Release Notes v1.133

Yake release notes and upgrade guide

Update networking-cilium to 1.45.1

[github.com/gardener/gardener-extension-networking-cilium:v1.45.1]

🏃 Others

  • [OPERATOR] Increased backoff limit of hubble-generate-certs job. by @axel7born [#660]

Helm Charts

  • admission-cilium-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-cilium-application:v1.45.1
  • admission-cilium-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-cilium-runtime:v1.45.1
  • networking-cilium: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/networking-cilium:v1.45.1

Container (OCI) Images

  • gardener-extension-admission-cilium: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-cilium:v1.45.1
  • gardener-extension-networking-cilium: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/networking-cilium:v1.45.1

Update networking-calico to 1.53.1

[github.com/gardener/gardener-extension-networking-calico:v1.53.1]

🏃 Others

  • [OPERATOR] fix indentation for Helm chart securityContext by @domdom82 [#750]

Helm Charts

  • admission-calico-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-calico-application:v1.53.1
  • admission-calico-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-calico-runtime:v1.53.1
  • networking-calico: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/networking-calico:v1.53.1

Container (OCI) Images

  • cni-plugins: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/cni-plugins:v1.53.1
  • gardener-extension-admission-calico: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-calico:v1.53.1
  • gardener-extension-networking-calico: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/networking-calico:v1.53.1

Update external-dns-management to 0.33.0

[github.com/gardener/external-dns-management:v0.33.0]

🏃 Others

  • [OPERATOR] Entry should go to state Stale, if its provider is deleted or not responsible after changes by @MartinWeindel [#718]
  • [OPERATOR] Fix recreation of fully ignored entry with different name. by @MartinWeindel [#711]

Helm Charts

  • dns-controller-manager: europe-docker.pkg.dev/gardener-project/releases/charts/dns-controller-manager:v0.33.0

Container (OCI) Images

  • dns-controller-manager-next-generation: europe-docker.pkg.dev/gardener-project/releases/dns-controller-manager-next-generation:v0.33.0
  • dns-controller-manager: europe-docker.pkg.dev/gardener-project/releases/dns-controller-manager:v0.33.0

Update runtime-gvisor to 0.27.0

[github.com/gardener/gardener-extension-runtime-gvisor:v0.27.0]

🏃 Others

  • [OPERATOR] The wrong handling of the config value for panic-signal was fixed by adding enclosing quotes. by @MrBatschner [#320]
  • [OPERATOR] Updated gVisor binaries to 20251110.0. by @gardener-github-actions[bot] [#318]

Helm Charts

  • runtime-gvisor: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/runtime-gvisor:v0.27.0

Container (OCI) Images

  • gardener-extension-runtime-gvisor-installation: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/runtime-gvisor-installation:v0.27.0
  • gardener-extension-runtime-gvisor: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/runtime-gvisor:v0.27.0

Update shoot-dns-service to 1.75.0

[github.com/gardener/external-dns-management:v0.33.0]

🏃 Others

  • [OPERATOR] Entry should go to state Stale, if its provider is deleted or not responsible after changes by @MartinWeindel [#718]
  • [OPERATOR] Fix recreation of fully ignored entry with different name. by @MartinWeindel [#711]

Helm Charts

  • shoot-dns-service-admission-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-dns-service-admission-application:v1.75.0
  • shoot-dns-service-admission-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-dns-service-admission-runtime:v1.75.0
  • shoot-dns-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-dns-service:v1.75.0

Container (OCI) Images

  • gardener-extension-admission-shoot-dns-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-shoot-dns-service:v1.75.0
  • gardener-extension-shoot-dns-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-dns-service:v1.75.0

Update networking-cilium to 1.45.2

[github.com/gardener/gardener-extension-networking-cilium:v1.45.2]

🏃 Others

  • [OPERATOR] Update node-local-dns mutate function to init sidecar approach. by @DockToFuture [#662]

Helm Charts

  • admission-cilium-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-cilium-application:v1.45.2
  • admission-cilium-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-cilium-runtime:v1.45.2
  • networking-cilium: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/networking-cilium:v1.45.2

Container (OCI) Images

  • gardener-extension-admission-cilium: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-cilium:v1.45.2
  • gardener-extension-networking-cilium: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/networking-cilium:v1.45.2

Update registry-cache to 0.19.0

[github.com/gardener/gardener-extension-registry-cache:v0.19.0]

🏃 Others

  • [OPERATOR] Migrate the extension VPAs from the deprecated update mode Auto to its only fallback strategy - update mode Recreate. by @vitanovs [#467]

Helm Charts

  • admission-registry-cache-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-registry-cache-application:v0.19.0
  • admission-registry-cache-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-registry-cache-runtime:v0.19.0
  • registry-cache: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/registry-cache:v0.19.0

Container (OCI) Images

  • gardener-extension-registry-cache-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/registry-cache-admission:v0.19.0
  • gardener-extension-registry-cache: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/registry-cache:v0.19.0

Update gardener-controlplane to 1.132.2

[github.com/gardener/gardener:v1.132.2]

🐛 Bug Fixes

  • [OPERATOR] The server block import feature for node-local-dns is now behind a feature gate (CustomDNSServerInNodeLocalDNS). by @ialidzhikov [#13523]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.132.2
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.132.2
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.132.2
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.132.2

Container (OCI) Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.132.2
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.132.2
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.132.2
  • gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.132.2
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.132.2
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.132.2
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.132.2
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.132.2
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.132.2

Update gardenlet to 1.132.2

[github.com/gardener/gardener:v1.132.2]

🐛 Bug Fixes

  • [OPERATOR] The server block import feature for node-local-dns is now behind a feature gate (CustomDNSServerInNodeLocalDNS). by @ialidzhikov [#13523]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.132.2
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.132.2
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.132.2
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.132.2

Container (OCI) Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.132.2
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.132.2
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.132.2
  • gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.132.2
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.132.2
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.132.2
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.132.2
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.132.2
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.132.2

Update provider-aws to 1.66.1

[github.com/gardener/gardener-extension-provider-aws:v1.66.1]

🏃 Others

  • [OPERATOR] Update aws-custom-route-controller to v0.14.0 by @wpross [#1588]

Helm Charts

  • admission-aws-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-aws-application:v1.66.1
  • admission-aws-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-aws-runtime:v1.66.1
  • provider-aws: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/provider-aws:v1.66.1

Container (OCI) Images

  • gardener-extension-admission-aws: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-aws:v1.66.1
  • gardener-extension-provider-aws: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-aws:v1.66.1

Update gardener-controlplane to 1.133.0

[github.com/gardener/gardener:v1.133.0]

⚠️ Breaking Changes

  • [OPERATOR] ⚠️ Gardener no longer supports Garden, Seed, or Shoot clusters with Kubernetes versions <= 1.29. Make sure to upgrade all existing clusters before upgrading to this Gardener version. by @ScheererJ [#13487]
  • [USER] The Shoot .spec.provider.workers[].sysctls field is now validated for valid sysctl keys and non-empty values. by @MrBatschner [#13435]
  • [DEVELOPER] The github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring module is updated from v0.86.2 to v0.87.0. In the new version the type of the ServiceMonitor's .spec.endpoints[].scheme field is changed from string to *monitoringv1.Scheme. by @gardener-ci-robot [#13512]
  • [DEVELOPER] The types from the extension healthcheck package which perform health checks on Deployments, StatefulSets and DaemonSets have been renamed. The respective constructor functions now return the concrete types instead of an interface. The types still implement the interface that was returned before. We do not expect this change to affect existing code in the majority of cases. by @dimityrmirchev [#13329]

📰 Noteworthy

  • [OPERATOR] The ShootCredentialsBinding feature gate of gardenlet is promoted to GA and is unconditionally enabled. by @dimityrmirchev [#13530]
  • [OPERATOR] The .status.encryptedResources field for Shoot and Garden resources has been deprecated in favour of the new .status.credentials.encryptionAtRest.resources field. by @AleksandarSavchev [#12894]
  • [DEVELOPER] The ValidatingAdmissionPolicy admission plugin is now enabled by default for the Gardener API server. If you already have the admission plugin enabled, you can remove the explicit enablement after upgrading to this version of Gardener as the plugin is now enabled by default. by @ScheererJ [#13487]

✨ New Features

  • [OPERATOR] A new VPAInPlaceUpdates feature gate is introduced for gardenlet and gardener-operator. When enabled, the corresponding VerticalPodAutoscaler resources are mutated to perform in-place updates (i.e., mutated with .spec.updatePolicy.updateMode=InPlaceOrRecreate). For more information, see Enabling In-Place Updates of Pod Resources. by @vitanovs [#12940]
  • [OPERATOR] The gardener.cloud/operation annotation for the Garden resource has been extended to allow specifying multiple operations to be run in parallel. by @AleksandarSavchev [#12717]
  • [USER] The gardener.cloud/operation and maintenance.gardener.cloud/operation Shoot annotations have been extended to allow specifying multiple operations to be run in parallel. by @AleksandarSavchev [#12717]

🐛 Bug Fixes

  • [OPERATOR] A bug where the Shoot relevant ClusterRoleBindings responsible for the AdminKubeconfig and ViewerKubeconfig permissions were deployed into the virtual Garden cluster has been fixed. by @vpnachev [#13492]
  • [OPERATOR] Add --skip-metadata flag to ctr images pull in the node-agent init script for better container registry compatibility. by @Nuckal777 [#13265]
  • [OPERATOR] An issue where Plutono would not detect all fields when the OpenTelemetryCollector feature gate is enabled is now fixed. by @rrhubenov [#13531]
  • [OPERATOR] A bug which made istio-ingressgateway forward requests via HTTP1.1 only to kube-apiserver when the IstioTLSTermination feature gate is active has been fixed. Exhausted connection limits between istio-ingressgateway and kube-apiserver could be a consequence of this bug. by @oliver-goetz [#13459]
  • [OPERATOR] Gardener generally prefers the sshd.service unit when trying to enable/disable the SSH server on worker nodes and bastions. If the sshd.service unit doesn't exist, it falls back to ssh.service. by @timebertt [#13456]
  • [OPERATOR] The server block import feature for node-local-dns is now behind a feature gate (CustomDNSServerInNodeLocalDNS). by @DockToFuture [#13511]
  • [USER] An issue causing vpa-updater RBAC resources for in-place updates not to be deployed when the VPA InPlaceOrRecreate feature gate is not explicitly enabled is now fixed. The VPA InPlaceOrRecreate feature gate is enabled by default with the VPA 1.5.1 version which is used by Gardener. That's why the needed in-place updates RBAC resources are now deployed unconditionally. by @vitanovs [#13499]
  • [DEVELOPER] Fixed a bug causing types part of the extension healthcheck package to be injected with clients that they do not actually use. by @dimityrmirchev [#13329]

🏃 Others

  • [OPERATOR] Vali can now ingest logs through the standard ingress in the Shoot control plane even when the OpenTelemetryCollector feature gate is enabled. This allows other parties that rely on it to migrate at their pace while it matures. by @rrhubenov [#13446]
  • [OPERATOR] gardener-apiserver: The ShootValidator admission plugin's type is now changed from mutating to validating. All mutations that were previously performed by the ShootValidator were extracted over time to the new ShootMutator admission plugin. by @ialidzhikov [#13352]
  • [OPERATOR] Defaulting of the Shoot machine image version (.spec.provider.workers[].machine.image.{name,version}) is moved from the ShootValidator to the ShootMutator admission plugin. by @ialidzhikov [#13351]
  • [OPERATOR] Logging stack components are updated from v0.69.0 to v0.70.0. Along the way, performance optimizations are applied. by @nickytd [#13563]
  • [OPERATOR] gardener-apiserver: The Shoot .spec.provider.workers[].machine.image field is now a required field. This change has impact only when the ShootMutator admission plugin (which defaults the machine image) is disabled. The admission plugin is enabled by default. by @ialidzhikov [#13399]
  • [OPERATOR] A new field spec.resources was added to the Garden API. The field can be used by extensions to reference Secrets and ConfigMaps. See this documentation for more details. by @timuthy [#13464]
  • [OPERATOR] The Shoot .spec.kubernetes.kubeAPIServer.oidcConfig field is now validated only in the storage layer. Previously, the required .spec.kubernetes.kubeAPIServer.{oidcConfig,issuerURL} fields were validated in the ShootValidator admission plugin due to backwards-compatibility reasons. by @dimitar-kostadinov [#13505]
  • [DEPENDENCY] The following dependencies have been updated:
    • registry.k8s.io/dns/k8s-dns-node-cache from 1.26.5 to 1.26.7. by @gardener-ci-robot [#13474]
  • [DEPENDENCY] The following dependencies have been updated:
    • gardener/gardener-metrics-exporter from 0.41.0 to 0.42.0. Release Notes by @gardener-ci-robot [#13455]
  • [DEPENDENCY] The following dependencies have been updated:
    • quay.io/brancz/kube-rbac-proxy from v0.20.0 to v0.20.1. by @gardener-ci-robot [#13533]
  • [DEPENDENCY] The following dependencies have been updated:
    • quay.io/cortexproject/cortex from v1.19.1 to v1.20.0. by @gardener-ci-robot [#13390]

📖 Documentation

  • [OPERATOR] A new guide has been added containing instructions and information about how to upgrade a Gardener installation. by @rfranzke [#13401]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.133.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.133.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.133.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.133.0

Container (OCI) Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.133.0
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.133.0
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.133.0
  • gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.133.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.133.0
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.133.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.133.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.133.0
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.133.0

Update gardenlet to 1.133.0

[github.com/gardener/gardener:v1.133.0]

⚠️ Breaking Changes

  • [OPERATOR] ⚠️ Gardener no longer supports Garden, Seed, or Shoot clusters with Kubernetes versions <= 1.29. Make sure to upgrade all existing clusters before upgrading to this Gardener version. by @ScheererJ [#13487]
  • [USER] The Shoot .spec.provider.workers[].sysctls field is now validated for valid sysctl keys and non-empty values. by @MrBatschner [#13435]
  • [DEVELOPER] The github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring module is updated from v0.86.2 to v0.87.0. In the new version the type of the ServiceMonitor's .spec.endpoints[].scheme field is changed from string to *monitoringv1.Scheme. by @gardener-ci-robot [#13512]
  • [DEVELOPER] The types from the extension healthcheck package which perform health checks on Deployments, StatefulSets and DaemonSets have been renamed. The respective constructor functions now return the concrete types instead of an interface. The types still implement the interface that was returned before. We do not expect this change to affect existing code in the majority of cases. by @dimityrmirchev [#13329]

📰 Noteworthy

  • [OPERATOR] The ShootCredentialsBinding feature gate of gardenlet is promoted to GA and is unconditionally enabled. by @dimityrmirchev [#13530]
  • [OPERATOR] The .status.encryptedResources field for Shoot and Garden resources has been deprecated in favour of the new .status.credentials.encryptionAtRest.resources field. by @AleksandarSavchev [#12894]
  • [DEVELOPER] The ValidatingAdmissionPolicy admission plugin is now enabled by default for the Gardener API server. If you already have the admission plugin enabled, you can remove the explicit enablement after upgrading to this version of Gardener as the plugin is now enabled by default. by @ScheererJ [#13487]

✨ New Features

  • [OPERATOR] A new VPAInPlaceUpdates feature gate is introduced for gardenlet and gardener-operator. When enabled, the corresponding VerticalPodAutoscaler resources are mutated to perform in-place updates (i.e., mutated with .spec.updatePolicy.updateMode=InPlaceOrRecreate). For more information, see Enabling In-Place Updates of Pod Resources. by @vitanovs [#12940]
  • [OPERATOR] The gardener.cloud/operation annotation for the Garden resource has been extended to allow specifying multiple operations to be run in parallel. by @AleksandarSavchev [#12717]
  • [USER] The gardener.cloud/operation and maintenance.gardener.cloud/operation Shoot annotations have been extended to allow specifying multiple operations to be run in parallel. by @AleksandarSavchev [#12717]

🐛 Bug Fixes

  • [OPERATOR] A bug where the Shoot relevant ClusterRoleBindings responsible for the AdminKubeconfig and ViewerKubeconfig permissions were deployed into the virtual Garden cluster has been fixed. by @vpnachev [#13492]
  • [OPERATOR] Add --skip-metadata flag to ctr images pull in the node-agent init script for better container registry compatibility. by @Nuckal777 [#13265]
  • [OPERATOR] An issue where Plutono would not detect all fields when the OpenTelemetryCollector feature gate is enabled is now fixed. by @rrhubenov [#13531]
  • [OPERATOR] A bug which made istio-ingressgateway forward requests to kube-apiserver via HTTP/1.1 only when the IstioTLSTermination feature gate is active has been fixed. Exhausted connection limits between istio-ingressgateway and kube-apiserver could be a consequence of this bug. by @oliver-goetz [#13459]
  • [OPERATOR] Gardener generally prefers the sshd.service unit when trying to enable/disable the SSH server on worker nodes and bastions. If the sshd.service unit doesn't exist, it falls back to ssh.service. by @timebertt [#13456]
  • [OPERATOR] The server block import feature for node-local-dns is now behind a feature gate (CustomDNSServerInNodeLocalDNS). by @DockToFuture [#13511]
  • [USER] An issue causing vpa-updater RBAC resources for in-place updates not to be deployed when the VPA InPlaceOrRecreate feature gate is not explicitly enabled is now fixed. The VPA InPlaceOrRecreate feature gate is enabled by default with the VPA 1.5.1 version which is used by Gardener. That's why the needed in-place updates RBAC resources are now deployed unconditionally. by @vitanovs [#13499]
  • [DEVELOPER] Fixed a bug causing types part of the extension healthcheck package to be injected with clients that they do not actually use. by @dimityrmirchev [#13329]

🏃 Others

  • [OPERATOR] Vali can now ingest logs through the standard ingress in the Shoot control plane even when the OpenTelemetryCollector feature gate is enabled. This allows other parties that rely on it to migrate at their pace while it matures. by @rrhubenov [#13446]
  • [OPERATOR] gardener-apiserver: The ShootValidator admission plugin's type is now changed from mutating to validating. All mutations that were previously performed by the ShootValidator were extracted over time to the new ShootMutator admission plugin. by @ialidzhikov [#13352]
  • [OPERATOR] Defaulting of the Shoot machine image version (.spec.provider.workers[].machine.image.{name,version}) is moved from the ShootValidator to the ShootMutator admission plugin. by @ialidzhikov [#13351]
  • [OPERATOR] Logging stack components are updated from v0.69.0 to v0.70.0. Along the way, performance optimizations are applied. by @nickytd [#13563]
  • [OPERATOR] gardener-apiserver: The Shoot .spec.provider.workers[].machine.image field is now a required field. This change has impact only when the ShootMutator admission plugin (which defaults the machine image) is disabled. The admission plugin is enabled by default. by @ialidzhikov [#13399]
  • [OPERATOR] A new field spec.resources was added to the Garden API. The field can be used by extensions to reference Secrets and ConfigMaps. See this documentation for more details. by @timuthy [#13464]
  • [OPERATOR] The Shoot .spec.kubernetes.kubeAPIServer.oidcConfig field is now validated only in the storage layer. Previously, the required .spec.kubernetes.kubeAPIServer.{oidcConfig,issuerURL} fields were validated in the ShootValidator admission plugin due to backwards-compatibility reasons. by @dimitar-kostadinov [#13505]
  • [DEPENDENCY] The following dependencies have been updated:
    • registry.k8s.io/dns/k8s-dns-node-cache from 1.26.5 to 1.26.7. by @gardener-ci-robot [#13474]
  • [DEPENDENCY] The following dependencies have been updated:
    • gardener/gardener-metrics-exporter from 0.41.0 to 0.42.0. Release Notes by @gardener-ci-robot [#13455]
  • [DEPENDENCY] The following dependencies have been updated:
    • quay.io/brancz/kube-rbac-proxy from v0.20.0 to v0.20.1. by @gardener-ci-robot [#13533]
  • [DEPENDENCY] The following dependencies have been updated:
    • quay.io/cortexproject/cortex from v1.19.1 to v1.20.0. by @gardener-ci-robot [#13390]

📖 Documentation

  • [OPERATOR] A new guide has been added containing instructions and information about how to upgrade a Gardener installation. by @rfranzke [#13401]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.133.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.133.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.133.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.133.0

Container (OCI) Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.133.0
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.133.0
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.133.0
  • gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.133.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.133.0
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.133.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.133.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.133.0
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.133.0
Update shoot-rsyslog-relp to 0.11.0

[github.com/gardener/gardener-extension-shoot-rsyslog-relp:v0.11.0]

🐛 Bug Fixes

  • [OPERATOR] Fix casing of role in ScrapeConfig. by @LucaBernstein [#313]
  • [USER] Fixed "perm used without an arch is slower" warnings in the system integrity rules by explicitly specifying the arch parameter to be b64.
    This also fixes issues when calling augenrules --load to load the configured audit rules. by @plkokanov [#334]

🏃 Others

  • [OPERATOR] An example Extension manifest for extension registration has been added. It can be found at example/extension.yaml. by @timuthy [#301]
  • [OPERATOR] Migrate the extension VPAs from the deprecated update mode Auto to its only fallback strategy - update mode Recreate. by @vitanovs [#318]
  • [DEVELOPER] The Concourse CI/CD pipeline has been migrated to GitHub Actions. by @ccwienk [#281]

Helm Charts

  • shoot-rsyslog-relp-admission-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-rsyslog-relp-admission-application:v0.11.0
  • shoot-rsyslog-relp-admission-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-rsyslog-relp-admission-runtime:v0.11.0
  • shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-rsyslog-relp:v0.11.0

Container (OCI) Images

  • gardener-extension-shoot-rsyslog-relp-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp-admission:v0.11.0
  • gardener-extension-shoot-rsyslog-relp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-rsyslog-relp:v0.11.0