Releases: gardener/documentation

v1.12.2

02 Nov 10:47

[dependency-watchdog]

Improvements

[gardener]

Action Required

  • [USER] apiserver-proxy now listens on port 16910 on all Nodes if the APIServerSNI feature gate is enabled. This conflicts with workloads that use hostNetwork: true and listen on 0.0.0.0:16910, so you must change the bind port of such workloads. (gardener/gardener#3044, @mvladev)
  • [USER] DNS providers not used for the shoot's .spec.dns.domain, also known as additional, non-primary providers, must now be specified with .type and .secretName. Such providers were previously removed automatically from the shoot specification during create or update requests. (gardener/gardener#3036, @timuthy)
  • [OPERATOR] The seed taints seed.gardener.cloud/{disable-capacity-reservation,disable-dns,invisible} are no longer respected and are disallowed in gardener version v1.12 (will be enabled again in the next minor version without any special semantic like previously). They are automatically removed from the seed resources; please use the respective seed.spec.settings fields from now on. (gardener/gardener#2955, @vpnachev)
  • [OPERATOR] Kubernetes 1.16+ is required for Seed clusters which have ManagedIstio feature gate. (gardener/gardener#2866, @mvladev)
  • [OPERATOR] global.apiserver.admissionConfig configuration of charts/gardener/controlplane is no longer used. Existing plugin configuration must be migrated to use the new global.apiserver.admission.plugins list. ValidatingAdmissionWebhook or MutatingAdmissionWebhook plugins must not be used. (gardener/gardener#2673, @mvladev)
  • [DEVELOPER] Some commonly used test utils and gomega matchers have been moved to pkg/utils/test(/matchers) and isolated from unneeded dependencies to make them easier to reuse. (gardener/gardener#2912, @timebertt)
  • [DEVELOPER] The flow package's progress reporter option has been changed to return the new ProgressReporter interface. You can call flow.NewImmediateProgressReporter with your reporter function as a replacement. (gardener/gardener#2908, @rfranzke)
  • [DEVELOPER] ./hack/test.sh now executes tests via go test instead of ginkgo. Please adapt your extensions' Makefiles, if you use the vendored hack scripts. (gardener/gardener#2809, @timebertt)
  • [DEVELOPER] Machine dependency hook methods DeployMachineDependencies and DeployMachineDependencies need to be implemented in the worker controllers of the provider extensions. (gardener/gardener#2806, @dkistner)
  • [DEVELOPER] The provider extensions need to transform the existing GetMachineImages() in the implementation of the WorkerDelegate interface to the new UpdateMachineImageStatus() method. The provider extensions now need to update the provider status on their own in the new UpdateMachineImageStatus() method instead of returning it. (gardener/gardener#2806, @dkistner)

Most notable changes

  • [USER] Defaults reserved PIDs for kubelet and container runtime to 20k. (gardener/gardener#3042, @BeckerMax)
  • [USER] When a Shoot load balancer (vpn-shoot or addons-nginx-ingress-controller) cannot be ensured, gardenlet now fetches the involved object events (with type Warning) and adds them to the error message which is shown in the Shoot status. In this way users and operators will be able to better identify issues in which the load balancer cannot be ensured because of invalid cloud provider credentials or another cloud provider issue. (gardener/gardener#3028, @ialidzhikov)
  • [USER] Failed conditions on Shoots do now transition from False status to Progressing in case the reason or message changes (if thresholds are defined in the gardenlet component config only, otherwise Progressing is not used anyways). (gardener/gardener#3013, @rfranzke)
  • [USER] The KonnectivityTunnel feature can now be configured for a single shoot cluster via the alpha.featuregates.shoot.gardener.cloud/konnectivity-tunnel annotation on the Shoot (true to enable it, false to disable it). (gardener/gardener#3007, @DockToFuture)
  • [USER] The EveryNodeReady condition on Shoot resources does now reflect kubelet version mismatches for shoot worker nodes (e.g., its status will be False if a kubelet wasn't updated after a patch version change). (gardener/gardener#3002, @rfranzke)
  • [USER] Gardener now protects DNS provider secrets from deletion requests as long as they are still being referenced by one or multiple shoot clusters. More information can be found in the documentation. (gardener/gardener#2771, @timuthy)
  • [OPERATOR] apiserver-proxy overload's manager is removed. (gardener/gardener#3063, @mvladev)
  • [OPERATOR] It is now possible to submit provider configuration (for the .spec.provider.providerConfig field in Seed resources) when creating shooted seeds. Please consult the documentation for more information. (gardener/gardener#3035, @MartinWeindel)
  • [OPERATOR] gardener-apiserver now has a new feature gate SeedChange. If set, this feature gate enables updating the spec.seedName field during shoot validation from a non-empty value in order to trigger shoot control plane migration. (gardener/gardener#3024, @stoyanr)
  • [OPERATOR] The vpa-exporter is now deployed again into the garden namespace of seed clusters (also for shooted seeds). (gardener/gardener#3022, @wyb1)
  • [OPERATOR] gardenlet is now deleting all VolumeAttachments on shoot hibernation. As during hibernation machine-controller-manager performs a "force" deletion of machines and does not wait for volumes to detach, kube-controller-manager is not able to delete the corresponding VolumeAttachments (and the external-attacher is not able to notice this deletion and remove its finalizer from the VolumeAttachment). Deleting VolumeAttachments on hibernation should prevent VolumeAttachments from being orphaned. Currently in the upstream kube-controller-manager, there is no garbage collection for VolumeAttachments (see kubernetes/kubernetes#77324). (gardener/gardener#2963, @ialidzhikov)
  • [OPERATOR] Change the shoot namespace matching regex of fluent-bit to shoot- (gardener/gardener#2933, @vlvasilev)
  • [OPERATOR] Change the promtail batch wait to 30 seconds (gardener/gardener#2933, @vlvasilev)
  • [OPERATOR] Deletion of a Seed is now possible with an existing Backup Bucket (but having no Shoots deployed!). The Bucket is deleted automatically during the Seed reconciliation flow. (gardener/gardener#2931, @danielfoehrKn)
  • [OPERATOR] Machines without .spec.providerID or .status.node will no longer be persisted in the Worker's .status.state field. This is to prevent unnecessary updates to the ShootState resources. (gardener/gardener#2909, @rfranzke)
  • [OPERATOR] It is now possible to delay the progress reporting for shoot operations by setting the .controllers.shoot.progressReportPeriod field in the gardenlet component config. This might be helpful in large landscapes where a lot of shoots exist, to limit the number of updates to the Shoots' status sections. (gardener/gardener#2908, @rfranzke)
  • [OPERATOR] The ControllerRegistration resource does now support the new AlwaysExceptNoShoots deployment policy. Respective extension controllers using this policy are only being deployed to seeds if there is at least one shoot. (gardener/gardener#2896, @rfranzke)
  • [OPERATOR] Gardener validating webhooks have been moved from the Gardener-Controller-Manager to a dedicated component Gardener-Admission-Controller. Therefore, new values have been added to the Gardener Helm chart (charts/gardener/controlplane). Please consult the documentation (docs/concepts/admission-controller.md) for more information about the Gardener-Admission-Controller. (gardener/gardener#2832, @timuthy)
  • [OPERATOR] The Gardener Controller Manager is now equipped with a validation handler which checks incoming resource requests against configured quota configurations. It especially enables operators to restrict the maximum size of a single resource (e.g. shoot, plant, secret, ...) users apply to the Garden cluster and is at the same time a measure against DoS attacks. Please consult the documentation docs/concepts/controller-manager.md#Resource-Size-Validator for more details. (gardener/gardener#2781, @timuthy)
  • [OPERATOR] global.apiserver.admission.plugins can now be used to configure admission plugins of the Gardener API Server. ValidatingAdmissionWebhook or MutatingAdmissionWebhook plugins must not be used. (gardener/gardener#2673, @mvladev)
  • [OPERATOR] global.apiserver.admission.validatingWebhook and global.apiserver.admission.mutatingWebhook can now be used to configure validating/mutating admission plugins of the Gardener API Server. If enabled, Service Account Token Volume Projection can be used to generate tokens which are used for authentication against webhooks. (gardener/gardener#2673, @mvladev)
  • [OPERATOR] The Gardener API server now supports the usage of ResourceQuotas for Gardener API groups and resources like Shoots, Seeds, SecretBindings, etc. At the moment the quota supports object counts only, e.g. `count/shoot...

v1.11.0

30 Oct 14:47

[documentation]

Most notable changes

  • [DEVELOPER] Documentation bundles delivered at gardener.cloud website are now generated, based on a manifest file maintained in the documentation repo - documentation.yaml. At present this change is transparent but as documentation will gradually move to respective repositories, it will be necessary to maintain material that needs to be presented on the website in this "bill-of-material" manifest. (#134, @g-pavlov)

Improvements

  • [USER] Information about Gardener's DNS management for shoot clusters has been updated. (#119, @timuthy)
  • [OPERATOR] The X.509 guide has been improved to better differentiate between Gardener extensions for managed certificates and DNS records. (#127, @timuthy)
  • [OPERATOR] Updated the tutorial 'Shoot Maintenance' according to GEP5 that is available since Gardener version 1.4. (#102, @danielfoehrKn)
  • [OPERATOR] The developer documentation now contains information on how to request certificates for custom domains. (#86, @timuthy)

v1.10.0

30 Oct 15:30
Prepare Next Dev Cycle v1.12.0-dev