Release Notes v1.127

Yake release notes and upgrade guide

Update networking-cilium to 1.42.2

[github.com/gardener/gardener-extension-networking-cilium:v1.42.2]

πŸƒ Others​

  • [OPERATOR] Update cilium to v1.17.7 by @ScheererJ [#626]
Update dashboard to 1.81.3

[github.com/gardener/dashboard:1.81.3]

πŸ› Bug Fixes​

  • [USER] Infrastructure dependency, resource depletion, and quota exceeded errors no longer appear as credential issues. by @gardener-github-actions[bot] [#2591]
  • [USER] Fixed an issue where worker disk performance settings (IOPS) weren’t saved after editing, ensuring your changes now persist. by @gardener-github-actions[bot] [#2609]
Update shoot-networking-filter to 0.24.1

[github.com/gardener/gardener-extension-shoot-networking-filter:v0.24.1]

πŸƒ Others​

  • [OPERATOR] Fix priorityClassName for deployment on Garden runtime cluster. by @MartinWeindel [#266]

Helm Charts

  • runtime-networking-filter: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/runtime-networking-filter:v0.24.1
  • shoot-networking-filter-admission-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-networking-filter-admission-application:v0.24.1
  • shoot-networking-filter-admission-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-networking-filter-admission-runtime:v0.24.1
  • shoot-networking-filter: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-networking-filter:v0.24.1

Container (OCI) Images

  • gardener-extension-shoot-networking-filter-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-networking-filter-admission:v0.24.1
  • gardener-extension-shoot-networking-filter: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-networking-filter:v0.24.1
  • gardener-runtime-networking-filter: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/runtime-networking-filter:v0.24.1
Update shoot-networking-problemdetector to 0.29.0

[github.com/gardener/gardener-extension-shoot-networking-problemdetector:v0.29.0]

πŸƒ Others​

  • [OPERATOR] An example Extension manifest for extension registration has been added. It can be found at example/extension.yaml by @timuthy [#271]

Helm Charts

  • shoot-networking-problemdetector: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-networking-problemdetector:v0.29.0

Container (OCI) Images

  • gardener-extension-shoot-networking-problemdetector: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-networking-problemdetector:v0.29.0
Update acl to 1.11.0

What's Changed

🤖 Dependencies

ℹ️ Other Changes

Full Changelog: https://github.com/stackitcloud/gardener-extension-acl/compare/v1.10.0...v1.11.0

Update shoot-cert-service to 1.53.0

[github.com/gardener/gardener-extension-shoot-cert-service:v1.53.0]

πŸ› Bug Fixes​

  • [OPERATOR] Deployment on runtime cluster: cert-class also needs to be set for the source controllers. by @MartinWeindel [#461]
  • [USER] Control-plane certificate: Use dnsNames field instead of commonName for long domain names > 64 characters. by @MartinWeindel [#445]

πŸƒ Others​

  • [OPERATOR] shoot-cert-service no longer supports Shoots with Кubernetes version <= 1.28. by @MartinWeindel [#437]
  • [OPERATOR] export testresults as inlined ocm-resource by @heldkat [#438]

Helm Charts

  • shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-cert-service:v1.53.0

Container (OCI) Images

  • gardener-extension-shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-cert-service:v1.53.0
Update gardener-controlplane to 1.127.0

[github.com/gardener/gardener:v1.127.0]

⚠️ Breaking Changes

  • [OPERATOR] The ProjectValidator admission plugin is now renamed to ProjectMutator. If you have references to the old name of the admission plugin, make sure to adapt them before upgrading to this version of Gardener. by @georgibaltiev [#12818]

  • [OPERATOR] ⚠️ Gardener no longer supports garden, seed, or shoot clusters with Kubernetes versions <= 1.28. Make sure to upgrade all existing clusters before upgrading to this Gardener version. by @seshachalam-yv [#12486]

  • [USER] It is no longer allowed to specify a comma (",") or duplicate values within the entries of Shoot.spec.kubernetes.kubeAPIServer.apiAudiences[]. Please update your Shoots accordingly. by @tobschli [#12788]

  • [DEVELOPER] The Priority field for the MachineDeployment API is now required instead of optional. Provider extensions need to make sure that the MachineDeployments they generate specify this field. by @tobschli [#12742]

  • [OPERATOR] The CredentialsRotationWithoutWorkersRollout feature gate has been promoted to GA and is enabled unconditionally. by @rfranzke [#12857]

  • [OPERATOR] The GA-ed and unconditionally enabled NewVPN feature gate has been removed. If you have references to this feature gate, clean them up before upgrading to this version of Gardener. by @ialidzhikov [#12807]

  • [OPERATOR] A Project resource's .spec.namespace field is now validated in the storage layer. It was previously validated in the ProjectValidator admission plugin due to backwards-compatibility reasons. With this change, gardener-apiserver unconditionally accepts only garden and values with prefix garden- as valid Project namespaces. by @georgibaltiev [#12784]

  • [USER] gardener-apiserver no longer serves the /openapi/v2 endpoint. kubectl < 1.27 relies on this endpoint. Make sure to use kubectl 1.27+ against this version of gardener-apiserver. by @seshachalam-yv [#12486]

  • [USER] The spec.seedSelector field in the Shoot API is now validated for invalid label values. by @shafeeqes [#12708]

  • [OPERATOR] The following fields of resources in the core.gardener.cloud group are now validated for invalid label values:

    • spec.seedSelector in the CloudProfile API
    • spec.deployment.seedSelector in the ControllerRegistration API
    • scheduling.seedSelector in the ExposureClass API

    The following fields of resources in the operator.gardener.cloud group are now validated for invalid label values:

    • spec.virtualCluster.gardener.gardenerControllerManager.defaultProjectQuotas.projectSelector in the Garden API

    The following fields of resources in the controllermanager.config.gardener.cloud group are now validated for invalid label values:

    • controllers.project.quotas[].projectSelector

    The following fields of resources in the seedmanagement.gardener.cloud group are now validated for invalid label values:

    • spec.selector in the ManagedSeedSet API

    The following fields of resources in the settings.gardener.cloud group are now validated for invalid label values:

    • spec.projectSelector in the ClusterOpenIDConnectPreset API by @shafeeqes [#12708]

📰 Noteworthy

  • [USER] shoot.spec.secretBindingName field is deprecated in favour of shoot.spec.credentialsBindingName and will be removed after Kubernetes support for version 1.34 is dropped. Please see https://gardener.cloud/docs/gardener/shoot-operations/secretbinding-to-credentialsbinding-migration. If users do not perform the migration on their own, the migration will be forced and newly created CredentialsBindings will be labeled with credentialsbinding.gardener.cloud/status=force-migrated. by @dimityrmirchev [#12804]
  • [USER] It is now forbidden to specify configuration for admission plugins that are not configurable (via Shoot.spec.kubernetes.kubeAPIServer.admissionPlugins[].config) by @tobschli [#12768]
  • [OPERATOR] When gardenlet starts up, it now checks the version skew with the gardener-apiserver (see the version skew policy document). by @rfranzke [#12863]
  • [OPERATOR] On startup, each gardenlet will configure the .spec.dns.internal settings for its respective Seed. Operators should adapt their Seed manifests to explicitly configure internal DNS, as .spec.dns.internal will become a mandatory configuration after release v1.129.0. by @dimityrmirchev [#12663]
  • [USER] SecretBinding API is deprecated in favour of CredentialsBinding and will be removed after Kubernetes support for version 1.34 is dropped. Please see https://gardener.cloud/docs/gardener/shoot-operations/secretbinding-to-credentialsbinding-migration. by @dimityrmirchev [#12804]

✨ New Features

  • [OPERATOR] Enabling feature gate OpenTelemetryCollector will now route logs through the collector in the Shoot control-plane before reaching Vali. by @rrhubenov [#12568]
  • [OPERATOR] The Seed spec was extended to allow explicit configuration for internal DNS settings. Operators can configure these by setting .spec.dns.internal. The implicit configuration that involved selecting a DNS secret from the Garden cluster based on labels will be eventually removed. Operators should adapt their Seed manifests to explicitly configure internal DNS. by @dimityrmirchev [#12663]

πŸ› Bug Fixes​

  • [DEVELOPER] Ambiguous go.mod dependencies were removed when calling make import-tools-bin. by @timuthy [#12810]
  • [OPERATOR] A misconfiguration has been fixed which was preventing gardener-admission-controller from being called for ConfigMap creations of gardenlet. by @rfranzke [#12858]
  • [OPERATOR] Flip the status of a set EmergencyStopShootReconciliations Seed condition from False to True. by @LucaBernstein [#12823]
  • [OPERATOR] Fix shoot creation failure for shoots with kubernetes version >=1.32 and openidconnect preset present by @p53 [#12743]

πŸƒ Others​

  • [OPERATOR] GOMAXPROCS for the gardener-controller-manager is set by the Go runtime instead of the external go.uber.org/automaxprocs/maxprocs library. by @timuthy [#12801]
  • [DEPENDENCY] The following dependencies have been updated:
    • quay.io/kiwigrid/k8s-sidecar from 1.30.9 to 1.30.10. by @gardener-ci-robot [#12827]
  • [DEPENDENCY] We now use envoyproxy/envoy:distroless-v1.35.0 instead of the deprecated repository envoyproxy/envoy-distroless:v1.35.0 by @oliver-goetz [#12868]
  • [DEPENDENCY] The following dependencies have been updated:
  • [DEPENDENCY] The following dependencies have been updated:
    • registry.k8s.io/dns/k8s-dns-node-cache from 1.26.4 to 1.26.5. by @gardener-ci-robot [#12806]
  • [DEVELOPER] The optimistic defaulting of priorities for MachineDeployments was removed. This needs to be done by the provider extension now. by @tobschli [#12742]
  • [DEPENDENCY] The following dependencies have been updated:
    • gardener/machine-controller-manager from v0.59.2 to v0.60.0. Release Notes
    • github.com/gardener/machine-controller-manager from v0.59.2 to v0.60.0. by @gardener-ci-robot [#12842]
  • [DEPENDENCY] The following dependencies have been updated:
  • [DEPENDENCY] The following dependencies have been updated:
    • registry.k8s.io/autoscaling/vpa-admission-controller from 1.4.1 to 1.4.2.
    • registry.k8s.io/autoscaling/vpa-recommender from 1.4.1 to 1.4.2.
    • registry.k8s.io/autoscaling/vpa-updater from 1.4.1 to 1.4.2. by @gardener-ci-robot [#12813]
  • [DEPENDENCY] The following dependencies have been updated:
  • [OPERATOR] Add validation for the name of worker's root volumes. by @kon-angelo [#12820]
  • [OPERATOR] The gardener/autoscaler image has been updated to v1.33.0. Release Notes by @aaronfern [#12800]
  • [DEPENDENCY] The following dependencies have been updated:
  • [DEPENDENCY] The following dependencies have been updated:
    • registry.k8s.io/ingress-nginx/controller-chroot from v1.13.1 to v1.13.2. by @gardener-ci-robot [#12848]
  • [OPERATOR] Improved dual-stack migration by ensuring CoreDNS pods are restarted before configuring the kube-dns service as dual-stack, preventing IPv6 DNS query failures during migration. by @axel7born [#12816]
  • [OPERATOR] gardener-apiserver: The FinalizerRemoval admission plugin's type is now changed from mutating to validating. by @georgibaltiev [#12786]
  • [DEPENDENCY] The following dependencies have been updated:
    • registry.k8s.io/kube-state-metrics/kube-state-metrics from v2.16.0 to v2.17.0. by @gardener-ci-robot [#12865]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.127.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.127.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.127.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.127.0

Container (OCI) Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.127.0
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.127.0
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.127.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.127.0
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.127.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.127.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.127.0
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.127.0
Update gardenlet to 1.127.0

[github.com/gardener/gardener:v1.127.0]

Update shoot-flux to 0.21.0

What's Changed

New Contributors

Full Changelog: https://github.com/stackitcloud/gardener-extension-shoot-flux/compare/v0.20.1...v0.21.0

Update provider-alicloud to 1.64.1

[github.com/gardener/gardener-extension-provider-alicloud:v1.64.1]

πŸƒ Others​

  • [OPERATOR] Flow-base now supports zone CIDR named with worker , and enable migrate from worker to workers by @kevin-lacoo [#835]

Helm Charts

  • admission-alicloud-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-alicloud-application:v1.64.1
  • admission-alicloud-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-alicloud-runtime:v1.64.1
  • provider-alicloud: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/provider-alicloud:v1.64.1

Container (OCI) Images

  • gardener-extension-admission-alicloud: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-alicloud:v1.64.1
  • gardener-extension-provider-alicloud: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-alicloud:v1.64.1
Update cert-management to 0.18.0

[github.com/gardener/cert-management:v0.18.0]

✨ New Features

  • [USER] Introduced new Certificate fields: .spec.renewBefore, .status.renewalDate. The field renewBefore allows specifying whether a Certificate should be renewed sooner than the configured renewal window. by @marc1404 [#569]

πŸƒ Others​

  • [USER] Add validation of data fields for secrets of an ACME issuer secret (private key and external account binding secrets). by @MartinWeindel [#554]

πŸ“– Documentation​

  • [USER] Add documentation how to use ACME with external account binding. by @MartinWeindel [#539]

Helm Charts

  • cert-controller-manager: europe-docker.pkg.dev/gardener-project/releases/charts/cert-controller-manager:v0.18.0

Container (OCI) Images

  • cert-management: europe-docker.pkg.dev/gardener-project/releases/cert-controller-manager:v0.18.0