Highlights for the week ending 2024-07-25

Observability

  • alloy-app version 0.3.0 introduces the following changes: - Add a Kyverno PolicyException for the run-as-non-root policy - Upgrade the upstream alloy chart from 0.4.0 to 0.5.1, which bumps Alloy itself from 1.2.0 to 1.2.1
  • logging-operator version 0.7.0 adds support for Alloy as the logging agent. It also adds a --logging-agent flag to toggle between Promtail and Alloy.
  • loki-app version 0.21.0 upgrades the upstream chart from 6.6.4 to 6.7.1 (see the upstream changelog for details), which bumps Loki from 3.0.0 to 3.1.0.
  • object-storage-operator version 0.8.0 introduces the following changes: - Add a ReclaimPolicy field to the Bucket CR to control what happens to the data when the CR is deleted (retain or delete) - Add a finalizer on the Azure secret to prevent its deletion - Delete all objects in an S3 bucket when the bucket is deleted, since S3 refuses to remove a non-empty bucket
  • observability-bundle version 1.5.1 upgrades prometheus-operator-crd to 11.0.1. Version 1.5.0 additionally introduces the following changes: - Add alloy v0.3.0 as alloy-logs - prometheus-operator no longer validates the PromQL syntax of PrometheusRule objects labelled application.giantswarm.io/prometheus-rule-kind: loki, since those rules contain LogQL and are evaluated by the Loki ruler rather than by Prometheus
  • observability-operator version 0.3.0 deletes the monitoring resources it manages when monitoring is disabled at the installation or cluster level via the giantswarm.io/monitoring label.
  • prometheus-operator-crd version 11.0.1 adds the helm.sh/resource-policy: keep annotation to all CRDs so that Helm uninstalls and upgrades leave them in place. Deleting a CRD also deletes every custom resource of that kind, so this protects the ServiceMonitor, PrometheusRule and similar objects that depend on them.
  • prometheus-rules version 4.8.0 moves alloy to the monitoring namespace. Version 4.7.0 introduces the following changes: - Support Loki rules for management clusters in the alloy config - Add a Grafana datasource for the MC Loki ruler - Make dns-operator-azure CAPZ-only - Fix the PromtailDown alert so it fires only when the node is ready
  • kube-downscaler-app version 0.3.0 pushes the kube-downscaler app to all collections, and version 0.2.0 adds an enabled field in values to disable the whole chart if needed.
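The Kyverno PolicyException mentioned for alloy-app 0.3.0, written out as an added example rather than the chart's own manifest. The policy name require-run-as-nonroot and rule name run-as-non-root follow the naming of Kyverno's Pod Security policy library, the agent is assumed to be a DaemonSet named alloy-logs in the monitoring namespace, and Kyverno is assumed to read exceptions from the kyverno namespace; none of these are stated on this page.

```yaml
# Added example, not alloy-app's own manifest. Assumed: policy/rule names from
# Kyverno's PSS library, a DaemonSet named alloy-logs in namespace monitoring,
# and Kyverno configured to accept PolicyExceptions from the kyverno namespace.
apiVersion: kyverno.io/v2beta1
kind: PolicyException
metadata:
  name: alloy-logs-run-as-non-root
  namespace: kyverno
spec:
  exceptions:
    - policyName: require-run-as-nonroot
      ruleNames:
        - run-as-non-root
        # Kyverno auto-generates a controller-level variant of each Pod rule;
        # it must be exempted as well or the DaemonSet itself is still blocked.
        - autogen-run-as-non-root
  match:
    any:
      - resources:
          kinds:
            - DaemonSet
            - Pod
          namespaces:
            - monitoring
          names:
            - alloy-logs
            - "alloy-logs-*"   # Pods created by the DaemonSet carry a random suffix
```

Keep the match as narrow as the one above: kinds, namespace and names. An exception that matches only on kind quietly disables the run-as-non-root control for every workload in the cluster, and nothing in the admission response tells the operator that happened.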
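An added example of the loki-kind PrometheusRule that observability-bundle 1.5.0 exempts from PromQL validation. It is not a rule from the prometheus-rules chart; the alert name, namespace and LogQL expression are assumed, while the label key and value come from the release note above.

```yaml
# Added example, not a rule shipped by prometheus-rules. Assumed: alert name,
# namespace and expression. The label is the one from the release note.
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: kube-system-error-logs
  namespace: monitoring
  labels:
    # Tells the bundled prometheus-operator to skip PromQL parsing for this
    # object: the expression below is LogQL and would otherwise fail validation.
    application.giantswarm.io/prometheus-rule-kind: loki
spec:
  groups:
    - name: logs.kube-system
      rules:
        - alert: KubeSystemErrorLogs
          # LogQL, not PromQL: error log lines per second in kube-system over 5m
          expr: sum(rate({namespace="kube-system"} |= "error" [5m])) > 1
          for: 10m
          labels:
            severity: warning
          annotations:
            description: kube-system emits more than one error log line per second.
```

Without the label, the same object is rejected or dropped by prometheus-operator's rule validation because the stream selector and line filter are not valid PromQL; with it, Prometheus ignores the rule and the Loki ruler evaluates it.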

Authentication and Authorization

  • dex-app version 1.42.11 brings the following changes: - Default the ingress.tls.clusterIssuer value to letsencrypt-giantswarm - Update the cert-manager.io/cluster-issuer annotation to use that default
  • teleport-kube-agent-app version 0.9.2 introduces podAntiAffinity so that teleport-kube-agent pods are scheduled on different control-plane nodes, and raises the number of replicas to 3 for better high availability.
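The anti-affinity and replica change described above, as an added example rather than the teleport-kube-agent-app chart's own template. A Deployment named teleport-kube-agent in the teleport namespace, the node-role.kubernetes.io/control-plane label and taint, and the container image are all assumptions; the page states only the three replicas and the one-pod-per-control-plane-node placement.

```yaml
# Added example, not the chart's manifest. Assumed: Deployment name/namespace,
# the control-plane label and taint, and the image. The chart may use a different
# workload kind; the affinity block is the same in a StatefulSet template.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: teleport-kube-agent
  namespace: teleport
spec:
  replicas: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # With a "required" anti-affinity on exactly three control-plane nodes a
      # surge pod can never schedule, so the default maxSurge=1/maxUnavailable=0
      # deadlocks the rollout. Replace in place instead.
      maxSurge: 0
      maxUnavailable: 1
  selector:
    matchLabels:
      app: teleport-kube-agent
  template:
    metadata:
      labels:
        app: teleport-kube-agent
    spec:
      # Pin to control-plane nodes, which are tainted NoSchedule by default.
      nodeSelector:
        node-role.kubernetes.io/control-plane: ""
      tolerations:
        - key: node-role.kubernetes.io/control-plane
          operator: Exists
          effect: NoSchedule
      affinity:
        podAntiAffinity:
          # "required" keeps a replica Pending rather than co-locating it, so
          # three replicas need at least three control-plane nodes. Use
          # preferredDuringSchedulingIgnoredDuringExecution for smaller control
          # planes that must still roll out.
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: teleport-kube-agent
              topologyKey: kubernetes.io/hostname
      containers:
        - name: teleport
          image: teleport-kube-agent:example   # assumed; the chart sets the real image
          args: ["start", "--config=/etc/teleport/teleport.yaml"]
```

Check the result with kubectl get pods -n teleport -o wide: three Running pods, each on a distinct control-plane node. A pod stuck in Pending with a "didn't match pod anti-affinity rules" event means there are fewer eligible nodes than replicas.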

Connectivity

  • k8s-dns-node-cache-app version v2.8.1 fixes an issue with app-exporter metrics on Cluster API installations by removing provider-specific restrictions. All app-exporter metrics are now available on all providers.

Security

  • kyverno-policies-connectivity version 0.6.0 introduces the following changes: - Update the kubectl container image to v1.26.0 for the WorkloadCluster IP Job - Harden the pod and container SecurityContext settings of the WorkloadCluster IP Job - Run kubectl apply with --server-side=true --field-manager='kubectl-client-side-apply' --force-conflicts in the WorkloadCluster IP Job, so the job takes over fields previously managed by client-side apply instead of failing on ownership conflicts - Remove unused tests under the helm directory
  • security-bundle version 1.8.0 introduces the following changes: - Add the kyverno-crds app to handle the Kyverno CRD install - Update the kyverno app to v0.17.15, which disables the CRD install job in favor of the kyverno-crds app
  • kyverno-app version 0.17.15 brings the following changes: - Set the VPA maximum to 6 CPU / 24Gi memory and adjust the default requests/limits for the reports-controller - Set the VPA maximum to 4 CPU / 8Gi memory and adjust the default requests/limits for the background-controller - Set the starting CPU limit of the cleanup-controller to its request plus 25% - Disable the Kyverno CRD install Job in favor of the kyverno-crds app
  • kyverno-crds version 1.11.1 removes unpopulated labels and fixes the team label.

Cluster management

Docs