v1.15.5

[gardener]

⚠️ Breaking Changes

• [OPERATOR] If the nginx-ingress addon for a shoot used as seed is disabled then you can no longer enable it anymore. Instead, use the new managed ingress controller feature. You can find more information about it here. Existing shoots used as seeds with .spec.addons.nginxIngress.enabled=true will continue to work. (gardener/gardener#3131, @BeckerMax)

✨ New Features

• [OPERATOR] It is now possible to specify the spec.settings.loadBalancerServices.annotations field for shooted seeds via the "shoot.gardener.cloud/use-as-seed" annotation. You can do this by specifying the loadBalancerServices.annotations.* option - for example loadBalancerServices.annotations.service.beta.kubernetes.io/aws-load-balancer-type=nlb. (gardener/gardener#3344, @ialidzhikov)
• [OPERATOR] The gardener admission controller now exposes metrics (gardener/gardener#3293, @wyb1)
• [OPERATOR] Gardener now offers to manage a dedicated ingress controller for seed clusters (earlier, this was a manual operator task when registering seeds). You can find more information about it here. (gardener/gardener#3131, @BeckerMax)
• [DEVELOPER] Gardener can now support shoot clusters with Kubernetes version 1.20. In order to allow creation/update of 1.20 clusters you will have to update the version of your provider extension(s) to a version that supports 1.20 as well. Please consult the respective releases and notes in the provider extension's repository. (gardener/gardener#3296, @rfranzke)

🐛 Bug Fixes

• [USER] A bug has been fixed that prevented shoot clusters from coming up in case .spec.kubernetes.allowPrivilegedContainers=false. (gardener/gardener#3410, @rfranzke)
• [USER] An race issue causing immediate wake up after hibernation to fail is now fixed. The hibernation is now waiting until the kube-apiserver Service is cleaned up. (gardener/gardener#3289, @ialidzhikov)
• [OPERATOR] Fixes a bug causing newly created Seeds to fail during bootstrap (gardener/gardener#3401, @BeckerMax)
• [OPERATOR] A bug that was renewing the bootstrap token secret on each reconciliation has been fixed. (gardener/gardener#3323, @vpnachev)
• [OPERATOR] An issue has been fixed which did not enable VPA for the aggregate Prometheus Pod in new seed clusters. (gardener/gardener#3312, @timuthy)
• [OPERATOR] By default, gardener-apiserver now invokes in-tree admission plugins before invoking the webhook plugins. (gardener/gardener#3298, @timebertt)
• [OPERATOR] An issue has been fixed that prevented the execution of the Kube-API-Server's configured preStop hooks for >=1.19.x clusters. (gardener/gardener#3295, @timuthy)
• [OPERATOR] Gardener health checks now take the effective Shoot specification into consideration if .spec.maintenance.confineSpecRollout is used. Earlier, EveryNodeReady or ControlPlaneHealthy conditions reported an invalid state if the specification was changed but not yet effective due to a rollout during shoot maintenance (confineSpecRollout: true). (gardener/gardener#3286, @timuthy)
• [OPERATOR] An issue in the API validation has been fixed which prevented the managed ingress feature for seeds being enabled. (gardener/gardener@4bfccae)
• [OPERATOR] A bug has been fixed which prevented proper auto-scaling of components under control of HVPA. (gardener/gardener@3d0859f)
• [OPERATOR] fix CRD for extension types to allow storing anything in status.state. (gardener/gardener@f29a08a)
• [OPERATOR] The generic Worker actuator does now wait until the machine-controller-manager finalizer is removed from the credentials secret that is referenced from the machine classes. (gardener/gardener@b8cbfee)
• [OPERATOR] A side-car container is added to kube-proxy that deletes the incorrect conntrack table entries which sometime occur after restart of kube-proxy and prevent the establishment of a tcp connection to the api-server. (gardener/gardener@243cfeb)
• [OPERATOR] An issue causing a NetworkPolicy to do not allow egress from prometheus Pod to alertmanager and vpa-exporter Pods is now fixed. (gardener/gardener@3d27d2e)
• [OPERATOR] An issue causing gardenlet to do not properly compute the .status.clusterIdentity field is now fixed. (gardener/gardener@b9a4257)
• [DEVELOPER] The Seed and Shoot logging stack deletion is separated in two functions to avoid accidental deletion of cluster scoped resources. (gardener/gardener#3437, @vlvasilev)
• [DEPENDENCY] Ensure a stable order of self-registered webhooks in extensions to avoid unnecessary rollouts of control plane components. (gardener/gardener#3320, @timebertt)

📖 Documentation

• [USER] API reference documentation for kubernetes types now points to version v1.19. (gardener/gardener#3303, @mvladev)
• [OPERATOR] Gardener's scheduler documentation has been enhanced. It concisely explains the algorithm used to determine seed candidates. (gardener/gardener#3316, @timuthy)

🏃 Others

• [OPERATOR] Gardener now considers the seed.spec.ingress.domain field when passing the value via gradener.seed.ingressDomain to ControllerRegistration charts. (gardener/gardener#3443, @timuthy)
• [OPERATOR] An issue has been fixed which caused unwanted restarts for Grafana instances. (gardener/gardener#3404, @ialidzhikov)
• [OPERATOR] NumberOfBatchIDs for the fluent-bit-to-loki plugin is set to 5 numbers. (gardener/gardener#3403, @vlvasilev)
• [OPERATOR] The Loki initialDelaySeconds for the readinessProbe is reduces to 80 seconds. (gardener/gardener#3333, @vlvasilev)
• [OPERATOR] The vpa-admission-controller and vpa-updater pods are now ensured with some minimal CPU and memory resources. (gardener/gardener#3330, @vpnachev)
• [OPERATOR] Gardener will now check seed clusters for VPA functionality as a prerequisite. (gardener/gardener#3312, @timuthy)
• [OPERATOR] Upgrade Prometheus to v2.23.0 (gardener/gardener#3297, @wyb1)
• [OPERATOR] Change pod anti-affinity to preferredDuringSchedulingIgnoredDuringExecution for gardener-seed-admission-controller deployment in the garden namespaces of seed clusters. (gardener/gardener#3294, @hardikdr)
• [OPERATOR] The pre-delivered cluster role gardener.cloud:admin now contains full access permissions for Events and ResourceQuotas. (gardener/gardener#3291, @timuthy)
• [OPERATOR] Add panels to the Kubernetes API Server Details Dashboard for dropped requests. (gardener/gardener#3284, @wyb1)
• [OPERATOR] Alerts are added for the custom metrics for fluent-bit GardenerLoki plugin (gardener/gardener#3283, @Kristian-ZH)
• [OPERATOR] Required connections from Gardenlet to the Garden cluster has been reduced which will have positive effects on scalability and costs. (gardener/gardener#3277, @timuthy)
• [OPERATOR] Fix gardener-seed-admission controller, etcd backup-restore and extension parsers time format. (gardener/gardener@283ee10)
• [OPERATOR] Fixed a bug of the managed istio feature flag where the istio rolebinding was created in the wrong namespace. (gardener/gardener@848a8b9)
• [OPERATOR] A bug has been fixed in gardener-controller-manager's Project controller that can lead to a continuous reconciliation of Project resources if they are stuck in Terminating state. (gardener/gardener@56b5c5a)
• [DEVELOPER] The golang version is updated to 1.15.7. (gardener/gardener@6dab5ea)
• [DEPENDENCY] Guestbook integration test dependencies are now fetched from bitnami repo instead of deprecated/shutdown helm repo. (gardener/gardener#3314, @dguendisch)
• [DEPENDENCY] Making the implementation of the function GetMachineControllerManagerCloudCredentials in the WorkerDelegate optional. Alternatively, extensions can now use the field in the machine class spec.credentialsSecretRef so that all machine classes refer to the same secret from the Worker field spec.secretRef. See here for more details. (gardener/gardener#3308, @danielfoehrKn)

📰 Noteworthy

• [USER] The version for the nginx-ingress addon for shoots has been updated to v0.41.2 ONLY for Kubernetes 1.20 shoot clusters. All shoot clusters with Kubernetes < 1.20 will remain with the current v0.22.0 version. Please be reminded that the nginx-ingress addon is not recommended for production scenarios and that you should deploy (+ customize) your own ingress controller instead. Please use it only for development/evaluation purposes. (gardener/gardener#3315, @rfranzke)
• [OPERATOR] The ingress domain configuration for Seeds is now immutable. (gardener/gardener@ba65cf6)

[logging]

🏃 Others

• [OPERATOR] Batch IDs are configurable via NumberOfBatchIDs. (gardener/logging#83, @vlvasilev)
• [OPERATOR] Add ControllerSyncTimeout to control the informer sync period. Prior it was infinity time. (gardener/logging#83, @vlvasilev)
• [OPERATOR] ReplaceOutOfOrderTS is replaces by SortByTimestamp. The timestamp is no longer replaced. Instead the logs are sorted by their timestamp. (gardener/logging#83, @vlvasilev)