gardener

Kubernetes-native system managing the full lifecycle of conformant Kubernetes clusters as a service on Alicloud, AWS, Azure, GCP, OpenStack, vSphere, KubeVirt, Hetzner, EquinixMetal, MetalStack, and OnMetal with minimal TCO.

gardener - v0.34.0

Published by gardener-robot-ci-3 almost 5 years ago

[gardener]

Action Required

  • [USER] Ingress hostnames of monitoring and logging components of shoot clusters have been changed: AlertManager - au-<project-name--shoot-name>.<seed-ingress-domain>, Grafana - gu-<project-name--shoot-name>.<seed-ingress-domain>, go-<project-name--shoot-name>.<seed-ingress-domain>, Prometheus - p-<project-name--shoot-name>.<seed-ingress-domain>, Kibana - k-<project-name--shoot-name>.<seed-ingress-domain>. Previous hostnames are still active but will be removed in the future. (#1769, @timuthy)
  • [OPERATOR] Gardener now deletes the kube-apiserver service for clusters in hibernation if the related seed cluster doesn't disable DNS (seed taint: seed.gardener.cloud/disable-dns). This reduces the costs of hibernated clusters, especially on public cloud providers. Please make sure your extension provider can deal with this change. Versions >= 1.2.0 of Gardener-Extensions are compatible if you use providers from this repository. Please also bear in mind to always use the shoot's api-server domain name provided by Gardener (api.<shoot.spec.dns.domain>, or api..., or server in generated kubeconfig) instead of the load balancer's IP/Hostname. (#1791, @timuthy)
  • [OPERATOR] In order to support Kubernetes 1.17 you must use at least v1.2.0 of the provider extension controllers. (#1771, @rfranzke)
  • [OPERATOR] Ingress hostnames of monitoring and logging components of seed clusters (in garden namespace) have been changed: Grafana - g-seed.<seed-ingress-domain>, Prometheus - p-seed.<seed-ingress-domain>, Kibana - k-seed.<seed-ingress-domain>. (#1769, @timuthy)
  • [OPERATOR] All Gardener components now work with the core.gardener.cloud/v1beta1 API group (instead of core.gardener.cloud/v1alpha1). Please make sure that all extension controllers can understand both the v1alpha1 and v1beta1 version to ensure a smooth update. (#1763, @rfranzke)
  • [DEVELOPER] Developers might want to re-run ./hack/dev-setup-register-gardener in order to refresh the API version priority. In some cases the .kube caches should be cleaned by rm -rf ~/.kube/cache; rm -rf ~/.kube/http-cache. (#1760, @rfranzke)

Most notable changes

  • [USER] Gardener does now support shoot clusters with Kubernetes version 1.17. You should consider the Kubernetes release notes before upgrading to 1.17. (#1771, @rfranzke)
  • [USER] The metrics-server version for all shoots has been upgraded from v0.3.3 to v0.3.6. (#1771, @rfranzke)
  • [USER] Gardener does now deploy the new v2.0.0-beta8 Kubernetes Dashboard for 1.16+ shoot clusters. Please note that the URL to access it is http://localhost:8001/api/v1/namespaces/kubernetes-dashboard/services/https:kubernetes-dashboard:/proxy/. For shoot clusters < 1.16 the v1.10.1 version of the Kubernetes Dashboard is used - the URL remains the same (http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/). (#1765, @rfranzke)
  • [USER] The new core.gardener.cloud/v1beta1 API version now has the highest priority. This means that e.g. kubectl get shoot will no longer return the Shoot in garden.sapcloud.io/v1beta1 but in core.gardener.cloud/v1beta1. If the garden.sapcloud.io/v1beta1 is desired then kubectl get shoot.garden.sapcloud.io should be used. In some cases the .kube caches should be cleaned by rm -rf ~/.kube/cache; rm -rf ~/.kube/http-cache. Please note that this is the last step before the garden.sapcloud.io/v1beta1 will finally be removed. (#1760, @rfranzke)
  • [OPERATOR] The hard-coded calico logging configuration has been removed from the fluentd configuration. Please ensure that your networking-calico extension version (if you use it) is at least . (#1805, @rfranzke)
  • [OPERATOR] Operators can now add generally trusted certificates which are used by shoots' control plane components like AlertManager, Grafana, Prometheus, Kibana as well as seeds' monitoring and logging components. Please have a look at https://github.com/gardener/gardener/tree/master/docs/usage/ for more information. (#1769, @timuthy)
  • [OPERATOR] The ControllerInstallation resources now have a new ControllerHealthy condition that reflects the healthiness of the deployed extension controller. It is regularly updated and can be controlled via the Gardenlet's .controllers.controllerInstallationCare.syncPeriod flag (default: 30s). (#1753, @rfranzke)
  • [OPERATOR] The Seed resources now have a new ExtensionsReady condition that reflects the healthiness of all deployed extensions to this seed. It is updated as soon as the status of a related ControllerInstallation resource changes. (Please note that this condition will be transported to the Shoot conditions as well in case the Shoot is a seed.) (#1753, @rfranzke)
  • [OPERATOR] All resources are now stored in etcd in the core.gardener.cloud/v1beta1 version (except ShootState resources as they were not yet promoted to v1beta1). (#1748, @rfranzke)
  • [OPERATOR] The bootstrap procedure for node workers has been improved. In some Gardener setups, Ubuntu machines were not able to join the cluster because the cloud-config-downloader service didn't start automatically. Please note that all nodes will be rolled out in case your Worker extension controllers are not using v1.1.0 (see https://github.com/gardener/gardener-extensions/pull/474 for more information). [Contributed by @majst01] (#1736, @timuthy)
  • [OPERATOR] The external probe of dependency-watchdog now uses the internal DNS to the shoot apiserver to avoid a clash with the shoot deletion workflow. (#1734, @amshuman-kr)
  • [DEVELOPER] It is now possible for infrastructure extension controllers to dynamically provision a node network as part of the Infrastructure reconciliation. Please see this document for further information. (#1782, @rfranzke)
  • [DEVELOPER] It is now possible to run Gardener in environments where no dedicated network for the worker nodes is required per shoot cluster (i.e., environments having a large network for all VMs of all clusters). In this case, the Seeds and the Shoots do not need to specify a node CIDR. Gardener won’t configure the VPN components as it assumes network connectivity by default between the seed worker nodes and the shoot worker nodes. (#1782, @rfranzke)
  • [DEVELOPER] The extensions.gardener.cloud/v1alpha1 API now uses types from the core.gardener.cloud/v1beta1 (instead of the core.gardener.cloud/v1alpha1 API). (#1741, @rfranzke)

Improvements

  • [USER] An issue that unintentionally updated the machine image to the latest one during shoot updates when no image was provided has been fixed. (#1761, @rfranzke)
  • [USER] An issue has been fixed which prevented availability zones from being added to existing shoot clusters. (#1757, @timuthy)
  • [USER] Availability zone updates to shoot clusters are now validated against the corresponding CloudProfile. (#1757, @timuthy)
  • [USER] It is now forbidden again to remove the .spec.dns section during shoot updates. Earlier it was (unintentionally) possible to remove the complete section when updating a shoot. (#1756, @rfranzke)
  • [USER] It is now forbidden to choose a seed that disables DNS if the shoot itself specifies a DNS section. (#1756, @rfranzke)
  • [USER] It is now allowed to change the .spec.dns.providers section when a seed is assigned as final DNS decisions can only be taken when the seed is clarified. (#1756, @rfranzke)
  • [USER] Gardener now offers a temporary, experimental Kyma addon that can be installed onto shoot clusters out-of-the-box by annotating the Shoot with experimental.addons.shoot.gardener.cloud/kyma=enabled. Be aware that we won't provide upgrades or customization, and that this addon is temporary and will be removed in a future version of Gardener again. Its purpose is to ease the Kyma installation and to show-case which features it provides. It is by no means a production-ready setup. Also, please note that, once enabled, the Kyma addon can never be disabled again. The only way to get rid of it is to delete the shoot cluster. You can check the status of the installation by using kubectl -n kyma-installer logs deploy/kyma-installer -f. (#1754, @rfranzke)
  • [USER] Project members are now allowed to read events in their project namespaces. This improves the kubectl describe shoot <shoot-name> experience. (#1729, @vpnachev)
  • [USER] The version of the nginx-ingress addon has been reverted from v0.26.1 to v0.22.0. Generally, we advise deploying nginx-ingress on your own and leveraging the DNS service extension for shoot clusters in order to get full control over version and customization suitable to your workload's needs. (#1719, @rfranzke)
  • [OPERATOR] EncryptionConfiguration of gardener-apiserver is now configurable in the helm chart values. (#1790, @EmoinLanyu)
  • [OPERATOR] The Gardenlet Care Controller no longer depends on the machine controller but relies on health checks from the extensions. (#1786, @danielfoehrKn)
  • [OPERATOR] An issue preventing HVPA from being properly bootstrapped on a v1.11.x Seed is now fixed. (#1777, @ialidzhikov)
  • [OPERATOR] An issue where nodes were failing to join the cluster because of circular dependency between docker, kubelet and updatecacerts services has been fixed. (#1755, @vpnachev)
  • [OPERATOR] Enabled vertical scale down also for kube-apiserver via HVPA (#1750, @ggaurav10)
  • [OPERATOR] Kubernetes dependencies are updated to kubernetes-1.16.0. (#1737, @ialidzhikov)
  • [OPERATOR] Classify as infrastructure dependency error if a cloud provider does not have sufficient machine types in a region (#1732, @dansible)
  • [OPERATOR] ShootStateSync Controller, used for replicating the Gardener extensions states into the Shoot's ShootState resource, is added to Gardenlet. (#1731, @swilen-iwanow)
  • [OPERATOR] An issue preventing featureGates from being enabled in GardenletConfiguration is now fixed. (#1728, @ialidzhikov)
  • [OPERATOR] An issue has been fixed which made Gardener overwrite the .spec.provider.workers[].volume.type value of all shoot worker pools. (#1714, @timuthy)
  • [DEVELOPER] Add GardenerOperationRestore constant. (#1800, @vlvasilev)
  • [DEVELOPER] The local development setup scripts have been updated to be compatible with the latest Kind version (v0.6.1). (#1780, @timuthy)
  • [DEVELOPER] Documentation for the Network extension resource has been added. (#1775, @zanetworker)

[logging]

Most notable changes

  • [OPERATOR] es curator was updated from 5.6.0 to 5.8.1, the python base image was updated from 2.7 to 3.7 (gardener/logging#29, @dguendisch)

Improvements

  • [OPERATOR] From now on, the release tags are prefixed with v. (gardener/logging#32, @vpnachev)

[vpn]

Most notable changes

  • [OPERATOR] It is now possible to omit the NODE_NETWORK environment variable for both vpn-seed and vpn-shoot in case it is not required to tunnel traffic from the seed to the shoot node network via the VPN. (gardener/vpn#49, @rfranzke)
  • [OPERATOR] ipv6 route and gateway entries from shoot cluster are blocked (gardener/vpn#48, @DockToFuture)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v0.34.0
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v0.34.0
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v0.34.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v0.34.0

gardener - v0.33.7

Published by gardener-robot-ci-1 almost 5 years ago

[gardener]

Improvements

  • [OPERATOR] An issue preventing HVPA from being properly bootstrapped on a v1.11.x Seed is now fixed. (b6f626a8e5077f2faf126a8c22d5d61c2861b7c1)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v0.33.7
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v0.33.7
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v0.33.7
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v0.33.7

gardener - v0.33.6

Published by gardener-robot-ci-1 almost 5 years ago

[gardener]

Improvements

  • [USER] An issue that unintentionally updated the machine image to the latest one during shoot updates when no image was provided has been fixed. (681b1d5e9c1f03272a72911bdfc8e19011cc5487)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v0.33.6
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v0.33.6
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v0.33.6
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v0.33.6

gardener - v0.33.5

Published by gardener-robot-ci-2 almost 5 years ago

[gardener]

Most notable changes

  • [OPERATOR] All resources are now stored in etcd in the core.gardener.cloud/v1beta1 version (except ShootState resources as they were not yet promoted to v1beta1). (9a8e6b48925cacf3ec5a62b4aba1433157e5b9d7)

Improvements

  • [USER] It is now allowed to change the .spec.dns.providers section when a seed is assigned as final DNS decisions can only be taken when the seed is clarified. (44f04579f3f48599f92a42eccb3d0b6c23254917)
  • [USER] It is now forbidden to choose a seed that disables DNS if the shoot itself specifies a DNS section. (4e8c2777fa064857a212bd79821d3ab49081a8c0)
  • [USER] It is now forbidden again to remove the .spec.dns section during shoot updates. Earlier it was (unintentionally) possible to remove the complete section when updating a shoot. (002f231ad71a10ed7ebeee2f5e6408f652768321)
  • [USER] Availability zone updates to shoot clusters are now validated against the corresponding CloudProfile. (8d0518dd570ed0137c7593d0f3b583937ae209c8)
  • [USER] An issue has been fixed which prevented availability zones from being added to existing shoot clusters. (b1afc7375adfb82a9762e1c2876a3298cb55c0ae)
  • [USER] Gardener now offers a temporary, experimental Kyma addon that can be installed onto shoot clusters out-of-the-box by annotating the Shoot with experimental.addons.shoot.gardener.cloud/kyma=enabled. Be aware that we won't provide upgrades or customization, and that this addon is temporary and will be removed in a future version of Gardener again. Its purpose is to ease the Kyma installation and to show-case which features it provides. It is by no means a production-ready setup. Also, please note that, once enabled, the Kyma addon can never be disabled again. The only way to get rid of it is to delete the shoot cluster. You can check the status of the installation by using kubectl -n kyma-installer logs deploy/kyma-installer -f. (b7b3d0f277f3138d6be1679191566ddf64908f22)
  • [OPERATOR] An issue where nodes were failing to join the cluster because of circular dependency between docker, kubelet and updatecacerts services has been fixed. (#1758, @vpnachev)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v0.33.5
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v0.33.5
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v0.33.5
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v0.33.5

gardener - v0.33.4

Published by gardener-robot-ci-1 almost 5 years ago

[gardener]

Most notable changes

  • [OPERATOR] The external probe of dependency-watchdog now uses the internal DNS to the shoot apiserver to avoid a clash with the shoot deletion workflow. (16747306e0fa172d823a031454f5a0cd56c53dba)

Improvements

  • [OPERATOR] Classify as infrastructure dependency error if a cloud provider does not have sufficient machine types in a region (db28bdc737453baea38abae7b0de698762109a95)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v0.33.4
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v0.33.4
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v0.33.4
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v0.33.4

gardener - v0.33.3

Published by gardener-robot-ci-1 almost 5 years ago

[gardener]

Improvements

  • [OPERATOR] An issue preventing featureGates from being enabled in GardenletConfiguration is now fixed. (daafce1748232048a0d32576e7fe741eff48d793)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v0.33.3
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v0.33.3
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v0.33.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v0.33.3

gardener - v0.33.2

Published by gardener-robot-ci-2 almost 5 years ago

[gardener]

Improvements

  • [USER] The version of the nginx-ingress addon has been reverted from v0.26.1 to v0.22.0. (034818a78da4be0910f60a2d2e9204f7fb254b12)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v0.33.2
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v0.33.2
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v0.33.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v0.33.2

gardener - v0.32.2

Published by gardener-robot-ci-1 almost 5 years ago

[gardener]

Improvements

  • [OPERATOR] An issue that may cause the gardener-controller-manager to panic when a Shoot does not specify a DNS domain has been fixed. (4068682793d985ec43e3b8d78b50b50d6be1e03a)
  • [OPERATOR] An issue has been fixed which made Gardener overwrite the .spec.provider.workers[].volume.type value of all shoot worker pools. (ae3568b5456997bf1ce8b32a227ff62ec3196ada)

gardener - v0.33.1

Published by gardener-robot-ci-1 almost 5 years ago

[gardener]

Improvements

  • [OPERATOR] An issue has been fixed which made Gardener overwrite the .spec.provider.workers[].volume.type value of all shoot worker pools. (2ffa234eecfdf9d8e41e92a74a3c6e0b61e0d09a)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v0.33.1
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v0.33.1
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v0.33.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v0.33.1

gardener - v0.33.0

Published by gardener-robot-ci-2 almost 5 years ago

[gardener]

Action Required

  • [OPERATOR] With this PR we incorporate a major architectural change, namely, the introduction of a new Gardener component: the gardenlet. (#1601, @rfranzke)
    • With previous versions of Gardener we were running the control loops for all shoot clusters and all seed clusters centrally in the garden cluster (gardener-controller-manager).
    • Now, we have split the gardener-controller-manager and factored out the control loops that are involving communication with seed and shoot clusters into the new gardenlet component.
    • The motivation was twofold, mainly to enable true scalability (beyond the capacity of a single and central controller-manager), but secondly also to allow running seed and shoot clusters in isolated networks.
    • With the gardenlet, we distribute the shoot reconciliation (mainly, but also others) control loops into all seed clusters, effectively reducing the load and responsibility of a single gardenlet.
    • Gardener's architecture is now even more comparable with the Kubernetes architecture: The Gardener control plane consists of the gardener-apiserver, gardener-controller-manager, and gardener-scheduler, while the gardenlet is the primary agent running in every seed cluster. Take a look at this comparison diagram.
    • Unlike the kubelet, the gardenlet can control more than one seed cluster (although we don't recommend this setup for production). Basically, you can even run a single gardenlet in the garden cluster controlling all the seed clusters, resulting in the same Gardener v0 architecture. The landscape operator is responsible for designing its landscape, though, for the mentioned reasons, we recommend running one gardenlet per seed.
    • Please find a more detailed description here.
    • Migration from previous Gardener versions:
      • ⚠️ Be aware that the gardener Helm chart is now split into two separate Helm charts: controlplane and gardenlet. Also, some keys in the chart values have been moved around!
      • Please find the migration instructions here.
    • Removals and notable changes
      • The SeedAvailable condition no longer exists and has been replaced by Bootstrapped and GardenletReady.
      • The spec.secretRef field in the Seed resource is now optional. It is only required in case the Seed is controlled by a Gardenlet that runs outside of the seed cluster itself.
      • The Logging and HVPA feature gates have been moved from the gardener-controller-manager to the gardenlet.
      • The Seed status now contains a new kubernetesVersion field into which the gardenlet reports the Kubernetes version of the seed cluster.
      • The printer columns for kubectl get seeds have been reworked.
      • The gardener-controller-manager features two new controllers:
        • The seed lifecycle controller. Its main task is to set the GardenletReady condition to Unknown for Seed resources which don't receive heartbeats from the gardenlet anymore.
        • The CSR auto-approval controller watches CertificateSigningRequests and auto-approves them in case they were filed by a gardenlet.
  • [OPERATOR] All garden.sapcloud.io:... RBAC resources have been renamed to gardener.cloud:.... (#1601, @rfranzke)
  • [DEVELOPER] Developers should re-run ./hack/dev-setup-register-gardener in order to register the new core.gardener.cloud/v1beta1 API group. (#1681, @rfranzke)
  • [DEVELOPER] Developers need to run make dev-setup again, and make start-gardenlet in order to start the Gardenlet. Please find here more instructions for how to set up the local development environment. (#1601, @rfranzke)

Most notable changes

  • [USER] Every shoot cluster will now feature a shoot-info configmap in its kube-system namespace. This configmap contains some important information about the shoot cluster itself, e.g., maintenance time window, project name, etc. (#1690, @rfranzke)
  • [USER] As preparation for the final removal of the already deprecated garden.sapcloud.io/v1beta1 API group, all resources (except ShootState) available in core.gardener.cloud/v1alpha1 are now promoted to core.gardener.cloud/v1beta1 with the following changes: (#1681, @rfranzke)
    • The .spec.seed field in core.gardener.cloud/v1alpha1.BackupBucket has been renamed to .spec.seedName in core.gardener.cloud/v1beta1.BackupBucket.
    • The .spec.seed field in core.gardener.cloud/v1alpha1.BackupEntry has been renamed to .spec.seedName in core.gardener.cloud/v1beta1.BackupEntry.
    • The .spec.blockCIDRs field in core.gardener.cloud/v1alpha1.Seed has been moved to .spec.networks.blockCIDRs in core.gardener.cloud/v1beta1.Seed.
    • The .spec.addons.kubernetes-dashboard field in core.gardener.cloud/v1alpha1.Shoot has been renamed to .spec.addons.kubernetesDashboard in core.gardener.cloud/v1beta1.Shoot.
    • The .spec.addons.nginx-ingress field in core.gardener.cloud/v1alpha1.Shoot has been renamed to .spec.addons.nginxIngress in core.gardener.cloud/v1beta1.Shoot.
    • The .status.seed field in core.gardener.cloud/v1alpha1.Shoot has been renamed to .status.seedName in core.gardener.cloud/v1beta1.Shoot.
    • The .status.lastError field in core.gardener.cloud/v1alpha1.Shoot no longer exists in core.gardener.cloud/v1beta1.Shoot (in favour of .status.lastErrors).
  • [USER] It is now possible to instruct Gardener to skip certain cleanup tasks when deleting a Shoot cluster by annotating it with shoot.gardener.cloud/skip-cleanup=true. Please be careful using this as it might leave orphaned infrastructure resources. Services (of type load balancer) as well as persistent volume resources are still deleted even if this annotation is set. (#1679, @rfranzke)
  • [OPERATOR] Added dependency-watchdog as a bootstrap component. Both for watching etcd and kube-apiserver endpoints as well as for probing the shoot kube-apiserver for loadbalancer issues. (#1641, @amshuman-kr)
    • This replaces the existing dependency-watchdog in every shoot control-plane in the seed clusters. Bumped dependency-watchdog to v0.3.0.
    • Also, increased node monitor grace period to give the dependency watchdog probe a chance to scale down the kube-controller-manager before the nodes are marked as NotReady.
  • [OPERATOR] It is now possible to taint seed clusters with the seed.gardener.cloud/disable-dns taint. This will cause all shoot clusters assigned to this seed to not use any DNS records for the kube-apiservers. Instead, the load balancer IP/hostname is used directly in all kubeconfigs for communication. (#1617, @rfranzke)
  • [OPERATOR] When a load balancer service outputs both .status.ingress[].hostname and .status.ingress[].ip, the provided hostname is now taken instead of the IP address. (#1617, @rfranzke)
  • [DEVELOPER] The exported variable pkg/operation/common.CalicoTyphaDeploymentName has been removed (#1712, @vpnachev)
  • [DEVELOPER] All Gardener components are still working with core.gardener.cloud/v1alpha1 but will soon switch to core.gardener.cloud/v1beta1. That means that the extensions.gardener.cloud/v1alpha1.Cluster resource will then contain the core.gardener.cloud/v1beta1 resources only. Extension controllers should be prepared to be able to work with both the v1alpha1 and the v1beta1 version. (#1681, @rfranzke)
  • [DEVELOPER] The local development setup is now easier if all seeds are tainted with the seed.gardener.cloud/disable-dns taint. No internal or default domain secrets are required in this case. (#1617, @rfranzke)
  • [DEVELOPER] The base image version for all Gardener Docker images is now alpine:3.10. (#1601, @rfranzke)

Improvements

  • [USER] An issue has been resolved which caused Shoots to be displayed as reconciled successfully instead of showing an error, in case the specified DNS provider secret is missing and the Shoot could not be reconciled or deleted. (#1706, @tim-ebert)
  • [USER] It is now possible to configure the external traffic policy for the load balancer service exposing the nginx-ingress addon by setting .spec.addons.nginx-ingress.externalTrafficPolicy. It defaults to Cluster and valid values are {Cluster,Local}. (#1701, @rfranzke)
  • [USER] The version of the nginx-ingress addon has been bumped from v0.22.0 to v0.26.1. (#1701, @rfranzke)
  • [USER] Patch strategy and patch merge keys are added to the public APIs. This allows for effective usage of kubectl patch command. (#1694, @mvladev)
  • [OPERATOR] The system-component health check for calico-typha has been removed. (#1712, @vpnachev)
  • [OPERATOR] Gardener resources, e.g. Shoots, Seeds, ControllerRegistrations, etc. can now be encrypted when the API server writes them to etcd. If you want to enable encryption for certain resources, an EncryptionConfiguration must be passed via the --encryption-provider-config flag to the Gardener-Apiserver. This is based on the Kubernetes standard encryption option which is already supported for the Kube-Apiserver (https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/). (#1707, @timuthy)
  • [OPERATOR] An issue in the shoot care controller has been fixed which caused the Gardener-Controller-Manager to crash. (#1689, @timuthy)
  • [OPERATOR] Gardener now deploys network policies into the kube-system namespace of the shoot to guarantee that the blackbox-exporter component can communicate with the control plane. (#1688, @wyb1)
  • [OPERATOR] An issue preventing a Shoot with .spec.kubernetes.allowPrivilegedContainers=false from being created is now fixed. (#1686, @ialidzhikov)
  • [OPERATOR] Server certificates for Grafana (operator / user), Prometheus and Kibana endpoints of Shoots are now created with a validity of 2 years (unlike 10 years previously). (#1685, @timuthy)
  • [OPERATOR] A bug has been fixed which caused the Grafana ingresses of shoots to serve the Kubernetes Fake Certificate instead of a certificate signed by the cluster CA. (#1685, @timuthy)
  • [OPERATOR] Adds error handling when HVPA CRD is not already installed, but a delete operation is attempted (#1678, @ggaurav10)
  • [OPERATOR] The legacy storageclasses ManagedResource is no longer deleted during DeployManagedResources step. (#1677, @ialidzhikov)
  • [OPERATOR] The ControllerInstallation controller now uses ManagedResources. (#1646, @ialidzhikov)
  • [OPERATOR] Added ShootState resource which is used to save the state of Shoot control plane resources necessary for control plane migration. (#1634, @plkokanov)
  • [DEVELOPER] sigs.k8s.io/controller-runtime is updated to v0.2.2. (#1700, @ialidzhikov)

[dependency-watchdog]

Most notable changes

  • [USER] Fixed the command-line incompatibility for the root command introduced in the release 0.3.0. (gardener/dependency-watchdog#8, @amshuman-kr)
  • [USER] Introduced cobra commands. (gardener/dependency-watchdog#7, @amshuman-kr)
    1. The root command works exactly like before. I.e. it watches the endpoint objects and kicks the dependent pods in CrashloopBackoff.
    2. The probe sub-command probes kube-apiservers using internal and external IP kubeconfigs and scales the dependent scale subresources up and down.
    • Both the root command and the probe sub-command support managing a single namespace as well as all namespaces.

[gardener-resource-manager]

Improvements

  • [OPERATOR] An issue preventing ManagedResource and Secret from being updated with the given labels and annotations is now fixed. (gardener/gardener-resource-manager@ee239b534b87fd16fb2710dc5fc173557e12eacd)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v0.33.0
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v0.33.0
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v0.33.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v0.33.0

gardener - v0.32.1

Published by gardener-robot-ci-3 almost 5 years ago

[gardener]

Improvements

  • [OPERATOR] An issue in the shoot care controller has been fixed which caused the Gardener-Controller-Manager to crash. (ecb6ca424bb6d5f0c0daef9e8edfeee1f4027e4f)
  • [OPERATOR] An issue preventing a Shoot with .spec.kubernetes.allowPrivilegedContainers=false from being created is now fixed. (5ba3ce75d7e3d23884743c7f6401b5e6e4cf744b)
  • [OPERATOR] Adds error handling when HVPA CRD is not already installed, but a delete operation is attempted (8dd9625b9e79730c842a464fea5b0b1e7b24eaf6)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v0.32.1
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v0.32.1
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v0.32.1

gardener - v0.32.0

Published by gardener-robot-ci-1 almost 5 years ago

[gardener]

Action Required

  • [OPERATOR] The values to configure an Alertmanager via the gardener controller manager have changed from .controller.alertingSMTP to .controller.alerting. (#1594, @wyb1)
  • [OPERATOR] Gardener now checks for duplicate Kubernetes versions, region names and zone names in the CloudProfile resource. Please make sure that there are no duplicates in your existing CloudProfiles before upgrading gardener. (#1568, @tim-ebert)

Most notable changes

  • [USER] When cluster autoscaler is enabled (workers have different min / max values), kube-scheduler will no longer use a ClusterAutoscaler-friendly scheduling algorithm as it can cause instability in the workloads. (#1610, @mvladev)
  • [USER] It is now possible to add additional availability zones to an existing shoot cluster without the necessity of recreating it. It should be noted that when additional zones are added, the existing machines will be distributed across the different zones (i.e., machines will be re-scaled). For example, if you have a cluster with one zone and a worker pool with 8 nodes, and you add two additional zones, then 5 of your nodes will be drained and terminated, while 3 new nodes are provisioned in the second zone, and 2 new nodes are provisioned in the third zone. Be aware of the fact that Gardener will start the drain/termination process right away and does not wait until the new nodes in the new zones have come up. Hence, it is recommended to first scale up your nodes (such that you have enough capacity to run your workload temporarily in the first zone until the new nodes join the cluster (after which you can scale down your shoot again)). (#1587, @zanetworker)
  • [OPERATOR] To enable scaling of kube-apiserver and etcd of shooted seeds via HVPA, enable the feature gate HVPAForShootedSeed. (#1668, @ggaurav10)
  • [OPERATOR] extensions v1alpha1.DefaultStatus.State type changes from String to *runtime.RawExtension (#1663, @vlvasilev)
    • The Status.State field of the following CRDs changes its type to *runtime.RawExtension: ControlPlane, Extension, Infrastructure, Network, OperatingSystemConfig and Worker.
  • [OPERATOR] Operators can configure Gardener to send cluster alerts to an external alertmanager. See the docs for more details. (#1594, @wyb1)
  • [OPERATOR] From now on changes in the cloudprofile.spec.caBundle will be applied only to newly created nodes. (#1586, @vpnachev)
  • [DEVELOPER] The self-generated Golang client for the machine.sapcloud.io API group has been replaced in favour of the controller-runtime client. (#1656, @rfranzke)

Improvements

  • [USER] An issue that caused shoots to get stuck during the deletion flow when the cloud provider credentials had been refreshed has been fixed. (#1664, @rfranzke)
  • [USER] An issue that prevented updating/deleting shoots in case their region has been removed from the referencing CloudProfile has been fixed. (#1661, @rfranzke)
  • [USER] Gardener now waits for a "clean" cluster state before hibernating the Shoot's control plane. (#1638, @tim-ebert)
  • [USER] Improved error messages if validating the shoot/seed network disjointedness fails. (#1588, @Diaphteiros)
  • [USER] The shoot cluster CA certificate is now installed only on freshly created nodes. If this feature is required on all nodes of the cluster, new workers have to be rolled out. (#1586, @vpnachev)
  • [USER] The Terraform error log parsing has been improved and will now return more meaningful outputs to the user. (2bcc57c0519bfee12e51d8f3880d25afae5b5626)
  • [OPERATOR] Increase the timeout for kubernetes update tests to 45 minutes (#1669, @schrodit)
  • [OPERATOR] From now on, release tags are prefixed with v. (#1665, @ialidzhikov)
  • [OPERATOR] Gardener now triggers infrastructure related changes on shoots immediately, instead of only during the maintenance time window. (#1662, @timuthy)
  • [OPERATOR] It is now possible to add regions that don't have any availability zones to the CloudProfile. (#1661, @rfranzke)
  • [OPERATOR] Prometheus now scrapes kube-proxy metrics, especially kubeproxy_network_programming_duration_seconds and kubeproxy_sync_proxy_rules. (#1654, @wyb1)
  • [OPERATOR] The clean-up check which is executed during a shoot deletion has been improved. Previously, the check failed when managed resources were re-created after their deletion. (#1652, @timuthy)
  • [OPERATOR] Bump etcd version to 3.3.17, fixing the GRPC issue "panic: send on closed channel". (#1643, @swapnilgm)
  • [OPERATOR] Gardener now forbids hibernating Shoots with problematic Webhooks that might prevent the Shoot from being woken up again. Problematic Webhooks are MutatingWebhookConfigurations and ValidatingWebhookConfigurations with failurePolicy=Fail|nil and rules for CREATE|UPDATE|* for pods|nodes. (#1642, @tim-ebert)
  • [OPERATOR] Integrate the TestMachinery Bot to enable integration tests for Pull Requests. (#1635, @schrodit)
  • [OPERATOR] Add integration test to validate network connectivity between all nodes in a shoot (#1632, @schrodit)
  • [OPERATOR] kube-scheduler no longer uses the ClusterAutoscaler-friendly scheduling algorithm when cluster-autoscaler is enabled as it can cause instability in the workloads. (#1610, @mvladev)
  • [OPERATOR] gardener-apiserver now prevents the removal of the gardener finalizer for existing shoots if the shoot deletion has not yet finished successfully. (#1608, @tim-ebert)
  • [OPERATOR] An issue was fixed which prevented a Seed from being properly cleaned up before deletion and blocked the deletion of any leftover Shoots on this Seed. (#1604, @tim-ebert)
  • [OPERATOR] Gardener now makes sure that the .spec.kubernetes.kubeAPIServer.auditConfig.auditPolicy.configMapRef.resourceVersion of shoot resources is set when an audit policy ConfigMap is referenced. (#1598, @timuthy)
  • [OPERATOR] Fix conversion of garden.sapcloud.io/v1beta1.CloudProfile. (#1570, @vpnachev)
  • [OPERATOR] An issue in the SecretBinding controller that could cause the controller-manager to panic has been resolved. (#1569, @rfranzke)
  • [OPERATOR] The remaining code of the deprecated and removed kube2iam addon has been removed. (#1566, @rfranzke)
  • [OPERATOR] There is a new field in the status of garden.sapcloud.io/v1beta1.Shoot and core.gardener.cloud/v1alpha1.Shoot: .status.lastErrors[] contains a list of all errors which occurred during the last operation on the Shoot resource. Each error in the list has a unique TaskID which depends on the task that caused the error. (#1404, @plkokanov)
  • [OPERATOR] Once a step which caused an error during the previous operation on a Shoot resource completes successfully, the corresponding error is removed from .status.lastErrors[]. (#1404, @plkokanov)
  • [DEVELOPER] Task functions executed by HandleErrors can now return a special type of error, which the calling code can check to decide whether to stop execution and return nil or to return an error. (#1591, @plkokanov)
  • [DEVELOPER] sigs.k8s.io/controller-runtime is updated to v0.2.0-beta.5. (#1548, @ialidzhikov)
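The hibernation rule from #1642 above (failurePolicy=Fail|nil with rules for CREATE|UPDATE|* on pods|nodes), written out as an added example. This is not Gardener's own code: the Rule and Webhook types are simplified stand-ins for the webhook configuration fields the note names, and the sample webhooks are constructed.

```go
package main

import "fmt"

// Rule and Webhook are simplified stand-ins (assumed shapes) for the fields of a
// Mutating/ValidatingWebhookConfiguration entry that the release note names.
type Rule struct {
	Operations, Resources []string
}

type Webhook struct {
	Name          string
	FailurePolicy *string // nil when the manifest does not set it
	Rules         []Rule
}

// Finding records which rule makes a webhook block hibernation.
type Finding struct {
	Webhook, Policy, Operation, Resource string
}

func (f Finding) String() string {
	return fmt.Sprintf("%s: failurePolicy=%s, rule matches %s on %s", f.Webhook, f.Policy, f.Operation, f.Resource)
}

// firstOf returns the first element of values that equals one of wanted.
func firstOf(values []string, wanted ...string) (string, bool) {
	for _, v := range values {
		for _, w := range wanted {
			if v == w {
				return v, true
			}
		}
	}
	return "", false
}

// CheckHibernation reports webhooks with failurePolicy Fail or unset that have
// a rule for CREATE, UPDATE or * on pods or nodes. Only the values listed in
// the release note are matched; wildcard resources are out of scope here.
func CheckHibernation(hooks []Webhook) []Finding {
	var findings []Finding
	for _, h := range hooks {
		policy := "<unset>"
		if h.FailurePolicy != nil {
			if *h.FailurePolicy != "Fail" {
				continue // Ignore: API requests proceed when the webhook is unreachable
			}
			policy = "Fail"
		}
		for _, r := range h.Rules {
			op, opOK := firstOf(r.Operations, "CREATE", "UPDATE", "*")
			res, resOK := firstOf(r.Resources, "pods", "nodes")
			if opOK && resOK {
				findings = append(findings, Finding{h.Name, policy, op, res})
				break // one finding per webhook is enough to refuse hibernation
			}
		}
	}
	return findings
}

// SampleWebhooks returns constructed input, not taken from a real cluster.
func SampleWebhooks() []Webhook {
	fail, ignore := "Fail", "Ignore"
	return []Webhook{
		{"pod-policy.example", &fail, []Rule{{[]string{"CREATE"}, []string{"pods"}}}},
		{"node-labels.example", nil, []Rule{{[]string{"*"}, []string{"nodes"}}}},
		{"pod-audit.example", &ignore, []Rule{{[]string{"CREATE", "UPDATE"}, []string{"pods"}}}},
		{"cm-check.example", &fail, []Rule{{[]string{"CREATE"}, []string{"configmaps"}}}},
		{"pod-cleanup.example", &fail, []Rule{{[]string{"DELETE"}, []string{"pods"}}}},
	}
}

func main() {
	for _, f := range CheckHibernation(SampleWebhooks()) {
		fmt.Println(f)
	}
}
```

Running the same check over a shoot's webhook configurations before requesting hibernation shows which ones need failurePolicy or rule changes first.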

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v0.32.0
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v0.32.0
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v0.32.0

gardener - 0.31.2

Published by gardener-robot-ci-2 almost 5 years ago

[gardener]

Most notable changes

  • [USER] When cluster autoscaler is enabled (workers have different min / max values), kube-scheduler will no longer use a ClusterAutoscaler-friendly scheduling algorithm as it can cause instability in the workloads. (#1611, @mvladev)

Improvements

  • [OPERATOR] Restrict terraformer to delete jobs and pods only in its namespace. (#1616, @ialidzhikov)
  • [OPERATOR] kube-scheduler no longer uses the ClusterAutoscaler-friendly scheduling algorithm when cluster-autoscaler is enabled as it can cause instability in the workloads. (#1611, @mvladev)
  • [OPERATOR] Gardener now makes sure that the .spec.kubernetes.kubeAPIServer.auditConfig.auditPolicy.configMapRef.resourceVersion of shoot resources is set when an audit policy ConfigMap is referenced. (1d2aff4bc26d8c808e9f410df5e8a105a6af2230)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:0.31.2
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:0.31.2
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:0.31.2

gardener - 0.31.1

Published by gardener-robot-ci-3 almost 5 years ago

[gardener]

Improvements

  • [USER] The Terraform error log parsing has been improved and will now return more meaningful outputs to the user. (7df4ff31291eaa445e1014b797350aa522385e34)
  • [OPERATOR] An issue in the SecretBinding controller that could cause the controller-manager to panic has been resolved. (1a3636f59b27274cc80c377918ef50e494f4a838)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:0.31.1
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:0.31.1
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:0.31.1

gardener - 0.31.0

Published by gardener-robot-ci-3 almost 5 years ago

[gardener]

Action Required

  • [OPERATOR] The gardener-controller-manager is now working only with core.gardener.cloud/v1alpha1 instead of garden.sapcloud.io/v1beta1 resources. You have to use at least version 0.14.0 of the gardener-extensions. (#1453, @rfranzke)
  • [OPERATOR] The deprecated BackupInfrastructure resource has been removed from the garden.sapcloud.io/v1beta1 API group. Please ensure that no BackupInfrastructure resources exist in your landscape anymore before updating to this Gardener version. (#1453, @rfranzke)
  • [OPERATOR] The name of the calico-typha deployment has been adapted to fit to the name used by the networking-calico extension. Please update your networking-calico extension version to at least 0.13.1. (cd5a9096ecd38f7c7110632599ef32cbc0bf60d4)

Most notable changes

  • [USER] It is now possible to provide custom configuration for the standard nginx-ingress addon provided by Gardener using the .spec.addons.nginx-ingress.config map. (#1563, @rfranzke)
    • ⚠️ Be aware that you cannot control the version of the ingress controller, hence, it is not recommended to use this field as Gardener can update the version anytime, potentially conflicting with your custom configuration. Deploy your own ingress controller instead.
  • [USER] When cluster autoscaler is enabled (workers have different min / max values), kube-scheduler will use a ClusterAutoscaler-friendly scheduling algorithm. (#1551, @mvladev)
    • In practice this means that kube-scheduler will more likely prioritize nodes with higher resource usage for pod scheduling. This would lead to better resource usage and it will likely provision fewer nodes. All other scheduler priority configurations are not affected.
  • [USER] Shoot clusters that are using a default domain can now only be created with the following naming scheme: <shoot-name>.<project-name>.<default-domain>. (#1520, @rfranzke)
  • [USER] core.gardener.cloud/v1alpha1.Shoot and garden.sapcloud.io/v1beta1.Shoot now support monitoring configurations under spec.monitoring. (#1516, @wyb1)
  • [USER] Request bodies for normal API requests (create/delete/update/patch operations of regular resources) to the Gardener API server are now limited to 3MB. This fixes a flaw (CVE-2019-11253) in json/yaml decoding where large or malformed documents could consume excessive server resources. (#1514, @rfranzke)
  • [USER] The garden.sapcloud.io/v1beta1.Shoot resource does now support the configuration of availability zones and service endpoints for Azure shoot clusters. (#1505, @dkistner)
  • [USER] The long deprecated kube-lego and kube2iam addons are now finally removed. They will remain in the garden.sapcloud.io/v1beta1.Shoot API but won't have any effect anymore. (#1453, @rfranzke)
  • [USER] As part of the final removal of the long deprecated kube2iam addon, it will be deprovisioned from all existing Shoots that still enable it. Also, all IAM roles created by Gardener for the kube2iam addon will be deleted. (#1453, @rfranzke)
  • [USER] The kubeconfigs provided for Plants may now only contain the following keys as authentication info: client-certificate-data, client-key-data, token, username, or password. You may have to update your secrets accordingly. (0635b74b8785533d1d6cccf1beec18a63339c1ba)
  • [USER] The gopkg.in/yaml.v2 library is updated to version v2.2.4 to mitigate CVE-2019-11253. (0635b74b8785533d1d6cccf1beec18a63339c1ba)
  • [USER] The .spec.networking.type for a Shoot is now immutable. (8dbfed921e62e510896be975916d172939524fa0)
  • [OPERATOR] The ClusterRoles garden.sapcloud.io:system:project-member and garden.sapcloud.io:system:project-viewer are now aggregated. (#1539, @mvladev)
    • Gardener administrators can now use the rbac.gardener.cloud/aggregate-to-project-member: "true" and rbac.gardener.cloud/aggregate-to-project-viewer: "true" labels to add additional rules to the aggregated roles.
  • [OPERATOR] There is a new field in the core.gardener.cloud/v1alpha1.CloudProfile resource: .spec.machineTypes[].storage.class can be used to indicate the storage class (standard or premium, similar to .spec.volumeTypes[].class) in case Quotas are used for environments in which the root disk of VMs is defined by the machine type and not separately (like OpenStack, for example). (#1527, @rfranzke)
  • [OPERATOR] gardener-apiserver prevents the removal of the gardener finalizer for existing shoots if there are some backing assets like networks, machines, etc. (e.g. if the shoot namespace in the seed still exists). (#1519, @tim-ebert)
  • [OPERATOR] VPA components are upgraded to version 0.6.3. VPA can now increase the limits of containers proportionally, effectively enabling better auto-scaling of control plane components. (#1512, @wyb1)
  • [OPERATOR] The control plane components kube-apiserver and etcd will be autoscaled horizontally and vertically using hvpa-controller if the HVPA feature gate is enabled. Currently, the update policy for the autoscalers is set to ScaleUp, which is intended as a safer first step, however, it might have cost impact. Eventually, the update policy will be changed to Auto for kube-apiserver first and later for etcd in a future release. (#1421, @ggaurav10)
  • [OPERATOR] The gardener-controller-manager does now register a new validating webhook for CREATE and UPDATE requests on Secrets. This is in order to validate that kubeconfig secrets may only contain kubeconfigs whose authentication information meets our requirements. (924fb2692c04b5321774e0168ceed510954800aa)
  • [OPERATOR] The kubeconfigs provided for Seeds may now only contain the following keys as authentication info: client-certificate-data, client-key-data, token, username, or password. You may have to update your secrets accordingly. (0635b74b8785533d1d6cccf1beec18a63339c1ba)
  • [DEVELOPER] It is now possible for extension controllers to contribute to the shoot health status conditions. Take a look at this document for further instructions and information. (#1523, @rfranzke)
  • [DEVELOPER] The gardener-controller-manager is now working only with core.gardener.cloud/v1alpha1 instead of garden.sapcloud.io/v1beta1 resources. (#1453, @rfranzke)
  • [DEVELOPER] The Cluster resource in the seed clusters will now contain the core.gardener.cloud/v1alpha1 version of the CloudProfile, Seed, and Shoot resource. Extension controllers should be made capable of supporting/understanding both for at least one release until all shoots have been reconciled. (Existing Cluster resource of not-yet-reconciled shoots will still contain the garden.sapcloud.io/v1beta1 version). (#1453, @rfranzke)
  • [DEVELOPER] The shoot.garden.sapcloud.io/uid as well as the shoot.garden.sapcloud.io/hibernated annotation on the shoot namespace in the seed cluster are deprecated and will be removed in a future version. You should consider using the Cluster resource instead. (#1453, @rfranzke)
  • [DEVELOPER] Due to the new webhook on secrets you have to re-run make dev-setup and execute kubectl delete validatingwebhookconfiguration validate-namespace-deletion (it has been renamed to gardener-controller-manager). (924fb2692c04b5321774e0168ceed510954800aa)

Improvements

  • [USER] Azure Shoot clusters can now be deployed into existing virtual networks (vNet). The vNet can't be in the same Resource Group as the Shoot Infrastructure resources. (#1558, @dkistner)
  • [USER] CoreDNS now supports custom configuration via an external config-map called custom-dns in the kube-system namespace. More documentation can be found here (#1541, @zanetworker)
  • [USER] core.gardener.cloud/v1alpha1.Shoot does now support field selector by spec.seedName and spec.cloudProfileName. (#1529, @ialidzhikov)
  • [USER] Node-problem-detector is integrated into Gardener. Certain problems that occur on nodes will be visible as NodeConditions or Events. Refer to the NPD doc for more info. (#1525, @hardikdr)
  • [USER] An issue with the conversion for OpenStack shoots when spec.workers[].volume was stated has been fixed. (#1506, @danielfoehrKn)
  • [USER] Finalizers for resources of the Gardener APIs are no longer written during creation by the gardener-apiserver. Instead, the gardener-controller-manager writes them once it starts reconciliation. (#1463, @tim-ebert)
  • [USER] The .spec.provider.workers[].volume.type field is now optional in the core.gardener.cloud/v1alpha1.Shoot resource. (3a5a59fbf55f68923b865a4cf0ad83607697a407)
  • [OPERATOR] terraformer memory limit is set to 1.5Gi. (#1557, @ialidzhikov)
  • [OPERATOR] kube-scheduler now uses the ClusterAutoscaler-friendly scheduling algorithm when cluster-autoscaler is enabled. (#1551, @mvladev)
  • [OPERATOR] Add VPA to cluster-autoscaler (#1535, @RaphaelVogel)
  • [OPERATOR] A user named gardener is deployed on every shoot node to ease ssh access to it. (#1513, @KristianZH)
  • [OPERATOR] Add an integration to validate a full gardener reconcile (#1510, @schrodit)
  • [OPERATOR] Add an integration to test the scale out of an additional shoot worker node. (#1510, @schrodit)
  • [OPERATOR] An issue with unsuccessful finalization of Shoot resources for Kubernetes < v1.14 is now fixed. (#1508, @ialidzhikov)
  • [OPERATOR] Add alerts for etcd DB size limits. (#1503, @shreyas-s-rao)
  • [OPERATOR] An issue has been fixed which removed a wrong extension from the cluster when an extension had been disabled. (#1501, @timuthy)
  • [OPERATOR] An issue has been fixed that didn't respect the global machine image for v1beta1 Shoots (#1499, @danielfoehrKn)
  • [OPERATOR] Add documentation for operator and user alerts. (#1494, @wyb1)
  • [OPERATOR] Gardener has improved the way it determines the Gardener identity to prevent a possible resource exhaustion. (#1493, @timuthy)
  • [OPERATOR] An issue has been fixed that caused different kubectl commands to not work properly on Kubernetes clusters of version 1.10.x. Therefore, Gardener rolls back the metric-server to v0.3.1 for those clusters. (#1485, @timuthy)
  • [OPERATOR] The terraformer package is now able to work with version 4 of terraform state. (#1480, @ialidzhikov)
  • [OPERATOR] Fix monitoring regression for aggregated monitoring (#1478, @wyb1)
  • [OPERATOR] Gardener now cleans up k8s resources with a TerminationGracePeriodSeconds of 300 when deleting a shoot cluster. (#1469, @timuthy)
  • [OPERATOR] Gardener does now read ConfigMaps labelled with extensions.gardener.cloud/configuration=monitoring and injects their data into the prometheus and grafana configurations. This allows extension controllers to define their provider-specific monitoring configuration for the components they deploy. (#1466, @svetlinas)
  • [OPERATOR] Update integration test helm chart to 9.2.0 (#1459, @schrodit)
  • [OPERATOR] Use token authentication in kubernetes dashboard integration test (#1459, @schrodit)
  • [DEVELOPER] Gardener's "Applier" does now keep the status of existing VerticalPodAutoscaler resources when applying manifests. (#1538, @rfranzke)
  • [DEVELOPER] TerraformerChartPath and ChartInitializer func are now removed from pkg/operation. (#1481, @ialidzhikov)
  • [DEVELOPER] The .spec.pools[].volume.type field is now optional in the extensions.gardener.cloud/v1alpha1.Worker resource. (3a5a59fbf55f68923b865a4cf0ad83607697a407)
  • [DEVELOPER] Validation functions for Gardener's extensions.gardener.cloud/v1alpha1 API group have been implemented. Gardener does not validate these resources itself, however, extension controllers can call them in order to validate the extension CRDs. They have to add proper validation logic for their provider configs, but the validation of general fields in the API can be done with the provided functions. (06bc8a037a48bab6ca0836b4fcfd6f28029d156d)

[autoscaler]

Improvements

  • [OPERATOR] Ignore worker specific labels and 128Ki of memory difference while balancing nodegroups. (gardener/autoscaler#23, @hardikdr)

[gardener-resource-manager]

Improvements

  • [OPERATOR] Gardener-resource-manager now supports ignoring resources annotated with resources.gardener.cloud/ignore: "true". This is to allow customisation of resources if required. (gardener/gardener-resource-manager#18, @zanetworker)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:0.31.0
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:0.31.0
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:0.31.0

gardener - 0.30.5

Published by gardener-robot-ci-3 about 5 years ago

[gardener]

Most notable changes

  • [USER] The kubeconfigs provided for Plants may now only contain the following keys as authentication info: client-certificate-data, client-key-data, token, username, or password. You may have to update your secrets accordingly. (51a925c48eaf4ef00753bd2c7d2e2ecbfaf431e2)
  • [USER] The gopkg.in/yaml.v2 library is updated to version v2.2.4 to mitigate CVE-2019-11253. (2b4383e4f6b648e5e46e6a83cf1ee1aa13462237)
  • [OPERATOR] The gardener-controller-manager does now register a new validating webhook for CREATE and UPDATE requests on Secrets. This is in order to validate that kubeconfig secrets may only contain kubeconfigs whose authentication information meets our requirements. (b409b3a1036eff1d1ca6b7c5a6f321aa76437f96)
  • [OPERATOR] The kubeconfigs provided for Seeds may now only contain the following keys as authentication info: client-certificate-data, client-key-data, token, username, or password. You may have to update your secrets accordingly. (51a925c48eaf4ef00753bd2c7d2e2ecbfaf431e2)
  • [DEVELOPER] Due to the new webhook on secrets you have to re-run make dev-setup and execute kubectl delete validatingwebhookconfiguration validate-namespace-deletion (it has been renamed to gardener-controller-manager). (b409b3a1036eff1d1ca6b7c5a6f321aa76437f96)
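The authentication-info allowlist for Plant and Seed kubeconfigs, listed here and in the 0.31.0 notes, can be checked against your own secrets before upgrading. The following is an added example, not the gardener-controller-manager webhook's code. It assumes the kubeconfig is supplied in JSON form (valid YAML, chosen to stay within the Go standard library) and uses a constructed sample document.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// allowedAuthKeys is the list of authentication-info keys from the release note.
var allowedAuthKeys = map[string]bool{
	"client-certificate-data": true,
	"client-key-data":         true,
	"token":                   true,
	"username":                true,
	"password":                true,
}

// kubeconfig decodes only the part of the document this check needs.
type kubeconfig struct {
	Users []struct {
		Name string                     `json:"name"`
		User map[string]json.RawMessage `json:"user"`
	} `json:"users"`
}

// ValidateAuthInfo returns a sorted list of "<user>: <key>" entries, one for
// every authentication-info key that is not on the allowlist.
func ValidateAuthInfo(raw []byte) ([]string, error) {
	var kc kubeconfig
	if err := json.Unmarshal(raw, &kc); err != nil {
		return nil, fmt.Errorf("decode kubeconfig: %w", err)
	}
	var violations []string
	for _, u := range kc.Users {
		for key := range u.User {
			if !allowedAuthKeys[key] {
				violations = append(violations, u.Name+": "+key)
			}
		}
	}
	sort.Strings(violations) // map iteration order is random; keep output stable
	return violations, nil
}

// sampleKubeconfig is constructed for this example. The "helper" user relies on
// keys that point at a file and a helper program on the machine loading the
// kubeconfig instead of carrying inline credentials.
const sampleKubeconfig = `{
  "apiVersion": "v1",
  "kind": "Config",
  "users": [
    {"name": "inline", "user": {"token": "constructed-token"}},
    {"name": "cert", "user": {"client-certificate-data": "Y29uc3RydWN0ZWQ=",
                              "client-key-data": "Y29uc3RydWN0ZWQ="}},
    {"name": "helper", "user": {"exec": {"command": "example-credential-helper"},
                                "tokenFile": "/path/to/token"}}
  ]
}`

func main() {
	violations, err := ValidateAuthInfo([]byte(sampleKubeconfig))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, v := range violations {
		fmt.Println("not allowed:", v)
	}
}
```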

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:0.30.5
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:0.30.5
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:0.30.5

gardener - 0.30.4

Published by gardener-robot-ci-1 about 5 years ago

[gardener]

Most notable changes

  • [USER] Request bodies for normal API requests (create/delete/update/patch operations of regular resources) to the Gardener API server are now limited to 3MB. This fixes a flaw (CVE-2019-11253) in json/yaml decoding where large or malformed documents could consume excessive server resources. (8c962ef4d386cbf8bdd04eccb8f55cabc97d3f61)

Improvements

  • [OPERATOR] Fix monitoring regression for aggregated monitoring (#1502, @wyb1)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:0.30.4
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:0.30.4
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:0.30.4

gardener - 0.30.3

Published by gardener-robot-ci-2 about 5 years ago

[gardener]

Improvements

  • [OPERATOR] An issue has been fixed which removed a wrong extension from the cluster when an extension had been disabled. (177e2716efe71d150ee36326891698232be494c5, @timuthy)
  • [OPERATOR] An issue has been fixed that didn't respect the global machine image for v1beta1 Shoots (199e58f6294a72d3dbcd0ed098bc478d697feb03, @danielfoehrKn)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:0.30.3
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:0.30.3
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:0.30.3

gardener - 0.30.2

Published by gardener-robot-ci-3 about 5 years ago

[gardener]

Improvements

  • [OPERATOR] The deletion of an unsuccessfully hibernated Shoot was improved to prevent a nil pointer dereference in gardener-controller-manager. (#1488, @ialidzhikov)
  • [OPERATOR] An issue has been fixed that caused different kubectl commands to not work properly on Kubernetes clusters of version 1.10.x. Therefore, Gardener rolls back the metric-server to v0.3.1 for those clusters. (#1486, @timuthy)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:0.30.2
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:0.30.2
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:0.30.2

gardener - 0.30.1

Published by gardener-robot-ci-2 about 5 years ago

[gardener]

Action Required

  • [OPERATOR] The name of the calico-typha deployment has been adapted to fit to the name used by the networking-calico extension. Please update your networking-calico extension version to at least 0.13.1. (1086fe82cfe6a57368ce066c145714c73c72748f)

Improvements

  • [OPERATOR] The Golang version has been updated to 1.13.1. (eec8857e6702a1937f1d6fc7f56be8bee3be7ebf)
  • [OPERATOR] Update integration test helm chart to 9.2.0 (af896ad88d4e0296cd8915e01119ba3a48d53dbd)
  • [OPERATOR] Use token authentication in kubernetes dashboard integration test (524450222c7c59cf2cc3a361dd885c4f32adbff3)

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:0.30.1
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:0.30.1
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:0.30.1