Release Notes v1.132

Yake release notes and upgrade guide

Update provider-azure to 1.56.1

[github.com/gardener/gardener-extension-provider-azure:v1.56.1]

🐛 Bug Fixes

[OPERATOR] Fix bug in Azure client failing to make use of Workload Identity in Azure China by downgrading the module github.com/AzureAD/microsoft-authentication-library-for-go to version v1.4.2. by @vpnachev [#1358]

Helm Charts

admission-azure-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-azure-application:v1.56.1
admission-azure-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-azure-runtime:v1.56.1
provider-azure: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/provider-azure:v1.56.1

Container (OCI) Images

gardener-extension-admission-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-azure:v1.56.1
gardener-extension-provider-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-azure:v1.56.1

Update gardener-controlplane to 1.131.2

[github.com/gardener/gardener:v1.131.2]

🐛 Bug Fixes

[OPERATOR] Gardenlet's backupbucket and backupentry controllers are now unsetting all unknown labels and annotations on the extension secrets in the seed cluster, this fixes a bug that occurs after migration from WorkloadIdentity to Secret credentials the workload identity annotations and labels were kept in the secrets causing other controllers to keep trying to use the WorkloadIdentity credentials. by @vpnachev [#13364]
[DEVELOPER] Backupentry generic actuator is fixed to clean all unknown annotations and labels from the etcd-backup secret, this change fixes issues when the credentials are switched between static secret and workload identity. by @vpnachev [#13364]

Helm Charts

controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.131.2
gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.131.2
operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.131.2
resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.131.2

Container (OCI) Images

admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.131.2
apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.131.2
controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.131.2
gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.131.2
node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.131.2
operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.131.2
resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.131.2
scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.131.2

Update gardener-controlplane to 1.131.2

[github.com/gardener/gardener:v1.131.2]

🐛 Bug Fixes

[OPERATOR] Gardenlet's backupbucket and backupentry controllers are now unsetting all unknown labels and annotations on the extension secrets in the seed cluster, this fixes a bug that occurs after migration from WorkloadIdentity to Secret credentials the workload identity annotations and labels were kept in the secrets causing other controllers to keep trying to use the WorkloadIdentity credentials. by @vpnachev [#13364]
[DEVELOPER] Backupentry generic actuator is fixed to clean all unknown annotations and labels from the etcd-backup secret, this change fixes issues when the credentials are switched between static secret and workload identity. by @vpnachev [#13364]

Helm Charts

controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.131.2
gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.131.2
operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.131.2
resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.131.2

Container (OCI) Images

admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.131.2
apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.131.2
controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.131.2
gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.131.2
node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.131.2
operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.131.2
resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.131.2
scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.131.2

Update gardenlet to 1.131.2

[github.com/gardener/gardener:v1.131.2]

🐛 Bug Fixes

[OPERATOR] Gardenlet's backupbucket and backupentry controllers are now unsetting all unknown labels and annotations on the extension secrets in the seed cluster, this fixes a bug that occurs after migration from WorkloadIdentity to Secret credentials the workload identity annotations and labels were kept in the secrets causing other controllers to keep trying to use the WorkloadIdentity credentials. by @vpnachev [#13364]
[DEVELOPER] Backupentry generic actuator is fixed to clean all unknown annotations and labels from the etcd-backup secret, this change fixes issues when the credentials are switched between static secret and workload identity. by @vpnachev [#13364]

Helm Charts

controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.131.2
gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.131.2
operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.131.2
resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.131.2

Container (OCI) Images

admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.131.2
apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.131.2
controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.131.2
gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.131.2
node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.131.2
operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.131.2
resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.131.2
scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.131.2

Update image-rewriter to 0.6.0

[github.com/gardener/gardener-extension-image-rewriter:v0.6.0]

✨ New Features

[OPERATOR] The regions fields for image rewrites and containerd host configurations is now optional.
If regions is not set, only the shoot provider is used to select the mirror, enabling global, region-independent endpoints. by @timuthy [#34]

🏃 Others

[OPERATOR] export testresults as inlined ocm-resource by @heldkat [#31]

Helm Charts

image-rewriter: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/image-rewriter:v0.6.0

Container (OCI) Images

gardener-extension-image-rewriter: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/image-rewriter:v0.6.0

Update registry-cache to 0.18.0

[github.com/gardener/gardener-extension-registry-cache:v0.18.0]

⚠️ Breaking Changes

[USER] Registry cache Pods are no longer reachable using Pod DNS - $(podname).$(governing service domain), for example registry-docker-io-0.registry-docker-io.kube-system.svc.cluster.local. by @dimitar-kostadinov [#455]

✨ New Features

[USER] The registry-cache service name can now be customized with the serviceNameSuffix option. by @Wieneo [#425]
[USER] The registry-cache extension does now support shoot clusters with Kubernetes version 1.33. by @ialidzhikov [#437]

🐛 Bug Fixes

[OPERATOR] The Endpoints role in monitoring ScrapeConfig has been fixed. by @oliver-goetz [#459]

🏃 Others

[DEVELOPER] The golang version is updated to 1.25. by @dependabot[bot] [#456]
[OPERATOR] The spec.serviceName field has been removed from the registry cache StatefulSet. All registry cache StatefulSets will be recreated once due to this change. by @dimitar-kostadinov [#455]
[DEVELOPER] The Concourse CI/CD pipeline has been migrated to GitHub Actions. by @ccwienk [#420]
[OPERATOR] An example Extension manifest for extension registration has been added. It can be found at example/extension.yaml. by @timuthy [#448]

Helm Charts

admission-registry-cache-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-registry-cache-application:v0.18.0
admission-registry-cache-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-registry-cache-runtime:v0.18.0
registry-cache: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/registry-cache:v0.18.0

Container (OCI) Images

gardener-extension-registry-cache-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/registry-cache-admission:v0.18.0
gardener-extension-registry-cache: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/registry-cache:v0.18.0

Update external-dns-management to 0.32.0

Helm Charts

dns-controller-manager: europe-docker.pkg.dev/gardener-project/releases/charts/dns-controller-manager:v0.32.0

Container (OCI) Images

dns-controller-manager-next-generation: europe-docker.pkg.dev/gardener-project/releases/dns-controller-manager-next-generation:v0.32.0
dns-controller-manager: europe-docker.pkg.dev/gardener-project/releases/dns-controller-manager:v0.32.0

Update provider-alicloud to 1.66.1

[github.com/gardener/gardener-extension-provider-alicloud:v1.66.1]

🏃 Others

[OPERATOR] Avoid duplicate creation of Natgateway by @kevin-lacoo [#848]

Helm Charts

admission-alicloud-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-alicloud-application:v1.66.1
admission-alicloud-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-alicloud-runtime:v1.66.1
provider-alicloud: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/provider-alicloud:v1.66.1

Container (OCI) Images

gardener-extension-admission-alicloud: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-alicloud:v1.66.1
gardener-extension-provider-alicloud: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-alicloud:v1.66.1

Update provider-aws to 1.65.4

[github.com/gardener/gardener-extension-provider-aws:v1.65.4]

🐛 Bug Fixes

[DEPENDENCY] The following third party dependencies have been updated:
- github.com/gardener/gardener v1.129.1 -> v1.129.4 by @vpnachev [#1564]

Helm Charts

admission-aws-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-aws-application:v1.65.4
admission-aws-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-aws-runtime:v1.65.4
provider-aws: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/provider-aws:v1.65.4

Container (OCI) Images

gardener-extension-admission-aws: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-aws:v1.65.4
gardener-extension-provider-aws: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-aws:v1.65.4

Update provider-azure to 1.56.2

[github.com/gardener/gardener-extension-provider-azure:v1.56.2]

🐛 Bug Fixes

[OPERATOR] A bug in the cloud controller manager visible in Azure China has been fixed by updating the container images as follows:
- v1.31.9 -> v1.31.10
- v1.32.8 -> v1.32.9
- v1.33.3 -> v1.33.4 by @vpnachev [#1369]
[OPERATOR] Executables are now built with Go 1.25.4 by @vpnachev [#1370]
[DEPENDENCY] The following third party dependencies have been updated:
- github.com/gardener/gardener v1.130.0 -> v1.130.3 by @vpnachev [#1363]

Helm Charts

admission-azure-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-azure-application:v1.56.2
admission-azure-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-azure-runtime:v1.56.2
provider-azure: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/provider-azure:v1.56.2

Container (OCI) Images

gardener-extension-admission-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-azure:v1.56.2
gardener-extension-provider-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-azure:v1.56.2

Update gardener-controlplane to 1.132.0

[github.com/gardener/gardener:v1.132.0]

⚠️ Breaking Changes

[DEPENDENCY] The .gardener.autonomousShootCluster is no longer part of the Helm values when extension charts are rendered. The field has been renamed to gardener.selfHostedShootCluster. In addition, the previous flag --autonomous-shoot-cluster has been renamed to --self-hosted-shoot-cluster. Extension developers should adapt their Helm charts. by @rfranzke [#13273]
[DEVELOPER] "Autonomous Shoot Clusters" have been renamed to "Self-Hosted Shoot Clusters". The "medium-touch" scenario has been renamed to "managed infrastructure" scenario. The "high-touch" scenario has been renamed to "unmanaged infrastructure" scenario. by @rfranzke [#13273]

📰 Noteworthy

[DEVELOPER] A new document has been added describing the development tasks for removing support for a Kubernetes version. See Removing Support For a Kubernetes Version. by @RadaBDimitrova [#12859]

✨ New Features

[OPERATOR] It is now possible to restrict the total count of objects for non-namespaced resources. You can set it through the admission controller configuration's server.resourceAdmissionConfiguration.limits[].count field. by @tobschli [#12916]
[OPERATOR] Gardener can now support clusters with Kubernetes version 1.34. To allow creation/update of 1.34 clusters you will have to update the version of your provider extension(s) to a version that supports 1.34 as well. Please consult the respective releases and notes in the provider extension's repository. by @tobschli [#12883]
[USER] gardener-node-agent now labels worker nodes in shoot clusters with the node-role.kubernetes.io/worker="" label. by @rfranzke [#13387]
[USER] Individual worker pools can now be scheduled for manual rollout using a new annotation on the shoot: gardener.cloud/operation=rollout-workers=<pool1>,<pool2>,...,<poolN>. by @rrhubenov [#12829]
[OPERATOR] Operators can set Seed.spec.settings.loadBalancerServices.class (docs) and/or GardenletConfiguration.exposureClassHandlers[].loadBalancerService.class (docs) to specify a non-default loadBalancerClass for the corresponding istio-ingressgateway services on seeds. by @timebertt [#13305]
[DEVELOPER] Gardener can now support clusters with Kubernetes version 1.34. Extension developers have to prepare individual extensions as well to work with 1.34. by @tobschli [#12883]
[DEVELOPER] Gardener container images now can be built for multiple platforms locally via the variable TARGET_PLATFORMS, e.g. make docker-images TARGET_PLATFORMS=linux/amd64,linux/arm64. If the variable is unset, the container images are built for the platform linux/<host-arch> only. by @vpnachev [#13324]

🐛 Bug Fixes

[OPERATOR] UnauthenticatedHTTP2DOSMitigation feature gate is now always disabled for kube-apiservers where IstioTLSTermination (aka L7 load-balancing) is activated. This prevents unwanted side-effects when unauthenticated requests are sent. HTTP/2 "Rapid Reset" DoS Vulnerability is mitigated by Envoy in this case. by @oliver-goetz [#13405]
[DEVELOPER] Fix make kind-up command to work correctly with Docker>=v29.0.0. by @oliver-goetz [#13410]
[OPERATOR] Gardenlet's backupbucket and backupentry controllers are now unsetting all unknown labels and annotations on the extension secrets in the seed cluster, this fixes a bug that occurs after migration from WorkloadIdentity to Secret credentials the workload identity annotations and labels were kept in the secrets causing other controllers to keep trying to use the WorkloadIdentity credentials. by @vpnachev [#13282]
[OPERATOR] Gardener no longer deploys the node-exporter ServiceMonitor in the kube-system namespace on unmanaged Seeds. by @rickardsjp [#13382]
[USER] The feature for supporting custom server blocks in node-local-dns is now reverted. by @Kostov6 [#13344]
[USER] An issue with the configuration for the OpenTelemetryCollector on the nodes that leads to missing kernel logs in Vali is now fixed. by @rrhubenov [#13328]
[OPERATOR] The Istio Gateway dashboard now correctly displays the total resource usage across pod restarts. by @rickardsjp [#13402]
[DEVELOPER] Backupentry generic actuator is fixed to clean all unknown annotations and labels from the etcd-backup secret, this change fixes issues when the credentials are switched between static secret and workload identity. by @vpnachev [#13282]

🏃 Others

[OPERATOR] gardener-resource-manager now uses kubernetes.io/metadata.name label instead of gardener.cloud/purpose in its webhook namespace selectors. The kubernetes.io/metadata.name is added to all namespaces automatically by Kubernetes. by @shafeeqes [#13398]
[DEPENDENCY] Updated dependency containerd to v2.1.4 (release notes). by @gardener-ci-robot [#13311]
[OPERATOR] Removed obsolete validation for shootDefaults network disjointedness with SeedNetworks. by @domdom82 [#13349]
[OPERATOR] The gardener-operator now does not wait for verticalpodautoscalercheckpoints.autoscaling.k8s.io to be present when the Gardens .spec.runtimeCluster.settings.verticalPodAutoscaler.enabled is false. This allows externally managed VPAs, that do not use the vpa checkpoint api, to be used with the gardener-operator. by @tobschli [#13314]
[OPERATOR] When IstioTLSTermination is active memory of istio-ingressgateways is now scaled by VPA instead of HPA. VPA uses updateMode: Initial that it does not evict pods but only sets reasonable memory requests when new pods are created. by @oliver-goetz [#13370]
[USER] The Shoot .spec.kubernetes.kubeAPIServer.serviceAccountConfig.{issuer,acceptedIssuers} fields are now validated against the OpenID Discovery 1.0 specification. by @acumino [#13325]
[OPERATOR] Logging stack has been upgraded to fluent-bit v4.1.1 and logging plugin v0.68.0. by @nickytd [#13358]
[DEPENDENCY] The following dependencies have been updated:
- quay.io/kiwigrid/k8s-sidecar from 2.1.1 to 2.1.2. by @gardener-ci-robot [#13384]
[OPERATOR] fluent-bit now supports IPv6 as well. by @damyan [#12003]
[OPERATOR] Readiness probe was added to vpn-shoot tunnel-controller to improve VPN availability during shoot reconciliation. by @domdom82 [#13366]
[OPERATOR] gardener-admission-controller VerticalPodAutoscaler name is changed from gardener-admission-controller to gardener-admission-controller-vpa to fix an issue with duplicate VPA resources for the gardener-admission-controller Deployment. The VPA resource name with the deprecated controlplane chart was gardener-controller-manager-vpa. Previously, switching to the gardener-operator created a VPA with name gardener-controller-manager that targets the same Deployment. by @ialidzhikov [#13430]
[DEPENDENCY] The following dependencies have been updated:
- quay.io/prometheus/alertmanager from v0.28.1 to v0.29.0. by @gardener-ci-robot [#13350]
[DEPENDENCY] The following dependencies have been updated:
- registry.k8s.io/ingress-nginx/controller-chroot from v1.13.3 to v1.13.4. by @gardener-ci-robot [#13318]
[DEPENDENCY] The following dependencies have been updated:
- gardener/vpn2 from 0.43.0 to 0.44.0. Release Notes by @gardener-ci-robot [#13339]
[OPERATOR] The following dependencies are updated:
- k8s.io/*: v0.33.5 -> v0.34.1
- sigs.k8s.io/controller-runtime: v0.21.0 -> v0.22.3
- sigs.k8s.io/controller-tools: v0.18.0 -> v0.19.0 by @ScheererJ [#13238]
[OPERATOR] Defaulting of the Shoot Kubernetes versions (.spec.kubernetes.version and .spec.provider.workers[].kubernetes.version) is moved from the ShootValidator to the ShootMutator admission plugin. by @ialidzhikov [#13252]
[OPERATOR] Add system load average (1min avg) panel to the Node Details dashboard by @IndritFejza [#13280]
[DEPENDENCY] The following dependencies have been updated:
- quay.io/prometheus/node-exporter from v1.9.1 to v1.10.2. by @gardener-ci-robot [#13266]
[DEPENDENCY] The following dependencies have been updated:
- gardener/gardener-metrics-exporter from 0.40.0 to 0.41.0. Release Notes by @gardener-ci-robot [#13291]
[DEPENDENCY] The following dependencies have been updated:
- fluent/fluent-operator from v3.3.0 to v3.5.0 (Release Notes). by @gardener-ci-robot [#13292]
[USER] It is possible now to create IPv6 workerless shoots without specifying a service range. by @axel7born [#13224]
[DEPENDENCY] The following dependencies have been updated:
- quay.io/kiwigrid/k8s-sidecar from 1.30.9 to 2.0.3. by @gardener-ci-robot [#13288]
[OPERATOR] Shoot api now supports configuring additional CA Flags for node group backoff namely initialNodeGroupBackoffDuration, maxNodeGroupBackoffDuration and nodeGroupBackoffResetTimeout. by @ashwani2k [#13403]
[OPERATOR] Defaulting of the Shoot networks is moved from the ShootValidator to the ShootMutator admission plugin. by @ialidzhikov [#13207]
[OPERATOR] Support custom server blocks in node-local-dns. by @DockToFuture [#13375]
[DEPENDENCY] The following dependencies have been updated:
- quay.io/kiwigrid/k8s-sidecar from 2.0.3 to 2.1.1. by @gardener-ci-robot [#13374]
[OPERATOR] maxEmptyBulkDelete is explicitly set to nil, since it can no longer be set for Kubernetes versions >= v1.33. by @RadaBDimitrova [#13054]
[OPERATOR] Migration from dual-stack [IPv4, IPv6] to [IPv4] networking is now allowed. by @axel7born [#12967]
[DEPENDENCY] The following dependencies have been updated:
- registry.k8s.io/ingress-nginx/controller-chroot from v1.13.4 to v1.14.0. by @gardener-ci-robot [#13319]
[OPERATOR] Increase client-side rate limits for kube-controller-manager to --kube-api-qps=100 and --kube-api-burst=200 by @voelzmo [#13251]
[OPERATOR] Additional input validations for the SecurityBinding and CredentialsBinding resources are now implemented. by @georgibaltiev [#13258]
[OPERATOR] NamespacedCloudprofiles are now compatible with parent CloudProfiles that use MachineCapabilities. Read more about capabilities in GEP-33. by @Roncossek [#13138]

📖 Documentation

[OPERATOR] Add disaster recovery guide for the garden cluster by @hendrikKahl [#13239]

Helm Charts

controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.132.0
gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.132.0
operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.132.0
resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.132.0

Container (OCI) Images

admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.132.0
apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.132.0
controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.132.0
gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.132.0
gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.132.0
node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.132.0
operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.132.0
resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.132.0
scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.132.0

Update gardener-controlplane to 1.132.0

[github.com/gardener/gardener:v1.132.0]

⚠️ Breaking Changes

[DEPENDENCY] The .gardener.autonomousShootCluster is no longer part of the Helm values when extension charts are rendered. The field has been renamed to gardener.selfHostedShootCluster. In addition, the previous flag --autonomous-shoot-cluster has been renamed to --self-hosted-shoot-cluster. Extension developers should adapt their Helm charts. by @rfranzke [#13273]
[DEVELOPER] "Autonomous Shoot Clusters" have been renamed to "Self-Hosted Shoot Clusters". The "medium-touch" scenario has been renamed to "managed infrastructure" scenario. The "high-touch" scenario has been renamed to "unmanaged infrastructure" scenario. by @rfranzke [#13273]

📰 Noteworthy

[DEVELOPER] A new document has been added describing the development tasks for removing support for a Kubernetes version. See Removing Support For a Kubernetes Version. by @RadaBDimitrova [#12859]

✨ New Features

[OPERATOR] It is now possible to restrict the total count of objects for non-namespaced resources. You can set it through the admission controller configuration's server.resourceAdmissionConfiguration.limits[].count field. by @tobschli [#12916]
[OPERATOR] Gardener can now support clusters with Kubernetes version 1.34. To allow creation/update of 1.34 clusters you will have to update the version of your provider extension(s) to a version that supports 1.34 as well. Please consult the respective releases and notes in the provider extension's repository. by @tobschli [#12883]
[USER] gardener-node-agent now labels worker nodes in shoot clusters with the node-role.kubernetes.io/worker="" label. by @rfranzke [#13387]
[USER] Individual worker pools can now be scheduled for manual rollout using a new annotation on the shoot: gardener.cloud/operation=rollout-workers=<pool1>,<pool2>,...,<poolN>. by @rrhubenov [#12829]
[OPERATOR] Operators can set Seed.spec.settings.loadBalancerServices.class (docs) and/or GardenletConfiguration.exposureClassHandlers[].loadBalancerService.class (docs) to specify a non-default loadBalancerClass for the corresponding istio-ingressgateway services on seeds. by @timebertt [#13305]
[DEVELOPER] Gardener can now support clusters with Kubernetes version 1.34. Extension developers have to prepare individual extensions as well to work with 1.34. by @tobschli [#12883]
[DEVELOPER] Gardener container images now can be built for multiple platforms locally via the variable TARGET_PLATFORMS, e.g. make docker-images TARGET_PLATFORMS=linux/amd64,linux/arm64. If the variable is unset, the container images are built for the platform linux/<host-arch> only. by @vpnachev [#13324]

🐛 Bug Fixes

[OPERATOR] UnauthenticatedHTTP2DOSMitigation feature gate is now always disabled for kube-apiservers where IstioTLSTermination (aka L7 load-balancing) is activated. This prevents unwanted side-effects when unauthenticated requests are sent. HTTP/2 "Rapid Reset" DoS Vulnerability is mitigated by Envoy in this case. by @oliver-goetz [#13405]
[DEVELOPER] Fix make kind-up command to work correctly with Docker>=v29.0.0. by @oliver-goetz [#13410]
[OPERATOR] Gardenlet's backupbucket and backupentry controllers are now unsetting all unknown labels and annotations on the extension secrets in the seed cluster, this fixes a bug that occurs after migration from WorkloadIdentity to Secret credentials the workload identity annotations and labels were kept in the secrets causing other controllers to keep trying to use the WorkloadIdentity credentials. by @vpnachev [#13282]
[OPERATOR] Gardener no longer deploys the node-exporter ServiceMonitor in the kube-system namespace on unmanaged Seeds. by @rickardsjp [#13382]
[USER] The feature for supporting custom server blocks in node-local-dns is now reverted. by @Kostov6 [#13344]
[USER] An issue with the configuration for the OpenTelemetryCollector on the nodes that leads to missing kernel logs in Vali is now fixed. by @rrhubenov [#13328]
[OPERATOR] The Istio Gateway dashboard now correctly displays the total resource usage across pod restarts. by @rickardsjp [#13402]
[DEVELOPER] Backupentry generic actuator is fixed to clean all unknown annotations and labels from the etcd-backup secret, this change fixes issues when the credentials are switched between static secret and workload identity. by @vpnachev [#13282]

🏃 Others

[OPERATOR] gardener-resource-manager now uses kubernetes.io/metadata.name label instead of gardener.cloud/purpose in its webhook namespace selectors. The kubernetes.io/metadata.name is added to all namespaces automatically by Kubernetes. by @shafeeqes [#13398]
[DEPENDENCY] Updated dependency containerd to v2.1.4 (release notes). by @gardener-ci-robot [#13311]
[OPERATOR] Removed obsolete validation for shootDefaults network disjointedness with SeedNetworks. by @domdom82 [#13349]
[OPERATOR] The gardener-operator now does not wait for verticalpodautoscalercheckpoints.autoscaling.k8s.io to be present when the Gardens .spec.runtimeCluster.settings.verticalPodAutoscaler.enabled is false. This allows externally managed VPAs, that do not use the vpa checkpoint api, to be used with the gardener-operator. by @tobschli [#13314]
[OPERATOR] When IstioTLSTermination is active memory of istio-ingressgateways is now scaled by VPA instead of HPA. VPA uses updateMode: Initial that it does not evict pods but only sets reasonable memory requests when new pods are created. by @oliver-goetz [#13370]
[USER] The Shoot .spec.kubernetes.kubeAPIServer.serviceAccountConfig.{issuer,acceptedIssuers} fields are now validated against the OpenID Discovery 1.0 specification. by @acumino [#13325]
[OPERATOR] Logging stack has been upgraded to fluent-bit v4.1.1 and logging plugin v0.68.0. by @nickytd [#13358]
[DEPENDENCY] The following dependencies have been updated:
- quay.io/kiwigrid/k8s-sidecar from 2.1.1 to 2.1.2. by @gardener-ci-robot [#13384]
[OPERATOR] fluent-bit now supports IPv6 as well. by @damyan [#12003]
[OPERATOR] Readiness probe was added to vpn-shoot tunnel-controller to improve VPN availability during shoot reconciliation. by @domdom82 [#13366]
[OPERATOR] gardener-admission-controller VerticalPodAutoscaler name is changed from gardener-admission-controller to gardener-admission-controller-vpa to fix an issue with duplicate VPA resources for the gardener-admission-controller Deployment. The VPA resource name with the deprecated controlplane chart was gardener-controller-manager-vpa. Previously, switching to the gardener-operator created a VPA with name gardener-controller-manager that targets the same Deployment. by @ialidzhikov [#13430]
[DEPENDENCY] The following dependencies have been updated:
- quay.io/prometheus/alertmanager from v0.28.1 to v0.29.0. by @gardener-ci-robot [#13350]
[DEPENDENCY] The following dependencies have been updated:
- registry.k8s.io/ingress-nginx/controller-chroot from v1.13.3 to v1.13.4. by @gardener-ci-robot [#13318]
[DEPENDENCY] The following dependencies have been updated:
- gardener/vpn2 from 0.43.0 to 0.44.0. Release Notes by @gardener-ci-robot [#13339]
[OPERATOR] The following dependencies are updated:
- k8s.io/*: v0.33.5 -> v0.34.1
- sigs.k8s.io/controller-runtime: v0.21.0 -> v0.22.3
- sigs.k8s.io/controller-tools: v0.18.0 -> v0.19.0 by @ScheererJ [#13238]
[OPERATOR] Defaulting of the Shoot Kubernetes versions (.spec.kubernetes.version and .spec.provider.workers[].kubernetes.version) is moved from the ShootValidator to the ShootMutator admission plugin. by @ialidzhikov [#13252]
[OPERATOR] Add system load average (1min avg) panel to the Node Details dashboard by @IndritFejza [#13280]
[DEPENDENCY] The following dependencies have been updated:
- quay.io/prometheus/node-exporter from v1.9.1 to v1.10.2. by @gardener-ci-robot [#13266]
[DEPENDENCY] The following dependencies have been updated:
- gardener/gardener-metrics-exporter from 0.40.0 to 0.41.0. Release Notes by @gardener-ci-robot [#13291]
[DEPENDENCY] The following dependencies have been updated:
- fluent/fluent-operator from v3.3.0 to v3.5.0 (Release Notes). by @gardener-ci-robot [#13292]
[USER] It is possible now to create IPv6 workerless shoots without specifying a service range. by @axel7born [#13224]
[DEPENDENCY] The following dependencies have been updated:
- quay.io/kiwigrid/k8s-sidecar from 1.30.9 to 2.0.3. by @gardener-ci-robot [#13288]
[OPERATOR] Shoot api now supports configuring additional CA Flags for node group backoff namely initialNodeGroupBackoffDuration, maxNodeGroupBackoffDuration and nodeGroupBackoffResetTimeout. by @ashwani2k [#13403]
[OPERATOR] Defaulting of the Shoot networks is moved from the ShootValidator to the ShootMutator admission plugin. by @ialidzhikov [#13207]
[OPERATOR] Support custom server blocks in node-local-dns. by @DockToFuture [#13375]
[DEPENDENCY] The following dependencies have been updated:
- quay.io/kiwigrid/k8s-sidecar from 2.0.3 to 2.1.1. by @gardener-ci-robot [#13374]
[OPERATOR] maxEmptyBulkDelete is explicitly set to nil, since it can no longer be set for Kubernetes versions >= v1.33. by @RadaBDimitrova [#13054]
[OPERATOR] Migration from dual-stack [IPv4, IPv6] to [IPv4] networking is now allowed. by @axel7born [#12967]
[DEPENDENCY] The following dependencies have been updated:
- registry.k8s.io/ingress-nginx/controller-chroot from v1.13.4 to v1.14.0. by @gardener-ci-robot [#13319]
[OPERATOR] Increase client-side rate limits for kube-controller-manager to --kube-api-qps=100 and --kube-api-burst=200 by @voelzmo [#13251]
[OPERATOR] Additional input validations for the SecurityBinding and CredentialsBinding resources are now implemented. by @georgibaltiev [#13258]
[OPERATOR] NamespacedCloudprofiles are now compatible with parent CloudProfiles that use MachineCapabilities. Read more about capabilities in GEP-33. by @Roncossek [#13138]

📖 Documentation

[OPERATOR] Add disaster recovery guide for the garden cluster by @hendrikKahl [#13239]

Helm Charts

controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.132.0
gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.132.0
operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.132.0
resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.132.0

Container (OCI) Images

admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.132.0
apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.132.0
controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.132.0
gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.132.0
gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.132.0
node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.132.0
operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.132.0
resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.132.0
scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.132.0

Update gardenlet to 1.132.0

[github.com/gardener/gardener:v1.132.0]

⚠️ Breaking Changes

[DEPENDENCY] The .gardener.autonomousShootCluster is no longer part of the Helm values when extension charts are rendered. The field has been renamed to gardener.selfHostedShootCluster. In addition, the previous flag --autonomous-shoot-cluster has been renamed to --self-hosted-shoot-cluster. Extension developers should adapt their Helm charts. by @rfranzke [#13273]
[DEVELOPER] "Autonomous Shoot Clusters" have been renamed to "Self-Hosted Shoot Clusters". The "medium-touch" scenario has been renamed to "managed infrastructure" scenario. The "high-touch" scenario has been renamed to "unmanaged infrastructure" scenario. by @rfranzke [#13273]

📰 Noteworthy

[DEVELOPER] A new document has been added describing the development tasks for removing support for a Kubernetes version. See Removing Support For a Kubernetes Version. by @RadaBDimitrova [#12859]

✨ New Features

[OPERATOR] It is now possible to restrict the total count of objects for non-namespaced resources. You can set it through the admission controller configuration's server.resourceAdmissionConfiguration.limits[].count field. by @tobschli [#12916]
[OPERATOR] Gardener can now support clusters with Kubernetes version 1.34. To allow creation/update of 1.34 clusters you will have to update the version of your provider extension(s) to a version that supports 1.34 as well. Please consult the respective releases and notes in the provider extension's repository. by @tobschli [#12883]
[USER] gardener-node-agent now labels worker nodes in shoot clusters with the node-role.kubernetes.io/worker="" label. by @rfranzke [#13387]
[USER] Individual worker pools can now be scheduled for manual rollout using a new annotation on the shoot: gardener.cloud/operation=rollout-workers=<pool1>,<pool2>,...,<poolN>. by @rrhubenov [#12829]
[OPERATOR] Operators can set Seed.spec.settings.loadBalancerServices.class (docs) and/or GardenletConfiguration.exposureClassHandlers[].loadBalancerService.class (docs) to specify a non-default loadBalancerClass for the corresponding istio-ingressgateway services on seeds. by @timebertt [#13305]
[DEVELOPER] Gardener can now support clusters with Kubernetes version 1.34. Extension developers have to prepare individual extensions as well to work with 1.34. by @tobschli [#12883]
[DEVELOPER] Gardener container images now can be built for multiple platforms locally via the variable TARGET_PLATFORMS, e.g. make docker-images TARGET_PLATFORMS=linux/amd64,linux/arm64. If the variable is unset, the container images are built for the platform linux/<host-arch> only. by @vpnachev [#13324]

🐛 Bug Fixes

[OPERATOR] UnauthenticatedHTTP2DOSMitigation feature gate is now always disabled for kube-apiservers where IstioTLSTermination (aka L7 load-balancing) is activated. This prevents unwanted side-effects when unauthenticated requests are sent. HTTP/2 "Rapid Reset" DoS Vulnerability is mitigated by Envoy in this case. by @oliver-goetz [#13405]
[DEVELOPER] Fix make kind-up command to work correctly with Docker>=v29.0.0. by @oliver-goetz [#13410]
[OPERATOR] Gardenlet's backupbucket and backupentry controllers are now unsetting all unknown labels and annotations on the extension secrets in the seed cluster, this fixes a bug that occurs after migration from WorkloadIdentity to Secret credentials the workload identity annotations and labels were kept in the secrets causing other controllers to keep trying to use the WorkloadIdentity credentials. by @vpnachev [#13282]
[OPERATOR] Gardener no longer deploys the node-exporter ServiceMonitor in the kube-system namespace on unmanaged Seeds. by @rickardsjp [#13382]
[USER] The feature for supporting custom server blocks in node-local-dns is now reverted. by @Kostov6 [#13344]
[USER] An issue with the configuration for the OpenTelemetryCollector on the nodes that leads to missing kernel logs in Vali is now fixed. by @rrhubenov [#13328]
[OPERATOR] The Istio Gateway dashboard now correctly displays the total resource usage across pod restarts. by @rickardsjp [#13402]
[DEVELOPER] Backupentry generic actuator is fixed to clean all unknown annotations and labels from the etcd-backup secret, this change fixes issues when the credentials are switched between static secret and workload identity. by @vpnachev [#13282]

🏃 Others

[OPERATOR] gardener-resource-manager now uses kubernetes.io/metadata.name label instead of gardener.cloud/purpose in its webhook namespace selectors. The kubernetes.io/metadata.name is added to all namespaces automatically by Kubernetes. by @shafeeqes [#13398]
[DEPENDENCY] Updated dependency containerd to v2.1.4 (release notes). by @gardener-ci-robot [#13311]
[OPERATOR] Removed obsolete validation for shootDefaults network disjointedness with SeedNetworks. by @domdom82 [#13349]
[OPERATOR] The gardener-operator now does not wait for verticalpodautoscalercheckpoints.autoscaling.k8s.io to be present when the Gardens .spec.runtimeCluster.settings.verticalPodAutoscaler.enabled is false. This allows externally managed VPAs, that do not use the vpa checkpoint api, to be used with the gardener-operator. by @tobschli [#13314]
[OPERATOR] When IstioTLSTermination is active memory of istio-ingressgateways is now scaled by VPA instead of HPA. VPA uses updateMode: Initial that it does not evict pods but only sets reasonable memory requests when new pods are created. by @oliver-goetz [#13370]
[USER] The Shoot .spec.kubernetes.kubeAPIServer.serviceAccountConfig.{issuer,acceptedIssuers} fields are now validated against the OpenID Discovery 1.0 specification. by @acumino [#13325]
[OPERATOR] Logging stack has been upgraded to fluent-bit v4.1.1 and logging plugin v0.68.0. by @nickytd [#13358]
[DEPENDENCY] The following dependencies have been updated:
- quay.io/kiwigrid/k8s-sidecar from 2.1.1 to 2.1.2. by @gardener-ci-robot [#13384]
[OPERATOR] fluent-bit now supports IPv6 as well. by @damyan [#12003]
[OPERATOR] Readiness probe was added to vpn-shoot tunnel-controller to improve VPN availability during shoot reconciliation. by @domdom82 [#13366]
[OPERATOR] gardener-admission-controller VerticalPodAutoscaler name is changed from gardener-admission-controller to gardener-admission-controller-vpa to fix an issue with duplicate VPA resources for the gardener-admission-controller Deployment. The VPA resource name with the deprecated controlplane chart was gardener-controller-manager-vpa. Previously, switching to the gardener-operator created a VPA with name gardener-controller-manager that targets the same Deployment. by @ialidzhikov [#13430]
[DEPENDENCY] The following dependencies have been updated:
- quay.io/prometheus/alertmanager from v0.28.1 to v0.29.0. by @gardener-ci-robot [#13350]
[DEPENDENCY] The following dependencies have been updated:
- registry.k8s.io/ingress-nginx/controller-chroot from v1.13.3 to v1.13.4. by @gardener-ci-robot [#13318]
[DEPENDENCY] The following dependencies have been updated:
- gardener/vpn2 from 0.43.0 to 0.44.0. Release Notes by @gardener-ci-robot [#13339]
[OPERATOR] The following dependencies are updated:
- k8s.io/*: v0.33.5 -> v0.34.1
- sigs.k8s.io/controller-runtime: v0.21.0 -> v0.22.3
- sigs.k8s.io/controller-tools: v0.18.0 -> v0.19.0 by @ScheererJ [#13238]
[OPERATOR] Defaulting of the Shoot Kubernetes versions (.spec.kubernetes.version and .spec.provider.workers[].kubernetes.version) is moved from the ShootValidator to the ShootMutator admission plugin. by @ialidzhikov [#13252]
[OPERATOR] Add system load average (1min avg) panel to the Node Details dashboard by @IndritFejza [#13280]
[DEPENDENCY] The following dependencies have been updated:
- quay.io/prometheus/node-exporter from v1.9.1 to v1.10.2. by @gardener-ci-robot [#13266]
[DEPENDENCY] The following dependencies have been updated:
- gardener/gardener-metrics-exporter from 0.40.0 to 0.41.0. Release Notes by @gardener-ci-robot [#13291]
[DEPENDENCY] The following dependencies have been updated:
- fluent/fluent-operator from v3.3.0 to v3.5.0 (Release Notes). by @gardener-ci-robot [#13292]
[USER] It is possible now to create IPv6 workerless shoots without specifying a service range. by @axel7born [#13224]
[DEPENDENCY] The following dependencies have been updated:
- quay.io/kiwigrid/k8s-sidecar from 1.30.9 to 2.0.3. by @gardener-ci-robot [#13288]
[OPERATOR] Shoot api now supports configuring additional CA Flags for node group backoff namely initialNodeGroupBackoffDuration, maxNodeGroupBackoffDuration and nodeGroupBackoffResetTimeout. by @ashwani2k [#13403]
[OPERATOR] Defaulting of the Shoot networks is moved from the ShootValidator to the ShootMutator admission plugin. by @ialidzhikov [#13207]
[OPERATOR] Support custom server blocks in node-local-dns. by @DockToFuture [#13375]
[DEPENDENCY] The following dependencies have been updated:
- quay.io/kiwigrid/k8s-sidecar from 2.0.3 to 2.1.1. by @gardener-ci-robot [#13374]
[OPERATOR] maxEmptyBulkDelete is explicitly set to nil, since it can no longer be set for Kubernetes versions >= v1.33. by @RadaBDimitrova [#13054]
[OPERATOR] Migration from dual-stack [IPv4, IPv6] to [IPv4] networking is now allowed. by @axel7born [#12967]
[DEPENDENCY] The following dependencies have been updated:
- registry.k8s.io/ingress-nginx/controller-chroot from v1.13.4 to v1.14.0. by @gardener-ci-robot [#13319]
[OPERATOR] Increase client-side rate limits for kube-controller-manager to --kube-api-qps=100 and --kube-api-burst=200 by @voelzmo [#13251]
[OPERATOR] Additional input validations for the SecurityBinding and CredentialsBinding resources are now implemented. by @georgibaltiev [#13258]
[OPERATOR] NamespacedCloudprofiles are now compatible with parent CloudProfiles that use MachineCapabilities. Read more about capabilities in GEP-33. by @Roncossek [#13138]

📖 Documentation

[OPERATOR] Add disaster recovery guide for the garden cluster by @hendrikKahl [#13239]

Helm Charts

controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.132.0
gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.132.0
operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.132.0
resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.132.0

Container (OCI) Images

admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.132.0
apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.132.0
controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.132.0
gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.132.0
gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.132.0
node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.132.0
operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.132.0
resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.132.0
scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.132.0

Update gardener-metrics-exporter to 0.42.0

Container (OCI) Images

metrics-exporter: europe-docker.pkg.dev/gardener-project/releases/gardener/metrics-exporter:0.42.0

Update gardener-metrics-exporter to 0.42.0

Container (OCI) Images

metrics-exporter: europe-docker.pkg.dev/gardener-project/releases/gardener/metrics-exporter:0.42.0

Update networking-calico to 1.53.0

[github.com/gardener/gardener-extension-networking-calico:v1.53.0]

🏃 Others

[OPERATOR] Reduced size of the cni-plugins container image significantly. by @ScheererJ [#744]
[OPERATOR] calico-node should not longer bind to the kube-proxy healthz port if used in ebpf mode and kube-proxy is enabled. by @ScheererJ [#732]
[OPERATOR] Calico clusters will now report MTU issues to the kernel log using a PACKET-TOO-BIG prefix. by @domdom82 [#741]
[OPERATOR] Add missing securityContext controls in order to comply with the restricted Pod Security Standards policy. by @mstueer [#715]

Helm Charts

admission-calico-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-calico-application:v1.53.0
admission-calico-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-calico-runtime:v1.53.0
networking-calico: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/networking-calico:v1.53.0

Container (OCI) Images

cni-plugins: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/cni-plugins:v1.53.0
gardener-extension-admission-calico: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-calico:v1.53.0
gardener-extension-networking-calico: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/networking-calico:v1.53.0

Update os-coreos to 1.27.0

[github.com/gardener/gardener-extension-os-coreos:v1.27.0]

🏃 Others

[OPERATOR] Migrate the extension VPAs from the deprecated update mode Auto to its only fallback strategy - update mode Recreate. by @vitanovs [#232]

Helm Charts

os-coreos: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/os-coreos:v1.27.0

Container (OCI) Images

gardener-extension-os-coreos: europe-docker.pkg.dev/gardener-project/releases/extensions/os-coreos:v1.27.0

Update runtime-gvisor to 0.26.0

[github.com/gardener/gardener-extension-runtime-gvisor:v0.26.0]

🏃 Others

[OPERATOR] Updated gVisor binaries to 20251013.0. by @gardener-github-actions[bot] [#303]
[OPERATOR] Updated gVisor binaries to 20251020.0. by @gardener-github-actions[bot] [#305]
[OPERATOR] Updated gVisor binaries to 20251103.0. by @gardener-github-actions[bot] [#313]

Helm Charts

runtime-gvisor: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/runtime-gvisor:v0.26.0

Container (OCI) Images

gardener-extension-runtime-gvisor-installation: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/runtime-gvisor-installation:v0.26.0
gardener-extension-runtime-gvisor: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/runtime-gvisor:v0.26.0

Update shoot-dns-service to 1.73.0

[github.com/gardener/external-dns-management:v0.32.0]

🏃 Others

[OPERATOR] Fix potential nil pointer panic in the DNS replication controller if .spec.domains.include is set in the source DNSProvider. by @aaronfern [#705]

Helm Charts

shoot-dns-service-admission-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-dns-service-admission-application:v1.73.0
shoot-dns-service-admission-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-dns-service-admission-runtime:v1.73.0
shoot-dns-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-dns-service:v1.73.0

Container (OCI) Images

gardener-extension-admission-shoot-dns-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-shoot-dns-service:v1.73.0
gardener-extension-shoot-dns-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-dns-service:v1.73.0

Update shoot-oidc-service to 0.34.0

[github.com/gardener/gardener-extension-shoot-oidc-service:v0.34.0]

🏃 Others

[OPERATOR] The extension is now built using go version 1.25.4. by @dependabot[bot] [#384]
[DEPENDENCY] The following third party dependencies have been updated:
- github.com/gardener/gardener v1.131.1 -> v1.131.2 by @dependabot[bot] [#386]

Helm Charts

shoot-oidc-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-oidc-service:v0.34.0

Container (OCI) Images

gardener-extension-shoot-oidc-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-oidc-service:v0.34.0

Update gardener-controlplane to 1.132.1

[github.com/gardener/gardener:v1.132.1]

🐛 Bug Fixes

[OPERATOR] A bug which made istio-ingressgateway forwarding requests via HTTP1.1 only to kube-apiserver when IstioTLSTermination feature gate is active has been fixed. Exhausted connection limits between istio-ingressgateway and kube-apiserver could be a consequence of this bug. by @oliver-goetz [#13467]

Helm Charts

controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.132.1
gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.132.1
operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.132.1
resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.132.1

Container (OCI) Images

admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.132.1
apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.132.1
controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.132.1
gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.132.1
gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.132.1
node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.132.1
operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.132.1
resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.132.1
scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.132.1

Update gardener-controlplane to 1.132.1

[github.com/gardener/gardener:v1.132.1]

🐛 Bug Fixes

[OPERATOR] A bug which made istio-ingressgateway forwarding requests via HTTP1.1 only to kube-apiserver when IstioTLSTermination feature gate is active has been fixed. Exhausted connection limits between istio-ingressgateway and kube-apiserver could be a consequence of this bug. by @oliver-goetz [#13467]

Helm Charts

controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.132.1
gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.132.1
operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.132.1
resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.132.1

Container (OCI) Images

admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.132.1
apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.132.1
controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.132.1
gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.132.1
gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.132.1
node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.132.1
operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.132.1
resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.132.1
scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.132.1

Update gardenlet to 1.132.1

[github.com/gardener/gardener:v1.132.1]

🐛 Bug Fixes

[OPERATOR] A bug which made istio-ingressgateway forwarding requests via HTTP1.1 only to kube-apiserver when IstioTLSTermination feature gate is active has been fixed. Exhausted connection limits between istio-ingressgateway and kube-apiserver could be a consequence of this bug. by @oliver-goetz [#13467]

Helm Charts

controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.132.1
gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.132.1
operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.132.1
resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.132.1

Container (OCI) Images

admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.132.1
apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.132.1
controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.132.1
gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.132.1
gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.132.1
node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.132.1
operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.132.1
resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.132.1
scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.132.1

Update shoot-dns-service to 1.73.2

[github.com/gardener/gardener-extension-shoot-dns-service:v1.73.2]

🐛 Bug Fixes

[USER] Replicated providers should not be deleted during extension reconciliation. by @MartinWeindel [#610]

Helm Charts

shoot-dns-service-admission-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-dns-service-admission-application:v1.73.2
shoot-dns-service-admission-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-dns-service-admission-runtime:v1.73.2
shoot-dns-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-dns-service:v1.73.2

Container (OCI) Images

gardener-extension-admission-shoot-dns-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-shoot-dns-service:v1.73.2
gardener-extension-shoot-dns-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-dns-service:v1.73.2

Update provider-aws to 1.66.0

[github.com/gardener/gardener-extension-provider-aws:v1.66.0]

✨ New Features

[OPERATOR] providerConfig.nodeTemplate.virtualCapacity mapped to MachineClass NodeTemplate without triggering rollout by @elankath [#1545]
[USER] Shoot worker nodes can now take advantage of AWS Capacity Reservations by @AndreasBurger [#1513]
[OPERATOR] Adding VPC filter when finding resources by tags by @hebelsan [#1558]

🐛 Bug Fixes

[OPERATOR] Always use the same node subnet in case of duplicated zones by @hebelsan [#1552]

🏃 Others

[OPERATOR] Updated aws-sdk aws/smithy-go gardener/etcd-druid gardener/gardener-external-dns-management gardener/gardener gardener/machine-controller-manager ginkgo k8s.io/utils by @wpross [#1554]
[DEPENDENCY] The following container images have been updated:
- csi-driver: v1.47.1 -> v1.52.1 (singleton)
- csi-driver-efs: v2.1.13 -> v2.1.14 (singleton)
- csi-provisioner: v5.3.0 -> v6.0.0 (singleton)
- csi-resizer: v1.14.0 -> v2.0.0 (singleton)
- csi-snapshot-controller: v8.3.0 -> v8.4.0 (singleton)
- csi-snapshotter: v8.3.0 -> v8.4.0 (singleton) by @gardener-github-actions[bot] [#1523]
[OPERATOR] Fix an issue with gateway endpoint validation not accepting valid DNS subdomains. by @kon-angelo [#1536]
[OPERATOR] Update image tag of europe-docker.pkg.dev/gardener-project/releases/gardener/aws-ipam-controller to v0.8.0. by @DockToFuture [#1559]
[OPERATOR] Updated aws-sdk gardener/gardener by @wpross [#1569]
[OPERATOR] Revert to v1.47.1 due to a regression in the calculation of allocatable volumes by @kon-angelo [#1548]
[OPERATOR] Ensure NATGateway contains a public IP in the creation step by @hebelsan [#1572]
[OPERATOR] Update EBS CSI to v1.50.2 by @kon-angelo [#1544]
[OPERATOR] Fix a bug where security group port with value 0 leads to a reconcile error by @hebelsan [#1551]

Helm Charts

admission-aws-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-aws-application:v1.66.0
admission-aws-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-aws-runtime:v1.66.0
provider-aws: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/provider-aws:v1.66.0

Container (OCI) Images

gardener-extension-admission-aws: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-aws:v1.66.0
gardener-extension-provider-aws: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-aws:v1.66.0

Update provider-openstack to 1.51.0

[github.com/gardener/gardener-extension-provider-openstack:v1.51.0]

⚠️ Breaking Changes

[OPERATOR] Deprecate usage of terraformer reconciler. Existing infrastructure objects that have yet to be migrated, will be reconciled with the flow reconciler instead. by @kon-angelo [#1166]
[OPERATOR] Remove use-octavia field uses from the cloudprofile and CCM charts. Operators must update their cloudprofiles if they still use the field. by @kon-angelo [#1179]

🏃 Others

[OPERATOR] Updated gardener/etcd-druid gardener/gardener gardener/machine-controller-manager ginkgo go tools k8s.io/utils by @wpross [#1198]
[DEPENDENCY] The following container images have been updated:
- csi-driver-cinder: v1.33.1 -> v1.34.1 (minor)
- csi-driver-manila: v1.33.1 -> v1.34.1 (minor)
- csi-driver-nfs: v4.12.0 -> v4.12.1 (singleton)
- csi-provisioner: v5.3.0 -> v6.0.0 (singleton)
- csi-resizer: v1.14.0 -> v2.0.0 (singleton)
- csi-snapshot-controller: v8.3.0 -> v8.4.0 (singleton)
- csi-snapshotter: v8.3.0 -> v8.4.0 (singleton) by @gardener-github-actions[bot] [#1183]
[OPERATOR] Update min go version in go.mod to 1.25 by @hebelsan [#1203]
[OPERATOR] Fix an issue preventing OpenStack installations without manila endpoints. Flow reconciler will now do lazy instantiation of the manila client. by @kon-angelo [#1181]

Helm Charts

admission-openstack-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-openstack-application:v1.51.0
admission-openstack-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-openstack-runtime:v1.51.0
provider-openstack: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/provider-openstack:v1.51.0

Container (OCI) Images

gardener-extension-admission-openstack: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-openstack:v1.51.0
gardener-extension-provider-openstack: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-openstack:v1.51.0

Yake release notes and upgrade guide​

Related upstream release notes / changelogs​

[github.com/gardener/gardener-extension-provider-azure:v1.56.1]

🐛 Bug Fixes​

Helm Charts​

Container (OCI) Images​

[github.com/gardener/gardener:v1.131.2]

🐛 Bug Fixes​

Helm Charts​

Container (OCI) Images​

[github.com/gardener/gardener:v1.131.2]

🐛 Bug Fixes​

Helm Charts​

Container (OCI) Images​

[github.com/gardener/gardener:v1.131.2]

🐛 Bug Fixes​

Helm Charts​

Container (OCI) Images​

[github.com/gardener/gardener-extension-image-rewriter:v0.6.0]

✨ New Features​

🏃 Others​

Helm Charts​

Container (OCI) Images​

[github.com/gardener/gardener-extension-registry-cache:v0.18.0]

⚠️ Breaking Changes​

✨ New Features​

🐛 Bug Fixes​

🏃 Others​

Helm Charts​

Container (OCI) Images​

Helm Charts​

Container (OCI) Images​

[github.com/gardener/gardener-extension-provider-alicloud:v1.66.1]

🏃 Others​

Helm Charts​

Container (OCI) Images​

[github.com/gardener/gardener-extension-provider-aws:v1.65.4]

🐛 Bug Fixes​

Helm Charts​

Container (OCI) Images​

[github.com/gardener/gardener-extension-provider-azure:v1.56.2]

🐛 Bug Fixes​

Helm Charts​

Container (OCI) Images​

[github.com/gardener/gardener:v1.132.0]

⚠️ Breaking Changes​

📰 Noteworthy​

✨ New Features​

🐛 Bug Fixes​

🏃 Others​

📖 Documentation​

Helm Charts​

Container (OCI) Images​

[github.com/gardener/gardener:v1.132.0]

⚠️ Breaking Changes​

📰 Noteworthy​

✨ New Features​

🐛 Bug Fixes​

🏃 Others​

📖 Documentation​

Helm Charts​

Container (OCI) Images​

[github.com/gardener/gardener:v1.132.0]

⚠️ Breaking Changes​

📰 Noteworthy​

✨ New Features​

🐛 Bug Fixes​

🏃 Others​

📖 Documentation​

Helm Charts​

Container (OCI) Images​

Container (OCI) Images​

Container (OCI) Images​

[github.com/gardener/gardener-extension-networking-calico:v1.53.0]

🏃 Others​

Helm Charts​

Container (OCI) Images​

[github.com/gardener/gardener-extension-os-coreos:v1.27.0]

🏃 Others​

Helm Charts​

Yake release notes and upgrade guide

Related upstream release notes / changelogs

🐛 Bug Fixes

Helm Charts

Container (OCI) Images

🐛 Bug Fixes

Helm Charts

Container (OCI) Images

🐛 Bug Fixes

Helm Charts

Container (OCI) Images

🐛 Bug Fixes

Helm Charts

Container (OCI) Images

✨ New Features

🏃 Others

Helm Charts

Container (OCI) Images

⚠️ Breaking Changes

✨ New Features

🐛 Bug Fixes

🏃 Others

Helm Charts

Container (OCI) Images

Helm Charts

Container (OCI) Images

🏃 Others

Helm Charts

Container (OCI) Images

🐛 Bug Fixes

Helm Charts

Container (OCI) Images

🐛 Bug Fixes

Helm Charts

Container (OCI) Images

⚠️ Breaking Changes

📰 Noteworthy

✨ New Features

🐛 Bug Fixes

🏃 Others

📖 Documentation

Helm Charts

Container (OCI) Images

⚠️ Breaking Changes

📰 Noteworthy

✨ New Features

🐛 Bug Fixes

🏃 Others

📖 Documentation

Helm Charts

Container (OCI) Images

⚠️ Breaking Changes

📰 Noteworthy

✨ New Features

🐛 Bug Fixes

🏃 Others

📖 Documentation

Helm Charts

Container (OCI) Images

Container (OCI) Images

Container (OCI) Images

🏃 Others

Helm Charts

Container (OCI) Images

🏃 Others

Helm Charts

Container (OCI) Images

🏃 Others

Helm Charts

Container (OCI) Images

🏃 Others

Helm Charts

Container (OCI) Images

🏃 Others

Helm Charts

Container (OCI) Images

🐛 Bug Fixes

Helm Charts

Container (OCI) Images

🐛 Bug Fixes