Release Notes v1.87

YAKE release notes and upgrade guide

Update dashboard to 1.71.1

[gardener/dashboard]

🐛 Bug Fixes

  • [USER] Fixed an issue where the error message _all is not a function was displayed on the ALL PROJECTS page. by @holgerkoser [#1663]

Docker Images

  • dashboard: europe-docker.pkg.dev/gardener-project/releases/gardener/dashboard:1.71.1
Update external-dns-management to 0.16.1

[gardener/external-dns-management]

⚠️ Breaking Changes

  • [OPERATOR] Change OCI Image Registry from GCR (eu.gcr.io/gardener-project) to Artifact-Registry (europe-docker.pkg.dev/gardener-project/releases). Users should update their references. by @ccwienk [#342]
  • [OPERATOR] rfc2136 provider expects TSIGSecret in base64 encoded format (previously base64 decoded was expected) by @Avarei [#347]

✨ New Features

  • [USER] [AWS Route53] Create an additional alias AAAA record for load balancers (NLBs) if load balancer target domain name has an IPv6 address. by @MartinWeindel [#341]

🏃 Others

  • [OPERATOR] Bumps golang from 1.21.4 to 1.21.5. by @dependabot[bot] [#338]
  • [DEVELOPER] Remove vendoring by @MartinWeindel [#345]

Docker Images

  • dns-controller-manager: europe-docker.pkg.dev/gardener-project/releases/dns-controller-manager:v0.16.1
Update shoot-dns-service to 1.42.0

[gardener/external-dns-management]

⚠️ Breaking Changes

  • [OPERATOR] rfc2136 provider expects TSIGSecret in base64 encoded format (previously base64 decoded was expected) by @Avarei [gardener/external-dns-management#347]
  • [OPERATOR] Change OCI Image Registry from GCR (eu.gcr.io/gardener-project) to Artifact-Registry (europe-docker.pkg.dev/gardener-project/releases). Users should update their references. by @ccwienk [gardener/external-dns-management#342]

✨ New Features

  • [USER] [AWS Route53] Create an additional alias AAAA record for load balancers (NLBs) if load balancer target domain name has an IPv6 address. by @MartinWeindel [gardener/external-dns-management#341]

🏃 Others

  • [DEVELOPER] Remove vendoring by @MartinWeindel [gardener/external-dns-management#345]
  • [OPERATOR] Bumps golang from 1.21.4 to 1.21.5. by @dependabot[bot] [gardener/external-dns-management#338]

[gardener/gardener-extension-shoot-dns-service]

🏃 Others

  • [OPERATOR] Bump github.com/gardener/gardener from 1.85.0 to 1.86.0. by @MartinWeindel [#268]
  • [DEVELOPER] Remove vendoring from project by @MartinWeindel [#268]
Update cloudprofiles to 0.6.10
Update provider-azure to 1.40.0

[gardener/gardener-extension-provider-azure]

⚠️ Breaking Changes

  • [OPERATOR] Change OCI Image Registry from GCR (eu.gcr.io/gardener-project) to Artifact-Registry (europe-docker.pkg.dev/gardener-project/releases). Users should update their references. by @ccwienk [#762]

🐛 Bug Fixes

  • [OPERATOR] A bug which caused an empty vmType under certain conditions has been fixed. Empty vmTypes prevent load balancers from being deleted on Kubernetes v1.28 shoots. by @oliver-goetz [#754]

🏃 Others

  • [DEVELOPER] Add new unit tests. by @axel7born [#751]
  • [OPERATOR] Updated azurecsi-file image -> v1.29.2 by @kon-angelo [#760]
  • [OPERATOR] Set azurefile-csi CSIDriver object to support ephemeral disks. by @kon-angelo [#756]
  • [OPERATOR] Add new flow-based infrastructure reconciler. by @kon-angelo [#739]
  • [OPERATOR] Set azurefile-csi CSIDriver object with attachRequired to false. by @kon-angelo [#756]
  • [DEPENDENCY] Vendor gardener v1.83.3 by @kon-angelo [#764]

Docker Images

  • gardener-extension-admission-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-azure:v1.40.0
  • gardener-extension-provider-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-azure:v1.40.0
Update shoot-dns-service to 1.42.1

[gardener/gardener-extension-shoot-dns-service]

🐛 Bug Fixes

  • [OPERATOR] An issue has been fixed that led to invalid webhook configurations after the admission controller rotated the CA and server certificates. by @timuthy [#278]
Update shoot-dns-service to 1.42.2

[gardener/gardener-extension-shoot-dns-service]

🏃 Others

  • [OPERATOR] Downgrade dns-controller-manager from v0.16.1 to v0.16.0 to disable newly introduced feature "Create alias AAAA records for load balancers if target domain name has an IPv6 address" because of leaking AAAA under some circumstances. by @MartinWeindel [#279]
Update provider-azure to 1.40.1

[gardener/gardener-extension-provider-azure]

🐛 Bug Fixes

  • [USER] Disk detachment step is skipped while terminating terminal state VMs. Terminal state VMs have provisioningState as Failed. by @himanshu-kun [#773]

Docker Images

  • gardener-extension-admission-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-azure:v1.40.1
  • gardener-extension-provider-azure: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/provider-azure:v1.40.1
Update shoot-networking-problemdetector to 0.20.0

[gardener/network-problem-detector]

⚠️ Breaking Changes

  • [OPERATOR] Change OCI Image Registry from GCR (eu.gcr.io/gardener-project) to Artifact-Registry (europe-docker.pkg.dev/gardener-project/releases). Users should update their references. by @ccwienk [gardener/network-problem-detector#53]

🏃 Others

  • [OPERATOR] Bumps golang from 1.21.3 to 1.21.4. by @dependabot[bot] [gardener/network-problem-detector#51]
  • [OPERATOR] Fix image repository for releases by @MartinWeindel [gardener/network-problem-detector#55]
  • [OPERATOR] Bumps golang from 1.21.4 to 1.21.5. by @dependabot[bot] [gardener/network-problem-detector#52]
  • [DEVELOPER] remove vendoring by @MartinWeindel [gardener/network-problem-detector#54]

[gardener/gardener-extension-shoot-networking-problemdetector]

🏃 Others

  • [OPERATOR] Bump github.com/gardener/gardener from 1.84.0 to 1.84.1. by @dependabot[bot] [#106]
  • [OPERATOR] Bump github.com/gardener/gardener from 1.81.1 to 1.82.0. by @dependabot[bot] [#99]
  • [OPERATOR] Bump github.com/gardener/gardener from 1.83.0 to 1.84.0. by @dependabot[bot] [#105]
  • [OPERATOR] Bump github.com/gardener/gardener from 1.82.0 to 1.82.1. by @dependabot[bot] [#100]
  • [OPERATOR] Bump github.com/gardener/gardener from 1.85.0 to 1.86.0. by @dependabot[bot] [#111]
  • [OPERATOR] Bump github.com/gardener/gardener from 1.82.1 to 1.83.0. by @dependabot[bot] [#102]
  • [OPERATOR] Bumps github.com/gardener/gardener from 1.80.1 to 1.81.1. by @dependabot[bot] [#97]
  • [OPERATOR] Bump github.com/gardener/gardener from 1.84.1 to 1.85.0. by @dependabot[bot] [#108]

Docker Images

  • gardener-extension-shoot-networking-problemdetector: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-networking-problemdetector:v0.20.0
Update gardener-controlplane to 1.86.1

[gardener/etcd-druid]

⚠️ Breaking Changes

  • [OPERATOR] Change OCI Image Registry from GCR (eu.gcr.io/gardener-project) to Artifact-Registry (europe-docker.pkg.dev/gardener-project/releases). Users should update their references. by @shreyas-s-rao [gardener/etcd-druid#756]

[gardener/etcd-backup-restore]

🏃 Others

  • [OPERATOR] Dynamic loading of IaaS credentials is now optimized to make use of file system information instead of calculating a hash of the credentials to detect changes. by @renormalize [gardener/etcd-backup-restore#670]
  • [OPERATOR] A regression in chunk deletion behavior for openstack provider has now been fixed. by @shreyas-s-rao [gardener/etcd-backup-restore#703]
  • [OPERATOR] Add unit tests for chunk deletion by @anveshreddy18 [gardener/etcd-backup-restore#685]
  • [USER] Add support for overriding storage API endpoint for provider GCS, by setting environment variable GOOGLE_STORAGE_API_ENDPOINT, with the value in the format http[s]://host[:port]/storage/v1/. ⚠️ Note: GCS storage API endpoint will not be overridden for copy subcommand, since backup buckets may reside in different regions. by @shreyas-s-rao [gardener/etcd-backup-restore#691]

Docker Images

  • admission-controller-linux-amd64: eu.gcr.io/gardener-project/gardener/admission-controller:v1.86.1
  • apiserver-linux-amd64: eu.gcr.io/gardener-project/gardener/apiserver:v1.86.1
  • controller-manager-linux-amd64: eu.gcr.io/gardener-project/gardener/controller-manager:v1.86.1
  • gardenlet-linux-amd64: eu.gcr.io/gardener-project/gardener/gardenlet:v1.86.1
  • node-agent-linux-amd64: eu.gcr.io/gardener-project/gardener/node-agent:v1.86.1
  • operator-linux-amd64: eu.gcr.io/gardener-project/gardener/operator:v1.86.1
  • resource-manager-linux-amd64: eu.gcr.io/gardener-project/gardener/resource-manager:v1.86.1
  • scheduler-linux-amd64: eu.gcr.io/gardener-project/gardener/scheduler:v1.86.1
Update gardenlet to 1.86.1

[gardener/etcd-druid]

⚠️ Breaking Changes

  • [OPERATOR] Change OCI Image Registry from GCR (eu.gcr.io/gardener-project) to Artifact-Registry (europe-docker.pkg.dev/gardener-project/releases). Users should update their references. by @shreyas-s-rao [gardener/etcd-druid#756]

[gardener/etcd-backup-restore]

🏃 Others

  • [OPERATOR] Dynamic loading of IaaS credentials is now optimized to make use of file system information instead of calculating a hash of the credentials to detect changes. by @renormalize [gardener/etcd-backup-restore#670]
  • [OPERATOR] A regression in chunk deletion behavior for openstack provider has now been fixed. by @shreyas-s-rao [gardener/etcd-backup-restore#703]
  • [OPERATOR] Add unit tests for chunk deletion by @anveshreddy18 [gardener/etcd-backup-restore#685]
  • [USER] Add support for overriding storage API endpoint for provider GCS, by setting environment variable GOOGLE_STORAGE_API_ENDPOINT, with the value in the format http[s]://host[:port]/storage/v1/. ⚠️ Note: GCS storage API endpoint will not be overridden for copy subcommand, since backup buckets may reside in different regions. by @shreyas-s-rao [gardener/etcd-backup-restore#691]

Docker Images

  • admission-controller-linux-amd64: eu.gcr.io/gardener-project/gardener/admission-controller:v1.86.1
  • apiserver-linux-amd64: eu.gcr.io/gardener-project/gardener/apiserver:v1.86.1
  • controller-manager-linux-amd64: eu.gcr.io/gardener-project/gardener/controller-manager:v1.86.1
  • gardenlet-linux-amd64: eu.gcr.io/gardener-project/gardener/gardenlet:v1.86.1
  • node-agent-linux-amd64: eu.gcr.io/gardener-project/gardener/node-agent:v1.86.1
  • operator-linux-amd64: eu.gcr.io/gardener-project/gardener/operator:v1.86.1
  • resource-manager-linux-amd64: eu.gcr.io/gardener-project/gardener/resource-manager:v1.86.1
  • scheduler-linux-amd64: eu.gcr.io/gardener-project/gardener/scheduler:v1.86.1
Update cloudprofiles to 0.6.11
Update dashboard to 1.72.0

[gardener/dashboard]

⚠️ Breaking Changes

  • [USER] Removed support for deprecated annotations. These annotations were deprecated a long time ago:
    • garden.sapcloud.io/createdBy: If you still have a cluster using this annotation, you can migrate it manually to dashboard.gardener.cloud/created-by if you need to.
    • shoot.garden.sapcloud.io/ignore: If you still have a cluster using this annotation, you can migrate it manually to shoot.gardener.cloud/ignore if you need to. by @grolu [#1669]

✨ New Features

  • [USER] Streamlined Kubernetes cluster upgrades for enhanced user experience. We've removed non-eligible versions from the upgrade selection, replacing them with a hint to indicate the existence of more versions. Additionally, only supported versions are now highlighted on the version chip. To aid in version management, chips for deprecated versions will now display in a warning color, alerting users to the need for an upgrade by @grolu [#1683]
  • [USER] Hidden GitHub comments will no longer be displayed on the Cluster Details page. by @holgerkoser [#1675]
  • [USER] Added support to request a time-limited kubeconfig on the cluster details page. The lifetime can be configured on the settings page. This feature is disabled by default and can be enabled by the gardener dashboard operator. by @grolu [#1666]
  • [OPERATOR] The feature to request a time-limited kubeconfig is disabled by default. You can enable it via .Values.global.dashboard.frontendConfig.shootAdminKubeconfig.enabled. The maximum expiration seconds can be controlled via .Values.global.dashboard.frontendConfig.shootAdminKubeconfig.maxExpirationSeconds. by @grolu [#1666]

🐛 Bug Fixes

  • [USER] The broken link to the permission configuration documentation for Azure secrets was fixed. by @MrBatschner [#1667]
  • [USER] Fixed an issue on the member management page. Update members and service account dialog did not render correctly because of an issue with the input validation by @grolu [#1686]
  • [USER] Project list: fixed issue where the second entry is highlighted on key-down in some cases by @petersutter [#1687]
  • [USER] Fixed email check for account names: Non email user accounts are no longer converted to a mailto link by @grolu [#1669]
  • [USER] Resolved an issue from Dashboard version 1.70 that prevented the display of descriptions in the 'Update Cluster Version' dropdown selection by @grolu [#1672]
  • [USER] Improved Navigation in project list filter: Disabled spell check to enhance arrow key navigation reliability. This update addresses an issue where spell check functionality occasionally interfered with keyboard navigation by @grolu [#1696]
  • [USER] Resolved a styling issue that affected the hover functionality in the Safari browser by @grolu [#1696]

🏃 Others

  • [USER] Introduced tonal variations to our chips and alert designs, previously defined with outline styles by @grolu [#1681]

📖 Documentation

  • [USER] Enhanced the Connect Kubectl documentation by @petersutter [#1679]
  • [DEVELOPER] Updated the Project Operations kubeconfig documentation by @n-boshnakov [#1673]

Docker Images

  • dashboard: europe-docker.pkg.dev/gardener-project/releases/gardener/dashboard:1.72.0
Update external-dns-management to 0.17.0

[gardener/external-dns-management]

✨ New Features

  • [USER] [aws-route53] Support dual-stack AWS load balancers by creating additional AAAA record with alias target if annotation service.beta.kubernetes.io/aws-load-balancer-ip-address-type=dualstack (services only) or dns.gardener.cloud/ip-stack=dual-stack (ingresses, dnsentries, and services) is set. by @MartinWeindel [#350]

🏃 Others

  • [DEVELOPER] Move canonicalhostedzone map of aws-route53 provider to own package to allow reuse in gardener/provider-aws. by @MartinWeindel [#348]

Docker Images

  • dns-controller-manager: europe-docker.pkg.dev/gardener-project/releases/dns-controller-manager:v0.17.0
Update shoot-dns-service to 1.43.0

[gardener/external-dns-management]

✨ New Features

  • [USER] [aws-route53] Support dual-stack AWS load balancers by creating additional AAAA record with alias target if annotation service.beta.kubernetes.io/aws-load-balancer-ip-address-type=dualstack (services only) or dns.gardener.cloud/ip-stack=dual-stack (ingresses, dnsentries, and services) is set. by @MartinWeindel [gardener/external-dns-management#350]

🏃 Others

  • [DEVELOPER] Move canonicalhostedzone map of aws-route53 provider to own package to allow reuse in gardener/provider-aws. by @MartinWeindel [gardener/external-dns-management#348]

[gardener/gardener-extension-shoot-dns-service]

🏃 Others

  • [OPERATOR] The requirement for the admission controller to need cluster-wide read permissions for secrets has been dropped. by @timuthy [#280]
  • [OPERATOR] Bumps golang from 1.21.5 to 1.21.6. by @dependabot[bot] [#283]
  • [DEVELOPER] An issue causing the testmachinery test to fail due to an outdated golang version in the TestDefinition is now fixed. by @ialidzhikov [#282]

Docker Images

  • gardener-extension-admission-shoot-dns-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/admission-shoot-dns-service:v1.43.0
  • gardener-extension-shoot-dns-service: europe-docker.pkg.dev/gardener-project/releases/gardener/extensions/shoot-dns-service:v1.43.0
Update gardener-controlplane to 1.87.0

[gardener/gardener]

⚠️ Breaking Changes

  • [DEPENDENCY] The signature of github.com/gardener/gardener/pkg/chartrenderer.RenderedChart#Files has changed. by @acumino [#8877]
  • [OPERATOR] The deprecated field seed.spec.secretRef has been removed from the Seed API. Please check your Seeds and remove any usage before upgrading to this Gardener version. by @acumino [#8896]
  • [OPERATOR] Migration code for Plutono and Vali is now removed. Consider manual cleanup for long-term broken Shoots as described in the PR to avoid leaking Loki's PV. by @rickardsjp [#8999]
  • [DEVELOPER] The pkg/resourcemanager/predicate.ClassFilter.Active function was replaced by IsTransferringResponsibility and IsWaitForCleanupRequired.
    • pkg/resourcemanager/predicate.ClassFilter.IsTransferringResponsibility should be used to check whether the .spec.class field of a ManagedResource has changed and let the controller which was previously responsible for the ManagedResource perform any additional/cleanup tasks.
    • pkg/resourcemanager/predicate.ClassFilter.IsWaitForCleanupRequired should be used by the controller to which the responsibility was transferred to determine whether it should wait for any tasks/cleanup activities made by the previously responsible controller. by @Kostov6 [#8886]

📰 Noteworthy

  • [OPERATOR] The ContainerdRegistryHostsDir feature gate has been promoted to GA and is now locked to "enabled by default". by @ialidzhikov [#8979]

✨ New Features

  • [OPERATOR] When hibernating a cluster, Gardener now assigns an error code ERR_CLEANUP_CLUSTER_RESOURCES to shoot clusters if (user) pods are still running in namespaces other than kube-system. by @benedictweis [#9060]
  • [OPERATOR] node-agent checks health of containerd and kubelet now. This replaces the previous bash implementation of these health checks. by @majst01 [#8786]
  • [OPERATOR] Gardener can now support clusters with Kubernetes version 1.29. To allow creation/update of 1.29 clusters you will have to update the version of your provider extension(s) to a version that supports 1.29 as well. Please consult the respective releases and notes in the provider extension's repository. by @acumino [#8976]
  • [OPERATOR] The components managed by gardener now use PDBs with unhealthyPodEvictionPolicy: AlwaysAllow for clusters with kubernetes version >= 1.26. (For v1.26 clusters (shoots and virtual-garden cluster), the featuregate PDBUnhealthyPodEvictionPolicy needs to be turned on in the kube-apiserver. From v1.27 this is enabled by default.) by @shafeeqes [#8969]
  • [DEVELOPER] Add local setup for dual-stack seeds. by @axel7born [#8983]
  • [DEVELOPER] Gardener can now support clusters with Kubernetes version 1.29. Extension developers have to prepare individual extensions as well to work with 1.29. by @acumino [#8976]

🐛 Bug Fixes

  • [OPERATOR] False positive PrometheusCantScrape alerts for the etcd-druid job in the shoot control plane are no longer firing, even if the --enable-backup-compaction feature of etcd-druid is not turned on. by @istvanballok [#8988]
  • [OPERATOR] Allow the dependency-watchdog-prober to patch deployments and deployments/scale resources. by @aaronfern [#9036]
  • [DEVELOPER] Local single-zone gardener development setups should now work as expected again even if the istio ingress pods are not scheduled on the control plane node. by @ScheererJ [#8998]
  • [DEVELOPER] Local gardener-operator and multi-zone gardener development setups now use externalTrafficPolicy: Local for inbound communication to mitigate cross-node network problems. by @ScheererJ [#8972]

🏃 Others

  • [OPERATOR] The following dependency has been updated:
    • k8s.io/helm@v2.17.0+incompatible -> helm.sh/helm/v3@v3.10.3 by @acumino [#8877]
  • [OPERATOR] Spreading istio pods across hosts is now enforced if there are enough hosts in a particular zone. by @ScheererJ [#8970]
  • [OPERATOR] The following images are updated:
    • europe-docker.pkg.dev/gardener-project/releases/3rd/kubesphere/fluent-operator: v2.3.0 -> v2.7.0
    • europe-docker.pkg.dev/gardener-project/releases/3rd/kubesphere/fluent-bit: v2.1.4 -> v2.2.0 by @nickytd [#9031]
  • [OPERATOR] The reliability of kube-state-metrics in the garden namespace of the Seed cluster has been improved to minimize periods of unavailability for Prometheus metric collection by @petersutter [#8931]
  • [OPERATOR] The following image is updated:
    • quay.io/prometheus/prometheus: v2.47.0 -> v2.48.1 by @istvanballok [#8994]
  • [OPERATOR] kube-proxy is now running in non-privileged mode for K8s >= 1.29 Shoots. The work that needs privileged mode is extracted to an init container. See https://www.kubernetes.dev/blog/2024/01/05/kube-proxy-non-privileged/. by @shafeeqes [#9000]
  • [OPERATOR] Plutono is updated to v7.5.28. Vali and Valitail are updated to v2.2.13. by @nickytd [#9010]
  • [OPERATOR] nginx-ingress-controller image is updated to v1.9.5. by @shafeeqes [#8997]
  • [OPERATOR] Istio ingress gateway dashboard now always shows a graph for all istio namespaces even if no traffic was received in some of them. by @ScheererJ [#9032]
  • [OPERATOR] kube-proxy's sidecar container no longer installs its tools at runtime, but comes with its toolset pre-installed. by @ScheererJ [#9006]
  • [DEVELOPER] On startup, gardenlet now removes the resources.gardener.cloud/gardener-resource-manager finalizer from Secrets related to ManagedResources. by @Kostov6 [#8912]

[gardener/etcd-druid]

⚠️ Breaking Changes

  • [OPERATOR] EtcdWrapper has progressed from the alpha stage to the beta stage, which now allows for its default usage in etcd-druid. If you prefer to continue using the etcd-custom-image, you can disable the EtcdWrapper by adjusting the feature flag. by @ishan16696 [gardener/etcd-druid#744]

✨ New Features

  • [USER] Add support for overriding storage API endpoint for provider GCS, by adding new field storageAPIEndpoint in the GCP/GCS backup secret, with the value in the format http[s]://host[:port]/storage/v1/. ⚠️ Note: GCS storage API endpoint will not be overridden for EtcdCopyBackupsTasks, since backup buckets may reside in different regions. by @shreyas-s-rao [gardener/etcd-druid#737]

🏃 Others

  • [OPERATOR] Adds documentation for local setup of Etcd Druid by @anveshreddy18 [gardener/etcd-druid#721]
  • [OPERATOR] Documentation for the controllers of etcd-druid by @renormalize [gardener/etcd-druid#722]
  • [DEVELOPER] Upgrade to go 1.21.4 by @seshachalam-yv [gardener/etcd-druid#727]

[gardener/vpn2]

🏃 Others

  • [USER] Security improvements to the openvpn configuration. Due to backwards incompatible change between the vpn server and client a short downtime is to be expected during the initial upgrade. by @dimityrmirchev [gardener/vpn2#53]

[gardener/etcd-wrapper]

🏃 Others

  • [OPERATOR] The etcd process now runs with umask set to 0077; this way the files it creates have no permissions on group and others level. by @AleksandarSavchev [gardener/etcd-wrapper#16]

Docker Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.87.0
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.87.0
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.87.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.87.0
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.87.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.87.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.87.0
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.87.0
Update gardener-controlplane to 1.87.0

[gardener/gardener]

⚠️ Breaking Changes

  • [DEPENDENCY] The signature of github.com/gardener/gardener/pkg/chartrenderer.RenderedChart#Files has changed. by @acumino [#8877]
  • [OPERATOR] The deprecated field seed.spec.secretRef has been removed from the Seed API. Please check your Seeds and remove any usage before upgrading to this Gardener version. by @acumino [#8896]
  • [OPERATOR] Migration code for Plutono and Vali is now removed. Consider manual cleanup for long-term broken Shoots as described in the PR to avoid leaking Loki's PV. by @rickardsjp [#8999]
  • [DEVELOPER] The pkg/resourcemanager/predicate.ClassFilter.Active function was replaced by IsTransferringResponsibility and IsWaitForCleanupRequired.
    • pkg/resourcemanager/predicate.ClassFilter.IsTransferringResponsibility should be used to check whether the .spec.class field of a ManagedResource has changed and let the controller which was previously responsible for the ManagedResource perform any additional/cleanup tasks.
    • pkg/resourcemanager/predicate.ClassFilter.IsWaitForCleanupRequired should be used by the controller to which the responsibility was transferred to determine whether it should wait for any tasks/cleanup activities made by the previously responsible controller. by @Kostov6 [#8886]

📰 Noteworthy

  • [OPERATOR] The ContainerdRegistryHostsDir feature gate has been promoted to GA and is now locked to "enabled by default". by @ialidzhikov [#8979]

✨ New Features

  • [OPERATOR] When hibernating a cluster, Gardener now assigns an error code ERR_CLEANUP_CLUSTER_RESOURCES to shoot clusters if (user) pods are still running in namespaces other than kube-system. by @benedictweis [#9060]
  • [OPERATOR] node-agent checks health of containerd and kubelet now. This replaces the previous bash implementation of these health checks. by @majst01 [#8786]
  • [OPERATOR] Gardener can now support clusters with Kubernetes version 1.29. To allow creation/update of 1.29 clusters you will have to update the version of your provider extension(s) to a version that supports 1.29 as well. Please consult the respective releases and notes in the provider extension's repository. by @acumino [#8976]
  • [OPERATOR] The components managed by gardener now use PDBs with unhealthyPodEvictionPolicy: AlwaysAllow for clusters with kubernetes version >= 1.26. (For v1.26 clusters (shoots and virtual-garden cluster), the featuregate PDBUnhealthyPodEvictionPolicy needs to be turned on in the kube-apiserver. From v1.27 this is enabled by default.) by @shafeeqes [#8969]
  • [DEVELOPER] Add local setup for dual-stack seeds. by @axel7born [#8983]
  • [DEVELOPER] Gardener can now support clusters with Kubernetes version 1.29. Extension developers have to prepare individual extensions as well to work with 1.29. by @acumino [#8976]

🐛 Bug Fixes

  • [OPERATOR] False positive PrometheusCantScrape alerts for the etcd-druid job in the shoot control plane are no longer firing, even if the --enable-backup-compaction feature of etcd-druid is not turned on. by @istvanballok [#8988]
  • [OPERATOR] Allow the dependency-watchdog-prober to patch deployments and deployments/scale resources. by @aaronfern [#9036]
  • [DEVELOPER] Local single-zone gardener development setups should now work as expected again even if the istio ingress pods are not scheduled on the control plane node. by @ScheererJ [#8998]
  • [DEVELOPER] Local gardener-operator and multi-zone gardener development setups now use externalTrafficPolicy: Local for inbound communication to mitigate cross-node network problems. by @ScheererJ [#8972]

🏃 Others

  • [OPERATOR] The following dependency has been updated:
    • k8s.io/helm@v2.17.0+incompatible -> helm.sh/helm/v3@v3.10.3 by @acumino [#8877]
  • [OPERATOR] Spreading istio pods across hosts is now enforced if there are enough hosts in a particular zone. by @ScheererJ [#8970]
  • [OPERATOR] The following images are updated:
    • europe-docker.pkg.dev/gardener-project/releases/3rd/kubesphere/fluent-operator: v2.3.0 -> v2.7.0
    • europe-docker.pkg.dev/gardener-project/releases/3rd/kubesphere/fluent-bit: v2.1.4 -> v2.2.0 by @nickytd [#9031]
  • [OPERATOR] The reliability of kube-state-metrics in the garden namespace of the Seed cluster has been improved to minimize periods of unavailability for Prometheus metric collection by @petersutter [#8931]
  • [OPERATOR] The following image is updated:
    • quay.io/prometheus/prometheus: v2.47.0 -> v2.48.1 by @istvanballok [#8994]
  • [OPERATOR] kube-proxy is now running in non-privileged mode for K8s >= 1.29 Shoots. The work that needs privileged mode is extracted to an init container. See https://www.kubernetes.dev/blog/2024/01/05/kube-proxy-non-privileged/. by @shafeeqes [#9000]
  • [OPERATOR] Plutono is updated to v7.5.28. Vali and Valitail are updated to v2.2.13. by @nickytd [#9010]
  • [OPERATOR] nginx-ingress-controller image is updated to v1.9.5. by @shafeeqes [#8997]
  • [OPERATOR] Istio ingress gateway dashboard now always shows a graph for all istio namespaces even if no traffic was received in some of them. by @ScheererJ [#9032]
  • [OPERATOR] kube-proxy's sidecar container no longer installs its tools at runtime, but comes with its toolset pre-installed. by @ScheererJ [#9006]
  • [DEVELOPER] On startup, gardenlet now removes the resources.gardener.cloud/gardener-resource-manager finalizer from Secrets related to ManagedResources. by @Kostov6 [#8912]

[gardener/etcd-druid]

⚠️ Breaking Changes

  • [OPERATOR] EtcdWrapper has progressed from the alpha stage to the beta stage, which now allows for its default usage in etcd-druid. If you prefer to continue using the etcd-custom-image, you can disable the EtcdWrapper by adjusting the feature flag. by @ishan16696 [gardener/etcd-druid#744]

✨ New Features

  • [USER] Add support for overriding the storage API endpoint for provider GCS by adding the new field storageAPIEndpoint in the GCP/GCS backup secret, with the value in the format http[s]://host[:port]/storage/v1/. ⚠️ Note: GCS storage API endpoint will not be overridden for EtcdCopyBackupsTasks, since backup buckets may reside in different regions. by @shreyas-s-rao [gardener/etcd-druid#737]

🏃 Others

  • [OPERATOR] Adds documentation for local setup of Etcd Druid by @anveshreddy18 [gardener/etcd-druid#721]
  • [OPERATOR] Documentation for the controllers of etcd-druid by @renormalize [gardener/etcd-druid#722]
  • [DEVELOPER] Upgrade to go 1.21.4 by @seshachalam-yv [gardener/etcd-druid#727]

[gardener/vpn2]

🏃 Others

  • [USER] Security improvements to the openvpn configuration. Due to a backwards-incompatible change between the VPN server and client, a short downtime is to be expected during the initial upgrade. by @dimityrmirchev [gardener/vpn2#53]

[gardener/etcd-wrapper]

🏃 Others

  • [OPERATOR] The etcd process now runs with umask set to 0077, so the files it creates have no permissions at the group and others level. by @AleksandarSavchev [gardener/etcd-wrapper#16]

Docker Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.87.0
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.87.0
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.87.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.87.0
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.87.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.87.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.87.0
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.87.0
Update gardenlet to 1.87.0

[gardener/gardener]

⚠️ Breaking Changes

  • [DEPENDENCY] The signature of github.com/gardener/gardener/pkg/chartrenderer.RenderedChart#Files has changed. by @acumino [#8877]
  • [OPERATOR] The deprecated field seed.spec.secretRef has been removed from the Seed API. Please check your Seeds and remove any usage before upgrading to this Gardener version. by @acumino [#8896]
  • [OPERATOR] Migration code for Plutono and Vali is now removed. Consider manual cleanup for long-term broken Shoots as described in the PR to avoid leaking Loki's PV. by @rickardsjp [#8999]
  • [DEVELOPER] The pkg/resourcemanager/predicate.ClassFilter.Active function was replaced by IsTransferringResponsibility and IsWaitForCleanupRequired.
    • pkg/resourcemanager/predicate.ClassFilter.IsTransferringResponsibility should be used to check whether the .spec.class field of a ManagedResource has changed and let the controller which was previously responsible for the ManagedResource perform any additional/cleanup tasks.
    • pkg/resourcemanager/predicate.ClassFilter.IsWaitForCleanupRequired should be used by the controller to which the responsibility was transferred to determine whether it should wait for any tasks/cleanup activities made by the previously responsible controller. by @Kostov6 [#8886]

📰 Noteworthy

  • [OPERATOR] The ContainerdRegistryHostsDir feature gate has been promoted to GA and is now locked to "enabled by default". by @ialidzhikov [#8979]

✨ New Features

  • [OPERATOR] When hibernating a cluster, Gardener now assigns an error code ERR_CLEANUP_CLUSTER_RESOURCES to shoot clusters if (user) pods are still running in namespaces other than kube-system. by @benedictweis [#9060]
  • [OPERATOR] node-agent checks health of containerd and kubelet now. This replaces the previous bash implementation of these health checks. by @majst01 [#8786]
  • [OPERATOR] Gardener can now support clusters with Kubernetes version 1.29. To allow creation/update of 1.29 clusters you will have to update the version of your provider extension(s) to a version that supports 1.29 as well. Please consult the respective releases and notes in the provider extension's repository. by @acumino [#8976]
  • [OPERATOR] The components managed by Gardener now use PDBs with unhealthyPodEvictionPolicy: AlwaysAllow for clusters with Kubernetes version >= 1.26. For v1.26 clusters (shoots and virtual-garden cluster), the feature gate PDBUnhealthyPodEvictionPolicy needs to be turned on in the kube-apiserver; from v1.27 it is enabled by default. by @shafeeqes [#8969]
  • [DEVELOPER] Add local setup for dual-stack seeds. by @axel7born [#8983]
  • [DEVELOPER] Gardener can now support clusters with Kubernetes version 1.29. Extension developers have to prepare individual extensions as well to work with 1.29. by @acumino [#8976]

🐛 Bug Fixes

  • [OPERATOR] False positive PrometheusCantScrape alerts for the etcd-druid job in the shoot control plane are no longer firing, even if the --enable-backup-compaction feature of etcd-druid is not turned on. by @istvanballok [#8988]
  • [OPERATOR] Allow the dependency-watchdog-prober to patch deployments and deployments/scale resources. by @aaronfern [#9036]
  • [DEVELOPER] Local single-zone gardener development setups should now work as expected again even if the istio ingress pods are not scheduled on the control plane node. by @ScheererJ [#8998]
  • [DEVELOPER] Local gardener-operator and multi-zone gardener development setups now use externalTrafficPolicy: Local for inbound communication to mitigate cross-node network problems. by @ScheererJ [#8972]

🏃 Others

  • [OPERATOR] The following dependency has been updated:
    • k8s.io/helm@v2.17.0+incompatible -> helm.sh/helm/v3@v3.10.3 by @acumino [#8877]
  • [OPERATOR] Spreading istio pods across hosts is now enforced if there are enough hosts in a particular zone. by @ScheererJ [#8970]
  • [OPERATOR] The following images are updated:
    • europe-docker.pkg.dev/gardener-project/releases/3rd/kubesphere/fluent-operator: v2.3.0 -> v2.7.0
    • europe-docker.pkg.dev/gardener-project/releases/3rd/kubesphere/fluent-bit: v2.1.4 -> v2.2.0 by @nickytd [#9031]
  • [OPERATOR] The reliability of kube-state-metrics in the garden namespace of the Seed cluster has been improved to minimize periods of unavailability for Prometheus metric collection by @petersutter [#8931]
  • [OPERATOR] The following image is updated:
    • quay.io/prometheus/prometheus: v2.47.0 -> v2.48.1 by @istvanballok [#8994]
  • [OPERATOR] kube-proxy is now running in non-privileged mode for K8s >= 1.29 Shoots. The work that needs privileged mode is extracted to an init container. See https://www.kubernetes.dev/blog/2024/01/05/kube-proxy-non-privileged/. by @shafeeqes [#9000]
  • [OPERATOR] Plutono is updated to v7.5.28. Vali and Valitail are updated to v2.2.13. by @nickytd [#9010]
  • [OPERATOR] nginx-ingress-controller image is updated to v1.9.5. by @shafeeqes [#8997]
  • [OPERATOR] Istio ingress gateway dashboard now always shows a graph for all istio namespaces even if no traffic was received in some of them. by @ScheererJ [#9032]
  • [OPERATOR] kube-proxy's sidecar container no longer installs its tools at runtime, but comes with its toolset pre-installed. by @ScheererJ [#9006]
  • [DEVELOPER] On startup, gardenlet now removes the resources.gardener.cloud/gardener-resource-manager finalizer from Secrets related to ManagedResources. by @Kostov6 [#8912]

[gardener/etcd-druid]

⚠️ Breaking Changes

  • [OPERATOR] EtcdWrapper has progressed from the alpha stage to the beta stage, which now allows for its default usage in etcd-druid. If you prefer to continue using the etcd-custom-image, you can disable the EtcdWrapper by adjusting the feature flag. by @ishan16696 [gardener/etcd-druid#744]

✨ New Features

  • [USER] Add support for overriding the storage API endpoint for provider GCS by adding the new field storageAPIEndpoint in the GCP/GCS backup secret, with the value in the format http[s]://host[:port]/storage/v1/. ⚠️ Note: GCS storage API endpoint will not be overridden for EtcdCopyBackupsTasks, since backup buckets may reside in different regions. by @shreyas-s-rao [gardener/etcd-druid#737]

🏃 Others

  • [OPERATOR] Adds documentation for local setup of Etcd Druid by @anveshreddy18 [gardener/etcd-druid#721]
  • [OPERATOR] Documentation for the controllers of etcd-druid by @renormalize [gardener/etcd-druid#722]
  • [DEVELOPER] Upgrade to go 1.21.4 by @seshachalam-yv [gardener/etcd-druid#727]

[gardener/vpn2]

🏃 Others

  • [USER] Security improvements to the openvpn configuration. Due to a backwards-incompatible change between the VPN server and client, a short downtime is to be expected during the initial upgrade. by @dimityrmirchev [gardener/vpn2#53]

[gardener/etcd-wrapper]

🏃 Others

  • [OPERATOR] The etcd process now runs with umask set to 0077, so the files it creates have no permissions at the group and others level. by @AleksandarSavchev [gardener/etcd-wrapper#16]
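
The umask change listed in both etcd-wrapper entries above can be checked with a short script. This is an added example, not etcd-wrapper's own code; the file names `member.snap` and `wal` are constructed and everything runs in temporary directories. It creates the same file and directory under umask 0022 and 0077, then counts entries that still grant group or others any permission.

```shell
#!/bin/sh
# Added example: what umask 0077 does to newly created files, and how to audit
# a data directory for group/other access. File names are constructed.

# Create one file and one directory under umask $1 in a fresh temp dir.
# Prints the temp dir path.
make_under_umask() {
    d=$(mktemp -d) || return 1
    (
        umask "$1"
        : > "$d/member.snap"
        mkdir "$d/wal"
    )
    printf '%s\n' "$d"
}

# Print the 10-character type+permission string of $1, e.g. -rw-------.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Count entries under $1 (including $1) with any group/other permission bit.
count_group_other() {
    find "$1" -exec ls -ld {} + |
        awk 'substr($1, 5, 6) != "------" { n++ } END { print n + 0 }'
}

loose=$(make_under_umask 0022)
tight=$(make_under_umask 0077)
for f in "$loose/member.snap" "$tight/member.snap" "$tight/wal"; do
    printf '%s  %s\n' "$(perm_string "$f")" "$f"
done
printf 'group/other-accessible entries: umask 0022 -> %s, umask 0077 -> %s\n' \
    "$(count_group_other "$loose")" "$(count_group_other "$tight")"
rm -rf "$loose" "$tight"
```

A umask only applies when a file is created, so files written before the upgrade keep their old mode; running `count_group_other` against an existing data directory is how those are found.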

Docker Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.87.0
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.87.0
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.87.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.87.0
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.87.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.87.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.87.0
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.87.0