Closed gardener-robot-ci-1 closed 1 year ago
(github.com/gardener/gardener #8640 @oliver-goetz) `maxSurge` for `kube-apiserver` and `gardener-apiserver` of the virtual garden cluster is set to `100%`.
(bugfix, user, github.com/gardener/gardener #8122 @timuthy) A regression was fixed that prevented deletions for shoot clusters which were created with a wrong configuration (e.g. with an unavailable domain name).
Removed dead metrics code and refactored the remaining metrics code
`nginx-ingress-controller-seed` image is updated to `v1.7.1` for `1.24.x+` seeds.
`gardener-operator` now takes over management of `plutono`.
Druid now exposes metrics related to snapshot compaction, on default port 8080. Please expose the desired metrics port via the etcd-druid service to allow metrics to be scraped by a Prometheus instance.
The worker count for the [NetworkPolicy controller](https://github.com/gardener/gardener/blob/master/docs/concepts/resource-manager.md#networkpolicy-controller) in GRM was increased to `20`. This is necessary to create and update `NetworkPolicies` in time, esp. on larger seed clusters.
Concurrent bulk deletion of empty machines can now be configured for `cluster-autoscaler` via the field `.spec.kubernetes.clusterAutoscaler.maxEmptyBulkDelete` in the `Shoot` API.
It is now possible to configure `.spec.virtualCluster.gardener.gardenerAPIServer.auditWebhook` in the `Garden` API.
etcd-druid no longer supports `policy/v1beta1` for `PodDisruptionBudget`s and now only uses `policy/v1` for `PodDisruptionBudget`s.
Gardener-based e2e test for the event-logger.
A unit test framework was introduced to test the implemented methods of the `Cloudprovider` and `Nodegroup` interfaces.
An issue causing several tasks from the Shoot reconciliation flow to fail with transient errors of type `duplicate filename in registry` is now fixed.
Etcd-backup-restore now uses a distroless image as its base image. It is no longer compatible with [etcd-custom-image](https://github.com/gardener/etcd-custom-image), and must be used with [etcd-wrapper](https://github.com/gardener/etcd-wrapper) instead.
The no longer required `--gardenlet-manages-mcm` option has been removed. All code in provider extensions related to management/deployment of `machine-controller-manager` should be removed.
While scaling up a non-HA etcd cluster to HA, the scale-up checks are now skipped for the first member of the etcd cluster, since the first member can never be part of a scale-up scenario.
extension library: The state update for a `Worker` object can now be skipped by annotating it with `worker.gardener.cloud/skip-state-update=true`.
Bumped up the custom image version to v3.4.13-bootstrap-11
The `gardener-operator` now enables full `NetworkPolicy` protection for the garden cluster. In case your garden cluster is a seed at the same time, make sure to keep the values of the `FullNetworkPoliciesInRuntimeCluster` feature gate in sync for both `gardener-operator` and `gardenlet`.
`gardenlet` no longer reports the `Bootstrapped` condition on `Seed`s. Instead, it now reports the progress in `.status.lastOperation`, similar to how it's done for `Shoot`s.
Eliminated `RoleBinding` helm charts and converted into Golang component with added unit tests.
Shoot addon `nginx-ingress-controller` image is updated to `v1.3.0` for `v1.22+` shoots.
When a Seed's `spec.settings.ownerChecks.enabled=false`, gardenlet is now able to delete the owner `DNSRecord` for a Shoot stuck in deletion where the kube-apiserver `Deployment` is missing but the `Infrastructure` is present and cannot be deleted for some reason (infrastructure dependency, invalid credentials).
Fix an issue where DNS lookups for non-existing pods of a `StatefulSet` yielded one of the existing pods even when they should not have.
Vali is now updated to version v2.2.6
The following Golang dependencies have been updated:
- `k8s.io/*` from `v0.28.2` to `v0.28.3`
- `sigs.k8s.io/controller-runtime` from `v0.16.2` to `v0.16.3`
Add new flag `metrics-scrape-wait-duration` for compaction controller to set a wait duration at the end of every compaction job, to allow for metrics to be scraped by a Prometheus instance.
The shoot namespace in seeds is redeployed during shoot deletion to update the zones in use.
The [`highavailabilityconfig` webhook](https://github.com/gardener/gardener/blob/master/docs/concepts/resource-manager.md#high-availability-config) configures topology spread constraints with `minDomains=<number-of-zones>`. This configuration only takes effect for clusters which enabled the feature gate `MinDomainsInPodTopologySpread` (default as of Kubernetes `v1.27`). Please note that this configuration requires at least one worker node per registered availability zone so that Kubernetes can spread the respective seed, shoot and control-plane pods across zones.
`fluent-operator` is now installed in the `garden` namespace of seed clusters and will take care of the entire lifecycle of the `fluent-bit` `DaemonSet`.
The deprecated feature gate `APIServerSNI` has been removed.
Adding Gardener-managed finalizers (e.g., `gardener` or `gardener.cloud/reference-protection`) to the `Shoot` on creation is now forbidden.
If you are using `provider-extension` setup you should adapt your files in `example/provider-extensions/garden/controlplane` because `default-domain` and `internal-domain` secrets are removed from `gardener-controlplane` Helm chart.
A new alpha feature gate `DisableScalingClassesForShoots` has been introduced on `gardenlet`. If turned on, initial resource requests for `kube-apiserver`s of shoot clusters running on seed clusters which enable the `HVPA` feature gate are assigned statically and no longer by a scaling class determined by maximum node count. This helps to reduce resource waste for clusters with little usage.
Update golang base container image to 1.21.0.
`gardener-operator` now runs a new controller which protects `Secret`s and `ConfigMap`s with a finalizer in case they are referenced in `Garden` resources.
The `lastUpdateTime` of extension conditions is no longer considered. Ensure that all registered extensions populate the `lastHeartbeatTime` field instead.
A bug is fixed that rendered the "CPU usage" panel of the "VPN" Plutono dashboard blank.
:warning: `etcd.Status.ClusterSize`, `etcd.Status.ServiceName`, `etcd.Status.UpdatedReplicas` have been marked as deprecated and users should refrain from depending on these fields.
Run `make ci-e2e-kind` to run the e2e tests on the local machine.
Introduced `delta-snapshot-retention-period` CLI flag to extend the configurable retention period for delta snapshots in `etcd-backup-restore`, enhancing flexibility for backup retention.
Gardener autoscaler now backs off early from a node group (i.e. `MachineDeployment`) in case of a `ResourceExhausted` error. See the docs at `https://github.com/gardener/autoscaler/blob/machine-controller-manager-provider/cluster-autoscaler/FAQ.md#when-does-autoscaler-backs-off-early-from-a-node-group` for details.
The admission controllers of common provider extensions are automatically installed in the local extensions development setup
Add a new Grafana dashboard for seed deployment replicas.
Deactivate leader election, health and readiness checks when running `make *-debug`.
The local deployment of Gardener is extended so that it is now possible to create a second single zone HA `Seed`. This `Seed` can be used to test the control plane migration scenario for HA `Shoot`s. Additionally, make targets were added to trigger the control plane migration integration test with HA `Shoot`s: `test-e2e-local-migration-ha-single-zone` to test the migration locally, and `ci-e2e-kind-migration-ha-single-zone` mainly intended to be used in Gardener prow jobs.
The target cache for `gardener-resource-manager` is now unconditionally enabled, leading to faster reconciliations and less network I/O.
`machinepriority.machine.sapcloud.io` annotation on machine is now reset to 3 by autoscaler if the corresponding node doesn't have `ToBeDeletedByClusterAutoscaler` taint
This PR aligns container build targets with project CI supporting multi-platform builds and simplifies overall Makefile structure.
⚠️ The deprecated field `.spec.kubernetes.kubeAPIServer.enableBasicAuthentication` has been removed from the Shoot API. Please check your `Shoot`s manifests and remove the `.spec.kubernetes.kubeAPIServer.enableBasicAuthentication` field.
Extensions have to implement the `ForceDelete` function in the actuator with the logic of forcefully deleting all the resources deployed by them.
The GA-ed feature gates `SeedChange` and `CopyEtcdBackupsDuringControlPlaneMigration` have been removed.
Extensions running on seed clusters can get access to the garden cluster by using the injected kubeconfig specified by the `GARDEN_KUBECONFIG` environment variable. You can read about the details in this [doc](https://github.com/gardener/gardener/blob/master/docs/extensions/garden-api-access.md).
The `{github.com/gardener/gardener/pkg/apis/core/helper,github.com/gardener/gardener/pkg/apis/core/v1beta1/helper}.SeedSettingOwnerChecksEnabled` func will now return `false` if the corresponding Seed setting is `nil`. Previously, the func returned `true` when the Seed setting was `nil`.
A bug has been fixed in the `garden/fluent-bit` that caused a failure in creating `networkpolicies` for scraping metrics.
Introduce flag `metrics-scrape-wait-duration` to `etcdbrctl compact` command, that specifies a wait duration at the end of a snapshot compaction, to allow Prometheus to scrape metrics related to compaction before the `etcdbrctl` process exits.
The `pkg/utils/secrets` package now signs certificates with 3072 bit RSA keys.
Deprecated annotation `alpha.featuregates.shoot.gardener.cloud/node-local-dns` is removed. Use field `.spec.systemComponents.nodeLocalDNS.enabled` in `Shoot` instead. Switching on node-local-dns via shoot specification will roll the nodes even if node-local-dns was enabled beforehand via annotation.
`UseEtcdWrapper` feature gate has been introduced to allow users to opt for the new [etcd-wrapper](https://github.com/gardener/etcd-wrapper) image.
Extensions that wish to be scraped by the `seed-prometheus` must annotate their pods with `prometheus.io/scrape=true` along with `prometheus.io/name=<name>`. See https://github.com/gardener/gardener/blob/master/docs/monitoring/README.md#seed-prometheus for more details.
Upgrade to go 1.20.3.
Update base image of `ingress-default-backend` to alpine:3.18.3
The following images are updated:
- `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.21.5` -> `v1.21.6` (for Kubernetes `1.21`)
- `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.22.5` -> `v1.22.6` (for Kubernetes `1.22`)
- `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.23.3` -> `v1.23.4` (for Kubernetes `1.23`)
- `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.24.2` -> `v1.24.3` (for Kubernetes `1.24`)
- `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.25.2` -> `v1.25.3` (for Kubernetes `1.24`)
- `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.26.1` -> `v1.26.2` (for Kubernetes `1.26`)
Update golang 1.19.5 -> 1.20.4
The unused `github.com/gardener/gardener/pkg/controllerutils/predicate.IsBeingMigratedPredicate`, `github.com/gardener/gardener/pkg/controllerutils/predicate.IsObjectBeingMigrated` and `github.com/gardener/gardener/pkg/utils/gardener.IsObjectBeingMigrated` funcs are now removed.
A bug has been fixed which could cause `kube-proxy`s to be missing after a `Shoot` has been woken up from hibernation.
The `extensions/pkg/controller.Use{TokenRequestor,ServiceAccountTokenVolumeProjection}` functions have been removed since they always return `true`.
The shoot namespace in seeds is redeployed during the shoot migration flow to update the zones in use.
Probes will not be created for shoots with no workers.
`extensions.gardener.cloud/v1alpha1.ControlPlane` is now deployed after `kube-apiserver` in the Shoot reconciliation flow.
So far the `github.com/gardener/gardener/pkg/utils/managedresources.{NewForShoot,CreateForShoot}` funcs were ignoring the passed `origin` func parameter and were always using `gardener` as value. These funcs will now respect and use the passed `origin` value.
Now the vali ingress definition points to the shoot logging service.
Bump builder image golang from `1.19.5` to `1.20.2`
`Shoot`s allow to optionally configure a specific scheduler via `.spec.schedulerName`. The `default-scheduler` is used in case none is configured. Please note that `Shoot`s will remain `Pending` in case a scheduler name is configured but an adequate scheduler is not available in the landscape.
A bug is fixed in the Prometheus alert definitions that caused false positive KubePodNotReadyControlPlane alerts related to the etcd compaction job.
Deprecated annotation `alpha.featuregates.shoot.gardener.cloud/node-local-dns-force-tcp-to-{cluster-dns, upstream-dns}` is removed. Use field `.spec.systemComponents.nodeLocalDNS.{forceTCPToClusterDNS, forceTCPToUpstreamDNS}` in `Shoot` instead.
Updated to go v1.20.5
Improves client recreate during cluster reconcile.
⚠️ Gardener no longer supports garden, seed, or shoot clusters with Kubernetes versions < 1.22. Make sure to upgrade all existing clusters before upgrading to this Gardener version.
Annotation `alpha.featuregates.shoot.gardener.cloud/node-local-dns-force-tcp-to-{cluster-dns, upstream-dns}` is deprecated and will be removed in future releases. Use field `.spec.systemComponents.nodeLocalDNS.{forceTCPToClusterDNS, forceTCPToUpstreamDNS}` in `Shoot` instead.
`default-domain`, `internal-domain`, `alerting` and `openvpn-diffie-hellman` secrets are removed from the `gardener-controlplane` Helm chart. Please make sure to manage them in a different way before upgrading Gardener. If you would like to prevent Helm from deleting these secrets during the upgrade, you can annotate them with `"helm.sh/resource-policy": keep`.
Go version is updated to 1.20.6.
The following image is updated:
- `quay.io/prometheus/alertmanager`: `v0.24.0` -> `v0.26.0`
Block public access for S3 buckets created by integration tests.
A bug causing unnecessary reorder of extension in `Shoot` `spec.extensions` is fixed.
The status of `garden` now includes the `ObservabilityComponentsHealthy` condition, which shows the health of the observability components in the garden runtime cluster.
⚠️ The deprecated field `.spec.settings.ownerChecks` has been removed from the Seed API. Please check your `Seed`s and remove any usage before upgrading to this Gardener version.
All components in the gardener logging stack are now updated to the following respective versions: fluent-bit to 2.1.4, fluent-operator to 2.3.0 and logging to 0.55.3.
A bug is fixed that prevented scraping the metrics of etcd in the shoot control plane.
An issue causing deletion of a legacy (wrongly configured) Shoot cluster to be denied because of network ranges overlapping with the default VPN network is now fixed.
Gardener now uses 3072 bit RSA keys in order to generate TLS certificates.
`leader-election-resource-lock` flag is dropped and the leader-election resource-lock is hard coded to leases.
Using internal API versions in `providerConfig` fields is no longer permitted (deprecated for more than two years). Ensure that you always use a versioned API.
`nginx-ingress-controller` image is updated to `v1.8.1` for Kubernetes `v1.24+` clusters.
Annotations in `seed.spec.settings.loadBalancerServices.annotations` are now applied to the Nginx-Ingress load balancer service in the seed cluster.
A new alpha feature gate named `MachineControllerManagerDeployment` has been introduced in `gardenlet`. Only enable it when all registered provider extensions in your landscape support this feature.
For Shoot clusters using Kubernetes version `1.27` and higher, the `.spec.kubernetes.kubeControllerManager.podEvictionTimeout` field has no effect anymore since the backing `--pod-eviction-timeout` CLI flag has been removed.
Updated go to 1.19.9
The `fluent-bit-vali-plugin` now supports fluent-bit v2.1.0 and above.
Provider extensions must now pass the `cluster.Cluster` object for the garden cluster to the `genericactuator.NewActuator` function. See [this](https://github.com/gardener/gardener/blob/8d2f116aa606e5181cd430e5063dd798629bdc78/cmd/gardener-extension-provider-local/app/app.go#L228-L246) for an example how to create such a `cluster.Cluster` object.
An issue causing a nil pointer panic on scale-up of the `MachineDeployment` together with the trigger of a rolling update is fixed.
The `Deploying Shoot namespace in Seed` step was slightly improved. Earlier, it failed on some occasions when it tried to read zone information for volumes that had not been created yet. This was a transient error that dissolved in subsequent reconcile runs.
Gardenlet can now set feature gates for `etcd-druid`. They can be specified via the gardenlet configuration `GardenletConfiguration.EtcdConfig.FeatureGates`
The `ResourcesProgressing` condition appearing in the status of `ManagedResource`s now checks for non-terminated `Pod`s before reporting `status=False`.
Prometheus scrape job configs for targets in the shoot cluster have been improved.
Update the client-go version and exclude the old one in `go.mod`.
Etcd snapshot compaction jobs will now be named `<etcd-name>-compactor` for better readability for human operators.
Revendors bbolt from `v1.3.6` to `v1.3.7`.
`gardener-operator` configures SNI components in order to expose the `virtual-garden-kube-apiserver` via the `istio-ingressgateway` in the Garden cluster.
With this change, operators can start to switch DNS records from the `virtual-garden-kube-apiserver` service to the `istio-ingress` service endpoint. The type of the `virtual-garden-kube-apiserver` service will soon be switched from `LoadBalancer` to `ClusterIP`.
`AllMembersReady` condition has now been fixed to eventually show the correct overall readiness of an etcd cluster.
gardenlet: A regression causing metering related recording rules for the aggregate-prometheus not to be applied is now fixed.
Introduces a skaffold local development pipeline to fluent-bit-vali-plugin
Provider extensions should be adapted such that they only inject their provider-specific `machine-controller-manager` sidecar container into the `machine-controller-manager` deployment instead of managing the full deployment themselves. In the future, `gardenlet` will take over managing it. Please see https://github.com/gardener/gardener/pull/8019 for an example of how `provider-local` was adapted and replicate it for your provider extensions.
Add a `VPNHAShootNoPods` alert for shoots running in HA (high availability) mode.
The following dependencies are updated:
- `k8s.io/*`: `v0.26.4` -> `v0.27.5`
- `sigs.k8s.io/controller-runtime`: `v0.14.6` -> `v0.15.2`
The logging components: vali and valitail are now updated to v2.2.8.
HVPA supports k8s versions >= 1.25 by switching to `k8s.io/autoscaling/v2` when necessary for all API calls.
Gardener Scheduler's Minimal Distance strategy can take scheduling decisions based on region distances configured by operators. This especially improves the allocation for shoots in provider regions for which the standard Levenshtein distance is inappropriate. Please see `docs/concepts/scheduler.md` for more information.
Makefile targets have changed: Introduced gardener-setup, gardener-restore, gardener-local-mcm-up, non-gardener-setup, non-gardener-restore, non-gardener-local-mcm-up. Users can also directly use the scripts which are used by these makefile targets.
Package `pkg/utils/managedresources` now works with immutable secrets for managed resources under the hood. Existing secrets will be marked for garbage collection and replaced with immutable ones during the first reconciliation of the managed resource.
It is possible now to create a workerless shoot cluster when the `WorkerlessShoots` feature gate in the `gardener-apiserver` is enabled. Please see [this document](https://github.com/gardener/gardener/blob/master/docs/usage/shoot_workerless.md) for more details.
Prevent fluent-bit-to-vali plugin panic when Cluster is updated and its Shoot has no lastOperation set
Change `log` mount path of `node-problem-detector` from `/var/log` to `/var/log/journal`.
The `DisablingScalingClassesForShoots` feature gate has been promoted to beta.
The `.{source,target}ClientConnection.namespace` field has been renamed to `namespaces` and now takes a list of namespaces. The `.targetClientConnection.disableCachedClient` field has been removed.
The `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler` image has been updated from `v1.26.2` to `v1.27.0` (for Kubernetes `>= 1.27`).
Feature gate `APIServerFastRollout` for `gardenlet` is introduced and enabled by default. When enabled, `maxSurge` for `kube-apiservers` of `Shoot`s is set to `100%`.
Introduce DEP-04 [EtcdMember Custom Resource](https://github.com/gardener/etcd-druid/blob/master/docs/proposals/04-etcd-member-custom-resource.md).
When the `ShootForceDeletion` featuregate in the apiserver is turned on, users will be able to force-delete the Shoot. You **MUST** ensure that all the resources created in the IaaS account are cleaned up to prevent orphaned resources. Gardener will **NOT** delete any resources in the Shoot cloud-provider account. See [Shoot Force Deletion](https://github.com/gardener/gardener/blob/master/docs/usage/shoot_operations.md#force-deletion) for more details.
Applying Gardener resources server-side caused a `the server is currently unable to handle the request` error; this is now fixed.
Removed apiserver-proxy pod webhook as it is now included in Gardener Resource Manager.
Since `Namespace`s are no longer deleted (and forcefully finalized after some grace period), the `shoot.gardener.cloud/cleanup-namespaces-finalize-grace-period-seconds` annotation no longer has any effect. Relevant Kubernetes resources are still cleaned up (see [this document](https://github.com/gardener/gardener/blob/master/docs/usage/shoot_cleanup.md) for more information).
The deprecated `.spec.virtualCluster.dns.domain` field has been dropped from the `Garden` API. Make use of `.spec.virtualCluster.dns.domains`.
Force drain and delete volume attachments for nodes that are unhealthy due to `ReadOnlyFileSystem` and `NotReady` for too long.
Grafana and Loki are replaced with the fork of their last Apache 2.0 licensed releases: Plutono and Vali, that will continue to receive security updates.
Bump g/g version to remove stale client-go dependency
The `HAControlPlanes` feature gate has been promoted to beta and is now turned on by default.
The project vendors the latest released gardener version - v1.73.0
Gardener now allows omitting or only partially defining Kubernetes versions in `Shoot`s. The version will automatically be defaulted to the latest minor and/or patch version found in the linked `CloudProfile`.
`hack/generate.sh` has been renamed to `hack/generate-sequential.sh`.
If the `kubeletCSRApprover` controller is enabled, it is now mandatory to specify the namespace in the source cluster in which the `Machine` resources reside via `.controllers.kubeletCSRApprover.machineNamespace`.
etcd-custom-image updates from `v3.4.13-bootstrap-9` to `v3.4.13-bootstrap-10`
The following image is updated:
- `quay.io/prometheus/prometheus`: `v2.43.1` -> `v2.47.0`
A new controller in `gardenlet` for periodically backing up the `ShootState` for `Shoot`s has been introduced. This controller is only activated when `gardenlet` is responsible for an unmanaged `Seed` (i.e., one not backed by a `ManagedSeed` object). By default, backups are taken roughly each `6h`.
A `generate-admin-kubeconf.sh` script which can be used to generate an admin kubeconfig for a local shoot cluster was added in the `hack/usage` directory.
`uncachedObjects` in `pkg/client/kubernetes/options.go` is now removed from the `Config` struct which is used to set options for new `ClientSet`s. The uncached objects can now be set directly via the `clientOptions.Cache.DisableFor` field.
Several low timeouts (30s) that were introduced in v1.71.0 for several steps have been reverted, as in some cases the Network/ControlPlane reconciliation cannot succeed within 30s.
Allow the kubelet configuration to define swap behaviour {LimitedSwap / UnlimitedSwap} for k8s >= 1.22
The `register-kind2-env` and `tear-down-kind2-env` will no longer try to deploy and delete the `seed-local` `Secret`. This fixes an issue where `tear-down-kind2-env` would hang as it deletes and then waits for the `seed-local` `Secret` to be deleted which can not happen as long as the `local` `Seed` which uses it still exists.
A bug causing incorrect volume mount path for `Etcd`s and `EtcdCopyBackupsTask`s using `Local` snapshot storage provider while using distroless etcd-backup-restore image `v0.25.x` has been resolved.
Provider extensions should be adapted such that they no longer perform health checks specific to the `machine-controller-manager` deployment or the machines/nodes. In the future, `gardenlet` will take over performing these checks. Please see https://github.com/gardener/gardener/pull/8019 for an example of how `provider-local` was adapted and replicate it for your provider extensions.
An edge case where outdated DesiredReplicas annotation blocked a rolling update is fixed.
The `charts/images.yaml` file was moved to `imagevector/images.yaml`.
The kind cluster used in local setup does now use the new way in containerd to configure registry mirrors.
Added an example for `AdminKubeconfigRequest` via the Python Kubernetes client.
The GA-ed `DisableScalingClassesForShoots` feature gate has been removed.
The `SkipIf` and `DoIf` methods of `TaskFn` have been dropped. A new field `SkipIf` is introduced in `Task`. If set to `true`, the task will be skipped and will also not be reported by the progress reporter.
Any resource with a kind other than `ConfigMap` or `Secret` in `.spec.resources` in `Shoot`s is now forcefully removed. New validation has been introduced to prevent adding other resources in the future.
The regression is now fixed, and the control plane logs are visible in the Plutono dashboards again.
Gardener uses an `InternalSecret` per Shoot for syncing the client CA to the project namespace in the garden cluster (named `<shoot-name>.ca-client`). The `shoots/adminkubeconfig` subresource signs short-lived client certificates by retrieving the CA from the `InternalSecret`.
The deprecated `core.gardener.cloud/apiserver-exposure` label and handling has been dropped.
The `shootstate-extensions` and `shootstate-secret` controllers have been dropped. The `gardenlet`'s component config file should be updated to no longer specify related configuration (`.controllers.{shootSecret,shootStateSync}`).
During the `Migrate` phase of a control plane migration of a `Shoot`, the state is now only persisted after all extension resources have been migrated. Consequently, make sure that you have added all state to the `.status.state` field of the respective extension object when running `Migrate()`.
`github.com/gardener/gardener/pkg/utils/gardener.ShootAccessSecret` was renamed to `AccessSecret`.
A bug has been fixed which was causing the garbage collector in `gardener-resource-manager` to wrongfully collect `Secret`s related to `ManagedResource`s when the source and the target cluster are equal.
Added pod security enforce level `baseline` label to Istio-related namespaces. The `garden` and shoot namespaces have the `privileged` level. For extension namespaces, the new `security.gardener.cloud/pod-security-standard-enforce` annotation on `ControllerRegistration` resources specifies the level. When set, the `extension` namespace is created with `pod-security.kubernetes.io/enforce` label set to `security.gardener.cloud/pod-security-standard-enforce`'s value.
New metrics introduced:
- `api_request_duration_seconds` -> tracks the time taken for successful invocations of provider APIs. This metric can be filtered by `provider` and `service`.
- `driver_request_duration_seconds` -> tracks the total time taken to successfully complete a driver method invocation. This metric can be filtered by `provider` and `operation`.
- `driver_requests_failed_total` -> records the total number of failed driver API requests. This metric can be filtered by `provider`, `operation` and `error_code`.
The `.spec.kubernetes.kubeAPIServer.serviceAccountConfig.acceptedIssuers` field of the `Shoot` spec no longer allows duplicate values.
Custodian controller no longer watches leases owned by the etcd resources, thus reducing frequency of etcd status updates and now honouring `custodian-sync-period` value.
The `VerticalPodAutoscaler` resources for `kube-proxy`s are no longer recreated when the Kubernetes patch version of the `Shoot` or the respective worker pools is updated. This ensures updated `kube-proxy`s keep the same CPU/memory resource requirements as before the patch version update. In order to put this change into effect, all existing `VerticalPodAutoscaler`s for `kube-proxy`s are getting recreated once.
Add support for `Local` provider for e2e tests.
The feature gates `FullNetworkPolicies` and `HAControlPlanes` have been promoted to GA and are now locked to "unconditionally enabled".
`kubectl get garden` now features additional printer column `Observability` providing information about the Observability components of the runtime cluster.
An issue causing `VPN Seed (CPU| Memory) Usage` dashboards not showing data is now fixed.
`gardenlet`'s `ControllerInstallation` controller now populates the feature gates of `gardenlet` via the Helm values to extensions when they are getting installed. The information is populated via the `.gardener.gardenlet.featureGates` key. It contains a map whose keys are feature gate names and whose values are booleans (depicting the enablement status).
A bug was fixed which was causing existing `Bastion` resources on the garden cluster to not be deleted when `SSHAccess` is disabled on a Shoot cluster.
It is required to have `ControllerRegistration`s for the Kinds `ControlPlane`, `Infrastructure` and `Worker` with the same types used for seeds (`seed.spec.provider.type`). This is already the case if seeds and shoots share the same cloud provider. The seed reconciliation flow waits for the associated `ControllerInstallation` to be ready before continuing to roll out seed system components. This allows Gardener provider extensions to ship components that act not only on the shoot control plane but also on seed system components.
Added a new metric that exposes the number of stale (due to unhealthiness) machines that are getting terminated.
The kind clusters are now unified to use `garden.local.gardener.cloud` DNS name in the containerd config when configuring registry mirror hostnames. Previously, to access the pull through registry cache some kind clusters were configured to use `garden.local.gardener.cloud`, others - the Node name of the control plane Node.
Add CVE categorization for etcd-druid.
The base image of `telegraf` and `tune2fs` is upgraded from 3.17.2 to 3.18.0.
The webhooks remediator sets `timeoutSeconds` to 3 seconds for webhooks affecting `Lease` resources in the `kube-system` namespace only if no `objectSelector` is provided in the webhook.
The certificate chains served by `kube-apiserver`s now include the CA certificates used to sign their server certificates.
`gardener-operator` is now managing the `kube-controller-manager` instance as part of the virtual garden cluster control plane.
Decouple the progress update of gardener-operator from the task flow logic and thereby prevent concurrency bugs.
`gardener-operator` no longer reports the `Reconciled` condition. Instead, it now reports the progress in `.status.lastOperation`, similar to how it's done for `Shoot`s.
Add CVE categorization for etcd-backup-restore.
@gardener-robot-ci-1 Thank you for your contribution.