Releases: gardener/documentation
v1.12.2
[dependency-watchdog]
Improvements
- [OPERATOR] Fix panic during shoot spec and status check. (gardener/dependency-watchdog#29, @amshuman-kr)
- [OPERATOR] Improve logging while scaling. (gardener/dependency-watchdog#24, @amshuman-kr)
- [OPERATOR] Probe is stopped for clusters that are hibernating, in hibernation, or still waking up from hibernation. (gardener/dependency-watchdog#23, @ggaurav10)
[gardener]
Action Required
- [USER] `apiserver-proxy` now listens on port `16910` on all Nodes if the `APIServerSNI` feature gate is enabled. It causes a conflict with workloads with `hostNetwork: true` and listening on `0.0.0.0:16910`, so it's required to change your workload's bind port. (gardener/gardener#3044, @mvladev)
- [USER] DNS providers not used for the shoot's `.spec.dns.domain`, also known as additional, non-primary providers, must now be specified with `.type` and `.secretName`. Such providers were previously removed automatically from the shoot specification during create or update requests. (gardener/gardener#3036, @timuthy)
- [OPERATOR] The seed taints `seed.gardener.cloud/{disable-capacity-reservation,disable-dns,invisible}` are no longer respected and are disallowed in gardener version v1.12 (will be enabled again in the next minor version without any special semantic like previously). They are automatically removed from the seed resources; please use the respective seed.spec.settings fields from now on. (gardener/gardener#2955, @vpnachev)
- [OPERATOR] Kubernetes 1.16+ is required for Seed clusters which have the `ManagedIstio` feature gate. (gardener/gardener#2866, @mvladev)
- [OPERATOR] `global.apiserver.admissionConfig` configuration of `charts/gardener/controlplane` is no longer used. Existing plugin configuration must be migrated to use the new `global.apiserver.admission.plugins` list. `ValidatingAdmissionWebhook` or `MutatingAdmissionWebhook` plugins must not be used. (gardener/gardener#2673, @mvladev)
- [DEVELOPER] Some commonly used test utils and gomega matchers have been moved to `pkg/utils/test(/matchers)` and isolated from unneeded dependencies to make them easier to reuse. (gardener/gardener#2912, @timebertt)
- [DEVELOPER] The `flow` package's progress reporter option has been changed to return the new `ProgressReporter` interface. You can call `flow.NewImmediateProgressReporter` with your reporter function as a replacement. (gardener/gardener#2908, @rfranzke)
- [DEVELOPER] `./hack/test.sh` now executes tests via `go test` instead of `ginkgo`. Please adapt your extensions' `Makefile`s, if you use the vendored hack scripts. (gardener/gardener#2809, @timebertt)
- [DEVELOPER] Machine dependency hook methods `DeployMachineDependencies` and `DeployMachineDependencies` need to be implemented in the worker controllers of the provider extensions. (gardener/gardener#2806, @dkistner)
- [DEVELOPER] The provider extensions need to transform the existing `GetMachineImages()` in the implementation of the `WorkerDelegate` interface to the new `UpdateMachineImageStatus()` method. The provider extensions now need to update the provider status on their own in the new `UpdateMachineImageStatus()` method instead of returning it. (gardener/gardener#2806, @dkistner)
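A pre-upgrade check for the port `16910` conflict described in the first item above, as an added example that is not part of the Gardener release notes or code base. It assumes input in the shape of `kubectl get pods -A -o json`; the sample pod list and all pod, container and namespace names are constructed.

```python
APISERVER_PROXY_PORT = 16910  # port named in the release note

# Constructed sample in the shape of `kubectl get pods -A -o json` output.
SAMPLE_POD_LIST = {"items": [
    {"metadata": {"namespace": "monitoring", "name": "node-agent-x1"},
     "spec": {"hostNetwork": True, "containers": [
         {"name": "agent", "ports": [{"containerPort": 16910}]}]}},
    {"metadata": {"namespace": "kube-system", "name": "node-exporter-abc"},
     "spec": {"hostNetwork": True, "containers": [
         {"name": "exporter", "ports": [{"containerPort": 9100}]}]}},
    {"metadata": {"namespace": "apps", "name": "web-7d9f"},
     "spec": {"containers": [
         {"name": "web", "ports": [{"containerPort": 16910}]}]}},
]}


def find_port_conflicts(pod_list, port=APISERVER_PROXY_PORT):
    """Return (namespace, pod, container) for hostNetwork pods declaring `port`.

    Only declared ports are visible here: a process can bind a port that is
    not listed in the pod spec, so an empty result is not proof of no conflict.
    """
    hits = []
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        if not spec.get("hostNetwork", False):
            continue  # pod has its own network namespace, no clash on the node
        meta = pod.get("metadata", {})
        containers = spec.get("containers", []) + spec.get("initContainers", [])
        for container in containers:
            declared = container.get("ports", [])
            if any(port in (p.get("containerPort"), p.get("hostPort"))
                   for p in declared):
                hits.append((meta.get("namespace", "default"),
                             meta.get("name"), container.get("name")))
    return hits


if __name__ == "__main__":
    for namespace, pod, container in find_port_conflicts(SAMPLE_POD_LIST):
        print(f"{namespace}/{pod} container {container!r} declares port "
              f"{APISERVER_PROXY_PORT} with hostNetwork: true")
```
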
Most notable changes
- [USER] Defaults reserved PIDs for kubelet and container runtime to 20k. (gardener/gardener#3042, @BeckerMax)
- [USER] When a Shoot load balancer (vpn-shoot or addons-nginx-ingress-controller) cannot be ensured, gardenlet now fetches the involved object events (with type Warning) and adds them to the error message which is shown in the Shoot status. In this way users and operators will be able to identify better issues in which load balancer cannot be ensured because of invalid cloud provider credentials or another cloud provider issue. (gardener/gardener#3028, @ialidzhikov)
- [USER] Failed conditions on `Shoot`s do now transition from `False` status to `Progressing` in case the reason or message changes (if thresholds are defined in the gardenlet component config only, otherwise `Progressing` is not used anyways). (gardener/gardener#3013, @rfranzke)
- [USER] The `KonnectivityTunnel` feature can now be configured for a single shoot cluster via the `alpha.featuregates.shoot.gardener.cloud/konnectivity-tunnel` annotation on the `Shoot` (`true` to enable it, `false` to disable it). (gardener/gardener#3007, @DockToFuture)
- [USER] The `EveryNodeReady` condition on `Shoot` resources does now reflect kubelet version mismatches for shoot worker nodes (e.g., its status will be `False` if a kubelet wasn't updated after a patch version change). (gardener/gardener#3002, @rfranzke)
- [USER] Gardener now protects DNS provider secrets from deletion requests as long as they are still being referenced by one or multiple shoot clusters. More information can be found in the documentation. (gardener/gardener#2771, @timuthy)
- [OPERATOR] `apiserver-proxy` overload's manager is removed. (gardener/gardener#3063, @mvladev)
- [OPERATOR] It is now possible to submit provider configuration (for the `.spec.provider.providerConfig` field in `Seed` resources) when creating shooted seeds. Please consult the documentation for more information. (gardener/gardener#3035, @MartinWeindel)
- [OPERATOR] `gardener-apiserver` now has a new feature gate `SeedChange`. If set, this feature gate enables updating the `spec.seedName` field during shoot validation from a non-empty value in order to trigger shoot control plane migration. (gardener/gardener#3024, @stoyanr)
- [OPERATOR] The `vpa-exporter` is now deployed again into the `garden` namespace of seed clusters (also for shooted seeds). (gardener/gardener#3022, @wyb1)
- [OPERATOR] gardenlet is now deleting all `VolumeAttachment`s on shoot hibernation. As during hibernation machine-controller-manager performs a "force" deletion of machines and does not wait for volumes to detach, kube-controller-manager is not able to delete the corresponding `VolumeAttachment`s (nor is the external-attacher able to notice this deletion and remove its finalizer from the VolumeAttachment). Deleting `VolumeAttachment`s on hibernation should prevent `VolumeAttachment`s from being orphaned. Currently in the upstream kube-controller-manager, there is no garbage collection for `VolumeAttachment`s (see kubernetes/kubernetes#77324). (gardener/gardener#2963, @ialidzhikov)
- [OPERATOR] Change the shoot namespace matching regex of fluent-bit to `shoot-` (gardener/gardener#2933, @vlvasilev)
- [OPERATOR] Change the promtail batch wait to 30 seconds (gardener/gardener#2933, @vlvasilev)
- [OPERATOR] Deletion of a Seed is now possible with an existing Backup Bucket (but having no Shoots deployed!). The Bucket is deleted automatically during the Seed reconciliation flow. (gardener/gardener#2931, @danielfoehrKn)
- [OPERATOR] Machines without `.spec.providerID` or `.status.node` will no longer be persisted in the `Worker`'s `.status.state` field. This is to prevent unnecessary updates to the `ShootState` resources. (gardener/gardener#2909, @rfranzke)
- [OPERATOR] It is now possible to delay the progress reporting for shoot operations by setting the `.controllers.shoot.progressReportPeriod` field in the gardenlet component config. This might be helpful in large landscapes where a lot of shoots exist to limit the number of updates to the `Shoot`s' `status` sections. (gardener/gardener#2908, @rfranzke)
- [OPERATOR] The `ControllerRegistration` resource does now support the new `AlwaysExceptNoShoots` deployment policy. Respective extension controllers using this policy are only being deployed to seeds if there is at least one shoot. (gardener/gardener#2896, @rfranzke)
- [OPERATOR] Gardener validating webhooks have been moved from the `Gardener-Controller-Manager` to a dedicated component `Gardener-Admission-Controller`. Therefore, new values have been added to the Gardener Helm chart (`charts/gardener/controlplane`). Please consult the documentation (`docs/concepts/admission-controller.md`) for more information about the `Gardener-Admission-Controller`. (gardener/gardener#2832, @timuthy)
- [OPERATOR] The Gardener Controller Manager is now equipped with a validation handler which checks incoming resource requests against configured quota configurations. It especially enables operators to restrict the maximum size of a single resource (e.g. shoot, plant, secret, ...) users apply to the Garden cluster and is at the same time a measure against DoS attacks. Please consult the documentation `docs/concepts/controller-manager.md#Resource-Size-Validator` for more details. (gardener/gardener#2781, @timuthy)
- [OPERATOR] `global.apiserver.admission.plugins` can now be used to configure admission plugins of the Gardener API Server. `ValidatingAdmissionWebhook` or `MutatingAdmissionWebhook` plugins must not be used. (gardener/gardener#2673, @mvladev)
- [OPERATOR] `global.apiserver.admission.validatingWebhook` and `global.apiserver.admission.mutatingWebhook` can now be used to configure validating/mutating admission plugins of the Gardener API Server. If enabled, Service Account Token Volume Projection can be used to generate tokens which are used for authentication against webhooks. (gardener/gardener#2673, @mvladev)
- [OPERATOR] The Gardener API server now supports the usage of `ResourceQuota`s for Gardener API groups and resources like `Shoot`s, `Seed`s, `SecretBinding`s, etc. At the moment the quota supports object counts only, e.g. `count/shoot...
v1.11.0
[documentation]
Most notable changes
- [DEVELOPER] Documentation bundles delivered at gardener.cloud website are now generated, based on a manifest file maintained in the documentation repo - documentation.yaml. At present this change is transparent but as documentation will gradually move to respective repositories, it will be necessary to maintain material that needs to be presented on the website in this "bill-of-material" manifest. (#134, @g-pavlov)
Improvements
- [USER] Information about Gardener's DNS management for shoot clusters has been updated. (#119, @timuthy)
- [OPERATOR] The X.509 guide has been improved to better differentiate between Gardener extensions for managed certificates and DNS records. (#127, @timuthy)
- [OPERATOR] Updated the tutorial 'Shoot Maintenance' according to GEP5 that is available since Gardener version 1.4. (#102, @danielfoehrKn)
- [OPERATOR] The developer documentation now contains information on how to request certificates for custom domains. (#86, @timuthy)
v1.10.0
Prepare Next Dev Cycle v1.12.0-dev