @oliver-goetz)
1.19.3 (gardener/gardener#6941, @oliver-goetz)
bazel is no longer used for builds and tests. As alternative a Makefile with equivalent targets is now provided. (gardener/apiserver-proxy#25, @ialidzhikov)
apiserver-proxy-pod-webhook to wrongly remove the grpc field from livenessProbes, readinessProbes and startupProbes when defaulting a Pod is now fixed. (gardener/apiserver-proxy#24, @ialidzhikov)
1.19.2. (gardener/apiserver-proxy#22, @ialidzhikov)
Published by gardener-robot-ci-2 almost 2 years ago
KubeApiServerTooManyAuditlogFailures alert is now fixed to fire also when the audit plugins buffered and truncate are failing to process an audit event. (gardener/gardener#6886, @gardener-ci-robot)
ServiceAccount token signing key has been improved. (gardener/gardener#6945, @gardener-ci-robot)
DNSProvider from supported extension kinds until v1.60.0 or later. (gardener/gardener#6952, @gardener-ci-robot)
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.58.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.58.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.58.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.58.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.58.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.58.1
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.58.1
Published by gardener-robot-ci-3 almost 2 years ago
KubeApiServerTooManyAuditlogFailures alert is now fixed to fire also when the audit plugins buffered and truncate are failing to process an audit event. (gardener/gardener#6887, @gardener-ci-robot)
ServiceAccount token signing key has been improved. (gardener/gardener#6946, @gardener-ci-robot)
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.57.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.57.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.57.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.57.2
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.57.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.57.2
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.57.2
Published by gardener-robot-ci-3 almost 2 years ago
KubeApiServerTooManyAuditlogFailures alert is now fixed to fire also when the audit plugins buffered and truncate are failing to process an audit event. (gardener/gardener#6888, @gardener-ci-robot)
preStop hook from Gardener API Server deployment have been removed. (gardener/gardener#6796, @gardener-ci-robot)
ServiceAccount token signing key has been improved. (gardener/gardener#6947, @rfranzke)
minAvailable configuration being calculated for multi-node etcd PodDisruptionBudget. (gardener/etcd-backup-restore#441, @timuthy)
BackupReady condition is not considered anymore when the PodDisruptionBudget configuration is calculated. This earlier blocked rolling out fixes that potentially solved problems with backup procedures. (gardener/etcd-backup-restore#441, @timuthy)
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.56.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.56.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.56.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.56.2
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.56.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.56.2
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.56.2
Published by gardener-robot-ci-2 about 2 years ago
node can be scheduled on seeds with .spec.highAvailability != nil only. (gardener/gardener#6833, @oliver-goetz)
HAControlPlanes feature flag is removed from gardener-scheduler. (gardener/gardener#6833, @oliver-goetz)
DNSProvider from supported extension kinds. (gardener/gardener#6840, @MartinWeindel)
healthcheck library no longer update the extensions resources' status.conditions[].LastUpdateTime on each reconciliation. Instead, a new heartbeat controller was added to the extensions library that will renew a dedicated Lease resource named gardener-extensions-heartbeat every 30 seconds by default. Extension controllers have to enable this controller as the gardener-extensions-heartbeat Lease will be used when gardenlet checks whether the extension resources' conditions are stale or not. gardenlet expects to find this Lease inside the namespace where the extension controller is installed by the corresponding ControllerInstallation. (gardener/gardener#6626, @plkokanov)
kubelets running on shoot worker nodes are now requesting server certificates via the CertificateSigningRequest API. They have the default validity of 30d and are auto-rotated when 80% of their lifetime expires. (gardener/gardener#6784, @rfranzke)
seccompDefault field for the kubelet configuration in the Shoot API via .spec.{provider.workers[]}.kubernetes.kubelet.seccompDefault. This configuration is only available for k8s version >= 1.25 and it is not turned on by default. (gardener/gardener#6741, @AleksandarSavchev)
PodSecurityPolicy admission plugin, please make sure you have updated the extensions to a version which supports this change. (gardener/gardener#6700, @shafeeqes)
spec.highAvailability.failureTolerance.type (gardener/gardener#6723, @unmarshall)
seed.gardener.cloud/multi-zonal which was not existing before. The allowed values will be: empty string or a valid boolean value true | false
failureToleranceType of either node or zone. This is supported by the gardenlet Helm chart as well as through deployment options in managedseed objects. The replica spread is implemented via TopologySpreadConstraints. (gardener/gardener#6750, @timuthy)
ManagedResource health status for objects on the seed cluster is now updated immediately on health status changes (switched from periodic checks to proper watching). (gardener/gardener#6770, @timebertt)
node failure tolerance and multi-zone with zone failure tolerance). (gardener/gardener#6719, @seshachalam-yv)
WithClock(...) function. (gardener/gardener#6729, @oliver-goetz)
...WithClock(...) condition helper functions are introduced.
WithNowFunc(...) function is removed from ConditionBuilder interface.
.spec.kubernetes.kubelet when .spec.provider.workers[].kubernetes.kubelet is not specified. (gardener/gardener#6741, @AleksandarSavchev)
preStop hook from Gardener API Server deployment has been removed. (gardener/gardener#6793, @vpnachev)
gardener-shoot-controlplane PriorityClass to be deleted too early when there are still Deployments (vpn-seed-server) that reference it is now mitigated. (gardener/gardener#6799, @ialidzhikov)
gardenlet is no longer put under time pressure during its start-up procedure by preventing its liveness probe from falsely failing. (gardener/gardener#6808, @rfranzke)
kube-scheduler and cluster-autoscaler Pods now run with the appropriate priority set according to the following document. Previously these Pods were running without a priority class set and were preempted in favour of less important Pods. (gardener/gardener#6838, @ialidzhikov)
/scale subresource from etcd CRD. (gardener/gardener#6850, @shreyas-s-rao)
kubernetes.io/arch label can now be used for scaling the worker pools from 0 based on CPU architecture. (gardener/gardener#6825, @acumino)
gardener.cloud/purpose: kube-system label is now added to the kube-system namespace by the gardenlet's Seed controller. (gardener/gardener#6829, @bd3lage)
ShootBinding admission plugin is removed in favour of existing ShootValidator plugin. All the checks are moved to the latter. (gardener/gardener#6727, @shafeeqes)
gardenlet checks the conditions of extension resources as part of the shoot health check, it checks if the gardener-extensions-heartbeat Lease maintained by the extension controllers has been renewed within the ShootCare controller's staleExtensionHealthChecks.thresholds[] settings and sets the corresponding Shoot condition to Unknown if that is not the case. If the Lease is not found, the status.conditions[].LastUpdateTime of the extension resource is checked as well for backwards compatibility. (gardener/gardener#6626, @plkokanov)
1.19.2 (gardener/gardener#6789, @oliver-goetz)
linux/amd64 and linux/arm64. (gardener/logging#156, @acumino)
Telegraf version from 1.23.4 to 1.24.2 (gardener/logging#157, @vlvasilev)
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.58.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.58.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.58.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.58.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.58.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.58.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.58.0
Published by gardener-robot-ci-2 about 2 years ago
gardener-shoot-controlplane PriorityClass to be deleted too early when there are still Deployments (vpn-seed-server) that reference it is now mitigated. (gardener/gardener#6800, @gardener-ci-robot)
preStop hook from Gardener API Server deployment have been removed. (gardener/gardener#6797, @gardener-ci-robot)
gardenlet is no longer put under time pressure during its start-up procedure by preventing its liveness probe from falsely failing. (gardener/gardener#6815, @gardener-ci-robot)
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.57.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.57.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.57.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.57.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.57.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.57.1
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.57.1
Published by gardener-robot-ci-3 about 2 years ago
ServiceAccounts assigned to Project members with the admin role are now removed. Read permissions are preserved. In order to fully manage ServiceAccounts in the project namespace, use the serviceaccountmanager role. Please find more information here. (gardener/gardener#6740, @dimityrmirchev)
DeprecatedDetermineError and DeprecatedDetermineErrorCodes will be dropped in the upcoming releases, extensions using these functions now need to use their own methods to get the error code from the errors. (gardener/gardener#6677, @acumino)
gardenlet's component configuration API has been changed in the following breaking ways: (gardener/gardener#6688, @rfranzke)
.server.http has been split into server.{healthProbes,metrics} (health endpoints and metrics are now served on different ports)
.server.https has been removed
gardenlet serves health endpoints and metrics on different ports now. Adapt your scrape configs accordingly to port metrics. (gardener/gardener#6688, @rfranzke)
metrics port of the gardener-scheduler is no longer hard-coded to 9090 but now uses the same value as the container target port (configurable via the component configuration). (gardener/gardener#6690, @rfranzke)
server.https field of the gardener-admission-controller configuration has been renamed to server.webhooks. Likewise, the Gardener control plane Helm chart has been changed. Please adapt your values.yaml files. (gardener/gardener#6706, @rfranzke)
ShootCARotation and ShootSARotation feature gates have been promoted to beta and are now enabled by default. Make sure that all provider extensions registered to your system support these features before upgrading to this Gardener version. (gardener/gardener#6734, @rfranzke)
/etc/containerd/conf.d not to be loaded. (gardener/gardener#6754, @timebertt)
.spec.worker.machine.architecture is set to nil. The issue could only occur if the version skew of Gardener is not respected and minor version is skipped during the Gardener update. (gardener/gardener#6716, @breuerfelix)
Etcd resources in the seed cluster. This can help if operators need to manually restore an ETCD cluster in exceptional cases. (gardener/gardener#6757, @timuthy)
garden-resource-manager will be scraped and stored in the shoot's Loki. (gardener/gardener#6748, @vlvasilev)
charts, are now considered when running gardener-up. This results in a new CRI image (typically gardenlet or provider-local) that is deployed to the local garden cluster. (gardener/gardener#6735, @timuthy)
provider-local. (gardener/gardener#6753, @oliver-goetz)
aws and azure. (gardener/gardener#6767, @ialidzhikov)
minAvailable configuration being calculated for multi-node etcd PodDisruptionBudget. (gardener/etcd-backup-restore#441, @timuthy)
BackupReady condition is not considered anymore when the PodDisruptionBudget configuration is calculated. This earlier blocked rolling out fixes that potentially solved problems with backup procedures. (gardener/etcd-backup-restore#441, @timuthy)
fluent-bit's plugin SortedClient when closing it before the last batch is sent. (gardener/logging#153, @vlvasilev)
fluent-bit-to-loki plugin. (gardener/logging#154, @vlvasilev)
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.57.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.57.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.57.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.57.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.57.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.57.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.57.0
Published by gardener-robot-ci-1 about 2 years ago
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.56.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.56.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.56.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.56.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.56.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.56.1
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.56.1
Published by gardener-robot-ci-1 about 2 years ago
v1alpha1 config of PodSecurity admission plugin for clusters v1.22.x. (gardener/gardener#6663, @gardener-ci-robot)
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.55.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.55.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.55.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.55.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.55.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.55.1
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.55.1
Published by gardener-robot-ci-3 about 2 years ago
multi-zonal labelled seed and scheduled non-HA shoots onto it, this release of Gardener will potentially cause scheduling conflicts to the control-plane pods as it will try to locate all pods into a single zone only. Pods that can't be re-scheduled (mainly because of volume dependencies) will remain in Pending state. (gardener/gardener#6579, @timuthy)
spec.controlPlane to allow enabling HA control planes with failure tolerance type of node or zone. Please consult docs/usage/shoot_high_availability.md for more information. (gardener/gardener#6530, @shreyas-s-rao)
StorageClass in seeds used for control-plane components must have volumeBindingMode: WaitForFirstConsumer to let the zone-pinning work properly. (gardener/gardener#6579, @timuthy)
Seed deletion works as expected. (gardener/gardener#6664, @plkokanov)
.spec.seedSelector is matching Shoot's Seed when the .spec.seedName field of the Shoot is set or modified. (gardener/gardener#6680, @ialidzhikov)
v1alpha1 config of PodSecurity admission plugin for clusters v1.22.x. (gardener/gardener#6649, @shafeeqes)
node and zone. (gardener/gardener#6530, @shreyas-s-rao)
non-HA and single-zonal shoots. (gardener/gardener#6530, @shreyas-s-rao)
eu.gcr.io/gardener-project/3rd/node-problem-detector:v0.8.10-gardener.1 to registry.k8s.io/node-problem-detector/node-problem-detector:v0.8.12. (gardener/gardener#6660, @ialidzhikov)
make gardener-down to fail when deleting the garden Project. (gardener/gardener#6664, @plkokanov)
pod-template-hash label. Gardener uses this webhook to circumvent imbalanced control plane deployments across nodes and zones. (gardener/gardener#6665, @timuthy)
kube-apiserver deployment was changed from pod anti-affinity to Topology Spread Constraints. Non-HA shoot clusters will still have the kube-apiserver pods being scheduled on different nodes on a best-effort basis. For HA clusters, the Topology Spread Constraints make sure that a distribution across nodes (single-zone) and zones (multi-zonal) is guaranteed, in order to tolerate failures in these domains. (gardener/gardener#6674, @timuthy)
gardener-resource-manager deployment was changed from pod anti-affinity to Topology Spread Constraints. Non-HA shoot clusters will still have the gardener-resource-manager pods being scheduled on different nodes on a best-effort basis. For HA clusters, the Topology Spread Constraints make sure that a distribution across nodes (single-zone) and zones (multi-zonal) is guaranteed, in order to tolerate failures in these domains. (gardener/gardener#6685, @timuthy)
shoot.kubernetes.apiServer.admissionPlugins are now validated against the kubernetes version of the shoot cluster. (gardener/gardener#6625, @plkokanov)
targetName and targetKind labels
linux/amd64 and linux/arm64.
vpa-exporter container now uses distroless instead of alpine as a base image.
gardenlet is now using gcr.io/distroless/static-debian11:nonroot instead of versions of alpine as a base image. (gardener/gardener#6641, @acumino)
1.19.1. (gardener/gardener#6650, @oliver-goetz)
probeEtcd func() to use shorter timeout. (gardener/etcd-backup-restore#532, @ishan16696)
Etcd-custom-image will now retry fetching etcd configuration in case of any error (gardener/etcd-custom-image#26, @aaronfern)
1.18.6 (gardener/etcd-druid#431, @aaronfern)
v3.4.13-bootstrap-8 (gardener/etcd-druid#432, @aaronfern)
hvpa-controller container image now uses a non root user by default. (gardener/hvpa-controller#103, @dimityrmirchev)
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.56.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.56.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.56.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.56.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.56.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.56.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.56.0