gardener

Kubernetes-native system managing the full lifecycle of conformant Kubernetes clusters as a service on Alicloud, AWS, Azure, GCP, OpenStack, vSphere, KubeVirt, Hetzner, EquinixMetal, MetalStack, and OnMetal with minimal TCO.

OTHER License

gardener - v1.3.0

Published by gardener-robot-ci-1 over 4 years ago

[gardener]

Most notable changes

  • [USER] Gardener does now have protobuf definitions for its API resources. Clients can now specify application/vnd.kubernetes.protobuf content type in the Accept header for their requests. For more information about protobuf representation see this documentation. (#2113, @ialidzhikov)
  • [OPERATOR] remove read-only from kibana index (#2183, @vlvasilev)
  • [OPERATOR] Gardener can now support shoot clusters with Kubernetes version 1.18. In order to allow creation/update of 1.18 clusters you will have to update the version of your provider extension(s) to a version that supports 1.18 as well. Please consult the respective releases and notes in the provider extension's repository. (#2111, @rfranzke)
  • [OPERATOR] A new component has been introduced, the gardener-seed-admission-controller. It runs in every seed cluster and prevents the undesired deletion of CustomResourceDefinitions labeled with gardener.cloud/deletion-protected=true, and most custom resources of the extensions.gardener.cloud/v1alpha1 API group if they were not previously annotated with confirmation.gardener.cloud/deletion=true. (#2066, @rfranzke)
  • [DEVELOPER] The gardener/gardener-extensions repository was merged into this repository based on v1.6.0. Please remove your github.com/gardener/gardener-extensions Golang dependency in favour of github.com/gardener/gardener, and adapt your hack script call invocations if necessary. (#2141, @rfranzke)
  • [DEVELOPER] The ./hack/dev-setup-extensions script was removed in favour of the Gardener Extensions Manager. (#2141, @rfranzke)

Improvements

  • [USER] It is now possible to specify only the machine image name in the shoot manifest; Gardener will default the version to the latest available version for the specified image. (#2138, @vpnachev)
  • [OPERATOR] Revert minimum amount of CPU for kube-apiserver container to 300m as it caused boot crash loopback. (#2174, @mvladev)
  • [OPERATOR] Gardener now sets the default Node labels via the Worker CRD instead of via kubelet flags. (#2166, @tim-ebert)
  • [OPERATOR] VPA recommendations are now disabled for Prometheus's prometheus-config-reloader container. (#2164, @mvladev)
  • [OPERATOR] gardener-apiserver chart does now allow configuring the --disable-admission-plugins and --enable-admission-plugins flags. (#2159, @ialidzhikov)
  • [OPERATOR] Extension resources are no longer synced by the ShootState Sync Controller if the corresponding Cluster resource does not exist. (#2135, @plkokanov)
  • [OPERATOR] Etcd .status.lastError is now properly propagated as reason to Shoot .status.lastErrors. (#2134, @ialidzhikov)
  • [OPERATOR] Gardener now deploys one ContainerRuntime CRD per WorkerPool per container runtime. This enables container runtimes to be configurable on the worker pool level. (#2128, @danielfoehrKn)
  • [OPERATOR] Fixed a bug that prevented an existing worker pool using containerd from being updated with a container runtime (e.g. gvisor). (#2128, @danielfoehrKn)
  • [OPERATOR] Update of the temporary, experimental Kyma addon to latest Kyma version 1.11.0. It can be installed onto shoot clusters out-of-the-box by annotating the Shoot with experimental.addons.shoot.gardener.cloud/kyma=enabled. Be aware that we won't provide upgrades or customization, and that this addon is temporary and will be removed in a future version of Gardener again. Its purpose is to ease the Kyma installation and to show-case which features it provides. It is by no means a production-ready setup. Also, please note that, once enabled, the Kyma addon can never be disabled again. The only way to get rid of it is to delete the shoot cluster. You can check the status of the installation by using kubectl get installation/kyma-installation -o jsonpath="{'Status: '}{.status.state}{', description: '}{.status.description}". (#2126, @a-thaler)
  • [OPERATOR] Kubernetes and Machine image versions now have the optional field "classification" with allowed values of [preview, supported, deprecated, expired]. Please see GEP5 (https://github.com/gardener/gardener/docs/proposals/05-versioning-policy.md) and the operations documentation under https://github.com/gardener/gardener/blob/master/docs/operations/versioning.md. (#2105, @danielfoehrKn)
  • [DEVELOPER] Gardener now sets the default Node labels via the Worker CRD instead of via kubelet flags. Please make sure that your worker controller properly propagates the specified labels to the Node objects. (#2166, @tim-ebert)
  • [DEVELOPER] Refactor hack scripts for usage in extensions (local image vector override, common helper, build-ld flags) via vendoring. (#2165, @danielfoehrKn)
  • [DEVELOPER] The Seed object does now allow to specify a provider-specific and seed-specific configuration in the .spec.provider.providerConfig field. (#2162, @rfranzke)
  • [DEVELOPER] Gardener's ControllerInstallation controller does now pass the complete specification of the Seed object to the extension's Helm chart with the .gardener.seed.spec value. This way extensions can find out all information about the seed they get installed to. (#2162, @rfranzke)
  • [DEVELOPER] The oscommon package for OperatingSystemConfig extension does now work for one or multiple extension types. (#2161, @Kristian-ZH)
  • [DEVELOPER] The version of the nodeless garden cluster is bumped to v1.17.3. (#2125, @tim-ebert)

[etcd-druid]

Improvements

  • [OPERATOR] etcd-druid does now accept openstack for spec.backup.store.provider. (gardener/etcd-druid#43, @ialidzhikov)
  • [OPERATOR] ❇️ Populate etcd container root-ca-certificates list with the provided self-signed ca-bundle for communication with backup-restore sidecar (gardener/etcd-druid#40, @swapnilgm)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.3.0
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.3.0
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.3.0
seed-admission-controller: eu.gcr.io/gardener-project/gardener/seed-admission-controller:v1.3.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.3.0

gardener - v1.2.3

Published by gardener-robot-ci-1 over 4 years ago

[etcd-druid]

Improvements

  • [OPERATOR] etcd-druid does now accept openstack for spec.backup.store.provider. (gardener/etcd-druid#43, @ialidzhikov)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.2.3
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.2.3
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.2.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.2.3

gardener - v1.2.2

Published by gardener-robot-ci-2 over 4 years ago

[etcd-druid]

Improvements

  • [OPERATOR] ❇️ Populate etcd container root-ca-certificates list with the provided self-signed ca-bundle for communication with backup-restore sidecar (gardener/etcd-druid#40, @swapnilgm)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.2.2
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.2.2
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.2.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.2.2

gardener - v1.2.1

Published by gardener-robot-ci-3 over 4 years ago

[gardener]

Improvements

  • [OPERATOR] Extension resources are no longer synced by the ShootState Sync Controller if the corresponding Cluster resource does not exist. (cf8fbf9c9ff2238bcee259ac02cacab6d0c09b5f)
  • [OPERATOR] Etcd .status.lastError is now properly propagated as reason to Shoot .status.lastErrors. (ef30875fd55a4fb71c3bdf08c836ff4dad474467)
  • [OPERATOR] gardener-apiserver chart does now allow configuring the --disable-admission-plugins and --enable-admission-plugins flags. (07259f7b689d8a04bbb1a6e872107bc229df803d)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.2.1
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.2.1
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.2.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.2.1

gardener - v1.2.0

Published by gardener-robot-ci-1 over 4 years ago

[gardener]

Action Required

  • [OPERATOR] Since Gardener's validation no longer prevents worker.Minimum from being zero while worker.Maximum is non-zero, it is recommended to install the following provider extensions with the proper related validation enabled, to avoid incompatibility with cluster-autoscaler. gardener-extension-provider-gcp: v1.4.0, gardener-extension-provider-alicloud: v1.7.0, gardener-extension-provider-openstack: v1.4.0. (#2045, @hardikdr)
  • [DEVELOPER] With the introduction of the etcd-druid you have to make sure that the extension controllers that are deployed no longer inject the backup-restore sidecar as this task is now handled by gardener/etcd-druid directly. The corresponding implementation in the gardener/gardener-extensions library has been adapted, see https://github.com/gardener/gardener-extensions/pull/603. You can also find an example adaptation for a specific provider extension here: https://github.com/gardener/gardener-extension-provider-aws/pull/42 (#1762, @georgekuruvillak)

Most notable changes

  • [USER] Gardener now checks that a namespace specified in project resources (project.spec.namespace) is not already taken by another project. (#2071, @timuthy)
  • [USER] It must now be ensured that the Shoot specification contains at least one worker pool with either no taints or only taints with PreferNoSchedule effect. This is to make sure that the system components (CoreDNS, vpn-shoot, etc.) can be scheduled correctly. (#2067, @rfranzke)
  • [USER] Every shoot cluster does now contain NetworkPolicies that allow the necessary traffic directions for the nginx-ingress-controller, metrics-server, and node-exporter. (#2044, @neo-liang-sap)
  • [USER] It is now possible to configure additional container runtimes like gVisor (if previously registered by the Gardener landscape administrator) for shoot clusters. It is possible via the .spec.provider.workers[].cri.containerRuntimes list. Example value: [{type: gvisor}]. It can be set for each worker pool in the shoot cluster. (#2035, @nimrodoron)
  • [USER] Project members are now allowed to define their own Roles and RoleBindings to further customize the access to the resources in their Project namespace. (#2032, @mvladev)
  • [USER] Project viewers are now allowed to view Roles and RoleBindings in their Project namespace. (#2032, @mvladev)
  • [USER] TokenRequest and TokenRequestProjection feature gates are now enabled by default. By default, service account tokens now have audience - kubernetes and issuer - the external address of the API server. This allows for service account token volume projection to be used in the cluster. .spec.kubernetes.kubeAPIServer.audiences and .spec.kubernetes.kubeAPIServer.serviceAccountConfig.issuer can still be used to override those values if needed. (#1991, @mvladev)
  • [USER] The core.gardener.cloud/v1beta1.Shoot resource now has a new .spec.provider.workers[].cri optional property. This property contains a name field. The only valid value for this field at this time is: containerd. Setting this property with the relevant value will enable the kubelet to work with containerd as a CRI instead of the default Docker Shim in case the used operating system config extension supports it. Please note that this cannot be changed afterwards - only during cluster creation or when a new worker pool is added. Also, please double-check whether the corresponding extension controller for the operating system that you use is supporting containerd. (#1971, @nimrodoron)
  • [OPERATOR] The Gardener Helm chart now enables the shoot control plane restarter during maintenance by default. (#2116, @timuthy)
  • [OPERATOR] Gardener will no longer deploy all extension controller to all seed clusters. Instead, it will dynamically deploy/delete them based on the scheduled BackupBuckets, BackupEntrys, and Shoots. (#1993, @rfranzke)
  • [OPERATOR] This release introduces etcd-druid to manage Etcd resources in shoot control planes. etcd-druid will be deployed during the seed-bootstrap phase in the garden namespace. etcd-druid listens for Etcd resources deployed/updated/deleted in the shoot namespaces. When an Etcd resource is created, the etcd-druid adds finalizers to the dependent secrets such as the tls and the object-store secrets. It then goes on to create the statefulsets, services and the configmap to deploy etcd along with the backup-restore sidecar. The ready field in the Etcd resource reflects the availability of the related etcd statefulsets. This is checked before kube-apiserver is deployed by gardenlet. (#1762, @georgekuruvillak)
  • [DEVELOPER] Gardener now deletes every pod of the shoot control plane with the label maintenance.gardener.cloud/restart: true if a shoot is assigned the task annotation shoot.gardener.cloud/tasks: restartControlPlanePods. This is used to refresh the state and cache of probably long running containers and thus can circumvent potential dead-locks or starving routines. If you are a developer of a Gardener extension please check the necessity and possibility of labelling such pods. For example, a running instance of the Cloud-Controller-Manager can safely be deleted/restarted while the shoot profits from a refreshed instance. More information can be found in docs/extensions/shoot-maintenance.md (#2098, @timuthy)
  • [DEVELOPER] ⚠️ The local nodeless Gardener setup (for local development) has been reverted to K8s 1.15 in order to be consistent with the highest version supported by Gardener in a production environment. (#2075, @timuthy)
  • [DEVELOPER] A new container runtime extensibility contract has been introduced that allows to develop external container runtime extension controllers. Information for developing such an extension can be found here. (#2035, @nimrodoron)
  • [DEVELOPER] The extensions.gardener.cloud/v1alpha1.OperatingSystemConfig resource has a new .spec.criConfig property. This property contains a new name field. This optional property will be set if the shoot's worker pool config contains CRI configuration with the current only valid value containerd. Each OS extension should enable containerd with the default configurations as mentioned in: (#1971, @nimrodoron)

Improvements

  • [USER] A column HIBERNATION has been added to the output of kubectl get shoots which shows the current hibernation status (Awake, Hibernated, Hibernating or Waking Up). (#2078, @tim-ebert)
  • [USER] It is no longer possible to submit Shoot resources whose specification targets extension types that are not registered in the system. (#2049, @rfranzke)
  • [USER] Gardener now allows setting minimum=0 for worker pools in the Shoot. However, not all providers might support it yet and setting it to 0 might cause undesired issues with the availability of the machines. As of today, only AWS and Azure are known to support it (will be extended to other providers in the future). (#2045, @hardikdr)
  • [USER] An issue that prevented kyma 1.10.0 from being installed is now fixed. (#2028, @ialidzhikov)
  • [OPERATOR] NOE (#2119, @rfranzke)
  • [OPERATOR] Shoot clusters for which an operation could never be created (e.g. because of invalid DNS configuration) can now be deleted right away. (#2118, @timuthy)
  • [OPERATOR] DNS entries are now deleted when a shoot enters hibernation which prevents outdated DNS records. (#2100, @timuthy)
  • [OPERATOR] Control plane controllers of shoot clusters can now be automatically restarted during the shoot's maintenance time window. This is used to refresh the state and cache of probably long running containers and thus can circumvent potential dead-locks or starving routines. The feature can be enabled via the ControllerManagerConfiguration under .controllers.shootMaintenance.enableShootControlPlaneRestarter (see example/20-componentconfig-gardener-controller-manager.yaml). (#2098, @timuthy)
  • [OPERATOR] If a cluster is stuck in deletion because its content cannot be removed right away, the shoot resource will now contain the error code ERR_CLEANUP_CLUSTER_RESOURCES in .status.lastErrors (#2090, @timuthy)
  • [OPERATOR] 🐛 Fix the etcd restoration failure alert rule (#2089, @swapnilgm)
  • [OPERATOR] Increase the node-exporter scrape timeout from 10s to 30s. (#2086, @wyb1)
  • [OPERATOR] Added the following aggregate metrics (by containers). Firstly, to keep track of the number of containers whose resource usage is over scaling, limiting thresholds, vpa recommendations. Secondly, to keep track of the number of containers which have pending scale down or scale up recommendations. Thirdly, to keep track of minimum and maximum values for usage, requests, limits and VPA recommendations for containers across the cluster. Fourthly, to keep track of the number of containers that have requests over a threshold percentage of their VPA maxAllowed configuration. (#2080, @amshuman-kr)
  • [OPERATOR] A project related namespace can now be used with the following labels: gardener.cloud/role: project, project.gardener.cloud/name: <project-name>. (#2072, @timuthy)
  • [OPERATOR] Added HPA metrics to kube-state-metrics in garden ns. These can help in analysing HPA behaviour and in analysing the benefits and impact of reducing HPA scale down stabilization period (currently 24h) to a lower value. (#2060, @amshuman-kr)
  • [OPERATOR] Optimize apiserver HVPA minAllowed config to a lower value to improve overall CPU utilization in the seed clusters. (#2056, @amshuman-kr)
  • [OPERATOR] It is no longer possible to submit BackupBucket, BackupEntry, or Seed resources whose specifications target extension types that are not registered in the system. (#2049, @rfranzke)
  • [OPERATOR] Added new metric to monitor CPU throttling (#2046, @ggaurav10)
  • [OPERATOR] gardenlet does no longer explicitly label well-known ManagedResources that don't have the origin: gardener label because of legacy reasons. (#2040, @ialidzhikov)
  • [OPERATOR] It is now possible to specify an image vector overwrite for image vectors of components directly deployed by Gardener (e.g., the etcd-druid will have its own image vector in the future that operators might want to overwrite with custom image locations). Please consult this document to get more information. (#2036, @rfranzke)
  • [OPERATOR] Fixed a bug that caused Gardener to override kube-apiserver deployment's resources field on every reconcile, thus, overriding the values set by HVPA controller. (#2025, @ggaurav10)
  • [OPERATOR] An issue has been fixed which prevented shoot clusters without a spec.dns.domain configuration from being scheduled on a seed. (#2010, @timuthy)
  • [OPERATOR] An issue that prevented getting the file content of a manifest using the FileContent func of RenderedChart in the pkg/chartrenderer package is now fixed. (#2009, @ialidzhikov)
  • [OPERATOR] An issue has been fixed which caused the Gardenlet to crash for shoot clusters which already have used a non compliant default shoot domain. (#2006, @timuthy)
  • [OPERATOR] Make kubelet flag --image-pull-progress-deadline configurable. Default: 1m (#2003, @ggaurav10)
  • [OPERATOR] External domain now points to API Server LoadBalancer instead of the internal domain. This is helpful when a Shoot uses a private hosted zone for the internal domain. (#1994, @danielfoehrKn)
  • [OPERATOR] The ShootState resource is now created at the beginning of the shoot reconciliation flow. (#1972, @plkokanov)
  • [OPERATOR] Cluster scoped extension resources are now properly handled when their state has to be synced to the ShootState. (#1972, @plkokanov)
  • [DEVELOPER] core.(v1alpha1/v1beta1).QuotaSpec.ClusterLifetimeDays, core.(v1alpha1,v1beta1).LastOperation.Progress, extensions.v1alpha1.WorkerPool.Maximum, extensions.v1alpha1.WorkerPool.Minimum, extensions.v1alpha1.MachineDeployment.Maximum, extensions.v1alpha1.MachineDeployment.Minimum fields types changed from int to int32. (#2104, @ialidzhikov)
  • [DEVELOPER] Local setup is now compatible also with newer versions of minikube (>= v1.8.0). (#2088, @ialidzhikov)
  • [DEVELOPER] Added high-level interfaces which can be used by different components in the Shoot reconciliation. They allow the life-cycle to be fully encapsulated, mocked for testing, and isolated from other components. (#2051, @mvladev)
  • [DEVELOPER] A bug in the test framework has been fixed that panicked if no seed was assigned to the shoot. (#2021, @schrodit)
  • [DEVELOPER] The current seed state was added to the test framework's state dump. (#2021, @schrodit)
  • [DEVELOPER] Changed the specification of GardenerResourceData to use runtime.RawExtension instead of a string map to persist data required for deploying resources. (#1972, @plkokanov)

[etcd-druid]

Improvements

  • [OPERATOR] Added the gardener-shoot-control-plane priority class to the etcd pods and changed the temporary directory path for the snapstore from /tmp to /var/etcd/data/temp. (gardener/etcd-druid#35, @rfranzke)
  • [OPERATOR] Changed logic in etcd druid to query for statefulset readiness and update the etcd status accordingly (gardener/etcd-druid#34, @georgekuruvillak)
  • [OPERATOR] Removed .status.lastError after successful reconciliation (gardener/etcd-druid#33, @georgekuruvillak)
    • Fixed the labels/selector issue in the statefulset manifest
    • Introduced .status.observedGeneration
    • Added logic to only reconcile if gardener.cloud/operation=reconcile and oldMeta.generation != newMeta.generation or .status.LastError != nil
  • [OPERATOR] Fix wget in etcd bootstrap script. (gardener/etcd-druid#32, @shreyas-s-rao)
  • [OPERATOR] Etcds with Alicloud backup infrastructure can now be created correctly. (gardener/etcd-druid#31, @georgekuruvillak)
  • [OPERATOR] Fixed the issue related to concurrent reconciliation of etcd resources messing up configmap, service and statefulset values. (gardener/etcd-druid#28, @georgekuruvillak)
  • [OPERATOR] Fix finalizer check in secret during deletion. (gardener/etcd-druid#27, @georgekuruvillak)
  • [OPERATOR] Added configurable worker count. (gardener/etcd-druid#26, @georgekuruvillak)
  • [OPERATOR] Added default values to values.yaml. It also takes care of go-template value conversion issues. (gardener/etcd-druid#20, @georgekuruvillak)
  • [OPERATOR] Add additional printer columns for kubectl. (gardener/etcd-druid#18, @georgekuruvillak)

[hvpa-controller]

Improvements

  • [OPERATOR] Removing "Temporary/fast fix to enable scale down even if vpaWeight == 0" as we have better ways to optimise cost now (gardener/hvpa-controller#63, @ggaurav10)
  • [OPERATOR] Ignore minChange configuration while overriding scale up stabilisation. This ensures that full VPA recommendations are applied in case the target pods are OOMKilled or restarted due to livenessProbe failure, no matter what. (gardener/hvpa-controller#62, @amshuman-kr)
  • [OPERATOR] Consider HPA to be limited if we have seen oomkill or liveness probe fails already. This change makes HVPA controller scale the app vertically more actively, ignoring the HPA's status condition type ScalingLimited. (gardener/hvpa-controller#58, @ggaurav10)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.2.0
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.2.0
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.2.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.2.0

gardener - v1.1.6

Published by gardener-robot-ci-2 over 4 years ago

[hvpa-controller]

Improvements

  • [OPERATOR] Removing "Temporary/fast fix to enable scale down even if vpaWeight == 0" as we have better ways to optimise cost now (gardener/hvpa-controller#63, @ggaurav10)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.1.6
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.1.6
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.1.6
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.1.6

gardener - v1.1.5

Published by gardener-robot-ci-3 over 4 years ago

[hvpa-controller]

Improvements

  • [OPERATOR] Ignore minChange configuration while overriding scale up stabilisation. This ensures that full VPA recommendations are applied in case the target pods are OOMKilled or restarted due to livenessProbe failure, no matter what. (gardener/hvpa-controller#62, @amshuman-kr)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.1.5
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.1.5
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.1.5
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.1.5

gardener - v1.1.4

Published by gardener-robot-ci-3 over 4 years ago

[gardener]

Improvements

  • [USER] A compatibility issue has been fixed which prevented shoot manifests from being re-applied w/o a primary DNS provider. (#2034, @timuthy)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.1.4
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.1.4
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.1.4
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.1.4

gardener - v1.1.3

Published by gardener-robot-ci-2 over 4 years ago

[gardener]

Improvements

  • [USER] An issue that prevented kyma 1.10.0 from being installed is now fixed. (#2031, @ialidzhikov)
  • [OPERATOR] Fixed a bug that caused Gardener to override kube-apiserver deployment's resources field on every reconcile, thus, overriding the values set by HVPA controller. (#2024, @ggaurav10)
  • [OPERATOR] Prevent cluster-autoscaler from downscaling any node running etcd pod. (#2022, @shreyas-s-rao)

[hvpa-controller]

Improvements

  • [OPERATOR] Consider HPA to be limited if we have seen oomkill or liveness probe fails already. This change makes HVPA controller scale the app vertically more actively, ignoring the HPA's status condition type ScalingLimited. (gardener/hvpa-controller#58, @ggaurav10)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.1.3
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.1.3
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.1.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.1.3

gardener - v1.1.2

Published by gardener-robot-ci-2 over 4 years ago

[gardener]

Improvements

  • [OPERATOR] An issue that prevented getting the file content of a manifest using the FileContent func of RenderedChart in the pkg/chartrenderer package is now fixed. (#2011, @ialidzhikov)
  • [OPERATOR] An issue has been fixed which prevented shoot clusters without a spec.dns.domain configuration from being scheduled on a seed. (08919f57e22f871366a7e655be34d32d9449b55a)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.1.2
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.1.2
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.1.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.1.2

gardener - v1.1.1

Published by gardener-robot-ci-2 over 4 years ago

[gardener]

Improvements

  • [OPERATOR] An issue has been fixed which caused the Gardenlet to crash for shoot clusters which already have used a non compliant default shoot domain. (f694669e6f719b1cd81d62ba59f8e1fd584175b8)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.1.1
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.1.1
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.1.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.1.1

gardener - v1.1.0

Published by gardener-robot-ci-1 over 4 years ago

[gardener]

Action Required

  • [USER] Since Gardener now supports multiple DNS providers it's not valid to let shoot use a default domain and a DNS provider without a spec.dns.providers[0].secretName. These functionless providers are removed by Gardener automatically, but will be forbidden in the future. Please make sure that you don't use a DNS provider without spec.dns.providers[*].secretName. (#1998, @timuthy)
  • [DEVELOPER] The new label core.gardener.cloud/apiserver-exposure: gardener-managed will be used by Gardener to indicate to extensions that Gardener is responsible for managing the said resource. All extensions should check this label (using the helper IsAPIServerExposureManaged function) and not modify the resource when they are handling API server exposure. (#1929, @mvladev)

Most notable changes

  • [USER] Gardener now supports the configuration of multiple DNS providers in the shoot. (#1959, @timuthy)
  • [USER] Authenticated users can now read/list/watch Seed resources. (#1919, @rfranzke)
  • [USER] The minimum value for the podPidsLimit field in the kubelet configuration for Shoot resources is now 100. If you have specified a value less than 100 the gardener-apiserver will automatically migrate it for you, however, you should switch to the new minimum value as this auto-migration logic will be removed again with one of the next releases. (#1901, @rfranzke)
  • [OPERATOR] Gardener now supports the configuration of multiple DNS providers in the shoot. These providers can especially be used in combination with the shoot-dns-service (https://github.com/gardener/gardener-extension-shoot-dns-service) in your Garden environment. (#1959, @timuthy)
  • [OPERATOR] The gardenlet does now create a new gardener-internal secret in every shoot namespace that can be used to communicate with the shoot API server via its Kubernetes service (in-cluster). If it does not run in the same seed cluster then it falls back to the gardener secret which contains a kubeconfig with the public address to the shoot's API server. (#1928, @rfranzke)
  • [OPERATOR] The gardener.cloud:system:cloudprofiles ClusterRole and ClusterRoleBinding resources have been renamed to gardener.cloud:system:read-global-resources. They are now allowing all authenticated users to read CloudProfile and Seed resources. (#1919, @rfranzke)
  • [OPERATOR] The gardener-controller-manager configuration now supports a new .controllers.seed.shootMonitorPeriod field. This field controls the time after which the controller-manager will set the status to Unknown for all the shoot conditions and constraints in case the responsible gardenlet does not send heartbeats anymore. (#1911, @rfranzke)
  • [OPERATOR] The shoot etcds are now scaled down only during maintenance time window. (#1891, @ggaurav10)
  • [OPERATOR] The resource limits for etcds and the kube-apiservers of shoots are now scaled along with the resource requests. (#1891, @ggaurav10)
  • [DEVELOPER] It is now possible to let the project controller manage extension roles for access to the Gardener-managed resources in the garden cluster. Please consult this documentation for further information. (#1948, @rfranzke)

Improvements

  • [USER] An issue has been fixed which caused the deletion of previously woken-up shoot clusters to fail. (#1984, @timuthy)
  • [USER] gardener-apiserver does no longer use the value of garden.sapcloud.io/purpose or gardener.cloud/purpose when .spec.purpose is not specified. (#1950, @ialidzhikov)
  • [USER] A bug has been fixed which caused a reconciliation failure for shoot clusters which specify spec.provider.workers[].volume.size without spec.provider.workers[].volume.type. (#1930, @timuthy)
  • [USER] The controller-manager does now correctly release the finalizer in Secrets if no referencing SecretBindings exist anymore. (#1927, @rfranzke)
  • [USER] The Gardener users now have access to the logs from the kube-scheduler and cluster-autoscaler of their shoot clusters. (#1918, @vpnachev)
  • [USER] A bug has been fixed that prevented worker pools from being added to existing shoot clusters. (#1914, @rfranzke)
  • [USER] Shoot configuration for OIDC authentication (Kubernetes API Server) requires that, if one of the fields clientID and issuerURL is provided, the other is provided as well. (#1909, @swilen-iwanow)
  • [USER] The SystemComponentsHealthy condition now also reflects the status of the connectivity between the control plane and the worker nodes. (#1900, @rfranzke)
  • [USER] Worker volumes can be encrypted, and additional Data Volumes can be attached to a worker. Kubernetes persistent state can be saved to a Data Volume. (#1893, @guydaichs)
  • [USER] Developers can now make use of a nodeless local gardener setup. Simply run make local-garden-up and get a nodeless Garden cluster. (#1842, @zanetworker)
  • [OPERATOR] Assign initial requests for kube-apiserver based on cluster autoscaler minNodes instead of maxNodes (#1992, @ggaurav10)
  • [OPERATOR] Gardener API server does no longer allow empty values for worker machine.image.name and machine.image.version. (#1986, @ialidzhikov)
  • [OPERATOR] Vertical Pod Autoscaler provides 10% lower recommendations to improve resource utilization. (#1983, @wyb1)
  • [OPERATOR] HVPA minAllowed values for kube-apiserver and etcd have been lowered to improve resource utilization. (#1983, @wyb1)
  • [OPERATOR] Network and worker deployments are serialized. (#1981, @georgekuruvillak)
  • [OPERATOR] Shoot's ETCD encryption configuration is synced from the Garden cluster if it does not exist in the Shoot's control plane (#1978, @plkokanov)
  • [OPERATOR] Grafana is no longer able to access the internet. (#1977, @wyb1)
  • [OPERATOR] All prometheus scrape intervals have been set to 1m. (#1976, @wyb1)
  • [OPERATOR] Disable memory metric for horizontal scaling of shoots' kube-apiserver in HVPA. This would help in scaling down kube-apiserver horizontally when the load is low since the effect of memory caching is eliminated. This helps in decreasing the cost of seeds. (#1968, @ggaurav10)
  • [OPERATOR] A bug that caused a scheduler panic when a Shoot with .spec.networking.pods = .spec.networking.services = nil is created and there is at least one Seed with .spec.networking.shootDefaults = nil has been fixed. (#1965, @rfranzke)
  • [OPERATOR] Some more aggregate metrics to monitor the seed workload with more focus on the health of the seed workload. Includes container restart counts, ready replicas for deployment/statefulsets, pod counts by phase and state etc. (#1958, @amshuman-kr)
  • [OPERATOR] Reduce watchdog frequency to reduce the traffic to the shoot apiservers. (#1954, @amshuman-kr)
  • [OPERATOR] The Chart Applier now returns a combined error in case a rendered Manifest cannot be applied instead of doing an early exit on error. (#1949, @tim-ebert)
  • [OPERATOR] The pods for the gardener components apiserver, controller manager, scheduler and gardenlet can be extended with custom annotations and labels via the gardener helm chart. (#1945, @vpnachev)
  • [OPERATOR] Two more annotations from the old API group now have equivalents in the new API group as follows: (#1940, @ialidzhikov)
    • shoot.garden.sapcloud.io/use-as-seed -> shoot.gardener.cloud/use-as-seed
    • shoot.garden.sapcloud.io/ignore-alerts -> shoot.gardener.cloud/ignore-alerts
  • [OPERATOR] The imagevector does now support sha256 image tags. (#1937, @rfranzke)
  • [OPERATOR] Update of the temporary, experimental Kyma addon to latest Kyma version 1.10. It can be installed onto shoot clusters out-of-the-box by annotating the Shoot with experimental.addons.shoot.gardener.cloud/kyma=enabled. Be aware that we won't provide upgrades or customization, and that this addon is temporary and will be removed in a future version of Gardener again. Its purpose is to ease the Kyma installation and to show-case which features it provides. It is by no means a production-ready setup. Also, please note that, once enabled, the Kyma addon can never be disabled again. The only way to get rid of it is to delete the shoot cluster. You can check the status of the installation by using kubectl get installation/kyma-installation -o jsonpath="{'Status: '}{.status.state}{', description: '}{.status.description}". (#1935, @a-thaler)
  • [OPERATOR] The availability of configured worker zones is now only cross-checked with the referring CloudProfile if a shoot is created or the worker zones in a shoot are changed. This avoids the breakage of existing shoots whose availability zones were removed from the CloudProfile afterwards. (#1925, @timuthy)
  • [OPERATOR] Fix image vector overwrite description (#1916, @MSSedusch)
  • [OPERATOR] Adds admission plugin which forbids ShootState deletion if the corresponding Shoot still exists. (#1908, @plkokanov)
  • [OPERATOR] Readd the shoot.garden.sapcloud.io/uid annotation to the Shoot namespace as there is still machinery that relies on it. (#1906, @ialidzhikov)
  • [OPERATOR] The alertmanager StatefulSet is now automatically scaled vertically by the VPA. (#1903, @rfranzke)
  • [OPERATOR] The gardenlet Helm chart now comes with a PriorityClass for the gardenlet Deployment to ensure it always runs and is never preempted in favor of other pods. (#1899, @rfranzke)
  • [OPERATOR] A bug that may accidentally release the finalizer from Secrets when a referencing SecretBinding resource is deleted has been fixed. (#1898, @rfranzke)
  • [OPERATOR] New metric seed:images:count exposes a count of the images running in the seeds. (#1897, @wyb1)
  • [OPERATOR] Enhanced monitoring for all seed workloads (shoot control-planes, bootstrap components and extensions) by introducing a new kube-state-metrics in the garden namespace to scrape metrics for all the workloads. (#1863, @amshuman-kr)
    • The prometheus in the garden namespace now additionally scrapes the new kube-state-metrics, seed node-exporters, vpa-exporter and hvpa-controller.
    • New recording rules for the prometheus in the garden namespace to aggregate metrics about usage, request, limits, VPA recommendation, HVPA applied recommendations, node usage, allocatable resources, conditions and counts of pods, nodes and shoots hosted on the seed cluster.
    • These aggregate metrics are automatically scraped by the aggregate-prometheus.
    • Some of the pod-wise aggregate metrics have been removed to reduce the load on the aggregate-prometheus.
  • [DEVELOPER] It is now even easier to get started developing on Gardener by leveraging the nodeless local setup. Please refer to the documentation to see how to use it. (#1979, @tim-ebert)
  • [DEVELOPER] Added the fenced parameter to the test framework to specify shoots tests running in a fenced environment (#1973, @schrodit)
  • [DEVELOPER] The Chart Renderer now splits up rendered template files into individual manifests to ensure proper sorting of the manifests. (#1947, @tim-ebert)

[gardener-resource-manager]

Improvements

  • [OPERATOR] A bug preventing the sync period from being respected was resolved. (gardener/gardener-resource-manager#34, @rfranzke)
  • [OPERATOR] The default cache resync period is now changed to 24h. If you want to overwrite this you can specify the --cache-resync-period flag. (gardener/gardener-resource-manager#33, @rfranzke)

[hvpa-controller]

Improvements

  • [OPERATOR] Consider HPA scale out to be limited in case overrideScaleUpStabilization is set in the status and hpa weight is 0 so that full VPA recommendation is immediately applied. (gardener/hvpa-controller#565, @ggaurav10)
  • [OPERATOR] Handled case when maintenance time window is missing (gardener/hvpa-controller#53, @ggaurav10)
  • [OPERATOR] Enhanced hvpa controller logs to include details about the reconciling object. (gardener/hvpa-controller#51, @ggaurav10)
  • [OPERATOR] HVPA now supports setting scale mode to MaintenanceWindow. When this mode is set, scaling happens only during user-defined maintenance time window. (gardener/hvpa-controller#50, @ggaurav10)
    • Currently, this mode is supported only for vertical scaling. Support for horizontal scaling is dependent on implementation of scale subresource in HVPA
  • [OPERATOR] Added support of limits scaling (gardener/hvpa-controller#49, @ggaurav10)
  • [OPERATOR] Override vpaWeight if HPA is not maxed out and oomkill still happens (gardener/hvpa-controller#48, @ggaurav10)
  • [OPERATOR] The release tags are from now on prefixed with v. (gardener/hvpa-controller#47, @ialidzhikov)
  • [OPERATOR] Aggregated metrics are always initialised. Detailed metrics are initialised as soon as the corresponding resource is reconciled. (gardener/hvpa-controller#46, @amshuman-kr)
  • [OPERATOR] Change default port to 9569 (gardener/hvpa-controller#42, @ggaurav10)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.1.0
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.1.0
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.1.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.1.0

gardener - v1.0.4

Published by gardener-robot-ci-1 over 4 years ago

[gardener]

Improvements

  • [USER] A bug has been fixed which caused a reconciliation failure for shoot clusters which specify spec.provider.workers[].volume.size without spec.provider.workers[].volume.type. (#1932, @timuthy)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.0.4
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.0.4
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.0.4
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.0.4

gardener - v1.0.3

Published by gardener-robot-ci-1 over 4 years ago

[gardener]

Improvements

  • [USER] The controller-manager does now correctly release the finalizer in Secrets if no referencing SecretBindings exist anymore. (6bcf688067fac03eb09f0b7557be4742d4db5a16)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.0.3
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.0.3
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.0.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.0.3

gardener - v1.0.2

Published by gardener-robot-ci-2 over 4 years ago

[gardener]

Improvements

  • [USER] A bug has been fixed that prevented worker pools from being added to existing shoot clusters. (530f98609ec0b4e3bc77d3f8dad159e2e7fe9a79)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.0.2
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.0.2
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.0.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.0.2

gardener - v1.0.1

Published by gardener-robot-ci-1 over 4 years ago

[gardener]

Improvements

  • [OPERATOR] A bug that may accidentally release the finalizer from Secrets when a referencing SecretBinding resource is deleted has been fixed. (77ca4895250a028c1291d143b9b4b963cca16f07)
  • [OPERATOR] Readd the shoot.garden.sapcloud.io/uid annotation to the Shoot namespace as there is still machinery that relies on it. (0c781be437db55d5ae5450ef2cd387907dc682c4)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.0.1
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.0.1
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.0.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.0.1

gardener - v1.0.0

Published by gardener-robot-ci-1 over 4 years ago

[gardener]

Action Required

  • [USER] The legacy garden.sapcloud.io API group is finally removed. If you have not yet adapted your manifests, templates, automation, etc., you have to do it now. It is no longer possible to interact with Gardener using the legacy API. (#1832, @rfranzke)
  • [OPERATOR] The .gardenlet.kubeconfig field in the Gardenlet Helm chart is no longer available. If you want to provide a kubeconfig for the garden cluster you have to use .gardenlet.config.gardenClientConnection.kubeconfig now. Also, you now have the possibility to overwrite the kubeconfig for the seed cluster by specifying .gardenlet.config.seedClientConnection.kubeconfig. (#1870, @rfranzke)
  • [OPERATOR] ⚠️ This is a major release of Gardener as it requires the migration of its data stored in etcd. Due to the removal of the legacy garden.sapcloud.io API group the keys for the Gardener-managed resources in etcd have to be renamed. We are providing a small tool to perform this operation. You must consult the migration guide document before you deploy the Gardener v1 version. Please, precisely follow the steps described in the document. (#1832, @rfranzke)
  • [DEVELOPER] Developers have to update their local development setup. Concretely, the hack/migrate-etcd and hack/dev-setup-register-gardener scripts must be run before starting the Gardener API server. (#1832, @rfranzke)

Most notable changes

  • [DEVELOPER] The extensions.gardener.cloud/v1alpha1.BackupBucket resource does now have a new .spec.providerConfig field that can be used to pass provider-specific configuration to the extension controller. The extensions.gardener.cloud/v1alpha1.BackupEntry resource does now have new .spec.providerConfig and .spec.backupBucketProviderStatus fields. The contents for both fields are copied over from the respective BackupBucket resource. In the garden cluster, the Seed resource does now allow to provide the providerConfig for backup buckets in .spec.backup.providerConfig. (#1799, @rfranzke)

Improvements

  • [USER] A bug has been fixed that prevented the update of Kubernetes versions for kubelets. (#1850, @rfranzke)
  • [USER] Fixed a bug in the defaulting of the kubernetes dashboard authentication method to now default based on the api-server authentication method (#1846, @schrodit)
  • [USER] Fixed Project related ClusterRole aggregations. These are required e.g. for the Webterminal feature of the gardener dashboard and fixes the error: terminals.dashboard.gardener.cloud is forbidden: User "[email protected]" cannot list resource "terminals" in API group "dashboard.gardener.cloud" in the namespace "garden-project" (#1836, @petersutter)
  • [OPERATOR] Deprecated annotation shoot.garden.sapcloud.io/uid and label shoot.garden.sapcloud.io/hibernated are no longer added to the Shoot namespace. (#1885, @ialidzhikov)
  • [OPERATOR] Shoot annotations prefixed with custom.shoot.sapcloud.io/ are no longer maintained on the Shoot namespace. (#1885, @ialidzhikov)
  • [OPERATOR] Scheduler: Fixing MinimalDistance Strategy to correctly apply the seed selector from the CloudProfile and fixing a bug in the distance logic (#1884, @danielfoehrKn)
  • [OPERATOR] Aligning MCM metrics scraper for MCM 0.26.1 version (#1882, @prashanth26)
  • [OPERATOR] Gardener-apiserver is now scaled by HVPA (#1880, @ggaurav10)
  • [OPERATOR] The gardenlet now uses the ResourcesApplied condition of the ManagedResource to determine the Installed condition for a given ControllerInstallation. (#1876, @tim-ebert)
  • [OPERATOR] Changed dependency-watchdog probe shoot kubeconfigs to use client certs. (#1873, @amshuman-kr)
  • [OPERATOR] The controller-manager does now delete orphaned ShootState resources for non-existing Shoots that were accidentally left in the system. (#1868, @rfranzke)
  • [OPERATOR] Consolidated the reserve excess capacity to support both new control-planes as well as newly (vertically) scaled old control-planes. (#1861, @amshuman-kr)
  • [OPERATOR] Upgrades kube-state-metrics to 1.9.3. (#1859, @wyb1)
  • [OPERATOR] ShootState resources do now have owner references to their respective Shoot resources. (#1855, @swilen-iwanow)
  • [OPERATOR] The legacy garden.sapcloud.io:system RoleBindings in project namespaces are now properly cleaned up. (#1849, @rfranzke)
  • [OPERATOR] The ExtensionReady condition for Seed resources does now show in its message the rationale behind the computed status. (#1848, @rfranzke)
  • [OPERATOR] New etcd prefix migrator tool is available at cmd/registry-migrator/main.go which can be used to migrate existing prefixed keys to a new prefix. See cmd/registry-migrator/README.md for more details. (#1847, @mvladev)
  • [OPERATOR] An issue allowing Shoot lifetime (shoot.garden.sapcloud.io/expirationTimestamp) to be extended to infinity is now fixed. Now Shoot lifetime can be extended only up to .spec.clusterLifetimeDays from the current date, but never more. (#1841, @ialidzhikov)
  • [OPERATOR] Fix to prevent api server from crashing when shoot's worker volume is removed. (#1840, @Gerrit91)
  • [OPERATOR] Refactored Gardener integration test framework. (#1802, @schrodit)
  • [DEVELOPER] Add LastOperationTypeMigrate constant in pkg/apis/core (#1864, @vlvasilev)

[gardener-resource-manager]

Improvements

  • [OPERATOR] gardener-resource-manager now logs errors and adds messages to the condition ResourcesApplied if there were errors decoding resources in referenced secrets. (gardener/gardener-resource-manager#31, @tim-ebert)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.0.0
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.0.0
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.0.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.0.0

gardener - v0.35.2

Published by gardener-robot-ci-3 over 4 years ago

[gardener]

Improvements

  • [USER] A bug has been fixed that prevented the update of Kubernetes versions for kubelets. (243959f0cc51e84db9b24f5b6f2a2a60b7a35599)
  • [USER] Fixed a bug in the defaulting of the kubernetes dashboard authentication method to now default based on the api-server authentication method (cf3571b17eb6fd82165cbee2cb79b5dc80d02874)
  • [OPERATOR] ShootState resources do now have owner references to their respective Shoot resources. (733433ed58fbaf271460a0591f09411176041180)
  • [OPERATOR] The legacy garden.sapcloud.io:system RoleBindings in project namespaces are now properly cleaned up. (66e097abd0b0f045bb1f5b02624af0a511d4af2e)
  • [OPERATOR] An issue allowing Shoot lifetime (shoot.garden.sapcloud.io/expirationTimestamp) to be extended to infinity is now fixed. Now Shoot lifetime can be extended only up to .spec.clusterLifetimeDays from the current date, but never more. (7cff1c006626199303330d55077f57ecbd1c03f5)
  • [OPERATOR] Fix to prevent api server from crashing when shoot's worker volume is removed. (941446f3f3e8375f05cd34c22263a297454ae5d2)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v0.35.2
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v0.35.2
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v0.35.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v0.35.2

gardener - v0.35.1

Published by gardener-robot-ci-1 over 4 years ago

[gardener]

Improvements

  • [USER] Fixed Project related ClusterRole aggregations. These are required e.g. for the Webterminal feature of the gardener dashboard and fixes the error: terminals.dashboard.gardener.cloud is forbidden: User "[email protected]" cannot list resource "terminals" in API group "dashboard.gardener.cloud" in the namespace "garden-project" (a787a3743ae6702305f41b73187bed870d4dddf4)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v0.35.1
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v0.35.1
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v0.35.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v0.35.1

gardener - v0.35.0

Published by gardener-robot-ci-1 almost 5 years ago

[gardener]

Most notable changes

  • [USER] The blackbox-exporter deployment in the kube-system namespace of shoot clusters has now the monitoring role label instead of system-component. (#1830, @rfranzke)
  • [USER] The Shoot resource does now have a new .spec.purpose field with possible values evaluation (default), testing, development, production. As of today, testing shoots won't get a logging or monitoring stack as part of their control planes. Also, the Gardener scheduler will not consider the region of the testing shoot anymore, i.e., it may end up on a seed in a completely different region if it is better to balance the whole system. Other than these there is no difference currently, but we might introduce more in the future. (#1827, @rfranzke)

Improvements

  • [OPERATOR] The aggregate-prometheus now scrapes the vpa-exporter and has vpa metrics for the components running in the garden namespace of the seeds. (#1829, @wyb1)
  • [OPERATOR] Gardenlet can now update Services whose .spec.externalTrafficPolicy equals Local correctly. (#1821, @jia-jerry)
  • [OPERATOR] If the shoot name is a pure number, now Gardener can successfully create shoot-info configmap in kube-system namespace of shoot cluster. (#1819, @jia-jerry)
  • [OPERATOR] Warning messages for CoreDNS imports are now removed for new shoot clusters. If you want to remove them for your existing shoot clusters then add this data section to the coredns-custom configmap in your kube-system namespace. (#1815, @zanetworker)
  • [OPERATOR] The shoot.garden.sapcloud.io/use-as-seed annotation now supports a use-serviceaccount-bootstrapping configuration option. If set, the Gardenlet will not create a bootstrap token but a service account when it deploys itself into a shooted seed cluster. This is useful in case the Garden cluster does not support bootstrap tokens. (#1810, @rfranzke)
  • [OPERATOR] It is now possible to taint seed clusters as protected and invisible without disrupting CRUD operations for existing shoot clusters that have already been running on them. (#1808, @vpnachev)
  • [OPERATOR] Added grafana dashboard for ETCD backups. (#1794, @shreyas-s-rao)

[gardener-resource-manager]

Improvements

  • [OPERATOR] Gardener resource manager can now handle Services whose externalTrafficPolicy equals Local correctly. (gardener/gardener-resource-manager#29, @jia-jerry)
  • [OPERATOR] Kubernetes dependencies are updated to kubernetes-1.16.0. (gardener/gardener-resource-manager#26, @ialidzhikov)
  • [OPERATOR] sigs.k8s.io/controller-runtime is updated to v0.2.2. (gardener/gardener-resource-manager#25, @ialidzhikov)
  • [OPERATOR] An issue preventing ManagedResource and Secret to be updated with the given labels and annotations is now fixed. (gardener/gardener-resource-manager#24, @ialidzhikov)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v0.35.0
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v0.35.0
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v0.35.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v0.35.0