0.30.0

gardener-robot-ci-3 released this 25 Sep 11:38

[gardener]

Action Required

  • [USER] As the Kubernetes community is in the process of deprecating basic authentication for the kube-apiserver, newly created 1.16 shoot clusters no longer enable it by default. Similarly, the default authentication mode for the kubernetes-dashboard addon is token instead of basic. You can still enable basic authentication manually, but you should consider migrating away from it. We will drop basic authentication support in a future release when Kubernetes doesn't support it anymore. (#1443, @rfranzke)
  • [USER] The subdomain for the user monitoring has changed from g-users to gu. (#1417, @wyb1)
  • [OPERATOR] In order to support Kubernetes 1.16 you must use at least v0.13.0 of the provider extension controllers. (#1443, @rfranzke)
  • [OPERATOR] The old garden.sapcloud.io/v1beta1.BackupInfrastructure resources are deprecated and will be removed in the next release. The core.gardener.cloud/v1alpha1.BackupBucket and core.gardener.cloud/v1alpha1 are the replacement. (#1427, @swapnilgm)
  • [OPERATOR] The subdomain for the operator monitoring has changed from g-operators to go. (#1417, @wyb1)
  • [OPERATOR] The false positive KubeEtcdFullBackupFailed alert has been fixed. This requires at least version 0.12.0 of the gardener-extensions (containing 0.7.3 of etcd-backup-restore). (#1381, @wyb1)

Most notable changes

  • [USER] Gardener now supports shoot clusters with Kubernetes version 1.16. You should review the Kubernetes release notes before upgrading to 1.16. (#1443, @rfranzke)
  • [USER] The CoreDNS version for all shoots has been upgraded from 1.4.0 to 1.6.3. (#1443, @rfranzke)
  • [USER] The deprecated .spec.backup section in the garden.sapcloud.io/v1beta1.Shoot resource has been removed. (#1430, @rfranzke)
  • [USER] It is now possible to specify a CA certificate bundle per worker pool. Gardener will automatically install the CA certificates on every worker node of this pool. (#1430, @rfranzke)
  • [USER] Gardener now features a new Shoot resource which is part of the core.gardener.cloud/v1alpha1 API group. It is fully forwards and backwards compatible with the old Shoot resource in the garden.sapcloud.io/v1beta1 API group. It will be the new default, and the old garden.sapcloud.io/v1beta1.Shoot resource is now deprecated and will be removed in a future version. Consider switching to the new core.gardener.cloud/v1alpha1.Shoot resource. The example directory contains proper example manifests. (#1430, @rfranzke)
  • [USER] Gardener now features a new CloudProfile resource which is part of the core.gardener.cloud/v1alpha1 API group. It is fully forwards and backwards compatible with the old CloudProfile resource in the garden.sapcloud.io/v1beta1 API group. It will be the new default, and the old garden.sapcloud.io/v1beta1.CloudProfile resource is now deprecated and will be removed in a future version. Consider switching to the new core.gardener.cloud/v1alpha1.CloudProfile resource. The example directory contains proper example manifests. (#1403, @rfranzke)
  • [USER] Cluster Autoscaler now balances similar worker-groups while scaling up. Similar worker-groups are defined as those having nodes with the same resource capacities and exactly the same labels. Refer to the doc for more info. (#1401, @hardikdr)
  • [USER] The new OpenIDConnectPreset resource allows for specifying OpenID Connect configurations which are applied to Shoots namespace-wide. (#1394, @mvladev)
  • [USER] A new optional field, spec.kubernetes.kubeAPIServer.oidcConfig.clientAuthentication, has been added to the Shoot specification. It can specify OpenID Connect settings used for kubeconfig generation. (#1394, @mvladev)
  • [OPERATOR] It is now possible to configure which domains shall be included or excluded for DNS providers. If you are using a custom domain for your shoot then you can use .spec.dns.includeDomains, .spec.dns.excludeDomains. (#1430, @rfranzke)
  • [OPERATOR] The BackupInfrastructure resources orphaned after reconciliation of shoots using Gardener 0.29+ are now deleted. (#1427, @swapnilgm)
    • ⚠️ For hibernated clusters, this now guarantees that only the latest snapshot will be present in the shared bucket. It doesn't migrate the old snapshots and hence breaks the policy of the configured deletion grace period. If you want to keep the old data, you need to download it manually from the buckets before upgrading to this Gardener version.
  • [OPERATOR] The new ClusterOpenIDConnectPreset resource allows for specifying OpenID Connect configurations which are applied to Projects and Shoots cluster-wide. (#1394, @mvladev)
  • [OPERATOR] Two new mutation admission controllers are introduced: ClusterOpenIDConnectPreset and OpenIDConnectPreset. Those controllers are enabled by default and can be disabled with the --disable-admission-plugins flag on gardener-apiserver. (#1394, @mvladev)
  • [OPERATOR] The client configuration for the Kubernetes clients for the garden cluster, seed clusters, and shoot clusters has been separated. You can configure them individually in the gardener-controller-manager's componentconfig. (ddfdc74)
  • [OPERATOR] The memory limits for the kube-controller-manager have been significantly increased. Also, the kube-apiserver CPU and memory requests and limits have been increased for shooted seeds. The same happened for the nginx-ingress-controller. (5d5a890)
  • [DEVELOPER] The gardener-scheduler is now working only with core.gardener.cloud/v1alpha1 instead of garden.sapcloud.io/v1beta1 resources. (#1435, @rfranzke)
  • [DEVELOPER] The garden.sapcloud.io.CIDR and garden.sapcloud.io/v1beta1.CIDR types have been replaced with the string type. (#1430, @rfranzke)
  • [DEVELOPER] The .spec.kubernetes.kubeAPIServer.admissionPlugins[].config type has been changed from *string to *ProviderConfig (which effectively is a *runtime.RawExtension). (#1430, @rfranzke)
  • [DEVELOPER] ./hack/dev-setup-register-gardener must be run to register the new settings.gardener.cloud API group. (#1394, @mvladev)

Improvements

  • [USER] Users can now use an Alertmanager if they configured their shoot to receive alerts. (#1417, @wyb1)
  • [OPERATOR] Increase shoot prometheus retention to 30d. Retention is guaranteed if prometheus exceeds 15GB of storage. (#1444, @wyb1)
  • [OPERATOR] Vertical pod autoscaling can be enabled for the gardener-apiserver, gardener-controller-manager and gardener-scheduler. To enable VPA for each component, global.apiserver.vpa, global.controller.vpa and global.scheduler.vpa must be set to true respectively. (#1440, @wyb1)
  • [OPERATOR] Fix bug in maintenance-controller not respecting spec.maintenance.autoUpdate.kubernetesVersion: false in the Shoot when the Kubernetes version does not exist in the CloudProfile. (#1423, @danielfoehrKn)
  • [OPERATOR] The volume plugin directory on the kubelet is now statically configured to /var/lib/kubelet/volumeplugins. This is to support Calico versions >= 3.8 on CoreOS, which does not have write access to the default volume-plugin-dir. (#1414, @zanetworker)
  • [OPERATOR] Prometheus image is upgraded to 2.12.0 (#1410, @wyb1)
  • [OPERATOR] Upgraded monitoring images. Some metrics have changed or were removed. (#1406, @wyb1)
  • [OPERATOR] Operators can now access all aggregate monitoring components using one set of basic auth credentials. The basic auth credentials are stored in the garden cluster in the secret garden/seed-monitoring-ingress-credentials. (#1405, @wyb1)
  • [OPERATOR] A bug that prevented managed resources from getting properly labeled has been fixed. (ea72650)
  • [OPERATOR] The admission plugins inside the gardener-apiserver now also react for resources migrated to the new core.gardener.cloud/v1alpha1 API. (9b73a90)
  • [OPERATOR] Shooted seeds default backup provider is now correctly set to the shoot provider (instead of the seed provider). (e821852)
  • [OPERATOR] The Seed object for shooted seeds no longer has an owner reference to the respective Shoot because Seed is cluster-scoped while Shoot is namespaced, and according to https://kubernetes.io/docs/concepts/workloads/controllers/garbage-collection/ this is not supported. (0dc122c)
  • [DEVELOPER] Add alert rule for failed etcd restorations. (#1426, @shreyas-s-rao)
  • [DEVELOPER] The golang version has been updated to 1.13. Please upgrade your local go installation to 1.13. (#1425, @ialidzhikov)

[gardener-resource-manager]

Improvements

[terraformer]

Most notable changes

  • [OPERATOR] Provider versions are upgraded: (gardener/terraformer#23, @mvladev)
    • aws 1.60.0 -> 2.26.0
    • google 1.20.0 -> 2.14.0
    • azurerm 1.22.1 -> 1.33.1
    • openstack 1.16.0 -> 1.21.1
    • alicloud 1.31.0 -> 1.55.2
    • packet 1.7.2 -> 2.3.0

Improvements

Docker Images

gardener-apiserver: eu.gcr.io/gardener-project/gardener/apiserver:0.30.0
gardener-controller-manager: eu.gcr.io/gardener-project/gardener/controller-manager:0.30.0
gardener-scheduler: eu.gcr.io/gardener-project/gardener/scheduler:0.30.0