gardener

Kubernetes-native system managing the full lifecycle of conformant Kubernetes clusters as a service on Alicloud, AWS, Azure, GCP, OpenStack, vSphere, KubeVirt, Hetzner, EquinixMetal, MetalStack, and OnMetal with minimal TCO.

OTHER License

Stars
2.7K
Committers
211

gardener - v1.80.6

Published by gardener-robot-ci-3 12 months ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] A bug causing the managedseed controller to error if the controller restarts and the seed secret is already deleted is now fixed. by @shafeeqes [#8699]
  • [OPERATOR] A bug has been fixed which caused ServiceAccounts related to garden access secrets for extensions to leak in the seed namespace in the garden cluster after uninstallation of said extensions. by @rfranzke [#8697]

🏃 Others

  • [OPERATOR] The testmachinery tests now use AdminKubeconfig of the Shoots of ManagedSeeds to create seed client. by @shafeeqes [#8698]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.80.6
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.80.6
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.80.6
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.80.6
operator: eu.gcr.io/gardener-project/gardener/operator:v1.80.6
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.80.6
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.80.6

gardener - v1.80.5

Published by gardener-robot-ci-1 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] An issue has been fixed which was causing a broken ControlPlaneHealthy condition report for Shoots when the MachineControllerManagerDeployment feature gate gets enabled until their next reconciliation. by @rfranzke [#8663]

🏃 Others

  • [OPERATOR] The following Golang dependencies have been updated:
    • k8s.io/* from v0.28.2 to v0.28.3
    • sigs.k8s.io/controller-runtime from v0.16.2 to v0.16.3 by @rfranzke [#8680]
  • [OPERATOR] Kubernetes feature gate UnauthenticatedHTTP2DOSMitigation is considered valid for versions >= 1.25. by @gardener-ci-robot [#8672]

Docker Images

apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.80.5
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.80.5
operator: eu.gcr.io/gardener-project/gardener/operator:v1.80.5
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.80.5
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.80.5
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.80.5
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.80.5

gardener - v1.81.3

Published by gardener-robot-ci-1 about 1 year ago

[gardener/gardener]

🏃 Others

  • [OPERATOR] Kubernetes feature gate UnauthenticatedHTTP2DOSMitigation is considered valid for versions >= 1.25. by @gardener-ci-robot [#8671]
  • [OPERATOR] The following Golang dependencies have been updated:
    • k8s.io/* from v0.28.2 to v0.28.3
    • sigs.k8s.io/controller-runtime from v0.16.2 to v0.16.3 by @rfranzke [#8681]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.81.3
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.81.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.81.3
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.81.3
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.81.3
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.81.3
operator: eu.gcr.io/gardener-project/gardener/operator:v1.81.3

gardener - v1.82.0

Published by gardener-robot-ci-2 about 1 year ago

[gardener/gardener]

⚠️ Breaking Changes

  • [DEPENDENCY] The deprecated ChartRenderer.Render and ChartApplier.{Apply,Delete} methods have been dropped. Use ChartRenderer.RenderEmbeddedFS and ChartApplier.{Apply,Delete}FromEmbeddedFS instead. by @rfranzke [#8540]
  • [DEPENDENCY] The hack/generate-crds.sh script now receives the file name prefix via the -p option (previously, the prefix was the first argument to the script). by @rfranzke [#8560]
  • [DEPENDENCY] The no longer required --gardenlet-manages-mcm option has been removed. All code in provider extensions related to management/deployment of machine-controller-manager should be removed. by @rfranzke [#8596]
  • [DEPENDENCY] The deprecated core.gardener.cloud/apiserver-exposure label and handling has been dropped. by @rfranzke [#8540]
  • [DEPENDENCY] Provider extensions must now pass the cluster.Cluster object for the garden cluster to the genericactuator.NewActuator function. See this for an example how to create such a cluster.Cluster object. by @rfranzke [#8559]
  • [OPERATOR] Before upgrading to this Gardener version, you must make sure that the Services of all registered provider extensions serving webhooks for the shoot cluster are annotated with networking.resources.gardener.cloud/from-all-webhook-targets-allowed-ports=[{"protocol":"TCP","port":<port>}], networking.resources.gardener.cloud/namespace-selectors=[{"matchLabels":{"gardener.cloud/role":"shoot"}}], and networking.resources.gardener.cloud/pod-label-selector-namespace-alias=extensions. by @rfranzke [#8540]
  • [DEVELOPER] Methods SkipIf and DoIf for TaskFn have been dropped. A new field SkipIf is introduced in Task. If set to true, the task will be skipped and will also not be reported by the progress reporter. by @acumino [#8541]

📰 Noteworthy

  • [DEVELOPER] The pkg/utils/secrets package now signs certificates with 3072 bit RSA keys. by @dimityrmirchev [#8635]
  • [DEVELOPER] During the Migrate phase of a control plane migration of a Shoot, the state is now only persisted after all extension resources have been migrated. Consequently, make sure that you have added all state to the .status.state field of the respective extension object when running Migrate(). by @rfranzke [#8559]
  • [DEVELOPER] A generate-admin-kubeconf.sh script which can be used to generate an admin kubeconfig for a local shoot cluster was added in the hack/usage directory. by @dimityrmirchev [#8636]
  • [DEVELOPER] The extensions/pkg/controller/operatingsystemconfig/oscommon package is deprecated and will be removed as soon as the UseGardenerNodeAgent feature gate has been promoted to GA. OS extension developers should start adapting to this new feature, see documentation and example based on provider-local. by @rfranzke [#8647]
  • [OPERATOR] The Worker state reconciler has been dropped, i.e., updated provider extensions will no longer populate the machine state to the .status.state field of Worker resources. For a few releases, gardenlet will no longer persist any still existing data in the .status.state field of Worker resources during a control plane migration of a Shoot, and it will set .status.state to nil after a successful reconciliation or restore operation. by @rfranzke [#8559]
  • [OPERATOR] Configure the value for the flag metrics-scrape-wait-duration for compaction controller to set a wait duration at the end of every compaction job, to allow for metrics to be scraped by a Prometheus instance. by @abdasgupta [#8607]
  • [OPERATOR] The MachineControllerManagerDeployment has been promoted to GA and is now locked to "enabled by default". Make sure that all registered provider extensions support this feature gate before upgrading to this version of Gardener. by @rfranzke [#8596]
  • [OPERATOR] The GA-ed DisableScalingClassesForShoots feature gate has been removed. by @rfranzke [#8596]
  • [OPERATOR] maxSurge for kube-apiserver and gardener-apiserver of the virtual garden cluster is set to 100%. by @oliver-goetz [#8640]
  • [OPERATOR] The kube-apiserver no longer mounts root CA bundles from the underlying host. by @dimityrmirchev [#8645]
  • [USER] Gardener now uses 3072 bit RSA keys in order to generate TLS certificates. by @dimityrmirchev [#8635]
  • [USER] nginx-ingress-controller now enables annotation validation. by @dimityrmirchev [#8644]
  • [DEPENDENCY] The MachineClassKind(), MachineClass(), and MachineClassList() methods have been dropped from the generic Worker actuator's interface and do not need to be implemented anymore. by @rfranzke [#8559]

✨ New Features

  • [OPERATOR] gardener-operator maintains the two most recent generic-token-kubeconfig secrets in the runtime-cluster. In addition the latest secret name is published to the garden resource in .metadata.annotations[generic-token-kubeconfig.secret.gardener.cloud/name]. Third-party components referring to this secret should check this annotation value after a credentials or CA rotation for the virtual-garden cluster took place. by @timuthy [#8657]
  • [OPERATOR] Feature gate APIServerFastRollout for gardenlet is introduced and enabled by default. When enabled, maxSurge for kube-apiservers of Shoots is set to 100%. by @oliver-goetz [#8640]
  • [DEVELOPER] It is now possible to annotate managed resources part of ManagedResource objects with resources.gardener.cloud/finalize-deletion-after=<duration>, e.g., resources.gardener.cloud/finalize-deletion-after=1h. After this time, gardener-resource-manager will forcefully delete the resource by removing their finalizers. by @rfranzke [#8584]
  • [DEVELOPER] Change port of ssh reverse tunnel to 443 by @axel7born [#8606]
  • [USER] Machine scale-up delay for new pods can now be configured for cluster-autoscaler via the field .spec.kubernetes.clusterAutoscaler.newPodScaleupDelay in the Shoot API. by @aaronfern [#8590]
  • [USER] Concurrent empty machines bulk deletion can now be configured for cluster-autoscaler via the field .spec.kubernetes.clusterAutoscaler.maxEmptyBulkDelete in the Shoot API. by @aaronfern [#8590]

🐛 Bug Fixes

  • [DEVELOPER] Use cgroupv2 fix for local-setup on macOS too. by @oliver-goetz [#8633]

🏃 Others

  • [DEVELOPER] Gardener base image is updated to gcr.io/distroless/static-debian12:nonroot. by @oliver-goetz [#8628]
  • [DEPENDENCY] nginx-ingress-controller image is updated to v1.9.1. by @dimityrmirchev [#8644]
  • [DEPENDENCY] The skaffold version is updated from v2.7.0 to v2.8.0. by @dimitar-kostadinov [#8634]
  • [DEPENDENCY] nginx-ingress-controller image is updated to v1.9.3. by @dimityrmirchev [#8650]
  • [OPERATOR] Kubernetes feature gate UnauthenticatedHTTP2DOSMitigation is considered valid for versions >= 1.25. by @gardener-ci-robot [#8670]
  • [OPERATOR] The regression is now fixed and the control plane logs shall be visible in the Plutono dashboards. by @nickytd [#8655]
  • [OPERATOR] The following Golang dependencies have been updated:
    • k8s.io/* from v0.28.2 to v0.28.3
    • sigs.k8s.io/controller-runtime from v0.16.2 to v0.16.3 by @gardener-ci-robot [#8677]

📖 Documentation

  • [USER] Added an example for AdminKubeconfigRequest via the Python Kubernetes client. by @Shegox [#8651]

[gardener/ext-authz-server]

✨ New Features

  • [USER] Update golang 1.20.4 -> 1.21.3 by @axel7born [gardener/ext-authz-server#23]

[gardener/apiserver-proxy]

🏃 Others

  • [OPERATOR] Remove unneeded Monitor function from iptables implementation by @axel7born [gardener/apiserver-proxy#54]
  • [OPERATOR] Update golang image in verify step to 1.21.3. by @DockToFuture [gardener/apiserver-proxy#56]

[gardener/etcd-backup-restore]

🏃 Others

  • [OPERATOR] Update alpine base image version to 3.18.4. by @shreyas-s-rao [gardener/etcd-backup-restore#666]

Docker Images

operator: eu.gcr.io/gardener-project/gardener/operator:v1.82.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.82.0
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.82.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.82.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.82.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.82.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.82.0

gardener - v1.81.2

Published by gardener-robot-ci-3 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] An issue has been fixed which was causing a broken ControlPlaneHealthy condition report for Shoots when the MachineControllerManagerDeployment feature gate gets enabled until their next reconciliation. by @rfranzke [#8664]

🏃 Others

  • [DEPENDENCY] nginx-ingress-controller image is updated to v1.9.3. by @gardener-ci-robot [#8658]

gardener - v1.81.1

Published by gardener-robot-ci-2 about 1 year ago

[gardener/gardener]

🏃 Others

  • [OPERATOR] The regression is now fixed and the control plane logs shall be visible in the Plutono dashboards. by @gardener-ci-robot [#8656]
  • [DEPENDENCY] nginx-ingress-controller image is updated to v1.9.1. by @gardener-ci-robot [#8652]

Docker Images

operator: eu.gcr.io/gardener-project/gardener/operator:v1.81.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.81.1
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.81.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.81.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.81.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.81.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.81.1

gardener - v1.79.3

Published by gardener-robot-ci-1 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] Fixed a possibility for the migrate phase of control plane migration to become permanently stuck if the shoot was created when the MachineControllerManagerDeployment feature gate is disabled, control plane migration is triggered for the shoot and the feature gate is enabled during the migration phase. by @gardener-ci-robot [#8571]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.79.3
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.79.3
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.79.3
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.79.3
operator: eu.gcr.io/gardener-project/gardener/operator:v1.79.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.79.3
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.79.3

gardener - v1.80.4

Published by gardener-robot-ci-2 about 1 year ago

no release notes available

gardener - v1.78.5

Published by gardener-robot-ci-2 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] Fixed a possibility for the migrate phase of control plane migration to become permanently stuck if the shoot was created when the MachineControllerManagerDeployment feature gate is disabled, control plane migration is triggered for the shoot and the feature gate is enabled during the migration phase. by @gardener-ci-robot [#8572]

gardener - v1.81.0

Published by gardener-robot-ci-1 about 1 year ago

[gardener/etcd-druid]

⚠️ Breaking Changes

  • [USER] Update etcd-custom-image to v3.4.26-2. by @shreyas-s-rao [gardener/etcd-druid#656]
  • [OPERATOR] Etcd druid will now not support policy/v1beta1 for PodDisruptionBudgets and will only use policy/v1 for PodDisruptionBudgets by @aaronfern [gardener/etcd-druid#681]

📰 Noteworthy

  • [OPERATOR] custodian-sync-period value is set to 15s in the Helm chart for etcd-druid. by @shreyas-s-rao [gardener/etcd-druid#688]
  • [OPERATOR] Add new flag metrics-scrape-wait-duration for compaction controller to set a wait duration at the end of every compaction job, to allow for metrics to be scraped by a Prometheus instance. by @abdasgupta [gardener/etcd-druid#686]
  • [OPERATOR] Etcd snapshot compaction jobs will now be named <etcd-name>-compactor for better readability for human operators. by @abdasgupta [gardener/etcd-druid#672]

✨ New Features

  • [OPERATOR] Introduce Spec.Backup.DeltaSnapshotRetentionPeriod in the Etcd resource to allow configuring retention period for delta snapshots. by @seshachalam-yv [gardener/etcd-druid#651]
  • [DEVELOPER] Add support for Local provider for e2e tests. by @shreyas-s-rao [gardener/etcd-druid#668]

🐛 Bug Fixes

  • [OPERATOR] A bug causing incorrect volume mount path for Etcds and EtcdCopyBackupsTasks using Local snapshot storage provider while using distroless etcd-backup-restore image v0.25.x has been resolved. by @aaronfern [gardener/etcd-druid#662]
  • [OPERATOR] Custodian controller no longer watches leases owned by the etcd resources, thus reducing frequency of etcd status updates and now honouring custodian-sync-period value. by @shreyas-s-rao [gardener/etcd-druid#688]
  • [OPERATOR] Resolved an issue where the Custodian Controller was not updating the Replicas field in the etcd status to reflect the CurrentReplicas from the StatefulSet status. This fix ensures consistent behavior with the etcd Controller in Druid. by @seshachalam-yv [gardener/etcd-druid#701]
  • [OPERATOR] A bug causing EtcdCopyBackupsTask jobs to fail to create temp snapshot directory while using distroless etcd-backup-restore image v0.25.x has been resolved. by @aaronfern [gardener/etcd-druid#662]

🏃 Others

  • [OPERATOR] Upgraded etcd-backup-restore from v0.24.3 to v0.24.6 for etcd-custom-image, and from v0.25.1 to v0.26.0 for etcd-wrapper by @gardener-robot-ci-3 [gardener/etcd-druid#687]
  • [OPERATOR] All default images are now present in images.yaml by @aaronfern [gardener/etcd-druid#673]

📖 Documentation

  • [DEVELOPER] Introduce DEPs (Druid Enhancement Proposals) for proposing large design changes in etcd-druid. by @shreyas-s-rao [gardener/etcd-druid#659]
  • [OPERATOR] Introduce DEP-04 EtcdMember Custom Resource. by @shreyas-s-rao [gardener/etcd-druid#658]

[gardener/etcd-backup-restore]

📰 Noteworthy

  • [USER] Introduce flag metrics-scrape-wait-duration to etcdbrctl compact command, that specifies a wait duration at the end of a snapshot compaction, to allow Prometheus to scrape metrics related to compaction before the etcdbrctl process exits. by @abdasgupta [gardener/etcd-backup-restore#667]
  • [OPERATOR] Etcd-backup-restore now uses the user home directory to create files. by @aaronfern [gardener/etcd-backup-restore#637]
  • [OPERATOR] Etcd-backup-restore now uses a distroless image as its base image. It is no longer compatible with etcd-custom-image, and must be used with etcd-wrapper instead. by @aaronfern [gardener/etcd-backup-restore#637]

🏃 Others

  • [OPERATOR] Upgraded Ginkgo v1 to v2 and updated other dependencies by @seshachalam-yv [gardener/etcd-backup-restore#647]
  • [OPERATOR] While scaling up a non-HA etcd cluster to HA, the scale-up checks are skipped for the first member of the etcd cluster, as the first member can never be a part of scale-up scenarios. by @ishan16696 [gardener/etcd-backup-restore#649]
  • [OPERATOR] Bump alpine base version for Docker build to 3.18.2. by @shreyas-s-rao [gardener/etcd-backup-restore#638]
  • [OPERATOR] Backup-restore waits for its etcd to be ready before attempting to update peerUrl by @aaronfern [gardener/etcd-backup-restore#628]
  • [OPERATOR] Introduced delta-snapshot-retention-period CLI flag to extend the configurable retention period for delta snapshots in etcd-backup-restore, enhancing flexibility for backup retention. by @seshachalam-yv [gardener/etcd-backup-restore#640]
  • [OPERATOR] Revendors the bbolt from v1.3.6 to v1.3.7 by @ishan16696 [gardener/etcd-backup-restore#659]
  • [DEVELOPER] Add CVE categorization for etcd-backup-restore. by @shreyas-s-rao [gardener/etcd-backup-restore#644]

[gardener/machine-controller-manager]

🐛 Bug Fixes

  • [OPERATOR] Force drain and delete volume attachments for nodes un-healthy due to ReadOnlyFileSystem and NotReady for too long by @elankath [gardener/machine-controller-manager#839]
  • [OPERATOR] Included UnavailableReplicas in determining if a machine deployment status update is needed by @rishabh-11 [gardener/machine-controller-manager#833]
  • [OPERATOR] An issue causing nil pointer panic on scaleup of the machinedeployment along with trigger of rolling update, is fixed by @acumino [gardener/machine-controller-manager#814]
  • [USER] An edge case where outdated DesiredReplicas annotation blocked a rolling update is fixed. by @rishabh-11 [gardener/machine-controller-manager#821]

🏃 Others

  • [DEVELOPER] status.Status now captures the underlying cause, allowing consumers to introspect the error returned by the provider. The WrapError() function could be used to wrap the provider error. by @unmarshall [gardener/machine-controller-manager#842]
  • [DEVELOPER] A new make target is introduced to add license headers. by @unmarshall [gardener/machine-controller-manager#845]
  • [DEVELOPER] Bump k8s.io/* deps to v0.27.2 by @afritzler [gardener/machine-controller-manager#820]
  • [DEVELOPER] Removed dead metrics code and refactored the remaining metrics code by @himanshu-kun [gardener/machine-controller-manager#823]
  • [OPERATOR] New metrics introduced:
    • api_request_duration_seconds -> tracks time taken for successful invocation of provider APIs. This metric can be filtered by provider and service.
    • driver_request_duration_seconds -> tracks total time taken to successfully complete driver method invocation. This metric can be filtered by provider and operation.
    • driver_requests_failed_total -> records total number of failed driver API requests. This metric can be filtered by provider, operations and error_code. by @unmarshall [gardener/machine-controller-manager#842]
  • [OPERATOR] Updated to go v1.20.5 by @rishabh-11 [gardener/machine-controller-manager#827]
  • [OPERATOR] Added a new metric that will allow to get the number of stale (due to unhealthiness) machines that are getting terminated by @jguipi [gardener/machine-controller-manager#808]
  • [OPERATOR] Added errorCode field in the LastOperation struct. This should be implemented only for the CreateMachine call in the triggerCreationFlow. This field will be utilized by Cluster autoscaler to do early backoff by @rishabh-11 [gardener/machine-controller-manager#851]
  • [OPERATOR] Makefile targets have changed: Introduced gardener-setup, gardener-restore, gardener-local-mcm-up, non-gardener-setup, non-gardener-restore, non-gardener-local-mcm-up. Users can also directly use the scripts which are used by these makefile targets. by @unmarshall [gardener/machine-controller-manager#852]

[gardener/gardener]

⚠️ Breaking Changes

  • [DEPENDENCY] Extensions have to implement the ForceDelete function in the actuator with the logic of forcefully deleting all the resources deployed by them. by @shafeeqes [#8414]
  • [DEPENDENCY] The extensions/pkg/controller.Use{TokenRequestor,ServiceAccountTokenVolumeProjection} functions have been removed since they always return true. by @rfranzke [#8582]
  • [OPERATOR] ⚠️ Gardener no longer supports garden, seed, or shoot clusters with Kubernetes versions < 1.24. Make sure to upgrade all existing clusters before upgrading to this Gardener version. by @shafeeqes [#8487]
  • [DEVELOPER] The pkg/utils/gardener.IntStrPtrFromInt function has been renamed to IntStrPtrFromInt32 since intstr.FromInt is deprecated. by @rfranzke [#8579]
  • [USER] The alpha.kube-apiserver.scaling.shoot.gardener.cloud/class annotation on Shoots has no effect anymore and should be removed. by @rfranzke [#8526]

📰 Noteworthy

  • [USER] The two additional labels worker.gardener.cloud/image-name and worker.gardener.cloud/image-version that were previously introduced and attached to worker nodes are removed again to fix a regression that causes the kubelet to restart on nodes that are due to be upgraded to a new OS but not rolled yet which causes their Pods to become temporarily unready. by @MrBatschner [#8524]
  • [OPERATOR] The MachineControllerManagerDeployment has been promoted to beta and is now enabled by default. Make sure that all registered provider extensions support this feature gate before upgrading to this version of Gardener. by @rfranzke [#8526]
  • [OPERATOR] The DisableScalingClassesForShoots feature gate has been promoted to GA (and is now always enabled). by @rfranzke [#8526]

✨ New Features

  • [USER] The gardener-scheduler now populates scheduling failure reasons to the Shoot's .status.lastOperation.description field. by @rfranzke [#8527]
  • [USER] When the ShootForceDeletion featuregate in the apiserver is turned on, users will be able to force-delete the Shoot. You MUST ensure that all the resources created in the IaaS account are cleaned up to prevent orphaned resources. Gardener will NOT delete any resources in the Shoot cloud-provider account. See Shoot Force Deletion for more details. by @shafeeqes [#8414]
  • [USER] Multiple expanders for cluster-autoscaler can now be specified in the Shoot API via the .spec.kubernetes.clusterAutoscaler.expander field. by @aaronfern [#8573]

🐛 Bug Fixes

  • [OPERATOR] Fixed a possibility for the migrate phase of control plane migration to become permanently stuck if the shoot was created when the MachineControllerManagerDeployment feature gate is disabled, control plane migration is triggered for the shoot and the feature gate is enabled during the migration phase. by @plkokanov [#8568]
  • [USER] Fix an issue, where DNS lookups for non-existing pods of a StatefulSet yielded one of the existing pods even when it should not have. by @axel7born [#8544]
  • [USER] A bug has been fixed that prevented users without permissions to list CustomResourceDefinitions from interacting with the Gardener APIs when using a kubectl version lower than 1.27. by @rfranzke [#8577]
  • [USER] A bug causing unnecessary reorder of extension in Shoot spec.extensions is fixed. by @acumino [#8569]

🏃 Others

  • [OPERATOR] The shoot namespace in seeds is redeployed during the shoot migration flow to update the zones in use. by @plkokanov [#8564]
  • [OPERATOR] nginx-ingress-controller image is updated to v1.9.0. by @shafeeqes [#8558]
  • [OPERATOR] Add an alert for VPNHAShootNoPods when shoot in HA (high availability) mode. by @tedteng [#8506]
  • [USER] Gardener refined the scope of the problematic webhook matcher for endpoint objects. Earlier, shoot clusters were assigned a constraint reporting a problem with a failurePolicy: Fail webhook acting on these objects. Now, only endpoints in the kube-system and defaults namespaces are considered for this check. by @acumino [#8521]

[gardener/autoscaler]

✨ New Features

  • [DEVELOPER] unit tests framework introduced to test implemented methods of Cloudprovider and Nodegroup interface by @rishabh-11 [gardener/autoscaler#215]
  • [USER] Gardener autoscaler now backs off early from a node-group (i.e. machinedeployment) in case of ResourceExhausted error. Refer to the docs at https://github.com/gardener/autoscaler/blob/machine-controller-manager-provider/cluster-autoscaler/FAQ.md#when-does-autoscaler-backs-off-early-from-a-node-group for details. by @himanshu-kun [gardener/autoscaler#253]

🐛 Bug Fixes

  • [OPERATOR] A bug where MCM removed a machine other than the one CA wanted is resolved. by @rishabh-11 [gardener/autoscaler#215]

🏃 Others

  • [OPERATOR] Initial implementation for Refresh() method of CloudProvider interface done by @rishabh-11 [gardener/autoscaler#215]
  • [OPERATOR] machinepriority.machine.sapcloud.io annotation on machine is now reset to 3 by autoscaler if the corresponding node doesn't have ToBeDeletedByClusterAutoscaler taint by @rishabh-11 [gardener/autoscaler#215]

[gardener/etcd-custom-image]

📰 Noteworthy

  • [OPERATOR] Update alpine base image version to 3.18.3. by @shreyas-s-rao [gardener/etcd-custom-image#40]

Docker Images

operator: eu.gcr.io/gardener-project/gardener/operator:v1.81.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.81.0
admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.81.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.81.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.81.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.81.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.81.0

gardener - v1.80.3

Published by gardener-robot-ci-3 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [USER] A bug has been fixed that prevented users without permissions to list CustomResourceDefinitions from interacting with the Gardener APIs when using a kubectl version lower than 1.27. by @gardener-ci-robot [#8580]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.80.3
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.80.3
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.80.3
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.80.3
operator: eu.gcr.io/gardener-project/gardener/operator:v1.80.3
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.80.3
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.80.3

gardener - v1.80.2

Published by gardener-robot-ci-1 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [USER] A bug causing unnecessary reorder of extension in Shoot spec.extensions is fixed. by @gardener-ci-robot [#8575]
  • [OPERATOR] Fixed a possibility for the migrate phase of control plane migration to become permanently stuck if the shoot was created when the MachineControllerManagerDeployment feature gate is disabled, control plane migration is triggered for the shoot and the feature gate is enabled during the migration phase. by @gardener-ci-robot [#8570]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.80.2
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.80.2
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.80.2
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.80.2
operator: eu.gcr.io/gardener-project/gardener/operator:v1.80.2
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.80.2
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.80.2

gardener - v1.79.2

Published by gardener-robot-ci-3 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] An issue causing several tasks from the Shoot reconciliation flow to fail with transient errors of type duplicate filename in registry is now fixed. by @gardener-ci-robot [#8555]
  • [USER] The two additional labels worker.gardener.cloud/image-name and worker.gardener.cloud/image-version that were previously introduced and attached to worker nodes are removed again to fix a regression that causes the kubelet to restart on nodes that are due to be upgraded to a new OS but not rolled yet which causes their Pods to become temporarily unready. by @gardener-ci-robot [#8552]

🏃 Others

  • [OPERATOR] extension library: State update for a Worker object can be now skipped by annotating it with worker.gardener.cloud/skip-state-update=true. by @gardener-ci-robot [#8492]

gardener - v1.78.4

Published by gardener-robot-ci-1 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] An issue causing several tasks from the Shoot reconciliation flow to fail with transient errors of type duplicate filename in registry is now fixed. by @gardener-ci-robot [#8556]
  • [USER] The two additional labels worker.gardener.cloud/image-name and worker.gardener.cloud/image-version that were previously introduced and attached to worker nodes are removed again to fix a regression that causes the kubelet to restart on nodes that are due to be upgraded to a new OS but not rolled yet which causes their Pods to become temporarily unready. by @gardener-ci-robot [#8553]

🏃 Others

  • [OPERATOR] extension library: State update for a Worker object can be now skipped by annotating it with worker.gardener.cloud/skip-state-update=true. by @gardener-ci-robot [#8493]

gardener - v1.77.6

Published by gardener-robot-ci-1 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] An issue causing several tasks from the Shoot reconciliation flow to fail with transient errors of type "duplicate filename in registry" is now fixed. by @gardener-ci-robot [#8557]

gardener - v1.80.1

Published by gardener-robot-ci-1 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [USER] The two additional labels worker.gardener.cloud/image-name and worker.gardener.cloud/image-version that were previously introduced and attached to worker nodes are removed again to fix a regression that causes the kubelet to restart on nodes that are due to be upgraded to a new OS but not rolled yet, which causes their Pods to become temporarily unready. by @gardener-ci-robot [#8551]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.80.1
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.80.1
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.80.1
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.80.1
operator: eu.gcr.io/gardener-project/gardener/operator:v1.80.1
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.80.1
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.80.1

gardener - v1.77.5

Published by gardener-robot-ci-2 about 1 year ago

[gardener/gardener]

🏃 Others

  • [OPERATOR] extension library: State update for a Worker object can now be skipped by annotating it with worker.gardener.cloud/skip-state-update=true. by @gardener-ci-robot [#8494]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.77.5
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.77.5
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.77.5
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.77.5
operator: eu.gcr.io/gardener-project/gardener/operator:v1.77.5
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.77.5
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.77.5

gardener - v1.80.0

Published by gardener-robot-ci-1 about 1 year ago

[gardener/gardener]

⚠️ Breaking Changes

  • [DEVELOPER] If the kubeletCSRApprover controller is enabled, it is now mandatory to specify the namespace in the source cluster in which the Machine resources reside via .controllers.kubeletCSRApprover.machineNamespace. by @rfranzke [#8483]
  • [DEVELOPER] The leader-election-resource-lock flag is dropped and the leader-election resource lock is hard-coded to leases. by @acumino [#8464]
  • [DEVELOPER] The .{source,target}ClientConnection.namespace field has been renamed to namespaces and now takes a list of namespaces. The .targetClientConnection.disableCachedClient field has been removed. by @rfranzke [#8483]
  • [OPERATOR] It is no longer possible to configure .spec.virtualCluster.kubernetes.kubeAPIServer.authorization in the Garden API. by @rfranzke [#8309]
  • [OPERATOR] The deprecated .spec.virtualCluster.dns.domain field has been dropped from the Garden API. Make use of .spec.virtualCluster.dns.domains. by @rfranzke [#8434]

📰 Noteworthy

  • [OPERATOR] gardener-resource-manager now disables the cache only for Secrets and ConfigMaps if DisableCachedClient is set to true. by @acumino [#8474]
  • [OPERATOR] The following golang dependencies have been upgraded. Please consult the upstream release notes and this issue for guidance on upgrading your golang dependencies when vendoring this gardener version:
    • k8s.io/* to v0.28.2
    • sigs.k8s.io/controller-runtime to v0.16.2
    • sigs.k8s.io/controller-tools to v0.13.0 by @acumino [#8464]
  • [OPERATOR] The target cache for gardener-resource-manager is now unconditionally enabled, leading to faster reconciliations and less network I/O. by @rfranzke [#8483]
  • [USER] Gardener now reports nodes for which the checksum/cloud-config-data hasn't been populated yet. This could point towards an error on the node and that not all Gardener related configuration happened successfully. by @timuthy [#8448]

✨ New Features

  • [OPERATOR] gardener-operator now runs a new controller which protects Secrets and ConfigMaps with a finalizer in case they are referenced in Garden resources. by @rfranzke [#8439]
  • [OPERATOR] It is now possible to trigger gardenlet kubeconfig renewal for unmanaged Seeds by annotating them with gardener.cloud/operation=renew-kubeconfig. This was already supported for ManagedSeeds only. by @oliver-goetz [#8396]
  • [OPERATOR] The ResourcesProgressing condition appearing in the status of ManagedResources now checks for non-terminated Pods before reporting status=False. by @rfranzke [#8515]
  • [OPERATOR] gardener-operator is now managing the Gardener control plane components (gardener-{apiserver,admission-controller,controller-manager,scheduler}). by @rfranzke [#8309]
  • [OPERATOR] gardener-operator now renews garden access secrets and the gardenlet kubeconfig on all Seeds during CA/service account signing key credentials rotation. by @oliver-goetz [#8396]
  • [OPERATOR] gardener-operator now takes over management of gardener-metrics-exporter. by @acumino [#8419]
  • [OPERATOR] Gardener can now support clusters with Kubernetes version 1.28. In order to allow creation/update of 1.28 clusters you will have to update the version of your provider extension(s) to a version that supports 1.28 as well. Please consult the respective releases and notes in the provider extension's repository. by @oliver-goetz [#8479]
  • [OPERATOR] It is now possible to configure .spec.virtualCluster.gardener.gardenerAPIServer.auditWebhook in the Garden API. by @rfranzke [#8309]
  • [OPERATOR] gardener-operator now refuses to start if operators attempt to downgrade or skip minor Gardener versions. Please see this document for more information. by @rfranzke [#8413]
  • [DEVELOPER] Gardener can now support clusters with Kubernetes version 1.28. Extension developers have to prepare individual extensions as well to work with 1.28. by @oliver-goetz [#8479]
  • [DEVELOPER] The plutono dashboards are now verified as part of make check. by @Sallyan [#8401]

🐛 Bug Fixes

  • [OPERATOR] A bug has been fixed that prevented ControllerInstallations from getting deleted when the backing ControllerRegistration with .spec.deployment.policy={Always,AlwaysExceptNoShoots} was deleted. by @rfranzke [#8443]
  • [OPERATOR] Several default settings of Kubernetes feature gates have been corrected. by @oliver-goetz [#8427]
  • [OPERATOR] An issue causing several tasks from the Shoot reconciliation flow to fail with transient errors of type "duplicate filename in registry" is now fixed. by @ialidzhikov [#8478]
  • [OPERATOR] A bug was fixed which was causing existing Bastion resources on the garden cluster to not be deleted when SSHAccess is disabled on a Shoot cluster. by @AleksandarSavchev [#8421]
  • [OPERATOR] The .spec.kubernetes.kubeAPIServer.serviceAccountConfig.acceptedIssuers field of the Shoot spec no longer allows duplicate values. by @dimitar-kostadinov [#8466]
  • [USER] A bug has been fixed which was allowing users to specify an extension of the same type in .spec.extensions[].type more than once in the Shoot API. by @acumino [#8457]
  • [USER] Applying Gardener resources server-side has caused the "the server is currently unable to handle the request" error, which is now fixed. by @oliver-goetz [#8468]

🏃 Others

  • [OPERATOR] The Plutono version has been updated from v7.5.23 to v7.5.24. by @istvanballok [#8475]
  • [OPERATOR] The node-local-dns ConfigMap now has a label k8s-app=node-local-dns for identifying it. by @ScheererJ [#8505]
  • [OPERATOR] The following image is updated:
    • quay.io/prometheus/prometheus: v2.43.1 -> v2.47.0 by @istvanballok [#8486]
  • [OPERATOR] extension library: State update for a Worker object can now be skipped by annotating it with worker.gardener.cloud/skip-state-update=true. by @ialidzhikov [#8482]
  • [OPERATOR] The logging components: vali and valitail are now updated to v2.2.8. by @nickytd [#8458]
  • [USER] It is possible to delete a Shoot even if the shoot.gardener.cloud/ignore annotation is set to true. by @shafeeqes [#8432]

[gardener/ingress-default-backend]

🏃 Others

  • [OPERATOR] Update base image of ingress-default-backend to alpine:3.18.3 by @ScheererJ [gardener/ingress-default-backend#27]

Docker Images

admission-controller: eu.gcr.io/gardener-project/gardener/admission-controller:v1.80.0
apiserver: eu.gcr.io/gardener-project/gardener/apiserver:v1.80.0
controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:v1.80.0
scheduler: eu.gcr.io/gardener-project/gardener/scheduler:v1.80.0
operator: eu.gcr.io/gardener-project/gardener/operator:v1.80.0
gardenlet: eu.gcr.io/gardener-project/gardener/gardenlet:v1.80.0
resource-manager: eu.gcr.io/gardener-project/gardener/resource-manager:v1.80.0

gardener - v1.77.4

Published by gardener-robot-ci-3 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] A bug has been fixed that prevented ControllerInstallations from getting deleted when the backing ControllerRegistration with .spec.deployment.policy={Always,AlwaysExceptNoShoots} was deleted. by @rfranzke [#8455]
  • [OPERATOR] Several default settings of Kubernetes feature gates have been corrected. by @gardener-ci-robot [#8471]

gardener - v1.78.3

Published by gardener-robot-ci-1 about 1 year ago

[gardener/gardener]

🐛 Bug Fixes

  • [OPERATOR] A bug has been fixed that prevented ControllerInstallations from getting deleted when the backing ControllerRegistration with .spec.deployment.policy={Always,AlwaysExceptNoShoots} was deleted. by @gardener-ci-robot [#8452]
  • [OPERATOR] Several default settings of Kubernetes feature gates have been corrected. by @gardener-ci-robot [#8470]