2024/12/18 - v1.109 and v1.110 Releases

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🪓 [OPERATOR] The deprecated and unconditionally disabled HVPA and HVPAForShootedSeed feature gates are removed. […] #10853

• 🪓 [DEVELOPER] Extension webhooks need to remove the provider type Predicates and add an ObjectSelector against the object’s provider type label instead. #10896

• 🐛 [OPERATOR] seed-authorizer and structured authorization webhooks of shoot kube-apiservers no longer use the default TTL for AuthorizedTTL and UnauthorizedTTL. #10703

  ---

2024/12/11 - Hack The Garden Wrap Up

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🪪 Support More Use-Cases For TokenRequestor. Summary

• 👀 Watch ManagedResources In Shoot Care Controller. Summary

• 👨🏼‍💻 Make cluster-autoscaler Work In Local Setup. Summary

• 🧹 Use Structured Authorization In Local KinD Cluster. Summary

• 🧹 Drop Internal Versions From Component Configuration APIs. Summary

• 🐛 Fix Non-Functional Shoot Node Logging In Local Setup. Summary

• 🧹 No Longer Generate Empty Secret For reconcile OperatingSystemConfigs. Summary

• 🖥️ Generic Monitoring Extension. Summary

  ---

2024/11/20 - v1.108 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🐛 [OPERATOR] Fixed an issue that that could occur during control plane migration causing the core.gardener.cloud/v1beta1.BackupEntry to be reconciled after it was successfully migrated, but before it was restored. #10761

• ✨ [USER] The URLs of Shoot plutono, prometheus and alertmanager are now stored as annotations in <shoot-name>.monitoring secret in the project namespace. #10735

  ---

2024/11/06 - v1.107 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• ✨ [OPERATOR] A new required controller was added to gardener-operator. It maintains the RequiredRuntime condition for Extension resources to indicate that the extension deployment is required in the Garden-Runtime cluster. #10650

• ✨ [USER] Gardener reports the cluster’s egress CIDRs in Shoot.status.networking.egressCIDRs if supported by the used provider extension. #10240

• 🪓 [OPERATOR] The gardener/controlplane Helm chart has been deprecated and will be removed after v1.135 has been released (around beginning of 2026). We urge you to switch to a gardener-operator-based installation. Read all about it here. #10706

  ---

2024/10/23 - v1.106 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🪓 [OPERATOR] The HVPA and HVPAForShootedSeed feature gates have been deprecated and locked to false. Disable the HVPA and HVPAForShootedSeed feature gates if you have them enabled before upgrading to this version of Gardener. #10659

• ✨ [OPERATOR] Gardener generated certificates are valid 1 minute before issuance to handle some amount of clock skew. #10603

• ✨ [DEVELOPER] Allow gosec to be consumed from gardener/gardener. #10642

  ---

2024/10/16 - ApeiroRA Special Edition & v1.105 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🐛 [OPERATOR] When checking whether a Deployment rollout is complete, stale Pods are now ignored and no longer counted. #10548

• ✨ [OPERATOR] gardenlet now performs garbage collection of stale Pods in all namespaces (except kube-system) in the seed cluster. #10548

• ✨ [OPERATOR] The TopologySpreadConstraint calculation was improved for workload spread across multiple zones. This especially leads to a more balanced distribution of kube-apiserver and istio replicas in seed clusters. #10608

  ---

2024/09/25 - v1.104 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• ✨ [OPERATOR] The gardener-operator metrics are now automatically scraped by the garden Prometheus. #10464

• ✨ [OPERATOR] Alerts based on the proposals_failed_total metric of the etcd cluster are not raised anymore. #10524

  ---

2024/09/11 - v1.103 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• ✨ [OPERATOR] kube-proxy now has a readiness probe so that a Node will only become ready for workloads after kube-proxy was ready at least once. #10407

• ✨ [OPERATOR] Host spread for shoots with failure tolerance node (.spec.controlPlane.highAvailability.failureTolerance.type) is now accomplished via minDomains. Earlier, this happened at a best effort basis only. If a seed was having less than 3 nodes at the time the control-plane pods were scheduled, the desired pod distribution was not possible. #10400

  ---

2024/08/28 - v1.102 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🪓 [OPERATOR] When the NewWorkerPoolHash feature gate is enabled, the calculation now also rolls worker nodes of Shoots when changing systemReserved in the kubelet configuration. Worker pools are not rolled if the sum of kubeReserved and systemReserved does not change. […] #10290

• 🐛 [USER] Fixes a bug preventing shoot clusters with annotation shoot.gardener.cloud/skip-readiness: "true" to be created. #10317

• ✨ [OPERATOR] The .spec.deployment.vpa field in the seedmanagement.gardener.cloud/v1alpha1.{Gardenlet,ManagedSeed} APIs is deprecated and has no effect anymore. It will be removed in a future version. Now, gardenlet deploys its own VPA as part of the Seed reconciliation (after it ensured the VPA CRD exists). #10299

• 📖 [DEVELOPER] This document now contains a guide for developers how to handle deprecations and backwards-compatibility of changes. #10294

  ---

2024/08/14 - v1.101 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🪓 [DEVELOPER] The IPv4 addresses for the local Gardener setup was changed from 127.0.0.x to 172.18.255.x (default kind subnet) to resolve an issue on developer machines which can’t use additional IP addressed from the 127.0.0.0/8 space. […] #10019

• 🪓 [DEVELOPER] The legacy method of providing monitoring configuration via ConfigMaps labeled with extensions.gardener.cloud/configuration=monitoring has been removed. See this instead. #10220

• 🐛 [OPERATOR] Fixed a bug in the vpa-eviction-requirements controller causing etcds to be evicted for downscaling outside of their maintenance window. #10202

  ---

2024/07/31 - v1.100 Release

Demo Agenda 📋

No topics available for presentation, hence, meeting was canceled.

No Demo, But Still Worth Celebrating 🎉

• 🐛 [USER] A bug causing sshd running in cluster pods to receive a SIGTERM when SSHAccess for worker nodes is disabled is now fixed. #10123

• ✨ [USER] Added document in which we share our pod autoscaling best practices with end users. #10083

• ✨ [OPERATOR] Scrape vpa-admission-controller metrics with prometheus. #10033

  ---

2024/07/24 - v1.99 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🐛 [USER] Erroneous warnings for incomplete shoots credentials rotation has been fixed. #10059

  ---

2024/07/17 - v1.98 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🪓 [OPERATOR] The Resource Size Validator of the gardener-admission-controller ignores status subresource and metadata.managedFields for resource size limits. […] #10011

• 🪓 [DEPENDENCY] The extensions/pkg/webhook/cloudprovider.Args#EnableObjectSelector field is now removed. The corresponding webhook’s object selector is now enforced unconditionally. #10027

• ✨ [OPERATOR] kube-apiserver HPA’s max replicas count from 3 to 6 in VPAAndHPA autoscaling mode to support very large control planes. #9971

• ✨ [OPERATOR] The data in ManagedResource secrets is now compressed with Brotli and stored under a single data key data.yaml.br. #9964

  ---

2024/06/19 - v1.97 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• ✨ [DEVELOPER] gardener-operator local development setup supports creating seeds, shoots and managed-seeds now. #9763

• ✨ [OPERATOR] gardenlet is now capable of keeping itself updated by pulling configuration and deployment values from the garden cluster. #9874

• 🐛 [OPERATOR] Fix a regression where etcd alerts for the virtual Garden cluster did not work. #9973

• 🪓 [DEVELOPER] The deprecated fields .spec.{reloadConfigFilePath,command} and .status.{units,files} have been removed from the extensions.gardener.cloud/v1alpha1.OperatingSystemConfig API. #9885

  ---

2024/06/05 - v1.96 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🪓 [DEVELOPER] The allow-shoot-networks NetworkPolicy has been dropped entirely, hence, the networking.gardener.cloud/to-shoot-networks=allowed label has no effect anymore and should be removed. #9752

• 🪓 [DEPENDENCY] The extensions/pkg/webhook/controlplane/genericmutator.Ensurer#EnsureKubeAPIServerService func is removed. This func was used before the introduction of ManagedIstio/APIServerSNI (when the kube-apiserver Service was of type LoadBalancer) to set cloud provider specific annotations to the Service. […] #9770

• ✨ [OPERATOR] A new core.gardener.cloud/v1 API version is introduced which only includes the ControllerDeployment resource for now. The new version of the ControllerDeployment drops the type and providerConfig fields in favor of a well-structured section for helm-based ControllerDeployments. #9771

• ✨ [OPERATOR] It is now possible to specify an OCI repository in ControllerDeployments describing from where the Helm chart can be pulled (instead of specifying a base64-encoded chart in the specification). #9823, Summary

  ---

2024/05/29 - v1.95 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• ❗️ [DEVELOPER] The legacy method for extensions to provide observability configuration for shoot clusters (via ConfigMaps labelled with extensions.gardener.cloud/configuration=monitoring) is deprecated and will be removed in a future release. Please refer to this document to get information about the new, recommended way, and start migrating to it. #9695

• ❗️ [DEVELOPER] The extensions.gardener.cloud/v1alpha1.Worker resource now has a new .spec.pools[].userDataSecretRef field which references a Secret containing the actual user data. The .spec.pools[].userData field is deprecated and will be removed in a future version. […] #9722

• 🐛 [USER] A bug has has been fixed which caused unneeded gardener-node-agent reconciliations after each Shoot reconciliation even if the underlying OperatingSystemConfig did not contain relevant changes. #9723

  ---

2024/05/22 - Hack The Garden Wrap Up

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• ✨ An approach for supporting Cilium v1.15+ for highly-available Shoots has been developed. Summary

• ✨ The contents of the machine-controller-manager-provider-local repository have been merged into the gardener repository to improve development productivity. Summary

• ✨ The vendor folder is going to be removed from OS extensions. Summary

• ✨ Embedded files are now considered for local image builds with Skaffold. Summary

  ---

2024/05/08 - v1.94 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• ❗️ [OPERATOR] Five minutes Infrastructure Cleanup Wait Period during shoot deletion was removed. Shoot annotation shoot.gardener.cloud/infrastructure-cleanup-wait-period-seconds which could be used to configure this period was removed, too. #9632

• ✨ [OPERATOR] gardener-node-agent no longer watches all Nodes in the cluster but restricts to only the Node it is responsible for (with the help of label/field selectors). This should lead to a significant reduction of network I/O, especially for shoot clusters with many nodes. #9672

• 🐛 [OPERATOR] gardener-operator is now capable of reconciling shoot cluster-specific NetworkPolicys in case the garden cluster is a seed cluster at the same time. #9658

  ---

2024/04/24 - v1.93 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• ❗️ [OPERATOR] Set kube-apiserver maxReplicas=3 for all Shoots that are not annotated with alpha.control-plane.scaling.shoot.gardener.cloud/scale-down-disabled=true. #9605

• ✨ [OPERATOR] A new gardenlet feature gate called ShootManagedIssuer was introduced. This feature gate guards the functionality described in GEP-24 until all of the components mentioned in the enhancement proposal are implemented by Gardener. #9489

• 🐛 [OPERATOR] Istio-ingress gateway dashboard now shows the correct sent tcp traffic metric and the correct memory usage. #9596

  ---

2024/04/10 - v1.92 Release

Demo Agenda 📋

No topics available for presentation, hence, meeting was canceled.

No Demo, But Still Worth Celebrating 🎉

• 🪓 [OPERATOR] The graduated UseGardenerNodeAgent feature gate has been dropped. […]. #9477

• 🪓 [DEVELOPER] The deprecated oscommon package has been removed. #9477

• ✨ [OPERATOR] Secret openvpn-diffie-hellman-key in the garden namespace containing the Diffie-Hellmann key can be deleted from landscapes as it is no longer needed. #9386

• ✨ [DEVELOPER] A new extension lifecycle strategy reconcile: AfterWorker is now available for Extensions to use in their ControllerRegistration. #9472

  ---

2024/03/27 - v1.91 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• ✨ [OPERATOR] Operators can create duplicate istio ingress gateways for migration if the zone names should be changed in the Seed specification. #9304

• ✨ [DEVELOPER] The {garden,seed,shoot}-care controllers now incorporate ManagedResources into all relevant conditions, and it is possible to override the condition type into which a ManagedResource’s status gets incorporated via the care.gardener.cloud/condition-type label. […] #9313

  ---

2024/03/13 - v1.90 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🪓 [OPERATOR] ⚠️ Gardener does no longer support garden, seed, or shoot clusters with Kubernetes versions == 1.24. Make sure to upgrade all existing clusters before upgrading to this Gardener version. #8989

• 🐛 [DEPENDENCY] An issue was fixed that sometimes led to leaked extension-controlplane-shoot-webhooks which blocked the shoot deletion. #9209

• ✨ [OPERATOR] The UseGardenerNodeAgent feature gate has been promoted to GA. It was already enabled by default and can now no longer be turned off. The feature gate will be removed in a future release. #9208

  ---

2024/02/28 - v1.89 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• ✨ [USER] The shoot cluster CA bundle is now stored in a ConfigMap in the project namespace of the garden cluster, in addition to storing it in a Secret. This ConfigMap shares the same name as the pre-existing Secret, which is <shoot-name>.ca-cluster. The Secret will be removed in a future Gardener release. […] #9123

• ✨ [OPERATOR] The UseGardenerNodeAgent feature gate has been promoted to beta and is now turned on by default. #9161

• ✨ [OPERATOR] Add condition type ObservabilityComponentsHealthy for extension health check, it will allow extensions to register with this type. #9092

  ---

2024/02/14 - v1.88 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🪓 [OPERATOR] The docker CRI is no longer supported for machine images in the CloudProfile. Docker CRI was already not supported for Shoots with Kubernetes versions >= v1.23, so adding this CRI is a no-op currently. Please remove all the usages of docker CRI from your CloudProfiles before upgrading to this version. #9135

• 🐛 [OPERATOR] A bug has been fixed which was preventing valitail systemd services on shoot workers from starting when the UseGardenerNodeAgent feature gate is enabled. #9149

• 🐛 [USER] The kube-apiserver deployment is annotated to mark the completion of labeling the resources for encrytion so that this step is not repeated in case the “label removal” step fails and resources are partially without the label. #9147

• ✨ [OPERATOR] BackupEntrys and Shoots are now labelled with seed.gardener.cloud/<seed-name>=true where <seed-name> is the value of .spec.seedName or .status.seedName. This allows for server-side filtering when watching these resources by leveraging a label selector. #9089

  ---

2024/01/31 - v1.87 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🪓 [OPERATOR] The deprecated field seed.spec.secretRef has been removed from the Seed API. Please check your Seeds and remove any usage before upgrading to this Gardener version. #8896

• 🪓 [OPERATOR] Migration code for Plutono and Vali is now removed. Consider manual cleanup for longterm broken Shoots as described in the PR to avoid leaking Loki’s PV. #8999

• ✨ [OPERATOR] The components managed by gardener now use PDBs with unhealthyPodEvictionPolicy: AlwaysAllow for clusters with kubernetes version >= 1.26. […] #8969

  ---

2024/01/24 - v1.86 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🪓 [DEVELOPER] Support for the deprecated NetworkPolicy annotations networking.resources.gardener.cloud/from-policy-allowed-ports and networking.resources.gardener.cloud/from-policy-pod-label-selector has been removed. Use networking.resources.gardener.cloud/from-<some-alias>-allowed-ports instead (documentation). #8883
• 🐛 [OPERATOR] A bug causing the Shoot to use the wrong istio load balancer if the ExposureClass name and the exposureclass handler name are not the same is now fixed. #8926
• ✨ [OPERATOR] Add egressCIDRs field to the infrastructureStatus resource. This allows provider-extensions to specify a list of stable CIDRs used as source IP for traffic generated by the shoot’s worker nodes. #8888

2023/12/06 - v1.85 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🪓 [OPERATOR] All the functionality related to the deprecated field .spec.secretRef in Seeds has been removed and subsequently .spec.secretRef will be dropped from the Seed API in a later release of Gardener. Please check your Seeds and remove any usage before upgrading to this Gardener version. #8833

• ✨ [OPERATOR] The gardener-resource-manager deployment procedure was improved. Earlier, GRM was unnecessarily rolled during shoot reconciliation if worker nodes contained custom taints. #8835

  ---

2023/11/29 - v1.84 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🪓 [USER] A validation rule was added that forbids changing the primary DNS provider in .spec.dns.providers as soon as the Shoot was scheduled. #8761

• 🪓 [OPERATOR] ⚠️ The deprecated fields spec.settings.dependencyWatchdog.endpoint and spec.settings.dependencyWatchdog.probe have been removed from the Seed API. Please check your Seeds and remove any usage before upgrading to this Gardener version. #8747

• 🐛 [OPERATOR] During the restore phase of control plane migration, the machine-controller-manager is deployed with 0 replicas if it did not exist before or if it existed and was not scaled up yet. This fixes an issue that could cause the Shoot’s nodes to get recreated during control plane migration. #8742

• ✨ [DEVELOPER] Vendoring has been removed from the project, i.e., there is no vendor folder anymore. #8775

  ---

2023/11/22 - v1.83 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🐛 [OPERATOR] A bug has been fixed which caused ServiceAccounts related to garden access secrets for extensions to leak in the seed namespace in the garden cluster after uninstallation of said extensions. #8697

• ✨ [OPERATOR] The .status.lastOperation in core.gardener.cloud/v1beta1.Seed and operator.gardener.cloud/v1alpha1.Garden resources is now only updated each 5s during a reconciliation. Previously, it was updated immediately when a task was finished. #8705

  ---

2023/11/15 - Hack The Garden Wrap Up

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• ✨ [USER] A discussion about air-gapped shoot clusters was conducted. Summary

• ✨ [DEVELOPER] A new script hack/update-skaffold-deps.sh has been added for automatically updating Skaffold dependencies for the binaries. Previously, you had to update them manually in the skaffold.yaml file. Summary

  ---

2023/10/25 - v1.82 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🪓 [DEPENDENCY] The MachineClassKind(), MachineClass(), and MachineClassList() methods have been dropped from the generic Worker actuator’s interface and do not need to be implemented anymore. #8559

• 🪓 [DEPENDENCY] The no longer required --gardenlet-manages-mcm option has been removed. All code in provider extensions related to management/deployment of machine-controller-manager should be removed. #8596

• 🪓 [DEVELOPER] The extensions/pkg/controller/operatingsystemconfig/oscommon package is deprecated and will be removed as soon as the UseGardenerNodeAgent feature gate has been promoted to GA. OS extension developers should start adapting to this new feature, see documentation and example based on provider-local. #8647

  ---

2023/10/11 - v1.81 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🐛 [USER] Gardener refined the scope of the problematic webhook matcher for Endpoints objects. Earlier, shoot clusters were assigned a constraint reporting a problem with a failurePolocy: Fail webhook acting on these objects. Now, only Endpoints in the kube-system and default namespaces are considered for this check. #8521

• ✨ [OPERATOR] The MachineControllerManagerDeployment has been promoted to beta and is now enabled by default. Make sure that all registered provider extensions support this feature gate before upgrading to this version of Gardener. #8526

• ✨ [OPERATOR] The DisableScalingClassesForShoots feature gates has been promoted to GA (and is now always enabled). #8526

  ---

2023/09/27 - v1.80 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🐛 [USER] A bug has been fixed which was allowing users to specify an extension of the same type in .spec.extensions[].type more than once in the Shoot API. #8457

• ✨ [USER] Gardener now reports nodes for which the checksum/cloud-config-data hasn’t been populated yet. This could point towards an error on the node and that not all Gardener related configuration happened successfully. #8448

• ✨ [OPERATOR] gardener-operator now refuses to start if operators attempt to downgrade or skip minor Gardener versions. Please see this document for more information. #8413

• ✨ [DEVELOPER] The following golang dependencies have been upgraded, please consult the upstream release notes and this issue for guidance on upgrading your golang dependencies when vendoring this gardener version: k8s.io/* to v0.28.2, sigs.k8s.io/controller-runtime to v0.16.2. #8464

  ---

2023/09/13 - v1.79 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• ✨ [USER] When the Kubernetes control plane version is at least v1.28, it is now possible to set the worker pool Kubernetes version to be at most three versions behind the control plane version. Earlier, only a skew of at most two versions was allowed. Find more details here. #8402

• ✨ [OPERATOR] The DisablingScalingClassesForShoots feature gate has been promoted to beta. #8428

• ✨ [OPERATOR] The WorkerlessShoots feature gate has been promoted to beta and is now turned on by default. Before deploying this Gardener version, make sure that all your registered extensions support this feature gate. #8417

  ---

2023/08/30 - v1.78 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• ✨ [OPERATOR] It is possible now to trigger a Seed reconciliation by annotating the Seed with gardener.cloud/operation=reconcile. #8347

• ✨ [OPERATOR] Status of Garden now includes the ObservabilityComponentsHealthy condition which show the health of observability components in the garden runtime-cluster. #8346

• ✨ [DEPENDENCY] BackupBucket/BackupEntry controllers: watch secret metadata only. #8348

  ---

2023/08/16 - v1.77 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🔄 [OPERATOR] gardenlet no longer reports the Bootstrapped condition on Seeds. Instead, it now reports the progress in .status.lastOperation, similar to how it’s done for Shoots. #8290

• 🔎 [OPERATOR] Operators can now view and manage dashboards for compaction jobs running in shoot control plane. #8206

• 📈 [OPERATOR] gardener-operator now takes over management of fluent-operator and vali. #8240

  ---

2023/08/02 - v1.76 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🪓 [OPERATOR] Removed service.beta.kubernetes.io/aws-load-balancer-type: nlb annotation from istio-ingressgateway service template. Set this annotation in Seed configuration. […] #8214

• ✨ [USER] It is now possible to enable disabled APIs for workerless shoot clusters via spec.kubernetes.kubeAPIServer.runtimeConfig. #8258

• 🐛 [USER] An issue has been fixed which caused CoreDNS to not rewrite CNAME values in DNS answers. #8231

  ---

2023/07/19 - v1.75 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🪓 [DEVELOPER] Shoot fields .spec.dns.providers[].domains and .spec.dns.providers[].zones are now deprecated and expected to be removed in version v1.87. Please plan ahead to drop using those fields in extensions. #8199

• 🪓 [USER] Adding Gardener-managed finalizers (e.g., gardener or gardener.cloud/reference-protection) to the Shoot on creation is now forbidden. #8209

• 🐛 [OPERATOR] A bug causing the gardenlet to panic when a ETCD encryption key rotation operation is triggered for a hibernated Shoot is now fixed. Now, triggering ETCD encryption key rotation or ServiceAccount signing key rotation is forbidden when the Shoot is in waking up phase. #8184

  ---

2023/07/05 - v1.74 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🪓 [OPERATOR] ⚠️ Gardener does no longer support garden, seed, or shoot clusters with Kubernetes versions < 1.22. Make sure to upgrade all existing clusters before upgrading to this Gardener version. #8087

• 🐛 [OPERATOR] gardener-resource-manager’s system-components-config webhook no longer adds the toleration for the ToBeDeletedByClusterAutoscaler taint to system components in shoot clusters. The ToBeDeletedByClusterAutoscaler taint is maintained by the cluster-autoscaler. This was breaking cluster-autoscaler’s drain mechanism when scaling down an under-utilized node. It was causing just evicted system components from to be deleted node to be scheduled again on the to be deleted node. #8172

  ---

2023/06/21 - v1.73 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🪓 [OPERATOR] The field .spec.secretRef in the Seed API has been deprecated and will be removed in a future release of Gardener. #8064

• ✨ [OPERATOR] gardener-apiserver now exposes a new core.gardener.cloud/v1beta1.InternalSecret API, see the documentation for more information. #8025

• ✨ [DEVELOPER] It is now easier to annotate Services related to extensions serving webhook handlers that must be reached by kube-apiservers running in separate namespaces such that the respective network traffic gets allowed. Please refer to this guide for all information. […]. #8076

• ✨ [DEVELOPER] gardenlet’s ControllerInstallation controller now populates the feature gate of gardenlet via the Helm values to extensions when they are getting installed. The information is populated via the .gardener.gardenlet.featureGates key. It contains a map whose keys are feature gates names and whose values are booleans (depicting the enablement status). #8011

  ---

2023/06/14 - v1.72 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🪓 [OPERATOR] It is required to have ControllerRegistrations for Kinds ControlPlane, Infrastructure and Worker with the same types used for seeds (.spec.provider.type). […]. #7928

• ✨ [USER] The core/v1alpha1 API version is dropped. Make sure that you don’t use the core/v1alpha1 API version in your machinery. #7965

• ✨ [USER] The certificate chains served by kube-apiservers does now include the CA certificates used to sign their server certificates. #7961

• 🐛 [USER] A bug that prevented finalizers from being added to referenced Secrets or ConfigMaps in .spec.resources in Shoots has been fixed. #7995

  ---

2023/06/07 - v1.71 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🪓 [DEVELOPER] Extensions vendoring this gardener/gardener version need to provide RBAC privileges for PATCH apps/depoyments/scale. #7868

• ✨ [OPERATOR] The HAControlPlanes feature gate has been promoted to beta and is now turned on by default. #7867

• ✨ [OPERATOR] It is now possible to provide namespace selectors for additional namespaces which should be covered by the NetworkPolicy controllers of gardener-operator or gardenlet. […] #7929

• ✨ [DEVELOPER] In order to allow kube-apiserver pods of shoot or garden clusters to reach webhook servers, they must no longer be explicitly labeled with networking.resources.gardener.cloud/to-<service-name>-<protocol>-<port>=allowed. Instead, it is enough to annotate the Service of the webhook server with networking.resources.gardener.cloud/from-all-webhook-targets-allowed-ports=<ports>. #7907

• 📖 [DEVELOPER] A guideline for developers regarding TODO statements has been introduced. #7939

  ---

2023/05/31 - Hack The Garden Wrap Up

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• ✨ The machine-controller-manager deployment procedure has been moved from the generic Worker actuator used in extensions controllers into gardenlet. Summary

• ✨ The accuracy for local control plane migration e2e tests has been increased as much as possible. Summary

• ✨ A few of the necessary steps for supporting ETCD encryption for custom resources have been addressed. Summary

• 🧹 The apiserver-proxy-pod-mutator webhook has been moved into gardener-resource-manager. Summary

  ---

2023/05/10 - v1.70 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• ✨ [OPERATOR] Gardener now supports seed clusters with Kubernetes versions up to v1.26. #7831

• ✨ [OPERATOR] The highavailabilityconfig webhook configures topology spread constraints with minDomains=<number-of- zones>. […]. #7826

• ✨ [OPERATOR] Annotations in seed.spec.settings.loadBalancerServices.annotations are now applied to the nginx-ingress load balancer service in the seed cluster. #7835

• 🧹 [OPERATOR] The promoted or deprecated feature gates ManagedIstio and ReversedVPN have been removed. #7830

  ---

2023/04/26 - v1.69 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• ✨ [OPERATOR] The SeedChange and CopyEtcdBackupsDuringControlPlaneMigration feature gates have been promoted to GA and are now locked to true. #7763

• 🐛 [OPERATOR] Fixed potential leaks of ShootStates that could happen when a Shoot cluster is deleted. This is achieved by no longer exiting early from the deletion flow if the shoot’s seed Namespace has been deleted. The same logic has been applied to the migration flow for consistency. #7789

• 🐛 [OPERATOR] A bug causing kube-controller-manager to fail to clean up ShootState resources is now fixed. #7793

• 🧹 [OPERATOR] The .spec.settings.ownerChecks field of the Seed configuration is deprecated. The “bad-case” control plane migration is being removed in favor of the HA Shoot control planes […]. #7748

  ---

2023/04/12 - v1.68 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• ✨ [OPERATOR] Enable memory-saver mode for the VPA recommender. It stops tracking resource consumption for Containers without matching VPAs and frees up memory. #7746

• ✨ [DEVELOPER] The server certificate of the kube-apiserver deployment now contains the <service-name>.<namespace>.svc.cluster.local SAN. #7735

• 🐛 [OPERATOR] A bug causing the gardenlet to be unable to access the BackupBucket generated secret in garden namespace is now fixed. #7708

• 🐛 [OPERATOR] A bug has been fixed for the Gardener Operator that occasionally caused “404 not-found” errors when garden resources where applied and the operator ran with multiple replicas. #7739

  ---

2023/04/05 - Special Edition

Demo Agenda 📋

2023/03/29 - v1.67 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🐛 [OPERATOR] An issue has been fixed which caused undesired PATCH requests when updating the state in the Worker or ShootState resources. #7637

• 🐛 [DEVELOPER] A bug in managedresources.NewRegistry that was leading to excessive memory usage when this function is called multiple times has been fixed. #7694

• ✨ [DEVELOPER] Shoot clusters using provider-local can now have multiple worker nodes with calico as CNI. #7684

• ✨ [DEVELOPER] The local deployment of Gardener with extensions can now deal with multiple seeds. Additional seeds can be added and removed again. #7673

  ---

2023/03/15 - v1.66 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🐛 [USER] Updates to the AuditPolicy referenced by Shoots are now also validated against the Kubernetes versions of those shoot clusters. This fixes an issue where it was possible to specify an unsupported audit.k8s.io version when updating the ConfigMap which contains the AuditPolicy. #7563

• 🐛 [USER] Fixes control-plane migration of hibernated shoot being stuck if shoot was hibernated for 24h. #7608

• 🪓 [OPERATOR] The ForceRestore feature gate has been removed. #7543

• ✨ [OPERATOR] The ManagedSeed controller does no longer try to sync the Seed kubeconfig Secret when Shoot’s static token kubeconfig is not enabled. #7546

  ---

2023/03/01 - v1.65 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• 🪓 [USER] The core.gardener.cloud/v1alpha1 API is deprecated and will be removed soon. The core.gardener.cloud/v1beta1 API is already available since a very long time and should be used instead. #7443

• 🪓 [OPERATOR] Before upgrading to this Gardener version, Seeds using .spec.dns.ingressDomain must now finally be switched to using .spec.ingress and .spec.dns.provider […]. #7515

• 🐛 [OPERATOR] Fix a bug in the etcd deploy flow that erroneously unsets etcd.spec.etcd.peerUrlTls in the Etcd CRs of high available shoots when marked for hibernation. #7514

  ---

2023/02/15 - v1.64 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• ✨ [OPERATOR] The istio-system namespace in seed clusters is now labeled with gardener.cloud/role=istio-system. All istio-ingress* namespaces are now labeled with gardener.cloud/role=istio-ingress. #7389

• 🐛 [OPERATOR] When deleting a seed the cluster-identity config map in kube-system namespace is not deleted anymore if it was already existing on seed creation. #7436

• 🐛 [OPERATOR] A bug has been fixed which caused the conditions of Shoots to be set to Unknown too fast in case the responsible gardenlet is no longer posting its heartbeat. #7404

• ✨ [DEVELOPER] Add bootstrapping a local IPv6 KinD cluster with make kind-up IPFAMILY=ipv6. #7388

  ---

2023/02/08 - v1.63 Release (Part III)

Demo Agenda 📋

2023/02/01 - v1.63 Release (Part II)

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• ✨ [USER] The ServiceAccount signing key rotation procedure has been improved and should work better for clusters with lots of ServiceAccounts or intermittent creations/deletions of new/old ServiceAccount secrets. #7313

• 🐛 [USER] A bug in the kubelet-monitor script running on all shoot worker nodes has been fixed which was causing to also kill processes other than kubelet only. #7278

• ✨ [OPERATOR] The legacy VPN solution has been removed. The feature gates ReversedVPN, ManagedIstio and APIServerSNI are unconditionally enabled (locked to their default values) now. #7167

• ✨ [OPERATOR] gardener-operator is now managing the load balancer Service for exposing the virtual-garden-kube-apiserver as part of the virtual garden cluster control plane. It is possible to specify annotations for it via .spec.runtimeCluster.settings.loadBalancerServices.annotations in the Garden resource. #7238

• 🐛 [OPERATOR] When deploying kube-apiserver version v1.24, Gardener will add the --shutdown-send-retry-after=true command line flag to the kube-apiserver command. […]. #7250

• ✨ [DEVELOPER] The HighAvailabilityConfig webhook now also mutates replica settings of HPA and HVPA resources. To make use of this handling, please label respective resources with the well known high-availability-config.resource.gardener.cloud/type label […]. #7226

• ✨ [DEVELOPER] It is now possible to make secrets manager adopt existing secrets. Find out more in this document. #7243

• 📖 [DEVELOPER] The Gardener project has introduced a policy for the number of supported Kubernetes versions read it here. #7300

  ---

2023/01/25 - v1.63 Release (Part I)

Demo Agenda 📋

2023/01/18 - v1.62 Release

Demo Agenda 📋

No Demo, But Still Worth Celebrating 🎉

• ✨ [USER] gardener-admission-controller now validates Shoot Kubernetes version compatibility with Audit Policy API version on Shoot update request. #7205
• ✨ [USER] It is now possible to configure the general log verbosity and the verbosity for HTTP access logs for the kube-apiserver via the Shoot specification. #7094
• 🐛 [OPERATOR] Prevent updating Shoots which are scheduled to a Seed with less then 3 zones to spec.controlPlane.failureTolerance.type: zone #7195
• 📖 [DEVELOPER] A new document for developers has been added with a checklist for what to pay attention to when adding new components to garden, seed, or shoot clusters. Read it here. #7125