gardener

Kubernetes-native system managing the full lifecycle of conformant Kubernetes clusters as a service on Alicloud, AWS, Azure, GCP, OpenStack, vSphere, KubeVirt, Hetzner, EquinixMetal, MetalStack, and OnMetal with minimal TCO.


gardener - v1.87.0

Published by gardener-robot-ci-1 9 months ago

[gardener/gardener]

⚠️ Breaking Changes

  • [DEPENDENCY] The signature of github.com/gardener/gardener/pkg/chartrenderer.RenderedChart#Files has changed. by @acumino [#8877]
  • [OPERATOR] The deprecated field seed.spec.secretRef has been removed from the Seed API. Please check your Seeds and remove any usage before upgrading to this Gardener version. by @acumino [#8896]
  • [OPERATOR] Migration code for Plutono and Vali is now removed. Consider manual cleanup for long-term broken Shoots as described in the PR to avoid leaking Loki's PV. by @rickardsjp [#8999]
  • [DEVELOPER] The pkg/resourcemanager/predicate.ClassFilter.Active function was replaced by IsTransferringResponsibility and IsWaitForCleanupRequired.
    • pkg/resourcemanager/predicate.ClassFilter.IsTransferringResponsibility should be used to check whether the .spec.class field of a ManagedResource has changed and let the controller which was previously responsible for the ManagedResource perform any additional/cleanup tasks.
    • pkg/resourcemanager/predicate.ClassFilter.IsWaitForCleanupRequired should be used by the controller to which the responsibility was transferred to determine whether it should wait for any tasks/cleanup activities made by the previously responsible controller. by @Kostov6 [#8886]

📰 Noteworthy

  • [OPERATOR] The ContainerdRegistryHostsDir feature gate has been promoted to GA and is now locked to "enabled by default". by @ialidzhikov [#8979]

✨ New Features

  • [OPERATOR] When hibernating a cluster, Gardener now assigns an error code ERR_CLEANUP_CLUSTER_RESOURCES to shoot clusters if (user) pods are still running in namespaces other than kube-system. by @benedictweis [#9060]
  • [OPERATOR] node-agent checks health of containerd and kubelet now. This replaces the previous bash implementation of these health checks. by @majst01 [#8786]
  • [OPERATOR] Gardener can now support clusters with Kubernetes version 1.29. To allow creation/update of 1.29 clusters you will have to update the version of your provider extension(s) to a version that supports 1.29 as well. Please consult the respective releases and notes in the provider extension's repository. by @acumino [#8976]
  • [OPERATOR] The components managed by gardener now use PDBs with unhealthyPodEvictionPolicy: AlwaysAllow for clusters with kubernetes version >= 1.26. (For v1.26 clusters (shoots and virtual-garden cluster), the featuregate PDBUnhealthyPodEvictionPolicy needs to be turned on in the kube-apiserver. From v1.27 this is enabled by default.) by @shafeeqes [#8969]
  • [DEVELOPER] Add local setup for dual-stack seeds. by @axel7born [#8983]
  • [DEVELOPER] Gardener can now support clusters with Kubernetes version 1.29. Extension developers have to prepare individual extensions as well to work with 1.29. by @acumino [#8976]

🐛 Bug Fixes

  • [OPERATOR] False positive PrometheusCantScrape alerts for the etcd-druid job in the shoot control plane are no longer firing, even if the --enable-backup-compaction feature of etcd-druid is not turned on. by @istvanballok [#8988]
  • [OPERATOR] Allow the dependency-watchdog-prober to patch deployments and deployments/scale resources. by @aaronfern [#9036]
  • [DEVELOPER] Local single-zone gardener development setups should now work as expected again even if the istio ingress pods are not scheduled on the control plane node. by @ScheererJ [#8998]
  • [DEVELOPER] Local gardener-operator and multi-zone gardener development setups now use externalTrafficPolicy: Local for inbound communication to mitigate cross-node network problems. by @ScheererJ [#8972]

🏃 Others

  • [OPERATOR] The following dependency has been updated:
  • [OPERATOR] Spreading istio pods across hosts is now enforced if there are enough hosts in a particular zone. by @ScheererJ [#8970]
  • [OPERATOR] The following images are updated:
    • europe-docker.pkg.dev/gardener-project/releases/3rd/kubesphere/fluent-operator: v2.3.0 -> v2.7.0
    • europe-docker.pkg.dev/gardener-project/releases/3rd/kubesphere/fluent-bit: v2.1.4 -> v2.2.0 by @nickytd [#9031]
  • [OPERATOR] The reliability of kube-state-metrics in the garden namespace of the Seed cluster has been improved to minimize periods of unavailability for Prometheus metric collection by @petersutter [#8931]
  • [OPERATOR] The following image is updated:
    • quay.io/prometheus/prometheus: v2.47.0 -> v2.48.1 by @istvanballok [#8994]
  • [OPERATOR] kube-proxy is now running in non-privileged mode for K8s >= 1.29 Shoots. The work that needs privileged mode is extracted to an init container. See https://www.kubernetes.dev/blog/2024/01/05/kube-proxy-non-privileged/. by @shafeeqes [#9000]
  • [OPERATOR] Plutono is updated to v7.5.28.
    Vali and Valitail are updated to v2.2.13. by @nickytd [#9010]
  • [OPERATOR] nginx-ingress-controller image is updated to v1.9.5. by @shafeeqes [#8997]
  • [OPERATOR] Istio ingress gateway dashboard now always shows a graph for all istio namespaces even if no traffic was received in some of them. by @ScheererJ [#9032]
  • [OPERATOR] kube-proxy's sidecar container no longer installs its tools at runtime, but comes with its toolset pre-installed. by @ScheererJ [#9006]
  • [DEVELOPER] On startup, gardenlet now removes the resources.gardener.cloud/gardener-resource-manager finalizer from Secrets related to ManagedResources. by @Kostov6 [#8912]

[gardener/etcd-druid]

⚠️ Breaking Changes

  • [OPERATOR] EtcdWrapper has progressed from the alpha stage to the beta stage, which now allows for its default usage in etcd-druid. If you prefer to continue using the etcd-custom-image, you can disable the EtcdWrapper by adjusting the feature flag. by @ishan16696 [gardener/etcd-druid#744]

✨ New Features

  • [USER] Add support for overriding storage API endpoint for provider GCS, by adding new field storageAPIEndpoint in the GCP/GCS backup secret, with the value in the format http[s]://host[:port]/storage/v1/. ⚠️ Note: GCS storage API endpoint will not be overridden for EtcdCopyBackupsTasks, since backup buckets may reside in different regions. by @shreyas-s-rao [gardener/etcd-druid#737]

🏃 Others

  • [OPERATOR] Adds documentation for local setup of Etcd Druid by @anveshreddy18 [gardener/etcd-druid#721]
  • [OPERATOR] Documentation for the controllers of etcd-druid by @renormalize [gardener/etcd-druid#722]
  • [DEVELOPER] Upgrade to go 1.21.4 by @seshachalam-yv [gardener/etcd-druid#727]

[gardener/vpn2]

🏃 Others

  • [USER] Security improvements to the openvpn configuration. Due to a backwards-incompatible change between the vpn server and client, a short downtime is to be expected during the initial upgrade. by @dimityrmirchev [gardener/vpn2#53]

[gardener/etcd-wrapper]

🏃 Others

  • [OPERATOR] The etcd process now runs with umask set to 0077, so the files it creates have no permissions at the group and others level. by @AleksandarSavchev [gardener/etcd-wrapper#16]

Docker Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.87.0
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.87.0
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.87.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.87.0
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.87.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.87.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.87.0
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.87.0

gardener - v1.86.1

Published by gardener-robot-ci-3 9 months ago

[gardener/etcd-druid]

⚠️ Breaking Changes

  • [OPERATOR] Change OCI Image Registry from GCR (eu.gcr.io/gardener-project) to Artifact-Registry (europe-docker.pkg.dev/gardener-project/releases). Users should update their references. by @shreyas-s-rao [gardener/etcd-druid#756]

[gardener/etcd-backup-restore]

🏃 Others

  • [OPERATOR] Dynamic loading of IaaS credentials is now optimized to make use of file system information instead of calculating a hash of the credentials to detect changes. by @renormalize [gardener/etcd-backup-restore#670]
  • [OPERATOR] A regression in chunk deletion behavior for openstack provider has now been fixed. by @shreyas-s-rao [gardener/etcd-backup-restore#703]
  • [OPERATOR] Add unit tests for chunk deletion by @anveshreddy18 [gardener/etcd-backup-restore#685]
  • [USER] Add support for overriding storage API endpoint for provider GCS, by setting environment variable GOOGLE_STORAGE_API_ENDPOINT, with the value in the format http[s]://host[:port]/storage/v1/. ⚠️ Note: GCS storage API endpoint will not be overridden for copy subcommand, since backup buckets may reside in different regions. by @shreyas-s-rao [gardener/etcd-backup-restore#691]

Docker Images

  • admission-controller-linux-amd64: eu.gcr.io/gardener-project/gardener/admission-controller:v1.86.1
  • apiserver-linux-amd64: eu.gcr.io/gardener-project/gardener/apiserver:v1.86.1
  • controller-manager-linux-amd64: eu.gcr.io/gardener-project/gardener/controller-manager:v1.86.1
  • gardenlet-linux-amd64: eu.gcr.io/gardener-project/gardener/gardenlet:v1.86.1
  • node-agent-linux-amd64: eu.gcr.io/gardener-project/gardener/node-agent:v1.86.1
  • operator-linux-amd64: eu.gcr.io/gardener-project/gardener/operator:v1.86.1
  • resource-manager-linux-amd64: eu.gcr.io/gardener-project/gardener/resource-manager:v1.86.1
  • scheduler-linux-amd64: eu.gcr.io/gardener-project/gardener/scheduler:v1.86.1

gardener - v1.86.0

Published by gardener-robot-ci-1 10 months ago

[gardener/gardener]

⚠️ Breaking Changes

  • [OPERATOR] All virtual garden access Secrets have to be labeled with resources.gardener.cloud/class=shoot. Otherwise the virtual-GRM won't consider the Secrets and won't renew them. by @rfranzke [#8883]
  • [OPERATOR] The ContainerdRegistryHostsDir feature gate has been promoted to beta and is now turned on by default. by @ialidzhikov [#8873]
  • [DEVELOPER] Support for the deprecated NetworkPolicy annotations networking.resources.gardener.cloud/from-policy-allowed-ports and networking.resources.gardener.cloud/from-policy-pod-label-selector has been removed. Use networking.resources.gardener.cloud/from-<some-alias>-allowed-ports instead (documentation). by @rfranzke [#8883]

📰 Noteworthy

  • [DEVELOPER] The local Gardener environments for e2e tests running in Prow are now backed by the registry-cache extensions enabled in the Prow cluster. This should have a positive impact on the network I/O for image pulls and resulting costs. by @oliver-goetz [#8880]
  • [OPERATOR] The WorkerlessShoots has been promoted to GA and is now locked to "enabled by default". by @acumino [#8906]

✨ New Features

  • [USER] It is now possible to configure the resources encrypted in the ETCD for shoot clusters, see this document for more details. by @shafeeqes [#8842]
  • [USER] The shoots/viewerkubeconfig subresource now also restricts viewer access to resources which are specified in the spec.kubernetes.kubeAPIServer.encryptionConfig in the Shoot in addition to Secrets. by @shafeeqes [#8966]
  • [USER] It is now possible to request a kubeconfig with read-only access (all APIs except core/v1.Secret) for shoot clusters by using the new shoots/viewerkubeconfig subresource. Read all about it here. by @rfranzke [#8870]
  • [OPERATOR] The vpn-seed-server component now supports IPv4 seed clusters hosting IPv6 shoot clusters. by @DockToFuture [#8830]
  • [OPERATOR] It is now possible to configure the resources encrypted in the ETCD for the virtual garden cluster, see this document for more details. by @shafeeqes [#8842]

🐛 Bug Fixes

  • [DEPENDENCY] extension library: An issue causing the Worker restore operation to fail for hibernated Shoots is now fixed. by @ialidzhikov [#8943]
  • [OPERATOR] A bug causing the Shoot to use the wrong istio load balancer if the ExposureClass name and the exposureclass handler name are not the same is now fixed. by @shafeeqes [#8926]
  • [OPERATOR] Fixed a bug where a Shoot with an expired machine image or Kubernetes version could be created.
    For machine images: only allow updating to a higher expired machine image version for an existing worker pool
    For Kubernetes versions: do not allow creation of a worker pool with an expired K8s version, but still allow updating an existing worker pool to a higher expired version. by @danielfoehrKn [#8854]
  • [OPERATOR] gardener-node-agent's OperatingSystemConfig controller now respects the reconciliation timeout and aborts the reconciliation if it takes too long. by @rfranzke [#8907]
  • [OPERATOR] gardener-node-agent now creates temporary directories and files under /var/lib/gardener-node-agent/tmp instead of /tmp. This fixes issues during OperatingSystemConfig reconciliation which occur when /var and /tmp are backed by different file systems or devices. by @rfranzke [#8894]
  • [OPERATOR] gardener-node-agent now skips disablement and stop attempts of deleted units in case their unit files have already been cleaned up by third parties. by @rfranzke [#8898]
  • [OPERATOR] gardener-node-agent now converts the hostname to lower case to match kubelet behaviour when it maintains the kubernetes.io/hostname label on Nodes. by @rfranzke [#8902]

🏃 Others

  • [OPERATOR] gardener-node-agent now stops waiting for systemd command results if they don't respond back after 10s. by @rfranzke [#8919]
  • [OPERATOR] Add unhealthy nodes dashboard. by @adenitiu [#8869]
  • [OPERATOR] Add egressCIDRs field to the infrastructureStatus resource. This allows provider-extensions to specify a list of stable CIDRs used as source IP for traffic generated by the shoot's worker nodes. by @kon-angelo [#8888]
  • [DEVELOPER] Add support for optional SCRIPT_ROOT environment var in vgopath enabled hack scripts by @afritzler [#8935]

[gardener/vpn2]

⚠️ Breaking Changes

  • [OPERATOR] Change OCI Image Registry from GCR (eu.gcr.io/gardener-project) to Artifact-Registry (europe-docker.pkg.dev/gardener-project/releases). Users should update their references. by @ccwienk [gardener/vpn2#62]

📰 Noteworthy

  • [OPERATOR] Added IPv6 single-stack support. by @nschad [gardener/vpn2#45]
  • [OPERATOR] Add iptables backend detection to firewall script. by @axel7born [gardener/vpn2#64]

[gardener/apiserver-proxy]

📰 Noteworthy

  • [OPERATOR] Remove the optional creation of iptables rules and the flag --setup-iptables. by @axel7born [gardener/apiserver-proxy#70]

[gardener/gardener-metrics-exporter]

🏃 Others

  • [OPERATOR] Metrics are exported for pending shoots as well. by @timebertt [gardener/gardener-metrics-exporter#91]

Docker Images

  • admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.86.0
  • apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.86.0
  • controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.86.0
  • gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.86.0
  • node-agent: eu.gcr.io/gardener-project/gardener/node-agent:v1.86.0
  • operator: eu.gcr.io/gardener-project/gardener/operator:v1.86.0
  • resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.86.0
  • scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.86.0

gardener - v1.85.1

Published by gardener-robot-ci-1 10 months ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] gardener-node-agent now converts the hostname to lower case to match kubelet behaviour when it maintains the kubernetes.io/hostname label on Nodes. by @rfranzke [#8903]
  • [OPERATOR] gardener-node-agent now skips disablement and stop attempts of deleted units in case their unit files have already been cleaned up by third parties. by @rfranzke [#8900]
  • [OPERATOR] gardener-node-agent now creates temporary directories and files under /var/lib/gardener-node-agent/tmp instead of /tmp. This fixes issues during OperatingSystemConfig reconciliation which occur when /var and /tmp are backed by different file systems or devices. by @rfranzke [#8895]
  • [OPERATOR] gardener-node-agent's OperatingSystemConfig controller now respects the reconciliation timeout and aborts the reconciliation if it takes too long. by @rfranzke [#8908]
  • [DEPENDENCY] extension library: An issue causing the Worker restore operation to fail for hibernated Shoots is now fixed. by @ialidzhikov [#8949]

🏃 Others

  • [DEVELOPER] Add support for optional SCRIPT_ROOT environment var in vgopath enabled hack scripts by @afritzler [#8948]
  • [OPERATOR] gardener-node-agent now stops waiting for systemd command results if they don't respond back after 10s. by @rfranzke [#8920]

Docker Images

  • admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.85.1
  • apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.85.1
  • controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.85.1
  • gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.85.1
  • node-agent: eu.gcr.io/gardener-project/gardener/node-agent:v1.85.1
  • operator: eu.gcr.io/gardener-project/gardener/operator:v1.85.1
  • resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.85.1
  • scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.85.1

gardener - v1.84.2

Published by gardener-robot-ci-3 10 months ago

[gardener/gardener]

🐛 Bug Fixes

  • [DEPENDENCY] extension library: An issue causing the Worker restore operation to fail for hibernated Shoots is now fixed. by @ialidzhikov [#8950]

🏃 Others

  • [DEVELOPER] Add support for optional SCRIPT_ROOT environment var in vgopath enabled hack scripts by @afritzler [#8944]

Docker Images

  • admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.84.2
  • apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.84.2
  • controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.84.2
  • gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.84.2
  • node-agent: eu.gcr.io/gardener-project/gardener/node-agent:v1.84.2
  • operator: eu.gcr.io/gardener-project/gardener/operator:v1.84.2
  • resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.84.2
  • scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.84.2

gardener - v1.83.3

Published by gardener-robot-ci-1 10 months ago

[gardener/gardener]

🐛 Bug Fixes

  • [DEPENDENCY] extension library: An issue causing the Worker restore operation to fail for hibernated Shoots is now fixed. by @ialidzhikov [#8951]

Docker Images

  • admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.83.3
  • apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.83.3
  • controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.83.3
  • gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.83.3
  • node-agent: eu.gcr.io/gardener-project/gardener/node-agent:v1.83.3
  • operator: eu.gcr.io/gardener-project/gardener/operator:v1.83.3
  • resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.83.3
  • scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.83.3

gardener - v1.85.0

Published by gardener-robot-ci-2 11 months ago

[gardener/etcd-backup-restore]

📰 Noteworthy

  • [OPERATOR] Fix a restoration failure which can occur when the etcd database space is exceeded during restoration. by @ishan16696 [gardener/etcd-backup-restore#668]
  • [OPERATOR] Making etcd-backup-restore restart tolerant while scaling-up an etcd cluster. by @ishan16696 [gardener/etcd-backup-restore#661]

🏃 Others

  • [OPERATOR] Enhanced Garbage Collector to garbage collect the chunks for cloud providers like GCP and OpenStack which do not automatically delete snapshot chunks after the formation of a composite object. by @anveshreddy18 [gardener/etcd-backup-restore#673]
  • [USER] The snapshots are fetched from the actual backend store when queried for latest snapshots on /snapshot/latest endpoint. by @abdasgupta [gardener/etcd-backup-restore#675]

[gardener/gardener]

⚠️ Breaking Changes

  • [DEPENDENCY] The webhookcmd.NewAddToManagerSimpleOptions function was removed, please use webhookcmd.NewAddToManagerOptions instead. by @timuthy [#8725]
  • [DEPENDENCY] extensionswebhook.New forbids passing mutators and validators at the same time. Please use separate webhooks for validating and mutating actions if required. by @timuthy [#8725]
  • [OPERATOR] All the functionality related to the deprecated field seed.spec.secretRef has been removed and subsequently seed.spec.secretRef will be dropped from the Seed API in a later release of Gardener. Please check your Seeds and remove any usage before upgrading to this Gardener version. by @acumino [#8833]
  • [USER] With this PR, the plutono UI will be able to fetch newer logs only. The older logs, which are submitted via the tenant operator, will not be visible in the UI. To access the older logs for the standard log retention period, either set the --org-id parameter for valicli or supply the X-Scope-Org HTTP request header for curl or wget, using the port-forwarded service to the vali target. by @nickytd [#8800]

📰 Noteworthy

  • [DEVELOPER] The extension webhook registration now differentiates between mutating and validating actions and creates matching ValidatingWebhookConfiguration or MutatingWebhookConfiguration objects. Earlier, only MutatingWebhookConfigurations were created. by @timuthy [#8725]
  • [DEVELOPER] The UseGardenerNodeAgent feature gate is now enabled for the local development scenario. You can read more about gardener-node-agent here. by @rfranzke [#8847]

✨ New Features

  • [DEVELOPER] Add full single-stack IPv6 support for gardener provider-local by @nschad [#8574]
  • [DEPENDENCY] Webhook registration webhookcmd.NewAddToManagerOptions can now be used for admission controllers performing validation and mutation in the Garden cluster. This option automatically creates and maintains required {Mutating,Validating}WebhookConfiguration objects as well as comes with an automated management for CA and server certificates. by @timuthy [#8725]
  • [OPERATOR] gardenlet's Shoot care controller now garbage-collects orphaned Lease objects related to no longer existing Nodes - see this upstream issue for more details. by @rfranzke [#8817]

🐛 Bug Fixes

  • [OPERATOR] A bug has been fixed which prevented shoot reconciliations in case the old system:machine-controller-manager-seed ClusterRole was still referenced in the RoleBinding for machine-controller-manager. by @himanshu-kun [#8816]
  • [OPERATOR] A bug causing EveryNodeReady condition to be added in workerless shoot status if gardenlet of the given shoot's seed becomes unhealthy is fixed. by @gardener-ci-robot [#8889]
  • [OPERATOR] A bug in the Seed care controller has been fixed which caused the Seed to remain in NotReady state when vali was disabled in gardenlet's component config (via .logging.vali.enabled=false) while logging was enabled (.logging.enabled=true). by @rfranzke [#8840]

🏃 Others

  • [OPERATOR] Federate non-namespaced metrics, e.g. kube_node_spec_taint, kube_node_spec_unschedulable. by @adenitiu [#8850]
  • [OPERATOR] The version of Istio is updated to 1.19.3. by @axel7born [#8723]
  • [OPERATOR] Showing kubelet version and OS image version in Plutono Node/Worker Pool overview dashboard. by @tedteng [#8757]
  • [OPERATOR] The gardener-resource-manager deployment procedure was improved. Earlier, GRM was unnecessarily rolled during shoot reconciliation if worker nodes contained custom taints. by @timuthy [#8835]
  • [OPERATOR] Update vertical-pod-autoscaler to 1.0.0. This introduces the /status subresource on VPA objects. by @voelzmo [#8852]

📖 Documentation

  • [USER] Document whether an error in the shoot.status is a user error or not. by @hendrikKahl [#8758]

[gardener/etcd-druid]

📰 Noteworthy

  • [DEVELOPER] Added e2e test for compaction. by @abdasgupta [gardener/etcd-druid#723]
  • [OPERATOR] Compaction job now reconciles on Job Status changes along with the holder identity changes in snapshot leases. by @abdasgupta [gardener/etcd-druid#711]

✨ New Features

  • [DEVELOPER] Added documentation and sample configurations for simplifying Localstack setup, making it easier for developers to create a local testing environment using a Kind cluster. by @seshachalam-yv [gardener/etcd-druid#713]

🐛 Bug Fixes

  • [OPERATOR] Local storage provider for backups is now supported for snapshot compaction jobs. by @abdasgupta [gardener/etcd-druid#682]

🏃 Others

  • [OPERATOR] Update alpine image version to 3.18.4. by @shreyas-s-rao [gardener/etcd-druid#724]

📖 Documentation

  • [OPERATOR] Updated the recovery from permanent quorum loss ops guide. by @ishan16696 [gardener/etcd-druid#697]

Docker Images

  • admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.85.0
  • apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.85.0
  • controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.85.0
  • gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.85.0
  • node-agent: eu.gcr.io/gardener-project/gardener/node-agent:v1.85.0
  • operator: eu.gcr.io/gardener-project/gardener/operator:v1.85.0
  • resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.85.0
  • scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.85.0

gardener - v1.84.1

Published by gardener-robot-ci-2 11 months ago

[gardener/gardener]

🏃 Others

  • [OPERATOR] Updated alpine image to version 3.18.4. by @plkokanov [#8858]

Docker Images

  • admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.84.1
  • apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.84.1
  • controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.84.1
  • gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.84.1
  • node-agent: eu.gcr.io/gardener-project/gardener/node-agent:v1.84.1
  • operator: eu.gcr.io/gardener-project/gardener/operator:v1.84.1
  • resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.84.1
  • scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.84.1

gardener - v1.83.2

Published by gardener-robot-ci-3 11 months ago

[gardener/gardener]

🐛 Bug Fixes

  • [DEVELOPER] A bug causing the crd generation for druid.gardener.cloud group to fail in extensions is now fixed. by @shafeeqes [#8789]

🏃 Others

  • [OPERATOR] NewClientForShoot creates a client with a rest mapper using LazyDiscovery. by @acumino [#8781]

Docker Images

  • admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.83.2
  • apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.83.2
  • controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.83.2
  • gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.83.2
  • node-agent: eu.gcr.io/gardener-project/gardener/node-agent:v1.83.2
  • operator: eu.gcr.io/gardener-project/gardener/operator:v1.83.2
  • resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.83.2
  • scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.83.2

gardener - v1.84.0

Published by gardener-robot-ci-1 11 months ago

[gardener/machine-controller-manager]

🐛 Bug Fixes

  • [OPERATOR] Removes node.machine.sapcloud.io/not-managed-by-mcm annotation from nodes managed by the MCM. by @elankath [gardener/machine-controller-manager#866]

🏃 Others

  • [OPERATOR] The default machine-safety-orphan-vms-period has been reduced from 30m to 15m. by @elankath [gardener/machine-controller-manager#866]

[gardener/gardener]

⚠️ Breaking Changes

  • [DEVELOPER] New Secrets referenced in ManagedResources will no longer be patched with the label resources.gardener.cloud/garbage-collectable-reference when the ManagedResource is reconciled. Secrets which already exist in the ManagedResource specification will still be patched if necessary. by @dimityrmirchev [#8788]
  • [OPERATOR] ⚠️ The deprecated fields spec.settings.dependencyWatchdog.endpoint and spec.settings.dependencyWatchdog.probe have been removed from the Seed API. Please check your Seeds and remove any usage before upgrading to this Gardener version. by @himanshu-kun [#8747]
  • [USER] A validation rule was added that forbids changing the primary DNS provider in .spec.dns.providers as soon as the shoot was scheduled. by @timuthy [#8761]

📰 Noteworthy

  • [DEVELOPER] The Secret reconciler in gardener-resource-manager will now always remove its finalizer (if present). by @Kostov6 [#8745]
  • [DEVELOPER] Vendoring has been removed from the project, i.e., there is no vendor folder anymore. by @afritzler [#8775]

✨ New Features

  • [OPERATOR] The deltaSnapshotRetentionPeriod parameter has been introduced in the etcdConfig section of the GardenletConfiguration. This new feature allows users to configure the retention period for delta snapshots in the ETCD component. By making the delta snapshot retention period configurable, we provide a more flexible debugging experience. Delta snapshots can now be retained for a user-defined duration, offering a valuable window for reviewing changes in case of any issues. by @seshachalam-yv [#8659]
  • [OPERATOR] Enabled the node-exporter's textfile collector. It will parse files matching the *.prom glob in the /var/lib/node-exporter/textfile-collector directory and load metrics from them so that they can be scraped by prometheus. by @plkokanov [#8721]
  • [OPERATOR] Condition handling was improved for Shoots of ManagedSeeds. Earlier, when unknown conditions were removed from seeds (e.g. maintained by third-party components), the affected condition was still present in the shoot's conditions. by @timuthy [#8736]
  • [USER] The kube-controller-manager controllers are now disabled based on disabled APIs, which can be configured with spec.kubernetes.kubeAPIServer.runtimeConfig field in the Shoot API. All controllers are enabled by default for Shoot with workers. For workerless Shoots, some non-required APIs are disabled by default, which can be overridden by the above configuration. by @shafeeqes [#8763]
  • [DEVELOPER] Use ginkgolinter instead of self baked gomegacheck by @afritzler [#8769]

🐛 Bug Fixes

  • [DEVELOPER] A bug causing the crd generation for druid.gardener.cloud group to fail in extensions is now fixed. by @shafeeqes [#8789]
  • [OPERATOR] During the restore phase of control plane migration, the machine-controller-manager is deployed with 0 replicas if it did not exist before or if it existed and was not scaled up yet. This fixes an issue that could cause the Shoot's nodes to get recreated during control plane migration. by @plkokanov [#8742]

🏃 Others

  • [OPERATOR] Control plane components kube-apiserver, kube-controller-manager and kube-scheduler now run as nonroot user and group 65532. by @AleksandarSavchev [#8690]
  • [OPERATOR] The credentials (CA) rotation has been made more robust. In some cases, the Shoot reconciliation got stuck at Deploying main and events etcd when the rotation was in Preparing phase. by @timuthy [#8795]
  • [OPERATOR] Control plane components kube-apiserver, kube-controller-manager and kube-scheduler now mount key files with DefaultMode set to 416 (0640 permissions). by @AleksandarSavchev [#8790]
  • [OPERATOR] Plutono is updated to v7.5.26.
    Vali is updated to v2.2.11.
    Kube-rbac-proxy is updated to v0.15.0. by @nickytd [#8799]
  • [OPERATOR] The registry of the prometheus-operator image is switched from ghcr (ghcr.io/prometheus-operator/prometheus-config-reloader) to quay.io (quay.io/prometheus-operator/prometheus-config-reloader) because the ghcr does not support image pulls over IPv6. by @ialidzhikov [#8751]
  • [OPERATOR] gardener-apiserver and gardener-admission-controller now mount key files with DefaultMode set to 416 (0640 permissions). by @AleksandarSavchev [#8790]
  • [OPERATOR] NewClientForShoot creates a client with a rest mapper using LazyDiscovery. by @acumino [#8781]
  • [OPERATOR] Shoot control plane prometheus is now scraping kubelet volume metrics (kubelet_volume_stats_available_bytes, kubelet_volume_stats_capacity_bytes and kubelet_volume_stats_used_bytes) from the kube-system namespace. This allows Gardener extensions deploying PVCs to the Shoot's kube-system namespace (such as the registry-cache extension) to build alerting and plutono dashboard panels using these kubelet volume metrics. by @ialidzhikov [#8798]
  • [OPERATOR] Prepare shared component_descriptor script for migration from GCR to Artifact Registry. by @ccwienk [#8755]
  • [OPERATOR] Metrics exposed by cluster autoscaler are now scraped by prometheus. by @aaronfern [#8750]
  • [DEVELOPER] The component checklist is enhanced with 2 new rules for container images:
    • Do not use container images from registries that don't support IPv6 - registries such as GHCR, ECR, MCR don't support image pulls over IPv6
    • Do not use Shoot container images that are not multi-arch by @ialidzhikov [#8770]

Docker Images

  • admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.84.0
  • apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.84.0
  • controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.84.0
  • gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.84.0
  • node-agent: eu.gcr.io/gardener-project/gardener/node-agent:v1.84.0
  • operator: eu.gcr.io/gardener-project/gardener/operator:v1.84.0
  • resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.84.0
  • scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.84.0

gardener - v1.82.3

Published by gardener-robot-ci-3 11 months ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] machine-controller-manager RBAC in the Shoot cluster does now allow MCM to delete volumeattachments. MCM provider extensions vendoring machine-controller-manager >= v0.50.0 (ref https://github.com/gardener/machine-controller-manager/pull/839) need to delete volumeattachments. by @ialidzhikov [#8774]
  • [DEVELOPER] A bug causing the crd generation for druid.gardener.cloud group to fail in extensions is now fixed. by @shafeeqes [#8789]

🏃 Others

  • [OPERATOR] NewClientForShoot creates a client with a rest mapper using LazyDiscovery. by @acumino [#8781]

Docker Images

  • admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.82.3
  • apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.82.3
  • controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.82.3
  • gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.82.3
  • operator: eu.gcr.io/gardener-project/gardener/operator:v1.82.3
  • resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.82.3
  • scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.82.3

gardener - v1.81.7

Published by gardener-robot-ci-3 11 months ago

[gardener/gardener]

🐛 Bug Fixes

🏃 Others

  • [OPERATOR] NewClientForShoot creates a client with a rest mapper using LazyDiscovery. by @acumino [#8781]

Docker Images

  • admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.81.7
  • apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.81.7
  • controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.81.7
  • gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.81.7
  • operator: eu.gcr.io/gardener-project/gardener/operator:v1.81.7
  • resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.81.7
  • scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.81.7

gardener - v1.83.1

Published by gardener-robot-ci-2 12 months ago

[gardener/gardener]

🐛 Bug Fixes

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.83.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.83.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.83.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.83.1
node-agent: eu.gcr.io/gardener-project/gardener/node-agent:v1.83.1
operator: eu.gcr.io/gardener-project/gardener/operator:v1.83.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.83.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.83.1

gardener - v1.81.6

Published by gardener-robot-ci-1 12 months ago

no release notes available

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.81.6
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.81.6
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.81.6
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.81.6
operator: eu.gcr.io/gardener-project/gardener/operator:v1.81.6
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.81.6
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.81.6

gardener - v1.83.0

Published by gardener-robot-ci-1 12 months ago

[gardener/gardener]

⚠️ Breaking Changes

✨ New Features

  • [OPERATOR] CloudProfiles allow configuring update strategies {patch, minor, major} for machine images that affect update behavior during auto and force update. by @danielfoehrKn [#8275]

🐛 Bug Fixes

  • [OPERATOR] A bug has been fixed which caused ServiceAccounts related to garden access secrets for extensions to leak in the seed namespace in the garden cluster after uninstallation of said extensions. by @rfranzke [#8697]
  • [OPERATOR] A bug causing the managedseed controller to error if the controller restarts and the seed secret is already deleted is now fixed. by @shafeeqes [#8699]
  • [OPERATOR] An issue causing the etcd-backup Secret to be wrongly deleted for a Shoot cluster due to stale BackupEntry deletion from a previous Shoot creation with the same name is now fixed. by @Kostov6 [#8709]
  • [OPERATOR] An issue has been fixed that prevented setting the UnauthenticatedHTTP2DOSMitigation feature gate. by @timuthy [#8732]
  • [OPERATOR] Add memory and cpu limits (maxAllowed) to Prometheus (H)VPAs. by @rickardsjp [#8694]

🏃 Others

  • [OPERATOR] nginx-ingress-controller image is updated to v1.9.4. by @shafeeqes [#8727]
  • [OPERATOR] Partial Shoot maintenance errors are now reported as events on the Shoot and in the Shoot's LastMaintenance status. by @danielfoehrKn [#8275]
  • [OPERATOR] With this release the observability components are updated to the latest release versions. Plutono is now at v2.5.25 and Vali is now at v2.2.9. by @nickytd [#8689]
  • [OPERATOR] The .status.lastOperation in core.gardener.cloud/v1beta1.Seed and operator.gardener.cloud/v1alpha1.Garden resources is now only updated each 5s during a reconciliation. Previously, it was updated immediately when a task was finished. by @rfranzke [#8705]
  • [OPERATOR] The testmachinery tests now use AdminKubeconfig of the Shoots of ManagedSeeds to create seed client. by @shafeeqes [#8698]
  • [OPERATOR] APIServer validation allows updating to expired Kubernetes and machine image versions. by @danielfoehrKn [#8275]

[gardener/etcd-druid]

🏃 Others

  • [OPERATOR] Alpine image used in init containers is now part of the IMAGEVECTOR_OVERWRITE by @aaronfern [gardener/etcd-druid#714]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.83.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.83.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.83.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.83.0
node-agent: eu.gcr.io/gardener-project/gardener/node-agent:v1.83.0
operator: eu.gcr.io/gardener-project/gardener/operator:v1.83.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.83.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.83.0

gardener - v1.82.2

Published by gardener-robot-ci-1 12 months ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] An issue has been fixed that prevented setting the UnauthenticatedHTTP2DOSMitigation feature gate. by @timuthy [#8737]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.82.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.82.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.82.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.82.2
operator: eu.gcr.io/gardener-project/gardener/operator:v1.82.2
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.82.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.82.2

gardener - v1.81.5

Published by gardener-robot-ci-1 12 months ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] An issue has been fixed that prevented setting the UnauthenticatedHTTP2DOSMitigation feature gate. by @timuthy [#8738]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.81.5
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.81.5
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.81.5
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.81.5
operator: eu.gcr.io/gardener-project/gardener/operator:v1.81.5
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.81.5
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.81.5

gardener - v1.80.7

Published by gardener-robot-ci-2 12 months ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] An issue has been fixed that prevented setting the UnauthenticatedHTTP2DOSMitigation feature gate. by @timuthy [#8739]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.80.7
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.80.7
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.80.7
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.80.7
operator: eu.gcr.io/gardener-project/gardener/operator:v1.80.7
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.80.7
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.80.7

gardener - v1.82.1

Published by gardener-robot-ci-3 12 months ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] A bug causing the managedseed controller to error if the controller restarts and the seed secret is already deleted is now fixed. by @shafeeqes [#8699]
  • [OPERATOR] A bug has been fixed which caused ServiceAccounts related to garden access secrets for extensions to leak in the seed namespace in the garden cluster after uninstallation of said extensions. by @rfranzke [#8697]

🏃 Others

  • [OPERATOR] github.com/gardener/etcd-druid #714 @aaronfern
    Alpine image used in init containers is now part of the IMAGEVECTOR_OVERWRITE by @gardener-ci-robot [#8684]
  • [OPERATOR] The testmachinery tests now use AdminKubeconfig of the Shoots of ManagedSeeds to create seed client. by @shafeeqes [#8698]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.82.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.82.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.82.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.82.1
operator: eu.gcr.io/gardener-project/gardener/operator:v1.82.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.82.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.82.1

gardener - v1.81.4

Published by gardener-robot-ci-2 12 months ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] A bug causing the managedseed controller to error if the controller restarts and the seed secret is already deleted is now fixed. by @shafeeqes [#8699]
  • [OPERATOR] A bug has been fixed which caused ServiceAccounts related to garden access secrets for extensions to leak in the seed namespace in the garden cluster after uninstallation of said extensions. by @rfranzke [#8697]

🏃 Others

  • [OPERATOR] The testmachinery tests now use AdminKubeconfig of the Shoots of ManagedSeeds to create seed client. by @shafeeqes [#8698]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.81.4
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.81.4
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.81.4
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.81.4
operator: eu.gcr.io/gardener-project/gardener/operator:v1.81.4
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.81.4
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.81.4