v0.9.5-3
Rollout
PaaS Patch Release v0.9.5-3
This patch release improves stability and security by fixing vulnerabilities present in the parent release. It also improves observability by providing a better error-handling mechanism.
Key Features and Improvements
- Ingress-nginx controller upgrade: The upgrade is needed to fix the vulnerabilities CVE-2023-23914 and CVE-2023-38545. This controller version is also tested on Kubernetes 1.28.
- Support for newest Kubernetes minor versions: Adds support for additional minor versions of Kubernetes: 1.28.14 and 1.27.16.
- Improvements in cgroup exporter: The error handling has been improved and logging pressure has been reduced. A fix has been implemented for pathfinding in the cgroup directory. A nodeSelector has been introduced to ensure deployment only for shoots with SGX memory.
- Improvements in the Node Feature Discovery extension: Pass through Helm values to installed charts.
- New Garden Linux 1605.0.5: The kernel is updated to 6.6.51, the Garden Linux packages are updated to revision 1605, vim-tiny is replaced by vim (full version), and the iftop utility is added for quick network diagnostics.
Important Notes
Node Feature Discovery
With the new patch release, the Node Feature Discovery (NFD) extension now provides the ability to modify Helm chart values. Here is an example of a Shoot YAML manifest:
kind: Shoot
apiVersion: core.gardener.cloud/v1beta1
metadata:
  name: ...
  namespace: ...
spec:
  extensions:
    - type: osc-nfd-shoot-service
      providerConfig:
        apiVersion: nfd.osc.extensions.config.gardener.cloud/v1alpha1
        kind: Configuration
        cgroups-prometheus-exporter:
          enabled: false
          values: |
            image:
              repository: mtr.devops.telekom.de/osc/common/monitoring/cgroups-prometheus-exporter
              tag: v0.2.0
              pullPolicy: Always
            prometheus:
              enablePrometheusRule: false
              enableServiceMonitor: false
        node-feature-rule:
          enabled: true
        node-feature-discovery:
          values: |
            image:
              repository: mtr.devops.telekom.de/osc/gardener/node-feature-discovery
              pullPolicy: IfNotPresent
              tag: v0.13.4-minimal
          enabled: true
      disabled: false
  ...
The cgroups-prometheus-exporter is part of the NFD extension. After the new patch release is applied, there is a known incompatibility with the previous version. This issue does not prevent reconciliation of the shoot; it only affects the NFD extension.
To resolve this situation, it is recommended to disable and then enable the NFD extension in the Shoot YAML manifest.
To disable the osc-nfd-shoot-service:
kind: Shoot
apiVersion: core.gardener.cloud/v1beta1
metadata:
  name: ...
  namespace: ...
spec:
  ...
  extensions:
    - type: osc-nfd-shoot-service
      disabled: true
  ...
To re-enable the osc-nfd-shoot-service:
kind: Shoot
apiVersion: core.gardener.cloud/v1beta1
metadata:
  name: ...
  namespace: ...
spec:
  ...
  extensions:
    - type: osc-nfd-shoot-service
      disabled: false
  ...
Garden Linux
It is recommended for customers to upgrade their Worker-Node images to Garden Linux 1510.1.