Release Notes v1.73

23KE release notes and upgrade guide

No special steps needed, please refer to the gardener release notes below.

Related upstream release notes / changelogs

Update provider-aws to 1.44.0

[gardener-extension-provider-aws]

✨ New Features

• [USER] Enable awslabs/volume-modifier-for-k8s by default (gardener/gardener-extension-provider-aws#754, @kon-angelo)
• [OPERATOR] Flow-based infrastructure reconciliation without Terraformer (gardener/gardener-extension-provider-aws#603, @MartinWeindel)

🐛 Bug Fixes

• [OPERATOR] Allow patching events for aws-custom-route-controller (gardener/gardener-extension-provider-aws#742, @MartinWeindel)

📖 Documentation

• [DEPENDENCY] The flags which went out-of-support in MCM v0.49.0 have been cleaned up from MCM deployment yaml. (gardener/gardener-extension-provider-aws#739, @himanshu-kun)

🏃 Others

• [OPERATOR] Block public access for newly created S3 buckets. (gardener/gardener-extension-provider-aws#738, @shreyas-s-rao)
• [OPERATOR] The admission/validation component is now adapted such that it works well in garden cluster with enabled NetworkPolicy protection (default since gardener/gardener@v1.71 when garden cluster is managed by gardener-operator). (gardener/gardener-extension-provider-aws#747, @rfranzke)
• [OPERATOR] Update go to v1.20.4 (gardener/gardener-extension-provider-aws#753, @kon-angelo)
• [OPERATOR] Update ebs driver to v1.19.0 (gardener/gardener-extension-provider-aws#754, @kon-angelo)
• [OPERATOR] The following images have been updated: (gardener/gardener-extension-provider-aws#757, @dkistner)
  • mtu-customizer: alpine:3.16.2 → alpine:3.18.0
• [OPERATOR] provider-aws does now define proper create and delete timeouts for aws_internet_gateway. Now, these timeouts are aligned with the terraformer's timeout. Previously the timeouts were not aligned and provider-aws was not able to properly report the aws_internet_gateway related error. (gardener/gardener-extension-provider-aws#761, @ialidzhikov)
• [DEPENDENCY] The following dependency is updated: (gardener/gardener-extension-provider-aws#749, @shafeeqes)
  • github.com/gardener/gardener: v1.67.1 -> v1.71.0
  • k8s.io/* : v0.26.2 -> v0.26.3
  • sigs.k8s.io/controller-runtime: v0.14.5-> v0.14.6

[aws-custom-route-controller]

🏃 Others

• [OPERATOR] Update builder image from golang:1.20.2 to golang:1.20.4 (gardener/aws-custom-route-controller#14, @MartinWeindel)
• [OPERATOR] updated kubernetes dependencies from v0.25.4 to v0.26.4 (gardener/aws-custom-route-controller#15, @MartinWeindel)
• [OPERATOR] improved timestamp format for JSON logging; added command-line options for log level and format. (gardener/aws-custom-route-controller#15, @MartinWeindel)

[machine-controller-manager]

⚠️ Breaking Changes

• [OPERATOR] Removal of the following flags (and corresponding fields in associated structs): 'machine-creation-timeout' 'machine-drain-timeout', 'machine-pv-detach-timeout', 'machine-health-timeout=10m', 'machine-safety-apiserver-statuscheck-timeout', 'machine-safety-apiserver-statuscheck-period', 'machine-safety-orphan-vms-period', 'machine-max-evict-retries', 'node-conditions', 'bootstrap-token-auth-extra-groups', 'delete-migrated-machine-class'. The MCM no longer accepts these flags since these are options handled by the Machine Controller invoked by platform specific provider launchers. (gardener/machine-controller-manager#769, @elankath)
• [DEVELOPER] Deletion of 'Driver.GenerateMachineClassForMigration'. Providers need to adapt to this. (gardener/machine-controller-manager#769, @elankath)

✨ New Features

• [USER] Machine object won't turn from Pending to Running state if node.gardener.cloud/critical-components-not-ready taint is there on the corresponding node. (gardener/machine-controller-manager#778, @SimonKienzler)

🐛 Bug Fixes

• [USER] An edge case where all the machineSets were scaled down to zero has been dealt with. (gardener/machine-controller-manager#803, @himanshu-kun)
• [USER] Fix a bug in the bootstrap token creation that caused node to not be able to join the cluster due to an expired bootstrap token. (gardener/machine-controller-manager#773, @schrodit)
• [USER] An edge case where all the machineSets were scaled down to zero has been dealt with. (gardener/machine-controller-manager#804, @himanshu-kun)
• [USER] An edge case where outdated DesiredReplicas annotation blocked a rolling update is fixed. (gardener/machine-controller-manager#822, @rishabh-11)
• [OPERATOR] An issue causing nil pointer panic on scaleup of the machinedeployment along with trigger of rolling update, is fixed (gardener/machine-controller-manager#817, @himanshu-kun)

📖 Documentation

• [DEVELOPER] Added proposal for hot-update of resources (instance/Nic/Disk) (gardener/machine-controller-manager#761, @himanshu-kun)

🏃 Others

• [OPERATOR] CrashloopBackoff machines will turn to Running quicker (gardener/machine-controller-manager#806, @rishabh-11)
• [OPERATOR] CVE categorization for MCM has been added. (gardener/machine-controller-manager#791, @dkistner)
• [DEVELOPER] The API generation now works again. Previously the API docs was generated to a location that was ignored by git and other API docs file was maintained. (gardener/machine-controller-manager#800, @ialidzhikov)
• [DEVELOPER] Bump k8s.io/* dependencies to v1.26.2 (gardener/machine-controller-manager#792, @afritzler)

[machine-controller-manager-provider-aws]

⚠️ Breaking Changes

• [OPERATOR] Support for migration of machineClass is dropped by the mcm-provider (gardener/machine-controller-manager-provider-aws#118, @himanshu-kun)

🐛 Bug Fixes

• [OPERATOR] Fix handling of capacity reservations in MachineClass that prevented correct scale up (gardener/machine-controller-manager-provider-aws#115, @saley89)

🏃 Others

• [OPERATOR] Updated golang version to 1.20.4 (gardener/machine-controller-manager-provider-aws#121, @rishabh-11)
• [DEPENDENCY] upgraded dependency: (gardener/machine-controller-manager-provider-aws#118, @himanshu-kun)
  • github.com/gardener/machine-controller-manager -> v0.49.1

[terraformer]

🏃 Others

• [OPERATOR] Update alpine base image to v3.17.3 (gardener/terraformer#136, @kon-angelo)
• [OPERATOR] Terrafomer base image has been updated from alpine:3.17.2 to alpine:3.18.0 (gardener/terraformer#137, @MartinWeindel)
• [OPERATOR] Builder base image has been updated from golang:1.19.6 to golang:1.20.4 (gardener/terraformer#137, @MartinWeindel)
• [OPERATOR] Gardener dependency has been updated from v1.59.1 to v1.71.2 (gardener/terraformer#137, @MartinWeindel)

Update provider-azure to 1.36.0

[gardener-extension-provider-azure]

📖 Documentation

• [DEPENDENCY] The flags which went out-of-support in MCM v0.49.0 have been cleaned up from MCM deployment yaml. (gardener/gardener-extension-provider-azure#674, @himanshu-kun)

🏃 Others

• [OPERATOR] The admission/validation component is now adapted such that it works well in garden cluster with enabled NetworkPolicy protection (default since gardener/gardener@v1.71 when garden cluster is managed by gardener-operator). (gardener/gardener-extension-provider-azure#683, @rfranzke)
• [OPERATOR] The following dependency has been updated: (gardener/gardener-extension-provider-azure#685, @acumino)
  • github.com/gardener/gardener 1.67.1 -> 1.70.2
• [OPERATOR] Update golang to v1.20.4 (gardener/gardener-extension-provider-azure#690, @kon-angelo)
• [OPERATOR] Update cloud-controller-manager v1.24.17 -> v1.24.20 (gardener/gardener-extension-provider-azure#691, @kon-angelo)
• [OPERATOR] Update cloud-controller-manager v1.25.11 -> v1.25.14 (gardener/gardener-extension-provider-azure#691, @kon-angelo)
• [OPERATOR] Update cloud-controller-manager v1.26.7 -> v1.26.10 (gardener/gardener-extension-provider-azure#691, @kon-angelo)
• [OPERATOR] Update azurefile-csi v1.26.1 -> v1.28.0 (gardener/gardener-extension-provider-azure#691, @kon-angelo)
• [OPERATOR] Prevent shoot clusters from being configured with calico and overlay network as this is not supported on azure (gardener/gardener-extension-provider-azure#669, @ScheererJ)
• [OPERATOR] Restore terraform behavior to delete the azure resource group even if it contains other resources. (gardener/gardener-extension-provider-azure#671, @kon-angelo)

[machine-controller-manager]

⚠️ Breaking Changes

• [OPERATOR] Removal of the following flags (and corresponding fields in associated structs): 'machine-creation-timeout' 'machine-drain-timeout', 'machine-pv-detach-timeout', 'machine-health-timeout=10m', 'machine-safety-apiserver-statuscheck-timeout', 'machine-safety-apiserver-statuscheck-period', 'machine-safety-orphan-vms-period', 'machine-max-evict-retries', 'node-conditions', 'bootstrap-token-auth-extra-groups', 'delete-migrated-machine-class'. The MCM no longer accepts these flags since these are options handled by the Machine Controller invoked by platform specific provider launchers. (gardener/machine-controller-manager#769, @elankath)
• [DEVELOPER] Deletion of 'Driver.GenerateMachineClassForMigration'. Providers need to adapt to this. (gardener/machine-controller-manager#769, @elankath)

✨ New Features

• [USER] Machine object won't turn from Pending to Running state if node.gardener.cloud/critical-components-not-ready taint is there on the corresponding node. (gardener/machine-controller-manager#778, @SimonKienzler)

🐛 Bug Fixes

• [USER] An edge case where all the machineSets were scaled down to zero has been dealt with. (gardener/machine-controller-manager#804, @himanshu-kun)
• [USER] An edge case where outdated DesiredReplicas annotation blocked a rolling update is fixed. (gardener/machine-controller-manager#822, @rishabh-11)
• [USER] An edge case where all the machineSets were scaled down to zero has been dealt with. (gardener/machine-controller-manager#803, @himanshu-kun)
• [USER] Fix a bug in the bootstrap token creation that caused node to not be able to join the cluster due to an expired bootstrap token. (gardener/machine-controller-manager#773, @schrodit)
• [OPERATOR] An issue causing nil pointer panic on scaleup of the machinedeployment along with trigger of rolling update, is fixed (gardener/machine-controller-manager#817, @himanshu-kun)

📖 Documentation

• [DEVELOPER] Added proposal for hot-update of resources (instance/Nic/Disk) (gardener/machine-controller-manager#761, @himanshu-kun)

🏃 Others

• [OPERATOR] CrashloopBackoff machines will turn to Running quicker (gardener/machine-controller-manager#806, @rishabh-11)
• [OPERATOR] CVE categorization for MCM has been added. (gardener/machine-controller-manager#791, @dkistner)
• [DEVELOPER] The API generation now works again. Previously the API docs was generated to a location that was ignored by git and other API docs file was maintained. (gardener/machine-controller-manager#800, @ialidzhikov)
• [DEVELOPER] Bump k8s.io/* dependencies to v1.26.2 (gardener/machine-controller-manager#792, @afritzler)

[machine-controller-manager-provider-azure]

⚠️ Breaking Changes

• [OPERATOR] Support for migration of machineClass is dropped by the mcm-provider (gardener/machine-controller-manager-provider-azure#96, @himanshu-kun)

🏃 Others

• [USER] Updated golang version to 1.20.4 (gardener/machine-controller-manager-provider-azure#99, @rishabh-11)
• [OPERATOR] CVE categorization for mcm-provider-azure has been added. (gardener/machine-controller-manager-provider-azure#82, @dkistner)
• [OPERATOR] removed the use of defer in printing logs for resource creation methods (gardener/machine-controller-manager-provider-azure#87, @rishabh-11)
• [DEPENDENCY] upgraded dependency: (gardener/machine-controller-manager-provider-azure#96, @himanshu-kun)
  • github.com/gardener/machine-controller-manager -> v0.49.1

📰 Noteworthy

• [USER] Fixed VM creation and update when sshAccess is disabled. (gardener/machine-controller-manager-provider-azure#80, @AleksandarSavchev)

[terraformer]

🏃 Others

• [OPERATOR] Update alpine base image to v3.17.3 (gardener/terraformer#136, @kon-angelo)
• [OPERATOR] Terrafomer base image has been updated from alpine:3.17.2 to alpine:3.18.0 (gardener/terraformer#137, @MartinWeindel)
• [OPERATOR] Builder base image has been updated from golang:1.19.6 to golang:1.20.4 (gardener/terraformer#137, @MartinWeindel)
• [OPERATOR] Gardener dependency has been updated from v1.59.1 to v1.71.2 (gardener/terraformer#137, @MartinWeindel)

Update provider-openstack to 1.34.0

[gardener-extension-provider-openstack]

🐛 Bug Fixes

• [USER] Allow changing share network section in InfrastructureConfig for existing cluster. (gardener/gardener-extension-provider-openstack#633, @MartinWeindel)
• [OPERATOR] Add missing network policy labels to extension controller pod template (gardener/gardener-extension-provider-openstack#607, @afritzler)

📖 Documentation

• [DEPENDENCY] The flags which went out-of-support in MCM v0.49.0 have been cleaned up from MCM deployment yaml. (gardener/gardener-extension-provider-openstack#610, @himanshu-kun)

🏃 Others

• [OPERATOR] Add topology awareness support for Manila (gardener/gardener-extension-provider-openstack#613, @kon-angelo)
• [OPERATOR] Add observability configuration for Manila CSI Driver. (gardener/gardener-extension-provider-openstack#614, @kon-angelo)
• [OPERATOR] The admission/validation component is now adapted such that it works well in garden cluster with enabled NetworkPolicy protection (default since gardener/gardener@v1.71 when garden cluster is managed by gardener-operator). (gardener/gardener-extension-provider-openstack#620, @rfranzke)
• [OPERATOR] Restrict security group ingress port-range to kubernetes node-port range (gardener/gardener-extension-provider-openstack#621, @tedteng)
• [OPERATOR] add a bastion ingress rule in the worker node security group to establish the ssh connection to fit different networks. (gardener/gardener-extension-provider-openstack#621, @tedteng)
• [OPERATOR] The bastion with try to reserve Floating IPs from the router's external subnet (gardener/gardener-extension-provider-openstack#623, @kon-angelo)
• [OPERATOR] Update golang to v1.20.4 (gardener/gardener-extension-provider-openstack#627, @kon-angelo)
• [DEPENDENCY] The following dependency is updated: (gardener/gardener-extension-provider-openstack#624, @shafeeqes)
  • github.com/gardener/gardener: v1.67.1 -> v1.71.0
  • k8s.io/* : v0.26.2 -> v0.26.3
  • sigs.k8s.io/controller-runtime: v0.14.5-> v0.14.6

[machine-controller-manager]

⚠️ Breaking Changes

• [USER] node field is removed from machine status. controller will now depend on the node label which already was present in the machine object's metadata. If you(or your controller) are dependent on the status.node field of the machine object, then kindly use node label under .metadata.labels (gardener/machine-controller-manager#745, @rishabh-11)
• [OPERATOR] Removal of the following flags (and corresponding fields in associated structs): 'machine-creation-timeout' 'machine-drain-timeout', 'machine-pv-detach-timeout', 'machine-health-timeout=10m', 'machine-safety-apiserver-statuscheck-timeout', 'machine-safety-apiserver-statuscheck-period', 'machine-safety-orphan-vms-period', 'machine-max-evict-retries', 'node-conditions', 'bootstrap-token-auth-extra-groups', 'delete-migrated-machine-class'. The MCM no longer accepts these flags since these are options handled by the Machine Controller invoked by platform specific provider launchers. (gardener/machine-controller-manager#769, @elankath)
• [DEVELOPER] Deletion of 'Driver.GenerateMachineClassForMigration'. Providers need to adapt to this. (gardener/machine-controller-manager#769, @elankath)

✨ New Features

• [USER] Machine object won't turn from Pending to Running state if node.gardener.cloud/critical-components-not-ready taint is there on the corresponding node. (gardener/machine-controller-manager#778, @SimonKienzler)
• [USER] MachineDeployment would now have Progressing condition even when no progress Deadline is specified. This condition would never go to the reason ProgressDeadlineExceeded in that case. (gardener/machine-controller-manager#762, @himanshu-kun)
• [OPERATOR] Using kubectl get machines will display Node of the corresponding machine as a column. If -owide flag is used then the corresponding ProviderID will also be displayed. (gardener/machine-controller-manager#746, @rishabh-11)
• [OPERATOR] Added new short names for machine(mc), machineClass(mcc), machineDeployment(mcd), and machineSet(mcs) resources. (gardener/machine-controller-manager#749, @rishabh-11)

🐛 Bug Fixes

• [USER] An edge case where all the machineSets were scaled down to zero has been dealt with. (gardener/machine-controller-manager#803, @himanshu-kun)
• [USER] Fix a bug in the bootstrap token creation that caused node to not be able to join the cluster due to an expired bootstrap token. (gardener/machine-controller-manager#773, @schrodit)
• [USER] Fix a bug in the bootstrap token creation that caused node to not be able to join the cluster due to an expired bootstrap token. (gardener/machine-controller-manager#777, @himanshu-kun)
• [USER] An edge case where all the machineSets were scaled down to zero has been dealt with. (gardener/machine-controller-manager#804, @himanshu-kun)
• [USER] An edge case where outdated DesiredReplicas annotation blocked a rolling update is fixed. (gardener/machine-controller-manager#822, @rishabh-11)
• [OPERATOR] An issue causing nil pointer panic on scaleup of the machinedeployment along with trigger of rolling update, is fixed (gardener/machine-controller-manager#817, @himanshu-kun)

📖 Documentation

• [DEVELOPER] Added proposal for hot-update of resources (instance/Nic/Disk) (gardener/machine-controller-manager#761, @himanshu-kun)

🏃 Others

• [USER] Updated golang version to v1.19.2 (gardener/machine-controller-manager#753, @rishabh-11)
• [USER] If during a rolling update scale-up is done, MCM scales up only the new machineSet, while in case of scale-down the scale-down amount is split among old machineSets, in proportion to their sizes. (gardener/machine-controller-manager#765, @himanshu-kun)
• [OPERATOR] CrashloopBackoff machines will turn to Running quicker (gardener/machine-controller-manager#806, @rishabh-11)
• [OPERATOR] CVE categorization for MCM has been added. (gardener/machine-controller-manager#791, @dkistner)
• [DEVELOPER] The API generation now works again. Previously the API docs was generated to a location that was ignored by git and other API docs file was maintained. (gardener/machine-controller-manager#800, @ialidzhikov)
• [DEVELOPER] Bump k8s.io/* dependencies to v1.26.2 (gardener/machine-controller-manager#792, @afritzler)
• [DEVELOPER] go version updated to 1.19.4 in pipeline and Dockerfile (gardener/machine-controller-manager#766, @himanshu-kun)

[machine-controller-manager-provider-openstack]

⚠️ Breaking Changes

• [OPERATOR] Support for migration of machineClass is dropped by the mcm-provider (gardener/machine-controller-manager-provider-openstack#89, @kon-angelo)

🏃 Others

• [USER] Updated golang version to v1.19.4 (gardener/machine-controller-manager-provider-openstack#75, @rishabh-11)
• [USER] Update golang to v1.20.4 (gardener/machine-controller-manager-provider-openstack#90, @kon-angelo)
• [OPERATOR] CVE categorization for mcm-provider-openstack has been added. (gardener/machine-controller-manager-provider-openstack#81, @dkistner)
• [DEPENDENCY] Revendor gardener to v1.69.3 (gardener/machine-controller-manager-provider-openstack#89, @kon-angelo)
• [DEPENDENCY] Revendor MCM to v0.49.0 (gardener/machine-controller-manager-provider-openstack#89, @kon-angelo)
• [DEPENDENCY] upgraded dependency: (gardener/machine-controller-manager-provider-openstack#92, @himanshu-kun)
  • github.com/gardener/machine-controller-manager -> v0.49.1

[terraformer]

🏃 Others

• [OPERATOR] Update alpine base image to v3.17.3 (gardener/terraformer#136, @kon-angelo)
• [OPERATOR] Terrafomer base image has been updated from alpine:3.17.2 to alpine:3.18.0 (gardener/terraformer#137, @MartinWeindel)
• [OPERATOR] Builder base image has been updated from golang:1.19.6 to golang:1.20.4 (gardener/terraformer#137, @MartinWeindel)
• [OPERATOR] Gardener dependency has been updated from v1.59.1 to v1.71.2 (gardener/terraformer#137, @MartinWeindel)

Update provider-aws to 1.44.1

[gardener-extension-provider-aws]

🐛 Bug Fixes

• [OPERATOR] Fix the name of the aws-csi-volume-modifier container the in the respective VPA resource. (gardener/gardener-extension-provider-aws#764, @kon-angelo)

Update provider-azure to 1.36.1

[gardener-extension-provider-azure]

🏃 Others

• [OPERATOR] Add calico scheme to azure-validator. (gardener/gardener-extension-provider-azure#697, @kon-angelo)

Update gardener-controlplane to 1.72.1

[gardener]

🐛 Bug Fixes

• [USER] Webhooks remediator sets the timeoutSeonds to 3 seconds for webhook affecting lease resources in kube-system namespace only if there is no objectSelector provided in webhook. (gardener/gardener#8045, @gardener-ci-robot)
• [OPERATOR] A bug has been fixed in the HighAvailabilityConfig-Webhook which caused duplicated entries for zone affinities. (gardener/gardener#8049, @gardener-ci-robot)

🏃 Others

• [OPERATOR] The worker count for the NetworkPolicy controller in GRM was increased to 20. This is necessary to create and update NetworkPolicies in time, esp. on larger seed clusters. (gardener/gardener#8044, @timuthy)

Update gardener-controlplane to 1.72.1

[gardener]

🐛 Bug Fixes

• [USER] Webhooks remediator sets the timeoutSeonds to 3 seconds for webhook affecting lease resources in kube-system namespace only if there is no objectSelector provided in webhook. (gardener/gardener#8045, @gardener-ci-robot)
• [OPERATOR] A bug has been fixed in the HighAvailabilityConfig-Webhook which caused duplicated entries for zone affinities. (gardener/gardener#8049, @gardener-ci-robot)

🏃 Others

• [OPERATOR] The worker count for the NetworkPolicy controller in GRM was increased to 20. This is necessary to create and update NetworkPolicies in time, esp. on larger seed clusters. (gardener/gardener#8044, @timuthy)

Update gardenlet to 1.72.1

[gardener]

🐛 Bug Fixes

• [USER] Webhooks remediator sets the timeoutSeonds to 3 seconds for webhook affecting lease resources in kube-system namespace only if there is no objectSelector provided in webhook. (gardener/gardener#8045, @gardener-ci-robot)
• [OPERATOR] A bug has been fixed in the HighAvailabilityConfig-Webhook which caused duplicated entries for zone affinities. (gardener/gardener#8049, @gardener-ci-robot)

🏃 Others

• [OPERATOR] The worker count for the NetworkPolicy controller in GRM was increased to 20. This is necessary to create and update NetworkPolicies in time, esp. on larger seed clusters. (gardener/gardener#8044, @timuthy)

Update runtime-gvisor to 0.10.0

[gardener-extension-runtime-gvisor]

🐛 Bug Fixes

• [OPERATOR] The stale healthcheck conditions from the runtime-gvisor extension are now properly cleaned up. (gardener/gardener-extension-runtime-gvisor#79, @shafeeqes)

🏃 Others

• [OPERATOR] Added NoExecute/NoSchedule tolerations to the gvisor daemonset to prevent reporting of misscheduled pods on node scale-down operations. (gardener/gardener-extension-runtime-gvisor#81, @bd3lage)
• [OPERATOR] The gVisor runtime extension is now built with Golang 1.20 and uses Gardener 1.70.2 libraries. (gardener/gardener-extension-runtime-gvisor#83, @MrBatschner)
• [DEPENDENCY] The following dependency is updated: (gardener/gardener-extension-runtime-gvisor#79, @shafeeqes)
  • github.com/gardener/gardener: v1.65.0 -> v1.65.3

Update external-dns-management to 0.15.4

[external-dns-management]

🏃 Others

• [OPERATOR] The Helm chart is now adapted such that it works well in garden cluster with enabled NetworkPolicy protection (default since gardener/gardener@v1.71 when garden cluster is managed by gardener-operator). (gardener/external-dns-management#306, @rfranzke)
• [OPERATOR] Bump builder image from golang:1.20.4 to golang:1.20.5 (gardener/external-dns-management#308, @MartinWeindel)

Update cert-management to 0.10.6

[cert-management]

✨ New Features

• [OPERATOR] Added metrics named cert_management_cert_object_expire for certificate expiration date. (gardener/cert-management#131, @MartinWeindel)

🏃 Others

• [OPERATOR] The Helm chart is now adapted such that it works well in garden cluster with enabled NetworkPolicy protection (default since gardener/gardener@v1.71 when garden cluster is managed by gardener-operator). (gardener/cert-management#128, @rfranzke)
• [OPERATOR] Updated golang builder image from version 1.20.4 to 1.20.5. (gardener/cert-management#131, @MartinWeindel)

Update provider-aws to 1.44.2

[gardener-extension-provider-aws]

🐛 Bug Fixes

• [OPERATOR] Handle S3 bucket policy IAM ARN for China and GovCloud (US) regions. (gardener/gardener-extension-provider-aws#769, @kon-angelo)

Update os-ubuntu to 1.22.0

[gardener-extension-os-ubuntu]

🏃 Others

• [OPERATOR] The Ubuntu OS extension is now built with Golang 1.20 and uses Gardener 1.70.2 libraries. (gardener/gardener-extension-os-ubuntu#81, @MrBatschner)

Update shoot-cert-service to 1.33.0

[gardener-extension-shoot-cert-service]

✨ New Features

• [USER] The shoot-cert-service extension now supports workerless Shoots. (gardener/gardener-extension-shoot-cert-service#164, @acumino)

🏃 Others

• [OPERATOR] Add dashboard panel for certificate object expire date. (gardener/gardener-extension-shoot-cert-service#166, @MartinWeindel)
• [OPERATOR] Updated golang from version 1.20.4 to 1.20.5. (gardener/gardener-extension-shoot-cert-service#166, @MartinWeindel)
• [OPERATOR] Old and obsolete logging configurations are cleaned up. (gardener/gardener-extension-shoot-cert-service#168, @vlvasilev)
• [DEPENDENCY] The following dependency is updated: (gardener/gardener-extension-shoot-cert-service#164, @acumino)
  • github.com/gardener/gardener: v1.65.3 -> v1.71.0
  • k8s.io/* : v0.26.1 -> v0.26.3
  • sigs.k8s.io/controller-runtime: v0.14.4-> v0.14.6

[cert-management]

✨ New Features

• [OPERATOR] Added metrics named cert_management_cert_object_expire for certificate expiration date. (gardener/cert-management#131, @MartinWeindel)

🏃 Others

• [OPERATOR] The Helm chart is now adapted such that it works well in garden cluster with enabled NetworkPolicy protection (default since gardener/gardener@v1.71 when garden cluster is managed by gardener-operator). (gardener/cert-management#128, @rfranzke)
• [OPERATOR] Updated golang builder image from version 1.20.4 to 1.20.5. (gardener/cert-management#131, @MartinWeindel)

Update shoot-dns-service to 1.35.0

[gardener-extension-shoot-dns-service]

🏃 Others

• [OPERATOR] Update golang image from version 1.20.4 to 1.20.5. (gardener/gardener-extension-shoot-dns-service#214, @MartinWeindel)
• [OPERATOR] Old and obsolete logging configurations are cleaned up. (gardener/gardener-extension-shoot-dns-service#215, @vlvasilev)

[external-dns-management]

🏃 Others

• [OPERATOR] The Helm chart is now adapted such that it works well in garden cluster with enabled NetworkPolicy protection (default since gardener/gardener@v1.71 when garden cluster is managed by gardener-operator). (gardener/external-dns-management#306, @rfranzke)
• [OPERATOR] Bump builder image from golang:1.20.4 to golang:1.20.5 (gardener/external-dns-management#308, @MartinWeindel)

Update cloudprofiles to 0.6.3

What's Changed

• Deprecates old versions automatically (instead of removing) by @23t-machine-user in https://github.com/gardener-community/cloudprofiles/pull/24

Full Changelog: https://github.com/gardener-community/cloudprofiles/compare/0.6.2...0.6.3

Update provider-gcp to 1.29.4

[gardener-extension-provider-gcp]

🏃 Others

• [OPERATOR] The following dependencies were updated: (gardener/gardener-extension-provider-gcp#620, @vpnachev)
  • registry.k8s.io/cloud-provider-gcp/gcp-compute-persistent-disk-csi-driver v1.9.4 -> v1.9.5

Update gardener-controlplane to 1.73.0

[gardener]

⚠️ Breaking Changes

• [OPERATOR] The field .spec.secretRef in the Seed API has been deprecated and will be removed in a future release of Gardener. (gardener/gardener#8064, @acumino)
• [OPERATOR] Before upgrading to this gardener version, operators should configure gardener-apiserver to encrypt the internalsecrets.core.gardener.cloud resource in etcd. (gardener/gardener#8078, @timebertt)
• [OPERATOR] The GA-ed feature gates SeedChange and CopyEtcdBackupsDuringControlPlaneMigration have been removed. (gardener/gardener#8008, @rfranzke)
• [OPERATOR] The feature gates FullNetworkPolicies and HAControlPlanes have been promoted to GA and are now locked to "unconditionally enabled". (gardener/gardener#8008, @rfranzke)
• [OPERATOR] The deprecated feature gate APIServerSNI has been removed. (gardener/gardener#8062, @rfranzke)
• [DEVELOPER] Functions controllerutils.GetAndCreateOrMergePatch, controllerutils.GetAndCreateOrStrategicMergePatch, controllerutils.CreateOrGetAndMergePatch and controllerutils.CreateOrGetAndStrategicMergePatch were incompatibly changed and now accept a controllerutils.PatchOption instead of client.MergeFromOption. (gardener/gardener#8043, @timuthy)
  • If your controllers use one of these functions with client.MergeFromOption, you should update it to controllerutils.PatchOption.
  • The controllerutils.PatchOption can hold two options today:
  • client.MergeFromOption which is passed to the underlying patch function.
  • controllerutils.SkipEmptyPatch which prevents sending empty patches ({}).

✨ New Features

• [OPERATOR] A new alpha feature gate DisableScalingClassesForShoots has been introduced on gardenlet. If turned on, initial resource requests for kube-apiservers of shoot clusters running on seed clusters which enable the HVPA feature gate are assigned statically and no longer by a scaling class determined by maximum node count. This helps to reduce resource waste for clusters with little usage. (gardener/gardener#8003, @voelzmo)
• [OPERATOR] A new alpha feature gate named MachineControllerManagerDeployment has been introduced in gardenlet. Only enable it when all registered provider extensions in your landscape support this feature. (gardener/gardener#8018, @rfranzke)
• [OPERATOR] gardener-apiserver now exposes a new core.gardener.cloud/v1beta1.InternalSecret API, see the documentation for more information. (gardener/gardener#8025, @timebertt)
• [OPERATOR] The gardenlet's ManagedSeed controller now cleans up the referred seed secret when .spec.secretRef is unset in the seed template. (gardener/gardener#8039, @shafeeqes)
• [DEVELOPER] It is now easier to annotate Services related to extensions serving webhook handlers that must be reached by kube-apiservers running in separate namespaces such that the respective network traffic gets allowed. Please refer to this guide for all information. Extensions serving shoot webhook should make use of this new approach - the old functionality deploying dedicated NetworkPolicys is deprecated and will be removed in the future. (gardener/gardener#8076, @rfranzke)
• [DEVELOPER] gardenlet's ControllerInstallation controller now populates the feature gate of gardenlet via the Helm values to extensions when they are getting installed. The information is populated via the .gardener.gardenlet.featureGates key. It contains a map whose keys are feature gates names and whose values are booleans (depicting the enablement status). (gardener/gardener#8011, @rfranzke)
• [DEVELOPER] Provider extensions should be adapted such that they only inject their provider-specific machine-controller-manager sidecar container into the machine-controller-manager deployment instead of managing the full deployment themselves. In the future, gardenlet will take over managing it. Please see https://github.com/gardener/gardener/pull/8019 for an example how provider-local was adapted and replicate it for your provider extensions. (gardener/gardener#8018, @rfranzke)
• [DEVELOPER] Provider extensions should be adapted such that they no longer perform health checks specific to the machine-controller-manager deployment or the machines/nodes. In the future, gardenlet will take over performing these checks. Please see https://github.com/gardener/gardener/pull/8019 for an example how provider-local was adapted and replicate it for your provider extensions. (gardener/gardener#8056, @rfranzke)

🐛 Bug Fixes

• [USER] A bug causing the shoot provider label in the infrastructure secret to not get cleaned up is now fixed. (gardener/gardener#7994, @shafeeqes)
• [USER] Webhooks remediator sets the timeoutSeonds to 3 seconds for webhook affecting lease resources in kube-system namespace only if there is no objectSelector provided in webhook. (gardener/gardener#8034, @acumino)
• [OPERATOR] A bug has been fixed in the garden/fluent-bit that caused a failure in creating networkpolicies for scraping metrics. (gardener/gardener#8069, @timuthy)
• [OPERATOR] A bug has been fixed in the HighAvailabilityConfig-Webhook which caused duplicated entries for zone affinities. (gardener/gardener#8042, @timuthy)
• [OPERATOR] The terraformer library will now skip deletion of the Terraformer pod when the request context has been canceled. This change aims to prevent inconsistencies in Terraform state by attempting to allow uninterrupted execution of healthy Terraformer pods. (gardener/gardener#8059, @kon-angelo)
• [DEVELOPER] pkg/resourcemanager/controller/garbagecollector/references.InjectAnnotations now also handles pods.spec.imagePullSecrets. (gardener/gardener#8028, @vpnachev)

🏃 Others

• [OPERATOR] The shoot namespace in seeds is redeployed during shoot deletion to update the zones in use. (gardener/gardener#8079, @timuthy)
• [OPERATOR] nginx-ingress-controller-seed image is updated to v1.8.0 for 1.24.x+ seeds. (gardener/gardener#8021, @shafeeqes)
• [OPERATOR] The following image is updated: (gardener/gardener#8029, @nickytd)
  • quay.io/brancz/kube-rbac-proxy: v0.14.0 -> v0.14.2
• [OPERATOR] The worker count for the NetworkPolicy controller in GRM was increased to 20. This is necessary to create and update NetworkPolicies in time, esp. on larger seed clusters. (gardener/gardener#8035, @timuthy)
• [DEVELOPER] gardenlet is taking over management of the CustomResourceDefinitions for the machine.sapcloud.io/v1alpha1 API group, hence extensions do no longer need to take care. Consequently, the extensions/pkg/controller/worker.Options struct as well as the extensions/pkg/controller/worker.ApplyMachineResources{ForConfig} functions are deprecated and will be removed in a future release. (gardener/gardener#8015, @rfranzke)
• [DEVELOPER] Go version is updated to 1.20.5. (gardener/gardener#8037, @shafeeqes)
• [DEVELOPER] The kind clusters are now unified to use garden.local.gardener.cloud DNS name in the containerd config when configuring registry mirror hostnames. Previously, to access the pull through registry cache some kind clusters were configured to use garden.local.gardener.cloud, others - the Node name of the control plane Node. (gardener/gardener#8063, @ialidzhikov)

Update gardener-controlplane to 1.73.0

[gardener]

⚠️ Breaking Changes

• [OPERATOR] The field .spec.secretRef in the Seed API has been deprecated and will be removed in a future release of Gardener. (gardener/gardener#8064, @acumino)
• [OPERATOR] Before upgrading to this gardener version, operators should configure gardener-apiserver to encrypt the internalsecrets.core.gardener.cloud resource in etcd. (gardener/gardener#8078, @timebertt)
• [OPERATOR] The GA-ed feature gates SeedChange and CopyEtcdBackupsDuringControlPlaneMigration have been removed. (gardener/gardener#8008, @rfranzke)
• [OPERATOR] The feature gates FullNetworkPolicies and HAControlPlanes have been promoted to GA and are now locked to "unconditionally enabled". (gardener/gardener#8008, @rfranzke)
• [OPERATOR] The deprecated feature gate APIServerSNI has been removed. (gardener/gardener#8062, @rfranzke)
• [DEVELOPER] Functions controllerutils.GetAndCreateOrMergePatch, controllerutils.GetAndCreateOrStrategicMergePatch, controllerutils.CreateOrGetAndMergePatch and controllerutils.CreateOrGetAndStrategicMergePatch were incompatibly changed and now accept a controllerutils.PatchOption instead of client.MergeFromOption. (gardener/gardener#8043, @timuthy)
  • If your controllers use one of these functions with client.MergeFromOption, you should update it to controllerutils.PatchOption.
  • The controllerutils.PatchOption can hold two options today:
  • client.MergeFromOption which is passed to the underlying patch function.
  • controllerutils.SkipEmptyPatch which prevents sending empty patches ({}).

✨ New Features

• [OPERATOR] A new alpha feature gate DisableScalingClassesForShoots has been introduced on gardenlet. If turned on, initial resource requests for kube-apiservers of shoot clusters running on seed clusters which enable the HVPA feature gate are assigned statically and no longer by a scaling class determined by maximum node count. This helps to reduce resource waste for clusters with little usage. (gardener/gardener#8003, @voelzmo)
• [OPERATOR] A new alpha feature gate named MachineControllerManagerDeployment has been introduced in gardenlet. Only enable it when all registered provider extensions in your landscape support this feature. (gardener/gardener#8018, @rfranzke)
• [OPERATOR] gardener-apiserver now exposes a new core.gardener.cloud/v1beta1.InternalSecret API, see the documentation for more information. (gardener/gardener#8025, @timebertt)
• [OPERATOR] The gardenlet's ManagedSeed controller now cleans up the referred seed secret when .spec.secretRef is unset in the seed template. (gardener/gardener#8039, @shafeeqes)
• [DEVELOPER] It is now easier to annotate Services related to extensions serving webhook handlers that must be reached by kube-apiservers running in separate namespaces such that the respective network traffic gets allowed. Please refer to this guide for all information. Extensions serving shoot webhook should make use of this new approach - the old functionality deploying dedicated NetworkPolicys is deprecated and will be removed in the future. (gardener/gardener#8076, @rfranzke)
• [DEVELOPER] gardenlet's ControllerInstallation controller now populates the feature gate of gardenlet via the Helm values to extensions when they are getting installed. The information is populated via the .gardener.gardenlet.featureGates key. It contains a map whose keys are feature gates names and whose values are booleans (depicting the enablement status). (gardener/gardener#8011, @rfranzke)
• [DEVELOPER] Provider extensions should be adapted such that they only inject their provider-specific machine-controller-manager sidecar container into the machine-controller-manager deployment instead of managing the full deployment themselves. In the future, gardenlet will take over managing it. Please see https://github.com/gardener/gardener/pull/8019 for an example how provider-local was adapted and replicate it for your provider extensions. (gardener/gardener#8018, @rfranzke)
• [DEVELOPER] Provider extensions should be adapted such that they no longer perform health checks specific to the machine-controller-manager deployment or the machines/nodes. In the future, gardenlet will take over performing these checks. Please see https://github.com/gardener/gardener/pull/8019 for an example how provider-local was adapted and replicate it for your provider extensions. (gardener/gardener#8056, @rfranzke)

🐛 Bug Fixes

• [USER] A bug causing the shoot provider label in the infrastructure secret to not get cleaned up is now fixed. (gardener/gardener#7994, @shafeeqes)
• [USER] Webhooks remediator sets the timeoutSeonds to 3 seconds for webhook affecting lease resources in kube-system namespace only if there is no objectSelector provided in webhook. (gardener/gardener#8034, @acumino)
• [OPERATOR] A bug has been fixed in the garden/fluent-bit that caused a failure in creating networkpolicies for scraping metrics. (gardener/gardener#8069, @timuthy)
• [OPERATOR] A bug has been fixed in the HighAvailabilityConfig-Webhook which caused duplicated entries for zone affinities. (gardener/gardener#8042, @timuthy)
• [OPERATOR] The terraformer library will now skip deletion of the Terraformer pod when the request context has been canceled. This change aims to prevent inconsistencies in Terraform state by attempting to allow uninterrupted execution of healthy Terraformer pods. (gardener/gardener#8059, @kon-angelo)
• [DEVELOPER] pkg/resourcemanager/controller/garbagecollector/references.InjectAnnotations now also handles pods.spec.imagePullSecrets. (gardener/gardener#8028, @vpnachev)

🏃 Others

• [OPERATOR] The shoot namespace in seeds is redeployed during shoot deletion to update the zones in use. (gardener/gardener#8079, @timuthy)
• [OPERATOR] nginx-ingress-controller-seed image is updated to v1.8.0 for 1.24.x+ seeds. (gardener/gardener#8021, @shafeeqes)
• [OPERATOR] The following image is updated: (gardener/gardener#8029, @nickytd)
  • quay.io/brancz/kube-rbac-proxy: v0.14.0 -> v0.14.2
• [OPERATOR] The worker count for the NetworkPolicy controller in GRM was increased to 20. This is necessary to create and update NetworkPolicies in time, esp. on larger seed clusters. (gardener/gardener#8035, @timuthy)
• [DEVELOPER] gardenlet is taking over management of the CustomResourceDefinitions for the machine.sapcloud.io/v1alpha1 API group, hence extensions do no longer need to take care. Consequently, the extensions/pkg/controller/worker.Options struct as well as the extensions/pkg/controller/worker.ApplyMachineResources{ForConfig} functions are deprecated and will be removed in a future release. (gardener/gardener#8015, @rfranzke)
• [DEVELOPER] Go version is updated to 1.20.5. (gardener/gardener#8037, @shafeeqes)
• [DEVELOPER] The kind clusters are now unified to use garden.local.gardener.cloud DNS name in the containerd config when configuring registry mirror hostnames. Previously, to access the pull through registry cache some kind clusters were configured to use garden.local.gardener.cloud, others - the Node name of the control plane Node. (gardener/gardener#8063, @ialidzhikov)

Update gardenlet to 1.73.0

[gardener]

⚠️ Breaking Changes

• [OPERATOR] The field .spec.secretRef in the Seed API has been deprecated and will be removed in a future release of Gardener. (gardener/gardener#8064, @acumino)
• [OPERATOR] Before upgrading to this gardener version, operators should configure gardener-apiserver to encrypt the internalsecrets.core.gardener.cloud resource in etcd. (gardener/gardener#8078, @timebertt)
• [OPERATOR] The GA-ed feature gates SeedChange and CopyEtcdBackupsDuringControlPlaneMigration have been removed. (gardener/gardener#8008, @rfranzke)
• [OPERATOR] The feature gates FullNetworkPolicies and HAControlPlanes have been promoted to GA and are now locked to "unconditionally enabled". (gardener/gardener#8008, @rfranzke)
• [OPERATOR] The deprecated feature gate APIServerSNI has been removed. (gardener/gardener#8062, @rfranzke)
• [DEVELOPER] Functions controllerutils.GetAndCreateOrMergePatch, controllerutils.GetAndCreateOrStrategicMergePatch, controllerutils.CreateOrGetAndMergePatch and controllerutils.CreateOrGetAndStrategicMergePatch were incompatibly changed and now accept a controllerutils.PatchOption instead of client.MergeFromOption. (gardener/gardener#8043, @timuthy)
  • If your controllers use one of these functions with client.MergeFromOption, you should update it to controllerutils.PatchOption.
  • The controllerutils.PatchOption can hold two options today:
  • client.MergeFromOption which is passed to the underlying patch function.
  • controllerutils.SkipEmptyPatch which prevents sending empty patches ({}).

✨ New Features

• [OPERATOR] A new alpha feature gate DisableScalingClassesForShoots has been introduced on gardenlet. If turned on, initial resource requests for kube-apiservers of shoot clusters running on seed clusters which enable the HVPA feature gate are assigned statically and no longer by a scaling class determined by maximum node count. This helps to reduce resource waste for clusters with little usage. (gardener/gardener#8003, @voelzmo)
• [OPERATOR] A new alpha feature gate named MachineControllerManagerDeployment has been introduced in gardenlet. Only enable it when all registered provider extensions in your landscape support this feature. (gardener/gardener#8018, @rfranzke)
• [OPERATOR] gardener-apiserver now exposes a new core.gardener.cloud/v1beta1.InternalSecret API, see the documentation for more information. (gardener/gardener#8025, @timebertt)
• [OPERATOR] The gardenlet's ManagedSeed controller now cleans up the referred seed secret when .spec.secretRef is unset in the seed template. (gardener/gardener#8039, @shafeeqes)
• [DEVELOPER] It is now easier to annotate Services related to extensions serving webhook handlers that must be reached by kube-apiservers running in separate namespaces such that the respective network traffic gets allowed. Please refer to this guide for all information. Extensions serving shoot webhook should make use of this new approach - the old functionality deploying dedicated NetworkPolicys is deprecated and will be removed in the future. (gardener/gardener#8076, @rfranzke)
• [DEVELOPER] gardenlet's ControllerInstallation controller now populates the feature gate of gardenlet via the Helm values to extensions when they are getting installed. The information is populated via the .gardener.gardenlet.featureGates key. It contains a map whose keys are feature gates names and whose values are booleans (depicting the enablement status). (gardener/gardener#8011, @rfranzke)
• [DEVELOPER] Provider extensions should be adapted such that they only inject their provider-specific machine-controller-manager sidecar container into the machine-controller-manager deployment instead of managing the full deployment themselves. In the future, gardenlet will take over managing it. Please see https://github.com/gardener/gardener/pull/8019 for an example how provider-local was adapted and replicate it for your provider extensions. (gardener/gardener#8018, @rfranzke)
• [DEVELOPER] Provider extensions should be adapted such that they no longer perform health checks specific to the machine-controller-manager deployment or the machines/nodes. In the future, gardenlet will take over performing these checks. Please see https://github.com/gardener/gardener/pull/8019 for an example how provider-local was adapted and replicate it for your provider extensions. (gardener/gardener#8056, @rfranzke)

🐛 Bug Fixes

• [USER] A bug causing the shoot provider label in the infrastructure secret to not get cleaned up is now fixed. (gardener/gardener#7994, @shafeeqes)
• [USER] Webhooks remediator sets the timeoutSeonds to 3 seconds for webhook affecting lease resources in kube-system namespace only if there is no objectSelector provided in webhook. (gardener/gardener#8034, @acumino)
• [OPERATOR] A bug has been fixed in the garden/fluent-bit that caused a failure in creating networkpolicies for scraping metrics. (gardener/gardener#8069, @timuthy)
• [OPERATOR] A bug has been fixed in the HighAvailabilityConfig-Webhook which caused duplicated entries for zone affinities. (gardener/gardener#8042, @timuthy)
• [OPERATOR] The terraformer library will now skip deletion of the Terraformer pod when the request context has been canceled. This change aims to prevent inconsistencies in Terraform state by attempting to allow uninterrupted execution of healthy Terraformer pods. (gardener/gardener#8059, @kon-angelo)
• [DEVELOPER] pkg/resourcemanager/controller/garbagecollector/references.InjectAnnotations now also handles pods.spec.imagePullSecrets. (gardener/gardener#8028, @vpnachev)

🏃 Others

• [OPERATOR] The shoot namespace in seeds is redeployed during shoot deletion to update the zones in use. (gardener/gardener#8079, @timuthy)
• [OPERATOR] nginx-ingress-controller-seed image is updated to v1.8.0 for 1.24.x+ seeds. (gardener/gardener#8021, @shafeeqes)
• [OPERATOR] The following image is updated: (gardener/gardener#8029, @nickytd)
  • quay.io/brancz/kube-rbac-proxy: v0.14.0 -> v0.14.2
• [OPERATOR] The worker count for the NetworkPolicy controller in GRM was increased to 20. This is necessary to create and update NetworkPolicies in time, esp. on larger seed clusters. (gardener/gardener#8035, @timuthy)
• [DEVELOPER] gardenlet is taking over management of the CustomResourceDefinitions for the machine.sapcloud.io/v1alpha1 API group, hence extensions do no longer need to take care. Consequently, the extensions/pkg/controller/worker.Options struct as well as the extensions/pkg/controller/worker.ApplyMachineResources{ForConfig} functions are deprecated and will be removed in a future release. (gardener/gardener#8015, @rfranzke)
• [DEVELOPER] Go version is updated to 1.20.5. (gardener/gardener#8037, @shafeeqes)
• [DEVELOPER] The kind clusters are now unified to use garden.local.gardener.cloud DNS name in the containerd config when configuring registry mirror hostnames. Previously, to access the pull through registry cache some kind clusters were configured to use garden.local.gardener.cloud, others - the Node name of the control plane Node. (gardener/gardener#8063, @ialidzhikov)

Update provider-gcp to 1.30.0

[gardener-extension-provider-gcp]

📖 Documentation

• [DEPENDENCY] The flags which went out-of-support in MCM v0.49.0 have been cleaned up from MCM deployment yaml. (gardener/gardener-extension-provider-gcp#585, @himanshu-kun)

🏃 Others

• [OPERATOR] a sustainable way to look for available bastion OS images (gardener/gardener-extension-provider-gcp#568, @tedteng)
• [OPERATOR] machineDeployment will have the label topology.gke.io/zone when created. (gardener/gardener-extension-provider-gcp#591, @elankath)
• [OPERATOR] The admission/validation component is now adapted such that it works well in garden cluster with enabled NetworkPolicy protection (default since gardener/gardener@v1.71 when garden cluster is managed by gardener-operator). (gardener/gardener-extension-provider-gcp#594, @rfranzke)
• [OPERATOR] Update go version to v1.20.4 (gardener/gardener-extension-provider-gcp#599, @kon-angelo)
• [OPERATOR] Update cloud-provider-gcp image v1.24.9 -> v1.24.13 (gardener/gardener-extension-provider-gcp#600, @kon-angelo)
• [OPERATOR] Update cloud-provider-gcp image v1.25.5 -> v1.25.9 (gardener/gardener-extension-provider-gcp#600, @kon-angelo)
• [OPERATOR] Update cloud-provider-gcp image v1.26.1 -> v1.26.4 (gardener/gardener-extension-provider-gcp#600, @kon-angelo)
• [OPERATOR] Support for CMEK Disk Encryption for volumes (gardener/gardener-extension-provider-gcp#607, @elankath)
• [OPERATOR] Update CCM configuration to always enable the route controller regardless if overlay is used. This is done to prevent a race condition that would mark an otherwise healthy node with the NetworkUnavailable condition. (gardener/gardener-extension-provider-gcp#613, @kon-angelo)
• [OPERATOR] The following dependencies were updated: (gardener/gardener-extension-provider-gcp#619, @vpnachev)
  • registry.k8s.io/cloud-provider-gcp/gcp-compute-persistent-disk-csi-driver v1.9.4 -> v1.9.5
• [OPERATOR] Introduce flow-based infrastructure reconciliation without Terraformer. To use it, the Shoot or Infrastructure objects must be annotated with gcp.provider.extensions.gardener.cloud/use-flow=true. (gardener/gardener-extension-provider-gcp#495, @kon-angelo)
• [DEPENDENCY] The following dependency is updated: (gardener/gardener-extension-provider-gcp#596, @shafeeqes)
  • github.com/gardener/gardener: v1.67.1 -> v1.70.2

[machine-controller-manager]

⚠️ Breaking Changes

• [OPERATOR] Removal of the following flags (and corresponding fields in associated structs): 'machine-creation-timeout' 'machine-drain-timeout', 'machine-pv-detach-timeout', 'machine-health-timeout=10m', 'machine-safety-apiserver-statuscheck-timeout', 'machine-safety-apiserver-statuscheck-period', 'machine-safety-orphan-vms-period', 'machine-max-evict-retries', 'node-conditions', 'bootstrap-token-auth-extra-groups', 'delete-migrated-machine-class'. The MCM no longer accepts these flags since these are options handled by the Machine Controller invoked by platform specific provider launchers. (gardener/machine-controller-manager#769, @elankath)
• [DEVELOPER] Deletion of 'Driver.GenerateMachineClassForMigration'. Providers need to adapt to this. (gardener/machine-controller-manager#769, @elankath)

✨ New Features

• [USER] Machine object won't turn from Pending to Running state if node.gardener.cloud/critical-components-not-ready taint is there on the corresponding node. (gardener/machine-controller-manager#778, @SimonKienzler)

🐛 Bug Fixes

• [USER] An edge case where all the machineSets were scaled down to zero has been dealt with. (gardener/machine-controller-manager#803, @himanshu-kun)
• [USER] Fix a bug in the bootstrap token creation that caused node to not be able to join the cluster due to an expired bootstrap token. (gardener/machine-controller-manager#773, @schrodit)
• [USER] An edge case where all the machineSets were scaled down to zero has been dealt with. (gardener/machine-controller-manager#804, @himanshu-kun)
• [USER] An edge case where outdated DesiredReplicas annotation blocked a rolling update is fixed. (gardener/machine-controller-manager#822, @rishabh-11)
• [OPERATOR] An issue causing nil pointer panic on scaleup of the machinedeployment along with trigger of rolling update, is fixed (gardener/machine-controller-manager#817, @himanshu-kun)

📖 Documentation

• [DEVELOPER] Added proposal for hot-update of resources (instance/Nic/Disk) (gardener/machine-controller-manager#761, @himanshu-kun)

🏃 Others

• [OPERATOR] CrashloopBackoff machines will turn to Running quicker (gardener/machine-controller-manager#806, @rishabh-11)
• [OPERATOR] CVE categorization for MCM has been added. (gardener/machine-controller-manager#791, @dkistner)
• [DEVELOPER] The API generation now works again. Previously the API docs was generated to a location that was ignored by git and other API docs file was maintained. (gardener/machine-controller-manager#800, @ialidzhikov)
• [DEVELOPER] Bump k8s.io/* dependencies to v1.26.2 (gardener/machine-controller-manager#792, @afritzler)

[machine-controller-manager-provider-gcp]

⚠️ Breaking Changes

• [OPERATOR] Support for migration of machineClass is dropped by the mcm-provider (gardener/machine-controller-manager-provider-gcp#80, @himanshu-kun)

🏃 Others

• [USER] Updated golang version to 1.20.4 (gardener/machine-controller-manager-provider-gcp#83, @rishabh-11)
• [USER] CMEK disk encryption is now supported for disks attached to VM. Refer https://github.com/gardener/machine-controller-manager-provider-gcp/blob/master/kubernetes/machine-class.yaml for example (gardener/machine-controller-manager-provider-gcp#84, @elankath)
• [USER] Updated golang version to 1.20.5 (gardener/machine-controller-manager-provider-gcp#87, @rishabh-11)
• [OPERATOR] CVE categorization for mcm-provider-gcp has been added. (gardener/machine-controller-manager-provider-gcp#72, @dkistner)
• [DEVELOPER] Enhanced Dev Testing Doc for CMEK (gardener/machine-controller-manager-provider-gcp#85, @elankath)
• [DEPENDENCY] upgraded dependency: (gardener/machine-controller-manager-provider-gcp#80, @himanshu-kun)
  • github.com/gardener/machine-controller-manager -> v0.49.1

[terraformer]

🏃 Others

• [OPERATOR] Update alpine base image to v3.17.3 (gardener/terraformer#136, @kon-angelo)
• [OPERATOR] Terrafomer base image has been updated from alpine:3.17.2 to alpine:3.18.0 (gardener/terraformer#137, @MartinWeindel)
• [OPERATOR] Builder base image has been updated from golang:1.19.6 to golang:1.20.4 (gardener/terraformer#137, @MartinWeindel)
• [OPERATOR] Gardener dependency has been updated from v1.59.1 to v1.71.2 (gardener/terraformer#137, @MartinWeindel)

Update etcd to 5.3.1

What's Changed

• Removes, (potentially) conflicting lines in backup credentials secret template by @mxmxchere in https://github.com/gardener-community/etcd/pull/11

Full Changelog: https://github.com/gardener-community/etcd/compare/5.3.0...5.3.1

Update etcd to 5.3.1

What's Changed

• Removes, (potentially) conflicting lines in backup credentials secret template by @mxmxchere in https://github.com/gardener-community/etcd/pull/11

Full Changelog: https://github.com/gardener-community/etcd/compare/5.3.0...5.3.1

Update external-dns-management to 0.15.5

[external-dns-management]

✨ New Features

• [USER] Add annotation dns.gardener.cloud/owner-id to set owner id (gardener/external-dns-management#309, @MartinWeindel)

Update shoot-dns-service to 1.36.0

[external-dns-management]

✨ New Features

• [USER] Add annotation dns.gardener.cloud/owner-id to set owner id (gardener/external-dns-management#309, @MartinWeindel)

Update provider-openstack to 1.35.0

[gardener-extension-provider-openstack]

⚠️ Breaking Changes

• [OPERATOR] With https://github.com/gardener/gardener-extension-provider-openstack/pull/297 provider-openstack migrated the volumesnapshot CRDs to a new dedicated ManagedResources. provider-openstack does now remove the ignored CRDs. (gardener/gardener-extension-provider-openstack#635, @ialidzhikov)
  • Before updating to this version of provider-openstack, make sure that the migration of the volumesnapshot CRDs from the extension-controlplane-shoot to the extension-controlplane-shoot-crds ManagedResource completed. If the migration did not complete yet, GRM will interpret the removal of the CRDs as deletion and will delete the CRDs.

✨ New Features

• [USER] The provider-openstack extension does now support shoot clusters with Kubernetes version 1.27. You should consider the Kubernetes release notes before upgrading to 1.27. (gardener/gardener-extension-provider-openstack#632, @ary1992)

🏃 Others

• [OPERATOR] Update cloud-provider-openstack images v1.25.5 -> v1.25.6 (gardener/gardener-extension-provider-openstack#642, @kon-angelo)
• [OPERATOR] Update cloud-provider-openstack images v1.26.2 -> v1.26.3 (gardener/gardener-extension-provider-openstack#642, @kon-angelo)
• [OPERATOR] Old and obsolete logging configurations are removed. (gardener/gardener-extension-provider-openstack#639, @vlvasilev)
• [DEPENDENCY] The following dependencies were updated: (gardener/gardener-extension-provider-openstack#640, @dimityrmirchev)
  • registry.k8s.io/sig-storage/csi-provisioner v3.4.0 -> v3.4.1

Update networking-calico to 1.34.1

[gardener-extension-networking-calico]

🏃 Others

• [OPERATOR] networking-calico does no longer use Gardener GCR copies for the calico images. Instead, the upstream quay.io container images are used (quay.io/calico/node, quay.io/calico/cni, quay.io/calico/typha, quay.io/calico/kube-controllers). (gardener/gardener-extension-networking-calico#277, @ialidzhikov)