Workload Cluster Releases for CAPA

  • The most notable change in this release is the reduction of IAM permissions on the worker node instance profile, aimed at improving the general security of the clusters. Additional changes include reducing the size of the etcd volume to 50 GB as part of cost-saving initiatives, as well as improvements to the node-termination-handler application for smoother upgrades and operations. Several components, such as Flatcar and Kubernetes, have also been updated to the latest available versions.

    Changes compared to v29.5.0

    Components

    • cluster-aws from v2.5.0 to v2.6.0
    • Flatcar from v3975.2.2 to v4081.2.1
    • Kubernetes from v1.29.12 to v1.29.13

    cluster-aws v2.5.0…v2.6.0

    Changed

    • Chart: Reduce default etcd volume size to 50 GB.
    • Explicitly set Ignition user data storage type to S3 bucket objects for machine pools
    • Use reduced IAM permissions on the worker node instance profile. This can be toggled back via global.providerSpecific.reducedInstanceProfileIamPermissionsForWorkers.

    Fixed

    • Explicitly set aws-node-termination-handler queue region so crash-loops are avoided, allowing faster startup

    Apps

    • aws-nth-bundle from v1.2.0 to v1.2.1
    • aws-pod-identity-webhook from v1.17.0 to v1.18.0
    • cilium from v0.25.1 to v0.25.2
    • prometheus-blackbox-exporter from v0.4.2 to v0.5.0
    • security-bundle from v1.8.2 to v1.9.1
    • vertical-pod-autoscaler from v5.3.0 to v5.3.1
    • vertical-pod-autoscaler-crd from v3.1.1 to v3.1.2

    aws-nth-bundle v1.2.0…v1.2.1

    Added

    • Forward proxy settings to aws-node-termination-handler-app as environment variables

    aws-pod-identity-webhook v1.17.0…v1.18.0

    Changed

    • Update securityContext to be compliant.

    cilium v0.25.1…v0.25.2

    Changed

    prometheus-blackbox-exporter v0.4.2…v0.5.0

    Changed

    • Harden security context to pass PSS compliance.

    Removed

    • Remove PSP resources.

    security-bundle v1.8.2…v1.9.1

    Breaking changes

    Note: When upgrading to this security-bundle version with Falco enabled, the Falco App will fail to upgrade due to a breaking change in the upstream chart. To finish the upgrade, disable and then re-enable the Falco App by setting apps.falco.enabled to false and then back to true in the security-bundle user values ConfigMap.

    Changed

    • Update trivy-operator (app) to v0.10.3.
    • Update trivy (app) to v0.13.1.
    • Update kyverno (app) to v0.18.1.
    • Update kyverno-crds (app) to v1.12.0.
    • Update kyverno-policies (app) to v0.21.0.
    • Update starboard-exporter (app) to v0.8.0.
    • Update falco (app) to v0.9.1.

    vertical-pod-autoscaler v5.3.0…v5.3.1

    Changed

    • Chart: Update Helm release vertical-pod-autoscaler to v9.9.1. (#333)

    vertical-pod-autoscaler-crd v3.1.1…v3.1.2

    Changed

    • Chart: Sync to upstream. (#124)
  • This release introduces aws-node-termination-handler for graceful draining of nodes during an upgrade or other types of worker node replacement.

    Details can be found in the node pools documentation.

    Changes compared to v25.1.2

    Components

    • cluster-aws from v1.1.3 to v1.1.5

    cluster-aws v1.1.3…v1.1.5

    Added

    • Make ASG lifecycle hook heartbeat timeout configurable
    • Add aws-node-termination-handler bundle

    Apps

    • aws-nth-bundle v1.2.0
    • cert-exporter from v2.9.0 to v2.9.3

    aws-nth-bundle v1.2.0

    Added

    • Send spot instance interruption and instance state change events to an SQS queue so that aws-node-termination-handler can react to them

    cert-exporter v2.9.0…v2.9.3

    Added

    • Chart: Add VPA and resources configuration for deployment and daemonset. (#382)

    Changed

    • Chart: Enable global.podSecurityStandards.enforced. (#420)
    • Chart: Update PolicyExceptions to v2beta1. (#358)
  • This release introduces aws-node-termination-handler for graceful draining of nodes during an upgrade or other types of worker node replacement.

    Details can be found in the node pools documentation.

    Changes compared to v25.3.0

    Components

    • cluster-aws from v1.3.4 to v1.3.5

    cluster-aws v1.3.4…v1.3.5

    Added

    • Values: Add global.providerSpecific.controlPlaneAmi & global.providerSpecific.nodePoolAmi.
    • Add aws-node-termination-handler bundle
    • Make ASG lifecycle hook heartbeat timeout configurable

    Apps

    • aws-nth-bundle v1.2.0
    • cert-exporter from v2.9.0 to v2.9.3

    aws-nth-bundle v1.2.0

    Added

    • Send spot instance interruption and instance state change events to an SQS queue so that aws-node-termination-handler can react to them

    cert-exporter v2.9.0…v2.9.3

    Added

    • Chart: Add VPA and resources configuration for deployment and daemonset. (#382)

    Changed

    • Chart: Enable global.podSecurityStandards.enforced. (#420)
    • Chart: Update PolicyExceptions to v2beta1. (#358)
  • This release introduces aws-node-termination-handler for graceful draining of nodes during an upgrade or other types of worker node replacement.

    Details can be found in the node pools documentation.

    Changes compared to v26.2.0

    Components

    • cluster-aws from v1.3.4 to v1.3.5

    cluster-aws v1.3.4…v1.3.5

    Added

    • Values: Add global.providerSpecific.controlPlaneAmi & global.providerSpecific.nodePoolAmi.
    • Add aws-node-termination-handler bundle
    • Make ASG lifecycle hook heartbeat timeout configurable

    Apps

    • aws-nth-bundle v1.2.0
    • cert-exporter from v2.9.0 to v2.9.3

    aws-nth-bundle v1.2.0

    Added

    • Send spot instance interruption and instance state change events to an SQS queue so that aws-node-termination-handler can react to them

    cert-exporter v2.9.0…v2.9.3

    Added

    • Chart: Add VPA and resources configuration for deployment and daemonset. (#382)

    Changed

    • Chart: Enable global.podSecurityStandards.enforced. (#420)
    • Chart: Update PolicyExceptions to v2beta1. (#358)
  • This release introduces aws-node-termination-handler for graceful draining of nodes during an upgrade or other types of worker node replacement.

    Details can be found in the node pools documentation.

    Changes compared to v27.3.0

    Components

    • cluster-aws from v1.3.4 to v1.3.5

    cluster-aws v1.3.4…v1.3.5

    Added

    • Values: Add global.providerSpecific.controlPlaneAmi & global.providerSpecific.nodePoolAmi.
    • Add aws-node-termination-handler bundle
    • Make ASG lifecycle hook heartbeat timeout configurable

    Apps

    • aws-nth-bundle v1.2.0
    • cert-exporter from v2.9.0 to v2.9.3

    aws-nth-bundle v1.2.0

    Added

    • Send spot instance interruption and instance state change events to an SQS queue so that aws-node-termination-handler can react to them

    cert-exporter v2.9.0…v2.9.3

    Added

    • Chart: Add VPA and resources configuration for deployment and daemonset. (#382)

    Changed

    • Chart: Enable global.podSecurityStandards.enforced. (#420)
    • Chart: Update PolicyExceptions to v2beta1. (#358)
  • This release introduces aws-node-termination-handler for graceful draining of nodes during an upgrade or other types of worker node replacement.

    Details can be found in the node pools documentation.

    Changes compared to v28.3.0

    Components

    • cluster-aws from v1.3.4 to v1.3.5

    cluster-aws v1.3.4…v1.3.5

    Added

    • Values: Add global.providerSpecific.controlPlaneAmi & global.providerSpecific.nodePoolAmi.
    • Add aws-node-termination-handler bundle
    • Make ASG lifecycle hook heartbeat timeout configurable

    Apps

    • aws-nth-bundle v1.2.0
    • cert-exporter from v2.9.0 to v2.9.3

    aws-nth-bundle v1.2.0

    Added

    • Send spot instance interruption and instance state change events to an SQS queue so that aws-node-termination-handler can react to them

    cert-exporter v2.9.0…v2.9.3

    Added

    • Chart: Add VPA and resources configuration for deployment and daemonset. (#382)

    Changed

    • Chart: Enable global.podSecurityStandards.enforced. (#420)
    • Chart: Update PolicyExceptions to v2beta1. (#358)
  • Changes compared to v29.4.0

    Components

    • cluster-aws from v2.4.0 to v2.5.0
    • Kubernetes from v1.29.10 to v1.29.12

    cluster-aws v2.4.0…v2.5.0

    Added

    • Add aws-node-termination-handler bundle
    • Values: Add global.providerSpecific.controlPlaneAmi & global.providerSpecific.nodePoolAmi.
    • Make ASG lifecycle hook heartbeat timeout configurable

    Changed

    • Chart: Update cluster to v1.7.0.
      • Add teleport-init systemd unit to handle initial token setup before teleport service starts
      • Improve teleport service reliability by adding proper file and service dependencies and pre-start checks

    Apps

    • aws-nth-bundle v1.2.0
    • cert-manager from v3.8.1 to v3.8.2
    • coredns from v1.22.0 to v1.23.0
    • observability-bundle from v1.8.0 to v1.9.0

    aws-nth-bundle v1.2.0

    Added

    • Send spot instance interruption and instance state change events to an SQS queue so that aws-node-termination-handler can react to them

    cert-manager v3.8.1…v3.8.2

    Changed

    • Changed ownership to team Shield

    Removed

    • Remove the label giantswarm.io/monitoring_basic_sli, as this SLO-generation label is no longer used.

    coredns v1.22.0…v1.23.0

    Changed

    • Update coredns image to 1.11.4.
    • Explicitly expose liveness and readiness probe ports in deployments.

    Removed

    • Remove PodSecurityPolicy and associated Resources and values.

    observability-bundle v1.8.0…v1.9.0

    Added

    • Add alloy v0.7.0 as alloyEvents.

    Changed

    • Upgrade alloy-logs and alloy-metrics to chart 0.7.0.
      • Bumps alloy from 1.4.2 to 1.5.0
    • Upgrade kube-prometheus-stack from 65.1.1 to 66.2.1
      • prometheus-operator CRDs from 0.75.0 to 0.78.1
      • prometheus-operator from 0.77.1 to 0.78.1
      • prometheus from 2.54.1 to 2.55.1
      • kube-state-metrics from 2.13.0 to 2.14.0
      • grafana from 8.5.0 to 8.6.0
  • Changes compared to v29.3.0

    Components

    • cluster-aws from v2.2.0 to v2.4.0
    • Flatcar from v3975.2.1 to v3975.2.2
    • Kubernetes from v1.29.9 to v1.29.10

    cluster-aws v2.2.0…v2.4.0

    Added

    • Add global.providerSpecific.additionalNodeTags. Field used to specify tags applied to nodes only.
    • Expose the maxHealthyPercentage property to allow setting the maximum percentage of healthy machines in the Auto Scaling Group during upgrades.

    Changed

    • Only try to render subnet tags if they are defined by the user.

    Apps

    • cert-exporter from v2.9.2 to v2.9.3
    • observability-bundle from v1.6.2 to v1.8.0

    cert-exporter v2.9.2…v2.9.3

    Changed

    • Chart: Enable global.podSecurityStandards.enforced. (#420)

    observability-bundle v1.6.2…v1.8.0

    Changed

    • Upgrade prometheus-agent from v0.6.9 to v0.7.0.
      • Adds extraArgs so that features such as WAL truncation can be used
    • Upgrade kube-prometheus-stack from 61.0.0 to 65.1.1
      • prometheus-operator CRDs from 0.73.0 to 0.75.0
      • prometheus-operator from 0.75.0 to 0.77.1
      • prometheus upgraded from 2.53.0 to 2.54.1
      • grafana from 8.2.0 to 8.5.0
      • thanos ruler upgraded from 0.35.1 to 0.36.1
      • prometheus-node-exporter upgraded from 1.8.1 to 1.8.2
    • Add missing depends on annotation on alloy-metrics and alloy-logs to make sure they are deployed after the prometheus-operator-crds.
    • Upgrade alloyLogs to v0.6.1
      • Allow passing PodLogs via helm chart values
      • Upgrade to Alloy v1.4.2 which fixes a bug with component reload/evaluation and keeping Alloy up-to-date
      • Fixes an issue with CiliumNetworkPolicy preventing Alloy from running in clustering mode
  • This release allows node pools with different configurations, in order to support legacy cgroups v1.

    Changes compared to v25.1.1

    Components

    • cluster-aws from v1.1.2 to v1.1.3

    cluster-aws v1.1.2…v1.1.3

    Changed

    • Bump cluster chart to 0.35.3 so that node pools can be configured for cgroups v1.
  • This release allows node pools with different configurations, in order to support legacy cgroups v1.

    Changes compared to v25.2.1

    Components

    • cluster-aws from v1.3.2 to v1.3.4

    cluster-aws v1.3.2…v1.3.4

    Changed

    • Bump cluster chart to 1.0.3 so that node pools can be configured for cgroups v1.
    • Chart: Update cluster to v1.0.2.
      • Chart: Add OS tooling named template.

This part of our documentation refers to our vintage product. The content may no longer be valid for our current product. Please check our new documentation hub for the latest state of our docs.