CAPA Releases

  • This release updates the cluster-aws chart and the underlying cluster chart to address an issue around Helm values schema validation uncovered by newer Helm versions.

    Changes compared to v31.1.0

    Components

    • cluster-aws from v3.6.0 to v3.6.1

    cluster-aws v3.6.0…v3.6.1

    Changed

    • Chart: Update cluster to v2.5.1.
  • This release updates the cluster-aws chart and the underlying cluster chart to address an issue around Helm values schema validation uncovered by newer Helm versions.

    Changes compared to v30.1.4

    Components

    • cluster-aws from v3.2.3 to v3.2.4

    cluster-aws v3.2.3…v3.2.4

    Changed

    • Chart: Update cluster to v2.2.2.
  • This release backports the change that reduces the IMDS response hop limit to 2 when pod networking is in ENI mode, to increase security. For clusters in ENI mode, all nodes are rolled when upgrading to this release.

    Changes compared to v30.1.3

    Components

    • cluster-aws from v3.2.2 to v3.2.3

    cluster-aws v3.2.2…v3.2.3

    Changed

    • Reduce IMDS Response Hop Limit to 2 if pod networking is in ENI mode to increase security.

    Apps

  • This release backports the change that reduces the IMDS response hop limit to 2 when pod networking is in ENI mode, to increase security. For clusters in ENI mode, all nodes are rolled when upgrading to this release.

    Changes compared to v29.6.3

    Components

    • cluster-aws from v2.6.3 to v2.6.4

    cluster-aws v2.6.3…v2.6.4

    Changed

    • Reduce IMDS Response Hop Limit to 2 if pod networking is in ENI mode to increase security.

    Apps

  • This release updates Kubernetes to the latest patch release v1.31.11.

    During control plane upgrades, transient warnings are now avoided by using a fixed AMI lookup string instead of one that is filled in dynamically. This causes nodes to be rolled once when upgrading to this release.

    We added an option to set the IMDSv2 request hop limit for EC2 instances. This is usually not needed, except where security requirements such as AWS SCPs (service control policies) dictate a maximum.

    Karpenter support keeps getting better: node-termination-handler is no longer installed if only Karpenter node pools are used, as the same functionality (pod draining and EC2 instance termination handling) is built into Karpenter. Nodes in such pools now also use the reduced IAM permission set (this can be toggled back in exceptional cases).
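    The hop-limit setting above, and the backported reduction to 2 for ENI mode in the older releases on this page, can be verified after the node roll from the AWS API rather than from inside a pod. The following is an added example, not part of these release notes or of cluster-aws: a stdlib-only Python audit of `aws ec2 describe-instances --output json` output that flags instances still accepting IMDSv1 or whose `HttpPutResponseHopLimit` exceeds a cap (2 here, the value this release applies to ENI-mode nodes; an SCP-imposed maximum would be checked the same way). The instance IDs and the sample JSON are constructed.

```python
"""Audit EC2 metadata options from `aws ec2 describe-instances --output json`.

Two checks per instance whose IMDS endpoint is enabled:
  * HttpTokens must be "required" (IMDSv2 only, no IMDSv1 fallback).
  * HttpPutResponseHopLimit must not exceed MAX_HOP_LIMIT.

The hop limit is the IP TTL AWS sets on the IMDSv2 token (PUT) response: with 1,
nothing behind a routing hop (a pod in its own network namespace) can obtain a
token; with 2, a pod one hop behind the node can; larger values reach further.
"""
import json

# Cap to enforce. 2 is what the release applies to ENI-mode nodes; an SCP cap
# would be checked the same way with its own value.
MAX_HOP_LIMIT = 2

# Constructed sample in the shape of `aws ec2 describe-instances --output json`.
# Instance IDs are made up.
SAMPLE_DESCRIBE_INSTANCES = json.dumps({
    "Reservations": [{
        "Instances": [
            {"InstanceId": "i-0aaa0000000000001",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 2}},
            {"InstanceId": "i-0bbb0000000000002",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required",
                                 "HttpPutResponseHopLimit": 3}},
            {"InstanceId": "i-0ccc0000000000003",
             "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional",
                                 "HttpPutResponseHopLimit": 1}},
            {"InstanceId": "i-0ddd0000000000004",
             "MetadataOptions": {"HttpEndpoint": "disabled"}},
        ]
    }]
})


def audit_metadata_options(describe_output, max_hop_limit=MAX_HOP_LIMIT):
    """Return {instance_id: [finding, ...]} for every instance that fails a check."""
    findings = {}
    for reservation in json.loads(describe_output).get("Reservations", []):
        for instance in reservation.get("Instances", []):
            opts = instance.get("MetadataOptions", {})
            if opts.get("HttpEndpoint") == "disabled":
                continue  # no IMDS at all, so there is nothing for the hop limit to protect
            problems = []
            if opts.get("HttpTokens") != "required":
                problems.append("IMDSv1 still allowed (HttpTokens is not 'required')")
            hop_limit = opts.get("HttpPutResponseHopLimit")
            # A missing value is reported too: the API normally returns it, so
            # absence means the audit cannot prove the cap holds.
            if hop_limit is None or hop_limit > max_hop_limit:
                problems.append(f"hop limit {hop_limit} exceeds the maximum of {max_hop_limit}")
            if problems:
                findings[instance["InstanceId"]] = problems
    return findings


if __name__ == "__main__":
    import sys
    # `--stdin` audits real CLI output piped in; otherwise the constructed sample is used.
    raw = sys.stdin.read() if "--stdin" in sys.argv else SAMPLE_DESCRIBE_INSTANCES
    for instance_id, problems in audit_metadata_options(raw).items():
        for problem in problems:
            print(f"{instance_id}: {problem}")
```

    Typical use after the upgrade finished rolling nodes: `aws ec2 describe-instances --filters Name=tag:kubernetes.io/cluster/<cluster>,Values=owned --output json | python3 audit_imds.py --stdin`. The check is about the node's configuration only; whether a pod can actually reach 169.254.169.254 additionally depends on the CNI's routing and any network policy in front of the metadata endpoint.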

    Changes compared to v31.0.0

    Components

    • cluster-aws from v3.4.0 to v3.6.0
    • Kubernetes from v1.31.9 to v1.31.11

    cluster-aws v3.4.0…v3.6.0

    Added

    • Add giantswarm.io/role: nodes by default to private subnets used for nodes. Can be overwritten.
    • Make IMDSv2 hop limit configurable

    Changed

    • Chart: Update cluster to v2.5.0.
    • Only deploy node-termination-handler when there are non-Karpenter node pools, because Karpenter takes care of node draining.
    • Change imageLookupFormat to use a static string rather than CAPI replacing the OS and Kubernetes versions. This rolls control plane nodes.

    Fixed

    • Use reduced IAM permissions on karpenter worker nodes instance profile. This can be toggled back with global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers.

    Apps

    • aws-nth-bundle from v1.2.1 to v1.2.2
    • capi-node-labeler from v1.1.1 to v1.1.2
    • cert-exporter from v2.9.7 to v2.9.8
    • cilium from v1.2.1 to v1.2.2
    • cluster-autoscaler from v1.31.2-gs2 to v1.31.3-gs1
    • coredns from v1.25.0 to v1.26.0
    • etcd-defrag from v1.0.5 to v1.0.6
    • etcd-k8s-res-count-exporter from v1.10.5 to v1.10.6
    • k8s-audit-metrics from v0.10.4 to v0.10.5
    • k8s-dns-node-cache from v2.8.1 to v2.9.0
    • karpenter-bundle from v2.0.0 to v2.1.0
    • karpenter-nodepools from v0.1.0 to v0.2.0
    • node-exporter from v1.20.3 to v1.20.4
    • security-bundle from v1.11.0 to v1.12.0
    • teleport-kube-agent from v0.10.5 to v0.10.6

    aws-nth-bundle v1.2.1…v1.2.2

    Changed

    • Upgrade Node Termination Handler to 1.21.0.

    capi-node-labeler v1.1.1…v1.1.2

    Changed

    • Go: Update dependencies.

    cert-exporter v2.9.7…v2.9.8

    Changed

    • Go: Update dependencies.

    cilium v1.2.1…v1.2.2

    Changed

    • Upgrade Cilium to v1.17.6.
    • Updated E2E tests to use apptest-framework v1.14.0
    • Increase Cilium operator resource limits.

    Removed

    • Remove deprecated “partial” mode from Kube Proxy Replacement options.

    cluster-autoscaler v1.31.2-gs2…v1.31.3-gs1

    Changed

    • Chart: Update to upstream v1.31.3.

    coredns v1.25.0…v1.26.0

    Changed

    • Update coredns image to 1.12.2.

    etcd-defrag v1.0.5…v1.0.6

    Changed

    • Chart: Update dependency ahrtr/etcd-defrag to v0.29.0. (#43)

    etcd-k8s-res-count-exporter v1.10.5…v1.10.6

    Changed

    • Go: Update dependencies.

    k8s-audit-metrics v0.10.4…v0.10.5

    Changed

    • Go: Update dependencies.

    k8s-dns-node-cache v2.8.1…v2.9.0

    Changed

    • Upgrade application to version 1.26.4 (includes coredns 1.11.3)
    • Increase ServiceMonitor’s scraping interval to 1m.
    • Remove obsolete PSPs

    karpenter-bundle v2.0.0…v2.1.0

    Removed

    • Remove capa-karpenter-taint-remover because nodes are now in the MachinePool CR, so the taint will be removed by CAPI.

    karpenter-nodepools v0.1.0…v0.2.0

    Changed

    • Improve json schema.
    • Change subnet selector to avoid CNI subnets.

    node-exporter v1.20.3…v1.20.4

    Changed

    • Go: Update to v1.24.5.

    security-bundle v1.11.0…v1.12.0

    Changed

    • Update trivy-operator (app) to v0.11.1.
    • Update trivy (app) to v0.14.0.
    • Update falco (app) to v0.10.1.
    • Update cloudnative-pg (app) to v0.0.10.
    • Update starboard-exporter (app) to v0.8.2.
    • Updated E2E tests to use apptest-framework v1.14.0

    teleport-kube-agent v0.10.5…v0.10.6

    Changed

    • AppVersion upgrade to 17.5.4
  • Upgrade cluster-aws to handle IMDS Hop Limit and patch kubernetes version.

    Changes compared to v28.5.4

    Components

    • cluster-aws from v1.3.10 to v1.3.11

    cluster-aws v1.3.10…v1.3.11

    Changed

    • Reduce IMDS Response Hop Limit to 2 if pod networking is in ENI mode to increase security.
  • Upgrade cluster-aws to handle IMDS Hop Limit.

    Changes compared to v27.5.3

    Components

    • cluster-aws from v1.3.10 to v1.3.11

    cluster-aws v1.3.10…v1.3.11

    Changed

    • Reduce IMDS Response Hop Limit to 2 if pod networking is in ENI mode to increase security.
  • Upgrade cluster-aws to handle IMDS Hop Limit.

    Changes compared to v26.4.3

    Components

    • cluster-aws from v1.3.10 to v1.3.11

    cluster-aws v1.3.10…v1.3.11

    Changed

    • Reduce IMDS Response Hop Limit to 2 if pod networking is in ENI mode to increase security.
  • Along with Kubernetes and application upgrades, this release brings several new features. Node pools have been extended with a new Karpenter type, integrating Karpenter fully with the Giant Swarm cluster lifecycle instead of running it as a Managed Application. The Karpenter application is now deployed out of the box as part of Giant Swarm clusters if configured. For further configuration, please check our example of Karpenter node pool usage.

    Additionally, we have extended the cluster configuration to support multiple VPC CIDRs under global.connectivity.network.vpcCidr; please read the schema documentation for more details.

    Finally, we are gradually introducing changes to the management of IAM roles for service accounts (IRSA) on the Giant Swarm side, where the required infrastructure will be fully managed by Crossplane instead of by irsa-operator and capa-iam-operator. There is no impact for customers, but the change allows Giant Swarm to pair the IAM permissions required by applications with their actual releases and deployments, moving away from single operators implementing all the roles. The Karpenter application will be the first one to use it.

    For any questions regarding new features or their usage, please reach out to Giant Swarm. For customers running Karpenter as a Managed Application from the Giant Swarm catalog, it is safe to upgrade to this release without any changes. The application will work as expected until migrated to the new node pool type.

    Changes compared to v30.1.3

    Components

    • cluster-aws from v3.2.2 to v3.4.0
    • Flatcar from v4152.2.1 to v4152.2.3
    • Kubernetes from v1.30.11 to v1.31.9
    • os-tooling from v1.24.0 to v1.26.1

    cluster-aws v3.2.2…v3.4.0

    Added

    • Adopt IRSA infrastructure with Crossplane. It can be disabled to use IRSA Operator.
    • Support multiple VPC CIDRs
    • Add karpenter support
      • Expose new values to configure karpenter node pools.
      • Deploy karpenter app when karpenter node pools are configured.
    • Add cert-manager-crossplane-resources App in private clusters to support the DNS01 clusterIssuer.
    • Add configuration for DNS01 clusterIssuer deployed by cert-manager-app in private clusters.
    • Apply startup taint ebs.csi.aws.com/agent-not-ready for AWS EBS CSI driver on worker nodes.

    Changed

    • Reduce IMDS Response Hop Limit to 2 if pod networking is in ENI mode to increase security.
    • Configure HelmReleases to retry indefinitely when installation or upgrade fails by setting retries: -1.
    • Chart: Update cluster to v2.4.0.

    Apps

    • Added cert-manager-crossplane-resources v0.1.0
    • Added karpenter-bundle v2.0.0
    • Added karpenter-nodepools v0.1.0
    • capi-node-labeler from v1.0.2 to v1.1.1
    • cert-exporter from v2.9.5 to v2.9.7
    • cert-manager from v3.9.0 to v3.9.1
    • cilium from v0.31.5 to v1.2.1
    • cilium-crossplane-resources from v0.2.0 to v0.2.1
    • cloud-provider-aws from v1.30.8-gs1 to v1.31.5-gs1
    • cluster-autoscaler from v1.30.4-gs1 to v1.31.2-gs2
    • coredns from v1.24.0 to v1.25.0
    • etcd-defrag from v1.0.2 to v1.0.5
    • etcd-k8s-res-count-exporter from v1.10.3 to v1.10.5
    • k8s-audit-metrics from v0.10.2 to v0.10.4
    • net-exporter from v1.22.0 to v1.23.0
    • node-exporter from v1.20.2 to v1.20.3
    • observability-bundle from v1.11.0 to v2.0.0
    • observability-policies from v0.0.1 to v0.0.2
    • security-bundle from v1.10.1 to v1.11.0
    • teleport-kube-agent from v0.10.4 to v0.10.5
    • vertical-pod-autoscaler from v5.4.0 to v5.5.1
    • vertical-pod-autoscaler-crd from v3.2.0 to v3.3.1

    capi-node-labeler v1.0.2…v1.1.1

    Changed

    • Go: Update dependencies.
    • Improve Control Plane node detection.
    • Taint Control Plane nodes if not already tainted.
    • Go: Update dependencies.

    cert-exporter v2.9.5…v2.9.7

    Changed

    • Go: Update dependencies.
    • Fix linting issues.
    • Go: Update dependencies.

    cert-manager v3.9.0…v3.9.1

    Added

    • Added Vertical Pod Autoscaler support for controller pods.
    • Added renovate configuration

    Removed

    • Removed dependabot configuration

    cert-manager-crossplane-resources v0.1.0

    Added

    • Added support for Azure
    • Included the giantswarm.io/cluster label

    Changed

    • Restructured Chart to support multiple cloud providers

    cilium v0.31.5…v1.2.1

    Changed

    • Enable conntrack accounting in Cilium agent by default.
    • Re-enable Cilium agent and operator metrics port.
    • Add resource requests and limits to Hubble UI and Relay.
    • Add resource requests and limits to Cilium Operator.
    • Upgrade Cilium to v1.17.4.
    • Cilium v1.17.4 disables kubernetes api connectivity check for liveness probes. (Upstream PR: https://github.com/cilium/cilium/pull/38703)
    • Upgrade Cilium to v1.17.3.
    • Upgrade Cilium to v1.17.2.
    • Remove cleanup kube-proxy patch.
    • Identity computation label exclusion list regular expressions. Remove controller-uid, since this is excluded by default now.
    • Upgrade Cilium to v1.17.0.
    • Use upstream default value for prometheus.metrics.
    • Enable Envoy Proxy in standalone DaemonSet.

    cilium-crossplane-resources v0.2.0…v0.2.1

    Added

    • Included the giantswarm.io/cluster label

    cloud-provider-aws v1.30.8-gs1…v1.31.5-gs1

    Changed

    • Chart: Update to upstream v1.31.5.

    cluster-autoscaler v1.30.4-gs1…v1.31.2-gs2

    Added

    • Add additional labels to ignore during ASG balancing check
    • Support adding additional labels to the PodMonitor resource via the podMonitor.additionalLabels value.

    Changed

    • Chart: Use v1.31.2.
    • Chart: Update to upstream v1.31.2. (#325)

    coredns v1.24.0…v1.25.0

    Changed

    • Update coredns image to 1.12.1.

    etcd-defrag v1.0.2…v1.0.5

    Changed

    • Chart: Update dependency ahrtr/etcd-defrag to v0.28.0. (#34)
    • Chart: Update dependency ahrtr/etcd-defrag to v0.27.0. (#29)
    • Chart: Update dependency ahrtr/etcd-defrag to v0.26.0. (#22)

    etcd-k8s-res-count-exporter v1.10.3…v1.10.5

    Changed

    • Go: Update dependencies.

    Fixed

    • Fix linting issues.
    • Go: Update dependencies.

    k8s-audit-metrics v0.10.2…v0.10.4

    Changed

    • Go: Update dependencies.

    Fixed

    • Fix linting issues.
    • Go: Update dependencies.

    karpenter-bundle v2.0.0

    Added

    • First release

    Changed

    • Add karpenter-app dependency on karpenter-crossplane-resources app.
    • Bump karpenter to v1.5.0.
    • Bump karpenter-app to v0.14.0.
    • Update karpenter-capa-taint-remover to allow scheduling on all taints.
    • Update karpenter-crossplane-resources app version to add support for vintage OIDC issuer on migrated clusters
    • Update karpenter to update flowschema API
    • Update interruption queue settings
    • Update SQS Policy URL

    karpenter-nodepools v0.1.0

    Changed

    • The app.giantswarm.io label group was changed to application.giantswarm.io.

    net-exporter v1.22.0…v1.23.0

    Changed

    • Check for errors when closing connections.
    • Switch from Endpoints to EndpointSlices for neighbors discovery.

    node-exporter v1.20.2…v1.20.3

    Changed

    • Go: Update dependencies.

    observability-bundle v1.11.0…v2.0.0

    Added

    • Add support for enabling pre-configured custom resources in KSM
    • Add metrics containing labels for Crossplane resources

    Changed

    • Upgrade alloy-app from 0.10.0 to 0.11.0
      • This bumps the version of Alloy from 1.8.3 to 1.9.0
    • Upgrade alloy-app from 0.9.0 to 0.10.0
      • This bumps the version of Alloy from 1.7.1 to 1.8.3
    • Reconfigure Flux-related part of the KSM to use wildcards instead of hardcoded versions.
    • Rename Flux-related metrics produced by the KSM.
    • Upgrade kube-prometheus-stack to 72.3.0
      • Bumps prometheus-operator to 0.82.0
      • Bumps prometheus-operator CRDs to 0.82.0
    • Upgrade kube-prometheus-stack to 72.3.0
      • Bumps prometheus-operator to 0.82.0
    • Upgrade kube-prometheus-stack from 69.5.1 to 70.1.1
      • Bumps prometheus-operator to 0.81.0
      • Bumps prometheus to 3.2.1

    Fixed

    • Fix catalog for alloy apps as it is now pushed to the default catalog.

    Removed

    • Clean up old and deprecated telemetry collectors:
      • promtail
      • grafana-agent
      • prometheus-agent
    • Disable PodSecurityPolicies by default as PodSecurityPolicies are deprecated and removed in Kubernetes v1.25+ clusters

    observability-policies v0.0.1…v0.0.2

    Changed

    security-bundle v1.10.1…v1.11.0

    Added

    • Add policy-api-crds app to manage Policy API CRDs.

    Changed

    • Update trivy (app) to v0.13.4.
    • Update cloudnative-pg (app) to v0.0.7.
    • Update starboard-exporter (app) to v0.8.1.
    • Update kyverno-policy-operator (app) to v0.0.11.
    • Update cloudnative-pg (app) to v0.0.9.

    Notes

    Note: Kyverno PolicyExceptions (API group kyverno.io) versions v2alpha1 and v2beta1 are deprecated and will be removed in the next Kyverno minor release (v1.14). Please update all Kyverno PolicyExceptions to v2. No action is required for Giant Swarm Policy API PolicyExceptions (API group policy.giantswarm.io), which are handled automatically.
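    The migration the note asks for is an apiVersion rewrite of the kyverno.io objects only, while the policy.giantswarm.io ones must be left alone. The following is an added example, not part of these release notes or of the security-bundle: a stdlib-only Python script that takes the `List` printed by `kubectl get policyexceptions.v2beta1.kyverno.io -A -o json` (or the v2alpha1 equivalent), rewrites the deprecated versions to `kyverno.io/v2`, strips server-owned metadata, and emits a `List` ready for `kubectl apply -f -`. It assumes, as the Kyverno CRD's storage-version promotion does, that the spec fields carry over unchanged; the sample objects, names and the `policy.giantswarm.io/v1alpha1` version on the Giant Swarm item are constructed.

```python
"""Migrate kyverno.io PolicyException objects off the deprecated v2alpha1/v2beta1
API versions before Kyverno v1.14 removes them.

Input: the `List` that `kubectl get policyexceptions.v2beta1.kyverno.io -A -o json`
prints. Output: a `List` containing only the items that needed rewriting.
"""
import json

DEPRECATED_VERSIONS = {"kyverno.io/v2alpha1", "kyverno.io/v2beta1"}
TARGET_VERSION = "kyverno.io/v2"
# Server-owned metadata that must not be sent back on apply.
SERVER_METADATA = ("resourceVersion", "uid", "creationTimestamp", "managedFields", "generation")


def migrate_policy_exception(obj):
    """Return (migrated copy, True) for a deprecated kyverno.io PolicyException.

    Anything else, including a PolicyException in the policy.giantswarm.io group
    (handled by Giant Swarm automatically), is returned unchanged as (obj, False).
    """
    if obj.get("kind") != "PolicyException" or obj.get("apiVersion") not in DEPRECATED_VERSIONS:
        return obj, False
    migrated = json.loads(json.dumps(obj))  # deep copy; the spec schema is unchanged across these versions
    migrated["apiVersion"] = TARGET_VERSION
    metadata = migrated.setdefault("metadata", {})
    for key in SERVER_METADATA:
        metadata.pop(key, None)
    return migrated, True


def migrate_list(list_obj):
    """Return a kubectl-style List holding only the rewritten items."""
    items = []
    for item in list_obj.get("items", []):
        migrated, changed = migrate_policy_exception(item)
        if changed:
            items.append(migrated)
    return {"apiVersion": "v1", "kind": "List", "items": items}


# Constructed sample: two Kyverno exceptions on deprecated versions, one already
# on v2, and one Giant Swarm Policy API exception (version assumed) to be left alone.
SAMPLE_LIST = {
    "apiVersion": "v1", "kind": "List",
    "items": [
        {"apiVersion": "kyverno.io/v2beta1", "kind": "PolicyException",
         "metadata": {"name": "allow-privileged-cni", "namespace": "kube-system",
                      "resourceVersion": "12345", "uid": "00000000-0000-0000-0000-000000000001"},
         "spec": {"exceptions": [{"policyName": "disallow-privileged-containers",
                                  "ruleNames": ["privileged-containers"]}],
                  "match": {"any": [{"resources": {"kinds": ["Pod"], "namespaces": ["kube-system"]}}]}}},
        {"apiVersion": "kyverno.io/v2alpha1", "kind": "PolicyException",
         "metadata": {"name": "allow-hostnetwork", "namespace": "monitoring"},
         "spec": {"exceptions": [{"policyName": "disallow-host-namespaces",
                                  "ruleNames": ["host-namespaces"]}],
                  "match": {"any": [{"resources": {"kinds": ["Pod"], "namespaces": ["monitoring"]}}]}}},
        {"apiVersion": "kyverno.io/v2", "kind": "PolicyException",
         "metadata": {"name": "already-v2", "namespace": "default"}, "spec": {}},
        {"apiVersion": "policy.giantswarm.io/v1alpha1", "kind": "PolicyException",
         "metadata": {"name": "gs-managed", "namespace": "default"}, "spec": {}},
    ],
}

if __name__ == "__main__":
    import sys
    # `--stdin` migrates real kubectl output piped in; otherwise the constructed sample is used.
    source = json.load(sys.stdin) if "--stdin" in sys.argv else SAMPLE_LIST
    print(json.dumps(migrate_list(source), indent=2))
```

    Run it once per deprecated version, e.g. `kubectl get policyexceptions.v2beta1.kyverno.io -A -o json | python3 migrate_polex.py --stdin | kubectl apply --dry-run=server -f -`, and drop `--dry-run=server` once the server accepts every object. The objects keep their names and namespaces, so the apply updates the existing exceptions in place rather than creating duplicates.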

    teleport-kube-agent v0.10.4…v0.10.5

    Added

    • Set Home URL in chart metadata.

    vertical-pod-autoscaler v5.4.0…v5.5.1

    Changed

    • Chart: Update Helm release vertical-pod-autoscaler to v10.2.1. (#355)
    • Chart: Update Helm release vertical-pod-autoscaler to v10.1.0. (#350)
    • Chart: Update Helm release vertical-pod-autoscaler to v10.2.0. (#351)
    • Chart: Update Helm release vertical-pod-autoscaler to v10.0.1. (#346)

    vertical-pod-autoscaler-crd v3.2.0…v3.3.1

    Changed

    • Chart: Sync to upstream. (#146)
    • Chart: Sync to upstream. (#140)
    • Chart: Sync to upstream. (#136)
  • This release re-enables ingestion of Cilium metrics.

    Changes compared to v30.1.2

    Apps

    • cilium from v0.31.4 to v0.31.5
    • cilium-servicemonitors from v0.1.2 to v0.1.3

    cilium v0.31.4…v0.31.5

    Changed

    • Reenable Cilium agent metrics.

    cilium-servicemonitors v0.1.2…v0.1.3

    Changed

    • Fix home URL in chart metadata
    • Change ownership from phoenix to cabbage.
    • Use the app-build-suite.