[OPERATOR] All virtual garden access Secrets have to be labeled with resources.gardener.cloud/class=shoot. Otherwise the virtual-GRM won't consider the Secrets and won't renew them. by @rfranzke #8883
[OPERATOR] The ContainerdRegistryHostsDir feature gate has been promoted to beta and is now turned on by default. by @ialidzhikov #8873
[DEVELOPER] Support for the deprecated NetworkPolicy annotations networking.resources.gardener.cloud/from-policy-allowed-ports and networking.resources.gardener.cloud/from-policy-pod-label-selector has been removed. Use networking.resources.gardener.cloud/from-<some-alias>-allowed-ports instead (documentation). by @rfranzke #8883
📰 Noteworthy
[DEVELOPER] The local Gardener environments for e2e tests running in Prow are now backed by the registry-cache extensions enabled in the Prow cluster. This should have a positive impact on the network I/O for image pulls and resulting costs. by @oliver-goetz #8880
[OPERATOR] The WorkerlessShoots has been promoted to GA and is now locked to "enabled by default". by @acumino #8906
✨ New Features
[USER] It is now possible to configure the resources encrypted in the ETCD for shoot clusters, see this document for more details. by @shafeeqes #8842
[USER] The shoots/viewerkubeconfig subresource now also restricts viewer access to resources which are specified in the spec.kubernetes.kubeAPIServer.encryptionConfig in the Shoot in addition to Secrets. by @shafeeqes #8966
[USER] It is now possible to request a kubeconfig with read-only access (all APIs except core/v1.Secret) for shoot clusters by using the new shoots/viewerkubeconfig subresource. Read all about it here. by @rfranzke #8870
[OPERATOR] The vpn-seed-server component now supports IPv4 seed clusters hosting IPv6 shoot clusters. by @DockToFuture #8830
[OPERATOR] It is now possible to configure the resources encrypted in the ETCD for the virtual garden cluster, see this document for more details. by @shafeeqes #8842
🐛 Bug Fixes
[DEPENDENCY] extension library: An issue causing the Worker restore operation to fail for hibernated Shoots is now fixed. by @ialidzhikov #8943
[OPERATOR] A bug causing the Shoot to use the wrong istio load balancer if the ExposureClass name and the exposureclass handler name are not the same is now fixed. by @shafeeqes #8926
[OPERATOR] Fixed a bug where a Shoot with an expired machine image or Kubernetes version could be created.
- For machine images: only allow updating to a higher expired machine image version for an existing worker pool
- For Kubernetes versions: do not allow creation of a worker pool with an expired K8s version, but still allow updating an existing worker pool to a higher expired version. by @danielfoehrKn #8854
[OPERATOR] gardener-node-agent's OperatingSystemConfig controller now respects the reconciliation timeout and aborts the reconciliation if it takes too long. by @rfranzke #8907
[OPERATOR] gardener-node-agent now creates temporary directories and files under /var/lib/gardener-node-agent/tmp instead of /tmp. This fixes issues during OperatingSystemConfig reconciliation which occur when /var and /tmp are backed by different file systems or devices. by @rfranzke #8894
[OPERATOR] gardener-node-agent now skips disablement and stop attempts of deleted units in case their unit files have already been cleaned up by third parties. by @rfranzke #8898
[OPERATOR] gardener-node-agent now converts the hostname to lower case to match kubelet behaviour when it maintains the kubernetes.io/hostname label on Nodes. by @rfranzke #8902
🏃 Others
[OPERATOR] gardener-node-agent now stops waiting for systemd command results if they don't respond back after 10s. by @rfranzke #8919
[OPERATOR] Add unhealthy nodes dashboard. by @adenitiu #8869
[OPERATOR] Add egressCIDRs field to the infrastructureStatus resource. This allows provider-extensions to specify a list of stable CIDRs used as source IP for traffic generated by the shoot's worker nodes. by @kon-angelo #8888
[DEVELOPER] Add support for optional SCRIPT_ROOT environment var in vgopath enabled hack scripts by @afritzler #8935
[gardener/vpn2]
⚠️ Breaking Changes
[OPERATOR] Change OCI Image Registry from GCR (eu.gcr.io/gardener-project) to Artifact-Registry (europe-docker.pkg.dev/gardener-project/releases). Users should update their references. by @ccwienk gardener/vpn2#62
📰 Noteworthy
[OPERATOR] added ipv6 single-stack support by @nschad gardener/vpn2#45
[OPERATOR] Add iptables backend detection to firewall script. by @axel7born gardener/vpn2#64
[gardener/apiserver-proxy]
📰 Noteworthy
[OPERATOR] Remove the optional creation of iptables rules and the flag --setup-iptables. by @axel7born gardener/apiserver-proxy#70
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps github.com/gardener/gardener from 1.80.3 to 1.86.0.
Release notes
Sourced from github.com/gardener/gardener's releases.
... (truncated)
Commits
- cee1201 Release v1.86.0
- 483cda3 [release-v1.86] Revert "Spread Istio Ingress Gateway pods across hosts if the...
- c75e3b6 [release-v1.86] Prevent reading encrypted resources with `shoots/viewerkubeco...
- 0a20f87 Delete MCM before deleting the MCM resources in the Shoot force deletion flow...
- e6f98fa egress cidrs (#8888)
- 9748682 Upgrade vpn-seed-server and vpn-shoot-client (#8958)
- f31674b typo (#8955)
- 8077ed3 [scheduler] Clean up technical debt in defaulting code (#8832)
- fd95bd4 Add e2e test for cpm of hibernated shoot (#8952)
- 3374afd Fix CPM for hibernated Shoots (#8943)