[gardener]

⚠️ Breaking Changes

• [USER] For Shoot clusters with kubernetes v1.25+ .spec.kubernetes.allowPrivilegedContainers should not be set. Please see here. (gardener/gardener#6570, @shafeeqes)

✨ New Features

• [USER] The KubeletConfiguration.Registry{PullQPS,Burst} fields are configurable via Shoot.spec.{provider.workers[]}.kubernetes.kubelet.registry{PullQPS,Burst} now. (gardener/gardener#6591, @timebertt)
• [OPERATOR] It is now possible to override the kubeconfig validity as well as the auto-rotation jitter boundaries for the gardenlet via its component configuration. By default, the --cluster-signing-duration value of the kube-controller-manager in the garden cluster still applies, and the kubeconfig is renewed when 70%-90% of its validity expires. (gardener/gardener#6568, @rfranzke)
• [OPERATOR] Gardenlet now checks that the seed network configuration conforms to the reality in the seed cluster in case the seed is a shoot itself. (gardener/gardener#6576, @ScheererJ)
• [OPERATOR] Add gardenlet feature gate to automatically rewrite some dns requests to reduce amount of requests being made due to dns search path and ndots=5. (gardener/gardener#6192, @ScheererJ)
• [OPERATOR] Adds prometheus metrics required for multi-node etcd. (gardener/gardener#6601, @ishan16696)
• [DEVELOPER] The existing ManagedSeed e2e test has been enhanced with verifications for the three gardenlet kubeconfig rotation scenarios. (gardener/gardener#6568, @rfranzke)
• [DEVELOPER] The local gardener setup includes pull-through cache registries now to speed up development and testing. (gardener/gardener#6591, @timebertt)

🐛 Bug Fixes

• [OPERATOR] A bug has been fixed which caused the EveryNodeReady condition on Shoots to become False and complaining about outdated cloud configs on nodes during rolling updates. (gardener/gardener#6555, @rfranzke)
• [OPERATOR] Operation of a seed using cilium as networking provider and node-local-dns is now working. (gardener/gardener#6583, @ScheererJ)
• [OPERATOR] A bug in the monitoring configuration that was scraping the deprecated metric etcd_object_counts even for k8s >= 1.21 has been fixed. (gardener/gardener#6584, @vpnachev)
• [OPERATOR] Fix worker group dropdown in "Node/Worker Pool Overview" dashboard. (gardener/gardener#6594, @rickardsjp)
• [OPERATOR] A bug in resourcemanager that not all truthy values were considered for the resources.gardener.cloud/ignore annotation value is fixed. (gardener/gardener#6603, @vpnachev)
• [OPERATOR] An issue that could potentially cause Pod to fail to be scheduled when the bin-packing scheduling profile is used is now fixed. When the kube-apiserver fails to call the pod-scheduler-name.resources.gardener.cloud webhook the corresponding Pod will be scheduled according to the default-scheduler. (gardener/gardener#6610, @ialidzhikov)
• [OPERATOR] Fix the network metrics for clusters with containerd. (gardener/gardener#6628, @istvanballok)
  • The "Kubernetes Pods" dashboard's "Network I/O" panel showed no data for clusters with containerd. Now it correctly shows the network metrics (sent and received bytes/s) for pods that are not in the host network namespace, also for clusters with containerd. For pods in the host network namespace no network metrics are shown because by definition the host network namespace's network stats include all the pods and system services and hence are not meaningful in the context of a specific pod. This explanation is as also included on the dashboard to avoid confusion due to missing data.
  • The "Node Details" dashboard's "Network I/O Pressure" panel showed incorrect readings for clusters with docker and no data for clusters with containerd. Both aspects are fixed.

🏃 Others

• [OPERATOR] If a config for PodSecurity admission plugin is provided in the Shoot spec, kube-system is added to the exempted namespace. (gardener/gardener#6549, @shafeeqes)
• [OPERATOR] The ExtensionsReady condition for Seeds will first be set to Progressing instead of being directly set to False when a ExtensionsReady condition threshold is specified in the controllers.seedExtensionsCheck.conditionThresholds configuration for the gardener controller manager and that threshold has not expired yet. (gardener/gardener#6551, @plkokanov)
• [OPERATOR] The container_oom_events_total metric is allow listed and added to the Kubernetes Pods dashboard (gardener/gardener#6564, @istvanballok)
• [OPERATOR] Gardener-managed webhooks are no longer considered by the shoot care controller when it comes to finding problematic webhooks. (gardener/gardener#6573, @rfranzke)
• [OPERATOR] Specify the kubelet flag runtime-cgroups when using containerd (gardener/gardener#6574, @istvanballok)
  • The node details dashboard shows the resource usage of the system services (kubelet and containerd) for containerd based clusters
• [OPERATOR] The BackupBucketsReady condition for Seeds will first be set to Progressing instead of being directly set to False when a BackupBucketsReady condition threshold is specified in the controllers.seedBackupBucketsCheck.conditionThresholds configuration for the gardener controller manager and that threshold has not expired yet. (gardener/gardener#6587, @plkokanov)
• [OPERATOR] Added condition with type Progressing to the ControllerInstallation resource, which is maintained based on the ResourcesProgressing condition of the ManagedResource created for the ControllerInstallation (gardener/gardener#6590, @plkokanov)
• [OPERATOR] When the ExtensionsReady condition is evaluated, the ControllerInstallations Progressing condition is now also taken into account. When the Progressing condition is not False, the ExtensionsReady condition will be evaluated to False (gardener/gardener#6590, @plkokanov)
• [OPERATOR] Kubernetes container images are now pulled from registry.k8s.io instead of k8s.gcr.io, see the announcement. (gardener/gardener#6591, @timebertt)
• [OPERATOR] The GA-ed SecretBindingProviderValidation feature gate is removed and can no longer be specified via the gardener-apiserver's --feature-gates flags . (gardener/gardener#6593, @ialidzhikov)
• [OPERATOR] Improve the Node/Worker Pool Overview dashboard (gardener/gardener#6595, @istvanballok)
• [OPERATOR] gardenlet's SeedKubeScheduler feature gate is now deprecated in favor of the bin-packing scheduling profile that can be configured for a Shoot referred by a ManagedSeed. (gardener/gardener#6599, @ialidzhikov)
• [OPERATOR] The gardener grafana dashboards are serialized with the "compact" JSON representation into the configmap to avoid reaching the configmap size limit. (gardener/gardener#6605, @istvanballok)
• [OPERATOR] Adapt blackbox exporter resource requests to VPA recommendations (gardener/gardener#6609, @istvanballok)
• [OPERATOR] Update envoy proxy to v1.23.1. (gardener/gardener#6366, @ScheererJ)

[etcd-backup-restore]

🐛 Bug Fixes

• [OPERATOR] Fix the probeEtcd func() to probe the corresponding Etcd by getting its Endpoint Status rather than just Get a key. (gardener/etcd-backup-restore#523, @ishan16696)

🏃 Others

• [OPERATOR] Handles the bolt database panic in case of database found to be corrupt. (gardener/etcd-backup-restore#521, @ishan16696)
• [OPERATOR] Added new metrics for multi-node etcd: etcdbr_defragmentation_duration_seconds, etcdbr_restoration_duration_seconds , etcdbr_cluster_size , etcdbr_is_learner , etcdbr_is_learner_count_total , etcdbr_add_learner_duration_seconds , etcdbr_member_remove_duration_seconds , etcdbr_member_promote_duration_seconds . (gardener/etcd-backup-restore#522, @ishan16696)
• [OPERATOR] Adds an annotation to etcd lease which indicates if the peer url is TLS enabled. (gardener/etcd-backup-restore#530, @unmarshall)

📰 Noteworthy

• [OPERATOR] Base alpine image upgraded from 3.15.4 to 3.15.6 (gardener/etcd-backup-restore#520, @aaronfern)

[etcd-custom-image]

🏃 Others

• [OPERATOR] Base alpine image upgraded from 3.15.4 to 3.15.6. (gardener/etcd-custom-image#24, @aaronfern)

[etcd-druid]

✨ New Features

• [OPERATOR] A Helm chart for deploying Etcd-Druid is now available in charts/druid. (gardener/etcd-druid#296, @timuthy)
• [DEVELOPER] Developers can now run Druid e2e tests via make test-e2e. Please see docs/development/local-e2e-tests.md for detailed information. (gardener/etcd-druid#296, @timuthy)

🐛 Bug Fixes

• [USER] Fix statefulset volumeClaimTemplate StorageClassName value population if etcd storageClass is an empty string. (gardener/etcd-druid#400, @shreyas-s-rao)
• [OPERATOR] This PR fixes an issue which caused the sts.spec.podManagementPolicy not to be updated to Parallel if an existing etcd cluster is scaled-up from 1 -> x. This can cause an issue if the cluster is afterwards completely scaled-down (aka hibernation) and scaled-up again. (gardener/etcd-druid#406, @timuthy)
• [OPERATOR] An issue has been fixed that caused Etcd-Druid to update immutable fields sts.spec.serviceName and sts.spec.podManagementPolicy for older etcd resources that had different values configured. These updates must only happen when a etcd cluster is scaled up for the first time (1 -> x) because (a) then these values are mandatory and (b) a disruption is accepted. (gardener/etcd-druid#408, @timuthy)
• [OPERATOR] An issue has been fixed that caused Etcd-Druid to not consider the hostPath configuration in the referenced backup secret etcd.spec.backup.store.secretRef. (gardener/etcd-druid#412, @timuthy)

🏃 Others

• [OPERATOR] Liveness and startup probes for etcd were removed. After activating them, we noticed that they cause more harm than good since the startup time for etcd clusters varies and isn't predicable. Killing the etcd container in such a case doesn't solve the situation and will rather end in an endless loop of restarts. This change will cause a restart of etcd clusters. (gardener/etcd-druid#424, @aaronfern)
• [OPERATOR] Liveness and startup probes for etcd were removed. After activating them in the last release, we noticed that they cause more harm than good since the startup time for etcd clusters varies and isn't predicable. Killing the etcd container in such a case doesn't solve the situation and will rather end in an endless loop of restarts. This change will cause a restart of etcd clusters. (gardener/etcd-druid#423, @timuthy)
• [OPERATOR] The Golang version used to compile Etcd-Druid has been updated to go 1.18.5. (gardener/etcd-druid#410, @timuthy)
• [OPERATOR] Adds a document mentioning the metrics for multi-node etcd. (gardener/etcd-druid#414, @ishan16696)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.55.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.55.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.55.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.55.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.55.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.55.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.55.0

[gardener]

🏃 Others

• [OPERATOR] Fix worker group dropdown in "Node/Worker Pool Overview" dashboard. (gardener/gardener#6597, @gardener-ci-robot)

[etcd-druid]

🐛 Bug Fixes

• [OPERATOR] This PR fixes an issue which caused the sts.spec.podManagementPolicy not to be updated to Parallel if an existing etcd cluster is scaled-up from 1 -> x. This can cause an issue if the cluster is afterwards completely scaled-down (aka hibernation) and scaled-up again. (gardener/etcd-druid#406, @timuthy)

🏃 Others

• [OPERATOR] Liveness and startup probes for etcd were removed. After activating them, we noticed that they cause more harm than good since the startup time for etcd clusters varies and isn't predicable. Killing the etcd container in such a case doesn't solve the situation and will rather end in an endless loop of restarts. This change will cause a restart of etcd clusters. (gardener/etcd-druid#424, @aaronfern)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.53.4
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.53.4
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.53.4
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.53.4
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.53.4
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.53.4
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.53.4

[gardener]

🏃 Others

• [OPERATOR] Fix worker group dropdown in "Node/Worker Pool Overview" dashboard. (gardener/gardener#6598, @gardener-ci-robot)

[etcd-druid]

🐛 Bug Fixes

• [OPERATOR] This PR fixes an issue which caused the sts.spec.podManagementPolicy not to be updated to Parallel if an existing etcd cluster is scaled-up from 1 -> x. This can cause an issue if the cluster is afterwards completely scaled-down (aka hibernation) and scaled-up again. (gardener/etcd-druid#406, @timuthy)

🏃 Others

• [OPERATOR] Liveness and startup probes for etcd were removed. After activating them, we noticed that they cause more harm than good since the startup time for etcd clusters varies and isn't predicable. Killing the etcd container in such a case doesn't solve the situation and will rather end in an endless loop of restarts. This change will cause a restart of etcd clusters. (gardener/etcd-druid#424, @aaronfern)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.54.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.54.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.54.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.54.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.54.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.54.1
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.54.1

[gardener]

🐛 Bug Fixes

• [USER] K8s dependencies are upgraded to v0.24.3 to adopt a fix in the k8s.io/apiserver module that causes gardener-apiserver to do not always return the expected result when the client requests resources with the --selector / --field-selector flags. (gardener/gardener#6448, @ialidzhikov)
• [USER] A bug that prevented Shoot deletion when the OS image version or kubernetes version was beyond its expiration date is now fixed. (gardener/gardener#6420, @gardener-ci-robot)
• [OPERATOR] Shoots are correctly labeled for globally enabled extensions now. (gardener/gardener#6538, @gardener-ci-robot)
• [OPERATOR] An issue causing a panel in the Node/Worker Pool Overview dashboard to fail to load due to invalid query is now fixed. (gardener/gardener#6410, @gardener-ci-robot)
• [OPERATOR] Fixed a bug where the Shoot reconciliation could get stuck due to DNSRecords not being reconciled. (gardener/gardener#6520, @gardener-ci-robot)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.51.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.51.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.51.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.51.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.51.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.51.1
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.51.1

[gardener]

🐛 Bug Fixes

• [OPERATOR] Shoots are correctly labeled for globally enabled extensions now. (gardener/gardener#6537, @gardener-ci-robot)
• [OPERATOR] Fixed a bug where the Shoot reconciliation could get stuck due to DNSRecords not being reconciled. (gardener/gardener#6519, @gardener-ci-robot)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.52.3
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.52.3
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.52.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.52.3
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.52.3
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.52.3
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.52.3

[gardener]

🐛 Bug Fixes

• [OPERATOR] Shoots are correctly labeled for globally enabled extensions now. (gardener/gardener#6536, @gardener-ci-robot)
• [OPERATOR] Fixed a bug where the Shoot reconciliation could get stuck due to DNSRecords not being reconciled. (gardener/gardener#6518, @gardener-ci-robot)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.53.3
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.53.3
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.53.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.53.3
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.53.3
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.53.3
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.53.3

[gardener]

⚠️ Breaking Changes

• [USER] PodSecurityPolicy admission plugin should be disabled before upgrading the shoot cluster to kubernetes v1.25. Please refer Migrating to PodSecurity. (gardener/gardener#6431, @shafeeqes)
• [USER] For users who don't have the RBAC permissions to update shoots/binding subresource, it is not possible anymore to specify .spec.seedName during creation of Shoot. (gardener/gardener#6454, @shafeeqes)
• [OPERATOR] Plant API has been dropped, operators need to clean up Plant resources before upgrading the Gardener version to v1.54. (gardener/gardener#6472, @acumino)
• [OPERATOR] The DNSProvider extension kind was removed. Please make sure to remove any ControllerRegistrations that include the DNSProvider kind. If you are using the extension shoot-dns-service, make sure to deploy the dns-controller-manager by extending its ControllerDeployment (see Deployment of DNS controller manager). (gardener/gardener#6479, @MartinWeindel)
• [DEVELOPER] Gardener is using go1.19 now. Make sure to upgrade your go installation. (gardener/gardener#6522, @timebertt)

✨ New Features

• [OPERATOR] A new gardenlet feature gate called DefaultSeccompProfile is introduced. If enabled all Gardener managed workloads in the seed will have their seccomp profiles defaulted to "RuntimeDefault". (gardener/gardener#6450, @dimityrmirchev)
• [DEVELOPER] A new gomegacheck linter is now executed on make check. Find out more in the docs. (gardener/gardener#6455, @timebertt)
• [DEVELOPER] Gardener envtest now supports running against an existing gardener setup via USE_EXISTING_GARDENER, see doc. (gardener/gardener#6497, @timebertt)

🐛 Bug Fixes

• [OPERATOR] Shoots are correctly labeled for globally enabled extensions now. (gardener/gardener#6534, @timebertt)
• [OPERATOR] A race condition in the Seed deletion has been fixed, which could cause the deletion to be stuck in a deadlock. (gardener/gardener#6544, @timebertt)
• [OPERATOR] Fixed a bug where the Shoot reconciliation could get stuck due to DNSRecords not being reconciled. (gardener/gardener#6481, @nschad)
• [OPERATOR] An issue causing the loki PriorityClass to be deleted too early when there are still loki StatefulSets that reference it is now mitigated. (gardener/gardener#6511, @ialidzhikov)
• [DEVELOPER] The memory and CPU requests of the loki containers are capped to 50mi of CPU and 300Mi of memory for the logging test-machinery tests. (gardener/gardener#6571, @vlvasilev)
• [DEVELOPER] An issue causing the guestbook integration test to fail against alicloud Shoot clusters is now fixed. (gardener/gardener#6493, @ialidzhikov)

🏃 Others

• [OPERATOR] Gardener now evaluates the BackupReady condition of etcd resources when calculating the health of shoot control planes. In case of non-functioning backups, the state is reported in the ControlPlaneHealthy of the affected shoot. (gardener/gardener#6552, @timuthy)
• [OPERATOR] Access log of api-server proxy now only shows forwarded requests, but ignores readiness/liveness probes and metrics requests. (gardener/gardener#6553, @ScheererJ)
• [OPERATOR] gardenlet is now using scratch instead of alpine as a base image. (gardener/gardener#6556, @AleksandarSavchev)
• [OPERATOR] The default value for the --audit-log-path flag of Gardener API Server was changed from /tmp/audit.log to /tmp/audit/audit.log. (gardener/gardener#6557, @vpnachev)
• [OPERATOR] The apiserver-proxy, blackbox-exporter, node-exporter, kube-proxy, node-local-dns, node-problem-detector, vpn-shoot, coredns, metrics-server components now have their seccomp profiles set to "RuntimeDefault". (gardener/gardener#6450, @dimityrmirchev)
• [OPERATOR] Persist additional metrics to monitor disk device performance contention/saturation (gardener/gardener#6475, @bd3lage)
• [OPERATOR] Node-local-dns health check does not longer use port 8080 of the host, but uses port 8099 instead. (gardener/gardener#6477, @ScheererJ)
• [OPERATOR] The following image is updated: (gardener/gardener#6490, @rickardsjp)
  • quay.io/prometheus/prometheus: v2.36.1 -> v2.37.0
• [OPERATOR] The following image is updated: (gardener/gardener#6499, @rickardsjp)
  • quay.io/prometheus/blackbox-exporter: v0.21.1 -> v0.22.0
• [OPERATOR] The following image is updated: (gardener/gardener#6500, @ialidzhikov)
  • k8s.gcr.io/cpa/cluster-proportional-autoscaler: v1.8.5 -> v1.8.6
• [OPERATOR] The following image is updated: (gardener/gardener#6503, @rickardsjp)
  • quay.io/prometheus/alertmanager: v0.22.2 -> v0.24.0
• [OPERATOR] The following image is updated: (gardener/gardener#6508, @rishabh-11)
  • eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler: v1.23.1 -> v1.24.0 (for Kubernetes >= 1.24)
• [OPERATOR] The ingress default backend has been switched to eu.gcr.io/gardener-project/gardener/ingress-default-backend:0.11.0. (gardener/gardener#6521, @acumino)
• [OPERATOR] Improve the ApiServerUnreachableViaKubernetesService alert (gardener/gardener#6523, @istvanballok)
• [OPERATOR] The following image is updated: (gardener/gardener#6524, @istvanballok)
  • quay.io/prometheus/prometheus: v2.37.0 -> v2.38.0
• [OPERATOR] The following image is updated: (gardener/gardener#6525, @Kristian-ZH)
  • fluent/fluent-bit: 1.9.6 -> 1.9.7
• [OPERATOR] The following image is updated: (gardener/gardener#6526, @rickardsjp)
  • ghcr.io/prometheus-operator/prometheus-config-reloader: v0.56.2 -> v0.58.0
• [DEVELOPER] The machine-controller-manager version deployed by provider-local has been updated to v0.46.1. (gardener/gardener#6545, @timuthy)
• [DEVELOPER] The networking-calico version deployed by provider-local has been updated to v1.26.0. (gardener/gardener#6545, @timuthy)
• [DEVELOPER] The Golang version is updated to 1.18.5. (gardener/gardener#6491, @oliver-goetz)
• [DEVELOPER] gardenlet's base image is updated from alpine:3.16.1 to alpine:3.16.2. (gardener/gardener#6492, @oliver-goetz)
• [DEPENDENCY] terraformer pods now use PriorityClass gardener-system-300. (gardener/gardener#6515, @timebertt)

[ext-authz-server]

✨ New Features

• [USER] The ext-authz-server now uses distroless instead of alpine as a base image. (gardener/ext-authz-server#7, @DockToFuture)

🏃 Others

• [OPERATOR] Published docker images for ext-authz-server are now multi-arch ready. They support linux/amd64 and linux/arm64. (gardener/ext-authz-server#6, @timuthy)

[logging]

✨ New Features

• [OPERATOR] The event-logger watches events of multiple namespaces specified by --seed-event-namespaces and --shoot-event-namespaces like comma-separated values. (gardener/logging#142, @vlvasilev)
  • The flags --seed-event-namespace and --shoot-event-namespace are dropped.

🐛 Bug Fixes

• [OPERATOR] Remove race condition in the multitenant client when labels set is not cloned. (gardener/logging#144, @vlvasilev)

🏃 Others

• [OPERATOR] All split logs between shoot and central Loki are packed before being sent to the central Loki. (gardener/logging#138, @vlvasilev)
• [OPERATOR] Remove the __gardener_multitenant_id__ label when it is not needed (gardener/logging#147, @vlvasilev)
• [OPERATOR] The name of the batch ID label can be set via IdLabelName from the plugin configuration. (gardener/logging#148, @vlvasilev)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.54.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.54.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.54.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.54.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.54.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.54.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.54.0

[gardener]

🐛 Bug Fixes

• [OPERATOR] An issue causing the loki PriorityClass to be deleted too early when there are still loki StatefulSets that reference it is now mitigated. (gardener/gardener#6512, @gardener-ci-robot)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.53.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.53.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.53.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.53.2
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.53.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.53.2
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.53.2

[gardener]

🐛 Bug Fixes

• [DEVELOPER] An issue causing the guestbook integration test to fail against alicloud Shoot clusters is now fixed. (gardener/gardener#6495, @gardener-ci-robot)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.53.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.53.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.53.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.53.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.53.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.53.1
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.53.1

[gardener]

⚠️ Breaking Changes

• [OPERATOR] The SecretBindingProviderValidation feature gate of gardener-apiserver is promoted to GA and is now unconditionally enabled. (gardener/gardener#6429, @ialidzhikov)
• [OPERATOR] The logging.loki.garden.priority field is removed from gardenlet's component config as it is no longer used after the new concept for PriorityClasses in Gardener. (gardener/gardener#6465, @ialidzhikov)
• [OPERATOR] The Gardener API server now enforces the following configuration options for ManagedSeed resources: (gardener/gardener#6388, @ialidzhikov)
  • 1. The vertical pod autoscaler should be enabled from the Shoot specification.
  • 2. The nginx-ingress addon should not be enabled for a Shoot referred by a ManagedSeed.
  • Before upgrading to this version of Gardener make sure that all ManagedSeeds and the Shoots they refer to conform the newly enforced configuration options.

✨ New Features

• [OPERATOR] Add option to disable gardener shoot monitoring (gardener/gardener#6433, @nschad)
• [OPERATOR] Enhance pod permissions for etcd-druid. (gardener/gardener#6467, @shreyas-s-rao)
• [OPERATOR] A shoot event-logger is introduced, which collects logs from shoot control-plane and shoot kube-system. (gardener/gardener#6223, @vlvasilev)
  • Events older than 5 seconds are omitted. Thus when the event logger is restarted it will repeat only the logs few recent events.
  • The version of the event logger is well formatted and accurate.
• [DEVELOPER] A GEP proposing changes to support HA Shoot control planes is now added. (gardener/gardener#6287, @unmarshall)
• [DEVELOPER] Use single-zone HA shoot for e2e rotation tests. (gardener/gardener#6467, @shreyas-s-rao)

🐛 Bug Fixes

• [USER] K8s dependencies are upgraded to v0.24.3 to adopt a fix in the k8s.io/apiserver module that causes gardener-apiserver to do not always return the expected result when the client requests resources with the --selector / --field-selector flags. (gardener/gardener#6443, @ialidzhikov)
• [OPERATOR] A bug causing gardenlet helm chart deployment to fail is fixed. (gardener/gardener#6432, @acumino)
• [OPERATOR] A bug has been fixed for HA shoots and their underlying etcd clusters. In some occasions, Gardenlet didn't wait for changes to be completely rolled out to etcd. Especially in combination with the CA-rotation feature this could cause the cluster being stuck in an unrecoverable state. (gardener/gardener#6434, @timuthy)
• [OPERATOR] An issue causing the Seed nginx-ingress to fail on 1.22 GKE Seed cluster (or any 1.22 Seed cluster with K8s version that has a suffix - for example v1.22.12-gke.300) is now fixed. (gardener/gardener#6468, @ialidzhikov)

🏃 Others

• [OPERATOR] Owner checks (which are used by the backup-restore sidecar to determine whether the owner domain name resolves to the specified owner ID and if not, take a final full snapshot and disable the cluster), will no longer be enabled by gardenlet, if the HAControlPlanes feature gate is enabled, the Shoot is annotated with alpha.control-plane.shoot.gardener.cloud/high-availability and the Shoot's ETCDs are started as a cluster (with more than 1 replica). (gardener/gardener#6412, @plkokanov)
• [OPERATOR] node-problem-detector image is updated from k8s.gcr.io/node-problem-detector/node-problem-detector:v0.8.7 to eu.gcr.io/gardener-project/3rd/node-problem-detector:v0.8.10-gardener.1. (gardener/gardener#6415, @acumino)
• [OPERATOR] The node-exporter is configured to collect filesystem metrics for the /run mount point. (gardener/gardener#6424, @istvanballok)
• [OPERATOR] The following image is updated: (gardener/gardener#6428, @rishabh-11)
  • eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler: v1.22.2 -> v1.23.1 (for Kubernetes >= 1.23)
• [OPERATOR] Latency metrics of the proxy subresource are not considered for the KubeApiServerLatency alert and API Server / Request Latency dashboard panel. (gardener/gardener#6445, @istvanballok)
• [OPERATOR] The following images are updated: (gardener/gardener#6449, @rishabh-11)
  • eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler: v1.20.2 -> v1.20.3 (for Kubernetes 1.20)
  • eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler: v1.21.2 -> v1.21.3 (for Kubernetes 1.21)
  • eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler: v1.22.2 -> v1.22.3 (for Kubernetes 1.22)
• [OPERATOR] The node-local-dns/node-cache container no longer runs in privileged mode. (gardener/gardener#6451, @ialidzhikov)
• [OPERATOR] The SeedChange and CopyEtcdBackupsDuringControlPlaneMigration feature gates have been promoted to beta and are now enabled by default. (gardener/gardener#6452, @plkokanov)
• [OPERATOR] The following images is updated: (gardener/gardener#6456, @ScheererJ)
  • k8s.gcr.io/dns/k8s-dns-node-cache: 1.22.5 -> v1.22.8
• [OPERATOR] Workaround for https://issues.k8s.io/109286 is now only executed for < 1.25 Shoots. In K8s 1.25+ the issue is fixed with https://github.com/kubernetes/kubernetes/pull/109288 and we no longer need to execute the workaround. (gardener/gardener#6457, @ialidzhikov)
• [OPERATOR] Use priority class gardener-system-500 for etcd, as per https://github.com/gardener/gardener/issues/5634. (gardener/gardener#6467, @shreyas-s-rao)

[dependency-watchdog]

🐛 Bug Fixes

• [OPERATOR] A bug is fixed which allowed dependency-watchdog to not ignore scaling operations on deployment which are not enabled/deployed in a given cluster (gardener/dependency-watchdog#41, @ashwani2k)
  • A bug with uploading of a rotated dependency-watchdog-probe secrets is now fixed by refreshing the clients with updated secrets.

🏃 Others

• [OPERATOR] Switch default leader election resource lock for dependency-watchdog from endpointsleases to leases. (gardener/dependency-watchdog#44, @ary1992)
• [OPERATOR] Published docker images for Dependency-Watchdog are now multi-arch ready. They support linux/amd64 and linux/arm64. (gardener/dependency-watchdog#57, @timuthy)
• [OPERATOR] DWD client shall no longer use long running TCP connections when attempting to probe Kube ApiServer via internal endpoint. (gardener/dependency-watchdog#62, @unmarshall)

📰 Noteworthy

• [OPERATOR] A dependent's scaling up/down can be ignored by DWD now by adding the annotation dependency-watchdog.gardener.cloud/ignore-scaling to the deployment (gardener/dependency-watchdog#48, @himanshu-kun)
• [OPERATOR] The dependency-watchdog now uses distroless instead of alpine as a base image. (gardener/dependency-watchdog#59, @dimityrmirchev)

[etcd-backup-restore]

⚠️ Breaking Changes

• [OPERATOR] Dropping the feature of passing storage container credentials through ENV for the following storage provider: S3, Swift, OCS, ABS, OSS. Please switch to pass the storage container credentials through volume file mount. (gardener/etcd-backup-restore#493, @ishan16696)
• [DEVELOPER] Added new package membergarbagecollector to remove superfluous members from the ETCD cluster. Due to this, etcd-backup-restore now needs permissions to list pods and statefulsets. (gardener/etcd-backup-restore#403, @aaronfern)

🏃 Others

• [OPERATOR] Fixed a bug where etcd calls related to multi node operation were used in single node operation (gardener/etcd-backup-restore#504, @aaronfern)
• [OPERATOR] Assigned the correct Peer address to the Etcd after it restores from backup-bucket. (gardener/etcd-backup-restore#505, @ishan16696)
• [OPERATOR] No attempt is made to update member Peer URL when trying to promote a member (gardener/etcd-backup-restore#506, @aaronfern)
• [OPERATOR] An issue has been fixed that caused the Backup-Restore component to connect to the wrong etcd cluster for initializing and member-add procedures. (gardener/etcd-backup-restore#510, @timuthy)
• [OPERATOR] A new flag --service-endpoints has been added to the etcdbrctl server command. These (Kubernetes) service URLs ensure that etcd-backup-restore only connects to etcd member which are ready to server traffic. Especially the MemberAdd and Init steps require this. (gardener/etcd-backup-restore#513, @timuthy)

📰 Noteworthy

• [USER] For multi-node etcd: Added a feature of single member etcd restoration in case of data/data-dir of etcd member found to be corrupted or invalid. (gardener/etcd-backup-restore#509, @ishan16696)
• [OPERATOR] Published docker images for Etcd-Backup-Restore are now multi-arch ready. They support linux/amd64 and linux/arm64. (gardener/etcd-backup-restore#499, @timuthy)
• [OPERATOR] The Etcd-Backup-Restore image has been updated to Alpine 3.15.4. (gardener/etcd-backup-restore#499, @timuthy)
• [OPERATOR] Etcd can now scale up itself from a single member cluster to a multi member cluster (gardener/etcd-backup-restore#487, @aaronfern)

[etcd-custom-image]

🏃 Others

• [OPERATOR] Published docker images for Etcd-Custom-Image are now multi-arch ready. They support linux/amd64 and linux/arm64. (gardener/etcd-custom-image#19, @timuthy)

[etcd-druid]

⚠️ Breaking Changes

• [OPERATOR] The entrypoint for etcd-druid in its container image has been modified. (gardener/etcd-druid#360, @dimityrmirchev)
• [OPERATOR] etcd Statefulsets are not claimed anymore based on labels. Instead, the statefulsets are fetched using Name and Namespace combination. Thus, etcd.spec.selector does not have an effect on statefulsets anymore. (gardener/etcd-druid#365, @abdasgupta)

✨ New Features

• [DEVELOPER] Add support for running envtest on M1 Macbooks. (gardener/etcd-druid#396, @timuthy)
• [DEVELOPER] Deploying the etcd StatefulSet through a Helm chart has been abandoned. A codified version (component concept) is now used for this purpose. (gardener/etcd-druid#365, @abdasgupta)

🐛 Bug Fixes

• [USER] Fix statefulset volumeClaimTemplate StorageClassName value population if etcd storageClass is an empty string. (gardener/etcd-druid#401, @shreyas-s-rao)
• [USER] Temporarily fix issue where PodManagementPolicy was trying to be updated from OrderedReady to Parallel for older shoots (created using etcd-druid:v0.8.5 and before), but the statefulset forbids updates to this field. (gardener/etcd-druid#402, @shreyas-s-rao)
• [USER] Temporarily fixes an issue where druid tries to set spec.ServiceName to PeerServiceName by default, although older single-node etcds would have this field set to ClientServiceName, and updation of statefulset spec.ServiceName field is forbidden. (gardener/etcd-druid#403, @shreyas-s-rao)
• [OPERATOR] A bug has been fixed that caused the etcd-backup-restore side-car to connect to the etcd cluster via the peer-service URL. The side-car is supposed to use the client-service instead since it a) exposes client port 2379 and b) redirects traffic only to members which are ready to service traffic. (gardener/etcd-druid#388, @timuthy)
• [OPERATOR] An issue has been fixed that caused the liveness and readiness probes of etcd to always succeed even though an error was reported. This prevented defective etcd pods from being restarted automatically and caused unready candidates being considered as ready to serve traffic via the etcd service. (gardener/etcd-druid#396, @timuthy)
• [OPERATOR] A startup probe has been added to etcd to allow 2 minutes of initialization time before checking for etcd liveness. (gardener/etcd-druid#396, @timuthy)

🏃 Others

• [OPERATOR] The definition of the etcd.status.ready field was defined more precisely due to changed semantics of multi-node etcd clusters. etcd.status.ready is true whenever all underlying etcd replicas are ready. Please note, that the implementation for this check was not changed. (gardener/etcd-druid#389, @timuthy)
• [OPERATOR] Fixed an issue in the release job needed to add the correct image version config/default/manager_image_patch.yaml. (gardener/etcd-druid#397, @aaronfern)
• [OPERATOR] Added a new condition BackupReady to the etcd status (gardener/etcd-druid#271, @aaronfern)
• [OPERATOR] livenessProbe of etcd container has been updated to ETCDCTL_API=3 etcdctl get foo --consistency=s making the consistency serializable. (gardener/etcd-druid#357, @ishan16696)
• [OPERATOR] failureThreshold has been updated to 5 for both livenessProbe and readinessProbe of etcd. (gardener/etcd-druid#357, @ishan16696)
• [OPERATOR] The etcd-druid now uses distroless instead of alpine as a base image. (gardener/etcd-druid#360, @dimityrmirchev)
• [OPERATOR] etcd-druid will now also add statefulset permissions to the etcd role (gardener/etcd-druid#366, @aaronfern)
• [OPERATOR] Published docker images for Etcd-Druid are now multi-arch ready. They support linux/amd64 and linux/arm64. (gardener/etcd-druid#367, @timuthy)
• [OPERATOR] Added pod permission in etcd_role that now enable etcd-backup-restore to get/list/watch pods (gardener/etcd-druid#372, @aaronfern)
• [OPERATOR] Etcd-Druid's Golang version has been update to 1.18.4.. (gardener/etcd-druid#375, @timuthy)
• [OPERATOR] The correct image version has been set in config/default/manager_image_patch.yaml to match the current release. (gardener/etcd-druid#377, @timuthy)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.53.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.53.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.53.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.53.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.53.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.53.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.53.0

[gardener]

🐛 Bug Fixes

• [USER] K8s dependencies are upgraded to v0.24.3 to adopt a fix in the k8s.io/apiserver module that causes gardener-apiserver to do not always return the expected result when the client requests resources with the --selector / --field-selector flags. (gardener/gardener#6447, @gardener-ci-robot)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.52.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.52.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.52.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.52.2
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.52.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.52.2
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.52.2

[gardener]

🐛 Bug Fixes

• [OPERATOR] A bug causing gardenlet helm chart deployment to fail is fixed. (gardener/gardener#6437, @acumino)

[gardener]

⚠️ Breaking Changes

• [OPERATOR] Gardener's component configuration APIs have been changed in the following breaking ways: (gardener/gardener#6333, @timebertt)
  • kubernetesLogLevel has been removed from all component configs
  • ControllerManagerConfiguration.server.http has been split into server.{healthProbes,metrics} (health endpoints and metrics are now served on different ports)
  • ControllerManagerConfiguration.server.https has been removed
• [OPERATOR] gardener-controller-manager serves health endpoints and metrics on different ports now. Adapt your scrape configs accordingly to port metrics. (gardener/gardener#6333, @timebertt)
• [OPERATOR] The DisableDNSProviderManagement feature gate has been promoted to GA and is now unconditionally enabled. If the shoot-dns-service extension is deployed, please make sure following prerequistes are given for a smoothly transition: (gardener/gardener#6341, @MartinWeindel)
  • The shoot-dns-service extension must be installed in a version >= v1.20.0.
  • The controller deployment of the shoot-dns-service sets providerConfig.values.dnsProviderManagement.enabled=true
  • Its admission controller (gardener-extension-admission-shoot-dns-service) is deployed on the garden cluster
  • the dns-external extension must still be installed
• [OPERATOR] The already deprecated shoot.gardener.cloud/use-as-seed annotation (since v1.18.0) is no longer supported for creating Shooted Seed clusters. Please check the following documentation on how to migrate from the use-as-seed annotation to ManagedSeeds. Before updating to this version of Gardener, make sure that you migrated to ManagedSeeds and that you no longer have usages of the use-as-seed annotation on the landscape. (gardener/gardener#6379, @ialidzhikov)
• [DEPENDENCY] Extension health check types are moved from github.com/gardener/gardener/extensions/pkg/controller/healthcheck/config to github.com/gardener/gardener/extensions/pkg/apis/config (gardener/gardener#6276, @oliver-goetz)
• [DEPENDENCY] hack/install-requirements.sh is removed. You can use hack/tools.mk to install tools needed for development and CI. (gardener/gardener#6323, @timebertt)
• [DEPENDENCY] All Actuator interfaces for extension controllers have been extended and now receive a logr.Logger passed from the reconciler with the proper context of the reconciled object. (gardener/gardener#6332, @rfranzke)
• [DEPENDENCY] Some signatures in pkg/controllerutils/mapper have changed to support the simple injection of a proper context and logger. (gardener/gardener#6358, @rfranzke)

✨ New Features

• [USER] The machine image defaulting does now work based on the CPU architecture of the machine in a given worker pool. (gardener/gardener#6324, @acumino)
• [USER] The Shoot maintenance controller has been enhanced to auto-update the machine image of the worker pool in a Shoot based on the CPU architecture of the machines. (gardener/gardener#6327, @acumino)
• [DEVELOPER] Allow passing custom REST configuration settings (QPS, Burst, Timeout) to extension shoot clients. (gardener/gardener#6276, @oliver-goetz)
• [DEVELOPER] If a resource in the ManagedResource is annotated with resources.gardener.cloud/skip-health-check=true then the resource will be skipped during health checks by the health controller. The ManagedResource conditions will not reflect the health condition of this resource anymore. The ResourcesProgressing condition will also be set to False. (gardener/gardener#6309, @shafeeqes)

🐛 Bug Fixes

• [USER] Fixed a bug that prevented Shoots from being able to use expander: priority for cluster-autoscaler (gardener/gardener#6372, @voelzmo)
• [USER] A bug that prevented Shoot deletion when the OS image version or kubernetes version was beyond its expiration date is now fixed. (gardener/gardener#6389, @voelzmo)
• [OPERATOR] An issue causing a panel in the Node/Worker Pool Overview dashboard to fail to load due to invalid query is now fixed. (gardener/gardener#6406, @Sallyan)
• [OPERATOR] A bug causing gardenlet to panic in case of shoot using namespace which doesn't have the required project label is fixed. (gardener/gardener#6408, @acumino)
• [DEVELOPER] Downloading several tools vial ./hack/tools.mk has been fixed for ARM64 based Linux machines. (gardener/gardener#6314, @timuthy)

🏃 Others

• [USER] Strict schema validation is now performed for VerticalPodAutoscaler resources. (gardener/gardener#6299, @andrerun)
• [OPERATOR] Gardenlet now uses PriorityClass: gardener-system-critical (gardener/gardener#6235, @kris94)
• [OPERATOR] Update istio to v1.14.1. (gardener/gardener#6271, @ScheererJ)
• [OPERATOR] The following images are updated: (gardener/gardener#6295, @himanshu-kun)
  • eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler: v1.20.1 -> v1.20.2 (for Kubernetes < 1.21)
  • eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler: v1.21.1 -> v1.21.2 (for Kubernetes 1.21)
  • eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler: v1.21.1 -> v1.22.2 (for Kubernetes >= 1.22)
• [OPERATOR] Update envoy proxy to v1.21.4 (used in reversed vpn and apiserver-proxy) (gardener/gardener#6320, @ScheererJ)
• [OPERATOR] Additional dashboards for monitoring conntrack insertion failures most likely due to conntrack races (gardener/gardener#6329, @ScheererJ)
• [OPERATOR] The loki/telegraf container no longer runs in privileged mode. (gardener/gardener#6334, @ialidzhikov)
• [OPERATOR] The following images are updated: (gardener/gardener#6336, @istvanballok)
  • quay.io/prometheus/blackbox-exporter: v0.20.0 -> v0.21.1
• [OPERATOR] The vpn-seed-server/vpn-seed-server container no longer runs in privileged mode. (gardener/gardener#6346, @ScheererJ)
• [OPERATOR] The vpn-shoot/vpn-shoot container no longer runs in privileged mode (when ReversedVPN feature gate is enabled). As it still needs to still modify some kernel settings, this part is moved to init container that still has to run in privileged but the risk to cluster security is minimal because of the ephemeral nature of init containers. (gardener/gardener#6352, @ScheererJ)
• [OPERATOR] The GA-ed WorkerPoolKubernetesVersion feature gate is now removed. (gardener/gardener#6354, @rfranzke)
• [OPERATOR] The API Server dashboard in Grafana now shows the actual DB size per instance (etcd-main, etcd-events). Earlier those values were summed up and distorted if more than one kube-apiserver replica existed in the control plane. (gardener/gardener#6376, @timuthy)
• [OPERATOR] A warning in vpn-shoot about the private key being group/other accessible is now addressed. (gardener/gardener#6381, @ScheererJ)
• [OPERATOR] The Loki, Prometheus, and the VPN seed server envoy proxy parsers parse timezone and milliseconds from the timestamp. (gardener/gardener#6387, @vlvasilev)
• [OPERATOR] It is now possible to disable an admission plugin for the shoot kube-apiserver in the ShootSpec by setting the AdmissionPlugin.Disabled field to true. (gardener/gardener#6403, @shafeeqes)
• [OPERATOR] Updating CRD for DNSEntries to allow specifying routing policy (gardener/gardener#6414, @MartinWeindel)
• [DEVELOPER] Golang version is updated to 1.18.4 (gardener/gardener#6300, @oliver-goetz)
• [DEVELOPER] gardenlet's base image is updated from alpine:3.15.4 to alpine:3.16.0. (gardener/gardener#6321, @ialidzhikov)
• [DEPENDENCY] metric-server image is updated to v0.6.1 (gardener/gardener#6338, @oliver-goetz)

[apiserver-proxy]

🏃 Others

• [OPERATOR] The apiserver-proxy-pod-webhook now uses distroless instead of alpine as a base image. (gardener/apiserver-proxy#18, @dimityrmirchev)
• [OPERATOR] Minimize apiserver-proxy-sidecar image by using a scratch image. (gardener/apiserver-proxy#19, @ScheererJ)

[etcd-backup-restore]

⚠️ Breaking Changes

• [DEVELOPER] Added new package membergarbagecollector to remove superfluous members from the ETCD cluster. Due to this, etcd-backup-restore now needs permissions to list pods and statefulsets. (gardener/etcd-backup-restore#403, @aaronfern)

🐛 Bug Fixes

• [OPERATOR] Temp fix: skip the single member restoration if data-dir found to be invalid. (gardener/etcd-backup-restore#501, @ishan16696)
• [OPERATOR] Fixed a bug in Scaleup feature in func: IsMemberInCluster() which can cause Scaleup feature to get fail. (gardener/etcd-backup-restore#501, @ishan16696)

🏃 Others

• [OPERATOR] Added new package membergarbagecollector to remove superfluous members from the ETCD cluster. (gardener/etcd-backup-restore#403, @aaronfern)
• [OPERATOR] Fixed a bug where etcd calls related to multi node operation were used in single node operation (gardener/etcd-backup-restore#504, @aaronfern)
• [OPERATOR] Assigned the correct Peer address to the Etcd after it restores from backup-bucket. (gardener/etcd-backup-restore#505, @ishan16696)
• [OPERATOR] No attempt is made to update member Peer URL when trying to promote a member (gardener/etcd-backup-restore#506, @aaronfern)

📰 Noteworthy

• [OPERATOR] Published docker images for Etcd-Backup-Restore are now multi-arch ready. They support linux/amd64 and linux/arm64. (gardener/etcd-backup-restore#499, @timuthy)
• [OPERATOR] The Etcd-Backup-Restore image has been updated to Alpine 3.15.4. (gardener/etcd-backup-restore#499, @timuthy)
• [OPERATOR] Etcd can now scale up itself from a single member cluster to a multi member cluster (gardener/etcd-backup-restore#487, @aaronfern)

[etcd-custom-image]

🏃 Others

• [OPERATOR] Published docker images for Etcd-Custom-Image are now multi-arch ready. They support linux/amd64 and linux/arm64. (gardener/etcd-custom-image#19, @timuthy)

[etcd-druid]

🏃 Others

• [OPERATOR] livenessProbe of etcd container has been updated to ETCDCTL_API=3 etcdctl get foo --consistency=s making the consistency serializable. (gardener/etcd-druid#357, @ishan16696)
• [OPERATOR] failureThreshold has been updated to 5 for both livenessProbe and readinessProbe of etcd. (gardener/etcd-druid#357, @ishan16696)
• [OPERATOR] The etcd-druid now uses distroless instead of alpine as a base image. (gardener/etcd-druid#360, @dimityrmirchev)
• [OPERATOR] etcd-druid will now also add statefulset permissions to the etcd role (gardener/etcd-druid#366, @aaronfern)
• [OPERATOR] Published docker images for Etcd-Druid are now multi-arch ready. They support linux/amd64 and linux/arm64. (gardener/etcd-druid#367, @timuthy)
• [OPERATOR] Added a new condition BackupReady to the etcd status (gardener/etcd-druid#271, @aaronfern)
• [OPERATOR] Added pod permission in etcd_role that now enable etcd-backup-restore to get/list/watch pods (gardener/etcd-druid#372, @aaronfern)

[hvpa-controller]

🏃 Others

• [USER] Fix an issue where the HVPA would set Requests higher than Limits if ControlledValues: RequestsOnly is set (gardener/hvpa-controller#98, @voelzmo)
• [OPERATOR] Published docker images for HVPA-Controller are now multi-arch ready. They support linux/amd64 and linux/arm64. (gardener/hvpa-controller#101, @timuthy)

[vpn2]

📰 Noteworthy

• [OPERATOR] VPN shoot client can now be run with a privileged init container and a non-privileged runtime container (gardener/vpn2#12, @ScheererJ)
• [OPERATOR] vpn-seed-server and vpn-shoot-client container images now contain only a reduced set of binary/libaries. (gardener/vpn2#14, @ScheererJ)
• [OPERATOR] Add missing sleep command to minimized container image. (gardener/vpn2#16, @ScheererJ)
• [OPERATOR] Switched openvpn topology to subnet and ensured that the chosen cipher is always selected. (gardener/vpn2#15, @ScheererJ)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.52.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.52.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.52.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.52.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.52.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.52.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.52.0

[gardener]

🐛 Bug Fixes

• [OPERATOR] A bug has been fixed which prevented automatic remediation of webhooks in case there was at least one webhook with failurePolicy=Ignore. (gardener/gardener#6289, @gardener-ci-robot)
• [OPERATOR] Differentiate the vpa metrics for the seed and control planes to avoid conflicts in prometheus when the recording rules are evaluated. (gardener/gardener#6310, @gardener-ci-robot)

[gardener]

🐛 Bug Fixes

• [OPERATOR] Differentiate the vpa metrics for the seed and control planes to avoid conflicts in prometheus when the recording rules are evaluated. (gardener/gardener#6312, @gardener-ci-robot)

[gardener]

🐛 Bug Fixes

• [OPERATOR] Differentiate the vpa metrics for the seed and control planes to avoid conflicts in prometheus when the recording rules are evaluated. (gardener/gardener#6311, @gardener-ci-robot)

[gardener]

⚠️ Breaking Changes

• [USER] The kubeReserved and systemReserved specs of workers are now validated against the node allocatable resources of the corresponding machine type. (gardener/gardener#6198, @shafeeqes)
• [USER] The SecretBindingProviderValidation feature gate of gardener-apiserver is now promoted to beta and enabled by default. This enables the following validations: (gardener/gardener#6240, @ialidzhikov)
  • requires the provider type of a SecretBinding to be set (on SecretBinding creation)
  • requires the SecretBinding provider type to match the Shoot provider type (on Shoot creation)
  • enforces immutability on the provider type of a SecretBinding
• [OPERATOR] The TestMachinery-based ManagedSeed tests (including the related TestDefinitions in the .test-defs directory) have been deleted in favor of new e2e tests. (gardener/gardener#6293, @rfranzke)
• [OPERATOR] The GA-ed or deprecated ShootMaxTokenExpiration{Overwrite,Validation} and RotateSSHKeypairOnMaintenance feature gates have been removed. (gardener/gardener#6241, @rfranzke)
• [OPERATOR] The ShootCARotation and ShootSARotation feature gates have been promoted to beta and are now enabled by default. Make sure that all provider extensions registered to your system support these features before upgrading to this Gardener version. (gardener/gardener#6252, @rfranzke)
• [OPERATOR] The minimum Kubernetes version for garden and seed clusters is now 1.20. Make sure to upgrade your clusters to at least 1.20 before deploying this Gardener version. (gardener/gardener#6255, @rfranzke)
• [DEPENDENCY] Gardener extensions which contain a worker controller need to implement functions: PreReconcileHook, PostReconcileHook, PreDeleteHook, PostDeleteHook. The functions DeployMachineDependencies and CleanupMachineDependencies are now deprecated and will be removed in a future release. The logic of those deprecated functions can be moved to the respective pre/post hook functions. (gardener/gardener#6290, @dkistner)

✨ New Features

• [USER] It is now possible to provide additional containerd configuration for shoot worker nodes, please take a look at this document for more information. (gardener/gardener#6293, @rfranzke)
• [USER] The Shoot spec now supports selecting scheduling profiles. Apart from the "balanced" (aka "default") profile it is possible to configure a bin-packing profile (alpha feature). For more details see the usage docs. (gardener/gardener#6251, @ialidzhikov)
• [OPERATOR] The new ShootNodeLocalDNSEnabledByDefault admission plugin of the gardener-apiserver (disabled by default) controls whether the .spec.systemComponents.nodeLocalDNS.enabled field for newly created Shoot resources is defaulted to true. Existing Shoots are not modified. Shoot's can still explicitly disable the node local dns cache by setting .spec.systemComponents.nodeLocalDNS.enabled=false. See this document. (gardener/gardener#6279, @DockToFuture)
• [DEVELOPER] provider-local does now support ManagedSeeds in the Skaffold-based environment. (gardener/gardener#6293, @rfranzke)
• [DEVELOPER] A new testing strategy and developer guideline has been added. Make sure to check out the document if you want to learn more about the different kinds of tests we use and how to best write them! (gardener/gardener#6245, @timebertt)
• [DEPENDENCY] Add Bastion config validator (gardener/gardener#6197, @tedteng)

🐛 Bug Fixes

• [OPERATOR] A bug has been fixed which prevented automatic remediation of webhooks in case there was at least one webhook with failurePolicy=Ignore. (gardener/gardener#6277, @rfranzke)
• [OPERATOR] Health checks of ManagedResources are more reliable now when updating resources in the referenced secrets. (gardener/gardener#6136, @ary1992)
• [OPERATOR] Differentiate the vpa metrics for the seed and control planes to avoid conflicts in prometheus when the recording rules are evaluated. (gardener/gardener#6303, @istvanballok)
• [OPERATOR] Fixed an issue that could cause a Shoot's control plane namespace to be orphaned. This could happen when control plane migration is triggered, but does not start because the destination Seed is not Ready yet, and meanwhile the Shoot is deleted. (gardener/gardener#6206, @plkokanov)
• [DEPENDENCY] The recent changes to the "github.com/gardener/gardener/extensions/pkg/controller/healthcheck/config".HealthCheckConfig type that added client configuration settings are now reverted. (gardener/gardener#6248, @ialidzhikov)

🏃 Others

• [OPERATOR] The following images are updated: (gardener/gardener#6224, @istvanballok)
  • registry.k8s.io/kube-state-metrics/kube-state-metrics: v1.9.7 -> v2.1.1 (for kubernetes < 1.20)
  • registry.k8s.io/kube-state-metrics/kube-state-metrics: v1.9.7 -> v2.5.0 (for kubernetes >= 1.20)
• [OPERATOR] Updated vertical-pod-autoscaler to v0.11.0 (gardener/gardener#6243, @voelzmo)
• [DEVELOPER] Removed unnecessary PATCH to machine.status.node during restoration of machine objects. (gardener/gardener#6205, @plkokanov)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.51.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.51.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.51.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.51.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.51.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.51.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.51.0

[gardener]

🐛 Bug Fixes

• [DEPENDENCY] The recent changes to the "github.com/gardener/gardener/extensions/pkg/controller/healthcheck/config".HealthCheckConfig type that added client configuration settings are now reverted. (gardener/gardener#6250, @gardener-ci-robot)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.50.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.50.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.50.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.50.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.50.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.50.1
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.50.1

[gardener]

⚠️ Breaking Changes

• [USER] Changing the spec.seedName for Shoots is now possible only via the new shoots/binding subresource. Patches to spec.seedName in the Shoot will not have any effect anymore. Please see this document for more information. (gardener/gardener#6018, @shafeeqes)
• [OPERATOR] The WorkerPoolKubernetesVersion feature gate has been promoted to GA and is now unconditionally enabled. Make sure that all provider extensions registered to your system support this feature before upgrading to this Gardener version. (gardener/gardener#6166, @rfranzke)
• [OPERATOR] Patches to spec.seedName field in the shoot manifest will be rejected. Please use the shoots/binding subresource instead. (gardener/gardener#6179, @shafeeqes)
• [OPERATOR] The DisableDNSProviderManagement feature gate has been promoted to beta and is now enabled by default. If you are using the Gardener extension shoot-dns-service make sure to deploy version >= v1.20.0 and to set providerConfig.values.dnsProviderManagement.enabled=true in its controller deployment. The shoot DNS service admission controller (gardener-extension-admission-shoot-dns-service) must be deployed on the garden cluster. (gardener/gardener#6142, @MartinWeindel)
• [DEPENDENCY] Files in ./extensions/test have been moved to ./test package, Please adapt the import paths accordingly: (gardener/gardener#6158, @shafeeqes)
  • https://github.com/gardener/gardener/tree/master/extensions/test/testmachinery has been moved to https://github.com/gardener/gardener/tree/master/test/testmachinery/extensions
  • https://github.com/gardener/gardener/tree/master/extensions/test/integration has been moved to https://github.com/gardener/gardener/tree/master/test/integration/extensions/controller
• [DEPENDENCY] Gardenlet now manages fine-granular PriorityClasses that are supposed to be used by all components in order to improve the overall robustness of the system. (gardener/gardener#6186, @timebertt)
  • Find out more in the related documentation.
  • Extensions need to migrate all their extension controller pods as well as their shoot control plane and shoot system components to the newly defined PriorityClasses and drop custom ones.
  • Legacy PriorityClass gardener-shoot-controlplane is deprecated and will be removed in a future release.

✨ New Features

• [USER] In case at least one shoot cluster CA certificate is about to expire in less than 1y, a new constraint of type CACertificateValiditiesAcceptable will be visible in the .status.constraints to make end-users aware that a rotation should be performed. (gardener/gardener#6149, @rfranzke)
• [USER] The Shoot API now supports a new field spec.provider.workers[].machine.architecture. It specifies the CPU architecture of the machine in a given worker pool of shoot. It must match the architecture of the used machine type and machine image as defined in the referenced CloudProfile. (gardener/gardener#6233, @acumino)
• [USER] There are now client warnings for Shoot resources when credentials rotation is due or when the static token kubeconfig is used. (gardener/gardener#6110, @rfranzke)
• [USER] It is now possible to override the maximum delay seconds for the cloud-config user-data execution on shoot worker nodes by specifying the shoot.gardener.cloud/cloud-config-execution-max-delay-seconds annotation on the Shoot resource (default: 300). (gardener/gardener#6124, @rfranzke)
• [OPERATOR] Images in image vector now support a new field architectures. It is a list of CPU architecture of machines on which one image can be used. If not specified images are considered to support both amd64 and arm64 CPU architecture. (gardener/gardener#6156, @acumino)
• [OPERATOR] The --secure-port flag of the Gardener API Server can now be configured through the helm chart by setting .Values.global.apiserver.securePort. The default value is 8443. The service exposing the Gardener API Server deployment will continue to listen on port 443. (gardener/gardener#6170, @dimityrmirchev)
• [OPERATOR] SeedKubeScheduler: gardenlet does now support the SeedKubeScheduler feature gate to be enabled for K8s 1.24 Seed clusters. (gardener/gardener#6173, @ialidzhikov)
• [OPERATOR] CloudProfiles now supports two new fields .spec.machineImages[].architectures and .spec.machineTypes[].architecture. (gardener/gardener#6178, @acumino)
  • .spec.machineImages[].architectures - It is a list of CPU architectures of the machine image supported by the particular machine image version.
  • .spec.machineTypes[].architecture - It specifies the CPU architecture of the given machine type.
• [OPERATOR] Worker now supports a new field .spec.pools[].architecture. It specifies the CPU architecture of the machine in the given worker pool. (gardener/gardener#6178, @acumino)
• [OPERATOR] You can now make the gardenlet remediate problematic webhooks in shoot clusters by setting .controllers.shootCare.webhookRemediatorEnabled=true in its configuration file. (gardener/gardener#6090, @rfranzke)
• [OPERATOR] A disruption free CA rotation is now being supported for HA shoot clusters. (gardener/gardener#6099, @timuthy)
• [DEVELOPER] gardener-apiserver, gardener-controller-manager, gardener-scheduler, gardener-admission-controller, gardener-seed-admission-controller and gardener-resource-manager are now using gcr.io/distroless/static-debian11:nonroot instead of versions of alpine as a base image. (gardener/gardener#6159, @dimityrmirchev)
• [DEVELOPER] It is now possible to render charts from embedded file systems (embed.FS). The Render method of the chartrenderer.Interface in favour of RenderEmbeddedFS. The Apply/Delete methods of the kubernetes.ChartApplier interfaces are deprecated and in favor of {Apply,Delete}FromEmbeddedFS. They will be removed in a future version. You should consider adapting your code to the newly introduced methods. (gardener/gardener#6165, @rfranzke)
• [DEVELOPER] Seed prometheus: allow to overwrite scheme per annotation for job garden. (gardener/gardener#6180, @MartinWeindel)
• [DEVELOPER] Adds ability to create a second seed cluster in the local setup. (gardener/gardener#6059, @plkokanov)
• [DEVELOPER] Allow passing custom REST configuration settings (QPS, Burst, RateLimiter, Timeout) to extension shoot clients. (gardener/gardener#6113, @oliver-goetz)
• [DEVELOPER] Added e2e integration test for control plane migration (gardener/gardener#5987, @kris94)

🐛 Bug Fixes

• [USER] It is no longer possible to perform the following shoot operations when it is hibernated: rotate-{credentials,etcd-encryption-key,serviceaccount-key}-{start,complete}. (gardener/gardener#6148, @rfranzke)
• [USER] Allow cilium to be used on seeds with SNI enabled. (gardener/gardener#6130, @ScheererJ)
• [USER] Allow updates of old shoot clusters that were already created with an invalid default domain before the validation was introduced. (gardener/gardener#6139, @plkokanov)
• [OPERATOR] A bug has been fixed which could prevent gardenlet pods from coming up in case the projected-token-mount webhook served by gardener-resource-manager is unavailable or broken. (gardener/gardener#6175, @rfranzke)
• [OPERATOR] A bug has been fixed which prevented the etcd defragmentation from running properly. This fix will cause a restart of all etcd instances during the next maintenance time window. (gardener/gardener#6182, @timuthy)
• [OPERATOR] A bug has been fixed which prevented the assignment of the ERR_CLEANUP_CLUSTER_RESOURCES error code to Shoots. (gardener/gardener#6202, @rfranzke)

📖 Documentation

• [OPERATOR] In order to trigger control-plane migration using the shoots/binding subresource, please see https://github.com/gardener/gardener/blob/master/docs/usage/control_plane_migration.md#triggering-the-migration (gardener/gardener#6179, @shafeeqes)

🏃 Others

• [USER] Upgrade node-exporter to v1.3.1 (gardener/gardener#6171, @wyb1)
• [OPERATOR] The following images are updated: (gardener/gardener#6163, @himanshu-kun)
  • eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler: v0.19.0 -> v1.20.1 (for Kubernetes < 1.20)
  • eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler: v1.20.0 -> v1.20.1 (for Kubernetes 1.20)
  • eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler: v1.21.0 -> v1.21.1 (for Kubernetes 1.21)
  • eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler: v1.21.0 -> v1.22.1 (for Kubernetes >= 1.22)
• [OPERATOR] Adapt allow-to-dns networkpolicy to also work with node local dns in cilium case. (gardener/gardener#6181, @DockToFuture)
• [OPERATOR] Activate the diskstats collector for the node_exporter (gardener/gardener#6183, @wyb1)
• [OPERATOR] The GA-ed CachedRuntimeClients, AdminKubeconfigRequest, DenyInvalidExtensionResources and UseDNSRecords feature gates are removed and can no longer be specified via the --feature-gates flags. (gardener/gardener#6193, @ialidzhikov)
• [OPERATOR] The default value for --audit-log-path of Gardener API Server was changed from /var/lib/audit.log to /tmp/audit.log so that a nonroot user can access it without additional permissions. (gardener/gardener#6204, @vpnachev)
• [OPERATOR] Pause container image is now used from k8s.gcr.io/pause instead of gcr.io/google_containers/pause-amd64. (gardener/gardener#6238, @acumino)
• [OPERATOR] Improve the CPU and memory usage calculation on the Node Details dashboard (gardener/gardener#6132, @istvanballok)
• [OPERATOR] Update node local dns to v1.22.5 (gardener/gardener#6138, @ScheererJ)
• [OPERATOR] The blackbox exporter scrape probe logs are also written to stdout (gardener/gardener#6140, @istvanballok)
• [OPERATOR] Bump prometheus to v2.36.1 (gardener/gardener#6141, @wyb1)
• [OPERATOR] NetworkPolicy/allow-to-private-networks now allows access to networks overlapping the shoot networks in case reversed VPN is active. (gardener/gardener#6143, @ScheererJ)
• [OPERATOR] kube-apiserver and prometheus pods are no longer allowed to access shoot networks in case reversed VPN is active. (gardener/gardener#6143, @ScheererJ)
• [DEVELOPER] Added wrapper scripts and make targets that can be used to setup the skaffold test environment and trigger e2e integration tests: make ci-e2e-kind can be used to trigger the default e2e integration tests; make ci-e2e-kind-migration can be used to trigger the control plane migration e2e test. (gardener/gardener#5987, @kris94)
• [DEPENDENCY] k8s.io/* is now upgraded to v0.24.1 and sigs.k8s.io/controller-runtime is now upgraded to v0.12.1. (gardener/gardener#6101, @kris94)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.50.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.50.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.50.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.50.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.50.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.50.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.50.0

[gardener]

🐛 Bug Fixes

• [OPERATOR] A bug has been fixed which could prevent gardenlet pods from coming up in case the projected-token-mount webhook served by gardener-resource-manager is unavailable or broken. (gardener/gardener#6228, @gardener-ci-robot)
• [OPERATOR] A bug has been fixed which prevented the assignment of the ERR_CLEANUP_CLUSTER_RESOURCES error code to Shoots. (gardener/gardener#6213, @gardener-ci-robot)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.48.6
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.48.6
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.48.6
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.48.6
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.48.6
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.48.6
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.48.6