[gardener]

⚠️ Breaking Changes

• [USER] Earlier, Gardener created certificates with Common Name: system:apiserver for the Kube-Apiserver. In order to be DNS-1123 compliant, this certificate field is changed to Common Name: kube-apiserver for new shoot clusters. (#4467, @timuthy)
• [OPERATOR] Kubernetes will remove the built-in dockershim, which means eventually all Gardener Shoots will need to switch to containerd. Operators of Gardener and Shoot owners need to take action, please continue reading our detailed guide about the why, what, and when! (#4452, @voelzmo)
• [OPERATOR] The following changes have been made incompatibly to the GardenerSchedulerConfiguration: (#4320, @xrstf)
  • The configuration key server has been refined into healthProbes and metrics. Note that both cannot be listening on the same port.
  • The CachedRuntimeClients feature gate has been removed, objects are now always cached.
  • lockObjectName was removed in favor of resourceName.
  • lockObjectNamespace was removed in favor of resourceNamespace.
• [OPERATOR] If you deploy Gardener with the provided Helm charts, note that the metrics endpoint for the Gardener-Scheduler is now exposed via a service on port 9090. (#4320, @xrstf)

🐛 Bug Fixes

• [USER] The symmetric keys HS256, HS384 and HS512 are now removed from the valid OIDC Signing algorithms as they are not supported by the kubernetes API server. (#4470, @plkokanov)
• [OPERATOR] Keep the already available replicas of kube-controller-manager (if any) during Create operations regardless of whether hibernation is enabled or not. (#4479, @plkokanov)
• [OPERATOR] Keep kube-apiserver HPA scale down mode Auto even when scale down is disabled. The scale down is naturally disabled because minReplicas and maxReplicas are set to be equal. (#4451, @amshuman-kr)

🏃 Others

• [OPERATOR] A bug has been fixed which prevented the CSR auto-approval process for Gardenlet certificates when the SeedAuthorizer is enabled. Hence, the user certificate used by Gardenlet to connect to the Garden cluster was not renewed successfully. (#4502, @timuthy)
• [OPERATOR] Azure errors with OverconstrainedZonalAllocationRequest error code are now classified as configuration problems. (#4482, @plkokanov)
• [OPERATOR] Improved handling of the shoot resource in the shoot controller to ensure that data races are avoided as much as possible. (#4459, @stoyanr)
• [OPERATOR] Ensured that the backup entry name is generated only once using non-empty strings to prevent issues with backup entry names generated as --. (#4454, @stoyanr)
• [OPERATOR] Projects are now reconciled every time a shoot is created. (#4447, @kris94)
• [OPERATOR] Grafana discovers available logging components at runtime for "Controlplane Logs Dashboard" (#4387, @vlvasilev)
• [DEVELOPER] Added new staticchecks by bumping golangci-lint. Please make sure to update your local installation of golangci-lint, e.g. by running make install-requirements (#4475, @voelzmo)

[logging]

🏃 Others

• [DEVELOPER] Add Telegraf image to the ci pipeline (gardener/logging#104, @vlvasilev)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.29.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.29.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.29.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.29.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.29.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.29.0
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.29.0

[gardener]

🐛 Bug Fixes

• [USER] The symmetric keys HS256, HS384 and HS512 are now removed from the valid OIDC Signing algorithms as they are not supported by the kubernetes API server. (#4473, @plkokanov)
• [OPERATOR] Keep kube-apiserver HPA scale down mode Auto even when scale down is disabled. The scale down is naturally disabled because minReplicas and maxReplicas are set to be equal. (#4469, @amshuman-kr)

🏃 Others

• [OPERATOR] Ensured that the backup entry name is generated only once using non-empty strings to prevent issues with backup entry names generated as --. (#4455, @stoyanr)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.26.3
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.26.3
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.26.3
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.26.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.26.3
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.26.3
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.26.3

[gardener]

🐛 Bug Fixes

• [USER] The symmetric keys HS256, HS384 and HS512 are now removed from the valid OIDC Signing algorithms as they are not supported by the kubernetes API server. (#4472, @plkokanov)
• [OPERATOR] Keep kube-apiserver HPA scale down mode Auto even when scale down is disabled. The scale down is naturally disabled because minReplicas and maxReplicas are set to be equal. (#4468, @amshuman-kr)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.27.5
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.27.5
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.27.5
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.27.5
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.27.5
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.27.5
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.27.5

[gardener]

🐛 Bug Fixes

• [USER] The symmetric keys HS256, HS384 and HS512 are now removed from the valid OIDC Signing algorithms as they are not supported by the kubernetes API server. (#4471, @plkokanov)
• [OPERATOR] Keep kube-apiserver HPA scale down mode Auto even when scale down is disabled. The scale down is naturally disabled because minReplicas and maxReplicas are set to be equal. (#4466, @amshuman-kr)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.28.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.28.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.28.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.28.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.28.2
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.28.2
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.28.2

[gardener]

🏃 Others

• [OPERATOR] Ensured that the backup entry name is generated only once using non-empty strings to prevent issues with backup entry names generated as --. (#4457, @stoyanr)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.28.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.28.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.28.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.28.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.28.1
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.28.1
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.28.1

[gardener]

🏃 Others

• [OPERATOR] Ensured that the backup entry name is generated only once using non-empty strings to prevent issues with backup entry names generated as --. (#4456, @stoyanr)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.27.4
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.27.4
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.27.4
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.27.4
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.27.4
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.27.4
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.27.4

[gardener]

⚠️ Breaking Changes

• [OPERATOR] Gardener now requires seed clusters to run at least Kubernetes version 1.18. Please update your seed clusters if necessary before updating to this Gardener version. Older Kubernetes releases will not be supported any more. Please note, the version support for shoot clusters is not affected by this change. (#4426, @timuthy)

✨ New Features

• [OPERATOR] Gardener API server now has a feature gate DisallowKubeconfigRotationForShootInDeletion , disabled by default, that disallows kubeconfig rotation to be requested for shoot cluster in deletion. (#4379, @vpnachev)
• [OPERATOR] Shoot SSH Keys are regularly rotated, with both the current and previous key being deployed onto each shoot node. (#4224, @xrstf)
• [DEVELOPER] Support option requiring shoot connection to be external (#4366, @deitch)

🐛 Bug Fixes

• [USER] A fix included in v1.27.0 and v1.27.1 was reverted, because it introduced a regression which caused clusters configured with containerd as a runtime to fail to reconcile (see https://github.com/gardener/gardener/issues/4390 for more details). This now means that bug https://github.com/gardener/gardener/issues/4254 still exists in gardener >1.27.1. (#4408, @voelzmo)
• [OPERATOR] A bug has been fixed which caused seed clusters running Kubernetes v1.15 not to get ready. (#4431, @timuthy)
• [OPERATOR] An issue that was not allowing creation of garden Project (with .spec.namespace=garden) is now fixed. (#4423, @mliepold)
• [OPERATOR] A bug in the cloud config downloader script that was generating error messages like bash: line 161: ;: command not found has been fixed. (#4355, @vpnachev)

🏃 Others

• [OPERATOR] A potential race condition in gardenlet that can lead to nil pointer dereference during the deletion of hibernated Shoot is now fixed. (#4439, @ialidzhikov)
• [OPERATOR] Fluent-bit priority class value is increased from 50 to 150 (#4407, @vlvasilev)
• [OPERATOR] The SSH keypair rotation on maintenance window is now set behind a new alpha feature gate in gardener-controller-manager - RotateSSHKeypairOnMaintenance . (#4397, @ialidzhikov)
• [OPERATOR] Upgrade grafana to 7.5.10 (#4389, @wyb1)

[autoscaler]

🐛 Bug Fixes

• [USER] Avoids panics when VM type isn't found during scale from zero (gardener/autoscaler#81, @ialidzhikov)
• [USER] Fetches the VM from the correct map for MCM provider Azure and hence doesn't panic anymore (gardener/autoscaler#81, @ialidzhikov)

[gardener-resource-manager]

✨ New Features

• [OPERATOR] Don't overwrite resources/replicas of objects annotated with resources.gardener.cloud/preserve-{resources,replicas}. (gardener/gardener-resource-manager#122, @harishmanasa)
• [DEVELOPER] The gardener-resource-manager now features an optional garbage collector controller (disabled by default) for immutable ConfigMaps/Secrets. Please take a look at this document if you want to use it. (gardener/gardener-resource-manager#127, @rfranzke)

🐛 Bug Fixes

• [OPERATOR] Fix the --version flag to print the appropriate metadata. (gardener/gardener-resource-manager#129, @ialidzhikov)

📰 Noteworthy

• [DEVELOPER] Most dependencies have been revendored, most prominently: (gardener/gardener-resource-manager#126, @rfranzke)
  • github.com/gardener/[email protected]
  • k8s.io/*@v0.21.2
  • sigs.k8s.io/[email protected]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.28.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.28.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.28.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.28.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.28.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.28.0
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.28.0

[gardener]

🐛 Bug Fixes

• [OPERATOR] A bug has been fixed which caused seed clusters running Kubernetes v1.15 not to get ready. (#4432, @timuthy)
• [OPERATOR] An issue that was not allowing creation of garden Project (with .spec.namespace=garden) is now fixed. (#4429, @ialidzhikov)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.27.3
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.27.3
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.27.3
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.27.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.27.3
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.27.3
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.27.3

[gardener]

🐛 Bug Fixes

• [OPERATOR] An issue that was not allowing creation of garden Project (with .spec.namespace=garden) is now fixed. (#4430, @ialidzhikov)

[autoscaler]

🐛 Bug Fixes

• [USER] Avoids panics when VM type isn't found during scale from zero (gardener/autoscaler#81, @ialidzhikov)
• [USER] Fetches the VM from the correct map for MCM provider Azure and hence doesn't panic anymore (gardener/autoscaler#81, @ialidzhikov)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.26.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.26.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.26.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.26.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.26.2
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.26.2
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.26.2

[autoscaler]

🐛 Bug Fixes

• [USER] Avoids panics when VM type isn't found during scale from zero (gardener/autoscaler#81, @ialidzhikov)
• [USER] Fetches the VM from the correct map for MCM provider Azure and hence doesn't panic anymore (gardener/autoscaler#81, @ialidzhikov)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.25.4
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.25.4
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.25.4
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.25.4
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.25.4
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.25.4
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.25.4

[gardener]

🐛 Bug Fixes

• [USER] A fix included in v1.27.0 and v1.27.1 was reverted, because it introduced a regression which caused clusters configured with containerd as a runtime to fail to reconcile (see https://github.com/gardener/gardener/issues/4390 for more details). This now means that bug https://github.com/gardener/gardener/issues/4254 still exists in gardener >1.27.1. (#4409, @voelzmo)

[autoscaler]

🐛 Bug Fixes

• [USER] Avoids panics when VM type isn't found during scale from zero (gardener/autoscaler#81, @ialidzhikov)
• [USER] Fetches the VM from the correct map for MCM provider Azure and hence doesn't panic anymore (gardener/autoscaler#81, @ialidzhikov)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.27.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.27.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.27.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.27.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.27.2
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.27.2
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.27.2

[gardener]

🐛 Bug Fixes

• [OPERATOR] A bug in the cloud config downloader script that was generating error messages like bash: line 161: ;: command not found has been fixed. (#4356, @vpnachev)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.27.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.27.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.27.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.27.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.27.1
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.27.1
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.27.1

[gardener]

⚠️ Breaking Changes

• [OPERATOR] Gardenlet does not support seedSelectors anymore; configure an explicit seedConfig in the GardenletConfiguration instead (#4306, @xrstf)
• [OPERATOR] The KonnectivityTunnel feature gate in gardenlet has been dropped and removed from the code. If you upgrade to this Gardener version make sure that the feature gate is disabled and that all shoots were reconciled after you disabled it. (#4247, @rfranzke)

✨ New Features

• [USER] It's now possible to configure the imageGC{High,Low}ThresholdPercent fields for the kubelet configuration (defaults: 50 for the high threshold, 40 for the low threshold) in the Shoot API via .spec.{provider.workers[].}kubernetes.kubelet.imageGC{High,Low}ThresholdPercent. (#4282, @rfranzke)
• [USER] Shoot clusters can now reference an ExposureClass to expose their control plane in various network environments via the .spec.exposureClassName. Find more information in this document. (#4244, @dkistner)
• [OPERATOR] Similar to the NodeAuthorizer and NodeRestriction features in Kubernetes (preventing kubelets from accessing resources which aren't associated with their responsible Nodes), Gardener does now have a SeedAuthorizer and SeedRestriction feature (preventing gardenlets from accessing resources which aren't associated with their Seeds). If you want to enable it for your landscapes then please consult this document. (#4326, @rfranzke)
• [OPERATOR] The external ip attached to the load balancer service belonging to a Seed ingress gateway can now be defined in the configuration for the Gardenlet. This is possible for the default ingress gateway and for the ExposureClass handler ingress gateways. For ExposureClass handler ingress gateways this will only work in combination with the APIServerSNI feature flag (default). (#4319, @dkistner)
• [OPERATOR] Shoot clusters can now use ExposureClasses to expose the control plane in various network environments. The Gardenlet needs to realize the exposure strategy and is therefore required to have the ExposureClass handler configuration in its own config. This can be maintained in the .exposureClassHandlers list of the Gardenlet configuration. Find more information in this document. (#4244, @dkistner)

🐛 Bug Fixes

• [USER] Additional DNS provider Secret is now updated on Shoot deletion. This will allow users to update their invalid Secret data with valid one and now this change will be reflected to the Secret maintained in the Shoot namespace in the Seed. (#4337, @ialidzhikov)
• [USER] Updating to a MachineImageVersion which doesn't support the chosen CRI configuration will now result in a validation error. (#4332, @voelzmo)
• [OPERATOR] A bug that the shoot maintenance controller was upgrading the OS version to higher but deprecated version instead of using lower and supported has been fixed. (#4327, @vpnachev)
• [OPERATOR] A bug that the OS version of worker pool is defaulted to higher and deprecated version instead of lower and supported is now fixed. (#4327, @vpnachev)

🏃 Others

• [USER] Authenticated users can now read/list/watch ExposureClass resources. (#4334, @dkistner)
• [OPERATOR] Envoy used apiserver-proxy and sidecar are upgraded to distroless 1.18.3 version. (#4304, @mvladev)
• [OPERATOR] ManagedIstio now uses distroless images. (#4301, @mvladev)
• [OPERATOR] ManagedIstio is now upgraded to 1.10.2 (#4301, @mvladev)
• [OPERATOR] The MountHostCADirectories feature gate in the gardenlet has been promoted to GA. (#4279, @ialidzhikov)
• [OPERATOR] Optional logging agent can be installed on the shoot nodes (#3813, @vlvasilev)
• [DEVELOPER] Envtests are now run in a dedicated make target (make test-integration). (#4265, @timebertt)
• [DEPENDENCY] Envtests that require the control plane binaries now have to be run using hack/test-integration.sh. Please consult gardener's Makefile as a reference usage. (#4265, @timebertt)

📰 Noteworthy

• [USER] ⚠️ The kubelets on the shoot worker nodes will be restarted in the respective maintenance time windows of the shoot clusters. (#4321, @rfranzke)
• [OPERATOR] The hyperkube image is now only downloaded exactly once per shoot worker node to prevent repetitive, undesired downloads in case the kubelet garbage-collects the image due to excessive root disk usage. (#4321, @rfranzke)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.27.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.27.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.27.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.27.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.27.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.27.0
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.27.0

[gardener]

🐛 Bug Fixes

• [OPERATOR] A bug that the shoot maintenance controller was upgrading the OS version to higher but deprecated version instead of using lower and supported has been fixed. (#4343, @vpnachev)
• [OPERATOR] A bug that the OS version of worker pool is defaulted to higher and deprecated version instead of lower and supported is now fixed. (#4343, @vpnachev)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.24.3
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.24.3
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.24.3
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.24.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.24.3
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.24.3
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.24.3

[gardener]

🐛 Bug Fixes

• [OPERATOR] A bug that the shoot maintenance controller was upgrading the OS version to higher but deprecated version instead of using lower and supported has been fixed. (#4342, @vpnachev)
• [OPERATOR] A bug that the OS version of worker pool is defaulted to higher and deprecated version instead of lower and supported is now fixed. (#4342, @vpnachev)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.25.3
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.25.3
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.25.3
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.25.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.25.3
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.25.3
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.25.3

[gardener]

🐛 Bug Fixes

• [OPERATOR] A bug that the shoot maintenance controller was upgrading the OS version to higher but deprecated version instead of using lower and supported has been fixed. (#4341, @vpnachev)
• [OPERATOR] A bug that the OS version of worker pool is defaulted to higher and deprecated version instead of lower and supported is now fixed. (#4341, @vpnachev)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.26.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.26.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.26.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.26.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.26.1
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.26.1
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.26.1

[gardener]

🐛 Bug Fixes

• [OPERATOR] An issue causing the SNI transition step to fail for a cluster that still didn't transitioned to SNI is now fixed. (#4275, @ialidzhikov)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.25.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.25.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.25.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.25.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.25.2
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.25.2
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.25.2

[gardener]

🐛 Bug Fixes

• [OPERATOR] An issue causing the SNI transition step to fail for a cluster that still didn't transitioned to SNI is now fixed. (#4276, @ialidzhikov)

🏃 Others

• [OPERATOR] Error messages containing RequestLimitExceeded are now treated as ERR_INFRA_RATE_LIMITS_EXCEEDED (instead of ERR_INFRA_QUOTA_EXCEEDED before). (#4256, @vpnachev)
• [OPERATOR] gardener-controller-manager's Seed controller now checks the seed namespace's ownerReferences before adopting it. (#4234, @timebertt)

[autoscaler]

🐛 Bug Fixes

• [USER] Added support for 12 new AWS instance types and 1 Azure instance type to support scale up from zero. (gardener/autoscaler#86, @AxiomSamarth)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.24.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.24.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.24.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.24.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.24.2
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.24.2
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.24.2

[gardener]

🏃 Others

• [OPERATOR] Error messages containing RequestLimitExceeded are now treated as ERR_INFRA_RATE_LIMITS_EXCEEDED (instead of ERR_INFRA_QUOTA_EXCEEDED before). (#4257, @vpnachev)
• [OPERATOR] gardener-controller-manager's Seed controller now checks the seed namespace's ownerReferences before adopting it. (#4235, @timebertt)

[autoscaler]

🐛 Bug Fixes

• [USER] Added support for 12 new AWS instance types and 1 Azure instance type to support scale up from zero. (gardener/autoscaler#86, @AxiomSamarth)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.23.4
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.23.4
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.23.4
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.23.4
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.23.4
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.23.4
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.23.4

[gardener]

⚠️ Breaking Changes

• [USER] Shoot addons are now only allowed on evaluation shoots if the Kubernetes version is >= 1.22. (#4213, @stoyanr)
• [OPERATOR] The obsolete fields SchedulerConfiguration.schedulers.*.retrySyncPeriod have been removed. (#4285, @timebertt)
• [OPERATOR] Gardenlet feature gate NodeLocalDNS was removed and replaced by a shoot specific annotation. (#4249, @ScheererJ)
• [DEVELOPER] make start-gardenlet does not use seedSelector anymore, making the dev gardenlet single-seed only. If you have multiple Seeds in your local setup, you can specify the seed to act on via the SEED_NAME make variable (e.g. make start-gardenlet SEED_NAME=local-foo). (#4270, @xrstf)
• [DEVELOPER] The already deprecated DirectClient has been removed from the codebase entirely. (#4225, @timebertt)

✨ New Features

• [USER] Makes it possible to disable deploying kube-proxy for newly created clusters. Depending on the used networking extension switching off kube-proxy might not be supported yet. Please consult the respective documentation of the used networking extension before disabling kube-proxy. (#4260, @ScheererJ)
• [USER] Do not trigger a node rollout when switching from CRI.Name==nil to CRI.Name==docker. (#4237, @voelzmo)
• [USER] Shoots created with or updated to Kubernetes version >= 1.22 will get containerd as default container runtime. If you upgrade an existing shoot which doesn't specify a cri.name property in its worker pools, this will trigger a graceful node rollout and the container runtime is switched from docker to containerd. (#4222, @voelzmo)
• [USER] It's now possible to override the grace periods for the cleanup steps in the shoot deletion by specifying the following annotations on the Shoot: (#4212, @rfranzke)
  • shoot.gardener.cloud/cleanup-webhooks-finalize-grace-period-seconds (default behaviour: "300")
  • shoot.gardener.cloud/cleanup-extended-apis-finalize-grace-period-seconds (default behaviour: "3600")
  • shoot.gardener.cloud/cleanup-kubernetes-resources-finalize-grace-period-seconds (default behaviour: "300")
  • shoot.gardener.cloud/cleanup-namespaces-finalize-grace-period-seconds (default behaviour: "300")
  • If "0" is provided then all resources are finalized immediately without waiting for any graceful deletion. Please be aware that this might lead to orphaned infrastructure artefacts.
• [OPERATOR] A new ProjectValidator admission plugin has been added (enabled by default). It prevents creating Projects with non-empty .spec.namespace fields if the value in .spec.namespace does not start with garden-. Please note that this admission plugin will be removed in a future release again in favor of the static validation in the gardener-apiserver. (#4228, @rfranzke)
• [OPERATOR] Allow explicit configuration of docker as a container runtime (.spec.provider.workers[].cri.name field in Shoots) for backwards compatibility. Select this only if your workload doesn't run nicely with containerd. This configuration option will be removed in the future! (#4218, @voelzmo)

🐛 Bug Fixes

• [OPERATOR] An issue causing the SNI transition step to fail for a cluster that still didn't transitioned to SNI is now fixed. (#4268, @ialidzhikov)

🏃 Others

• [OPERATOR] The blueprint of the Gardenlet landscaper has been fixed to properly reference the gardenlet-landscaper OCI image (#4283, @danielfoehrKn)
• [OPERATOR] Labels and annotations on the ResourceQuota config get merged with the respective fields on existing ResourceQuotas (#4264, @petersutter)
• [OPERATOR] Martian packets are now explicitly enabled in the kernel settings of the shoot clusters nodes. (#4250, @DockToFuture)
• [OPERATOR] Optimize gardenlet's shoot controller to issue less calls to gardener-apiserver for the highly frequent status updates during reconciliations and normal care operations. (#4246, @timebertt)
• [OPERATOR] Split EnvoyFilter resources from SNI and ReversedVPN into separate resources. (#4242, @DockToFuture)
• [OPERATOR] ManagedIstio version is upgraded to 1.10.1 (#4241, @mvladev)
• [OPERATOR] Error messages containing RequestLimitExceeded are now treated as ERR_INFRA_RATE_LIMITS_EXCEEDED (instead of ERR_INFRA_QUOTA_EXCEEDED before). (#4236, @rfranzke)
• [OPERATOR] gardener-controller-manager's Seed controller now checks the seed namespace's ownerReferences before adopting it. (#4232, @timebertt)
• [OPERATOR] Dashboards use UTC instead of browser time by default (#4229, @wyb1)
• [DEVELOPER] Switch from *metav1.LabelSelector to metav1.LabelSelector in the gardenercore.SeedSelector type in our APIs. This doesn't impose a breaking change for users of the API, however users of the golang types, will have to adapt accordingly. (#4299, @timebertt)

📰 Noteworthy

• [USER] Added a document with recommendations when custom CSI components are deployed into shoot clusters. (#4211, @rfranzke)
• [OPERATOR] The MountHostCADirectories feature gate in the gardenlet has been promoted to beta and is now enabled by default. (#4223, @ialidzhikov)
• [OPERATOR] The gardenlet chart now defines fine-grained RBAC resources for the gardenlet in the Seed cluster. Previously the gardenlet's ServiceAccount was granted with all privileges. With this change the gardenlet's ServiceAccount privileges are limited as much as possible. (#4129, @ialidzhikov)

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.26.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.26.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.26.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.26.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.26.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.26.0
landscaper-gardenlet: eu.gcr.io/gardener-project/gardener/landscaper-gardenlet:v1.26.0