Update k8s packages (minor) #239

Open
renovate[bot] wants to merge 1 commit into main from renovate/k8s-go

renovate bot commented Jan 22, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package: Change
github.com/gardener/gardener: v1.133.5 → v1.136.2
k8s.io/api: v0.34.4 → v0.35.1
k8s.io/apiextensions-apiserver: v0.34.4 → v0.35.1
k8s.io/apimachinery: v0.34.4 → v0.35.1
k8s.io/client-go: v0.34.4 → v0.35.1
k8s.io/code-generator: v0.34.4 → v0.35.1
k8s.io/component-base: v0.34.4 → v0.35.1
sigs.k8s.io/controller-runtime: v0.22.5 → v0.23.1

Release Notes

gardener/gardener (github.com/gardener/gardener)

v1.136.2

[github.com/gardener/gardener:v1.136.2]

🐛 Bug Fixes

  • [OPERATOR] A bug is fixed in the extension scrape configuration in the seed Prometheus, where the scrape address was not correctly configured on IPv4 setups. by @​vicwicker [#​14118]
  • [OPERATOR] Fixed an issue with the maximum batch size that the OpenTelemetry Collector instances can send. by @​rrhubenov [#​14120]
  • [USER] An issue which led to a nil pointer in gardenlet when a Shoot had an empty .spec.addons structure defined is now fixed. by @​timuthy [#​14123]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.136.2
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.136.2
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.136.2
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.136.2

Container (OCI) Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.136.2
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.136.2
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.136.2
  • gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.136.2
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.136.2
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.136.2
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.136.2
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.136.2
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.136.2

v1.136.1

[github.com/gardener/gardener:v1.136.1]

🐛 Bug Fixes

  • [OPERATOR] An issue causing the control-plane migration to get stuck if the source backup entry deployment was retried is now fixed. by @​shafeeqes [#​14097]

🏃 Others

  • [DEPENDENCY] make format target supports sequential run (again) by passing MODE=sequential. by @​LucaBernstein [#​14084]
  • [DEPENDENCY] The following dependencies have been updated:
    • gardener/machine-controller-manager from v0.61.1 to v0.61.2. Release Notes
    • github.com/gardener/machine-controller-manager from v0.61.1 to v0.61.2. by @​ary1992 [#​14095]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.136.1
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.136.1
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.136.1
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.136.1

Container (OCI) Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.136.1
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.136.1
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.136.1
  • gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.136.1
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.136.1
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.136.1
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.136.1
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.136.1
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.136.1

v1.136.0

[github.com/gardener/gardener:v1.136.0]

⚠️ Breaking Changes

  • [OPERATOR] The Garden's .spec.virtualCluster.kubernetes.kubeAPIServer.eventTTL field's valid values range is restricted from [0, 168h] to [0, 24h]. The new range is imposed for new Garden creations and for field value updates. Already existing Gardens which specify invalid values (more than 24h) are not affected. by @​ialidzhikov [#​13830]
  • [OPERATOR] The ManagedSeedSet's .spec.shootTemplate.spec.kubernetes.kubeAPIServer.eventTTL field's valid values range is restricted from [0, 168h] to [0, 24h]. The new range is imposed for new ManagedSeedSet creations and for field value updates. Already existing ManagedSeedSets which specify invalid values (more than 24h) are not affected. by @​ialidzhikov [#​13830]
  • [USER] Shoot addons (.spec.addons) have been deprecated and will be forbidden starting with Kubernetes 1.35. Their usage was already discouraged for productive clusters, as they now only include unmaintained components (Kubernetes dashboard and Ingress NGINX Controller). by @​timuthy [#​13845]
  • [USER] The shoot field .spec.kubernetes.kubeScheduler.kubeMaxPDVols has been deprecated and will be forbidden starting with Kubernetes 1.35. The maximum number of attachable volumes is maintained by the respective CSI plugin. by @​timuthy [#​13845]
  • [USER] The Shoot's .spec.kubernetes.kubeAPIServer.eventTTL field's valid values range is restricted from [0, 168h] to [0, 24h]. The new range is imposed for new Shoot creations and for field value updates. Already existing Shoots which specify invalid values (more than 24h) are not affected. by @​ialidzhikov [#​13830]
  • [USER] Downgrading the machine image version (.spec.provider.workers[].machine.image.version) is not allowed for worker pools using the AutoInPlaceUpdate or ManualInPlaceUpdate strategy, as Gardener does not support machine image downgrades for any operating system currently. For AutoRollingUpdate, the entire node is replaced, so this limitation does not apply. by @​shafeeqes [#​13828]
  • [USER] The shoot field .spec.kubernetes.kubeAPIServer.watchCacheSizes.default has been deprecated and will be forbidden starting with Kubernetes 1.35. Watch cache sizes are automatically sized by Kubernetes. by @​timuthy [#​13845]
  • [USER] Setting .spec.kubernetes.kubeAPIServer.enableAnonymousAuthentication in the Shoot spec is forbidden for clusters with Kubernetes version >= 1.35. Users that enable anonymous authentication should use Structured Authentication with anonymous authenticator instead. by @​dimityrmirchev [#​13707]
  • [DEVELOPER] The healthcheck controller now supports the garden extension class. Health check client interfaces have been renamed from SeedClient/ShootClient to SourceClient/TargetClient for better abstraction across extension classes. The PreCheckFunc method signature has been changed to accept any for cluster or garden object. by @​theoddora [#​13789]

📰 Noteworthy

  • [OPERATOR] New health and readiness checks have been added to vpn-seed-server to improve availability and reduce log clutter. by @​domdom82 [#​13802]
  • [OPERATOR] The Shoot spec has a new field spec.kubernetes.kubeAPIServer.encryptionConfig.provider.type, which currently can only be set to aescbc. by @​AleksandarSavchev [#​13732]
  • [OPERATOR] For Kubernetes virtual clusters >= 1.33, we now deploy both Endpoints and EndpointSlice resources for the APIService connection between virtual-garden-kube-apiserver and gardener-apiserver. by @​acumino [#​14041]
  • [OPERATOR] The Garden spec has 2 new fields spec.virtualCluster.kubernetes.kubeAPIServer.encryptionConfig.provider.type and spec.virtualCluster.gardener.gardenerAPIServer.encryptionConfig.provider.type, which currently can only be set to aescbc. by @​AleksandarSavchev [#​13732]
  • [OPERATOR] The OpenTelemetryCollector feature gate has been promoted to Beta and is enabled by default. by @​rrhubenov [#​13851]
  • [USER] The field .spec.kubernetes.kubeAPIServer.enableAnonymousAuthentication in the Shoot spec will be automatically set to nil if users set it false as these two are equivalent across the codebase. The field is deprecated and users that enable anonymous authentication should migrate to Structured Authentication with anonymous authenticator instead. by @​dimityrmirchev [#​13707]
  • [USER] It is now explicitly supported to use short worker OS image versions in the CloudProfile, which are not defaulted when creating or updating the Shoot spec. by @​Gerrit91 [#​13785]
  • [USER] The shoot deletion flow has been enhanced to tolerate leftover resources in the following situations:
    • Objects that belong to namespaces which have already been deleted (finalized).
    • Objects that were created after the cleanup process began for the first time, plus the finalize grace period. by @​timuthy [#​13918]

✨ New Features

  • [OPERATOR] Gardener now supports pulling Helm charts from OCI registries that use custom or self-signed TLS certificates. This is particularly useful for air-gapped environments or when using private container registries with custom certificate authorities.

    A new caBundleSecretRef field has been added to the ociRepository configuration in the following resources:

    • core.gardener.cloud/v1.ControllerDeployment: .helm.ociRepository.caBundleSecretRef
    • core.gardener.cloud/v1beta1.ControllerDeployment: .helm.ociRepository.caBundleSecretRef
    • operator.gardener.cloud/v1alpha1.Extension: .spec.deployment.{admission.{runtimeCluster,virtualCluster},extension}.helm.ociRepository.caBundleSecretRef

    The field references a secret in the garden namespace containing a PEM-encoded CA certificate bundle (data key: bundle.crt). For gardenlet usage, the secret must be labeled with gardener.cloud/role=oci-ca-bundle. by @​shafeeqes [#​13868]

  • [OPERATOR] The gardener-controller-manager now increases all ResourceQuotas in project namespaces when a Gardener update leads to Gardener creating more resources in them. This was introduced to prevent failing Shoot reconciliations when ResourceQuotas of projects are near their limit. by @​tobschli [#​13850]

  • [OPERATOR] Introduce fluent-bit-plugin v1 with OTLP support behind the OpenTelemetryCollector feature gate and adjust fluent-bit resources to select OTLP. by @​nickytd [#​13961]

  • [OPERATOR] Introduced the Victoria Operator as a component to Seed & Garden Clusters. by @​rrhubenov [#​13708]

  • [OPERATOR] When configuring a custom CNI path for containerd, GNA will now - in addition to checking the version of the config.toml config file - query containerd for its version and use the bin_dirs path with a string array if the config file version is 3 and containerd >= 2.2 is detected. by @​MrBatschner [#​13826]

  • [OPERATOR] An instance of OpenTelemetry Collector is now deployed to the garden namespace of both Garden and Seed clusters. by @​rrhubenov [#​13481]

  • [OPERATOR] Gardener can now support clusters with Kubernetes version 1.35. To allow creation/update of 1.35 clusters you will have to update the version of your provider extension(s) to a version that supports 1.35 as well. Please consult the respective releases and notes in the provider extension's repository. by @​timuthy [#​13845]

  • [USER] The Shoot field .spec.seedSelector can now be adjusted for already scheduled shoots, as long as the new selector still selects the assigned seed. by @​timuthy [#​13920]

  • [DEVELOPER] gardenctl in local setup by @​hown3d [#​13842]

  • [DEVELOPER] Gardener can now support clusters with Kubernetes version 1.35. Extension developers have to prepare individual extensions as well to work with 1.35. by @​timuthy [#​13845]

  • [DEVELOPER] Environment variable MAX_PARALLEL_WORKERS can now be used to control the number of parallel workers that are spawned during the call to the make generate target. by @​rrhubenov [#​13903]

🐛 Bug Fixes

  • [OPERATOR] An issue causing unwanted reconciliations of Secrets and other objects due to cache resyncs in the project activity reconciler is now fixed. by @​shafeeqes [#​13945]
  • [OPERATOR] This PR fixes webhook certificate reconciliation to properly apply changes in webhook configurations. by @​acumino [#​13971]
  • [OPERATOR] Fixes a bug when feature gate UseUnifiedHTTPProxyPort was used in conjunction with a seed load balancer using proxy protocol. by @​maboehm [#​13832]
  • [OPERATOR] Fixes a bug in the UsesUnifiedHTTPProxyPort constraint, when feature gate UseUnifiedHTTPProxyPort was used and then disabled again by @​maboehm [#​13844]
  • [USER] gardener-apiserver: An issue in gardener-apiserver v1.135.0 causing kubectl apply for a Shoot to be wrongly rejected with "spec.dns.providers[0]: Required value: non-primary DNS providers must specify type and credentialsRef" in some cases is now fixed. by @​ialidzhikov [#​13861]
  • [DEVELOPER] Enable MCM (cluster-autoscaler) to scale provider-local Nodes. by @​LucaBernstein [#​13804]

🏃 Others

  • [OPERATOR] Audit policy configmap for the gardener API server referenced in the garden resource is now validated. by @​acumino [#​13478]
  • [OPERATOR] Upon gardenlet start all existing opentelemetry collector pipelines in shoot control planes will be migrated to the expected content. by @​nickytd [#​14054]
  • [OPERATOR] The mutating ShootDNS admission plugin is now also a validating one. Validations which are executed by this admission plugin during the mutation phase are now moved to the validating ShootDNS admission plugin. by @​ialidzhikov [#​13910]
  • [OPERATOR] Add Prometheus health check rule in the cache Prometheus to ensure the presence of kubelet volume stats metrics. by @​vicwicker [#​13855]
  • [OPERATOR] Federate shoot:node_operating_system:sum time series from the garden to the longterm Prometheus. by @​vicwicker [#​13805]
  • [OPERATOR] Fix flaky test for latest MCM release v0.61.x by @​r4mek [#​13916]
  • [OPERATOR] The majority of the VerticalPodAutoscaler resources managed by Gardener are enhanced to define an explicit container policy for all containers that need to be auto-scaled and to have a catch-all container policy (containerName: '*' and mode: Off) always. by @​voelzmo [#​13819]
  • [OPERATOR] The following dependencies have been updated:
  • [OPERATOR] The existing TooManyEtcdSnapshotCompactionJobsFailing alert has been renamed to EtcdSnapshotCompactionJobsFailingForSeed and its expression has been fixed to correctly measure the fraction of namespaces with failures.
    Two new per-namespace alerts (EtcdSnapshotCompactionJobsFailingForNamespace and EtcdFullSnapshotsFailingForNamespace) have been added to help operators identify specific shoot clusters where compaction jobs or full snapshots are failing above the 10% threshold. by @​anveshreddy18 [#​14053]
  • [OPERATOR] Use Kubernetes 1.34.3 in the local setup. by @​vicwicker [#​13855]
  • [USER] Allow NamespacedCloudProfile.spec.limits to be decreased. by @​LucaBernstein [#​13724]
  • [DEVELOPER] The component checklist rule for Define a VerticalPodAutoscaler is enhanced with the convention that a VPA should define an explicit container policy for all containers that need to be auto-scaled and should have a catch-all container policy (containerName: '*' and mode: Off) always. For more details, refer to the Component Checklist. by @​voelzmo [#​13819]
  • [DEVELOPER] The TM tests are now adapted to run against Kubernetes 1.35. by @​ialidzhikov [#​13995]
  • [DEPENDENCY] The following dependencies have been updated:
    • gcr.io/istio-release/pilot from 1.27.5 to 1.27.6.
    • gcr.io/istio-release/proxyv2 from 1.27.5 to 1.27.6.
    • istio.io/api from v1.27.5 to v1.27.6. by @​gardener-ci-robot [#​13986]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.136.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.136.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.136.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.136.0

Container (OCI) Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.136.0
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.136.0
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.136.0
  • gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.136.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.136.0
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.136.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.136.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.136.0
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.136.0

v1.135.3

[github.com/gardener/gardener:v1.135.3]

🐛 Bug Fixes

  • [OPERATOR] A bug is fixed in the extension scrape configuration in the seed Prometheus, where the scrape address was not correctly configured on IPv4 setups. by @​vicwicker [#​14117]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.135.3
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.135.3
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.135.3
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.135.3

Container (OCI) Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.135.3
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.135.3
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.135.3
  • gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.135.3
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.135.3
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.135.3
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.135.3
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.135.3
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.135.3

v1.135.2

[github.com/gardener/gardener:v1.135.2]

🐛 Bug Fixes

  • [OPERATOR] This PR fixes webhook certificate reconciliation to properly apply changes in webhook configurations. by @​acumino [#​13981]
  • [OPERATOR] An issue causing the control-plane migration to get stuck if the source backup entry deployment was retried is now fixed. by @​shafeeqes [#​14096]

🏃 Others

  • [DEPENDENCY] The following dependencies have been updated:

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.135.2
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.135.2
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.135.2
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.135.2

Container (OCI) Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.135.2
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.135.2
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.135.2
  • gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.135.2
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.135.2
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.135.2
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.135.2
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.135.2
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.135.2

v1.135.1

[github.com/gardener/gardener:v1.135.1]

🐛 Bug Fixes

  • [USER] gardener-apiserver: An issue in gardener-apiserver v1.135.0 causing kubectl apply for a Shoot to be wrongly rejected with "spec.dns.providers[0]: Required value: non-primary DNS providers must specify type and credentialsRef" in some cases is now fixed. by @​ialidzhikov [#​13921]

🏃 Others

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.135.1
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.135.1
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.135.1
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.135.1

Container (OCI) Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.135.1
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.135.1
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.135.1
  • gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.135.1
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.135.1
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.135.1
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.135.1
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.135.1
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.135.1

v1.135.0

[github.com/gardener/gardener:v1.135.0]

⚠️ Breaking Changes

  • [OPERATOR] Internal dns configuration for seeds .spec.dns.internal is now required. Make sure to set this field in your templates before upgrading Gardener to the current version. by @​dimityrmirchev [#​13529]
  • [OPERATOR] gardener-resource-manager now enforces the desired OwnerReferences for objects it manages. Previously, it set OwnerReferences only when creating objects and did not update them afterwards. by @​oliver-goetz [#​13606]
  • [USER] ⚠️ The Seed API field spec.dns.provider.secretRef has been deprecated in favor of spec.dns.provider.credentialsRef. The secretRef field will be removed in Gardener version >= v1.139.0, until then - please consider migrating to the new credentialsRef field.
    • :info: Gardener takes care to keep both fields in sync when the configured credentials is of type Secret. by @​vpnachev [#​13680]
  • [USER] ⚠️ The Shoot API field spec.dns.providers.secretName has been deprecated in favor of spec.dns.providers.credentialsRef. The secretName field will be disallowed to be used by shoots running on Kubernetes 1.35 or newer, until then - please consider migrating to the new credentialsRef field.
    • Gardener API server takes care to keep both fields in sync when Secret is the type of the configured credentials. by @​vpnachev [#​13552]
  • [DEVELOPER] Change the registry port in the local setup to :5001. by @​LucaBernstein [#​13661]
  • [DEVELOPER] The extension-class flag has been renamed to extension-classes to support multiple extension classes per controller deployment. If the extension depends on cmd.ReconcilerOptions, the renaming will automatically take effect. Please adjust your deployment manifest to reflect this change. by @​timuthy [#​13718]
  • [DEVELOPER] The SecretData field has been removed from the github.com/gardener/gardener/pkg/component/extensions/dnsrecord.Values struct, use github.com/gardener/gardener/pkg/component/extensions/dnsrecord.CredentialsDeployFunc instead to deploy secret data into a secret. by @​vpnachev [#​13720]
  • [DEVELOPER] The function github.com/gardener/gardener/pkg/utils/gardener.GenerateDNSProviderName has been removed. by @​vpnachev [#​13552]
  • [DEVELOPER] github.com/gardener/gardener/pkg/apis/core/v1beta1/helper.ShootDNSProviderSecretNamesEqual has been removed, use github.com/gardener/gardener/pkg/apis/core/v1beta1/helper.ShootDNSProviderCredentialsRefsEqual instead. by @​vpnachev [#​13552]
  • [DEVELOPER] The SecretData field of the github.com/gardener/gardener/pkg/utils/gardener.Domain struct has been replaced with Credentials field of type sigs.k8s.io/controller-runtime/pkg/client.Object. by @​vpnachev [#​13720]
  • [DEPENDENCY] The naming logic for automatically generated webhooks has changed. If the extension name passed to extensionscmdwebhook.NewAddToManagerOptions starts with gardener-, the extension's webhook names are no longer prefixed with gardener-extension-. by @​timuthy [#​13786]
  • [DEPENDENCY] The signature of the github.com/gardener/gardener/extensions/pkg/webhook/cmd.NewAddToManagerOptions function has been changed. It now accepts a new github.com/gardener/gardener/extensions/pkg/controller/cmd.GeneralOptions parameter at 4th position. by @​timuthy [#​13786]
  • [DEPENDENCY] The signature of the github.com/gardener/gardener/pkg/utils/secrets/manager.New function has been changed. The namespace parameter was previously the 5th parameter passed to the function. Instead, the function now accepts namespaces as a variadic parameter. by @​rfranzke [#​13575]

📰 Noteworthy

  • [OPERATOR] Adapted the policy in the Kubernetes version support process to retain only the latest 4 minor versions, improving security by dropping older, unpatched versions. Additionally, a minimum period of 14 months has been added, during which Gardener will maintain support for any given Kubernetes version before removing it again. by @​marc1404 [#​13471]
  • [USER] The order of entries in the NamespacedCloudProfile.Status.CloudProfileSpec is now the same as in the parent CloudProfile.Spec. by @​LucaBernstein [#​13772]
  • [DEVELOPER] The function github.com/gardener/gardener/pkg/utils/kubernetes.GetCredentialsByObjectReference has been changed to accept client.Reader instead of client.Client. by @​vpnachev [#​13552]
  • [DEVELOPER] The script hack/vgopath-setup.sh and hack/tools.mk entry for $(VGOPATH) are deprecated and will be removed after gardener/gardener@v1.142 has been released. It is recommended that consumers stop using them from the gardener/gardener repository. by @​LucaBernstein [#​13556]
  • [DEVELOPER] Source code changes that break various aspects of the monitoring stack in ways that were previously unnoticed are now detected during pull request validation. by @​vicwicker [#​13341]
  • [DEVELOPER] The generic actuator of the control plane now wraps seed-related charts into ManagedResources. Any imperative logic in your provider extension that does not consider management through the gardener-resource-manager can potentially be cleaned up. by @​kon-angelo [#​13585]
  • [DEVELOPER] The usages of VGOPATH have been removed. by @​LucaBernstein [#​13556]
  • [DEVELOPER] A new rule was added to the Component Checklist - Drop unutilised capabilities. Additionally, the Do not run containers as root rule was extended. For more details, check the Component Checklist. by @​mstueer [#​13204]
  • [DEPENDENCY] CredentialsBindings can now reference core.gardener.cloud/v1beta1.InternalSecret resources. Provider extensions should start validating them similar to references for v1.Secret resources. by @​rfranzke [#​13759]

✨ New Features

  • [OPERATOR] A new VPNBondingModeRoundRobin feature gate is introduced for gardenlet. When enabled, HA VPN uses round-robin bonding mode to increase availability under network degradation. by @​domdom82 [#​13649]
  • [OPERATOR] gardenlet can now propagate static manifests stored in the seed cluster's garden namespace to all shoot namespaces. Read all about it here. by @​rfranzke [#​13614]
  • [OPERATOR] Support replacement of individual assets for the gardener dashboard (gardener/dashboard#2687) by @​grolu [#​13640]
  • [OPERATOR] Extend gardener-operator and gardenlet care controllers to query the Prometheus instances for health checks of the monitoring components. If the new health checks fail, they are reflected in the status condition of the Shoot, Seed or Garden resources. These health checks are introduced behind a feature gate PrometheusHealthChecks that is disabled by default. by @​vicwicker [#​13341]
  • [OPERATOR] It is now possible to configure custom namespaces in the virtual cluster that the virtual-garden-gardener-resource-manager should handle. Use .spec.virtualCluster.gardener.gardenerResourceManager.additionalTargetNamespaces in Garden resource. by @​rfranzke [#​13761]
  • [OPERATOR] WorkloadIdentity credentials are now allowed to be used for Shoot DNS domains, Seed ingress, default and internal DNS domains. by @​vpnachev [#​13720]
  • [OPERATOR] Add new Plutono dashboard for monitoring VPA Updater operations across Shoot, Seed and Garden clusters. by @​vitanovs [#​13477]
  • [USER] Rotation for the ssh keypair for worker nodes, observability passwords and etcd encryption key can now be done in the maintenance window via the .spec.maintenance.autoRotation.credentials field of a Shoot. by @​AleksandarSavchev [#​13493]
  • [USER] A new Seed API field credentialsRef has been introduced in spec.dns.provider structure. It is designed to support diverse types of credentials, as of now v1.Secrets and security.gardener.cloud/v1alpha1.WorkloadIdentity are allowed, but only Secrets are supported. by @​vpnachev [#​13680]
  • [USER] You can now specify nftables as proxy mode implementation of kube-proxy in the Shoot spec like so if your Kubernetes version is >= 1.31: .spec.kubernetes.kubeProxy.mode=NFTables, please consult https://kubernetes.io/blog/2025/02/28/nftables-kube-proxy/ for all glory details. by @​majst01 [#​13558]
  • [USER] A new optional Shoot API field credentialsRef has been introduced in spec.dns.providers structure. It is designed to support diverse types of credentials. As of now only v1.Secrets are supported. by @​vpnachev [#​13552]
  • [USER] The Shoot resource does now support configuring the vpa-recommender concurrent workers to update VerticalPodAutoscalers and VerticalPodAutoscalerCheckpoints via the new .spec.kubernetes.verticalPodAutoscaler.recommenderUpdateWorkerCount field. by @​voelzmo [#​13591]
  • [DEVELOPER] Shoots and Seeds are now allowed to reference WorkloadIdentity resources via their respective field spec.resources, extensions can leverage this mechanism in order to use workload identity credentials for authentication with external services supporting trust based authentication. by @​vpnachev [#​13469]
  • [DEVELOPER] CredentialsBindings can now reference core.gardener.cloud/v1beta1.InternalSecret resources. This can be beneficial if shoot credentials are not managed directly by end-users but by the service provider/Gardener operators. by @​rfranzke [#​13759]
  • [DEVELOPER] It is now possible to create a SecretsManager based on a Garden resource. Extensions can, for instance, manage certificates for webhooks in the garden runtime cluster while leveraging Gardener's certificate automation features (such as CA rotation, renewal, etc.). by @​timuthy [#​13662]
  • [DEPENDENCY] The certificate library for extension webhooks now supports skipping the component name prefixing with gardener-extension when DoNotPrefixComponentName is set to true. by @​rfranzke [#​13765]
  • [DEPENDENCY] extensionscmdcontroller.GeneralOptions can now be shared between controllers and webhooks. It contains general deployment information that is relevant to both. by @​timuthy [#​13786]

🐛 Bug Fixes

  • [OPERATOR] Refactor the collector journald receiver to capture kernel logs via a more stable method. by @​rrhubenov [#​13664]
  • [OPERATOR] An issue causing credentials rotation for the Garden resource to fail is now fixed. by @​ialidzhikov [#​13735]
  • [OPERATOR] A bug has been fixed which could lead to pending ManagedResources in the shoot's control plane namespace (effectively, blocking Shoot deletion). by @​rfranzke [#​13858]
  • [OPERATOR] A bug has been fixed which was preventing removing image vector overwrite configurations from gardenlets deployed via seedmanagement.gardener.cloud/v1alpha1.Gardenlet resources (even though .spec.deployment.{imageVectorOverwrite,componentImageVectorOverwrite} was removed). by @​rfranzke [#​13646]
  • [OPERATOR] The token requestor will check the UID of a referenced ServiceAccount and request a new token before the former one issued for a different UID expired. by @​LucaBernstein [#​13630]
  • [USER] A bug has been fixed which was causing invalid high-availability configuration for system components in case a Shoot was configured with a worker pool with maximum=0. by @​rfranzke [#​13873]
  • [USER] Project admins are allowed to set ownerReference with kind: Shoot and blockOwnerDeletion: true for Secrets/ConfigMaps when the OwnerReferencesPermissionEnforcement admission plugin is enabled for the virtual kube-apiserver. by @​ialidzhikov [#​13743]
  • [USER] Fix a bug that prevents updating expiration dates of overridden machine image versions in NamespacedCloudProfiles. by @​LucaBernstein [#​13754]
  • [USER] Fixed an issue where the Manual Worker Pool Rollout feature worked only when there is only one machine deployment per worker. by @​rrhubenov [#​13670]
  • [USER] A bug causing Shoot

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Upgrade dependencies and tools label Jan 22, 2026

renovate bot commented Jan 22, 2026

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 37 additional dependencies were updated
  • The go directive was updated for compatibility reasons

Details:

Package Change
go 1.24.5 -> 1.25.6
istio.io/api v1.27.3 -> v1.27.6
github.com/coreos/go-systemd/v22 v22.6.0 -> v22.7.0
github.com/cyphar/filepath-securejoin v0.6.0 -> v0.6.1
github.com/gardener/etcd-druid/api v0.33.0 -> v0.35.0
github.com/gardener/machine-controller-manager v0.60.2 -> v0.61.2
github.com/go-openapi/swag v0.23.1 -> v0.25.1
github.com/goccy/go-yaml v1.18.0 -> v1.19.2
github.com/google/cel-go v0.26.0 -> v0.26.1
github.com/grpc-ecosystem/grpc-gateway/v2 v2.27.2 -> v2.27.3
github.com/open-telemetry/opentelemetry-operator v0.139.0 -> v0.143.0
github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.87.0 -> v0.89.0
github.com/prometheus/common v0.67.4 -> v0.67.5
github.com/prometheus/otlptranslator v0.0.2 -> v1.0.0
github.com/prometheus/procfs v0.17.0 -> v0.19.2
github.com/stoewer/go-strcase v1.3.0 -> v1.3.1
go.opentelemetry.io/collector/featuregate v1.37.0 -> v1.45.0
go.opentelemetry.io/otel v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/exporters/prometheus v0.60.0 -> v0.61.0
go.opentelemetry.io/otel/metric v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/sdk v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/sdk/metric v1.38.0 -> v1.39.0
go.opentelemetry.io/otel/trace v1.38.0 -> v1.39.0
go.opentelemetry.io/proto/otlp v1.7.1 -> v1.9.0
golang.org/x/exp v0.0.0-20251113190631-e25ba8c21ef6 -> v0.0.0-20260112195511-716be5621a96
golang.org/x/oauth2 v0.32.0 -> v0.34.0
google.golang.org/genproto/googleapis/api v0.0.0-20250825161204-c5933d9347a5 -> v0.0.0-20251202230838-ff82c1b0f217
google.golang.org/genproto/googleapis/rpc v0.0.0-20251022142026-3a174f9686a8 -> v0.0.0-20251202230838-ff82c1b0f217
google.golang.org/grpc v1.76.0 -> v1.77.0
google.golang.org/protobuf v1.36.10 -> v1.36.11
helm.sh/helm/v3 v3.19.2 -> v3.19.5
k8s.io/gengo/v2 v2.0.0-20250820003526-c297c0c1eb9d -> v2.0.0-20250922181213-ec3ebc5fd46b
k8s.io/kube-aggregator v0.34.2 -> v0.34.3
k8s.io/kube-openapi v0.0.0-20250814151709-d7b6acb124c3 -> v0.0.0-20250910181357-589584f1c912
k8s.io/kubelet v0.34.2 -> v0.34.3
k8s.io/metrics v0.34.2 -> v0.34.3
sigs.k8s.io/structured-merge-diff/v6 v6.3.0 -> v6.3.2-0.20260122202528-d9cc6641c482

@renovate renovate bot force-pushed the renovate/k8s-go branch 4 times, most recently from c1207dd to 6f4cf78 Compare January 27, 2026 22:04
@renovate renovate bot force-pushed the renovate/k8s-go branch 2 times, most recently from 2f273fa to 047c925 Compare February 2, 2026 19:59
@renovate renovate bot force-pushed the renovate/k8s-go branch 8 times, most recently from cf9fffc to 1ec576e Compare February 12, 2026 14:02
@renovate renovate bot force-pushed the renovate/k8s-go branch 4 times, most recently from addfb8e to 5d19a8b Compare February 20, 2026 14:07
@renovate renovate bot force-pushed the renovate/k8s-go branch 2 times, most recently from 7e795d2 to 8e455ec Compare February 23, 2026 17:06
@renovate renovate bot force-pushed the renovate/k8s-go branch from 8e455ec to 0bf1aa2 Compare February 23, 2026 23:45