1. Docs
  2. Changes and releases

Changes and Releases

Updates on Giant Swarm workload cluster releases, apps, UI improvements and documentation changes.

  • Security athena v1.12.4

    Added

    • Made GraphQL introspection configurable and disabled by default

    Changed

    • Change ImagePullPolicy from Always to IfNotPresent to reduce image network traffic.
  • Managed Apps grafana-app v2.14.0

    Changed

    • upgrade grafana chart: 8.3.4 => 8.4.4
    • upgrade grafana : 11.1.0 => 11.1.3
  • Observability grafana-app v2.14.0

    Changed

    • upgrade grafana chart: 8.3.4 => 8.4.4
    • upgrade grafana : 11.1.0 => 11.1.3
  • CAPZ releases releases azure-29.0.0

    Changes compared to v28.0.0

    Components

    • Kubernetes from v1.28.12 to v1.29.7

    Apps

    • azure-cloud-controller-manager from v1.28.10-gs1 to v1.29.8-gs1
    • azure-cloud-node-manager from v1.28.10-gs1 to v1.29.8-gs1

    azure-cloud-controller-manager v1.28.10-gs1…v1.29.8-gs1

    Changed

    • Chart: Update to upstream v1.29.8. (#83)

    azure-cloud-node-manager v1.28.10-gs1…v1.29.8-gs1

    Changed

    • Chart: Update to upstream v1.29.8. (#72)
  • Fleet Management organization-operator v2.0.1

    Changed

    • Workflows update with devctl
    • Implemented fixes on organization/namespace deletion
  • Security organization-operator v2.0.1

    Changed

    • Workflows update with devctl
    • Implemented fixes on organization/namespace deletion
  • Managed Apps falco-app v0.9.0

    Added

    • Add custom rule to detect access to root CA key file in control plane nodes
    • Added the falco-k8s-metacollector.
    • Added team label to the daemonset.

    Changed

    • Remove API check on PolicyException.
    • Updated Falco chart version from 3.8.1 to 4.6.1.
    • Updated Falco-exporter chart version from 0.9.9 to 0.11.0
    • Updated Falcosidekick chart version from 0.7.5 to 0.8.2
    • Updated Falco to upstream version 0.38.1.
    • Edited Kyverno Policy Exceptions to allow falco-k8s-metacollector.
    • Edited the Falco Cilium Network Policy to allow traffing from the falco-k8s-metacollector.
  • Security falco-app v0.9.0

    Added

    • Add custom rule to detect access to root CA key file in control plane nodes
    • Added the falco-k8s-metacollector.
    • Added team label to the daemonset.

    Changed

    • Remove API check on PolicyException.
    • Updated Falco chart version from 3.8.1 to 4.6.1.
    • Updated Falco-exporter chart version from 0.9.9 to 0.11.0
    • Updated Falcosidekick chart version from 0.7.5 to 0.8.2
    • Updated Falco to upstream version 0.38.1.
    • Edited Kyverno Policy Exceptions to allow falco-k8s-metacollector.
    • Edited the Falco Cilium Network Policy to allow traffing from the falco-k8s-metacollector.
  • CAPZ releases releases azure-28.0.0

    Changes compared to v27.0.0

    Components

    • Kubernetes from v1.27.16 to v1.28.12

    Apps

    • azure-cloud-controller-manager from v1.27.18-gs1 to v1.28.10-gs1
    • azure-cloud-node-manager from v1.27.18-gs1 to v1.28.10-gs1

    azure-cloud-controller-manager v1.27.18-gs1…v1.28.10-gs1

    Changed

    • Chart: Update to upstream v1.28.10. (#82)

    azure-cloud-node-manager v1.27.18-gs1…v1.28.10-gs1

    Changed

    • Chart: Update to upstream v1.28.10. (#71)
  • CAPZ releases releases azure-27.0.0

    Changes compared to v26.0.0

    Components

    • cluster-azure from v0.18.0 to v1.0.0
    • Flatcar from v3815.2.4 to v3815.2.5
    • Kubernetes from v1.26.15 to v1.27.16

    cluster-azure v0.18.0…v1.0.0

    Changed

    • Chart: Update cluster to v1.1.0. (#325)
      • Machine Template: Adapt new image format.
      • Apps: Enable observability-policies.

    Apps

    • azure-cloud-controller-manager from v1.26.22-gs2 to v1.27.18-gs1
    • azure-cloud-node-manager from v1.26.22-gs2 to v1.27.18-gs1
    • cert-exporter from v2.9.0 to v2.9.1
    • cert-manager from v3.7.6 to v3.8.1
    • k8s-audit-metrics from v0.9.0 to v0.10.0
    • k8s-dns-node-cache from v2.6.2 to v2.8.1
    • net-exporter from v1.19.0 to v1.21.0
    • observability-bundle from v1.3.4 to v1.5.3
    • observability-policies v0.0.1
    • security-bundle from v1.7.1 to v1.8.0
    • teleport-kube-agent from v0.9.0 to v0.9.2
    • vertical-pod-autoscaler from v5.2.2 to v5.2.4

    azure-cloud-controller-manager v1.26.22-gs2…v1.27.18-gs1

    Changed

    • Chart: Update to upstream v1.27.18. (#81)

    azure-cloud-node-manager v1.26.22-gs2…v1.27.18-gs1

    Changed

    • Chart: Update to upstream v1.27.18. (#70)

    cert-exporter v2.9.0…v2.9.1

    Changed

    • Chart: Update PolicyExceptions to v2beta1. (#358)

    cert-manager v3.7.6…v3.8.1

    Added

    • Improves container security by setting runAsGroup and runAsUser greater than zero for all deployments.

    Changed

    • Bump architect-orb@5.3.1 to fix CVE-2024-24790.
    • Improves cainjector’s Vertical Pod Autoscaler
    • Remove quotes from acme-http01-solver-image argument. The quotes are used when looking up the image which causes an error.
    • Changed the way registry is being parsed in helm templates
    • Enable VPA by default

    k8s-audit-metrics v0.9.0…v0.10.0

    Changed

    • Add securityContext.readOnlyRootFilesystem helm value (default true).

    k8s-dns-node-cache v2.6.2…v2.8.1

    Changed

    • Make the app visible for all providers.
    • Reduce security exceptions #89.
      • Enable readOnly FS moving config to emptyDir volume.
      • Remove NET_ADMIN and drop ALL capabilities.
      • Add NET_BIND_SERVICE capability.
      • Add policy exception for require-non-root-groups/autogen-check-runasgroup.
      • Remove disallow-capabilities-* policy exceptions.
    • Update PolicyException CR version to v2beta1.

    net-exporter v1.19.0…v1.21.0

    Changed

    • Enable readOnlyRootFilesystem in securityContext (#376)[https://github.com/giantswarm/net-exporter/pull/376].
    • Update module google.golang.org/grpc to v1.65.0 (#373).
    • Update k8s modules to v0.30.2 (#375).
    • Update quay.io/giantswarm/alpine Docker tag to v3.20.1 (#372).
    • Add node and app labels in ServiceMonitor.

    observability-bundle v1.3.4…v1.5.3

    Added

    • Add alloy v0.3.0 as alloy-logs

    Changed

    • Rename alloy-logs app to camel case alloyLogs.
    • Fix CNP issues (allow traffic from pods in kube-system to nginx-ingress-controller)
      • Upgrade grafana-agent to 0.4.5.
      • Upgrade alloy to 0.3.1.
      • Upgrade promtail to 1.5.4.
    • Upgrade prometheus-operator-crd to 11.0.1.
    • prometheus-operator will not check promql syntax for prometheusRules that are labelled application.giantswarm.io/prometheus-rule-kind: loki
    • Upgrade kube-prometheus-stack to 11.0.0 and prometheus-operator-crd to 11.0.0. This upgrade mainly consists in:
      • kube-prometheus-stack dependency chart upgraded from 56.21.2 to 61.0.0
      • prometheus upgrade from 2.50.1 to 2.53.0
      • thanos ruler upgrade from 0.34.1 to 0.35.1
      • kube-state-metrics from 2.10.0 to 2.12.0
      • prometheus-operator from 0.71.2 0.75.0 - adding remoteWrite.proxyFromEnvironment and Scrape Class support
      • prometheus-node-exporter upgraded from 1.8.0 to 1.8.1
    • Upgrade grafana-agent from 0.4.3 to 0.4.4
      • This version enables the override the grafana agent CiliumNetworkPolicy egress and ingress sections.

    observability-policies v0.0.1

    Added

    • Add a ClusterPolicy to prevent prometheus-operator CRDs deletion.
    • Create observability-policies app to deploy Kyverno Observability Policies into clusters.

    security-bundle v1.7.1…v1.8.0

    Added

    • Add kyverno-crds app to handle Kyverno CRD install.

    Changed

    • Update kyverno (app) to v0.17.15. This version disables the CRD install job in favor of kyverno-crds App.

    teleport-kube-agent v0.9.0…v0.9.2

    Changed

    • Introduced podAntiAffinity so teleport-kube-agent pods run on different control-plane nodes also increased the number of replicas to 3 to maintain better high availability.
    • Changed the way registry is being parsed in helm templates

    vertical-pod-autoscaler v5.2.2…v5.2.4

    Changed

    • Chart: Update Helm release vertical-pod-autoscaler to v9.8.3. (#301)
    • Chart: Change restartPolicy to OnFailure for the CRD job. (#298)