gardener / gardener-extension-os-gardenlinux

Gardener extension controller for the Garden Linux operating system
Apache License 2.0
9 stars, 30 forks

Bump github.com/gardener/gardener from 1.70.2 to 1.71.1 #102

Closed dependabot[bot] closed 1 year ago

dependabot[bot] commented 1 year ago

Bumps github.com/gardener/gardener from 1.70.2 to 1.71.1.

Release notes

Sourced from github.com/gardener/gardener's releases.

v1.71.1

[logging]

🐛 Bug Fixes

v1.71.0

[gardener]

⚠️ Breaking Changes

  • [USER] Since Namespaces are no longer deleted (and forcefully finalized after some grace period), the shoot.gardener.cloud/cleanup-namespaces-finalize-grace-period-seconds annotation no longer has any effect. Relevant Kubernetes resources are still cleaned up (see this document for more information). (gardener/gardener#7864, @​rfranzke)
  • [USER] Using internal API versions in providerConfig fields is no longer permitted (deprecated for more than 2 years). Ensure that you always use a versioned API. (gardener/gardener#7868, @​rfranzke)
  • [USER] As of Kubernetes v1.27, Gardener enforces a worker.maximum configuration for system component worker pools. The value must be greater than or equal to the number of zones configured for this pool. This ensures that the pool has the minimum required nodes to schedule system components across nodes. (gardener/gardener#7878, @​timuthy)
  • [USER] The static token kubeconfig can no longer be enabled for Shoot clusters using Kubernetes version 1.27 and higher. (gardener/gardener#7883, @​ary1992)
  • [USER] For Shoot clusters using Kubernetes version 1.27 and higher, the .spec.kubernetes.kubeControllerManager.podEvictionTimeout field has no effect anymore since the backing --pod-eviction-timeout CLI flag has been removed. (gardener/gardener#7883, @​ary1992)
  • [USER] ⚠️ The deprecated field .spec.kubernetes.kubeAPIServer.enableBasicAuthentication has been removed from the Shoot API. Please check your Shoots manifests and remove the .spec.kubernetes.kubeAPIServer.enableBasicAuthentication field. (gardener/gardener#7886, @​dimitar-kostadinov)
  • [USER] Gardener denies setting Shoot.Spec.ControlPlane.HighAvailability.FailureTolerance.Type if shoot is hibernated. (gardener/gardener#7894, @​aaronfern)
  • [OPERATOR] All fluent-bit-related configuration options have been removed from gardenlet's component configuration. (gardener/gardener#7568, @​Kristian-ZH)
  • [OPERATOR] The FullNetworkPoliciesInRuntimeCluster feature gate has been promoted to beta and is now turned on by default. Before deploying this Gardener version, make sure that all your registered extensions support this feature gate. (gardener/gardener#7866, @​rfranzke)
  • [OPERATOR] The HAControlPlanes feature gate has been promoted to beta and is now turned on by default. (gardener/gardener#7867, @​timuthy)
  • [OPERATOR] The deprecated allow-{to,from}-shoot-apiserver NetworkPolicys have been dropped. Ensure that all registered extensions have been adapted. (gardener/gardener#7868, @​rfranzke)
  • [OPERATOR] The deprecated identity value is no longer passed when ControllerInstallation Helm charts are deployed. (gardener/gardener#7868, @​rfranzke)
  • [OPERATOR] The lastUpdateTime of extension conditions is no longer considered. Ensure that all registered extensions populate the lastHeartbeatTime field instead. (gardener/gardener#7868, @​rfranzke)
  • [DEVELOPER] The pkg/operation/botanist/component/* resources have been moved to pkg/component/*. (gardener/gardener#7938, @​rfranzke)
  • [DEVELOPER] gardenlet will no longer respect ConfigMaps labeled with extensions.gardener.cloud/configuration=logging. The way to deploy a new filter or parser configuration is to create ClusterFilters or ClusterParsers custom resources in the seed cluster. (gardener/gardener#7568, @​Kristian-ZH)
  • [DEVELOPER] Extensions vendoring this gardener/gardener version need to provide RBAC privileges for PATCH apps/deployments/scale. (gardener/gardener#7868, @​rfranzke)
  • [DEPENDENCY] Extensions that wish to be scraped by the seed-prometheus must annotate their pods with prometheus.io/scrape=true along with prometheus.io/name=<name>. See https://github.com/gardener/gardener/blob/master/docs/monitoring/README.md#seed-prometheus for more details. (gardener/gardener#7885, @​shafeeqes)

✨ New Features

  • [USER] It is possible now to create a workerless shoot cluster when the WorkerlessShoots feature gate in the gardener-apiserver is enabled. Please see this document for more details. (gardener/gardener#7882, @​shafeeqes)
  • [OPERATOR] fluent-operator is now installed in the garden namespace of seed clusters and will take care of the entire lifecycle of the fluent-bit DaemonSet. (gardener/gardener#7568, @​Kristian-ZH)
  • [OPERATOR] The gardener-operator now enables full NetworkPolicy protection for the garden cluster. In case your garden cluster is a seed at the same time, make sure to keep the values of the FullNetworkPoliciesInRuntimeCluster feature gate in sync for both gardener-operator and gardenlet. (gardener/gardener#7859, @​rfranzke)
  • [OPERATOR] gardenlet and gardener-operator managed deployments and statefulsets can now be equipped with toleration seconds for taints node.kubernetes.io/not-ready and node.kubernetes.io/unreachable. (gardener/gardener#7861, @​timuthy)
  • [OPERATOR] The gardenlet and gardener-operator Helm charts allow defining toleration seconds for node.kubernetes.io/not-ready and node.kubernetes.io/unreachable. This configuration is considered for their own Deployment as well as the Gardenlet's or Operator's config. The values are set to 60s by default. (gardener/gardener#7861, @​timuthy)
  • [OPERATOR] An optional field workerlessSupported is added under spec.resources in the ControllerRegistration API. (gardener/gardener#7863, @​ary1992)
  • [OPERATOR] gardener-operator is now managing the gardener-resource-manager instance as part of the virtual garden cluster control plane. It provides a TokenRequest API-based kubeconfig for gardener-operator to access the virtual garden cluster. The static token kubeconfig is now unconditionally disabled. (gardener/gardener#7881, @​oliver-goetz)
  • [OPERATOR] It is now possible to provide namespace selectors for additional namespaces which should be covered by the NetworkPolicy controllers of gardener-operator or gardenlet. The selectors must be provided via their component configs. Please consult this document for further insights. (gardener/gardener#7929, @​rfranzke)
  • [OPERATOR] gardener-operator is now managing the kube-controller-manager instance as part of the virtual garden cluster control plane. (gardener/gardener#7931, @​rfranzke)
  • [DEVELOPER] In order to allow kube-apiserver pods of shoot or garden clusters to reach webhook servers, they must no longer be explicitly labeled with networking.resources.gardener.cloud/to-<service-name>-<protocol>-<port>=allowed. Instead, it is enough to annotate the Service of the webhook server with networking.resources.gardener.cloud/from-all-webhook-targets-allowed-ports=<ports>. (gardener/gardener#7907, @​rfranzke)
  • [DEPENDENCY] To support workerless Shoots, extensions reconciling extensions.gardener.cloud/v1alpha1.Extension resources need to make adaptions if needed and then set spec.resources[].workerlessSupported to true in the ControllerRegistration for their respective extension type. (gardener/gardener#7863, @​ary1992)

🐛 Bug Fixes

  • [USER] An issue has been fixed which might have caused the deletion of Shoot clusters to get stuck when a namespace was forcefully removed before all relevant resources had been cleaned up. (gardener/gardener#7864, @​rfranzke)
  • [USER] A bug has been fixed which could cause kube-proxys to be missing after a Shoot has been woken up from hibernation. (gardener/gardener#7912, @​rfranzke)
  • [OPERATOR] An issue causing VPN Seed (CPU| Memory) Usage dashboards not showing data is now fixed. (gardener/gardener#7865, @​Sallyan)
  • [OPERATOR] A bug has been fixed which prevented components using the networking.resources.gardener.cloud/from-world-to-ports annotation from being reached from internal IP addresses when the cluster was using Cilium as CNI. (gardener/gardener#7884, @​ScheererJ)
  • [OPERATOR] A bug which was causing race conditions to occur during reconciliation of extension resources was fixed. (gardener/gardener#7906, @​dimityrmirchev)
  • [OPERATOR] An issue causing panic in the health check for extension, when the health check result is empty, is fixed. (gardener/gardener#7908, @​acumino)
  • [OPERATOR] An issue has been fixed that caused traffic from outside of the cluster to Istio-Ingress being blocked. This is only relevant if seed(s) specify additional load balancer annotations via seed.spec.settings.loadBalancerServices.annotations. (gardener/gardener#7910, @​timuthy)

📖 Documentation

🏃 Others

  • [USER] The --node-monitor-grace-period flag of kube-controller-manager is now defaulted to 40s for Shoot clusters using Kubernetes version 1.27 and higher. (gardener/gardener#7883, @​ary1992)

... (truncated)

Commits


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

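
Three of the [USER] breaking changes quoted in the v1.71.0 release notes above concern authentication and cleanup settings that can be checked in Shoot manifests before the bump is rolled out. The following is an added example, not code from this PR or from the Gardener project; it assumes manifests exported as JSON, the names `rules`, `get` and `CheckShoot` are hypothetical, and `spec.kubernetes.enableStaticTokenKubeconfig` is assumed to be the field behind "static token kubeconfig".

```go
package main

import (
	"encoding/json"
	"fmt"
)

// rules cover three [USER] breaking changes from the v1.71.0 release notes.
var rules = []struct {
	path              []string
	from127, onlyTrue bool // Kubernetes >= 1.27 only; flag only a literal true
	finding           string
}{
	{[]string{"spec", "kubernetes", "kubeAPIServer", "enableBasicAuthentication"}, false, false, "enableBasicAuthentication: field removed, delete it"},
	{[]string{"metadata", "annotations", "shoot.gardener.cloud/cleanup-namespaces-finalize-grace-period-seconds"}, false, false, "cleanup-namespaces-finalize-grace-period-seconds: no longer has any effect"},
	{[]string{"spec", "kubernetes", "enableStaticTokenKubeconfig"}, true, true, "static token kubeconfig: cannot be enabled for Kubernetes >= 1.27"}, // assumed field name, not on the page
}

// get walks nested JSON objects and reports whether the whole path exists.
func get(v any, path ...string) (any, bool) {
	ok := true
	for i := 0; ok && i < len(path); i++ {
		m, _ := v.(map[string]any)
		v, ok = m[path[i]]
	}
	return v, ok
}

// CheckShoot returns one finding per setting in a JSON Shoot manifest that the notes affect.
func CheckShoot(manifest []byte) (out []string, err error) {
	var s any
	if err = json.Unmarshal(manifest, &s); err != nil {
		return nil, err
	}
	var major, minor int
	ver, _ := get(s, "spec", "kubernetes", "version")
	n, _ := fmt.Sscanf(fmt.Sprint(ver), "%d.%d", &major, &minor)
	is127 := n == 2 && (major > 1 || (major == 1 && minor >= 27))
	for _, r := range rules {
		val, ok := get(s, r.path...)
		if ok && (is127 || !r.from127) && (val == true || !r.onlyTrue) {
			out = append(out, r.finding)
		}
	}
	return out, nil
}

func main() {
	fmt.Println(CheckShoot([]byte(`{"spec":{"kubernetes":{"version":"1.27.1","enableStaticTokenKubeconfig":true}}}`))) // constructed sample
}
```

The basic-authentication rule fires on the mere presence of the field, since the notes say it was removed from the Shoot API regardless of its value.
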
gardener-robot commented 1 year ago

@dependabot[bot] Thank you for your contribution.

gardener-robot-ci-3 commented 1 year ago

Thank you @dependabot[bot] for your contribution. Before I can start building your PR, a member of the organization must set the required label(s) {'reviewed/ok-to-test'}. Once started, you can check the build status in the PR checks section below.

dependabot[bot] commented 1 year ago

Superseded by #103.