[OPERATOR] When the NewWorkerPoolHash feature gate is enabled, the calculation now also rolls worker nodes of Shoots when changing systemReserved in the kubelet configuration. Worker pools are not rolled if the sum of kubeReserved and systemReserved does not change. If the feature gate is already enabled, then the worker pools of Shoots with non-zero values in systemReserved will be rolled once. by @MichaelEischer#10290
📰 Noteworthy
[USER] The spec.client field in the {Cluster}OpenIDConnectPreset APIs is deprecated and will be removed after support for Kubernetes 1.30 is dropped. by @AleksandarSavchev#10253
[USER] The spec.kubernetes.kubeAPIServer.oidcConfig.clientAuthentication field in the Shoot API is deprecated and will be removed after support for Kubernetes 1.30 is dropped. by @AleksandarSavchev#10253
[USER] The Shoot specification field .spec.kubernetes.kubeAPIServer.oidcConfig.signingAlgs for Kubernetes versions >= v1.30 is not supported anymore. by @AleksandarSavchev#10244
[OPERATOR] The .spec.deployment.vpa field in the seedmanagement.gardener.cloud/v1alpha1.{Gardenlet,ManagedSeed} APIs is deprecated and has no effect anymore. It will be removed in a future version. Now, gardenlet deploys its own VPA as part of the Seed reconciliation (after it ensured the VPA CRD exists). by @rfranzke#10299
✨ New Features
[USER] Structured authentication configuration can now be set by creating a ConfigMap in the project namespace with the AuthenticationConfiguration file set in the config.yaml data key and referencing the ConfigMap in the new Shoot specification field .spec.kubernetes.kubeAPIServer.structuredAuthentication.configMapName for Kubernetes versions >= v1.30. Only one authenticator can be set via the authentication configuration until k8s.io/* Golang dependencies are upgraded to version >= v0.30. by @AleksandarSavchev#10244
[USER] The following vpa-recommender flags are now configurable via the Shoot specification:
--recommendation-upper-bound-memory-percentile: .spec.kubernetes.verticalPodAutoscaler.recommendationUpperBoundMemoryPercentile by @ialidzhikov#10221
[OPERATOR] Performing control plane migration across Seeds with different provider types is now possible. Before triggering the migration, make sure that pods in the Shoot's control plane, once it is moved to the Destination Seed, will have network connectivity to the storage provider of the Source Seed (so that ETCD backups can be copied automatically). Additionally, make sure that the Shoot's nodes will have network connectivity to the Shoot's control plane after it is moved to the Destination Seed. by @plkokanov#10323
[OPERATOR] gardenlet now runs a new controller called TokenRequestorWorkloadIdentity which requests workload identity tokens and writes them into Secret resources in the seed cluster. These tokens can then be used by control plane components in order to present the said WorkloadIdentity before external systems. Please see here for more details. by @dimityrmirchev#10298
[USER] Fixes a bug preventing shoot clusters with annotation shoot.gardener.cloud/skip-readiness: "true" from being created. by @ScheererJ#10317
[OPERATOR] An issue causing the vpn-seed-server VPAs to be created with the wrong targetRef for highly available Shoots is now fixed. by @ialidzhikov#10366
🏃 Others
[OPERATOR] vpa-updater and vpa-recommender components do now run with leader election enabled (unconditionally) and support running in HA mode. by @ialidzhikov#10302
[OPERATOR] Gardener now temporarily uses a vpa-recommender built from a fork to add additional logging and metrics for debugging an issue where the vpa-recommender could recommend lower than minAllowed memory requests for pods that actually have high memory usage. by @plkokanov#10342
[OPERATOR] Migrate VPA metrics to CustomResourceState metrics and upgrade kube-state-metrics to v2.13.0. by @vicwicker#9941
[OPERATOR] An issue in gardener-node-agent causing registry hosts probe to fail when the spec.criConfig.containerd.registries.hosts.caCerts field of OperatingSystemConfig is set is now fixed. by @dimitar-kostadinov#10375
[OPERATOR] Shoot clusters with Kubernetes version >= v1.30 will use cluster-autoscaler v1.30.0. Release Notes. by @ashwani2k#10309
[DEPENDENCY] The quay.io/prometheus-operator/prometheus-config-reloader image has been updated to v0.76.0. by @gardener-ci-robot#10332
[USER] Grant get, list and watch permissions to the customresourcedefinitions resource in the virtual cluster for authenticated users. Shoot owners can now generate their own shoot metrics using custom resource state configurations by kube-state-metrics. by @vicwicker#10293
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Bumps github.com/gardener/gardener from 1.99.1 to 1.102.0.
Release notes
Sourced from github.com/gardener/gardener's releases.
... (truncated)
Commits
- 1040631 Release v1.102.0
- fa42ac0 [release-v1.102] Fix Shoot Structured Authentication API conflict (#10385)
- adc2419 Fix registry hosts probing when OSC `criConfig.containerd.registries.hosts.ca...
- a9d81c0 Fix vpn-seed-server VPA's targerRef when HA is enabled (#10366)
- 4427e10 Prevent reconciliation errors in hibernated shoots while migrating KSM (#10363)
- ae04623 Support for Structured Authentication for Shoots >= Kubernetes v1.30 (#10244)
- 4c29c97 fix(deps): update module k8s.io/autoscaler/vertical-pod-autoscaler to v1.2.1 ...
- f307d8a Allow control plane migration across seeds w/ different provider types (#10323)
- 84d4cb2 update CA image for k8s v1.25 and v1.26 (#10362)
- ad1bb57 Allow quota scope to reference WorkloadIdentity (#10346)