Bot releases are hidden (Show)

gardener - v1.45.0

Published by gardener-robot-ci-2 over 2 years ago

[gardener]

⚠️ Breaking Changes

[DEVELOPER] Support for Terraformer v1 was finally dropped. (gardener/gardener#5728, @rfranzke)
[DEPENDENCY] Extensions need to prepare for supporting the Shoot CA rotation feature (GEP-18). Please see CA Rotation in Extensions and Conventions for detailed descriptions of the requirements. (gardener/gardener#5803, @timebertt)
[DEPENDENCY] The extension library has been adapted to support the Shoot CA rotation feature (GEP-18). Please see gardener/gardener#5803 for a detailed description on how to adapt to the breaking changes. (gardener/gardener#5803, @timebertt)

✨ New Features

[DEVELOPER] A new API diff check has been added to ensure PRs are not changing exported interfaces, types, or method signatures in incompatible ways. (gardener/gardener#5532, @acumino)

🐛 Bug Fixes

[USER] Temporarily no longer allow changing container runtime on existing workers due to an open bug: #4415. (gardener/gardener#5791, @voelzmo)
[USER] An issue preventing nodes from updating their downloaded cloud config checksum annotation has been fixed. (gardener/gardener#5761, @rfranzke)
[OPERATOR] Only requests but not limits of an existing kube-apiserver deployment are copied when HVPA is enabled to allow limits to be removed from existing deployments. (gardener/gardener#5835, @stoyanr)
[OPERATOR] addons-nginx-ingress-controller, kubernetes-dashboard, blackgox-exporter no longer have lower memory limits when VPA is enabled. (gardener/gardener#5828, @stoyanr)
[OPERATOR] A bug has been fixed which can result in Shoots stuck in deletion when the ShootMaxTokenExpiration{Overwrite,Validation} feature gates are enabled. (gardener/gardener#5799, @rfranzke)
[OPERATOR] Fix a bug in the PodDisruptionBudget of the Gardener API server that was not allowing maintenance operations with the hosting cluster when the HVPA is enabled the replicas are set to 1. (gardener/gardener#5773, @vpnachev)
[OPERATOR] A bug has been fixed which prevented the migration of existing basic auth secrets without CSV data to the new secrets manager. (gardener/gardener#5766, @rfranzke)
[OPERATOR] Fixed an issue that could cause the cloud-config-downloader to invalidate its credentials token if the node that it is currently running on has issues with the file system where the credentials token is stored (for example when the node runs out of disk space). (gardener/gardener#5719, @plkokanov)
[DEVELOPER] Fixed a bug that caused make gardener-up to fail. (gardener/gardener#5834, @timebertt)

🏃 Others

[OPERATOR] The Golang version is updated to 1.17.9. (gardener/gardener#5815, @ialidzhikov)
[OPERATOR] In case gardener-resource-manager fails to be bootstrapped because its client certificate has expired, gardenlet does now automatically generate a new client certificate and re-triggers the bootstrap process. (gardener/gardener#5798, @rfranzke)
[OPERATOR] The DenyInvalidExtensionResources feature gate in the seed-admission-controller has been promoted to GA and can no longer be disabled. (gardener/gardener#5793, @ary1992)
[OPERATOR] In order to save network I/O and costs, the cloud-config-downloader script running every 30s on each shoot worker node now first performs a metadata-only request for the cloud config Secret. It only downloads the full secret (including data containing the executor script) if the checksum annotation has changed. (gardener/gardener#5768, @rfranzke)
[OPERATOR] CachedRuntimeClients feature gate in gardener-controller-manager, gardenlet is promoted to GA and cannot be disabled. (gardener/gardener#5752, @ary1992)
[OPERATOR] Loki memory limit is decreased to 3Gi. (gardener/gardener#5751, @vlvasilev)
[OPERATOR] Increase the QPS and burst values for kube-apiserver requests for the vpa-recommender of Seed and Shoot clusters to better cope with large cluster sizes. (gardener/gardener#5743, @danielfoehrKn)
[OPERATOR] RotateSSHKeypairOnMaintenance feature gate in gardener-controller-manager has been promoted to beta and is now enabled by default. (gardener/gardener#5740, @ary1992)
[OPERATOR] Fix kube-proxy switch from IPVS to IPTables mode. (gardener/gardener#5739, @ScheererJ)
[OPERATOR] Update api-server-proxy to v0.3.0. (gardener/gardener#5738, @DockToFuture)
[OPERATOR] Gardenlet will now update its kubeconfig if gardenClientConnection.gardenClusterCACert is specified and contains a different CA cert than the one currently used in the kubeconfig. (gardener/gardener#5735, @Diaphteiros)
[OPERATOR] Gardener resource manager can now properly deploy v1beta1 CronJobs if they are part of a ManagedResource's referenced Secret (gardener/gardener#5727, @plkokanov)
[OPERATOR] The ShootMaxTokenExpirationOverwrite feature gate has been promoted to beta and is now enabled by default. (gardener/gardener#5726, @rfranzke)
[OPERATOR] VPA binaries and dependency have been upgraded to 0.10.0. (gardener/gardener#5716, @stoyanr)
[OPERATOR] Additional reconciliations for resources after adding the finalizer are prevented using an early exit approach. (gardener/gardener#5683, @shafeeqes)
[OPERATOR] Updates istio components to v1.12.5 (gardener/gardener#5340, @ScheererJ)

📰 Noteworthy

[USER] Newly created shoot clusters now get a dedicated CA certificate which is used for signing client certificates. Note that this client CA is different from the cluster CA. For existing clusters, the client CA is the same like the cluster CA to ensure backwards compatibility. (gardener/gardener#5779, @rfranzke)
[OPERATOR] The seed cluster CA certificate is now auto-rotated each 30d. (gardener/gardener#5785, @rfranzke)
[DEVELOPER] The local Gardener development setup now uses calico instead of kindnetd as CNI plugin for the seed and shoot clusters. This enables support for NetworkPolicys and rolling updates of shoot worker nodes. (gardener/gardener#5774, @rfranzke)

[etcd-backup-restore]

🐛 Bug Fixes

[OPERATOR] Fix defragmentation fail issue which occurs due to x509: failed to validate certificate for 0.0.0.0 because it doesn't contain any IP SANs. (gardener/etcd-backup-restore#459, @ishan16696)

[ext-authz-server]

✨ New Features

[USER] Update alpine image to version 3.15.3 and update dependencies. (gardener/ext-authz-server#4, @DockToFuture)

[hvpa-controller]

🏃 Others

[OPERATOR] The HVPA controller now respects controlledResources and controlledValues parameters that have been newly introduced in autoscaling.k8s.io/v1. (gardener/hvpa-controller#93, @stoyanr)
[OPERATOR] autoscaling.k8s.io/v1 is now being used instead of autoscaling.k8s.io/v1beta2 in HVPA resources. This enables using controlledValues: RequestsOnly in spec.vpa.template.spec.resourcePolicy (gardener/hvpa-controller#91, @stoyanr)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.45.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.45.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.45.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.45.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.45.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.45.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.45.0

gardener - v1.44.5

Published by gardener-robot-ci-1 over 2 years ago

[gardener]

🐛 Bug Fixes

[OPERATOR] Only requests but not limits of an existing kube-apiserver deployment are copied when HVPA is enabled to allow limits to be removed from existing deployments. (gardener/gardener#5838, @gardener-ci-robot)
[OPERATOR] addons-nginx-ingress-controller, kubernetes-dashboard, blackgox-exporter no longer have lower memory limits when VPA is enabled. (gardener/gardener#5830, @gardener-ci-robot)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.44.5
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.44.5
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.44.5
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.44.5
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.44.5
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.44.5
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.44.5

gardener - v1.44.4

Published by gardener-robot-ci-2 over 2 years ago

[gardener]

🐛 Bug Fixes

[OPERATOR] A bug has been fixed which can result in Shoots stuck in deletion when the ShootMaxTokenExpiration{Overwrite,Validation} feature gates are enabled. (gardener/gardener#5813, @gardener-ci-robot)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.44.4
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.44.4
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.44.4
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.44.4
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.44.4
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.44.4
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.44.4

gardener - v1.43.4

Published by gardener-robot-ci-1 over 2 years ago

[gardener]

🐛 Bug Fixes

[OPERATOR] A bug has been fixed which can result in Shoots stuck in deletion when the ShootMaxTokenExpiration{Overwrite,Validation} feature gates are enabled. (gardener/gardener#5812, @gardener-ci-robot)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.43.4
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.43.4
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.43.4
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.43.4
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.43.4
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.43.4
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.43.4

gardener - v1.42.6

Published by gardener-robot-ci-3 over 2 years ago

[gardener]

🐛 Bug Fixes

[USER] Temporarily no longer allow changing container runtime on existing workers due to an open bug: #4415. (gardener/gardener#5797, @gardener-ci-robot)
[OPERATOR] Fix a bug in the PodDisruptionBudget of the Gardener API server that was not allowing maintenance operations with the hosting cluster when the HVPA is enabled the replicas are set to 1. (gardener/gardener#5777, @gardener-ci-robot)

🏃 Others

[OPERATOR] Fix kube-proxy switch from IPVS to IPTables mode. (gardener/gardener#5771, @gardener-ci-robot)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.42.6
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.42.6
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.42.6
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.42.6
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.42.6
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.42.6
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.42.6

gardener - v1.43.3

Published by gardener-robot-ci-3 over 2 years ago

[gardener]

🐛 Bug Fixes

[USER] Temporarily no longer allow changing container runtime on existing workers due to an open bug: #4415. (gardener/gardener#5796, @gardener-ci-robot)
[USER] An issue preventing nodes from updating their downloaded cloud config checksum annotation has been fixed. (gardener/gardener#5765, @gardener-ci-robot)
[OPERATOR] Fix a bug in the PodDisruptionBudget of the Gardener API server that was not allowing maintenance operations with the hosting cluster when the HVPA is enabled the replicas are set to 1. (gardener/gardener#5776, @gardener-ci-robot)

🏃 Others

[OPERATOR] Fix kube-proxy switch from IPVS to IPTables mode. (gardener/gardener#5770, @gardener-ci-robot)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.43.3
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.43.3
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.43.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.43.3
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.43.3
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.43.3
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.43.3

gardener - v1.44.3

Published by gardener-robot-ci-1 over 2 years ago

[gardener]

🐛 Bug Fixes

[USER] Temporarily no longer allow changing container runtime on existing workers due to an open bug: #4415. (gardener/gardener#5795, @gardener-ci-robot)
[OPERATOR] Fix a bug in the PodDisruptionBudget of the Gardener API server that was not allowing maintenance operations with the hosting cluster when the HVPA is enabled the replicas are set to 1. (gardener/gardener#5775, @gardener-ci-robot)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.44.3
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.44.3
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.44.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.44.3
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.44.3
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.44.3
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.44.3

gardener - v1.44.2

Published by gardener-robot-ci-2 over 2 years ago

[gardener]

🐛 Bug Fixes

[USER] An issue preventing nodes from updating their downloaded cloud config checksum annotation has been fixed. (gardener/gardener#5764, @gardener-ci-robot)
[OPERATOR] A bug has been fixed which prevented the migration of existing basic auth secrets without CSV data to the new secrets manager. (gardener/gardener#5767, @gardener-ci-robot)

🏃 Others

[OPERATOR] Fix kube-proxy switch from IPVS to IPTables mode. (gardener/gardener#5769, @gardener-ci-robot)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.44.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.44.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.44.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.44.2
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.44.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.44.2
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.44.2

gardener - v1.44.1

Published by gardener-robot-ci-3 over 2 years ago

[etcd-backup-restore]

🐛 Bug Fixes

[OPERATOR] Fix defragmentation fail issue which occurs due to x509: failed to validate certificate for 0.0.0.0 because it doesn't contain any IP SANs. (gardener/etcd-backup-restore#459, @ishan16696)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.44.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.44.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.44.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.44.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.44.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.44.1
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.44.1

gardener - v1.44.0

Published by gardener-robot-ci-3 over 2 years ago

[gardener]

✨ New Features

[USER] The static admin kubeconfig for shoot clusters can now be disabled by setting .spec.kubernetes.enableStaticTokenKubeconfig=false in the specification of the Shoot resource. The respective <shoot-name>.kubeconfig secret in the project namespace in the garden cluster will be deleted. (gardener/gardener#5649, @ary1992)
[USER] Project admins can now issue short-lived cluster-admin kubeconfigs by using the shoots/adminkubeconfig subresource. Please consult this document for more information. (gardener/gardener#5649, @ary1992)
[OPERATOR] The nodes annotated with node.machine.sapcloud.io/not-managed-by-mcm="1" are no longer considered in health checks ran by the worker controller. (gardener/gardener#5697, @acumino)
[OPERATOR] gardener-seed-admission-controller now supports enabling profiling handlers. See this document for more details. (gardener/gardener#5651, @ialidzhikov)
[OPERATOR] etcd nodes on Shoots labeled with .spec.purpose=infrastructure get UpdateMode=off instead of MaintenanceWindow, which means, they only get scaled up, never down. (gardener/gardener#5645, @voelzmo)
[DEVELOPER] The secrets manager is now able to automatically renew secrets which are about to expire. This is done as part of the regular reconciliation flows when the respective secret has reached 80% of its validity. (gardener/gardener#5679, @rfranzke)

🐛 Bug Fixes

[DEVELOPER] references.InjectAnnotations now considers Secrets/ConfigMaps in projected volumes. This fixes an issue where the garbage collector part of gardener-resource-manager could clean up in-use Secrets or ConfigMaps which were only referenced by projected volumes. (gardener/gardener#5692, @rfranzke)

🏃 Others

[OPERATOR] cluster-autoscaler will be restarted together with other control plane components during shoot maintenance time windows. (gardener/gardener#5721, @plkokanov)
[OPERATOR] Existing annotations or labels on ManagedResources are now kept during shoot reconciliations. Earlier, they were reverted. (gardener/gardener#5715, @rfranzke)
[OPERATOR] Split VPA count in dashboard by API version (gardener/gardener#5695, @voelzmo)
[OPERATOR] Creation of source BackupEntries is allowed by the gardenlet responsible for the seed indicated by the BackupEntry.Spec.SeedName if the spec of the source BackupEntry matches the spec of the already existing BackupEntry for the shoot cluster. (gardener/gardener#5680, @plkokanov)
[OPERATOR] Logs from shoot components can beretrieved only from pods running in the shoot kube-system namespace (gardener/gardener#5677, @vlvasilev)
[OPERATOR] Add several panels to identify issues with DNS cache host limit faster. (gardener/gardener#5660, @ScheererJ)
[OPERATOR] gardener-resource-manager now supports enabling profiling handlers. See this document for more details. (gardener/gardener#5654, @acumino)
[OPERATOR] The gardener control plane helm chart does now define a PriorityClass for gardener control plane components (gardener-apiserver, gardener-admission-controller, gardener-controller-manager and gardener-scheduler) to make sure that they have high priority in the scheduling queue and that they are not preempted (evicted) in favour of other Pods. (gardener/gardener#5652, @ialidzhikov)
[OPERATOR] Increased maximum number of hosts in the dns cache config of the envoy proxy side car of vpn-seed-server. (gardener/gardener#5640, @ScheererJ)
[OPERATOR] The shoot logging stack in Seed is deployed only after the gardener-resource-manager becomes ready. (gardener/gardener#5632, @shafeeqes)
[OPERATOR] The shoot.spec.seedName field can no longer be changed together with other changes to the shoot.spec. Additionally the shoot.spec field can no longer be changed if the shoot.status.lastOperation is migrate or restore and it has not completed successfully yet. (gardener/gardener#5587, @plkokanov)
[OPERATOR] istiod and istio-ingressgateway do now define a PriorityClass to make sure that they have high priority in the scheduling queue and that they are not preempted (evicted) in favour of other Pods. (gardener/gardener#5468, @DockToFuture)
[OPERATOR] Gardenlet related configmaps and secrets are now using unique names. If you deploy the Gardenlet yourself using helm charts you need to take care of deleting the old, now-unused secrets and configmaps yourself. (gardener/gardener#5038, @BeckerMax)
[DEPENDENCY] The ExtensionLabels admission plugin of gardener-apiserver now supports the SecretBinding resource. It will now maintain the provider type label on the resource which will allow extension admission components to select resources with a given provider type using an object selector. (gardener/gardener#5681, @ialidzhikov)
[DEPENDENCY] The SecretBinding types now implement the core.Object interface which makes possible usage of the SecretBinding types with the GardenCoreProviderType predicate. (gardener/gardener#5665, @ialidzhikov)

📰 Noteworthy

[OPERATOR] The etcd pods for shoot control planes will be restarted during the first shoot reconciliation. (gardener/gardener#5693, @gardener-robot-ci-3)
[OPERATOR] Memory limits of all shoot control plane or system components have been removed or adjusted according to measured usage to prevent OOMKills due to reaching the limits. (gardener/gardener#5689, @stoyanr)
[OPERATOR] dependency-watchdog-probe does no longer use a client certificate but an auto-rotated ServiceAccount token which is only valid for 12h. (gardener/gardener#5685, @rfranzke)
[OPERATOR] VPA resources now use controlledValues: RequestsOnly to prevent the VPA mechanism from proportionally changing the limits, which doesn't make sense. (gardener/gardener#5638, @stoyanr)
[OPERATOR] CPU limits from all gardener components have been removed to prevent CPU throttling due to reaching limits. (gardener/gardener#5627, @stoyanr)
[OPERATOR] It is no longer possible to force the kube-apiserver of shoot clusters to write secrets in plain text to etcd. (gardener/gardener#5616, @rfranzke)

[dependency-watchdog]

🐛 Bug Fixes

[OPERATOR] A bug is fixed which allowed dependency-watchdog to not ignore scaling operations on deployment which are not enabled/deployed in a given cluster (gardener/dependency-watchdog#46, @acumino)
- A bug with uploading of a rotated dependency-watchdog-probe secrets is now fixed by refreshing the clients with updated secrets.

📰 Noteworthy

[OPERATOR] A dependent's scaling up/down can be ignored by DWD now by adding the annotation dependency-watchdog.gardener.cloud/ignore-scaling to the deployment (gardener/dependency-watchdog#49, @himanshu-kun)

[etcd-backup-restore]

✨ New Features

[OPERATOR] To Dynamically load Iaas credentials, added support to pass the credentials through file mount. (gardener/etcd-backup-restore#435, @ishan16696)
[OPERATOR] The support to pass the credentials through environment variables will get deprecated by etcd-backup-restore v0.18.0 (gardener/etcd-backup-restore#435, @ishan16696)
[OPERATOR] Added the leader-election to the backup-restore. Added support to allow only backup-restore Leader to take/upload the snapshots and trigger the defragmentation. (gardener/etcd-backup-restore#353, @ishan16696)

🏃 Others

[OPERATOR] The used Golang version was updated to 1.17. (gardener/etcd-backup-restore#445, @timuthy)
[OPERATOR] Fixed etcd-backup-restore exiting immediately on SIGTERM without proper context cancellation (gardener/etcd-backup-restore#440, @sibucan)
[OPERATOR] Added support for non-AWS S3-compatible providers by specifying a custom endpoint. (gardener/etcd-backup-restore#431, @sibucan)
[OPERATOR] Failed backups won't fail the readinessProbe thus etcd is allowed to keep serving the incoming traffic. (gardener/etcd-backup-restore#411, @ishan16696)
[OPERATOR] Added CLI flags --backoff-multiplier, --backoff-attempt-limit and --backoff-threshold-time to configure the exponential-backoff mechanism. (gardener/etcd-backup-restore#411, @ishan16696)
[OPERATOR] Upgrade the Go from v1.14 to v1.16 (gardener/etcd-backup-restore#405, @ishan16696)

[etcd-druid]

⚠️ Breaking Changes

[OPERATOR] The default leader election resource lock of etcd-druid has been changed from configmapsleases to leases. (gardener/etcd-druid#281, @acumino)
- Please make sure, that you had at least [email protected] running before upgrading so that it has successfully acquired leadership with the hybrid resource lock (configmapsleases) at least once.
[OPERATOR] Using the etcd client service for server communication (default port 2380) has been deprecated. The port will be removed from the service in the near future. If necessary, switch to the new peer service instead. (gardener/etcd-druid#273, @timuthy)
[OPERATOR] The claiming logic for services has been removed from Etcd-Druid. This means that existing service objects cannot be adopted anymore but a new and dedicated object is created. Please check any usages for already adopted services and switch to the dedicated <etcd-name>-client service. (gardener/etcd-druid#273, @timuthy)
[DEVELOPER] Make target install-requirements was dropped. Instead, required 3rd party binaries are automatically installed to a local bin dir (./hack/tools/bin). (gardener/etcd-druid#261, @timuthy)

✨ New Features

[OPERATOR] To Dynamically load Iaas credentials, added support to pass the credentials through secret mount. (gardener/etcd-druid#301, @ishan16696)
[OPERATOR] Set File Path through Env: <ProviderName>_APPLICATION_CREDENTIALS (gardener/etcd-druid#301, @ishan16696)
[OPERATOR] Leader-election specifications can be configured through Etcd resource spec via .spec.backup.leaderElection. (gardener/etcd-druid#285, @ishan16696)
[OPERATOR] A new service (<etcd-name>-peer) for etcd peer communication (default port 2380) is now created by Etcd-Druid. (gardener/etcd-druid#273, @timuthy)
[OPERATOR] Etcd-Druid now creates member Lease objects which enables the heartbeat functionality for etcd members. Along the way a new flag --etcd-member-unknown-threshold was introduced. It determines the duration after which a etcd member's state is considered unknown when the member Lease is not renewed. (gardener/etcd-druid#262, @timuthy)
[DEVELOPER] When --disable-etcd-serviceaccount-automount is set to true then the .automountServiceAccountToken will be set to false for the ServiceAccount created for etcd. (gardener/etcd-druid#277, @rfranzke)

🐛 Bug Fixes

[OPERATOR] A bug has been fixed which prevented the ServiceAccount's automountServiceAccountToken field from being reconciled. (gardener/etcd-druid#317, @rfranzke)
[OPERATOR] The default CPU and memory limits for etcd and backup-restore containers have been removed to enable removal of limits via the Etcd resource. (gardener/etcd-druid#312, @stoyanr)
[OPERATOR] A bug has been fixed which caused the etcd-druid not removing its finalizers from referenced secrets in Etcd resources when those references changed. (gardener/etcd-druid#310, @rfranzke)
[OPERATOR] A bug has been fix which caused the Nil pointer exception in EtcdCopyBackupsTask. (gardener/etcd-druid#306, @ishan16696)
[OPERATOR] A bug has been fixed that led to multiple update conflicts when the etcd resource was reconciled. (gardener/etcd-druid#263, @timuthy)
[OPERATOR] A bug has been fixed which caused the etcd.status.clusterSize only being set for new etcd resources (gardener/etcd-druid#260, @timuthy)

🏃 Others

[OPERATOR] The ETCD backup restore is now configured to support Local provider in container environment. (gardener/etcd-druid#300, @kris94)
[OPERATOR] The Golang version which is used to build Etcd-Druid was updated to 1.17.6. (gardener/etcd-druid#294, @timuthy)
[OPERATOR] Please be aware that Etcd-Druid needs to re-create the etcd StatefulSet if the etcd cluster is scaled up from 1 -> x for the first time. (gardener/etcd-druid#293, @timuthy)
[OPERATOR] The amount of active reconciliations has been limited to improve performance, CPU, memory and network consumption. (gardener/etcd-druid#276, @timuthy)
[OPERATOR] Updated labels used in compaction job to differentiate them from etcd pods. This allows for pod scheduling policies to schedule compaction jobs on predetermined nodes (gardener/etcd-druid#270, @aaronfern)
[OPERATOR] feature operator (gardener/etcd-druid#250, @breuerfelix)
- Deploying and maintaining the correct PodDisruptionBudget configuration according to Etcd resource status
[DEVELOPER] The handling for 3rd party binaries (e.g. controller-gen), usually required for Make targets, has been improved. Instead of installing those tools to a global directory, a dedicated local directory of in the code repository is used (hack/tools/bin). (gardener/etcd-druid#261, @timuthy)

📰 Noteworthy

[DEVELOPER] The CA data key is now configurable under .spec.etcd.tls.tlsCASecretRef.dataKey. It still defaults to ca.crt if not provided. (gardener/etcd-druid#309, @rfranzke)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.44.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.44.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.44.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.44.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.44.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.44.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.44.0

gardener - v1.41.8

Published by gardener-robot-ci-2 over 2 years ago

[gardener]

🏃 Others

[OPERATOR] istiod and istio-ingressgateway do now define a PriorityClass to make sure that they have high priority in the scheduling queue and that they are not preempted (evicted) in favour of other Pods. (gardener/gardener#5698, @ScheererJ)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.41.8
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.41.8
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.41.8
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.41.8
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.41.8
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.41.8
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.41.8

gardener - v1.42.5

Published by gardener-robot-ci-1 over 2 years ago

[gardener]

🏃 Others

[OPERATOR] istiod and istio-ingressgateway do now define a PriorityClass to make sure that they have high priority in the scheduling queue and that they are not preempted (evicted) in favour of other Pods. (gardener/gardener#5699, @ScheererJ)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.42.5
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.42.5
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.42.5
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.42.5
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.42.5
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.42.5
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.42.5

gardener - v1.43.2

Published by gardener-robot-ci-1 over 2 years ago

[gardener]

🏃 Others

[OPERATOR] istiod and istio-ingressgateway do now define a PriorityClass to make sure that they have high priority in the scheduling queue and that they are not preempted (evicted) in favour of other Pods. (gardener/gardener#5700, @ScheererJ)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.43.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.43.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.43.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.43.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.43.2
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.43.2
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.43.2

gardener - v1.42.4

Published by gardener-robot-ci-3 over 2 years ago

[gardener]

✨ New Features

[OPERATOR] etcd nodes on Shoots labeled with .spec.purpose=infrastructure get UpdateMode=off instead of 'MaintenanceWindow`, which means, they only get scaled up, never down. (gardener/gardener#5647, @rfranzke)

🏃 Others

[OPERATOR] Increased maximum number of hosts in the dns cache config of the envoy proxy side car of vpn-seed-server. (gardener/gardener#5642, @rfranzke)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.42.4
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.42.4
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.42.4
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.42.4
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.42.4
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.42.4
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.42.4

gardener - v1.41.7

Published by gardener-robot-ci-3 over 2 years ago

[gardener]

✨ New Features

[OPERATOR] etcd nodes on Shoots labeled with .spec.purpose=infrastructure get UpdateMode=off instead of 'MaintenanceWindow`, which means, they only get scaled up, never down. (gardener/gardener#5646, @rfranzke)

🏃 Others

[OPERATOR] Increased maximum number of hosts in the dns cache config of the envoy proxy side car of vpn-seed-server. (gardener/gardener#5643, @rfranzke)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.41.7
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.41.7
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.41.7
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.41.7
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.41.7
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.41.7
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.41.7

gardener - v1.43.1

Published by gardener-robot-ci-1 over 2 years ago

[gardener]

✨ New Features

[OPERATOR] etcd nodes on Shoots labeled with .spec.purpose=infrastructure get UpdateMode=off instead of 'MaintenanceWindow`, which means, they only get scaled up, never down. (gardener/gardener#5648, @rfranzke)

🏃 Others

[OPERATOR] Increased maximum number of hosts in the dns cache config of the envoy proxy side car of vpn-seed-server. (gardener/gardener#5641, @rfranzke)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.43.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.43.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.43.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.43.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.43.1
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.43.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.43.1

gardener - v1.43.0

Published by gardener-robot-ci-3 over 2 years ago

[gardener]

⚠️ Breaking Changes

[USER] When the Gardener operators enable the ShootMaxTokenExpirationOverwrite feature gate then values for the .spec.kubernetes.kubeAPIServer.serviceAccountConfig.maxTokenExpiration field in the ShootSpec not in [30d,90d] will be overwritten to be within these boundaries. When they enable the ShootMaxTokenExpirationValidation feature gate then values in [30d,90d] are enforced. Adapt your shoot specifications to match these requirements! (gardener/gardener#5550, @rfranzke)
[OPERATOR] The ShootExtensionStatus resource is no longer served from the core.gardener.cloud resource group by the gardener-apiserver. The resource was intended to hold information of the provider status fields from extensions resources from the Seed cluster but actually a controller acting on this resource was never added. (gardener/gardener#5618, @ialidzhikov)
[OPERATOR] If you maintain ResourceQuota objects in the endusers' Project namespaces, make sure to increase the secrets quota, so that the new <shoot-name>.ca-cluster secret can be synced to the garden cluster (see documentation). (gardener/gardener#5612, @timebertt)
[DEVELOPER] Remove all landscaper related code. (gardener/gardener#5481, @danielfoehrKn)
[DEPENDENCY] Extensions using the token requestor (and hence the generic-token-kubeconfig secret) should switch to using extensionscontroller.GenericTokenKubeconfigSecretNameFromCluster in order to extract the name of the correct secret. This is a prerequisite for CA rotation. (gardener/gardener#5510, @rfranzke)

✨ New Features

[USER] There is a new Secret for each Shoot in the corresponding Project Namespace (<shoot-name>.ca-cluster) which contains the current CA bundle for establishing trust to the Shoot's API server (see documentation). (gardener/gardener#5612, @timebertt)
[OPERATOR] Logs of the gardener components in the shoot's kube-system are scraped and available for the operators. (gardener/gardener#5600, @vlvasilev)
[OPERATOR] Allow the seed-prometheus to scrape pods labeled with networking.gardener.cloud/from-prometheus: allowed (gardener/gardener#5582, @voelzmo)
[OPERATOR] Allow the seed-prometheus to scrape VPA recommender and VPA updater (gardener/gardener#5582, @voelzmo)
[OPERATOR] The 'apiserver_audit_(event|error)_total' metrics of the shoot clusters are now preserved in the aggregated prometheus of the seed. (gardener/gardener#5573, @vpnachev)
[OPERATOR] It is now possible to exclude ManagedResources from reconciliation by annotating the resources with resources.gardener.cloud/ignore=true. (gardener/gardener#5556, @rfranzke)
[OPERATOR] A new controller in the gardenlet for syncing Secrets in shoot namespaces to ShootState resources has been introduced. It persists all marked secrets so that they can be used for restoration in case of a disaster or a control plane migration. (gardener/gardener#5503, @rfranzke)
[OPERATOR] The storage capacity of the central Loki is now configurable (via the gardenlet's component config). The default storage capacity is increased from 30Gi to 100Gi. (gardener/gardener#5390, @vlvasilev)
[DEVELOPER] A new manager for secrets related to seed or shoot clusters has been introduced. Please consult the documentation for more information. (gardener/gardener#5503, @rfranzke)

🐛 Bug Fixes

[USER] A bug preventing the nodeTemplate in Machines to be updated when the machine type was changed has been fixed. (gardener/gardener#5577, @himanshu-kun)
[USER] A race condition has been fixed which can lead to pods without any projected token volumes for newly created shoots. (gardener/gardener#5549, @rfranzke)
[USER] A bug causing shoot reconciliations or deletions to fail with "no matches for kind" errors has been fixed. (gardener/gardener#5539, @rfranzke)
[OPERATOR] The CheckDaemonSet func does no longer return err for a DaemonSet that is in ongoing rollout and has allowed number of unavailable replicas during the rollout. (gardener/gardener#5628, @ialidzhikov)
[OPERATOR] An issue causing update request to SecretBinding with provider=nil to wrongly be rejected when the SecretBindingProviderValidation feature gate is enabled is now fixed. (gardener/gardener#5617, @ialidzhikov)
[OPERATOR] An issue has been fixed leading to shoot namespaces in the seed blocking deletion due to referenced objects with finalizers. (gardener/gardener#5557, @rfranzke)
[OPERATOR] An issue causing Shoot deletion to fail in a rare case when the corresponding Shoot Namespace in the Seed is already terminating is now fixed. (gardener/gardener#5555, @ialidzhikov)
[OPERATOR] preserve service annotations for nginx-ingress-controller and istio-ingressgateway services (gardener/gardener#5457, @FlorinPeter)
[DEVELOPER] Fixed an indentation issue in the VPA charts which caused a validation error when executing ./hack/check-charts.sh ./charts (gardener/gardener#5615, @voelzmo)
[DEVELOPER] The helm version is now updated to v3.6.3 to prevent make install-requirements from failing on M1 Macs. (gardener/gardener#5546, @briantopping)
[DEPENDENCY] A bug in the extensions health check library has been fixed which could prevent status reporting for the Worker resources. (gardener/gardener#5589, @rfranzke)

📖 Documentation

[USER] Added documentation about enabling the CopyEtcdBackupsDuringControlPlaneMigration feature gate so that etcd backups are copied to the destination seed's BackupBucket during control plane migration. (gardener/gardener#5620, @plkokanov)
[OPERATOR] The feature gate documentation does now contain information about which of the feature gates are relevant for which Gardener components. (gardener/gardener#5535, @rfranzke)
[DEVELOPER] Added documentation about using the owner check mechanism introduced for the "bad case" scenario of control plane migration when implementing Reconcilers for new extension controllers. (gardener/gardener#5620, @plkokanov)

🏃 Others

[OPERATOR] The file permissions of the keys in vpn-shoot are now properly set so that openvpn will not issue warnings. (gardener/gardener#5614, @ScheererJ)
[OPERATOR] SeedKubeScheduler: gardenlet does now configure gardener-kube-scheduler running on K8s 1.23 Seed clusters with KubeSchedulerConfiguration from the kubescheduler.config.k8s.io/v1beta3 API version. (gardener/gardener#5584, @ialidzhikov)
[OPERATOR] The Golang version was bumped to 1.17.8. (gardener/gardener#5575, @ialidzhikov)
[OPERATOR] The kubectl get secretbinding table view was adapted to show the provider type field of the SecretBinding resource. (gardener/gardener#5566, @ialidzhikov)
[OPERATOR] Increased the static memory limit of kube-proxy for cases where the vertical pod autoscaler is not acting as planned. (gardener/gardener#5552, @ScheererJ)
[OPERATOR] SeedKubeScheduler: gardenlet does now configure gardener-kube-scheduler running on K8s 1.22 Seed clusters with KubeSchedulerConfiguration from the kubescheduler.config.k8s.io/v1beta2 API version. (gardener/gardener#5538, @ialidzhikov)
[OPERATOR] The pods grafana dashboard now includes the node name and the pod/node ips per pod as well as a link to the node dashboard. (gardener/gardener#5537, @ScheererJ)
[OPERATOR] The systemd services deployed to each shoot cluster worker node do no longer LIST nodes calls. Instead, the name of the node is fetched once and then stored in a file on the disk so that the systemd services can do GET node calls with the respective name of the node. This should reduce the load on the kube-apiserver and etcd. (gardener/gardener#5529, @rfranzke)

📰 Noteworthy

[USER] There is a new section in the ShootStatus under .status.credentials.rotation.sshKeypair describing when the SSH keypair rotation was last initiated and last completed. (gardener/gardener#5583, @rfranzke)
[USER] There is a new section in the ShootStatus under .status.credentials.rotation.kubeconfig describing when the kubeconfig rotation was last initiated and last completed. (gardener/gardener#5524, @rfranzke)
[OPERATOR] There are two new feature gates affecting the values for the .spec.kubernetes.kubeAPIServer.serviceAccountConfig.maxTokenExpiration field in the ShootSpec: (gardener/gardener#5550, @rfranzke)
- ShootMaxTokenExpirationOverwrite - if enabled then the gardener-apiserver overwrites any values for .spec.kubernetes.kubeAPIServer.serviceAccountConfig.maxTokenExpiration which are not in [30d,90d] to the respective boundary
- ShootMaxTokenExpirationValidation - if enabled then the gardener-apiserver enforces that values for .spec.kubernetes.kubeAPIServer.serviceAccountConfig.maxTokenExpiration are in [30d,90d]
- It is recommended to first enable ShootMaxTokenExpirationOverwrite to not break users specifying other values, and after some time enable ShootMaxTokenExpirationValidation to enforce the boundaries are respected. This is required to ensure all Gardener system components remain functional now that they leverage auto-rotated tokens requested by the TokenRequest API.
[OPERATOR] The DNSRecord extension resources for shoot clusters are now only reconciled during shoot creation or maintenance or when they are unhealthy. Similarly, the DNSRecord extension resource for seed cluster is now only reconciled during seed creation or when it is unhealthy. Both is to prevent flooding DNS provider APIs which typically have quite low rate limits. (gardener/gardener#5531, @rfranzke)

[autoscaler]

🏃 Others

[USER] CA now balances between similar node groups properly during scale-from-zero. (gardener/autoscaler#114, @himanshu-kun)
[DEVELOPER] Gardener CA now supports basic IT to run locally. (gardener/autoscaler#111, @AxiomSamarth)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.43.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.43.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.43.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.43.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.43.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.43.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.43.0

gardener - v1.41.6

Published by gardener-robot-ci-1 over 2 years ago

[gardener]

✨ New Features

[OPERATOR] The 'apiserver_audit_(event|error)_total' metrics of the shoot clusters are now preserved in the aggregated prometheus of the seed. (gardener/gardener#5597, @vpnachev)

🐛 Bug Fixes

[USER] A bug preventing the nodeTemplate in Machines to be updated when the machine type was changed has been fixed. (gardener/gardener#5603, @rfranzke)
[DEPENDENCY] A bug in the extensions health check library has been fixed which could prevent status reporting for the Worker resources. (gardener/gardener#5590, @timebertt)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.41.6
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.41.6
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.41.6
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.41.6
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.41.6
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.41.6
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.41.6

gardener - v1.40.5

Published by gardener-robot-ci-2 over 2 years ago

[gardener]

✨ New Features

[OPERATOR] The 'apiserver_audit_(event|error)_total' metrics of the shoot clusters are now preserved in the aggregated prometheus of the seed. (gardener/gardener#5596, @vpnachev)

🐛 Bug Fixes

[USER] A bug preventing the nodeTemplate in Machines to be updated when the machine type was changed has been fixed. (gardener/gardener#5604, @rfranzke)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.40.5
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.40.5
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.40.5
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.40.5
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.40.5
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.40.5
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.40.5

gardener - v1.42.3

Published by gardener-robot-ci-1 over 2 years ago

[gardener]

✨ New Features

[OPERATOR] The 'apiserver_audit_(event|error)_total' metrics of the shoot clusters are now preserved in the aggregated prometheus of the seed. (gardener/gardener#5598, @vpnachev)

🐛 Bug Fixes

[USER] A bug preventing the nodeTemplate in Machines to be updated when the machine type was changed has been fixed. (gardener/gardener#5602, @rfranzke)
[DEPENDENCY] A bug in the extensions health check library has been fixed which could prevent status reporting for the Worker resources. (gardener/gardener#5591, @timebertt)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.42.3
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.42.3
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.42.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.42.3
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.42.3
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.42.3
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.42.3