Highlights for the week ending 2024-07-25

Observability

  • alloy-app version 0.3.0 introduces the following changes:
      - Add kyverno policy exception for run as non root
      - Upgrade alloy upstream chart from 0.4.0 to 0.5.1
      - This bumps the version of alloy from 1.2.0 to 1.2.1
  • logging-operator version 0.7.0 adds support for Alloy as logging agent. It also adds a --logging-agent flag to toggle between Promtail and Alloy.
  • loki-app version 0.21.0 upgrades upstream chart from 6.6.4 to 6.7.1 - see changelog for more information. The loki version goes from 3.0.0 to 3.1.0.
  • object-storage-operator version 0.8.0 introduces the following changes:
      - ReclaimPolicy added in the Bucket CR to manage the data clean up (retain or delete).
      - Add a finalizer on the Azure secret to prevent its deletion.
      - Empty all the objects in the S3 bucket in case of bucket deletion.
  • observability-bundle version 1.5.1 upgrades prometheus-operator-crd to 11.0.1. In addition, version 1.5.0 introduces the following changes:
      - Add alloy v0.3.0 as alloy-logs
      - prometheus-operator will not check promql syntax for prometheusRules that are labelled application.giantswarm.io/prometheus-rule-kind: loki
  • observability-operator version 0.3.0 deletes monitoring resources if monitoring is disabled at the installation or cluster level using the giantswarm.io/monitoring label.
  • prometheus-operator-crd version 11.0.1 adds the helm.sh/resource-policy: keep annotation to all CRDs to avoid deletion during Helm operations.
  • prometheus-rules version 4.8.0 moves alloy to the monitoring namespace. Version 4.7.0 introduces the following changes:
      - Support for loki rules to management clusters in alloy config
      - grafana datasource for MC loki ruler
      - Make dns-operator-azure capz only.
      - Fix PromtailDown alert to fire only when the node is ready.
  • kube-downscaler-app version 0.3.0 pushes the kube-downscaler app to all collections, and version 0.2.0 adds an enabled field in values to disable the whole chart if needed.

Authentication and Authorization

  • dex-app version 1.42.11 brings the following changes:
      - Default ingress.tls.clusterIssuer values to letsencrypt-giantswarm
      - Update cert-manager.io/cluster-issuer annotation to use default.
  • teleport-kube-agent-app version 0.9.2 introduces podAntiAffinity so that teleport-kube-agent pods run on different control-plane nodes, and increases the number of replicas to 3 to maintain better high availability.

Connectivity

  • k8s-dns-node-cache-app version v2.8.1 fixes an issue with app-exporter metrics that occurred on Cluster API installations by removing provider-specific restrictions. All app-exporter metrics are now available on all providers.

Security

  • kyverno-policies-connectivity version 0.6.0 introduces the following changes:
      - Update kubectl container image to version v1.26.0 for WorkloadCluster Ip Job
      - Increase pod and container SecurityContext settings for WorkloadCluster Ip Job
      - Execute kubectl apply with --server-side=true --field-manager='kubectl-client-side-apply' --force-conflicts flags in WorkloadCluster Ip Job
      - Remove unused tests under helm directory.
  • security-bundle version 1.8.0 introduces the following changes:
      - Add kyverno-crds app to handle Kyverno CRD install.
      - Update kyverno (app) to v0.17.15. This version disables the CRD install job in favor of kyverno-crds App.
  • kyverno-app version 0.17.15 brings the following changes:
      - Set VPA max 6 CPU / 24Gi memory and adjust default requests/limits for reports-controller.
      - Set VPA max 4 CPU / 8Gi memory and adjust default requests/limits for background-controller.
      - Set starting CPU limit of request+25% for cleanup-controller.
      - Disable Kyverno CRDs install Job in favor of kyverno-crds App.
  • kyverno-crds version 1.11.1 removes unpopulated labels and fixes the team label.

Cluster management

Docs

This part of our documentation refers to our vintage product. The content may no longer be valid for our current product. Please check our new documentation hub for the latest state of our docs.