Release Notes v1.71

23KE release notes and upgrade guide

• Before upgrade
  • The 23KE configuration chart was unified and moved, so resources need to be annotated to get adopted by the new chart name. To prevent the old charts from deleting resources when they get removed, they need to get suspended first.

  flux suspend hr pre-gardener-configuration
  flux suspend hr gardener-configuration
  kubectl -n flux-system annotate Secret -l helm.toolkit.fluxcd.io/name=pre-gardener-configuration meta.helm.sh/release-name=configuration --overwrite
  kubectl -n flux-system annotate Secret -l helm.toolkit.fluxcd.io/name=gardener-configuration meta.helm.sh/release-name=configuration --overwrite
  kubectl -n garden annotate Secret -l helm.toolkit.fluxcd.io/name=gardener-configuration meta.helm.sh/release-name=certificates --overwrite
  kubectl -n garden annotate certificates.cert.gardener.cloud -l helm.toolkit.fluxcd.io/name=gardener-configuration meta.helm.sh/release-name=certificates --overwrite
  kubectl -n flux-system annotate Certificate -l helm.toolkit.fluxcd.io/name=gardener-configuration meta.helm.sh/release-name=certificates --overwrite
  kubectl -n flux-system annotate Issuer -l helm.toolkit.fluxcd.io/name=gardener-configuration meta.helm.sh/release-name=certificates --overwrite
  If something goes wrong or the charts weren't suspended, other charts might complain about their -base-values Secret missing. To remedy,suspend and then resume the new configuration HelmRelease so it re-generates those Secrets.

Related upstream release notes / changelogs

Update provider-azure to 1.35.3

[gardener-extension-provider-azure]

🏃 Others

• [OPERATOR] Remove the error code check from NodesChecker to prevent nil pointer panic. (gardener/gardener-extension-provider-azure#684, @acumino)

Update provider-aws to 1.43.2

[gardener-extension-provider-aws]

🏃 Others

• [OPERATOR] Remove the error code check from NodesChecker to prevent nil pointer panic. (gardener/gardener-extension-provider-aws#748, @acumino)

Update provider-gcp to 1.29.3

[gardener-extension-provider-gcp]

🏃 Others

• [OPERATOR] Remove the error code check from NodesChecker to prevent nil pointer panic. (gardener/gardener-extension-provider-gcp#595, @acumino)

Update provider-openstack to 1.33.3

[gardener-extension-provider-openstack]

🏃 Others

• [OPERATOR] Remove the error code check from NodesChecker to prevent nil pointer panic. (gardener/gardener-extension-provider-openstack#622, @acumino)

Update gardener-controlplane to 1.70.2

[gardener]

⚠️ Breaking Changes

• [USER] Gardener denies setting Shoot.Spec.ControlPlane.HighAvailability.FailureTolerance.Type if shoot is hibernated. (gardener/gardener#7920, @gardener-ci-robot)

🐛 Bug Fixes

• [USER] A bug has been fixed which could cause kube-proxys from being missing after a Shoot has been woken up from hibernation. (gardener/gardener#7917, @gardener-ci-robot)
• [OPERATOR] An issue has been fixed that caused traffic from outside of the cluster to Istio-Ingress being blocked. This is only relevant if seed(s) specify additional load balancer annotations via seed.spec.settings.loadBalancerServices.annotations. (gardener/gardener#7911, @gardener-ci-robot)

🏃 Others

• [OPERATOR] An issue causing panic in the health check for extension is fixed. (gardener/gardener#7914, @gardener-ci-robot)

Update cloudprofiles to 0.6.2

What's Changed

• Regiocloud: Change regiocloud-a to RegionA by @JensAc in https://github.com/gardener-community/cloudprofiles/pull/23

Full Changelog: https://github.com/gardener-community/cloudprofiles/compare/0.6.1...0.6.2

Update provider-alicloud to 1.46.0

[gardener-extension-provider-alicloud]

📖 Documentation

• [DEPENDENCY] The flags which went out-of-support in MCM v0.49.0 have been cleaned up from MCM deployment yaml. (gardener/gardener-extension-provider-alicloud#595, @himanshu-kun)

🏃 Others

• [OPERATOR] The gardener-extension-admission-alicloud Service in the gardener-extension-admission-alicloud chart can now be configured to be topology-aware. (gardener/gardener-extension-provider-alicloud#591, @ialidzhikov)
• [OPERATOR] The admission/validation component is now adapted such that it works well in garden cluster with enabled NetworkPolicy protection (default since gardener/gardener@v1.71 when garden cluster is managed by gardener-operator). (gardener/gardener-extension-provider-alicloud#599, @rfranzke)
• [OPERATOR] The following dependency has been updated: (gardener/gardener-extension-provider-alicloud#600, @acumino)
  • github.com/gardener/gardener 1.67.1 -> 1.70.2

[machine-controller-manager]

⚠️ Breaking Changes

• [OPERATOR] Removal of the following flags (and corresponding fields in associated structs): 'machine-creation-timeout' 'machine-drain-timeout', 'machine-pv-detach-timeout', 'machine-health-timeout=10m', 'machine-safety-apiserver-statuscheck-timeout', 'machine-safety-apiserver-statuscheck-period', 'machine-safety-orphan-vms-period', 'machine-max-evict-retries', 'node-conditions', 'bootstrap-token-auth-extra-groups', 'delete-migrated-machine-class'. The MCM no longer accepts these flags since these are options handled by the Machine Controller invoked by platform specific provider launchers. (gardener/machine-controller-manager#769, @elankath)
• [DEVELOPER] Deletion of 'Driver.GenerateMachineClassForMigration'. Providers need to adapt to this. (gardener/machine-controller-manager#769, @elankath)

✨ New Features

• [USER] Machine object won't turn from Pending to Running state if node.gardener.cloud/critical-components-not-ready taint is there on the corresponding node. (gardener/machine-controller-manager#778, @SimonKienzler)

🐛 Bug Fixes

• [USER] An edge case where all the machineSets were scaled down to zero has been dealt with. (gardener/machine-controller-manager#803, @himanshu-kun)
• [USER] Fix a bug in the bootstrap token creation that caused node to not be able to join the cluster due to an expired bootstrap token. (gardener/machine-controller-manager#773, @schrodit)

📖 Documentation

• [DEVELOPER] Added proposal for hot-update of resources (instance/Nic/Disk) (gardener/machine-controller-manager#761, @himanshu-kun)

🏃 Others

• [OPERATOR] CrashloopBackoff machines will turn to Running quicker (gardener/machine-controller-manager#806, @rishabh-11)
• [OPERATOR] CVE categorization for MCM has been added. (gardener/machine-controller-manager#791, @dkistner)
• [DEVELOPER] The API generation now works again. Previously the API docs was generated to a location that was ignored by git and other API docs file was maintained. (gardener/machine-controller-manager#800, @ialidzhikov)
• [DEVELOPER] Bump k8s.io/* dependencies to v1.26.2 (gardener/machine-controller-manager#792, @afritzler)

[terraformer]

🏃 Others

• [OPERATOR] Update alpine base image to v3.17.3 (gardener/terraformer#136, @kon-angelo)

Docker Images

gardener-extension-provider-alicloud: eu.gcr.io/gardener-project/gardener/extensions/provider-alicloud:v1.46.0 gardener-extension-admission-alicloud: eu.gcr.io/gardener-project/gardener/extensions/admission-alicloud:v1.46.0

Update shoot-dns-service to 1.34.0

[gardener-extension-shoot-dns-service]

🏃 Others

• [OPERATOR] The admission/validation component is now adapted such that it works well in garden cluster with enabled NetworkPolicy protection (default since gardener/gardener@v1.71 when garden cluster is managed by gardener-operator). (gardener/gardener-extension-shoot-dns-service#210, @rfranzke)
• [OPERATOR] Exclude external kube-apiserver domain from the external DNSProvider (gardener/gardener-extension-shoot-dns-service#213, @MartinWeindel)
• [DEPENDENCY] The following dependency is updated: (gardener/gardener-extension-shoot-dns-service#212, @shafeeqes)
  • github.com/gardener/gardener: v1.65.3 -> v1.71.0
  • k8s.io/* : v0.26.1 -> v0.26.3
  • sigs.k8s.io/controller-runtime: v0.14.4-> v0.14.6

Update os-gardenlinux to 0.20.0

[gardener-extension-os-gardenlinux]

🏃 Others

• [OPERATOR] golang version is now updated to 1.20.4. (gardener/gardener-extension-os-gardenlinux#97, @dependabot[bot])
• [OPERATOR] Update go.mod to golang 1.20. (gardener/gardener-extension-os-gardenlinux#100, @danielfoehrKn)
• [OPERATOR] The following dependency is updated: (gardener/gardener-extension-os-gardenlinux#94, @dependabot[bot])
  • github.com/gardener/gardener: v1.66.0 -> v1.70.2

Update provider-hcloud to 0.6.17

[gardener-extension-provider-hcloud] v0.6.17

Update dashboard to 1.69.1

[dashboard]

⚠️ Breaking Changes

• [OPERATOR] The default ingress class annotation under Values.global.dashboard.ingress.annotations['kubernetes.io/ingress.class'] will not be set anymore. Instead, the ingress class name will be set using Values.global.dashboard.ingress.ingressClassName (gardener/dashboard#1499, @petersutter)

🐛 Bug Fixes

• [OPERATOR] Fixed an issue where the helm deployment failed with the error annotations.kubernetes.io/ingress.class: Invalid value: "nginx": can not be set when the class field is also set (gardener/dashboard#1499, @petersutter)

Update gardener-controlplane to 1.71.3

[gardener]

🐛 Bug Fixes

• [OPERATOR] A bug causing gardenlet to panic when admission-controller is upgraded to v1.71 but gardenlet is still on v1.70. (gardener/gardener#7989, @acumino)
• [OPERATOR] Several low timeouts (30s) that were introduced in v1.71.0 for several steps are now reverted as in some cases the Network/ControlPlane reconciliation cannot succeed for 30s. (gardener/gardener#8006, @gardener-ci-robot)