Changes and Releases

Updates on Giant Swarm workload cluster releases, apps, UI improvements and documentation changes.

• Jul 30, 2024 Managed Apps athena v1.12.3

  Changed

  • Bump architect-orb@5.3.1 to fix CVE-2024-24790.
• Jul 30, 2024 Security athena v1.12.3

  Changed

  • Bump architect-orb@5.3.1 to fix CVE-2024-24790.
• Jul 30, 2024 Fleet Management organization-operator v1.6.4

  Changed

  • Bump architect-orb@5.3.1 to fix CVE-2024-24790.
• Jul 30, 2024 Security organization-operator v1.6.4

  Changed

  • Bump architect-orb@5.3.1 to fix CVE-2024-24790.
• Jul 30, 2024 CAPA releases releases aws-25.2.0

  This release updates cluster-aws Helm chart, which brings improvements for container registry usage.

  Change details compared to CAPA 25.1.0

  cluster-aws 1.3.0

  Changed

  • All workload clusters will by default use Zot registry as a pull-through cache of Azure Container Registry.
• Jul 30, 2024 CAPA releases releases aws-26.1.0

  This release updates the apps and components, keeping them up to date with the latest v25 release. It also brings improvements for the container registry usage.

  Change details compared to CAPA 26.0.0

  cluster-aws 1.3.0

  Changed

  • All workload clusters will by default use Zot registry as a pull-through cache of Azure Container Registry.

  cert-manager 3.7.9

  Fix

  • Remove quotes from acme-http01-solver-image argument. The quotes are used when looking up the image which causes an error.

  Update

  • Improves container security by setting runAsGroup and runAsUser greater than zero for all deployments.

  containerlinux 3815.2.5

  Changes since Stable 3815.2.4

  Security fixes:

  • openssh (CVE-2024-6387)

  Updates:

  • Linux (6.1.96)
  • openssh (9.7_p1)

  cilium 0.25.1

  Changed

  • Fix regression setting Policy BPF Max map policyMapMax back to 65536 from 16384.
  • Upgrade cilium to v1.15.6.
• Jul 29, 2024 Connectivity ingress-nginx-app v3.9.1

  Added

  • Chart: Sync to upstream. (#687)
    • Chart: Explicitly set runAsGroup.
• Jul 29, 2024 Managed Apps ingress-nginx-app v3.9.1

  Added

  • Chart: Sync to upstream. (#687)
    • Chart: Explicitly set runAsGroup.
• Jul 25, 2024 Highlights

  Highlights for the week ending 2024-07-25

  Observability

  • alloy-app version 0.3.0 introduces the following changes: - Add kyverno policy exception for run as non root - Upgrade alloy upstream chart from 0.4.0 to 0.5.1 - This bumps the version of alloy from 1.2.0 to 1.2.1
  • logging-operator version 0.7.0 adds support for Alloy as logging agent. It adds --logging-agent flag too, to toggle between Promtail and Alloy.
  • loki-app version 0.21.0 upgrades upstream chart from 6.6.4 to 6.7.1 - see changelog for more information. The loki version goes from 3.0.0 to 3.1.0.
  • object-storage-operator version 0.8.0 introduces the following changes: - ReclaimPolicy added in the Bucket CR to manage the data clean up (retain or delete). - Add a finalizer on the Azure secret to prevent its deletion. - Empty all the objects in the S3 bucket in case of bucket deletion.
  • observability-bundle version 1.5.1 upgrades prometheus-operator-crd to 11.0.1. In addition version 1.5.0 introduces the following changes: - Add alloy v0.3.0 as alloy-logs - prometheus-operator will not check promql syntax for prometheusRules that are labelled application.giantswarm.io/prometheus-rule-kind: loki
  • observability-operator version 0.3.0 deletes monitoring resources if monitoring is disabled at the installation or cluster level using the giantswarm.io/monitoring label.
  • prometheus-operator-crd version 11.0.1 adds helm.sh/resource-policy: keep annotation to all CRDs to avoid deletion during Helm operations.
  • prometheus-rules version 4.8.0 moves alloy to monitoring namespace. The version 4.7.0 introduces the following changes: - Support for loki rules to management clusters in alloy config - grafana datasource for MC loki ruler - Make dns-operator-azure capz only. - Fix PromtailDown alert to fire only when the node is ready.
  • kube-downscaler-app version 0.3.0 pushes kube-downscaler app to all collections, and version 0.2.0 adds enabled field in values to disable whole chart if needed.

  Authentication and Authorization

  • dex-app version 1.42.11 brings the following changes: - Default ingress.tls.clusterIssuer values to letsencrypt-giantswarm - Update cert-manager.io/cluster-issuer annotation to use default.
  • teleport-kube-agent-app version 0.9.2 introduces podAntiAffinity so teleport-kube-agent pods run on different control-plane nodes also increases the number of replicas to 3 to maintain better high availability.

  Connectivity

  • k8s-dns-node-cache-app version v2.8.1 fixes an issue with app-exporter metrics that were happening on Cluster API installation by removing provider specific restrictions. Now the all app-exporter metrics are available on all providers.

  Security

  • kyverno-policies-connectivity version 0.6.0 introduces the following changes: - Update kubectl container image to version v1.26.0 for WorkloadCluster Ip Job - Increase pod and container SecurityContext settings for WorkloadCluster Ip Job - Execute kubectl apply with --server-side=true --field-manager='kubectl-client-side-apply' --force-conflicts flags in WorkloadCluster Ip Job - Remove unused tests under helm directory.
  • security-bundle version 1.8.0 introduces the following changes: - Add kyverno-crds app to handle Kyverno CRD install. - Update kyverno (app) to v0.17.15. This version disables the CRD install job in favor of kyverno-crds App.
  • kyverno-app version 0.17.15 brings the following changes: - Set VPA max 6 CPU / 24Gi memory and adjust default requests/limits for reports-controller. - Set VPA max 4 CPU / 8Gi memory and adjust default requests/limits for background-controller. - Set starting CPU limit of request+25% for cleanup-controller. - Disable Kyverno CRDs install Job in favor of kyverno-crds App.
  • kyverno-crds version 1.11.1 removes unpopulated labels and fixes the team label.

  Cluster management

  • aws-cloud-controller-manager-app version 1.29.3-gs1 updates component to upstream version v1.29.3.

  • cluster-api-provider-azure-app version 1.12.4-gs2 removes kube-rbac-proxy from azure-service-operator. Additionally, the image of azure-service-operator is now fetched from gsoci.azurecr.io.

  • cluster-azure version 0.16.1 introduces an improvement respecting global.apps.externalDnsPrivate to overwrite configuration of external-dns-private app.

  • cloud-provider-cloud-director-app version 0.3.0 rollbacks CPI from 1.6.0 to 1.5.0 due to IP Spaces incompatibility.

  • cluster-cloud-director version:

    • 0.56.1
      • Rollback CPI from 1.6.0 to 1.5.0 due to VCD version incompatibility.
    • 0.56.0
      • Bump Kubernetes to 1.27.14.
    • 0.55.0
      • Bump Kubernetes to 1.26.14.

  • cluster-vsphere version 0.56.1 unpauses Cluster resource as part of cleanup hook after deletion in order to prevent leftover resources.

  • default-apps-cloud-director version 0.9.0 introduces the following changes: - Update cert-exporter to v2.9.1. - Update cert-manager-app to v3.8.0. - Update k8s-dns-node-cache-app to v2.8.1. - Update net-exporter to v1.21.0 - Update observability-bundle to v1.4.0. - Update security-bundle to v1.7.1. - Update teleport-kube-agent-app to v0.9.2. - Update vertical-pod-autoscaler-app to v5.2.4.

  • azure-private-endpoint-operator version 0.2.3

  • cluster version 0.36.0 removes the CronJobTimeZone feature gate as it becomes stable and is included in Kubernetes v1.29.

  • cluster-autoscaler-app version [1.29.3-gs1](https://github.com/giantswarm/cluster-autoscaler- app/compare/v1.28.5-gs1…v1.29.3-gs1) updates the upstream app version to v1.29.3.

  Docs

  • Learn how to configure your cluster to add new metrics and use Grafana mimir to control your workloads.
• Jul 25, 2024 Observability mimir-app v0.11.0

  Added

  • Add vpa resource template for the ingester.

  Changed

  • Bump mimir version from datasource.

• Newer entries
• Older entries