Highlights

  • Highlights for the week ending 2024-09-26

    Observability

• dashboards version 3.24.0

      • Updated Alertmanager dashboard to show related logs.
      • Add Loki mixins dashboards update script.
      • Update Mimir mixins dashboards via script.
      • Fix Alloy mixin tags.
    • alloy-app version 0.5.2 introduces the following changes:

      • Add a helm chart templating test to the ci pipeline.
      • Add tests with ats in the CI pipeline.
      • Push alloy as a gateway component in collections.
    • kyverno-policies-observability version 0.5.0

      • Remove the policy for ServiceMonitor and PodMonitor relabelling schemas as we no longer need the enforcement.
    • fluent-logshipping-app version 5.2.2

      • Fix the Nginx Parser based on the upstream parser.
    • logging-operator version 0.12.1

      • Fix usage of structured metadata for clusters before v20.
      • Move high cardinality values into structured metadata.
      • Add Kubernetes audit log resource label, filename label, and output stream label.
      • Rename the node_name label into node to match the metric label.
    • loki-app version 0.24.0

      • Add “manual e2e” testing procedure.
      • Add PR message template referring to the manual testing procedure.
    • observability-bundle version 1.6.2:

      • Fixed alloyMetrics catalog
    • observability-operator version 0.6.0:

      • Require observability-bundle >= 1.6.2 for Alloy monitoring agent support; this is due to the incorrect alloyMetrics catalogue in observability-bundle
      • Fix invalid Alloy config due to missing comma on external labels
      • Disable logger development mode to avoid panicking; use zap as a logger.
      • Fix CircleCI release pipeline.
      • Add manual e2e testing procedure and script.
    • prometheus-meta-operator version 4.79.0:

      • Remove unused #alert and #alert-test-installation slack integration.
    • prometheus-rules version 4.15.2:

      • Update MimirHPAReachedMaxReplicas operation recipe link
      • Fix aggregation rule of the slo:current_burn_rate:ratio slo.
• Remove aggregation of slo:period_error_budget_remaining:ratio as this value can be easily computed and creates a lot of time series in Grafana Cloud
      • Add aggregations for SLO metrics to export them to the Grafana cloud
      • Add MimirHPAReachedMaxReplicas alert to detect when Mimir’s HPAs have reached maximum capacity.
      • Added dashboards to several Mimir alerts
      • Change IRSAACMCertificateExpiringInLessThan60Days to IRSAACMCertificateExpiringInLessThan45Days. The ACM certificate is renewed 60 days before expiration, and the alert can fire prematurely.
    • tekton-dashboard-loki-proxy version 0.4.0:

      • Change app.giantswarm.io/* labels to application.giantswarm.io/
      • Update Golang to v1.23.1

    Cluster management

    • aws-pod-identity-webhook version 1.17.0:

      • Fix VPA being ineffective due to referring to a non-existing Deployment name
    • aws-crossplane-cluster-config-operator version 0.3.0

      • Configure the Crossplane ProviderConfig to use the CAPA controller role directly without going through a middleman. For this to work, the CAPA controller must have the correct trust policy granting access to the Crossplane provider’s service account.
      • Write a value oidcDomains to the config map containing all service account issuer domains, as defined by the new aws.giantswarm.io/irsa-trust-domains annotation on the AWSCluster. The primary domain is still written to value oidcDomain.
    • cluster version 1.4.1

      • Remove deprecation message for customNodeLabels and customNodeTaints, because they are not deprecated.
      • Allow configuring kube-controller-manager --node-cidr-mask-size flag.
• Chart: Support multiple service account issuers. Change providerIntegration.controlPlane.kubeadmConfig.clusterConfiguration.apiServer.serviceAccountIssuer to plural providerIntegration.controlPlane.kubeadmConfig.clusterConfiguration.apiServer.serviceAccountIssuers and render them in the specified order as --service-account-issuer parameters for the API server.
      • Only add the customNodeLabels value to the kubelet node-labels argument in the KubeadmConfig when customNodeLabels is defined.

    Security

    • kyverno-policies-dx version 0.5.1

      • Use Enforce and Audit validationFailureAction.
    • kyverno-policies-ux version 0.7.3

      • cluster-names now targets Cluster by GVK
      • Use Enforce validationFailureAction.
    • kyverno-app version 0.18.0

      • Update Kyverno to the upstream version v1.12.5.
    • kyverno-crds version 1.12.0

      • Update Kyverno CRDs to Kyverno v1.12.
    • kyverno-policies version 0.21.0

      • Update to upstream Kyverno Policies version 1.12.5.
      • Don’t push to vsphere-app-collection, capz-app-collection, capa-app-collection or cloud-director-app-collection. We started to consume kyverno-policies from security-bundle.
  • Highlights for the week ending 2024-07-25

    Observability

• alloy-app version 0.3.0 introduces the following changes:

      • Add a Kyverno policy exception for running as non-root.
      • Upgrade the alloy upstream chart from 0.4.0 to 0.5.1. This bumps the version of alloy from 1.2.0 to 1.2.1.
    • logging-operator version 0.7.0 adds support for Alloy as the logging agent. It also adds a --logging-agent flag to toggle between Promtail and Alloy.
    • loki-app version 0.21.0 upgrades the upstream chart from 6.6.4 to 6.7.1; see the changelog for more information. The Loki version goes from 3.0.0 to 3.1.0.
    • object-storage-operator version 0.8.0 introduces the following changes:

      • Add a ReclaimPolicy to the Bucket CR to manage data clean-up (retain or delete).
      • Add a finalizer on the Azure secret to prevent its deletion.
      • Empty all objects in the S3 bucket when the bucket is deleted.
    • observability-bundle version 1.5.1 upgrades prometheus-operator-crd to 11.0.1. In addition, version 1.5.0 introduces the following changes:

      • Add alloy v0.3.0 as alloy-logs.
      • prometheus-operator will not check PromQL syntax for PrometheusRules that are labelled application.giantswarm.io/prometheus-rule-kind: loki.
    • observability-operator version 0.3.0 deletes monitoring resources if monitoring is disabled at the installation or cluster level using the giantswarm.io/monitoring label.
    • prometheus-operator-crd version 11.0.1 adds the helm.sh/resource-policy: keep annotation to all CRDs to avoid deletion during Helm operations.
    • prometheus-rules version 4.8.0 moves Alloy to the monitoring namespace. Version 4.7.0 introduces the following changes:

      • Support Loki rules for management clusters in the Alloy config.
      • Add a Grafana datasource for the MC Loki ruler.
      • Make dns-operator-azure CAPZ only.
      • Fix the PromtailDown alert to fire only when the node is ready.
    • kube-downscaler-app version 0.3.0 pushes the kube-downscaler app to all collections, and version 0.2.0 adds an enabled field to the values to disable the whole chart if needed.

    Authentication and Authorization

• dex-app version 1.42.11 brings the following changes:

      • Default the ingress.tls.clusterIssuer value to letsencrypt-giantswarm.
      • Update the cert-manager.io/cluster-issuer annotation to use the default.
    • teleport-kube-agent-app version 0.9.2 introduces podAntiAffinity so that teleport-kube-agent pods run on different control-plane nodes, and increases the number of replicas to 3 for better high availability.

    Connectivity

• k8s-dns-node-cache-app version v2.8.1 fixes an issue with app-exporter metrics that occurred on Cluster API installations by removing provider-specific restrictions. Now all app-exporter metrics are available on all providers.

    Security

• kyverno-policies-connectivity version 0.6.0 introduces the following changes:

      • Update the kubectl container image to version v1.26.0 for the WorkloadCluster Ip Job.
      • Tighten the pod and container SecurityContext settings for the WorkloadCluster Ip Job.
      • Execute kubectl apply with the --server-side=true --field-manager='kubectl-client-side-apply' --force-conflicts flags in the WorkloadCluster Ip Job.
      • Remove unused tests under the helm directory.
    • security-bundle version 1.8.0 introduces the following changes:

      • Add the kyverno-crds app to handle the Kyverno CRD install.
      • Update kyverno (app) to v0.17.15. This version disables the CRD install job in favor of the kyverno-crds App.
    • kyverno-app version 0.17.15 brings the following changes:

      • Set VPA max 6 CPU / 24Gi memory and adjust default requests/limits for reports-controller.
      • Set VPA max 4 CPU / 8Gi memory and adjust default requests/limits for background-controller.
      • Set the starting CPU limit to request+25% for cleanup-controller.
      • Disable the Kyverno CRDs install Job in favor of the kyverno-crds App.
    • kyverno-crds version 1.11.1 removes unpopulated labels and fixes the team label.

  • Highlights for the week ending Feb 15 2024

    Apps

• The dex-k8s-authenticator component is now deprecated and disabled by default because the upstream project is no longer maintained. We advise switching to kubectl gs login for access. Please reach out if you need any support regarding the access mechanism.
    • external-dns-app version v3.1.0 removes the default namespace filter configuration. This was a relic from the time when nginx-ingress was bound to the kube-system namespace, and that restriction has now been lifted.
    • flux-app version v1.3.1 corrects installation issues from the v1.2.0 release where in certain scenarios controllers were unable to start due to PSPs still being available on the clusters. This version of the app also improves monitoring of the flux controllers. Customers who are using the v1.2.0 release should upgrade to this new version at the earliest convenience. Please reach out if you need any support regarding the upgrade.

  • Highlights for the week ending Feb 01 2024

    Apps

• flux-app version v1.2.0 introduces two changes. The first is the update to Flux version v2.1.2; please see the upstream release notes. The changes include overall improvements without breaking changes. Besides the update to Flux v2.1.2, we are also dropping all PSPs from the install.yaml in favor of PSS, and we updated all security policies to satisfy the Kyverno checks.

  • Highlights for the week ending Dec 21 2023

    Observability

    • Logging for workload clusters is now enabled by default
      • You can access those logs via your installation’s Grafana
      • Logs are available for
        • All CAPA workload clusters
        • AWS workload clusters from 19.3.0 onwards
      • Available logs:
        • Pod logs from giantswarm and kube-system namespaces
        • Kubernetes API server audit logs
        • Systemd unit logs
      • Documentation: https://handbook.giantswarm.io/docs/observability/loki-usage/
  • Highlights for the week ending Nov 23 2023

    Linkerd

These three releases have been upgraded to Linkerd v2.14.3. For more information about the Linkerd v2.14.3 changes, please take a look at the official release notes.

  • Highlights for the week ending Nov 16 2023

    General

    • Logging infrastructure is now available on AWS and CAPA management clusters.
      • Loki and Promtail are deployed on AWS and CAPA management clusters
• You can query for the following logs:
        • Kubernetes Pods
        • Audit logs from Kubernetes API server
        • Systemd units
• Log retention is set to 1 month
      • Only management cluster logs are available (for now)
      • Access logs using Grafana; see the usage doc

    Falco

• Falco 0.7.0 is released. This means the underlying component version is higher than 0.36.0. The update contains the falcoctl tool, which helps to administer Falco configuration and audit the state of the system. From now on, Falco images will no longer be shipped with rules inside the image. Instead, they will use an init container to download the rules from an official repository and will check frequently for updates. As a consequence, the number of rules Falco installs has been drastically lowered, and the previous ruleset has been divided into several categories: Standard, Incubating, and Sandbox. This reduces noise in general, but if the previous ruleset is required, it can be enabled using the command line tool. For more information about the new situation, check Falco’s new rules repository.
  • Highlights for the week ending October 10 2023

    Apps

security-bundle versions 1.1.0 and 0.18.0: with these two releases we include two new tools supporting migration away from Pod Security Policies, exception-recommender and kyverno-policy-operator. exception-recommender analyzes the current policy reports in a cluster and, based on the results, generates Giant Swarm PolicyExceptionDraft resources. Once the drafts have been reviewed and accepted, kyverno-policy-operator takes the resulting Giant Swarm PolicyExceptions and generates the necessary Kyverno resources to allow workloads to continue running.

    Documentation

We have started the migration away from Pod Security Policies! Therefore we have added a cluster administrator migration guide containing all information about the new Policy API and all the assistive tooling available to help you securely migrate workloads off PSPs. Reach out with any questions regarding the Pod Security Policies to Pod Security Standards migration.

  • Highlights for the week ending September 14 2023

    Management API

    • We introduced the new custom resource RoleBindingTemplate to all management clusters. It allows dynamic creation and deletion of RoleBindings across organizations. Read the docs for more information.

    App

    • kyverno-policies-ux version v0.6.0 introduces a new mechanism that prevents the accidental deletion of resources with the giantswarm.io/prevent-deletion label. Read the docs for more information.
  • Highlights for the week ending August 31 2023

    aws-load-balancer

• aws-load-balancer-controller-app version v1.3.4 migrates from monitoring labels to ServiceMonitor and introduces a new Pod Security Policy for Cluster API support (versions older than Kubernetes 1.25).

    external-dns

• external-dns version v2.39.0 replaces monitoring labels with a ServiceMonitor CR, adds minAllowed in the VPA to avoid OOMs, and increases memory limits.

    kyverno

• kyverno-app version v0.15.1 (and v0.15.0) updates to the highly anticipated Kyverno version 1.10.2. This release brings major architectural changes to the Kyverno controllers as well as breaking changes to the upstream Helm chart. During the upgrade to 0.15.0 or 0.15.1, existing Kyverno deployments will be briefly scaled to 0 and replaced with the new version. Important: the Helm schema has changed to reflect the new deployment structure, so if you are overriding Helm values, review the release notes and upgrade guide to ensure any relevant configuration will still apply to the new controllers. These changes include significant stability and performance improvements and VPA support for more Kyverno components.

    linkerd

For more information about the Linkerd v2.13.6 changes, please take a look at the official release notes.

    ingress-nginx

    • We spent the last months reworking our ingress-nginx-app by aligning it to the upstream ingress-nginx project. This is necessary to be future-proof, feature compliant, and offer the best ingress experience possible. Therefore we want to announce the first public stable release of our new ingress-nginx chart. This release includes breaking changes if you are currently using v2.x.x. We set up a migration guide to make the upgrade as smooth as possible. Notable changes requiring your attention and/or manual intervention, like renaming, deprecating or removing values, have been highlighted below. Even though we highly recommend upgrading to this and future releases, v2.x.x will continue receiving bug fixes as long as possible.

    All feedback regarding this release, its changes, or our migration guide is very welcome!

This part of our documentation refers to our vintage product. The content may be not valid anymore for our current product. Please check our new documentation hub for the latest state of our docs.