3.14.0

[garden-setup]

✨ New Features

• [OPERATOR] Upgrade Gardener to v1.28.0 (#580, @Diaphteiros)
• [OPERATOR] Update default kubernetes versions in cloudprofile (#580, @Diaphteiros)

📖 Documentation

• [USER] Improve IAAS CIDR documentation (#578, @christianhuening)

🏃 Others

• [OPERATOR] Upgrade Gardener extension shoot-cert-service to v1.17.0 (#580, @Diaphteiros)
• [OPERATOR] Upgrade Gardener dns-controller-manager to v0.10.4 (#580, @Diaphteiros)
• [OPERATOR] Upgrade Gardener extension shoot-dns-service to v1.14.0 (#580, @Diaphteiros)
• [OPERATOR] Upgrade Gardener terminal-controller-manager to v0.17.0 (#580, @Diaphteiros)
• [OPERATOR] Upgrade Gardener extension os-suse-chost to v1.12.0 (#580, @Diaphteiros)
• [OPERATOR] Upgrade Gardener extension networking-calico to v1.19.0 (#580, @Diaphteiros)
• [OPERATOR] Upgrade Gardener extension os-ubuntu to v1.13.0 (#580, @Diaphteiros)
• [OPERATOR] Upgrade Gardener extension provider-openstack to v1.20.0 (#580, @Diaphteiros)
• [OPERATOR] Upgrade Gardener extension provider-aws to v1.27.0 (#580, @Diaphteiros)
• [OPERATOR] Upgrade Gardener extension provider-azure to v1.21.0 (#580, @Diaphteiros)

[autoscaler]

🐛 Bug Fixes

• [USER] Avoids panics when VM type isn't found during scale from zero (gardener/autoscaler#81, @ialidzhikov)
• [USER] Fetches the VM from the correct map for MCM provider Azure and hence doesn't panic anymore (gardener/autoscaler#81, @ialidzhikov)

[external-dns-management]

📖 Documentation

• [OPERATOR] Credentials documentation for providers azure-dns, alicloud-dns and openstack-designate (gardener/external-dns-management#190, @MartinWeindel)

🏃 Others

• [USER] openstack-designate: support authentication with application credentials as alternative to username/password (gardener/external-dns-management#195, @MartinWeindel)
• [OPERATOR] using both configmaps and leases for leader election (gardener/external-dns-management#196, @MartinWeindel)
• [OPERATOR] Deploying DNSHostedZonePolicy resources as specified in providerConfig.values.hostedZonePolicies of the ControllerDeployment resource (gardener/external-dns-management#194, @MartinWeindel)
• [OPERATOR] Added DNSHostedZonePolicy resource to set zone specific zone state cache TTL (gardener/external-dns-management#191, @MartinWeindel)

[gardener]

⚠️ Breaking Changes

• [USER] Shoot addons are now only allowed on evaluation shoots if the Kubernetes version is >= 1.22. (gardener/gardener#4213, @stoyanr)
• [OPERATOR] Gardener now requires seed clusters to run at least Kubernetes version 1.18. Please update your seed clusters if necessary before updating to this Gardener version. Older Kubernetes releases will not be supported any more. Please note, the version support for shoot clusters is not affected by this change. (gardener/gardener#4426, @timuthy)
• [OPERATOR] Gardenlet does not support seedSelectors anymore; configure an explicit seedConfig in the GardenletConfiguration instead (gardener/gardener#4306, @xrstf)
• [OPERATOR] The obsolete fields SchedulerConfiguration.schedulers.*.retrySyncPeriod have been removed. (gardener/gardener#4285, @timebertt)
• [OPERATOR] Gardenlet feature gate NodeLocalDNS was removed and replaced by a shoot specific annotation. (gardener/gardener#4249, @ScheererJ)
• [OPERATOR] The KonnectivityTunnel feature gate in gardenlet has been dropped and removed from the code. If you upgrade to this Gardener version make sure that the feature gate is disabled and that all shoots were reconciled after you disabled it. (gardener/gardener#4247, @rfranzke)
• [DEVELOPER] make start-gardenlet does not use seedSelector anymore, making the dev gardenlet single-seed only. If you have multiple Seeds in your local setup, you can specify the seed to act on via the SEED_NAME make variable (e.g. make start-gardenlet SEED_NAME=local-foo). (gardener/gardener#4270, @xrstf)
• [DEVELOPER] The already deprecated DirectClient has been removed from the codebase entirely. (gardener/gardener#4225, @timebertt)

✨ New Features

• [USER] It's now possible to configure the imageGC{High,Low}ThresholdPercent fields for the kubelet configuration (defaults: 50 for the high threshold, 40 for the low threshold) in the Shoot API via .spec.{provider.workers[].}kubernetes.kubelet.imageGC{High,Low}ThresholdPercent. (gardener/gardener#4282, @rfranzke)
• [USER] Makes it possible to disable deploying kube-proxy for newly created clusters. Depending on the used networking extension switching off kube-proxy might not be supported yet. Please consult the respective documentation of the used networking extension before disabling kube-proxy. (gardener/gardener#4260, @ScheererJ)
• [USER] Shoot clusters can now reference an ExposureClass to expose their control plane in various network environments via the .spec.exposureClassName. Find more information in this document. (gardener/gardener#4244, @dkistner)
• [USER] Do not trigger a node rollout when switching from CRI.Name==nil to CRI.Name==docker. (gardener/gardener#4237, @voelzmo)
• [USER] Shoots created with or updated to Kubernetes version >= 1.22 will get containerd as default container runtime. If you upgrade an existing shoot which doesn't specify a cri.name property in its worker pools, this will trigger a graceful node rollout and the container runtime is switched from docker to containerd. (gardener/gardener#4222, @voelzmo)
• [USER] It's now possible to override the grace periods for the cleanup steps in the shoot deletion by specifying the following annotations on the Shoot: (gardener/gardener#4212, @rfranzke)
  • shoot.gardener.cloud/cleanup-webhooks-finalize-grace-period-seconds (default behaviour: "300")
  • shoot.gardener.cloud/cleanup-extended-apis-finalize-grace-period-seconds (default behaviour: "3600")
  • shoot.gardener.cloud/cleanup-kubernetes-resources-finalize-grace-period-seconds (default behaviour: "300")
  • shoot.gardener.cloud/cleanup-namespaces-finalize-grace-period-seconds (default behaviour: "300")
  • If "0" is provided then all resources are finalized immediately without waiting for any graceful deletion. Please be aware that this might lead to orphaned infrastructure artefacts.
• [OPERATOR] Gardener API server now has a feature gate DisallowKubeconfigRotationForShootInDeletion , disabled by default, that disallows kubeconfig rotation to be requested for shoot cluster in deletion. (gardener/gardener#4379, @vpnachev)
• [OPERATOR] Similar to the NodeAuthorizer and NodeRestriction features in Kubernetes (preventing kubelets from accessing resources which aren't associated with their responsible Nodes), Gardener does now have a SeedAuthorizer and SeedRestriction feature (preventing gardenlets from accessing resources which aren't associated with their Seeds). If you want to enable it for your landscapes then please consult this document. (gardener/gardener#4326, @rfranzke)
• [OPERATOR] The external ip attached to the load balancer service belonging to a Seed ingress gateway can now be defined in the configuration for the Gardenlet. This is possible for the default ingress gateway and for the ExposureClass handler ingress gateways. For ExposureClass handler ingress gateways this will only work in combination with the APIServerSNI feature flag (default). (gardener/gardener#4319, @dkistner)
• [OPERATOR] Shoot clusters can now use ExposureClasses to expose the control plane in various network environments. The Gardenlet needs to realize the exposure strategy and is therefore required to have the ExposureClass handler configuration in its own config. This can be maintained in the .exposureClassHandlers list of the Gardenlet configuration. Find more information in this document. (gardener/gardener#4244, @dkistner)
• [OPERATOR] A new ProjectValidator admission plugin has been added (enabled by default). It prevents creating Projects with non-empty .spec.namespace fields if the value in .spec.namespace does not start with garden-. Please note that this admission plugin will be removed in a future release again in favor of the static validation in the gardener-apiserver. (gardener/gardener#4228, @rfranzke)
• [OPERATOR] Shoot SSH Keys are regularly rotated, with both the current and previous key being deployed onto each shoot node. (gardener/gardener#4224, @xrstf)
• [OPERATOR] Allow explicit configuration of docker as a container runtime (.spec.provider.workers[].cri.name field in Shoots) for backwards compatibility. Select this only if your workload doesn't run nicely with containerd. This configuration option will be removed in the future! (gardener/gardener#4218, @voelzmo)
• [DEVELOPER] Support option requiring shoot connection to be external (gardener/gardener#4366, @deitch)

🐛 Bug Fixes

• [USER] A fix included in v1.27.0 and v1.27.1 was reverted, because it introduced a regression which caused clusters configured with containerd as a runtime to fail to reconcile (see gardener/gardener#4390 for more details). This now means that bug gardener/gardener#4254 still exists in gardener >1.27.1. (gardener/gardener#4408, @voelzmo)
• [USER] Additional DNS provider Secret is now updated on Shoot deletion. This will allow users to update their invalid Secret data with valid one and now this change will be reflected to the Secret maintained in the Shoot namespace in the Seed. (gardener/gardener#4337, @ialidzhikov)
• [USER] Updating to a MachineImageVersion which doesn't support the chosen CRI configuration will now result in a validation error. (gardener/gardener#4332, @voelzmo)
• [OPERATOR] A bug has been fixed which caused seed clusters running Kubernetes v1.15 not to get ready. (gardener/gardener#4431, @timuthy)
• [OPERATOR] An issue that was not allowing creation of garden Project (with .spec.namespace=garden) is now fixed. (gardener/gardener#4423, @mliepold)
• [OPERATOR] A bug in the cloud config downloader script that was generating error messages like bash: line 161: ;: command not found has been fixed. (gardener/gardener#4355, @vpnachev)
• [OPERATOR] A bug that the shoot maintenance controller was upgrading the OS version to higher but deprecated version instead of using lower and supported has been fixed. (gardener/gardener#4327, @vpnachev)
• [OPERATOR] A bug that the OS version of worker pool is defaulted to higher and deprecated version instead of lower and supported is now fixed. (gardener/gardener#4327, @vpnachev)
• [OPERATOR] An issue causing the SNI transition step to fail for a cluster that still didn't transitioned to SNI is now fixed. (gardener/gardener#4268, @ialidzhikov)

🏃 Others

• [USER] Authenticated users can now read/list/watch ExposureClass resources. (gardener/gardener#4334, @dkistner)
• [OPERATOR] A potential race condition in gardenlet that can lead to nil pointer dereference during the deletion of hibernated Shoot is now fixed. (gardener/gardener#4439, @ialidzhikov)
• [OPERATOR] Fluent-bit priority class value is increased from 50 to 150 (gardener/gardener#4407, @vlvasilev)
• [OPERATOR] The SSH keypair rotation on maintenance window is now set behind a new alpha feature gate in gardener-controller-manager - RotateSSHKeypairOnMaintenance . (gardener/gardener#4397, @ialidzhikov)
• [OPERATOR] Upgrade grafana to 7.5.10 (gardener/gardener#4389, @wyb1)
• [OPERATOR] Envoy used apiserver-proxy and sidecar are upgraded to distroless 1.18.3 version. (gardener/gardener#4304, @mvladev)
• [OPERATOR] ManagedIstio now uses distroless images. (gardener/gardener#4301, @mvladev)
• [OPERATOR] ManagedIstio is now upgraded to 1.10.2 (gardener/gardener#4301, @mvladev)
• [OPERATOR] The blueprint of the Gardenlet landscaper has been fixed to properly reference the gardenlet-landscaper OCI image (gardener/gardener#4283, @danielfoehrKn)
• [OPERATOR] The MountHostCADirectories feature gate in the gardenlet has been promoted to GA. (gardener/gardener#4279, @ialidzhikov)
• [OPERATOR] Labels and annotations on the ResourceQuota config get merged with the respective fields on existing ResourceQuotas (gardener/gardener#4264, @petersutter)
• [OPERATOR] Martian packets are now explicitly enabled in the kernel settings of the shoot clusters nodes. (gardener/gardener#4250, @DockToFuture)
• [OPERATOR] Optimize gardenlet's shoot controller to issue less calls to gardener-apiserver for the highly frequent status updates during reconciliations and normal care operations. (gardener/gardener#4246, @timebertt)
• [OPERATOR] Split EnvoyFilter resources from SNI and ReversedVPN into separate resources. (gardener/gardener#4242, @DockToFuture)
• [OPERATOR] ManagedIstio version is upgraded to 1.10.1 (gardener/gardener#4241, @mvladev)
• [OPERATOR] Error messages containing RequestLimitExceeded are now treated as ERR_INFRA_RATE_LIMITS_EXCEEDED (instead of ERR_INFRA_QUOTA_EXCEEDED before). (gardener/gardener#4236, @rfranzke)
• [OPERATOR] gardener-controller-manager's Seed controller now checks the seed namespace's ownerReferences before adopting it. (gardener/gardener#4232, @timebertt)
• [OPERATOR] Dashboards use UTC instead of browser time by default (gardener/gardener#4229, @wyb1)
• [OPERATOR] Optional logging agent can be installed on the shoot nodes (gardener/gardener#3813, @vlvasilev)
• [DEVELOPER] Switch from *metav1.LabelSelector to metav1.LabelSelector in the gardenercore.SeedSelector type in our APIs. This doesn't impose a breaking change for users of the API, however users of the golang types, will have to adapt accordingly. (gardener/gardener#4299, @timebertt)
• [DEVELOPER] Envtests are now run in a dedicated make target (make test-integration). (gardener/gardener#4265, @timebertt)
• [DEPENDENCY] Envtests that require the control plane binaries now have to be run using hack/test-integration.sh. Please consult gardener's Makefile as a reference usage. (gardener/gardener#4265, @timebertt)

📰 Noteworthy

• [USER] ⚠️ The kubelets on the shoot worker nodes will be restarted in the respective maintenance time windows of the shoot clusters. (gardener/gardener#4321, @rfranzke)
• [USER] Added a document with recommendations when custom CSI components are deployed into shoot clusters. (gardener/gardener#4211, @rfranzke)
• [OPERATOR] The hyperkube image is now only downloaded exactly once per shoot worker node to prevent repetitive, undesired downloads in case the kubelet garbage-collects the image due to excessive root disk usage. (gardener/gardener#4321, @rfranzke)
• [OPERATOR] The MountHostCADirectories feature gate in the gardenlet has been promoted to beta and is now enabled by default. (gardener/gardener#4223, @ialidzhikov)
• [OPERATOR] The gardenlet chart now defines fine-grained RBAC resources for the gardenlet in the Seed cluster. Previously the gardenlet's ServiceAccount was granted with all privileges. With this change the gardenlet's ServiceAccount privileges are limited as much as possible. (gardener/gardener#4129, @ialidzhikov)

[gardener-extension-networking-calico]

⚠️ Breaking Changes

• [OPERATOR] Drop support for k8s<v1.15.0. (gardener/gardener-extension-networking-calico#100, @DockToFuture)
• [OPERATOR] The default leader election resource lock of gardener-extension-networking-calico has been changed from configmapsleases to leases. (gardener/gardener-extension-networking-calico#98, @ialidzhikov)
  • Please make sure, that you had at least [email protected] running before upgrading to v1.19.0, so that it has successfully required leadership with the hybrid resource lock (configmapsleases) at least once.

✨ New Features

• [OPERATOR] It is now possible to specify the leader election resource lock via the chart value leaderElection.resourceLock (defaults to leases). (gardener/gardener-extension-networking-calico#98, @ialidzhikov)

🏃 Others

• [OPERATOR] Revendored to gardener v1.26.0 (gardener/gardener-extension-networking-calico#103, @ScheererJ)
• [OPERATOR] The kubeconfig used by cni (/etc/cni/net.d/calico-kubeconfig) will be automatically updated if the service account token changes. (gardener/gardener-extension-networking-calico#92, @ScheererJ)
• [OPERATOR] adds artifacts for Landscaper integration (gardener/gardener-extension-networking-calico#83, @jschicktanz)

[gardener-extension-os-suse-chost]

⚠️ Breaking Changes

• [OPERATOR] The default leader election resource lock of gardener-extension-os-suse-chost has been changed from configmapsleases to leases. (gardener/gardener-extension-os-suse-chost#48, @ialidzhikov)
  • Please make sure, that you had at least [email protected] running before upgrading to v1.12.0, so that it has successfully required leadership with the hybrid resource lock (configmapsleases) at least once.
• [OPERATOR] ⚠️ The support for cloud-init scripts has been removed. From now on this extension is using only bash scripts to bootstrap SuSE and MemoryOne nodes. (gardener/gardener-extension-os-suse-chost#46, @vpnachev)

✨ New Features

• [OPERATOR] It is now possible to specify the leader election resource lock via the chart value leaderElection.resourceLock (defaults to leases). (gardener/gardener-extension-os-suse-chost#48, @ialidzhikov)

🏃 Others

• [USER] An issue with old version of systemd preventing the hostnamectl set-hostname command to succeed and let kubelet start successfully has been mitigated. (gardener/gardener-extension-os-suse-chost#50, @vpnachev)
• [OPERATOR] This extension is no longer restarting the systemd services from the original OperatingSystemConfig units. (gardener/gardener-extension-os-suse-chost#45, @vpnachev)

[gardener-extension-os-ubuntu]

⚠️ Breaking Changes

• [OPERATOR] The default leader election resource lock of gardener-extension-os-ubuntu has been changed from configmapsleases to leases. (gardener/gardener-extension-os-ubuntu#49, @ialidzhikov)
  • Please make sure, that you had at least [email protected] running before upgrading to v1.12.0, so that it has successfully required leadership with the hybrid resource lock (configmapsleases) at least once.

✨ New Features

• [OPERATOR] It is now possible to specify the leader election resource lock via the chart value leaderElection.resourceLock (defaults to leases). (gardener/gardener-extension-os-ubuntu#49, @ialidzhikov)

🐛 Bug Fixes

• [OPERATOR] Fix a bug that was affecting the DNS resolution for containers running on the node due to usage of systemd-resolved stub i.e. the node local DNS server 127.0.0.53 was also configured in the containers, but this endpoint is not available there. See https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues for more details about the issue. (gardener/gardener-extension-os-ubuntu#51, @vpnachev)

🏃 Others

• [OPERATOR] Fix a bug that was preventing the containerd to start-up when the /etc/containerd/config.toml file is missing. (gardener/gardener-extension-os-ubuntu#52, @vpnachev)
• [OPERATOR] This extension now explicitly install containred and runc instead of relying they will be installed as docker.io dependencies. (gardener/gardener-extension-os-ubuntu#51, @vpnachev)
• [OPERATOR] This extension is no longer restarting the systemd services from the original OperatingSystemConfig units. (gardener/gardener-extension-os-ubuntu#47, @vpnachev)

[gardener-extension-shoot-dns-service]

🏃 Others

• [OPERATOR] Add permissions for leader election lease of shoot-dns-service in control plane (gardener/gardener-extension-shoot-dns-service#67, @MartinWeindel)

[gardener-resource-manager]

✨ New Features

• [OPERATOR] Don't overwrite resources/replicas of objects annotated with resources.gardener.cloud/preserve-{resources,replicas}. (gardener-attic/gardener-resource-manager#122, @harishmanasa)
• [DEVELOPER] The gardener-resource-manager now features an optional garbage collector controller (disabled by default) for immutable ConfigMaps/Secrets. Please take a look at this document if you want to use it. (gardener-attic/gardener-resource-manager#127, @rfranzke)

🐛 Bug Fixes

• [OPERATOR] Fix the --version flag to print the appropriate metadata. (gardener-attic/gardener-resource-manager#129, @ialidzhikov)

📰 Noteworthy

• [DEVELOPER] Most dependencies have been revendored, most prominently: (gardener-attic/gardener-resource-manager#126, @rfranzke)
  • github.com/gardener/[email protected]
  • k8s.io/*@v0.21.2
  • sigs.k8s.io/[email protected]

[terminal-controller-manager]

✨ New Features

• [OPERATOR] Added support to authenticate against GKE clusters using google service account key. In this case, the referenced secret needs to have the serviceaccount.json data key in addition to the kubeconfig data key (gardener/terminal-controller-manager#57, @petersutter)

🏃 Others

• [OPERATOR] Tolerations with NoExecute effect and CriticalAddonsOnly key will be added to the terminal pod when host.pod.nodeSelector is specified in the Terminal resource. (gardener/terminal-controller-manager#58, @plkokanov)
• [DEVELOPER] The Golang version has been updated to 1.16.6 (gardener/terminal-controller-manager#57, @petersutter)