Kubernetes-native system managing the full lifecycle of conformant Kubernetes clusters as a service on Alicloud, AWS, Azure, GCP, OpenStack, vSphere, KubeVirt, Hetzner, EquinixMetal, MetalStack, and OnMetal with minimal TCO.
OTHER License
Published by gardener-robot-ci-3 over 3 years ago
Failed (and no longer retried) on transient not found error is now fixed. (#3508, @ialidzhikov)
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.16.2
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.16.2
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.16.2
gardener-admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.16.2
gardener-seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.16.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.16.2
Published by gardener-robot-ci-1 over 3 years ago
Auto or Recreate. (#3481, @amshuman-kr)
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.16.1
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.16.1
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.16.1
gardener-admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.16.1
gardener-seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.16.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.16.1
Published by gardener-robot-ci-2 over 3 years ago
confirmation.garden.sapcloud.io/deletion and shoot.garden.sapcloud.io/operation are no longer respected by Gardener components. If you are still using the deprecated annotation keys, please switch to the equivalents from the new API group - respectively confirmation.gardener.cloud/deletion and gardener.cloud/operation. (#3375, @ialidzhikov)
controllers.shootCare.staleExtensionHealthCheckThreshold to controllers.shootCare.staleExtensionHealthChecks.{enabled,threshold} in the GardenletConfiguration. It is now configurable and enabled by default. (#3390, @ialidzhikov)
au.<shoot-name>.<project-name>.<seed-ingress-domain>, Grafana - gu.<shoot-name>.<project-name>.<seed-ingress-domain>, go.<shoot-name>.<project-name>.<seed-ingress-domain>, Prometheus - p.<shoot-name>.<project-name>.<seed-ingress-domain> were removed and will not be reachable anymore. Please use the hostnames introduced with Gardener v0.34.0 instead. (#3380, @timuthy)
gardener.cloud/role label key (until now it was garden.sapcloud.io/role) to perform health checks on controlplane components. Make sure you have first upgraded to at least Gardener v1.14 before you upgrade to this version of Gardener. (#3350, @ialidzhikov)
cluster-autoscaler during roll-outs, the following are the minimum versions required for different provider-extensions: gardener-extension-provider-aws v1.16.0, gardener-extension-provider-openstack v1.12.0, gardener-extension-provider-azure v1.14.0, gardener-extension-provider-gcp v1.12.0, gardener-extension-provider-alicloud v1.18.0, gardener-extension-provider-vsphere v0.1.0. (#3332, @hardikdr)
cloudprovider secret has been added in the extensions library. With this change, the EnsurerContext of the genericmutator package has been moved to a separate context package. Please adapt your usage of genericmutator accordingly. (#3348, @kon-angelo)
kubernetes/* and kubernetes-sigs/controller-runtime were updated to v0.19.6 and v0.7.0 respectively. This imposes a lot of consequent breaking changes to Go projects vendoring gardener/gardener. If your project/extension vendors gardener/gardener, please read the dedicated section in this issue carefully when upgrading your dependencies. (#3393, @timebertt)
pkg/utils/secrets.BasicAuthSecretConfig no longer allows generating a bcrypt password hash. The corresponding functionality is now removed. (#3365, @ialidzhikov)
VerticalPodAutoscaler are accessible via the Vertical Pod Autoscaler dashboard in Grafana. (#3456, @Kristian-ZH)
EveryNodeReady condition). Please note that both features are only available for new nodes. (#3396, @rfranzke)
cluster-autoscaler is now activated even during rolling-update of the shoot clusters. The change in machine-controller-manager of adding the cluster-autoscaler.kubernetes.io/scale-down-disabled annotation during rolling-update is required, in order for autoscaler to not scale-down worker-pools (coming with machine-controller-manager 0.34.0). (#3332, @hardikdr)
cloud-config-downloader.service systemd service are now updated regularly with the original OperatingSystemConfig. (#3449, @vpnachev)
Node object with worker.gardener.cloud/restart-systemd-services=kubelet, for example. (#3396, @rfranzke)
.spec.revisionHistoryLimit is now set to 1 for Deployments. (#3374, @rfranzke)
SeedKubeScheduler feature gate is added to gardenlet. When enabled, it deploys a custom kube-scheduler in gardener-kube-scheduler namespace of Seed clusters with Kubernetes version 1.17 or greater. The scheduler assigns Shoot control plane Pods to Nodes with higher resource utilization, resulting in better bin-packing of control planes. (#3243, @mvladev)
etcd v3.4.14 and K8s v1.20.2. (#3426, @timuthy)
ConfigMaps and Secrets used to store the config and state of terraform now have owner reference to the Infrastructure resource. (#3275, @vpnachev)
allow-to-private-networks networkpolicy. (#3462, @mvladev)
.spec.kubernetes.allowPrivilegedContainers=false. (#3409, @rfranzke)
gardener.cloud--allow-to-dns and gardener.cloud--allow-to-apiserver networkpolicies can run with deny-all networkpolicy in kube-system namespace. (#3424, @mvladev)
status.state. (#3422, @MartinWeindel)
kube-proxy that deletes the incorrect conntrack table entries which sometimes occur after restart of kube-proxy and prevent the establishment of a TCP connection to the api-server. (#3395, @DockToFuture)
gardener-controller-manager's Project controller that can lead to a continuous reconciliation of Project resources if they are stuck in Terminating state. (#3371, @rfranzke)
.status.clusterIdentity field is now fixed. (#3366, @ialidzhikov)
KonnectivityTunnel's stability is improved and now handles kube-apiserver autoscaling. It properly sets --server-count of konnectivity-server on such event. (#3267, @mvladev)
kubernetes-sigs/controller-runtime was updated to v0.7.1. (#3408, @timuthy)
istio-ingressgateway Service are now deprecated and are going to be removed in the next release. Please use the Seed's spec.settings.loadBalancerServices.annotations field to set or overwrite those annotations. For shoot.gardener.cloud/use-as-seed annotated Shoot clusters, see this PR. (#3185, @mvladev)
Component and Container fields are added in the logging dashboards for more flexible log queries. (#3456, @Kristian-ZH)
configmaps in the kube-system namespace and webhooks with a TimeoutSeconds>15 for problematic resources are now also blocking Maintenance and Hibernation operations. Please consult this doc for more details. (#3413, @timebertt)
seed.spec.ingress.domain field when passing the value via gradener.seed.ingressDomain to ControllerRegistration charts. (#3441, @timuthy)
NumberOfBatchIDs for the fluent-bit-to-loki plugin is set to 5 numbers. (#3402, @vlvasilev)
1.15.7. (#3442, @ialidzhikov)
10s timeout. (#3440, @rfranzke)
kubectl get shoot table view was adapted and no longer shows the DOMAIN column. Instead, it shows the provider type as well as the last operation type. (#3460, @rfranzke)
kube-apiserver deployment of a shoot cluster does not become ready then Gardener does now evaluate and return the most recent complete logs of the newest pod. It will be part of the .status.last{Operation,Errors}. As a consequence, start-up failures due to invalid feature gate or runtime config settings are being treated as a configuration problem error. (#3353, @rfranzke)
terraformer library in extensions/pkg/terraformer does now adopt still running pods instead of deleting them and waiting for their deletion. This enables a faster and more reliable status/result propagation and prevents unhelpful error messages. Infrastructure extension developers do not need to wait for a clean Terraform environment in their Delete() function anymore as the library is now handling this case out-of-the-box. (#3349, @rfranzke)
--webhook-config-namespace flag, the webhook config is enhanced with an owner reference pointing to the provided namespace. This will lead to auto-cleanup of the webhook config when the extension is uninstalled from a seed (earlier, the webhook config was orphaned even after uninstallation from a seed). (#3341, @rfranzke)
HEALTH_ENDPOINT. The default (/healthy) has not been changed. (gardener/ingress-default-backend#13, @Diaphteiros)
NumberOfBatchIDs. (gardener/logging#83, @vlvasilev)
ControllerSyncTimeout to control the informer sync period. Previously it was infinite. (gardener/logging#83, @vlvasilev)
ReplaceOutOfOrderTS is replaced by SortByTimestamp. The timestamp is no longer replaced. Instead the logs are sorted by their timestamp. (gardener/logging#83, @vlvasilev)
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.16.0
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.16.0
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.16.0
gardener-admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.16.0
gardener-seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.16.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.16.0
Published by gardener-robot-ci-1 over 3 years ago
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.15.5
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.15.5
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.15.5
gardener-admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.15.5
gardener-seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.15.5
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.15.5
Published by gardener-robot-ci-1 almost 4 years ago
status.state. (f29a08a04a6a5fe0aab55abda33d66de73ee4905)
seed.spec.ingress.domain field when passing the value via gradener.seed.ingressDomain to ControllerRegistration charts. (#3443, @timuthy)
1.15.7. (6dab5ea88fea476f2c3d824fe8ac25238661c69a)
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.15.4
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.15.4
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.15.4
gardener-admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.15.4
gardener-seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.15.4
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.15.4
Published by gardener-robot-ci-2 almost 4 years ago
.spec.kubernetes.allowPrivilegedContainers=false. (#3410, @rfranzke)
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.15.3
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.15.3
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.15.3
gardener-admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.15.3
gardener-seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.15.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.15.3
Published by gardener-robot-ci-3 almost 4 years ago
kube-proxy that deletes the incorrect conntrack table entries which sometimes occur after restart of kube-proxy and prevent the establishment of a TCP connection to the api-server. (243cfebaa3a1d9edbb4e46349639dfdfb776f15f)
NumberOfBatchIDs for the fluent-bit-to-loki plugin is set to 5 numbers. (#3403, @vlvasilev)
NumberOfBatchIDs. (gardener/logging#83, @vlvasilev)
ControllerSyncTimeout to control the informer sync period. Previously it was infinite. (gardener/logging#83, @vlvasilev)
ReplaceOutOfOrderTS is replaced by SortByTimestamp. The timestamp is no longer replaced. Instead the logs are sorted by their timestamp. (gardener/logging#83, @vlvasilev)
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.15.2
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.15.2
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.15.2
gardener-admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.15.2
gardener-seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.15.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.15.2
Published by gardener-robot-ci-2 almost 4 years ago
.status.clusterIdentity field is now fixed. (b9a42571abd8abfe74c734662fe2fc51177ee320)
gardener-controller-manager's Project controller that can lead to a continuous reconciliation of Project resources if they are stuck in Terminating state. (56b5c5aefa90e14d1e5044fb5cb166cd15deac10)
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.15.1
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.15.1
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.15.1
gardener-admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.15.1
gardener-seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.15.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.15.1
Published by gardener-robot-ci-2 almost 4 years ago
nginx-ingress addon for a shoot used as seed is disabled then you can no longer enable it. Instead, use the new managed ingress controller feature. You can find more information about it here. Existing shoots used as seeds with .spec.addons.nginxIngress.enabled=true will continue to work. (#3131, @BeckerMax)
spec.settings.loadBalancerServices.annotations field for shooted seeds via the "shoot.gardener.cloud/use-as-seed" annotation. You can do this by specifying the loadBalancerServices.annotations.* option - for example loadBalancerServices.annotations.service.beta.kubernetes.io/aws-load-balancer-type=nlb. (#3344, @ialidzhikov)
preStop hooks for >=1.19.x clusters. (#3295, @timuthy)
.spec.maintenance.confineSpecRollout is used. Earlier, EveryNodeReady or ControlPlaneHealthy conditions reported an invalid state if the specification was changed but not yet effective due to a rollout during shoot maintenance (confineSpecRollout: true). (#3286, @timuthy)
v1.19. (#3303, @mvladev)
initialDelaySeconds for the readinessProbe is reduced to 80 seconds. (#3333, @vlvasilev)
vpa-admission-controller and vpa-updater pods are now ensured with some minimal CPU and memory resources. (#3330, @vpnachev)
preferredDuringSchedulingIgnoredDuringExecution for gardener-seed-admission-controller deployment in the garden namespaces of seed clusters. (#3294, @hardikdr)
gardener.cloud:admin now contains full access permissions for Events and ResourceQuotas. (#3291, @timuthy)
Kubernetes API Server Details Dashboard for dropped requests. (#3284, @wyb1)
GardenerLoki plugin (#3283, @Kristian-ZH)
GetMachineControllerManagerCloudCredentials in the WorkerDelegate optional. Alternatively, extensions can now use the field in the machine class spec.credentialsSecretRef so that all machine classes refer to the same secret from the Worker field spec.secretRef. See here for more details. (#3308, @danielfoehrKn)
nginx-ingress addon for shoots has been updated to v0.41.2 ONLY for Kubernetes 1.20 shoot clusters. All shoot clusters with Kubernetes < 1.20 will remain with the current v0.22.0 version. Please be reminded that the nginx-ingress addon is not recommended for production scenarios and that you should deploy (+ customize) your own ingress controller instead. Please use it only for development/evaluation purposes. (#3315, @rfranzke)
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.15.0
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.15.0
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.15.0
gardener-admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.15.0
gardener-seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.15.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.15.0
Published by gardener-robot-ci-3 almost 4 years ago
preStop hooks for >=1.19.x clusters. (3103cd59df2849506ed256aa05187fd7e0b0006d)
gardener.cloud:admin now contains full access permissions for Events and ResourceQuotas. (9367a6968ed9c81c7d3b8d1b94f6a98971b66ee1)
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.14.1
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.14.1
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.14.1
gardener-admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.14.1
gardener-seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.14.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.14.1
Published by gardener-robot-ci-1 almost 4 years ago
WorkerDelegate must implement method GetMachineControllerManagerCloudCredentials returning map with cloud credential keys and values just like they are used by the machine-controller-manager. (#3224, @vpnachev)
SetVariablesEnvironment and GenerateVariablesEnvironment) have been removed. (#3223, @timebertt)
Terraformer functions have been changed to allow passing proper contexts. Please adapt your usage accordingly. (#3223, @timebertt)
logr instead of logrus in order to have more consistent and readable logging in the infrastructure controllers of provider extensions. Please adapt your usage accordingly. (#3223, @timebertt)
Progressing after it finished a successful reconciliation, and the care controller starts to re-evaluate the health status after this happened. This helps end-users to better understand whether their cluster is indeed healthy after a reconciliation. Earlier, it could take up to 30s / 1m (based on the configured care controller sync period) until the actual status is reflected. (#3251, @rfranzke)
24h ago.
KUBERNETES_SERVICE_HOST environment variable injected when APIServerSNI is enabled no longer includes a trailing dot (being a Fully Qualified Domain Name) due to several homebrew Kubernetes clients not properly handling it and sending wrong server name when initiating a TLS connection. (#3235, @mvladev)
apiserver-proxy now uses system-node-critical priority class. Memory limit is also increased to avoid OOM killer. (#3282, @mvladev)
vpa-admission-controller to not being able to update its status (inside Lease object) when it's enabled for shoot clusters. (#3265, @rfranzke)
Seeds not getting ready when an image vector overwrite for the etcd-druid is configured. (#3212, @rfranzke)
gardener-resource-manager instances running in the Shoot control plane is disabled now. (#3268, @timebertt)
1.18.0. (#3250, @mvladev)
get, list and watch for Pods are removed from the fluent-bit RBAC as no longer needed. (#3219, @vlvasilev)
mmap: invalid argument. Prometheus v2.22.1+ provides a fix for this issue. (#3213, @wyb1)
metrics-server, node-problem-detector and vpn-shoot now have dnsPolicy: Default set to them to remove dependency to coredns. (#3211, @mvladev)
OutOf* in the Seed namespace and the kube-system namespace of the Shoot. (#3248, @timebertt)
garden.sapcloud.io/role: (optional-addon|monitoring|system-component) are now adapted to specify gardener.cloud/role: (optional-addon|monitoring|system-component). (#3220, @ialidzhikov)
Seeds with different cloud providers. (#3254, @plkokanov)
gardenlet is now restarted if APIServerSNI is enabled on the Seed cluster. (#3226, @mvladev)
garden.sapcloud.io/role: shoot. (#3220, @ialidzhikov)
v3.3.17 to v3.4.13 and moved from quay.io/coreos/etcd to Gardener-specific custom etcd image eu.gcr.io/gardener-project/gardener/etcd. ⚠️ This will cause an etcd restart. (#3205, @gardener-robot-ci-2)
S3 protocol (gardener/etcd-backup-restore#254, @lcavajani)
max-call-send-message-size, max-request-bytes and max-txn-ops) to enable restoration for delta snapshots with large amount of data (large number of events or events with large data). (gardener/etcd-backup-restore#282, @abdasgupta)
go.etcd.io/etcd for etcd and go.etcd.io/bbolt for bbolt. (gardener/etcd-backup-restore#269, @shreyas-s-rao)
make integration-test-cluster target against the cluster pointed to by the environment variable INTEGRATION_TEST_KUBECONFIG. (gardener/etcd-backup-restore#225, @shreyas-s-rao)
--version. (gardener/gardener-resource-manager#96, @timebertt)
make docker-images are now tagged and built with the commit hash appended to the version. (gardener/gardener-resource-manager#96, @timebertt)
--target-disable-cache flag. (gardener/gardener-resource-manager#95, @timebertt)
DynamicRESTMapper, which will reduce the amount of explicit discovery calls and faster reconciliation loops in some cases. (gardener/gardener-resource-manager#95, @timebertt)
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.14.0
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.14.0
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.14.0
gardener-admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.14.0
gardener-seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.14.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.14.0
Published by gardener-robot-ci-2 almost 4 years ago
24h ago.
gardener.cloud--allow-dns to allow traffic from Pods with hostNetwork: true and dnsPolicy: ClusterFirstWithHostNet. (#3163, @mvladev)
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.12.9
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.12.9
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.12.9
gardener-admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.12.9
gardener-seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.12.9
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.12.9
Published by gardener-robot-ci-2 almost 4 years ago
24h ago.
KUBERNETES_SERVICE_HOST environment variable injected when APIServerSNI is enabled no longer includes a trailing dot (being a Fully Qualified Domain Name) due to several Homebrew Kubernetes clients not properly handling it and sending wrong server name when initiating a TLS connection. (#3236, @mvladev)
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.13.2
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.13.2
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.13.2
gardener-admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.13.2
gardener-seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.13.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.13.2
Published by gardener-robot-ci-3 almost 4 years ago
Seeds not getting ready when an image vector overwrite for the etcd-druid is configured. (88a620fd039ebc62a4f72279951d480f570d3f1b)
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.13.1
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.13.1
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.13.1
gardener-admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.13.1
gardener-seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.13.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.13.1
Published by gardener-robot-ci-3 almost 4 years ago
Project resource contains duplicates in the .spec.members[] list. For the time being, duplicates in this list are merged into a single member automatically by the Gardener API Server. In the future, this will no longer happen, instead, a validation error will be returned if a user sends a Project resource with duplicate members. Please adapt your API usage to not send any of such resources. (#3137, @rfranzke)
gardener.cloud/role=project and project.gardener.cloud/name=<project-name>. Until now the project controller was accepting and maintaining also the labels from the old API groups - garden.sapcloud.io/role=project and project.garden.sapcloud.io/name=<project-name>. With this change, the project controller removes the namespace labels associated to the old API group. If you are still using these deprecated labels, you need to adapt your machinery. (#3094, @ialidzhikov)
shoot.garden.sapcloud.io/use-as-seed and shoot.garden.sapcloud.io/ignore-alerts are no longer respected by the corresponding Gardener components. If you are still using these deprecated annotations, you need to adapt your machinery to use respectively shoot.gardener.cloud/use-as-seed and shoot.gardener.cloud/ignore-alerts. You need to be careful with use-as-seed annotation as if you don't adapt to the new annotation and update your Gardener version to the one that no longer respects the deprecated annotation, this will be handled as deletion of the ShootedSeed and will mark the Seed for deletion. (#3094, @ialidzhikov)
mutatingwebhookconfigurations.admissionregistration.k8s.io is deployed for all APIServerSNI-enabled clusters. It adds KUBERNETES_SERVICE_HOST environment variable pointing to the upstream Kube API Server. To disable this behavior: (#3082, @mvladev)
apiserver-proxy.networking.gardener.cloud/inject: disable
apiserver-proxy.networking.gardener.cloud/inject: disable
alpha.featuregates.shoot.gardener.cloud/apiserver-sni-pod-injector: disable to disable it cluster-wide.
APIServerSNI-enabled clusters, Pods talking to the Kube API Server need to be allowed to connect to coredns running in kube-system namespace in order to resolve the hostname of the Kube API server. It also needs to have access to the IP from the default/kubernetes endpoint and the upstream IP of the kube-apiserver. (#3082, @mvladev)
NetworkPolicy - no action is required.
KUBERNETES_SERVICE_HOST, because the feature is disabled - no action is required.
NetworkPolicies allowing ingress to coredns in kube-system and allows traffic to the default/kubernetes endpoint and the upstream IP of the kube-apiserver - no action is required.
NetworkPolicies that do not allow access to coredns in kube-system and/or do not allow traffic to the default/kubernetes endpoint and/or the upstream IP of the kube-apiserver - a NetworkPolicy allowing such egress must be added e.g.:
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-to-apiserver
spec:
  podSelector: {}
  egress:
  - to:
    - ipBlock:
        cidr: <IP from default/kubernetes endpoint>/32
    - ipBlock:
        cidr: <ip from apiserver FQDN e.g. nslookup api.foo.bar>/32
  - ports:
    - port: 8053
      protocol: UDP
    - port: 8053
      protocol: TCP
    to:
    - podSelector:
        matchExpressions:
        - key: k8s-app
          operator: In
          values:
          - kube-dns
      namespaceSelector:
        matchLabels:
          gardener.cloud/purpose: kube-system
  policyTypes:
  - Egress
  - Ingress
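The egress requirement described above can be checked against a namespace's existing policies before upgrading. This is an added example, not code from the Gardener project: it takes NetworkPolicy objects as parsed JSON and reports which required destinations (coredns on port 8053, the kube-apiserver IPs) they do not allow. The IP addresses, API port 443 and sample policies are constructed assumptions, and named ports are not resolved.

```python
import ipaddress

# Values taken from the example policy in the release note.
DNS_PORT = 8053
DNS_POD_LABELS = {"k8s-app": "kube-dns"}
DNS_NS_LABELS = {"gardener.cloud/purpose": "kube-system"}

def selector_matches(selector, labels):
    """Evaluate a Kubernetes LabelSelector; an empty selector matches everything."""
    if any(labels.get(k) != v for k, v in (selector.get("matchLabels") or {}).items()):
        return False
    for expr in selector.get("matchExpressions") or []:
        key, values = expr["key"], expr.get("values") or []
        ok = {"In": labels.get(key) in values, "NotIn": labels.get(key) not in values,
              "Exists": key in labels, "DoesNotExist": key not in labels}[expr["operator"]]
        if not ok:
            return False
    return True

def isolates_egress(spec):
    """Without policyTypes, a policy isolates egress only if it carries egress rules."""
    types = spec.get("policyTypes")
    return "Egress" in types if types else bool(spec.get("egress"))

def port_allowed(rule, port, protocol):
    ports = rule.get("ports")
    if not ports:
        return True  # no ports listed: all ports are allowed
    for entry in ports:
        if entry.get("protocol", "TCP") != protocol:
            continue
        low = entry.get("port")
        if low is None:
            return True  # protocol only: every port of that protocol
        # Named (string) ports cannot be resolved offline and are skipped.
        if isinstance(low, int) and low <= port <= entry.get("endPort", low):
            return True
    return False

def ip_allowed(rule, ip):
    peers = rule.get("to")
    if not peers:
        return True  # no peers listed: all destinations are allowed
    addr = ipaddress.ip_address(ip)
    for peer in peers:
        block = peer.get("ipBlock")
        if not block or addr not in ipaddress.ip_network(block["cidr"], strict=False):
            continue
        excluded = [ipaddress.ip_network(c, strict=False) for c in block.get("except") or []]
        if not any(addr in net for net in excluded):
            return True
    return False

def dns_peer_allowed(rule):
    peers = rule.get("to")
    if not peers:
        return True
    for peer in peers:
        ns_sel, pod_sel = peer.get("namespaceSelector"), peer.get("podSelector") or {}
        if ns_sel is None:
            continue  # a bare podSelector only covers the policy's own namespace
        if selector_matches(ns_sel, DNS_NS_LABELS) and selector_matches(pod_sel, DNS_POD_LABELS):
            return True
    return False

def egress_gaps(policies, workload_labels, api_ips, api_port=443):
    """Return the required destinations that the namespace's policies do not allow."""
    specs = [p["spec"] for p in policies
             if selector_matches(p["spec"].get("podSelector") or {}, workload_labels)]
    specs = [s for s in specs if isolates_egress(s)]
    if not specs:
        return []  # the workload is not egress-isolated, nothing is blocked
    rules = [r for s in specs for r in s.get("egress") or []]
    gaps = []
    for ip in api_ips:
        if not any(ip_allowed(r, ip) and port_allowed(r, api_port, "TCP") for r in rules):
            gaps.append(f"kube-apiserver {ip}:{api_port}/TCP")
    for proto in ("UDP", "TCP"):
        if not any(dns_peer_allowed(r) and port_allowed(r, DNS_PORT, proto) for r in rules):
            gaps.append(f"coredns {DNS_PORT}/{proto}")
    return gaps

# Constructed sample input: a deny-all egress policy plus the release note's
# allow-to-apiserver policy with its placeholder IPs filled from documentation ranges.
API_IPS = ["192.0.2.10", "203.0.113.10"]
DENY_ALL = {"spec": {"podSelector": {}, "policyTypes": ["Egress"]}}
ALLOW_TO_APISERVER = {"spec": {
    "podSelector": {}, "policyTypes": ["Egress", "Ingress"],
    "egress": [
        {"to": [{"ipBlock": {"cidr": ip + "/32"}} for ip in API_IPS]},
        {"ports": [{"port": 8053, "protocol": "UDP"}, {"port": 8053, "protocol": "TCP"}],
         "to": [{
             "podSelector": {"matchExpressions": [
                 {"key": "k8s-app", "operator": "In", "values": ["kube-dns"]}]},
             "namespaceSelector": {"matchLabels": {"gardener.cloud/purpose": "kube-system"}},
         }]},
    ],
}}
```

Calling `egress_gaps([DENY_ALL], {"app": "demo"}, API_IPS)` lists all four missing paths, while adding `ALLOW_TO_APISERVER` to the list returns an empty result.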
Terraformer.SetVariablesEnvironment has been deprecated in favor of Terraformer.SetEnvVars. Please adapt your usage of the terraformer library accordingly. (#3204, @timebertt)
MachineClass() runtime.Object that needs to be implemented. It is similar to MachineClassList() runtime.Object with the difference that it does not return the list object but the machine class object itself. (#3178, @rfranzke)
CleanupLeakedClusterRoles function has been removed from the generic worker actuator package. You can find more information about it here and here. (#3178, @rfranzke)
github.com/gardener/[email protected] or above (that contains https://github.com/gardener/gardener/pull/2265). (#3097, @ialidzhikov)
Shoot now has a new constraint with type MaintenancePreconditionsSatisfied which indicates whether it's safe to maintain a shoot (see this document to get an overview what happens during maintenance). End-users should check this information to properly configure their clusters in order to avoid problems. (#3173, @rfranzke)
kube-apiserver's --max-requests-inflight and --max-mutating-requests-inflight flags by setting the .spec.kubernetes.kubeAPIServer.requests.max{Non}MutatingInflight fields (default: {400}/200) in the Shoot specification. (#3141, @rfranzke)
kube-controller-manager's --pod-eviction-timeout flag by setting the .spec.kubernetes.kubeControllerManager.podEvictionTimeout field (default: 2m0s) in the Shoot specification. (#3139, @rfranzke)
controlplane Helm chart for Gardener does now expose a few more configuration options for the gardener-apiserver: (#3207, @rfranzke)
.Values.global.apiserver.goAwayChance
configures the --goaway-chance
flag..Values.global.apiserver.http2MaxStreamsPerConnection
configures the --http2-max-streams-per-connection
flag..Values.global.apiserver.shutdownDelayDuration
configures the --shutdown-delay-duration
flag..Values.global.requests.maxNonMutatingInflight
configures the --max-requests-inflight
flag..Values.global.requests.maxMutatingInflight
configures the --max-mutating-requests-inflight
flag..Values.global.requests.minTimeout
configures the --min-request-timeout
flag..Values.global.requests.timeout
configures the --request-timeout
flag..Values.global.watchCacheSizes.default
configures the --default-watch-cache-size
flag..Values.global.watchCacheSizes.resources[]
configures the --watch-cache-size
flag.ManagedIstio
and APIServerSNI
can now be optionally configured via the new sni
configuration in GardenletConfiguration
, see the example configuration. This allows to use installation of Istio where the ingressgateway is in another namespace. (#3143, @mvladev)
DNSEntry objects in the shoot controller via the gardenlet's component config (.controllers.shoot.dnsEntryTTLSeconds, default: 120). (#3142, @rfranzke)
Projects from the stale checks by annotating their related Namespaces with project.gardener.cloud/skip-stale-check=true. (#3136, @rfranzke)
[0,5m]. You can overwrite this jitter period in the gardenlet's component configuration (.controllers.shootedSeedRegistration.syncJitterPeriod). (#3135, @rfranzke)
no-gardenlet option by setting featureGates.<name>={true,false}. (#3134, @rfranzke)
.controllers.shootReference.protectAuditPolicyConfigMaps=true. (#3117, @rfranzke)
mutatingwebhookconfigurations.admissionregistration.k8s.io is deployed for all APIServerSNI-enabled clusters. It's running as a sidecar to the KubeAPI Server. (#3082, @mvladev)
200. (#3075, @stoyanr)
ResourceQuota resource which is automatically created in project related namespaces. Please consult the documentation (/docs/concepts/controller-manager.md) for more information. (#3072, @timuthy)
apiserver-proxy overload's manager is removed. (#3062, @mvladev)
Shoots from being stuck in deletion due to invalid .spec.dns configuration. (#3168, @rfranzke)
Shoot resources from being stuck in Delete Succeeded state. (#3167, @rfranzke)
gardener.cloud--allow-dns to allow traffic from Pods with hostNetwork: true and dnsPolicy: ClusterFirstWithHostNet. (#3162, @mvladev)
corev1.ResourceQuota objects. (#3132, @timuthy)
ConfigMaps for Shoots are now ignored when trying to redeploy the kube-apiserver in the shoot deletion flow. (#3115, @rfranzke)
spec.kubernetes.kubelet.kubeReserved.pid field of the Shoot to be set for Kubernetes versions that don't support the corresponding feature is now fixed. (#3059, @ialidzhikov)
allow-to-seed-apiserver might not include the IP from the KUBERNETES_SERVICE_HOST environment variable of the gardenlet. (#3203, @mvladev)
checkAPIServerAvailability. (#3195, @timuthy)
cluster dns and the node local ipvs address to resolve a dns resolution issue with the NodeLocalDNS feature for dns names in control plane pods. (#3184, @DockToFuture)
Namespaces are adopted for Projects then they will now be configured to remain even after the Project is being deleted later again. Earlier, such namespaces were also deleted together with the Project. Please note that this only takes effect for newly adopted project namespaces. (#3179, @rfranzke)
kube-controller-manager to be scaled up when it is already deleted is now fixed. (#3176, @vpnachev)
1.15.5. (#3175, @ialidzhikov)
metrics-server is upgraded to v0.4.1 and readiness and liveness probes now use http instead of tcp. (#3174, @mvladev)
loki to gardenerloki to avoid any plugin collisions with future version of the fluent-bit. (#3165, @vlvasilev)
ShootState no longer sends events for ShootState resources as they are not evaluated in a meaningful way anyways. (#3149, @rfranzke)
ManagedIstio is not enabled. (#3145, @timuthy)
Seed deletion due to orphaned ManagedResources in the garden namespace. (#3133, @rfranzke)
APIServerSNI feature gate, existing LoadBalancer ports from ManagedIstio are not removed until all existing SNI-enabled Shoot clusters are migrated. (#3125, @mvladev)
istio-ingressgateway now uses KEEPALIVE to downstream LoadBalancers to prevent idle timeout issues. (#3104, @mvladev)
vpn deployment rolling strategy is improved so that the new pod is created before the old one is deleted. (#3100, @vpnachev)
apiserver-proxy now uses tcp keepalive every 55 seconds to prevent idle timeouts between it and the SNI LoadBalancer. (#3092, @mvladev)
/charts/gardener/controlplane) has been fixed. Earlier, the deployed ValidatingWebhookConfiguration potentially blocked the creation of Gardener ServiceAccounts. The validation is now excluded from namespaces with the label app: gardener. (#3088, @timuthy)
/charts/gardener/controlplane also deploy the garden namespace, or add the label app=gardener to the namespace yourself.
CachedRuntimeClients feature gate is enabled is now fixed. (#3087, @ialidzhikov)
kube-controller-manager deployment. (#3077, @vpnachev)
(Cluster)RoleBindings of system components or addons, that were changed to an invalid state by endusers to be able to reconcile them back to the desired state. (#3074, @timebertt)
ShootState resource to be updated with newly generated secrets is now fixed. (#3069, @vpnachev)
kube-system namespace so the data is not very relevant and only leads to confusion. (#3068, @wyb1)
kube-controller-manager VPA now has minAllowed values to prevent VPA from scaling it down too much. (#3057, @timebertt)
seed.gardener.cloud/disable-capacity-reservation, seed.gardener.cloud/disable-dns and seed.gardener.cloud/invisible to be used. Note, these taints have been replaced by seed.spec.settings fields and there is no special semantic behind them anymore. (#2970, @vpnachev)
unmanaged. (#2969, @plkokanov)
spec.dns != nil to a Seed which has DNS disabled is now forbidden and will return an error. (#2969, @plkokanov)
github.com/gardener/gardener/extensions/pkg/predicate.Or (which was deprecated in favor of sigs.k8s.io/controller-runtime/pkg/predicate.Or) is now removed. (#3111, @ialidzhikov)
api module is now available. Get it with go get github.com/gardener/gardener-resource-manager/api (gardener/gardener-resource-manager#86, @mvladev)
ManagedResource's .status.conditions[].lastUpdateTime is no longer continuously updated. This will greatly reduce the number of update calls to the kube-apiserver/etcd. (gardener/gardener-resource-manager#90, @rfranzke)
/healthz endpoint that can be used as part of a liveness probe configuration. It listens on port 8081 by default (configurable via the --health-bind-address flag). (gardener/gardener-resource-manager#81, @rfranzke)
github.com/gardener/gardener (v1.9.0 -> v1.11.3)
github.com/gardener/hvpa-controller (v0.2.5 -> v0.3.1)
github.com/onsi/ginkgo (v1.12.1 -> v1.14.0)
k8s.io/* (v0.16.8 -> v0.18.10)
sigs.k8s.io/controller-runtime (v0.5.5 -> v0.6.3)
v1.15.3. (gardener/gardener-resource-manager#80, @rfranzke)
v3.12.1. (gardener/gardener-resource-manager#80, @rfranzke)
CustomResourceDefinitions of version v1. (gardener/gardener-resource-manager#85, @timuthy)
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.13.0
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.13.0
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.13.0
gardener-admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.13.0
gardener-seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.13.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.13.0
Published by gardener-robot-ci-3 almost 4 years ago
ShootState no longer sends events for ShootState resources as they are not evaluated in a meaningful way anyways. (e20f0f38eb16566f0f2320ec892c3fadcb10df46)
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.12.8
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.12.8
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.12.8
gardener-admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.12.8
gardener-seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.12.8
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.12.8
Published by gardener-robot-ci-3 almost 4 years ago
ManagedIstio is not enabled. (7750dc943f1e022139bdaed735afac033cf5d8c5)
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.12.7
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.12.7
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.12.7
gardener-admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.12.7
gardener-seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.12.7
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.12.7
Published by gardener-robot-ci-3 almost 4 years ago
APIServerSNI feature gate, existing LoadBalancer ports from ManagedIstio are not removed until all existing SNI-enabled Shoot clusters are migrated. (#3126, @mvladev)
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.12.6
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.12.6
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.12.6
gardener-admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.12.6
gardener-seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.12.6
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.12.6
Published by gardener-robot-ci-3 almost 4 years ago
.controllers.shootReference.protectAuditPolicyConfigMaps=true. (3db1c41726dc5f669e015f294b690d330b55bbf1)
ConfigMaps for Shoots are now ignored when trying to redeploy the kube-apiserver in the shoot deletion flow. (ed6604017be6a0105af5297e55c0f4b1f5ed4f1d)
vpn deployment rolling strategy is improved so that the new pod is created before the old one is deleted. (16ffd5ed26282ff41bbe34e84f4c1187c8d260c2)
/charts/gardener/controlplane) has been fixed. Earlier, the deployed ValidatingWebhookConfiguration potentially blocked the creation of Gardener ServiceAccounts. The validation is now excluded from namespaces with the label app: gardener. (fccb4bf02ce66ba4fc5c8892134879fe773795e5)
/charts/gardener/controlplane also deploy the garden namespace, or add the label app=gardener to the namespace yourself.
CustomResourceDefinitions of version v1. (gardener/gardener-resource-manager@314c262952d8caf413de4ad5045b5185b9724aa3)
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.12.5
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.12.5
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.12.5
gardener-admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.12.5
gardener-seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.12.5
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.12.5
Published by gardener-robot-ci-3 almost 4 years ago
istio-ingressgateway now uses KEEPALIVE to downstream LoadBalancers to prevent idle timeout issues. (#3105, @mvladev)
apiserver-proxy now uses tcp keepalive every 55 seconds to prevent idle timeouts between it and the SNI LoadBalancer. (#3093, @mvladev)
gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.12.4
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.12.4
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.12.4
gardener-admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.12.4
gardener-seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.12.4
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.12.4