3.7.0

[garden-setup]

🐛 Bug Fixes

• [OPERATOR] Fixed a bug that occurred when trying to deactivate backups which would otherwise have been stored in a GCS bucket. (#417, @Diaphteiros)

🏃 Others

• [OPERATOR] Upgrade Gardener extension networking-calico to v1.16.0 (#418, @Diaphteiros)
• [OPERATOR] Upgrade Gardener extension shoot-cert-service to v1.12.0 (#418, @Diaphteiros)
• [OPERATOR] Upgrade Gardener extension provider-vsphere to v0.6.0 (#418, @Diaphteiros)
• [OPERATOR] Upgrade Gardener extension provider-aws to v1.21.0 (#418, @Diaphteiros)

📰 Noteworthy

• [OPERATOR] Upgrade Gardener to v1.18.1 (#418, @Diaphteiros)

[cert-management]

🏃 Others

• [USER] events are created on reconciliation of certificate objects (gardener/cert-management#66, @MartinWeindel)
• [USER] tuning timeouts to better deal with long dns propagation for some DNS backends (gardener/cert-management#65, @MartinWeindel)

[gardener]

⚠️ Breaking Changes

• [OPERATOR] The gardener-admission-controller configuration API and http endpoints were changed in several aspects: (gardener/gardener#3577, @timebertt)
  • the fields server.https.tls.server{Cert,Key}Path have been removed in favor of server.https.tls.serverCertDir (the cert directory is expected to contain a tls.crt and tls.key file)
  • metrics and health endpoints are now exposed as plain HTTP endpoints on dedicated ports (configurable via server.{healthProbes,metrics}.port
  • the gardener-admission-controller service included in Gardener's helm chart has a new named port (metrics) for exposing the metrics endpoint
  • If you deploy this component/configuration manually, please adapt your usage accordingly. Gardener's helm charts were adapted to the changes.
• [OPERATOR] The .controllers.shootedSeedRegistration field has been removed from the GardenletConfiguration in favor of the newly introduced ManagedSeed controller (configurable via .controllers.managedSeed). Please adapt your Gardenlet Helm chart values and/or example Gardenlet configuration files. (gardener/gardener#3418, @stoyanr)
• [DEVELOPER] Semantics of controllerutils.{EnsureFinalizer,RemoveFinalizer} were changed. Both funcs now use PATCH requests instead of UPDATE and RemoveFinalizer expects an additional client.Reader for reading from the API server. (gardener/gardener#3641, @timebertt)
  • Please use controllerutils.{PatchFinalizers,PatchRemoveFinalizers} preferably were applicable, if your controller is able to tolerate conflict errors tolerated by stale reads.
• [DEVELOPER] The .controllers.shootedSeedRegistration field has been removed from the GardenletConfiguration in favor of the newly introduced ManagedSeed controller (configurable via .controllers.managedSeed). Please run make dev-setup or manually copy example/20-componentconfig-gardenlet.yaml over your old configuration file. (gardener/gardener#3418, @stoyanr)
• [DEPENDENCY] Semantics of controllerutils.{EnsureFinalizer,RemoveFinalizer} were changed. Both funcs now use PATCH requests instead of UPDATE and RemoveFinalizer expects an additional client.Reader for reading from the API server. (gardener/gardener#3641, @timebertt)
  • extensioncontroller.{EnsureFinalizer,DeleteFinalizer} have been removed in favor of the funcs in controllerutils.
  • controllerutils.PatchFinalizers was renamed to PatchAddFinalizers.
• [DEPENDENCY] The mocks for Gardener packages were moved to dedicated folders in the respective package directories, i.e., if there is package foo in ./pkg/path/to/foo then the mock would be in pkg/path/to/foo/mock instead of ./pkg/mock/gardener/path/to/foo. Only the mocks for third-party/vendored packages remain in ./pkg/mock. (gardener/gardener#3640, @rfranzke)
• [DEPENDENCY] The already deprecated packages github.com/gardener/gardener/pkg/version and github.com/gardener/gardener/pkg/version/verflag are now removed. (gardener/gardener#3626, @ialidzhikov)

✨ New Features

• [OPERATOR] It is now configurable for which shoot purposes the BackupEntry deletion grace period applies. An empty list (default) means that it applies for all shoot purposes (as it was earlier). If you want to only select specific purposes then please configure .controllers.backupEntry.deletionGracePeriodShootPurposes[] in the gardenlet's component configuration. (gardener/gardener#3637, @rfranzke)
• [OPERATOR] CoreDNS deployment of shoot clusters can now be automatically restarted during the shoot's maintenance time window. This is used to solve problems with clients stuck to single replica of the deployment and thus overloading it. The feature can be enabled via the ControllerManagerConfiguration under .controllers.shootMaintecance.enableShootCoreAddonRestarter (see example/20-componentconfig-gardener-controller-manager.yaml). (gardener/gardener#3596, @vpnachev)
• [OPERATOR] An additional change detection mechanism for the file download-cloud-config.sh is now used to ensure the file is up-to-date even after VM reboot. (gardener/gardener#3583, @vpnachev)
• [OPERATOR] A new Seed reconciler was added to the Gardener-Controller-Manager. It creates a dedicated namespace per seed in the Garden cluster seed-<seed-name> and copies common secrets from the garden Namespace (labelled with gardener.cloud/role) to the seed namespace. Gardenlets are supposed to read secrets (or namespaced objects in general) from seed dedicated namespaces only in the future. (gardener/gardener#3582, @timuthy)
• [OPERATOR] gardener-admission-controller now exposes several metrics about its webhooks (e.g. controller_runtime_webhook_latency_seconds_bucket, controller_runtime_webhook_requests_in_flight and controller_runtime_webhook_requests_total) (gardener/gardener#3577, @timebertt)
  • The metric gardener_admission_controller_invalid_webhook_requests_total was removed in favor of the newly added metrics.
• [OPERATOR] Seed resources now have a new condition type BackupBucketsReady that is added when the corresponding seed has a backup configuration or related BackupBuckets. Seeds whose BackupBucketsReady condition is status: "False" are considered NotReady and thus are excluded from scheduling during that time. (gardener/gardener#3531, @timuthy)
• [OPERATOR] A new ManagedSeed resource and its corresponding controller have been added and the existing shooted seed registration controller has been reworked to use them. (gardener/gardener#3418, @stoyanr)

🐛 Bug Fixes

• [USER] A potential nil pointer exception in the Shoot validation (leading to 503 responses from gardener-apiserver) when validating PID reservations (e.g., in kubeReserved or systemReserved) has been fixed. (gardener/gardener#3632, @rfranzke)
• [OPERATOR] An issue preventing kube-controller-manager to approve the CSR for kubelet certificate renewal is now fixed. (gardener/gardener#3704, @ialidzhikov)
• [OPERATOR] The istiod deployment in the istio-system namespace now has replicas set to 2 and can be properly scaled by its corresponding VPA. (gardener/gardener#3692, @ialidzhikov)
• [OPERATOR] Added resource requests and limits to the apiserver-proxy-pod-mutator container which should allow the corresponding HPA to properly read CPU metrics from the kube-apiserver when SNI is enabled. (gardener/gardener#3692, @ialidzhikov)
• [OPERATOR] A bug preventing seed deletion to hang due to already deleted CRD etcds.druid.gardener.cloud is now fixed. (gardener/gardener#3689, @vpnachev)
• [OPERATOR] An issue causing gardenlet to fail to remove the finalizer of the Seed Secret (.spec.secretRef) is now fixed. (gardener/gardener#3678, @ialidzhikov)
• [OPERATOR] Fixed nil pointer exception that occurs when there are still extension resources in the Seed, but the Cluster resource has been deleted. (gardener/gardener#3622, @plkokanov)
• [OPERATOR] Fix a bug where cloud-config-downloder systemd service is set to Failed with status start-limit-hit if it is requested to be restarted via the node annotation worker.gardener.cloud/restart-systemd-services. (gardener/gardener#3593, @vpnachev)
• [OPERATOR] Fixed an issue with enabling KonnectivtyTunnel via annotation (alpha.featuregates.shoot.gardener.cloud/konnectivity-tunnel: "false") on APIServerSNI-enabled Seed cluster causing the tunnel to not be opened. (gardener/gardener#3586, @mvladev)
• [OPERATOR] An issue causing gardener-controller-manager to not be able to delete a Plant when the Plant Secret is not found is now fixed. (gardener/gardener#3584, @ialidzhikov)
• [OPERATOR] gardener-controller-manager now waits for a project's namespace to be empty before continuing with releasing the namespace and deleting the project. (gardener/gardener#3578, @timebertt)

🏃 Others

• [USER] The external DNS record for the kubernetes API server is now deleted after the kubernetes API server. This is useful for shoot cluster owners that need to clean some kubernetes resources that can cause the shoot cluster deletion to stuck. (gardener/gardener#3576, @vpnachev)
• [OPERATOR] VPA minAllowed configuration for metrics-server. (gardener/gardener#3695, @vpnachev)
• [OPERATOR] A new error code for retryable configuration problems (for example misconfigured PodDisruptoinBudget that does not allow voluntary Pod evictions) is now added. (gardener/gardener#3665, @danielfoehrKn)
• [OPERATOR] istiod is now scaled automatically by VerticalPodAutoscaler instead of HorizontalPodAutoscaler. This fixes OOMKilled issues on big Seed clusters. (gardener/gardener#3613, @mvladev)
• [OPERATOR] Gardener now deploys the Cluster-Autoscaler earlier during the shoot creation which enables self healing for creation failures due to over-provisioned small machines. (gardener/gardener#3612, @timuthy)
• [OPERATOR] Node exporter provides the metric node_uname_info (gardener/gardener#3587, @dschmo)
• [OPERATOR] gardener-admission-controller's webhooks now also accept reviews in version admission/v1. Also, webhook timeouts have been lowered to 10s. (gardener/gardener#3577, @timebertt)
• [OPERATOR] Use PATCH to update the extensions' state and relevant resource data to the ShootState. (gardener/gardener#3550, @plkokanov)

📰 Noteworthy

• [USER] When a shoot is erroring with ERR_INFRA_INSUFFICIENT_PRIVILEGES, ERR_INFRA_QUOTA_EXCEEDED or ERR_INFRA_DEPENDENCIES then it is now immediately set to the Failed status (this already happens also for ERR_INFRA_UNAUTHORIZED or ERR_CONFIGURATION_PROBLEM). This prevents Gardener from automatically retrying the operation. If you are hit by it, please manually retry the operation once you have resolved the issue. (gardener/gardener#3669, @rfranzke)
• [USER] When a shoot is erroring with ERR_INFRA_INSUFFICIENT_PRIVILEGES, ERR_INFRA_QUOTA_EXCEEDED or ERR_INFRA_DEPENDENCIES then it is now immediately set to the Failed status (this already happens also for ERR_INFRA_UNAUTHORIZED or ERR_CONFIGURATION_PROBLEM). This prevents Gardener from automatically retrying the operation. If you are hit by it, please manually retry the operation once you have resolved the issue. (gardener/gardener#3662, @rfranzke)
• [OPERATOR] Starting with Gardener v1.18, the shoot.gardener.cloud/use-as-seed annotation is deprecated. The new ManagedSeed resource should be used instead to register shoots as seeds. (gardener/gardener#3579, @stoyanr)
• [DEPENDENCY] In the generic worker actuator's migration flow, the MCM finalizer of the secret that is referenced by the Worker is not removed. We have now added functionality that checks that secret and removes only the MCM finalizers if necessary. (gardener/gardener#3560, @kris94)
• [DEPENDENCY] The Terraformer interface has now a new function RemoveTerraformerFinalizerFromConfig which will remove the "terraformer" finalizer from the Secret/ConfigMap resources. (gardener/gardener#3556, @kris94)

[gardener-extension-networking-calico]

🏃 Others

• [OPERATOR] Calico is configured to use IP_AUTODETECTION_METHOD=cidr=cidrRange with the nodeCidr as cidrRange to prevent the using the wrong interface on the node. (gardener/gardener-extension-networking-calico#72, @DockToFuture)
• [OPERATOR] Add security context to install-cni container (gardener/gardener-extension-networking-calico#68, @DockToFuture)
• [OPERATOR] Vendor to gardener v1.16.0 and update controller runtime to v0.7.1 (gardener/gardener-extension-networking-calico#67, @DockToFuture)

[gardener-extension-provider-aws]

✨ New Features

• [OPERATOR] It is now possible to specify the leader election resource lock via the command line flag --leader-election-resource-lock (defaults to configmapsleases) and the chart value leaderElection.resourceLock. Please be careful when changing the resource lock and always migrate via multilocks in order to prevent situations where multiple instances of the controller are running with leader election and thus acting on the same resources. (gardener/gardener-extension-provider-aws#263, @timebertt)

🐛 Bug Fixes

• [USER] The following images are updated (see CHANGELOG for more details): (gardener/gardener-extension-provider-aws#278, @ialidzhikov)
  • quay.io/k8scsi/csi-snapshotter: v2.1.3 -> v2.1.4
  • quay.io/k8scsi/snapshot-controller: v2.1.3 -> v2.1.4
• [OPERATOR] The Pods of the mtu-customizer DaemonSet now use the same PriorityClass like provider-aws Pods, to ensure the Pods are always scheduled on all Nodes. (gardener/gardener-extension-provider-aws#286, @timebertt)
• [OPERATOR] Allow deletion of machine whose providerID is empty. (gardener/gardener-extension-provider-aws#274, @gardener-robot-ci-3)
• [OPERATOR] An issue causing the generic Worker actuator to not wait until the finalizer of the out-of-tree machine controller provider is removed from the credentials secret is now fixed. (gardener/gardener-extension-provider-aws#269, @ialidzhikov)

🏃 Others

• [USER] The following image is updated: (gardener/gardener-extension-provider-aws#292, @ialidzhikov)
  • k8s.gcr.io/provider-aws/aws-ebs-csi-driver: v0.8.0 -> v0.9.0 (see CHANGELOG)
• [USER] The load balancers and security groups are no longer explicitly deleted by the AWS provider extension when a shoot cluster of at least Kubernetes v1.16 is being deleted. Instead, it now relies on the service-controller in the cloud-controller-manager to properly clean up. (gardener/gardener-extension-provider-aws#290, @rfranzke)
• [OPERATOR] The cloud-controller-manager VPA does now specify minAllowed values to prevent too low resource recommendations from VPA that lead to OOM. (gardener/gardener-extension-provider-aws#288, @MartinWeindel)
• [OPERATOR] An issue causing Shoots to be marked as Failed (and no longer retried) on transient not found error is now fixed. (gardener/gardener-extension-provider-aws#273, @prashanth26)

📰 Noteworthy

• [OPERATOR] The validator/admission component's Helm chart is now deploying a VerticalPodAutoscaler resource by default. If undesired or no VPA is available in the garden cluster then it can be turned of via .Values.global.vpa.enabled=false. (gardener/gardener-extension-provider-aws#271, @rfranzke)

[gardener-extension-provider-vsphere]

⚠️ Breaking Changes

• [OPERATOR] The ValidatingWebhookConfiguration of the vpshere admission controller has been changed from version v1beta1 to v1. Please make sure to deploy the admission controller only to clusters with a Kubernetes version >= 1.16 (gardener/gardener-extension-provider-vsphere#123, @timuthy)

🏃 Others

• [OPERATOR] The cloud-controller-manager VPA does now specify minAllowed values to prevent too low resource recommendations from VPA that lead to OOM. (gardener/gardener-extension-provider-vsphere#132, @ialidzhikov)
• [OPERATOR] Added a command line option --version to show version (gardener/gardener-extension-provider-vsphere#130, @MartinWeindel)
• [OPERATOR] Cloud provider config for the cloud controller manager is now stored in a Secret instead of a ConfigMap. (gardener/gardener-extension-provider-vsphere#124, @MartinWeindel)
• [DEVELOPER] Vendor gardener/gardener@570ae178874b. (gardener/gardener-extension-provider-vsphere#121, @vpnachev)

📰 Noteworthy

• [OPERATOR] The validator/admission component's Helm chart is now deploying a VerticalPodAutoscaler resource by default. If undesired or no VPA is available in the garden cluster then it can be turned of via .Values.global.vpa.enabled=false. (gardener/gardener-extension-provider-vsphere#126, @rfranzke)

[gardener-extension-shoot-cert-service]

🏃 Others

• [OPERATOR] add controlplane role for cert-manager-controller (gardener/gardener-extension-shoot-cert-service#63, @MartinWeindel)
• [OPERATOR] add monitoring scraping and Grafana dashboard (gardener/gardener-extension-shoot-cert-service#56, @MartinWeindel)

[gardener-resource-manager]

⚠️ Breaking Changes

• [OPERATOR] Gardener-Resource-Manager now needs permission to get, create, update and watch Lease objects named gardener-resource-manager in order to perform leader election. For a reference, please have a look at the pre-delivered Helm chart in charts/gardener-resource-manager. (gardener-attic/gardener-resource-manager#105, @timuthy)

✨ New Features

• [OPERATOR] Gardener-Resource-Manager now adds latest warning events to a ManagedResource's .status.conditions in case a Kubernetes Service cannot be deleted. This allows to get more context about the underlying problem e.g., when Cloud-Controller-Manager cannot delete the backing load balancer. (gardener-attic/gardener-resource-manager#106, @timuthy)
• [OPERATOR] If a ManagedResource refers to a Service object of type LoadBalancer, the Gardener Resource Manager now regularly checks if the Service has an Ingress status and contributes the result of this check to the ResourcesHealthy condition. (gardener-attic/gardener-resource-manager#106, @timuthy)
• [OPERATOR] With this release for all objects managed by a ManagedResource an annotation resources.gardener.cloud/origin is set describing the ManagedResource that caused this object to be created. The format of the origin annotation is [cluster id:]namespace/object-name. For multi-cluster scenarios the GRM can be started with a --cluster-id options to enable the extended annotation format (see https://github.com/gardener/gardener-resource-manager/blob/master/docs/concepts/managed-resource.md for further details). (gardener-attic/gardener-resource-manager#89, @mandelsoft)

🐛 Bug Fixes

• [OPERATOR] A problem with long running ManagedResource reconciliations caused by unavailable APIServices was fixed. (gardener-attic/gardener-resource-manager#112, @timebertt)
• [OPERATOR] The client QPS and burst settings do now also apply for the uncached client. (gardener-attic/gardener-resource-manager#111, @rfranzke)
• [OPERATOR] The .spec.loadBalancerIP value for Services is now preserved. (gardener-attic/gardener-resource-manager#108, @deitch)

🏃 Others

• [OPERATOR] The CheckDaemonSet function does now lead to more accurate results. (gardener-attic/gardener-resource-manager#103, @rfranzke)

📰 Noteworthy

• [OPERATOR] The controller reconciliations are now limited to 1m. (gardener-attic/gardener-resource-manager#102, @rfranzke)
• [DEVELOPER] Go dependencies have been updated to: (gardener-attic/gardener-resource-manager#105, @timuthy)
  • github.com/gardener/gardener v1.16.0
  • sigs.k8s.io/controller-runtime v0.7.1
  • k8s.io/* v0.19.6

[machine-controller-manager]

⚠️ Breaking Changes

• [DEVELOPER] machine-controller-manager now checks for misconfigured PodDisruptionBudgets (ones that require zero voluntary evictions and make impossible the graceful Node drain) and sets better Machine .status.lastOperation.description for such Machines. This change is breaking as out-of-tree providers need new RBAC permissions - list and watch access for PodDisruptionBudgets in the target cluster. (gardener/machine-controller-manager#591, @ialidzhikov)

🏃 Others

• [OPERATOR] Avoid the deletion of the machines in CrashLoopBackoff state by the safety controller (gardener/machine-controller-manager#589, @AxiomSamarth)

[machine-controller-manager-provider-aws]

🏃 Others

• [USER] Validation for block devices is now improved (gardener/machine-controller-manager-provider-aws#21, @prashanth26)

📰 Noteworthy

• [USER] Fixes regressions while supporting multiple volumes support for EC2 instances (gardener/machine-controller-manager-provider-aws#21, @prashanth26)

[machine-controller-manager-provider-vsphere]

🏃 Others

• [OPERATOR] updated machine-controller-manager dependency to v0.37.0 (gardener/machine-controller-manager-provider-vsphere#10, @MartinWeindel)

[terraformer]

🐛 Bug Fixes

• [OPERATOR] A bug was fixed that caused terraform to leak its finalizer on ConfigMaps and Secrets in case of an interrupt during terraform destroy. (gardener/terraformer#71, @timebertt)
• [OPERATOR] A bug was fixed that caused terraform to leak its finalizer on ConfigMaps and Secrets in case of an interrupt during terraform destroy. (gardener/terraformer#72, @timebertt)

🏃 Others

• [OPERATOR] The Terraformer now instantly removes its finalizer from the state ConfigMap if the state is empty and destroy is called. A separate Terraform destroy is not executed. (gardener/terraformer#80, @timuthy)
• [OPERATOR] Terraformer will now publish an additional image without any pre-installed terraform plugins. (gardener/terraformer#77, @Diaphteiros)
• [OPERATOR] Provides support for the Equinix Metal provider, which replaces the Packet one (gardener/terraformer#73, @deitch)
• [OPERATOR] The terraformer-openstack use now the openstack provider in version v1.37.0 (gardener/terraformer#70, @kon-angelo)
• [OPERATOR] The terraformer-openstack use now the openstack provider in version v1.36.0 (gardener/terraformer#68, @dkistner)

📰 Noteworthy

• [OPERATOR] Curl has been removed from the Terraformer image. (gardener/terraformer#69, @timuthy)