1. Docs
  2. Changes and releases

Workload cluster release azure-27.0.0 for CAPZ

CAPZ releases releases azure-27.0.0

Changes compared to v26.0.0

Components

  • cluster-azure from v0.18.0 to v1.0.0
  • Flatcar from v3815.2.4 to v3815.2.5
  • Kubernetes from v1.26.15 to v1.27.16

cluster-azure v0.18.0…v1.0.0

Changed

  • Chart: Update cluster to v1.1.0. (#325)
    • Machine Template: Adapt new image format.
    • Apps: Enable observability-policies.

Apps

  • azure-cloud-controller-manager from v1.26.22-gs2 to v1.27.18-gs1
  • azure-cloud-node-manager from v1.26.22-gs2 to v1.27.18-gs1
  • cert-exporter from v2.9.0 to v2.9.1
  • cert-manager from v3.7.6 to v3.8.1
  • k8s-audit-metrics from v0.9.0 to v0.10.0
  • k8s-dns-node-cache from v2.6.2 to v2.8.1
  • net-exporter from v1.19.0 to v1.21.0
  • observability-bundle from v1.3.4 to v1.5.3
  • observability-policies v0.0.1
  • security-bundle from v1.7.1 to v1.8.0
  • teleport-kube-agent from v0.9.0 to v0.9.2
  • vertical-pod-autoscaler from v5.2.2 to v5.2.4

azure-cloud-controller-manager v1.26.22-gs2…v1.27.18-gs1

Changed

  • Chart: Update to upstream v1.27.18. (#81)

azure-cloud-node-manager v1.26.22-gs2…v1.27.18-gs1

Changed

  • Chart: Update to upstream v1.27.18. (#70)

cert-exporter v2.9.0…v2.9.1

Changed

  • Chart: Update PolicyExceptions to v2beta1. (#358)

cert-manager v3.7.6…v3.8.1

Added

  • Improves container security by setting runAsGroup and runAsUser greater than zero for all deployments.

Changed

  • Bump architect-orb@5.3.1 to fix CVE-2024-24790.
  • Improves cainjector’s Vertical Pod Autoscaler
  • Remove quotes from acme-http01-solver-image argument. The quotes are used when looking up the image which causes an error.
  • Changed the way registry is being parsed in helm templates
  • Enable VPA by default

k8s-audit-metrics v0.9.0…v0.10.0

Changed

  • Add securityContext.readOnlyRootFilesystem helm value (default true).

k8s-dns-node-cache v2.6.2…v2.8.1

Changed

  • Make the app visible for all providers.
  • Reduce security exceptions #89.
    • Enable readOnly FS moving config to emptyDir volume.
    • Remove NET_ADMIN and drop ALL capabilities.
    • Add NET_BIND_SERVICE capability.
    • Add policy exception for require-non-root-groups/autogen-check-runasgroup.
    • Remove disallow-capabilities-* policy exceptions.
  • Update PolicyException CR version to v2beta1.

net-exporter v1.19.0…v1.21.0

Changed

  • Enable readOnlyRootFilesystem in securityContext (#376)[https://github.com/giantswarm/net-exporter/pull/376].
  • Update module google.golang.org/grpc to v1.65.0 (#373).
  • Update k8s modules to v0.30.2 (#375).
  • Update quay.io/giantswarm/alpine Docker tag to v3.20.1 (#372).
  • Add node and app labels in ServiceMonitor.

observability-bundle v1.3.4…v1.5.3

Added

  • Add alloy v0.3.0 as alloy-logs

Changed

  • Rename alloy-logs app to camel case alloyLogs.
  • Fix CNP issues (allow traffic from pods in kube-system to nginx-ingress-controller)
    • Upgrade grafana-agent to 0.4.5.
    • Upgrade alloy to 0.3.1.
    • Upgrade promtail to 1.5.4.
  • Upgrade prometheus-operator-crd to 11.0.1.
  • prometheus-operator will not check promql syntax for prometheusRules that are labelled application.giantswarm.io/prometheus-rule-kind: loki
  • Upgrade kube-prometheus-stack to 11.0.0 and prometheus-operator-crd to 11.0.0. This upgrade mainly consists in:
    • kube-prometheus-stack dependency chart upgraded from 56.21.2 to 61.0.0
    • prometheus upgrade from 2.50.1 to 2.53.0
    • thanos ruler upgrade from 0.34.1 to 0.35.1
    • kube-state-metrics from 2.10.0 to 2.12.0
    • prometheus-operator from 0.71.2 0.75.0 - adding remoteWrite.proxyFromEnvironment and Scrape Class support
    • prometheus-node-exporter upgraded from 1.8.0 to 1.8.1
  • Upgrade grafana-agent from 0.4.3 to 0.4.4
    • This version enables the override the grafana agent CiliumNetworkPolicy egress and ingress sections.

observability-policies v0.0.1

Added

  • Add a ClusterPolicy to prevent prometheus-operator CRDs deletion.
  • Create observability-policies app to deploy Kyverno Observability Policies into clusters.

security-bundle v1.7.1…v1.8.0

Added

  • Add kyverno-crds app to handle Kyverno CRD install.

Changed

  • Update kyverno (app) to v0.17.15. This version disables the CRD install job in favor of kyverno-crds App.

teleport-kube-agent v0.9.0…v0.9.2

Changed

  • Introduced podAntiAffinity so teleport-kube-agent pods run on different control-plane nodes also increased the number of replicas to 3 to maintain better high availability.
  • Changed the way registry is being parsed in helm templates

vertical-pod-autoscaler v5.2.2…v5.2.4

Changed

  • Chart: Update Helm release vertical-pod-autoscaler to v9.8.3. (#301)
  • Chart: Change restartPolicy to OnFailure for the CRD job. (#298)

This part of our documentation refers to our vintage product. The content may be not valid anymore for our current product. Please check our new documentation hub for the latest state of our docs.