Release Notes v1.135
Yake release notes and upgrade guide
Related upstream release notes / changelogs
Update provider-gcp to 1.48.2
Helm Charts
- admission-gcp-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-gcp-application:v1.48.2
- admission-gcp-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-gcp-runtime:v1.48.2
- provider-gcp: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/provider-gcp:v1.48.2
Container (OCI) Images
- gardener-extension-admission-gcp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-gcp:v1.48.2
- gardener-extension-provider-gcp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-gcp:v1.48.2
Update shoot-dns-service to 1.76.0
[github.com/gardener/gardener-extension-shoot-dns-service:v1.76.0]
🏃 Others
[USER] Allow to use next-generation dns-controller-manager per configuration in shoot manifest with .spec.extensions[@type="shoot-dns-service"].providerConfig.useNextGenerationController=true. This feature has alpha status. by @MartinWeindel [#615]
[github.com/gardener/external-dns-management:v0.34.0]
🐛 Bug Fixes
[OPERATOR] In an edge case, the data section for a Secret is not dropped anymore when it is no longer used by any provider and the secret is updated to remove the finalizer. by @MartinWeindel [#723]
Helm Charts
- shoot-dns-service-admission-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-dns-service-admission-application:v1.76.0
- shoot-dns-service-admission-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-dns-service-admission-runtime:v1.76.0
- shoot-dns-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-dns-service:v1.76.0
Container (OCI) Images
- gardener-extension-admission-shoot-dns-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-shoot-dns-service:v1.76.0
- gardener-extension-shoot-dns-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-dns-service:v1.76.0
Update provider-aws to 1.66.2
[github.com/gardener/gardener-extension-provider-aws:v1.66.2]
🐛 Bug Fixes
[OPERATOR] Set --strict-topology for the external provisioner of the EBS CSI Driver. by @hebelsan [#1610]
Helm Charts
- admission-aws-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-aws-application:v1.66.2
- admission-aws-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-aws-runtime:v1.66.2
- provider-aws: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/provider-aws:v1.66.2
Container (OCI) Images
- gardener-extension-admission-aws: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-aws:v1.66.2
- gardener-extension-provider-aws: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-aws:v1.66.2
Update provider-azure to 1.57.1
[github.com/gardener/gardener-extension-provider-azure:v1.57.1]
🐛 Bug Fixes
[OPERATOR] Support not only the DNS-specific keys for dns provider secrets, but in addition the infrastructure secret keys. by @wpross [#1404]
🏃 Others
[OPERATOR] Fix a bug where the namespace for the discovery of the kubeconfig secret was incorrect during the remedy-controller removal. by @kon-angelo [#1405]
Helm Charts
- admission-azure-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-azure-application:v1.57.1
- admission-azure-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-azure-runtime:v1.57.1
- provider-azure: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/provider-azure:v1.57.1
Container (OCI) Images
- gardener-extension-admission-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-azure:v1.57.1
- gardener-extension-provider-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-azure:v1.57.1
Update shoot-oidc-service to 0.35.0
[github.com/gardener/gardener-extension-shoot-oidc-service:v0.35.0]
✨ New Features
[DEVELOPER] It is now possible to deploy the extension, via make extension-up, in a locally running gardener installation managed with gardener-operator. by @vpnachev [#399]
🏃 Others
[OPERATOR] The container image base layer has been updated to Debian 13 (trixie). by @dimityrmirchev [#401]
[DEPENDENCY] The following third party dependencies have been updated:
- github.com/gardener/gardener v1.132.1 -> v1.134.0
- golang.org/x/tools v0.38.0 -> v0.40.0
- golang.org/x/crypto v0.44.0 -> v0.46.0
- golang.org/x/mod v0.29.0 -> v0.31.0
- golang.org/x/net v0.46.0 -> v0.48.0
- golang.org/x/sync v0.18.0 -> v0.19.0
- golang.org/x/sys v0.38.0 -> v0.39.0
- golang.org/x/term v0.37.0 -> v0.38.0
- golang.org/x/text v0.31.0 -> v0.32.0
- helm.sh/helm/v3 v3.19.1 -> v3.19.2
- istio.io/api v1.27.3 -> v1.27.4
- k8s.io/api v0.34.1 -> v0.34.3
- k8s.io/apiextensions-apiserver v0.34.1 -> v0.34.3
- k8s.io/apimachinery v0.34.1 -> v0.34.3
- k8s.io/apiserver v0.34.1 -> v0.34.3
- k8s.io/client-go v0.34.1 -> v0.34.3
- k8s.io/code-generator v0.34.1 -> v0.34.3
- k8s.io/component-base v0.34.1 -> v0.34.3
- k8s.io/component-helpers v0.34.1 -> v0.34.3
- k8s.io/cluster-bootstrap v0.34.1 -> v0.34.3
- k8s.io/kube-aggregator v0.34.1 -> v0.34.3
- k8s.io/kubelet v0.34.1 -> v0.34.3
- k8s.io/metrics v0.34.1 -> v0.34.3
by @dependabot[bot] [#400]
[DEPENDENCY] The following third party dependencies have been updated:
- github.com/gardener/gardener v1.132.0 -> v1.132.1
by @dependabot[bot] [#393]
Helm Charts
- shoot-oidc-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-oidc-service:v0.35.0
Container (OCI) Images
- gardener-extension-shoot-oidc-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-oidc-service:v0.35.0
Update gardener-controlplane to 1.134.1
[github.com/gardener/gardener:v1.134.1]
🐛 Bug Fixes
[OPERATOR] Refactor the collector journald receiver to capture kernel logs via a more stable method. by @rrhubenov [#13730]
[OPERATOR] An issue causing credentials rotation for the Garden resource to fail is now fixed. by @ialidzhikov [#13738]
[DEVELOPER] Change the registry port in the local setup to :5001. by @LucaBernstein [#13672]
Helm Charts
- controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.134.1
- gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.134.1
- operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.134.1
- resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.134.1
Container (OCI) Images
- admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.134.1
- apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.134.1
- controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.134.1
- gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.134.1
- gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.134.1
- node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.134.1
- operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.134.1
- resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.134.1
- scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.134.1
Update gardenlet to 1.134.1
[github.com/gardener/gardener:v1.134.1]
🐛 Bug Fixes
[OPERATOR] Refactor the collector journald receiver to capture kernel logs via a more stable method. by @rrhubenov [#13730]
[OPERATOR] An issue causing credentials rotation for the Garden resource to fail is now fixed. by @ialidzhikov [#13738]
[DEVELOPER] Change the registry port in the local setup to :5001. by @LucaBernstein [#13672]
Helm Charts
- controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.134.1
- gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.134.1
- operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.134.1
- resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.134.1
Container (OCI) Images
- admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.134.1
- apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.134.1
- controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.134.1
- gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.134.1
- gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.134.1
- node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.134.1
- operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.134.1
- resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.134.1
- scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.134.1
Update gardener-metrics-exporter to 0.43.0
[github.com/gardener/gardener-metrics-exporter:0.43.0]
🏃 Others
[OPERATOR] Update dependencies by @chrkl [#141]
[USER] Add metrics for Gardenlet resources in virtual garden. by @RaphSku [#138]
Container (OCI) Images
- metrics-exporter: europe-docker.pkg.dev/gardener-project/releases/gardener/metrics-exporter:0.43.0
Update image-rewriter to 0.7.0
Update shoot-networking-filter to 0.26.0
[github.com/gardener/gardener-extension-shoot-networking-filter:v0.26.0]
🏃 Others
[OPERATOR] The base image is updated to gcr.io/distroless/static-debian13:nonroot. by @MartinWeindel [#302]
[OPERATOR] Migrate the extension VPAs from the deprecated update mode Auto to its only fallback strategy - update mode Recreate. by @vitanovs [#278]
Helm Charts
- runtime-networking-filter: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/runtime-networking-filter:v0.26.0
- shoot-networking-filter-admission-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-networking-filter-admission-application:v0.26.0
- shoot-networking-filter-admission-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-networking-filter-admission-runtime:v0.26.0
- shoot-networking-filter: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-networking-filter:v0.26.0
Container (OCI) Images
- gardener-extension-shoot-networking-filter-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-networking-filter-admission:v0.26.0
- gardener-extension-shoot-networking-filter: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-networking-filter:v0.26.0
- gardener-runtime-networking-filter: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/runtime-networking-filter:v0.26.0
Update shoot-networking-problemdetector to 0.31.0
[github.com/gardener/gardener-extension-shoot-networking-problemdetector:v0.31.0]
🏃 Others
[OPERATOR] Update go version to v1.25. by @DockToFuture [#299]
[OPERATOR] The base image is updated to gcr.io/distroless/static-debian13:nonroot. by @MartinWeindel [#315]
Helm Charts
- shoot-networking-problemdetector: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-networking-problemdetector:v0.31.0
Container (OCI) Images
- gardener-extension-shoot-networking-problemdetector: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-networking-problemdetector:v0.31.0
Update os-ubuntu to 1.34.0
[github.com/gardener/gardener-extension-os-ubuntu:v1.34.0]
🏃 Others
[OPERATOR] Allows the operator to deploy nodes with custom apt configuration. by @robinschneider [#203]
Helm Charts
- os-ubuntu: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/os-ubuntu:v1.34.0
Container (OCI) Images
- gardener-extension-os-ubuntu: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/os-ubuntu:v1.34.0
Update provider-alicloud to 1.68.0
[github.com/gardener/gardener-extension-provider-alicloud:v1.68.0]
⚠️ Breaking Changes
[OPERATOR] Following the renaming based on gardener/gardener#13273, autonomous shoot cluster was renamed to self-hosted shoot cluster. This leads to e.g. a change of the /gardener-extension-provider-alicloud's cli argument --autonomous-shoot-cluster to change to --self-hosted-shoot-cluster and the respective helm chart's variable .Values.gardener.autonomousShootCluster to change to .Values.gardener.selfHostedShootCluster. by @marc1404 [#859]
[OPERATOR] provider-alicloud no longer supports Shoots with Kubernetes version <= 1.29. by @marc1404 [#859]
🏃 Others
[OPERATOR] Output error info during infra config validation by @kevin-lacoo [#862]
[OPERATOR] Update following images version: alicloud-controller-manager to v2.12.4, csi-plugin-alicloud to v1.34.3, csi-attacher to v4.10.0, csi-node-driver-registrar to v2.15.0, csi-provisioner to v5.3.0, csi-snapshotter to v8.4.0, csi-snapshot-controller to v8.4.0, csi-resizer to v1.14.0, csi-liveness-probe to v2.17.0 by @kevin-lacoo [#863]
[DEPENDENCY] Updated dependency gardener/gardener to v1.134.0 (Release Notes). by @marc1404 [#859]
Helm Charts
- admission-alicloud-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-alicloud-application:v1.68.0
- admission-alicloud-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-alicloud-runtime:v1.68.0
- provider-alicloud: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/provider-alicloud:v1.68.0
Container (OCI) Images
- gardener-extension-admission-alicloud: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-alicloud:v1.68.0
- gardener-extension-provider-alicloud: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-alicloud:v1.68.0
Update gardener-controlplane to 1.134.2
[github.com/gardener/gardener:v1.134.2]
🐛 Bug Fixes
[OPERATOR] extension library: An issue causing deletions of extensions.BackupEntry to be stuck due to conflicts while removing the finalizer from the BackupEntry Secret is now fixed. This mostly affected the deletion of the source BackupEntry during the restore phase of control plane migration. by @plkokanov [#13791]
[USER] Fix a bug that prevents updating expiration dates of overridden machine image versions in NamespacedCloudProfiles. by @LucaBernstein [#13769]
Helm Charts
- controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.134.2
- gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.134.2
- operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.134.2
- resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.134.2
Container (OCI) Images
- admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.134.2
- apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.134.2
- controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.134.2
- gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.134.2
- gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.134.2
- node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.134.2
- operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.134.2
- resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.134.2
- scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.134.2
Update gardenlet to 1.134.2
[github.com/gardener/gardener:v1.134.2]
🐛 Bug Fixes
[OPERATOR] extension library: An issue causing deletions of extensions.BackupEntry to be stuck due to conflicts while removing the finalizer from the BackupEntry Secret is now fixed. This mostly affected the deletion of the source BackupEntry during the restore phase of control plane migration. by @plkokanov [#13791]
[USER] Fix a bug that prevents updating expiration dates of overridden machine image versions in NamespacedCloudProfiles. by @LucaBernstein [#13769]
Helm Charts
- controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.134.2
- gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.134.2
- operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.134.2
- resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.134.2
Container (OCI) Images
- admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.134.2
- apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.134.2
- controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.134.2
- gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.134.2
- gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.134.2
- node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.134.2
- operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.134.2
- resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.134.2
- scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.134.2
Update provider-alicloud to 1.68.1
[github.com/gardener/gardener-extension-provider-alicloud:v1.68.1]
🐛 Bug Fixes
[OPERATOR] The github.com/gardener/gardener dependency was bumped to v1.134.2 to include a fix for an issue causing deletions of extensions.BackupEntry to be stuck due to conflicts while removing the finalizer from the BackupEntry Secret. This mostly affected the deletion of the source BackupEntry during the restore phase of control plane migration (Release Notes). by @plkokanov [#866]
Helm Charts
- admission-alicloud-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-alicloud-application:v1.68.1
- admission-alicloud-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-alicloud-runtime:v1.68.1
- provider-alicloud: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/provider-alicloud:v1.68.1
Container (OCI) Images
- gardener-extension-admission-alicloud: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-alicloud:v1.68.1
- gardener-extension-provider-alicloud: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-alicloud:v1.68.1
Update provider-azure to 1.57.2
[github.com/gardener/gardener-extension-provider-azure:v1.57.2]
🐛 Bug Fixes
[OPERATOR] The github.com/gardener/gardener dependency was bumped to v1.132.4 to include a fix for an issue causing deletions of extensions.BackupEntry to be stuck due to conflicts while removing the finalizer from the BackupEntry Secret. This mostly affected the deletion of the source BackupEntry during the restore phase of control plane migration. by @plkokanov [#1426]
[OPERATOR] Downgrade csi-provisioner and csi-resizer for K8S <= 1.33 to make VolumeAttributesClass available for K8S <= 1.33 (v1beta1 + enabled featureGate) and K8S >= 1.34 (v1). by @AndreasBurger [#1428]
[OPERATOR] Fixed an issue during backupBucket validation without providerConfig. by @wpross [#1424]
🏃 Others
[OPERATOR] Fix an issue that would prevent cluster-autoscaler from considering VolumeAttributesClasses for scaling on shoot < v1.34 by @AndreasBurger [#1429]
Helm Charts
- admission-azure-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-azure-application:v1.57.2
- admission-azure-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-azure-runtime:v1.57.2
- provider-azure: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/provider-azure:v1.57.2
Container (OCI) Images
- gardener-extension-admission-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-azure:v1.57.2
- gardener-extension-provider-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-azure:v1.57.2
Update provider-gcp to 1.48.3
[github.com/gardener/gardener-extension-provider-gcp:v1.48.3]
✨ New Features
[USER] Update VolumeAttributesClass enablement for clusters <=v1.34. If annotated the kube-apiserver, kube-scheduler, kube-controller-manager will get the VAC feature gate enabled automatically. by @kon-angelo [#1289]
🐛 Bug Fixes
[OPERATOR] The github.com/gardener/gardener dependency was bumped to v1.132.4 to include a fix for an issue causing deletions of extensions.BackupEntry to be stuck due to conflicts while removing the finalizer from the BackupEntry Secret. This mostly affected the deletion of the source BackupEntry during the restore phase of control plane migration. by @plkokanov [#1288]
Helm Charts
- admission-gcp-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-gcp-application:v1.48.3
- admission-gcp-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-gcp-runtime:v1.48.3
- provider-gcp: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/provider-gcp:v1.48.3
Container (OCI) Images
- gardener-extension-admission-gcp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-gcp:v1.48.3
- gardener-extension-provider-gcp: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-gcp:v1.48.3
Update cert-management to 0.20.0
[github.com/gardener/cert-management:v0.20.0]
✨ New Features
[USER] Support PKCS#8 encoding of certificate private key. For Certificate objects, set .spec.privateKey.encoding to PKCS8. For source objects like Ingress and Service, set the annotation cert.gardener.cloud/private-key-encoding=PKCS8. by @MartinWeindel [#638]
🏃 Others
[OPERATOR] The base image is updated to gcr.io/distroless/static-debian13:nonroot. by @MartinWeindel [#633]
Helm Charts
- cert-controller-manager: europe-docker.pkg.dev/gardener-project/releases/charts/cert-controller-manager:v0.20.0
Container (OCI) Images
- cert-management: europe-docker.pkg.dev/gardener-project/releases/cert-controller-manager:v0.20.0
Update networking-calico to 1.55.0
[github.com/gardener/gardener-extension-networking-calico:v1.55.0]
📰 Noteworthy
[OPERATOR] CNI plugins are now updated regularly by @domdom82 [#766]
🏃 Others
[OPERATOR] The base image is updated to gcr.io/distroless/static-debian13:nonroot. by @MartinWeindel [#763]
Helm Charts
- admission-calico-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-calico-application:v1.55.0
- admission-calico-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-calico-runtime:v1.55.0
- networking-calico: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/networking-calico:v1.55.0
Container (OCI) Images
- cni-plugins: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/cni-plugins:v1.55.0
- gardener-extension-admission-calico: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-calico:v1.55.0
- gardener-extension-networking-calico: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/networking-calico:v1.55.0
Update runtime-gvisor to 0.28.0
[github.com/gardener/gardener-extension-runtime-gvisor:v0.28.0]
🏃 Others
[OPERATOR] Updated gVisor binaries to 20260105.0. by @gardener-github-actions[bot] [#334]
Helm Charts
- runtime-gvisor: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/runtime-gvisor:v0.28.0
Container (OCI) Images
- gardener-extension-runtime-gvisor-installation: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/runtime-gvisor-installation:v0.28.0
- gardener-extension-runtime-gvisor: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/runtime-gvisor:v0.28.0
Update provider-openstack to 1.52.0
[github.com/gardener/gardener-extension-provider-openstack:v1.52.0]
⚠️ Breaking Changes
[OPERATOR] ETCD backup config in the provider-chart no longer requires an additional backup yaml-level to render as expected by @AndreasBurger [#1234]
[OPERATOR] Following the renaming based on PR13273, autonomous shoot cluster was renamed to self hosted shoot cluster. This leads to e.g. a change of the /gardener-extension-provider-azure's cli argument --autonomous-shoot-cluster to change to --self-hosted-shoot-cluster and the respective helm chart's variable .Values.gardener.autonomousShootCluster to change to .Values.gardener.selfHostedShootCluster. by @tobschli [#1210]
[OPERATOR] provider-openstack no longer supports Shoots with Kubernetes version <= 1.29. by @marc1404 [#1226]
✨ New Features
[OPERATOR] Implements Machine Image Capabilities support for OpenStack, enabling better compatibility management between MachineTypes and MachineImages through CapabilitySets. by @Vincinator [#1222]
[OPERATOR] The Worker controller is prepared to support self-hosted shoot clusters with managed infrastructure (see GEP-28). by @timebertt [#1211]
[USER] The provider-openstack extension does now support shoot clusters with Kubernetes version 1.34. You should consider the Kubernetes release notes before upgrading to 1.34. by @tobschli [#1210]
🐛 Bug Fixes
[OPERATOR] Downgrade csi-provisioner and csi-resizer for K8S <= 1.33 to make VolumeAttributesClass available for K8S <= 1.33 (v1beta1 + enabled featureGate) and K8S >= 1.34 (v1). by @wpross [#1232]
🏃 Others
[OPERATOR] Upgrade csi-provisioner for K8S version >= 1.34 to v6.1.0. by @wpross [#1232]
[OPERATOR] Update gardener/gardener to v1.133.0 by @hebelsan [#1224]
[OPERATOR] Adds DNS Record integration tests by @hebelsan [#1205]
[OPERATOR] Set --strict-topology for the external provisioner of the Cinder CSI controller. by @hebelsan [#1230]
[OPERATOR] Remove CPU requests for openstack-extension components in Shoot and Seed. by @voelzmo [#1215]
[OPERATOR] Extension-provider logging config can now be changed via helm-values by @AndreasBurger [#1234]
[DEPENDENCY] Updated dependency gardener/gardener to v1.134.0 (Release Notes). by @marc1404 [#1226]
Helm Charts
- admission-openstack-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-openstack-application:v1.52.0
- admission-openstack-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-openstack-runtime:v1.52.0
- provider-openstack: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/provider-openstack:v1.52.0
Container (OCI) Images
- gardener-extension-admission-openstack: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-openstack:v1.52.0
- gardener-extension-provider-openstack: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-openstack:v1.52.0
Update shoot-cert-service to 1.56.0
[github.com/gardener/gardener-extension-shoot-cert-service:v1.56.0]
🏃 Others
[OPERATOR] The base image is updated to gcr.io/distroless/static-debian13:nonroot. by @MartinWeindel [#497]
[OPERATOR] Adjust DNS class if next generation dns-shoot-service settings detected. by @MartinWeindel [#505]
[github.com/gardener/cert-management:v0.20.0]
✨ New Features
[USER] Support PKCS#8 encoding of certificate private key. For Certificate objects, set .spec.privateKey.encoding to PKCS8. For source objects like Ingress and Service, set the annotation cert.gardener.cloud/private-key-encoding=PKCS8. by @MartinWeindel [#638]
🏃 Others
[OPERATOR] The base image is updated to gcr.io/distroless/static-debian13:nonroot. by @MartinWeindel [#633]
Helm Charts
- shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-cert-service:v1.56.0
Container (OCI) Images
- gardener-extension-shoot-cert-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-cert-service:v1.56.0
Update dashboard to 1.83.1
Update networking-cilium to 1.46.0
[github.com/gardener/gardener-extension-networking-cilium:v1.46.0]
✨ New Features
[USER]Allow configuration of Cilium's wireguard encryption by @hown3d [#654]
🏃 Others
[OPERATOR]Update node-local-dns mutate function to init sidecar approach. by @DockToFuture [#661]
[OPERATOR]Update cilium to v1.17.11. by @DockToFuture [#667]
[OPERATOR]Increased backoff limit of hubble-generate-certs job. by @axel7born [#651]
[OPERATOR]Update cilium-cli image ref to europe-docker.pkg.dev/gardener-project/releases/gardener/cilium-cli:1.11.0. by @DockToFuture [#668]
[OPERATOR]The base image is updated to gcr.io/distroless/static-debian13:nonroot. by @MartinWeindel [#666]
Helm Charts
- admission-cilium-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-cilium-application:v1.46.0
- admission-cilium-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-cilium-runtime:v1.46.0
- networking-cilium: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/networking-cilium:v1.46.0
Container (OCI) Images
- gardener-extension-admission-cilium: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-cilium:v1.46.0
- gardener-extension-networking-cilium: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/networking-cilium:v1.46.0
Update os-ubuntu to 1.35.0
Update dashboard to 1.83.2
[github.com/gardener/dashboard:1.83.2]
🏃 Others
[OPERATOR]Updated markdown parsing to unified / remark / rehype pipeline, improving security and GitHub-flavored Markdown compatibility by @grolu [#2728]
Container (OCI) Images
- gardener-dashboard: europe-docker.pkg.dev/gardener-project/releases/gardener/dashboard:1.83.2
Update provider-alicloud to 1.68.2
Helm Charts
- admission-alicloud-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-alicloud-application:v1.68.2
- admission-alicloud-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-alicloud-runtime:v1.68.2
- provider-alicloud: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/provider-alicloud:v1.68.2
Container (OCI) Images
- gardener-extension-admission-alicloud: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-alicloud:v1.68.2
- gardener-extension-provider-alicloud: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-alicloud:v1.68.2
Update provider-aws to 1.67.0
[github.com/gardener/gardener-extension-provider-aws:v1.67.0]
⚠️ Breaking Changes
[OPERATOR]provider-aws no longer supports Shoots with Kubernetes version <= 1.29. by @tobschli [#1591]
[OPERATOR]Following the renaming based on PR 13273, autonomous shoot cluster was renamed to self hosted shoot cluster. This changes, for example, the /gardener-extension-provider-aws CLI argument --autonomous-shoot-cluster to --self-hosted-shoot-cluster and the respective helm chart variable .Values.gardener.autonomousShootCluster to .Values.gardener.selfHostedShootCluster. by @tobschli [#1591]
[OPERATOR]ETCD backup config in the provider-chart no longer requires an additional backup yaml-level to render as expected by @AndreasBurger [#1623]
📰 Noteworthy
[OPERATOR]Update credential provider ECR patterns by @hebelsan [#1602]
✨ New Features
[OPERATOR]The Worker controller is prepared to support self-hosted shoot clusters with managed infrastructure (see GEP-28). by @timebertt [#1581]
[USER]It's possible to specify an own IPv6 IPAM pool now. by @axel7born [#1573]
[USER]The provider-aws extension does now support shoot clusters with Kubernetes version 1.34. You should consider the Kubernetes release notes before upgrading to 1.34. by @tobschli [#1591]
🐛 Bug Fixes
[OPERATOR]Fix cluster deletion if EFS can not be found by @hebelsan [#1593]
[OPERATOR]No rollout hot-update of ProviderConfig.NodeTemplate.VirtualCapacity with/without already existing ProviderConfig. New hash strategy adopted for ProviderConfig for k8s versions >= 1.34 by @elankath [#1589]
[OPERATOR]Downgrade csi-provisioner and csi-resizer for K8S <= 1.33 to make VolumeAttributesClass available for K8S <= 1.33 (v1beta1 + enabled featureGate) and K8S >= 1.34 (v1). by @wpross [#1609]
[OPERATOR]Fixed issue when validating a backupBucket without providerConfig. by @wpross [#1633]
[OPERATOR]A bug leading to nil pointer exception in the Route53 client when Workload Identity credentials are used has been fixed. by @vpnachev [#1629]
🏃 Others
[OPERATOR]Add the ipAddressType to VPC Gateway Endpoints by @hebelsan [#1611]
[OPERATOR]Set --strict-topology for the external provisioner of the EBS CSI Driver. by @hebelsan [#1607]
[OPERATOR]Switch VPAs to control memory only by @voelzmo [#1585]
[OPERATOR]Improve routing table association management by @hebelsan [#1636]
[OPERATOR]Update aws-custom-route-controller image tag to v0.14.0. by @DockToFuture [#1587]
[OPERATOR]Add input validation for DNS provider secrets referenced in the shoot spec. by @wpross [#1612]
[OPERATOR]Update alpine to v3.32.2 by @kon-angelo [#1620]
[OPERATOR]Move back to public.ecr.aws registry for aws-load-balancer-controller and volume-modifier-for-k8s as it is now reachable via AAAA record. by @DockToFuture [#1597]
[OPERATOR]Update AWS SDK to support EUSC region by @kon-angelo [#1618]
[OPERATOR]Introduce automated conversions for NamespacedCloudProfile.status.spec.{machineTypes,machineImages,providerConfig} to ensure consistency and compatibility during the transition to CloudProfiles with enabled machineCapabilities, see also GEP-33. by @Roncossek [#1515]
[OPERATOR]Update aws-ipam-controller image to europe-docker.pkg.dev/gardener-project/releases/gardener/aws-ipam-controller:v0.9.0. by @DockToFuture [#1627]
[OPERATOR]Upgrade csi-provisioner for K8S version >= 1.34 to v6.1.0. by @wpross [#1609]
[OPERATOR]Extension-provider logging config can now be changed via helm-values by @AndreasBurger [#1623]
[DEPENDENCY]The following container images have been updated:
- aws-load-balancer-controller: v2.13.4 -> v2.17.1 (singleton)
- cloud-controller-manager: v1.30.9 -> v1.30.10 (patch)
- cloud-controller-manager: v1.31.8 -> v1.31.9 (patch)
- cloud-controller-manager: v1.34.0 -> v1.35.0 (minor)
- csi-driver: v1.52.1 -> v1.54.0 (singleton)
- csi-driver-efs: v2.1.14 -> v2.2.0 (singleton)
- csi-volume-modifier: v0.7.0 -> v0.9.1 (singleton)
- machine-controller-manager-provider-aws: v0.26.0 -> v0.27.0 (singleton) by @gardener-github-actions[bot] [#1562]
[DEPENDENCY]Updated dependency gardener/gardener to v1.134.0 (Release Notes). by @marc1404 [#1603]
[DEPENDENCY]The following container images have been updated:
- machine-controller-manager-provider-aws: v0.27.0 -> v0.27.1 (singleton) by @AndreasBurger [#1655]
[DEPENDENCY]The following container images have been updated:
- ecr-credential-provider: v1.34.0 -> v1.34.1 (patch) by @gardener-github-actions[bot] [#1646]
Helm Charts
- admission-aws-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-aws-application:v1.67.0
- admission-aws-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-aws-runtime:v1.67.0
- provider-aws: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/provider-aws:v1.67.0
Container (OCI) Images
- gardener-extension-admission-aws: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-aws:v1.67.0
- gardener-extension-provider-aws: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-aws:v1.67.0
Update shoot-networking-filter to 0.27.0
[github.com/gardener/gardener-extension-shoot-networking-filter:v0.27.0]
✨ New Features
[USER]Added support for v2 filter lists. by @axel7born [#311]
Helm Charts
- runtime-networking-filter: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/runtime-networking-filter:v0.27.0
- shoot-networking-filter-admission-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-networking-filter-admission-application:v0.27.0
- shoot-networking-filter-admission-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-networking-filter-admission-runtime:v0.27.0
- shoot-networking-filter: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/shoot-networking-filter:v0.27.0
Container (OCI) Images
- gardener-extension-shoot-networking-filter-admission: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-networking-filter-admission:v0.27.0
- gardener-extension-shoot-networking-filter: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-networking-filter:v0.27.0
- gardener-runtime-networking-filter: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/runtime-networking-filter:v0.27.0
Update provider-azure to 1.57.3
[github.com/gardener/gardener-extension-provider-azure:v1.57.3]
🐛 Bug Fixes
[USER]Fixes the RBAC permission setup when using VACs by @AndreasBurger [#1435]
Helm Charts
- admission-azure-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-azure-application:v1.57.3
- admission-azure-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-azure-runtime:v1.57.3
- provider-azure: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/provider-azure:v1.57.3
Container (OCI) Images
- gardener-extension-admission-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-azure:v1.57.3
- gardener-extension-provider-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-azure:v1.57.3
Update acl to 1.15.0
What's Changed
- ✨ The ACL extension now generates the required EnvoyFilters for the alpha feature gate UseUnifiedHTTPProxyPort. Users should update the extension BEFORE enabling the feature gate. https://github.com/stackitcloud/gardener-extension-acl/pull/238
🤖 Dependencies
- Update module github.com/gardener/gardener to v1.133.1 by @renovate[bot] in https://github.com/stackitcloud/gardener-extension-acl/pull/220
- Update dependency ko-build/ko to v0.18.1 by @renovate[bot] in https://github.com/stackitcloud/gardener-extension-acl/pull/221
- Update k8s.io/utils digest to 61b37f7 by @renovate[bot] in https://github.com/stackitcloud/gardener-extension-acl/pull/222
- Update k8s.io/utils digest to 98d557b by @renovate[bot] in https://github.com/stackitcloud/gardener-extension-acl/pull/223
- Update k8s.io/utils digest to 9d40a56 by @renovate[bot] in https://github.com/stackitcloud/gardener-extension-acl/pull/224
- Update k8s.io/utils digest to 718f0e5 by @renovate[bot] in https://github.com/stackitcloud/gardener-extension-acl/pull/225
- Update k8s.io/utils digest to 0fe9cd7 by @renovate[bot] in https://github.com/stackitcloud/gardener-extension-acl/pull/226
- Update module github.com/gardener/gardener to v1.133.2 by @renovate[bot] in https://github.com/stackitcloud/gardener-extension-acl/pull/227
- Update module github.com/onsi/ginkgo/v2 to v2.27.4 by @renovate[bot] in https://github.com/stackitcloud/gardener-extension-acl/pull/228
- Update k8s.io/utils digest to 914a6e7 by @renovate[bot] in https://github.com/stackitcloud/gardener-extension-acl/pull/230
- Update module github.com/onsi/ginkgo/v2 to v2.27.5 by @renovate[bot] in https://github.com/stackitcloud/gardener-extension-acl/pull/233
- Update dependency go to v1.25.6 by @renovate[bot] in https://github.com/stackitcloud/gardener-extension-acl/pull/234
- Update module github.com/gardener/gardener to v1.133.3 by @renovate[bot] in https://github.com/stackitcloud/gardener-extension-acl/pull/235
- Update module sigs.k8s.io/controller-runtime to v0.22.5 by @renovate[bot] in https://github.com/stackitcloud/gardener-extension-acl/pull/237
- Update dependency go to v1.25.6 by @renovate[bot] in https://github.com/stackitcloud/gardener-extension-acl/pull/236
- Update module golang.org/x/tools to v0.41.0 by @renovate[bot] in https://github.com/stackitcloud/gardener-extension-acl/pull/232
- Update module github.com/onsi/gomega to v1.39.0 by @renovate[bot] in https://github.com/stackitcloud/gardener-extension-acl/pull/229
ℹ️ Other Changes
- fix spelling of we in ReadMe by @IndritFejza in https://github.com/stackitcloud/gardener-extension-acl/pull/231
- [GEP-30] Generate envoy filter for new unified http proxy port by @maboehm in https://github.com/stackitcloud/gardener-extension-acl/pull/238
New Contributors
- @IndritFejza made their first contribution in https://github.com/stackitcloud/gardener-extension-acl/pull/231
Full Changelog: https://github.com/stackitcloud/gardener-extension-acl/compare/v1.14.0...v1.15.0
Update gardener-webterminal to 0.35.0
[github.com/gardener/terminal-controller-manager:v0.35.0]
🐛 Bug Fixes
[OPERATOR]Handle terminal deletion when namespace (of garden project) is deleted by @petersutter [#408]
🏃 Others
[OPERATOR]Dropped obsolete permission to read secrets from the (virtual) garden cluster. by @petersutter [#394]
[OPERATOR]Terminal webhook: stricter validation for namespaces/names, RBAC RoleRefs, apiServer URL/CA data, and pod labels. by @petersutter [#452]
[DEVELOPER]migrate CICD-Pipeline to GitHub-Actions by @ccwienk [#404]
Container (OCI) Images
- terminal-controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/terminal-controller-manager:v0.35.0
Update gardener-controlplane to 1.134.3
[github.com/gardener/gardener:v1.134.3]
🐛 Bug Fixes
[OPERATOR]A bug has been fixed which could lead to pending ManagedResources in the shoot's control plane namespace (effectively, blocking Shoot deletion). by @rfranzke [#13860]
[USER]A bug has been fixed which was causing invalid high-availability configuration for system components in case a Shoot was configured with a worker pool with maximum=0. by @rfranzke [#13870]
[USER]Fixed an issue where the Manual Worker Pool Rollout feature worked only when there is only one machine deployment per worker. by @rrhubenov [#13813]
Helm Charts
- controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.134.3
- gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.134.3
- operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.134.3
- resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.134.3
Container (OCI) Images
- admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.134.3
- apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.134.3
- controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.134.3
- gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.134.3
- gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.134.3
- node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.134.3
- operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.134.3
- resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.134.3
- scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.134.3
Update gardenlet to 1.134.3
[github.com/gardener/gardener:v1.134.3]
🐛 Bug Fixes
[OPERATOR]A bug has been fixed which could lead to pending ManagedResources in the shoot's control plane namespace (effectively, blocking Shoot deletion). by @rfranzke [#13860]
[USER]A bug has been fixed which was causing invalid high-availability configuration for system components in case a Shoot was configured with a worker pool with maximum=0. by @rfranzke [#13870]
[USER]Fixed an issue where the Manual Worker Pool Rollout feature worked only when there is only one machine deployment per worker. by @rrhubenov [#13813]
Helm Charts
- controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.134.3
- gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.134.3
- operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.134.3
- resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.134.3
Container (OCI) Images
- admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.134.3
- apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.134.3
- controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.134.3
- gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.134.3
- gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.134.3
- node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.134.3
- operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.134.3
- resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.134.3
- scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.134.3
Update gardener-controlplane to 1.135.0
[github.com/gardener/gardener:v1.135.0]
⚠️ Breaking Changes
[OPERATOR]Internal dns configuration for seeds .spec.dns.internal is now required. Make sure to set this field in your templates before upgrading Gardener to the current version. by @dimityrmirchev [#13529]
[OPERATOR]gardener-resource-manager now enforces the desired OwnerReferences for objects it manages. Previously, it set OwnerReferences only when creating objects and did not update them afterwards. by @oliver-goetz [#13606]
[USER]⚠️ The Seed API field spec.dns.provider.secretRef has been deprecated in favor of spec.dns.provider.credentialsRef. The secretRef field will be removed in Gardener version >= v1.139.0, until then - please consider migrating to the new credentialsRef field.
- :info: Gardener takes care to keep both fields in sync when the configured credentials is of type Secret. by @vpnachev [#13680]
[USER]⚠️ The Shoot API field spec.dns.providers.secretName has been deprecated in favor of spec.dns.providers.credentialsRef. The secretName field will be disallowed to be used by shoots running on Kubernetes 1.35 or newer, until then - please consider migrating to the new credentialsRef field.
- Gardener API server takes care to keep both fields in sync when Secret is the type of the configured credentials. by @vpnachev [#13552]
[DEVELOPER]Change the registry port in the local setup to :5001. by @LucaBernstein [#13661]
[DEVELOPER]The extension-class flag has been renamed to extension-classes to support multiple extension classes per controller deployment. If the extension depends on cmd.ReconcilerOptions, the renaming will automatically take effect. Please adjust your deployment manifest to reflect this change. by @timuthy [#13718]
[DEVELOPER]The SecretData field has been removed from the github.com/gardener/gardener/pkg/component/extensions/dnsrecord.Values struct, use github.com/gardener/gardener/pkg/component/extensions/dnsrecord.CredentialsDeployFunc instead to deploy secret data into a secret. by @vpnachev [#13720]
[DEVELOPER]The function github.com/gardener/gardener/pkg/utils/gardener.GenerateDNSProviderName has been removed. by @vpnachev [#13552]
[DEVELOPER]github.com/gardener/gardener/pkg/apis/core/v1beta1/helper.ShootDNSProviderSecretNamesEqual has been removed, use github.com/gardener/gardener/pkg/apis/core/v1beta1/helper.ShootDNSProviderCredentialsRefsEqual instead. by @vpnachev [#13552]
[DEVELOPER]The SecretData field of the github.com/gardener/gardener/pkg/utils/gardener.Domain struct has been replaced with Credentials field of type sigs.k8s.io/controller-runtime/pkg/client.Object. by @vpnachev [#13720]
[DEPENDENCY]The naming logic for automatically generated webhooks has changed. If the extension name passed to extensionscmdwebhook.NewAddToManagerOptions starts with gardener-, the extension's webhook names are no longer prefixed with gardener-extension-. by @timuthy [#13786]
📰 Noteworthy
[OPERATOR]Adapted the policy in the Kubernetes version support process to retain only the latest 4 minor versions, improving security by dropping older, unpatched versions. Additionally, a minimum period of 14 months has been added, during which Gardener will maintain support for any given Kubernetes version before removing it again. by @marc1404 [#13471]
[USER]The order of entries in the NamespacedCloudProfile.Status.CloudProfileSpec is now the same as in the parent CloudProfile.Spec. by @LucaBernstein [#13772]
[DEVELOPER]The function github.com/gardener/gardener/pkg/utils/kubernetes.GetCredentialsByObjectReference has been changed to accept client.Reader instead of client.Client. by @vpnachev [#13552]
[DEVELOPER]The script hack/vgopath-setup.sh and hack/tools.mk entry for $(VGOPATH) are deprecated and will be removed after gardener/gardener@v1.142 has been released. It is recommended that consumers stop using them from the gardener/gardener repository. by @LucaBernstein [#13556]
[DEVELOPER]Source code changes that break various aspects of the monitoring stack in ways that were previously unnoticed are now detected during pull request validation. by @vicwicker [#13341]
[DEVELOPER]The generic actuator of the control plane now wraps seed-related charts into ManagedResources. Any imperative logic in your provider extension that does not consider management through the gardener-resource-manager can potentially be cleaned up. by @kon-angelo [#13585]
[DEVELOPER]The usages of VGOPATH have been removed. by @LucaBernstein [#13556]
[DEVELOPER]A new rule was added to the Component Checklist - Drop unutilised capabilities. Additionally, the Do not run containers as root rule was extended. For more details, check the Component Checklist. by @mstueer [#13204]
[DEPENDENCY]CredentialsBindings can now reference core.gardener.cloud/v1beta1.InternalSecret resources. Provider extensions should start validating them similar to references for v1.Secret resources. by @rfranzke [#13759]
✨ New Features
[OPERATOR]A new VPNBondingModeRoundRobin feature gate is introduced for gardenlet. When enabled, HA VPN uses round-robin bonding mode to increase availability under network degradation. by @domdom82 [#13649]
[OPERATOR]gardenlet can now propagate static manifests stored in the seed cluster's garden namespace to all shoot namespaces. Read all about it here. by @rfranzke [#13614]
[OPERATOR]Support replacement of individual assets for the gardener dashboard (gardener/dashboard#2687) by @grolu [#13640]
[OPERATOR]Extend gardener-operator and gardenlet care controllers to query the Prometheus instances for health checks of the monitoring components. If the new health checks fail, they are reflected in the status condition of the Shoot, Seed or Garden resources. These health checks are introduced behind a feature gate PrometheusHealthChecks that is disabled by default. by @vicwicker [#13341]
[OPERATOR]It is now possible to configure custom namespaces in the virtual cluster that the virtual-garden-gardener-resource-manager should handle. Use .spec.virtualCluster.gardener.gardenerResourceManager.additionalTargetNamespaces in Garden resource. by @rfranzke [#13761]
[OPERATOR]WorkloadIdentity credentials are now allowed to be used for Shoot DNS domains, Seed ingress, default and internal DNS domains. by @vpnachev [#13720]
[OPERATOR]Add new Plutono dashboard for monitoring VPA Updater operations across Shoot, Seed and Garden clusters. by @vitanovs [#13477]
[USER]Rotation for the ssh keypair for worker nodes, observability passwords and etcd encryption key can now be done in the maintenance window via the .spec.maintenance.autoRotation.credentials field of a Shoot. by @AleksandarSavchev [#13493]
[USER]A new Seed API field credentialsRef has been introduced in spec.dns.provider structure. It is designed to support diverse types of credentials, as of now v1.Secrets and security.gardener.cloud/v1alpha1.WorkloadIdentity are allowed, but only Secrets are supported. by @vpnachev [#13680]
[USER]You can now specify nftables as proxy mode implementation of kube-proxy in the Shoot spec like so if your Kubernetes version is >= 1.31: .spec.kubernetes.kubeProxy.mode=NFTables, please consult https://kubernetes.io/blog/2025/02/28/nftables-kube-proxy/ for all gory details. by @majst01 [#13558]
[USER]A new optional Shoot API field credentialsRef has been introduced in spec.dns.providers structure. It is designed to support diverse types of credentials. As of now only v1.Secrets are supported. by @vpnachev [#13552]
[USER]The Shoot resource does now support configuring the vpa-recommender concurrent workers to update VerticalPodAutoscalers and VerticalPodAutoscalerCheckpoints via the new .spec.kubernetes.verticalPodAutoscaler.recommenderUpdateWorkerCount field. by @voelzmo [#13591]
[DEVELOPER]Shoots and Seeds are now allowed to reference WorkloadIdentity resources via their respective field spec.resources, extensions can leverage this mechanism in order to use workload identity credentials for authentication with external services supporting trust based authentication. by @vpnachev [#13469]
[DEVELOPER]CredentialsBindings can now reference core.gardener.cloud/v1beta1.InternalSecret resources. This can be beneficial if shoot credentials are not managed directly by end-users but by the service provider/Gardener operators. by @rfranzke [#13759]
[DEVELOPER]It is now possible to create a SecretsManager based on a Garden resource. Extensions can, for instance, manage certificates for webhooks in the garden runtime cluster while leveraging Gardener's certificate automation features (such as CA rotation, renewal, etc.). by @timuthy [#13662]
[DEPENDENCY]The certificate library for extension webhooks now supports skipping the component name prefixing with gardener-extension when DoNotPrefixComponentName is set to true. by @rfranzke [#13765]
[DEPENDENCY]extensionscmdcontroller.GeneralOptions can now be shared between controllers and webhooks. It contains general deployment information that are relevant to both. by @timuthy [#13786]
🐛 Bug Fixes
[OPERATOR]Refactor the collector journald receiver to capture kernel logs via a more stable method. by @rrhubenov [#13664]
[OPERATOR]An issue causing credentials rotation for the Garden resource to fail is now fixed. by @ialidzhikov [#13735]
[OPERATOR]A bug has been fixed which could lead to pending ManagedResources in the shoot's control plane namespace (effectively, blocking Shoot deletion). by @rfranzke [#13858]
[OPERATOR]A bug has been fixed which was preventing removing image vector overwrite configurations from gardenlets deployed via seedmanagement.gardener.cloud/v1alpha1.Gardenlet resources (even though .spec.deployment.{imageVectorOverwrite,componentImageVectorOverwrite} was removed). by @rfranzke [#13646]
[OPERATOR]The token requestor will check the UID of a referenced ServiceAccount and request a new token before the former one issued for a different UID expired. by @LucaBernstein [#13630]
[USER]A bug has been fixed which was causing invalid high-availability configuration for system components in case a Shoot was configured with a worker pool with maximum=0. by @rfranzke [#13873]
[USER]Project admins are allowed to set ownerReference with kind: Shoot and blockOwnerDeletion: true for Secrets/ConfigMaps when the OwnerReferencesPermissionEnforcement admission plugin is enabled for the virtual kube-apiserver. by @ialidzhikov [#13743]
[USER]Fix a bug that prevents updating expiration dates of overridden machine image versions in NamespacedCloudProfiles. by @LucaBernstein [#13754]
[USER]Fixed an issue where the Manual Worker Pool Rollout feature worked only when there is only one machine deployment per worker. by @rrhubenov [#13670]
[USER]A bug causing Shoot clusters to not be reconciled during their maintenance window when the Shoot does not enable ssh and has rotate-ssh-keypair operation configured for maintenance window was fixed. by @AleksandarSavchev [#13493]
[DEPENDENCY]extension library: An issue causing deletions of extensions.BackupEntry to be stuck due to conflicts while removing the finalizer from the BackupEntry Secret is now fixed. This mostly affected the deletion of the source BackupEntry during the restore phase of control plane migration. by @plkokanov [#13775]
🏃 Others
[OPERATOR] Set static cpu requests for fluent-operator. by @voelzmo [#13788]
[OPERATOR] OwnerReferences now ensure that no orphan EnvoyFilters and Secrets remain in istio-ingressgateway namespaces when a shoot was purged manually. by @oliver-goetz [#13606]
[OPERATOR] Allow scraping kube_node_created from kube-state-metrics by adding it to the metric allowlist. by @jguipi [#13683]
[OPERATOR] Add Plutono dashboard for shoot control plane cost calculation by @vicwicker [#13605]
[OPERATOR] Refactor node local dns tests to avoid duplications and simplify structure. by @DockToFuture [#13694]
[OPERATOR] gardenlet now adds labels for DNSRecord resources created for Shoot control planes. This allows using label selectors to target DNSRecords used for Shoot control plane components. by @hown3d [#13444]
[OPERATOR] Updates on old Shoots, ManagedSeedSets, and Garden are now allowed if invalid accepted issuers are unchanged. by @acumino [#13514]
[OPERATOR] On startup, gardenlet and gardener-operator now patch the needed VerticalPodAutoscaler resources depending on the VPAInPlaceUpdates feature gate value. This is needed to ensure that all VerticalPodAutoscaler resources will be updated immediately with the desired update mode when the VPAInPlaceUpdates feature gate is enabled or disabled. by @vitanovs [#13573]
[OPERATOR] Set static cpu requests for node-exporter by @voelzmo [#13790]
[OPERATOR] A link to the Seed-specific dashboard has been added to the annotations of Seed-related alerts. This allows operators to quickly navigate from an alert to the relevant monitoring dashboard for faster troubleshooting. by @cathyzhang05 [#13555]
[OPERATOR] Change metrics port for OTel collector on the nodes from 8888 to 18888. by @dnaeon [#13798]
[OPERATOR] Extended RBAC rules for gardener-metrics-exporter to cover Gardenlet resources as well. by @RaphSku [#13806]
[OPERATOR] Update gardenlets values.yaml template to include the internal DNS secret for the local extension setup. by @DockToFuture [#13679]
[OPERATOR] The Kubernetes version check can now be explicitly disabled by setting the environment variable EXPERIMENTAL_DISABLE_KUBERNETES_VERSION_CHECK to true. This is intended for specific experimental or troubleshooting scenarios where temporarily bypassing the version validation is necessary. by @majst01 [#13221]
[OPERATOR] The mutating ManagedSeed admission plugin is now also a validating one. Validations which are executed by this admission plugin during the mutation phase will be gradually moved to the validating ManagedSeed admission plugin. by @ialidzhikov [#13621]
[USER] The .spec.kubernetes.kubeAPIServer.requests.max{Non}MutatingInflight flags can now be increased to 5000 (non-mutating) / 2500 (mutating). by @rfranzke [#13877]
[DEVELOPER] The CloudProfile for the local dev setup was updated from Kubernetes version 1.34.0 to 1.34.3. by @timuthy [#13874]
[DEVELOPER] The kubectl apply command for the 00-namespace-garden.yaml resource now includes the --force-conflicts flag. This enhancement resolves conflicts that previously caused errors during the local extension setup, ensuring a smoother and more reliable deployment process. by @DockToFuture [#13676]
[DEVELOPER] Add permissions to read and watch NamespacedCloudProfiles for the dashboard. by @klocke-io [#13500]
[DEVELOPER] The generic control-plane webhook is now capable of ensuring the kube-apiserver and kube-controller-manager deployments, as well as etcds, of the virtual garden cluster. by @timuthy [#13635]
[DEPENDENCY] The following dependencies have been updated: quay.io/prometheus/alertmanager from v0.30.0 to v0.30.1. by @gardener-ci-robot [#13779]
[DEPENDENCY] The following dependencies have been updated: gardener/alpine-conntrack from 3.21.3 to 3.23.2. Release Notes by @gardener-ci-robot [#13744]
[DEPENDENCY] The following dependencies have been updated: registry.k8s.io/kube-state-metrics/kube-state-metrics from v2.17.0 to v2.18.0. by @gardener-ci-robot [#13808]
[DEPENDENCY] The following dependencies have been updated: quay.io/prometheus/alertmanager from v0.29.0 to v0.30.0. by @gardener-ci-robot [#13663]
[DEPENDENCY] The following dependencies have been updated: credativ/vali from v2.2.29 to v2.2.30. Release Notes by @gardener-ci-robot [#13689]
[DEPENDENCY] The following dependencies have been updated: quay.io/kiwigrid/k8s-sidecar from 2.1.4 to 2.2.3. by @gardener-ci-robot [#13726]
[DEPENDENCY] The following dependencies have been updated: envoyproxy/envoy from distroless-v1.36.4 to v1.37.0. Release Notes by @gardener-ci-robot [#13781]
[DEPENDENCY] The following dependencies have been updated: gcr.io/istio-release/pilot from 1.27.4 to 1.27.5. gcr.io/istio-release/proxyv2 from 1.27.4 to 1.27.5. istio.io/api from v1.27.4 to v1.27.5. by @gardener-ci-robot [#13711]
[DEPENDENCY] The following dependencies have been updated: registry.k8s.io/node-problem-detector/node-problem-detector from v0.8.22 to v0.8.24. by @gardener-ci-robot [#13716]
[DEPENDENCY] The following dependencies have been updated: gardener/gardener-metrics-exporter from 0.42.0 to 0.43.0. Release Notes by @gardener-ci-robot [#13760]
[DEPENDENCY] The following dependencies have been updated: registry.k8s.io/node-problem-detector/node-problem-detector from v1.34.0 to v1.34.2. by @gardener-ci-robot [#13717]
[DEPENDENCY] The following dependencies have been updated: gardener/vpn2 from 0.44.0 to 0.45.0. Release Notes by @gardener-ci-robot [#13677]
[DEPENDENCY] The following dependencies have been updated: quay.io/brancz/kube-rbac-proxy from v0.20.1 to v0.20.2. by @gardener-ci-robot [#13782]
[DEPENDENCY] The following dependencies have been updated: gardener/logging from v0.70.0 to v0.71.0. Release Notes by @gardener-ci-robot [#13741]
[DEPENDENCY] The following dependencies have been updated: gardener/dashboard from 1.83.1 to 1.83.2. Release Notes by @gardener-ci-robot [#13884]
[DEPENDENCY] The following dependencies have been updated: gardener/apiserver-proxy from v0.19.0 to v0.20.0. Release Notes by @gardener-ci-robot [#13749]
[DEPENDENCY] The following dependencies have been updated: credativ/plutono from v7.5.44 to v7.5.45. Release Notes by @gardener-ci-robot [#13690]
[DEPENDENCY] The following dependencies have been updated: envoyproxy/envoy from distroless-v1.36.3 to v1.36.4. Release Notes by @gardener-ci-robot [#13629]
[DEPENDENCY] The following dependencies have been updated: gardener/dashboard from 1.83.0 to 1.83.1. Release Notes by @gardener-ci-robot [#13836]
[DEPENDENCY] The following dependencies have been updated: quay.io/kiwigrid/k8s-sidecar from 2.2.3 to 2.4.0. by @gardener-ci-robot [#13787]
Helm Charts
- controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.135.0
- gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.135.0
- operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.135.0
- resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.135.0
Container (OCI) Images
- admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.135.0
- apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.135.0
- controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.135.0
- gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.135.0
- gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.135.0
- node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.135.0
- operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.135.0
- resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.135.0
- scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.135.0
Update gardener-controlplane to 1.135.0
[github.com/gardener/gardener:v1.135.0]
⚠️ Breaking Changes
[OPERATOR] Internal dns configuration for seeds .spec.dns.internal is now required. Make sure to set this field in your templates before upgrading Gardener to the current version. by @dimityrmirchev [#13529]
[OPERATOR] gardener-resource-manager now enforces the desired OwnerReferences for objects it manages. Previously, it set OwnerReferences only when creating objects and did not update them afterwards. by @oliver-goetz [#13606]
[USER] ⚠️ The Seed API field spec.dns.provider.secretRef has been deprecated in favor of spec.dns.provider.credentialsRef. The secretRef field will be removed in Gardener version >= v1.139.0, until then - please consider migrating to the new credentialsRef field.
- :info: Gardener takes care to keep both fields in sync when the configured credentials is of type Secret. by @vpnachev [#13680]
[USER] ⚠️ The Shoot API field spec.dns.providers.secretName has been deprecated in favor of spec.dns.providers.credentialsRef. The secretName field will be disallowed to be used by shoots running on Kubernetes 1.35 or newer, until then - please consider migrating to the new credentialsRef field.
- Gardener API server takes care to keep both fields in sync when Secret is the type of the configured credentials. by @vpnachev [#13552]
[DEVELOPER] Change the registry port in the local setup to :5001. by @LucaBernstein [#13661]
[DEVELOPER] The extension-class flag has been renamed to extension-classes to support multiple extension classes per controller deployment. If the extension depends on cmd.ReconcilerOptions, the renaming will automatically take effect. Please adjust your deployment manifest to reflect this change. by @timuthy [#13718]
[DEVELOPER] The SecretData field has been removed from the github.com/gardener/gardener/pkg/component/extensions/dnsrecord.Values struct, use github.com/gardener/gardener/pkg/component/extensions/dnsrecord.CredentialsDeployFunc instead to deploy secret data into a secret. by @vpnachev [#13720]
[DEVELOPER] The function github.com/gardener/gardener/pkg/utils/gardener.GenerateDNSProviderName has been removed. by @vpnachev [#13552]
[DEVELOPER] github.com/gardener/gardener/pkg/apis/core/v1beta1/helper.ShootDNSProviderSecretNamesEqual has been removed, use github.com/gardener/gardener/pkg/apis/core/v1beta1/helper.ShootDNSProviderCredentialsRefsEqual instead. by @vpnachev [#13552]
[DEVELOPER] The SecretData field of the github.com/gardener/gardener/pkg/utils/gardener.Domain struct has been replaced with Credentials field of type sigs.k8s.io/controller-runtime/pkg/client.Object. by @vpnachev [#13720]
[DEPENDENCY] The naming logic for automatically generated webhooks has changed. If the extension name passed to extensionscmdwebhook.NewAddToManagerOptions starts with gardener-, the extension's webhook names are no longer prefixed with gardener-extension-. by @timuthy [#13786]
📰 Noteworthy
[OPERATOR] Adapted the policy in the Kubernetes version support process to retain only the latest 4 minor versions, improving security by dropping older, unpatched versions. Additionally, a minimum period of 14 months has been added, during which Gardener will maintain support for any given Kubernetes version before removing it again. by @marc1404 [#13471]
[USER] The order of entries in the NamespacedCloudProfile.Status.CloudProfileSpec is now the same as in the parent CloudProfile.Spec. by @LucaBernstein [#13772]
[DEVELOPER] The function github.com/gardener/gardener/pkg/utils/kubernetes.GetCredentialsByObjectReference has been changed to accept client.Reader instead of client.Client. by @vpnachev [#13552]
[DEVELOPER] The script hack/vgopath-setup.sh and hack/tools.mk entry for $(VGOPATH) are deprecated and will be removed after gardener/gardener@v1.142 has been released. It is recommended that consumers stop using them from the gardener/gardener repository. by @LucaBernstein [#13556]
[DEVELOPER] Source code changes that break various aspects of the monitoring stack in ways that were previously unnoticed are now detected during pull request validation. by @vicwicker [#13341]
[DEVELOPER] The generic actuator of the control plane now wraps seed-related charts into ManagedResources. Any imperative logic in your provider extension that does not consider management through the gardener-resource-manager can potentially be cleaned up. by @kon-angelo [#13585]
[DEVELOPER] The usages of VGOPATH have been removed. by @LucaBernstein [#13556]
[DEVELOPER] A new rule was added to the Component Checklist - Drop unutilised capabilities. Additionally, the Do not run containers as root rule was extended. For more details, check the Component Checklist. by @mstueer [#13204]
[DEPENDENCY] CredentialsBindings can now reference core.gardener.cloud/v1beta1.InternalSecret resources. Provider extensions should start validating them similar to references for v1.Secret resources. by @rfranzke [#13759]
✨ New Features
[OPERATOR] A new VPNBondingModeRoundRobin feature gate is introduced for gardenlet. When enabled, HA VPN uses round-robin bonding mode to increase availability under network degradation. by @domdom82 [#13649]
[OPERATOR] gardenlet can now propagate static manifests stored in the seed cluster's garden namespace to all shoot namespaces. Read all about it here. by @rfranzke [#13614]
[OPERATOR] Support replacement of individual assets for the gardener dashboard (gardener/dashboard#2687) by @grolu [#13640]
[OPERATOR] Extend gardener-operator and gardenlet care controllers to query the Prometheus instances for health checks of the monitoring components. If the new health checks fail, they are reflected in the status condition of the Shoot, Seed or Garden resources. These health checks are introduced behind a feature gate PrometheusHealthChecks that is disabled by default. by @vicwicker [#13341]
[OPERATOR] It is now possible to configure custom namespaces in the virtual cluster that the virtual-garden-gardener-resource-manager should handle. Use .spec.virtualCluster.gardener.gardenerResourceManager.additionalTargetNamespaces in Garden resource. by @rfranzke [#13761]
[OPERATOR] WorkloadIdentity credentials are now allowed to be used for Shoot DNS domains, Seed ingress, default and internal DNS domains. by @vpnachev [#13720]
[OPERATOR] Add new Plutono dashboard for monitoring VPA Updater operations across Shoot, Seed and Garden clusters. by @vitanovs [#13477]
[USER] Rotation for the ssh keypair for worker nodes, observability passwords and etcd encryption key can now be done in the maintenance window via the .spec.maintenance.autoRotation.credentials field of a Shoot. by @AleksandarSavchev [#13493]
[USER] A new Seed API field credentialsRef has been introduced in spec.dns.provider structure. It is designed to support diverse types of credentials, as of now v1.Secrets and security.gardener.cloud/v1alpha1.WorkloadIdentity are allowed, but only Secrets are supported. by @vpnachev [#13680]
[USER] You can now specify nftables as proxy mode implementation of kube-proxy in the Shoot spec like so if your Kubernetes version is >= 1.31: .spec.kubernetes.kubeProxy.mode=NFTables, please consult https://kubernetes.io/blog/2025/02/28/nftables-kube-proxy/ for all glory details. by @majst01 [#13558]
[USER] A new optional Shoot API field credentialsRef has been introduced in spec.dns.providers structure. It is designed to support diverse types of credentials. As of now only v1.Secrets are supported. by @vpnachev [#13552]
[USER] The Shoot resource does now support configuring the vpa-recommender concurrent workers to update VerticalPodAutoscalers and VerticalPodAutoscalerCheckpoints via the new .spec.kubernetes.verticalPodAutoscaler.recommenderUpdateWorkerCount field. by @voelzmo [#13591]
[DEVELOPER] Shoots and Seeds are now allowed to reference WorkloadIdentity resources via their respective field spec.resources, extensions can leverage this mechanism in order to use workload identity credentials for authentication with external services supporting trust based authentication. by @vpnachev [#13469]
[DEVELOPER] CredentialsBindings can now reference core.gardener.cloud/v1beta1.InternalSecret resources. This can be beneficial if shoot credentials are not managed directly by end-users but by the service provider/Gardener operators. by @rfranzke [#13759]
[DEVELOPER] It is now possible to create a SecretsManager based on a Garden resource. Extensions can, for instance, manage certificates for webhooks in the garden runtime cluster while leveraging Gardener's certificate automation features (such as CA rotation, renewal, etc.). by @timuthy [#13662]
[DEPENDENCY] The certificate library for extension webhooks now supports skipping the component name prefixing with gardener-extension when DoNotPrefixComponentName is set to true. by @rfranzke [#13765]
[DEPENDENCY] extensionscmdcontroller.GeneralOptions can now be shared between controllers and webhooks. It contains general deployment information that is relevant to both. by @timuthy [#13786]
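A pre-upgrade check for the breaking changes and version constraints listed above, as an added example that is not part of the release notes or of Gardener's own code. The field paths come from the entries above; spec.kubernetes.version as the Shoot's Kubernetes version field is an assumption, and the manifests are constructed samples.

```python
import json
from collections import namedtuple

Finding = namedtuple("Finding", "severity resource field message")

# Constructed sample manifests (not from a real landscape). The values inside
# spec.dns.internal and credentialsRef are placeholders: the release notes do
# not show their shape, and the checks below only test for presence.
SAMPLE_MANIFESTS = json.loads("""
[
  {"kind": "Seed", "metadata": {"name": "seed-a"},
   "spec": {"dns": {"provider": {"type": "example-dns",
                                 "secretRef": {"name": "dns-creds"}}}}},
  {"kind": "Seed", "metadata": {"name": "seed-b"},
   "spec": {"dns": {"internal": {"placeholder": true},
                    "provider": {"type": "example-dns",
                                 "credentialsRef": {"placeholder": true}}}}},
  {"kind": "Shoot", "metadata": {"name": "shoot-old"},
   "spec": {"kubernetes": {"version": "1.33.2",
                           "kubeProxy": {"mode": "NFTables"}},
            "dns": {"providers": [{"type": "example-dns",
                                   "secretName": "dns-creds"}]}}},
  {"kind": "Shoot", "metadata": {"name": "shoot-new"},
   "spec": {"kubernetes": {"version": "1.35.0"},
            "dns": {"providers": [{"type": "example-dns",
                                   "secretName": "dns-creds"}]}}},
  {"kind": "Shoot", "metadata": {"name": "shoot-nft"},
   "spec": {"kubernetes": {"version": "1.30.4",
                           "kubeProxy": {"mode": "NFTables"}}}}
]
""")


def _get(obj, dotted, default=None):
    """Walk a dotted path through nested dicts; return default on any miss."""
    for key in dotted.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return default
        obj = obj[key]
    return obj


def _minor(version):
    """Return (major, minor) for a version such as '1.35.0', else None."""
    parts = str(version).lstrip("v").split(".")
    try:
        return int(parts[0]), int(parts[1])
    except (IndexError, ValueError):
        return None


def lint_seed(seed):
    res = "Seed/" + _get(seed, "metadata.name", "<unnamed>")
    findings = []
    # Breaking change: seeds must carry an internal DNS configuration.
    if not _get(seed, "spec.dns.internal"):
        findings.append(Finding("error", res, "spec.dns.internal",
                                "required as of v1.135.0"))
    provider = _get(seed, "spec.dns.provider") or {}
    # Deprecation: secretRef without its replacement still needs migrating.
    if "secretRef" in provider and "credentialsRef" not in provider:
        findings.append(Finding("warning", res, "spec.dns.provider.secretRef",
                                "deprecated; migrate to credentialsRef"))
    return findings


def lint_shoot(shoot):
    res = "Shoot/" + _get(shoot, "metadata.name", "<unnamed>")
    version = _minor(_get(shoot, "spec.kubernetes.version", ""))
    findings = []
    for i, provider in enumerate(_get(shoot, "spec.dns.providers") or []):
        if not isinstance(provider, dict) or "secretName" not in provider:
            continue
        field = "spec.dns.providers[%d].secretName" % i
        if version is not None and version >= (1, 35):
            findings.append(Finding("error", res, field,
                                    "disallowed on Kubernetes 1.35 or newer"))
        elif "credentialsRef" not in provider:
            findings.append(Finding("warning", res, field,
                                    "deprecated; migrate to credentialsRef"))
    # NFTables proxy mode is only available for Kubernetes >= 1.31.
    if _get(shoot, "spec.kubernetes.kubeProxy.mode") == "NFTables":
        if version is None or version < (1, 31):
            findings.append(Finding("error", res,
                                    "spec.kubernetes.kubeProxy.mode",
                                    "NFTables needs Kubernetes >= 1.31"))
    return findings


def lint(manifests):
    """Run the matching check for every Seed or Shoot; ignore other kinds."""
    checks = {"Seed": lint_seed, "Shoot": lint_shoot}
    findings = []
    for manifest in manifests:
        kind = manifest.get("kind") if isinstance(manifest, dict) else None
        if kind in checks:
            findings.extend(checks[kind](manifest))
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_MANIFESTS):
        print("%-7s %-16s %s: %s" % f)
```

Feed it the parsed Seed and Shoot objects exported from the garden cluster; errors block the upgrade or the next Kubernetes bump, warnings mark fields that Gardener still keeps in sync for now.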
🐛 Bug Fixes
[OPERATOR] Refactor the collector journald receiver to capture kernel logs via a more stable method. by @rrhubenov [#13664]
[OPERATOR] An issue causing credentials rotation for the Garden resource to fail is now fixed. by @ialidzhikov [#13735]
[OPERATOR] A bug has been fixed which could lead to pending ManagedResources in the shoot's control plane namespace (effectively, blocking Shoot deletion). by @rfranzke [#13858]
[OPERATOR] A bug has been fixed which was preventing removing image vector overwrite configurations from gardenlets deployed via seedmanagement.gardener.cloud/v1alpha1.Gardenlet resources (even though .spec.deployment.{imageVectorOverwrite,componentImageVectorOverwrite} was removed). by @rfranzke [#13646]
[OPERATOR] The token requestor will check the UID of a referenced ServiceAccount and request a new token before the former one issued for a different UID expired. by @LucaBernstein [#13630]
[USER] A bug has been fixed which was causing invalid high-availability configuration for system components in case a Shoot was configured with a worker pool with maximum=0. by @rfranzke [#13873]
[USER] Project admins are allowed to set ownerReference with kind: Shoot and blockOwnerDeletion: true for Secrets/ConfigMaps when the OwnerReferencesPermissionEnforcement admission plugin is enabled for the virtual kube-apiserver. by @ialidzhikov [#13743]
[USER] Fix a bug that prevents updating expiration dates of overridden machine image versions in NamespacedCloudProfiles. by @LucaBernstein [#13754]
[USER] Fixed an issue where the Manual Worker Pool Rollout feature worked only when there is only one machine deployment per worker. by @rrhubenov [#13670]
[USER] A bug causing Shoot clusters to not be reconciled during their maintenance window when the Shoot does not enable ssh and has rotate-ssh-keypair operation configured for maintenance window was fixed. by @AleksandarSavchev [#13493]
[DEPENDENCY] extension library: An issue causing deletions of extensions.BackupEntry to be stuck due to conflicts while removing the finalizer from the BackupEntry Secret is now fixed. This mostly affected the deletion of the source BackupEntry during the restore phase of control plane migration. by @plkokanov [#13775]
🏃 Others
[OPERATOR] Set static cpu requests for fluent-operator. by @voelzmo [#13788]
[OPERATOR] OwnerReferences now ensure that no orphan EnvoyFilters and Secrets remain in istio-ingressgateway namespaces when a shoot was purged manually. by @oliver-goetz [#13606]
[OPERATOR] Allow scraping kube_node_created from kube-state-metrics by adding it to the metric allowlist. by @jguipi [#13683]
[OPERATOR] Add Plutono dashboard for shoot control plane cost calculation by @vicwicker [#13605]
[OPERATOR] Refactor node local dns tests to avoid duplications and simplify structure. by @DockToFuture [#13694]
[OPERATOR] gardenlet now adds labels for DNSRecord resources created for Shoot control planes. This allows using label selectors to target DNSRecords used for Shoot control plane components. by @hown3d [#13444]
[OPERATOR] Updates on old Shoots, ManagedSeedSets, and Garden are now allowed if invalid accepted issuers are unchanged. by @acumino [#13514]
[OPERATOR] On startup, gardenlet and gardener-operator now patch the needed VerticalPodAutoscaler resources depending on the VPAInPlaceUpdates feature gate value. This is needed to ensure that all VerticalPodAutoscaler resources will be updated immediately with the desired update mode when the VPAInPlaceUpdates feature gate is enabled or disabled. by @vitanovs [#13573]
[OPERATOR] Set static cpu requests for node-exporter by @voelzmo [#13790]
[OPERATOR] A link to the Seed-specific dashboard has been added to the annotations of Seed-related alerts. This allows operators to quickly navigate from an alert to the relevant monitoring dashboard for faster troubleshooting. by @cathyzhang05 [#13555]
[OPERATOR] Change metrics port for OTel collector on the nodes from 8888 to 18888. by @dnaeon [#13798]
[OPERATOR] Extended RBAC rules for gardener-metrics-exporter to cover Gardenlet resources as well. by @RaphSku [#13806]
[OPERATOR] Update gardenlets values.yaml template to include the internal DNS secret for the local extension setup. by @DockToFuture [#13679]
[OPERATOR] The Kubernetes version check can now be explicitly disabled by setting the environment variable EXPERIMENTAL_DISABLE_KUBERNETES_VERSION_CHECK to true. This is intended for specific experimental or troubleshooting scenarios where temporarily bypassing the version validation is necessary. by @majst01 [#13221]
[OPERATOR] The mutating ManagedSeed admission plugin is now also a validating one. Validations which are executed by this admission plugin during the mutation phase will be gradually moved to the validating ManagedSeed admission plugin. by @ialidzhikov [#13621]
[USER] The .spec.kubernetes.kubeAPIServer.requests.max{Non}MutatingInflight flags can now be increased to 5000 (non-mutating) / 2500 (mutating). by @rfranzke [#13877]
[DEVELOPER] The CloudProfile for the local dev setup was updated from Kubernetes version 1.34.0 to 1.34.3. by @timuthy [#13874]
[DEVELOPER] The kubectl apply command for the 00-namespace-garden.yaml resource now includes the --force-conflicts flag. This enhancement resolves conflicts that previously caused errors during the local extension setup, ensuring a smoother and more reliable deployment process. by @DockToFuture [#13676]
[DEVELOPER] Add permissions to read and watch NamespacedCloudProfiles for the dashboard. by @klocke-io [#13500]
[DEVELOPER] The generic control-plane webhook is now capable of ensuring the kube-apiserver and kube-controller-manager deployments, as well as etcds, of the virtual garden cluster. by @timuthy [#13635]
[DEPENDENCY] The following dependencies have been updated: quay.io/prometheus/alertmanager from v0.30.0 to v0.30.1. by @gardener-ci-robot [#13779]
[DEPENDENCY] The following dependencies have been updated: gardener/alpine-conntrack from 3.21.3 to 3.23.2. Release Notes by @gardener-ci-robot [#13744]
[DEPENDENCY] The following dependencies have been updated: registry.k8s.io/kube-state-metrics/kube-state-metrics from v2.17.0 to v2.18.0. by @gardener-ci-robot [#13808]
[DEPENDENCY] The following dependencies have been updated: quay.io/prometheus/alertmanager from v0.29.0 to v0.30.0. by @gardener-ci-robot [#13663]
[DEPENDENCY] The following dependencies have been updated: credativ/vali from v2.2.29 to v2.2.30. Release Notes by @gardener-ci-robot [#13689]
[DEPENDENCY] The following dependencies have been updated: quay.io/kiwigrid/k8s-sidecar from 2.1.4 to 2.2.3. by @gardener-ci-robot [#13726]
[DEPENDENCY] The following dependencies have been updated: envoyproxy/envoy from distroless-v1.36.4 to v1.37.0. Release Notes by @gardener-ci-robot [#13781]
[DEPENDENCY] The following dependencies have been updated: gcr.io/istio-release/pilot from 1.27.4 to 1.27.5. gcr.io/istio-release/proxyv2 from 1.27.4 to 1.27.5. istio.io/api from v1.27.4 to v1.27.5. by @gardener-ci-robot [#13711]
[DEPENDENCY] The following dependencies have been updated: registry.k8s.io/node-problem-detector/node-problem-detector from v0.8.22 to v0.8.24. by @gardener-ci-robot [#13716]
[DEPENDENCY] The following dependencies have been updated: gardener/gardener-metrics-exporter from 0.42.0 to 0.43.0. Release Notes by @gardener-ci-robot [#13760]
[DEPENDENCY] The following dependencies have been updated: registry.k8s.io/node-problem-detector/node-problem-detector from v1.34.0 to v1.34.2. by @gardener-ci-robot [#13717]
[DEPENDENCY] The following dependencies have been updated: gardener/vpn2 from 0.44.0 to 0.45.0. Release Notes by @gardener-ci-robot [#13677]
[DEPENDENCY] The following dependencies have been updated: quay.io/brancz/kube-rbac-proxy from v0.20.1 to v0.20.2. by @gardener-ci-robot [#13782]
[DEPENDENCY] The following dependencies have been updated: gardener/logging from v0.70.0 to v0.71.0. Release Notes by @gardener-ci-robot [#13741]
[DEPENDENCY] The following dependencies have been updated: gardener/dashboard from 1.83.1 to 1.83.2. Release Notes by @gardener-ci-robot [#13884]
[DEPENDENCY] The following dependencies have been updated: gardener/apiserver-proxy from v0.19.0 to v0.20.0. Release Notes by @gardener-ci-robot [#13749]
[DEPENDENCY] The following dependencies have been updated: credativ/plutono from v7.5.44 to v7.5.45. Release Notes by @gardener-ci-robot [#13690]
[DEPENDENCY] The following dependencies have been updated: envoyproxy/envoy from distroless-v1.36.3 to v1.36.4. Release Notes by @gardener-ci-robot [#13629]
[DEPENDENCY] The following dependencies have been updated: gardener/dashboard from 1.83.0 to 1.83.1. Release Notes by @gardener-ci-robot [#13836]
[DEPENDENCY] The following dependencies have been updated: quay.io/kiwigrid/k8s-sidecar from 2.2.3 to 2.4.0. by @gardener-ci-robot [#13787]
Helm Charts
- controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.135.0
- gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.135.0
- operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.135.0
- resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.135.0
Container (OCI) Images
- admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.135.0
- apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.135.0
- controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.135.0
- gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.135.0
- gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.135.0
- node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.135.0
- operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.135.0
- resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.135.0
- scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.135.0
Update gardenlet to 1.135.0
[github.com/gardener/gardener:v1.135.0]
⚠️ Breaking Changes
[OPERATOR] Internal dns configuration for seeds .spec.dns.internal is now required. Make sure to set this field in your templates before upgrading Gardener to the current version. by @dimityrmirchev [#13529]
[OPERATOR] gardener-resource-manager now enforces the desired OwnerReferences for objects it manages. Previously, it set OwnerReferences only when creating objects and did not update them afterwards. by @oliver-goetz [#13606]
[USER] ⚠️ The Seed API field spec.dns.provider.secretRef has been deprecated in favor of spec.dns.provider.credentialsRef. The secretRef field will be removed in Gardener version >= v1.139.0, until then - please consider migrating to the new credentialsRef field.
- :info: Gardener takes care to keep both fields in sync when the configured credentials is of type Secret. by @vpnachev [#13680]
[USER] ⚠️ The Shoot API field spec.dns.providers.secretName has been deprecated in favor of spec.dns.providers.credentialsRef. The secretName field will be disallowed to be used by shoots running on Kubernetes 1.35 or newer, until then - please consider migrating to the new credentialsRef field.
- Gardener API server takes care to keep both fields in sync when Secret is the type of the configured credentials. by @vpnachev [#13552]
[DEVELOPER] Change the registry port in the local setup to :5001. by @LucaBernstein [#13661]
[DEVELOPER] The extension-class flag has been renamed to extension-classes to support multiple extension classes per controller deployment. If the extension depends on cmd.ReconcilerOptions, the renaming will automatically take effect. Please adjust your deployment manifest to reflect this change. by @timuthy [#13718]
[DEVELOPER] The SecretData field has been removed from the github.com/gardener/gardener/pkg/component/extensions/dnsrecord.Values struct, use github.com/gardener/gardener/pkg/component/extensions/dnsrecord.CredentialsDeployFunc instead to deploy secret data into a secret. by @vpnachev [#13720]
[DEVELOPER] The function github.com/gardener/gardener/pkg/utils/gardener.GenerateDNSProviderName has been removed. by @vpnachev [#13552]
[DEVELOPER] github.com/gardener/gardener/pkg/apis/core/v1beta1/helper.ShootDNSProviderSecretNamesEqual has been removed, use github.com/gardener/gardener/pkg/apis/core/v1beta1/helper.ShootDNSProviderCredentialsRefsEqual instead. by @vpnachev [#13552]
[DEVELOPER] The SecretData field of the github.com/gardener/gardener/pkg/utils/gardener.Domain struct has been replaced with Credentials field of type sigs.k8s.io/controller-runtime/pkg/client.Object. by @vpnachev [#13720]
[DEPENDENCY] The naming logic for automatically generated webhooks has changed. If the extension name passed to extensionscmdwebhook.NewAddToManagerOptions starts with gardener-, the extension's webhook names are no longer prefixed with gardener-extension-. by @timuthy [#13786]
📰 Noteworthy
[OPERATOR] Adapted the policy in the Kubernetes version support process to retain only the latest 4 minor versions, improving security by dropping older, unpatched versions. Additionally, a minimum period of 14 months has been added, during which Gardener will maintain support for any given Kubernetes version before removing it again. by @marc1404 [#13471]
[USER] The order of entries in the NamespacedCloudProfile.Status.CloudProfileSpec is now the same as in the parent CloudProfile.Spec. by @LucaBernstein [#13772]
[DEVELOPER] The function github.com/gardener/gardener/pkg/utils/kubernetes.GetCredentialsByObjectReference has been changed to accept client.Reader instead of client.Client. by @vpnachev [#13552]
[DEVELOPER] The script hack/vgopath-setup.sh and hack/tools.mk entry for $(VGOPATH) are deprecated and will be removed after gardener/gardener@v1.142 has been released. It is recommended that consumers stop using them from the gardener/gardener repository. by @LucaBernstein [#13556]
[DEVELOPER] Source code changes that break various aspects of the monitoring stack in ways that were previously unnoticed are now detected during pull request validation. by @vicwicker [#13341]
[DEVELOPER] The generic actuator of the control plane now wraps seed-related charts into ManagedResources. Any imperative logic in your provider extension that does not consider management through the gardener-resource-manager can potentially be cleaned up. by @kon-angelo [#13585]
[DEVELOPER] The usages of VGOPATH have been removed. by @LucaBernstein [#13556]
[DEVELOPER] A new rule was added to the Component Checklist - Drop unutilised capabilities. Additionally, the Do not run containers as root rule was extended. For more details, check the Component Checklist. by @mstueer [#13204]
[DEPENDENCY] CredentialsBindings can now reference core.gardener.cloud/v1beta1.InternalSecret resources. Provider extensions should start validating them similar to references for v1.Secret resources. by @rfranzke [#13759]
✨ New Features
[OPERATOR] A new VPNBondingModeRoundRobin feature gate is introduced for gardenlet. When enabled, HA VPN uses round-robin bonding mode to increase availability under network degradation. by @domdom82 [#13649]
[OPERATOR] gardenlet can now propagate static manifests stored in the seed cluster's garden namespace to all shoot namespaces. Read all about it here. by @rfranzke [#13614]
[OPERATOR] Support replacement of individual assets for the gardener dashboard (gardener/dashboard#2687) by @grolu [#13640]
[OPERATOR] Extend gardener-operator and gardenlet care controllers to query the Prometheus instances for health checks of the monitoring components. If the new health checks fail, they are reflected in the status condition of the Shoot, Seed or Garden resources. These health checks are introduced behind a feature gate PrometheusHealthChecks that is disabled by default. by @vicwicker [#13341]
[OPERATOR] It is now possible to configure custom namespaces in the virtual cluster that the virtual-garden-gardener-resource-manager should handle. Use .spec.virtualCluster.gardener.gardenerResourceManager.additionalTargetNamespaces in Garden resource. by @rfranzke [#13761]
[OPERATOR] WorkloadIdentity credentials are now allowed to be used for Shoot DNS domains, Seed ingress, default and internal DNS domains. by @vpnachev [#13720]
[OPERATOR] Add new Plutono dashboard for monitoring VPA Updater operations across Shoot, Seed and Garden clusters. by @vitanovs [#13477]
[USER] Rotation for the ssh keypair for worker nodes, observability passwords and etcd encryption key can now be done in the maintenance window via the .spec.maintenance.autoRotation.credentials field of a Shoot. by @AleksandarSavchev [#13493]
[USER] A new Seed API field credentialsRef has been introduced in spec.dns.provider structure. It is designed to support diverse types of credentials, as of now v1.Secrets and security.gardener.cloud/v1alpha1.WorkloadIdentity are allowed, but only Secrets are supported. by @vpnachev [#13680]
[USER] You can now specify nftables as proxy mode implementation of kube-proxy in the Shoot spec like so if your Kubernetes version is >= 1.31: .spec.kubernetes.kubeProxy.mode=NFTables, please consult https://kubernetes.io/blog/2025/02/28/nftables-kube-proxy/ for all glory details. by @majst01 [#13558]
[USER] A new optional Shoot API field credentialsRef has been introduced in spec.dns.providers structure. It is designed to support diverse types of credentials. As of now only v1.Secrets are supported. by @vpnachev [#13552]
[USER] The Shoot resource does now support configuring the vpa-recommender concurrent workers to update VerticalPodAutoscalers and VerticalPodAutoscalerCheckpoints via the new .spec.kubernetes.verticalPodAutoscaler.recommenderUpdateWorkerCount field. by @voelzmo [#13591]
[DEVELOPER] Shoots and Seeds are now allowed to reference WorkloadIdentity resources via their respective field spec.resources, extensions can leverage this mechanism in order to use workload identity credentials for authentication with external services supporting trust based authentication. by @vpnachev [#13469]
[DEVELOPER] CredentialsBindings can now reference core.gardener.cloud/v1beta1.InternalSecret resources. This can be beneficial if shoot credentials are not managed directly by end-users but by the service provider/Gardener operators. by @rfranzke [#13759]
[DEVELOPER] It is now possible to create a SecretsManager based on a Garden resource. Extensions can, for instance, manage certificates for webhooks in the garden runtime cluster while leveraging Gardener's certificate automation features (such as CA rotation, renewal, etc.). by @timuthy [#13662]
[DEPENDENCY] The certificate library for extension webhooks now supports skipping the component name prefixing with gardener-extension when DoNotPrefixComponentName is set to true. by @rfranzke [#13765]
[DEPENDENCY] extensionscmdcontroller.GeneralOptions can now be shared between controllers and webhooks. It contains general deployment information that is relevant to both. by @timuthy [#13786]
🐛 Bug Fixes
[OPERATOR] Refactor the collector journald receiver to capture kernel logs via a more stable method. by @rrhubenov [#13664]
[OPERATOR] An issue causing credentials rotation for the Garden resource to fail is now fixed. by @ialidzhikov [#13735]
[OPERATOR] A bug has been fixed which could lead to pending ManagedResources in the shoot's control plane namespace (effectively, blocking Shoot deletion). by @rfranzke [#13858]
[OPERATOR] A bug has been fixed which was preventing removing image vector overwrite configurations from gardenlets deployed via seedmanagement.gardener.cloud/v1alpha1.Gardenlet resources (even though .spec.deployment.{imageVectorOverwrite,componentImageVectorOverwrite} was removed). by @rfranzke [#13646]
[OPERATOR] The token requestor will check the UID of a referenced ServiceAccount and request a new token before the former one issued for a different UID expired. by @LucaBernstein [#13630]
[USER] A bug has been fixed which was causing invalid high-availability configuration for system components in case a Shoot was configured with a worker pool with maximum=0. by @rfranzke [#13873]
[USER] Project admins are allowed to set ownerReference with kind: Shoot and blockOwnerDeletion: true for Secrets/ConfigMaps when the OwnerReferencesPermissionEnforcement admission plugin is enabled for the virtual kube-apiserver. by @ialidzhikov [#13743]
[USER] Fix a bug that prevents updating expiration dates of overridden machine image versions in NamespacedCloudProfiles. by @LucaBernstein [#13754]
[USER] Fixed an issue where the Manual Worker Pool Rollout feature worked only when there is only one machine deployment per worker. by @rrhubenov [#13670]
[USER] A bug causing Shoot clusters to not be reconciled during their maintenance window when the Shoot does not enable ssh and has rotate-ssh-keypair operation configured for maintenance window was fixed. by @AleksandarSavchev [#13493]
[DEPENDENCY] extension library: An issue causing deletions of extensions.BackupEntry to be stuck due to conflicts while removing the finalizer from the BackupEntry Secret is now fixed. This mostly affected the deletion of the source BackupEntry during the restore phase of control plane migration. by @plkokanov [#13775]
🏃 Others
[OPERATOR] Set static cpu requests for fluent-operator. by @voelzmo [#13788]
[OPERATOR] OwnerReferences now ensure that no orphan EnvoyFilters and Secrets remain in istio-ingressgateway namespaces when a shoot was purged manually. by @oliver-goetz [#13606]
[OPERATOR] Allow scraping kube_node_created from kube-state-metrics by adding it to the metric allowlist. by @jguipi [#13683]
[OPERATOR] Add Plutono dashboard for shoot control plane cost calculation by @vicwicker [#13605]
[OPERATOR] Refactor node local dns tests to avoid duplications and simplify structure. by @DockToFuture [#13694]
[OPERATOR] gardenlet now adds labels for DNSRecord resources created for Shoot control planes. This allows using label selectors to target DNSRecords used for Shoot control plane components. by @hown3d [#13444]
[OPERATOR] Updates on old Shoots, ManagedSeedSets, and Garden are now allowed if invalid accepted issuers are unchanged. by @acumino [#13514]
[OPERATOR] On startup, gardenlet and gardener-operator now patch the needed VerticalPodAutoscaler resources depending on the VPAInPlaceUpdates feature gate value. This is needed to ensure that all VerticalPodAutoscaler resources will be updated immediately with the desired update mode when the VPAInPlaceUpdates feature gate is enabled or disabled. by @vitanovs [#13573]
[OPERATOR] Set static cpu requests for node-exporter by @voelzmo [#13790]
[OPERATOR] A link to the Seed-specific dashboard has been added to the annotations of Seed-related alerts. This allows operators to quickly navigate from an alert to the relevant monitoring dashboard for faster troubleshooting. by @cathyzhang05 [#13555]
[OPERATOR] Change metrics port for OTel collector on the nodes from 8888 to 18888. by @dnaeon [#13798]
[OPERATOR] Extended RBAC rules for gardener-metrics-exporter to cover Gardenlet resources as well. by @RaphSku [#13806]
[OPERATOR] Update gardenlets values.yaml template to include the internal DNS secret for the local extension setup. by @DockToFuture [#13679]
[OPERATOR] The Kubernetes version check can now be explicitly disabled by setting the environment variable EXPERIMENTAL_DISABLE_KUBERNETES_VERSION_CHECK to true. This is intended for specific experimental or troubleshooting scenarios where temporarily bypassing the version validation is necessary. by @majst01 [#13221]
[OPERATOR] The mutating ManagedSeed admission plugin is now also a validating one. Validations which are executed by this admission plugin during the mutation phase will be gradually moved to the validating ManagedSeed admission plugin. by @ialidzhikov [#13621]
[USER] The .spec.kubernetes.kubeAPIServer.requests.max{Non}MutatingInflight flags can now be increased to 5000 (non-mutating) / 2500 (mutating). by @rfranzke [#13877]
[DEVELOPER] The CloudProfile for the local dev setup was updated from Kubernetes version 1.34.0 to 1.34.3. by @timuthy [#13874]
[DEVELOPER] The kubectl apply command for the 00-namespace-garden.yaml resource now includes the --force-conflicts flag. This enhancement resolves conflicts that previously caused errors during the local extension setup, ensuring a smoother and more reliable deployment process. by @DockToFuture [#13676]
[DEVELOPER] Add permissions to read and watch NamespacedCloudProfiles for the dashboard. by @klocke-io [#13500]
[DEVELOPER] The generic control-plane webhook is now capable of ensuring the kube-apiserver and kube-controller-manager deployments, as well as etcds, of the virtual garden cluster. by @timuthy [#13635]
[DEPENDENCY] The following dependencies have been updated: quay.io/prometheus/alertmanager from v0.30.0 to v0.30.1. by @gardener-ci-robot [#13779]
[DEPENDENCY] The following dependencies have been updated: gardener/alpine-conntrack from 3.21.3 to 3.23.2. Release Notes by @gardener-ci-robot [#13744]
[DEPENDENCY] The following dependencies have been updated: registry.k8s.io/kube-state-metrics/kube-state-metrics from v2.17.0 to v2.18.0. by @gardener-ci-robot [#13808]
[DEPENDENCY] The following dependencies have been updated: quay.io/prometheus/alertmanager from v0.29.0 to v0.30.0. by @gardener-ci-robot [#13663]
[DEPENDENCY] The following dependencies have been updated: credativ/vali from v2.2.29 to v2.2.30. Release Notes by @gardener-ci-robot [#13689]
[DEPENDENCY] The following dependencies have been updated: quay.io/kiwigrid/k8s-sidecar from 2.1.4 to 2.2.3. by @gardener-ci-robot [#13726]
[DEPENDENCY] The following dependencies have been updated: envoyproxy/envoy from distroless-v1.36.4 to v1.37.0. Release Notes by @gardener-ci-robot [#13781]
[DEPENDENCY] The following dependencies have been updated: gcr.io/istio-release/pilot from 1.27.4 to 1.27.5. gcr.io/istio-release/proxyv2 from 1.27.4 to 1.27.5. istio.io/api from v1.27.4 to v1.27.5. by @gardener-ci-robot [#13711]
[DEPENDENCY] The following dependencies have been updated: registry.k8s.io/node-problem-detector/node-problem-detector from v0.8.22 to v0.8.24. by @gardener-ci-robot [#13716]
[DEPENDENCY] The following dependencies have been updated: gardener/gardener-metrics-exporter from 0.42.0 to 0.43.0. Release Notes by @gardener-ci-robot [#13760]
[DEPENDENCY] The following dependencies have been updated: registry.k8s.io/node-problem-detector/node-problem-detector from v1.34.0 to v1.34.2. by @gardener-ci-robot [#13717]
[DEPENDENCY] The following dependencies have been updated: gardener/vpn2 from 0.44.0 to 0.45.0. Release Notes by @gardener-ci-robot [#13677]
[DEPENDENCY] The following dependencies have been updated: quay.io/brancz/kube-rbac-proxy from v0.20.1 to v0.20.2. by @gardener-ci-robot [#13782]
[DEPENDENCY] The following dependencies have been updated: gardener/logging from v0.70.0 to v0.71.0. Release Notes by @gardener-ci-robot [#13741]
[DEPENDENCY] The following dependencies have been updated: gardener/dashboard from 1.83.1 to 1.83.2. Release Notes by @gardener-ci-robot [#13884]
[DEPENDENCY] The following dependencies have been updated: gardener/apiserver-proxy from v0.19.0 to v0.20.0. Release Notes by @gardener-ci-robot [#13749]
[DEPENDENCY] The following dependencies have been updated: credativ/plutono from v7.5.44 to v7.5.45. Release Notes by @gardener-ci-robot [#13690]
[DEPENDENCY] The following dependencies have been updated: envoyproxy/envoy from distroless-v1.36.3 to v1.36.4. Release Notes by @gardener-ci-robot [#13629]
[DEPENDENCY] The following dependencies have been updated: gardener/dashboard from 1.83.0 to 1.83.1. Release Notes by @gardener-ci-robot [#13836]
[DEPENDENCY] The following dependencies have been updated: quay.io/kiwigrid/k8s-sidecar from 2.2.3 to 2.4.0. by @gardener-ci-robot [#13787]
Helm Charts
- controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.135.0
- gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.135.0
- operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.135.0
- resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.135.0
Container (OCI) Images
- admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.135.0
- apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.135.0
- controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.135.0
- gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.135.0
- gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.135.0
- node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.135.0
- operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.135.0
- resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.135.0
- scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.135.0
Update provider-aws to 1.67.2
[github.com/gardener/gardener-extension-provider-aws:v1.67.2]
🐛 Bug Fixes
[OPERATOR] The cloud-controller-manager image used for Shoot clusters running on kubernetes 1.31 was downgraded from v1.31.9 to v1.31.8. This was done to resolve an issue that caused reconciliations of Services of type LoadBalancer to fail because of attempts to add already existing IpPermission rules to the security groups created for the LoadBalancers. by @plkokanov [#1672]
Helm Charts
- admission-aws-application: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-aws-application:v1.67.2
- admission-aws-runtime: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/admission-aws-runtime:v1.67.2
- provider-aws: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/extensions/provider-aws:v1.67.2
Container (OCI) Images
- gardener-extension-admission-aws: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-aws:v1.67.2
- gardener-extension-provider-aws: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-aws:v1.67.2