OSC Release v1.0.4
OSC Release v1.0.4 is a comprehensive update across all OSC Gardener components, featuring Gardener v1.132.5 compatibility updates, GPU operator enhancements, OIDC central configuration support, and various infrastructure improvements. The most significant change is the switch from the ingress-nginx controller to a Gateway API implementation using the Envoy controller. Additionally, support for Kubernetes 1.34 has been added for Shoot Cluster.
Key features and improvements
- Gardener Upgrade: Upgraded to the upstream Gardener release v1.132.5.
- Bug Fixes and Stability Improvements: Upgraded various components and resolved several high-severity CVEs.
- Automated System for Placing Customer CA in the Keycloak Truststore: In version 1.0.3, a feature was introduced to add custom Certificate Authorities (CAs) to the Keycloak truststore. In 1.0.4, this feature can now be used via self-service.
- Support for Kubernetes 1.34: Full compatibility with Kubernetes version 1.34 has been introduced.
- Introduction of Gateway API as a Successor to Ingress-NGINX Controller: In response to the deprecation of the ingress-nginx controller, we have transitioned to the Gateway API solution using the Envoy controller for management clusters. This change will also affect OSC Dashboard and Keycloak.
- New Limits for Shoot API Server Usage: Starting with version 1.0.4, we are introducing a mechanism to limit the size of API requests and the number of mutating requests. Non-mutating requests for Shoot Cluster will also be subject to limits. The specific limits will be documented separately.
- Gardener deny network policies: Security hardening introduced by the upstream Gardener for Shoot Cluster in versions 1.33.x and 1.34.x ensures that communication to and from the kube-system namespace is denied by default via network policies unless specifically allowed. This hardening is already included in the patch for release 1.0.3-7, which supports the use of newer Shoot Cluster versions (1.33.x). Starting from release 1.0.4, such network policies will be enforced for all Shoot Clusters using version 1.33.x and higher.
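The default-deny behaviour described in the last item means that any workload a team runs in kube-system, or any traffic to it, needs an explicit allow. The following manifests are an added example and are not taken from these release notes or from Gardener's own manifests: the first policy models the default-deny generically, the second is the kind of narrowly scoped allow a team adds for one workload. The policy names, the `app: example-exporter` label, the `monitoring` namespace and port 9100 are constructed placeholders.

```yaml
# Added example, not Gardener's own policy objects.
# Generic default-deny for every pod in kube-system, modelled on the
# behaviour the release note describes.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example-deny-all          # constructed name
  namespace: kube-system
spec:
  podSelector: {}                 # selects every pod in the namespace
  policyTypes: [Ingress, Egress]
  # No ingress or egress rules: nothing is allowed unless another
  # NetworkPolicy in this namespace explicitly allows it.
---
# Explicit allow: only the exporter pods, only from the monitoring
# namespace, only on the scrape port. Everything else stays denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: example-allow-monitoring-scrape   # constructed name
  namespace: kube-system
spec:
  podSelector:
    matchLabels:
      app: example-exporter       # assumed label on the workload being opened up
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # kubernetes.io/metadata.name is set automatically on every namespace
              kubernetes.io/metadata.name: monitoring   # assumed namespace
      ports:
        - protocol: TCP
          port: 9100              # assumed scrape port
```

NetworkPolicies are additive, so the allow policy widens the deny-all only for the selected pods and direction; the exporter's own egress remains denied until a separate Egress rule permits it. Before upgrading, listing the policies in kube-system with `kubectl get networkpolicy -n kube-system` and checking which pods in that namespace are selected by none of the allow rules is a quick way to find traffic that the hardening will cut off.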
Required customer actions before upgrade
- Upgrade all Kubernetes clusters to version 1.31 or higher and Garden Linux images to 2150.4.0
OSC Dashboard v2.7.3
- Add group assignment support for project members - groups can now be added, edited, and removed from projects through the members page
- Shoot Cluster Peering:
- Configure direct IP connectivity between Shoot Clusters.
- Accessible via the new Peering card on the Shoot Cluster detail page.
- Includes bidirectional status indicators, CIDR conflict warnings, and optional automatic reverse peering setup and cleanup.
- Large group memberships no longer cause authentication failures - the session token is split into chunks when it exceeds the browser cookie limit
- Toast notifications for warnings and errors are now persistent and logged to the browser console for easier troubleshooting
- Modal dialogs now require explicit closure via their corresponding button
- Improved German and French localization
- Maintenance auto-update is unchecked by default when creating a new Shoot Cluster
Upgrade table of upstream components
| Component | Current version PaaS | Previous version | CVE fixed |
|---|---|---|---|
| goLang | 1.26.x | 1.25.x | |
| cilium | 1.18.8 | 1.17.9 | CVE-2025-22874 |
| ingress-nginx | - | 1.13.7 | |
| cert-manager | v1.19.4 | 1.18.5 | CVE-2026-24051, CVE-2025-68121, CVE-2025-61725 |
| external-dns | v0.13.2 | v0.20.0 | |
| Gateway API CRD | v1.4 | - | |
| Envoy gateway controller | 1.6.3 | - | |
| Envoy proxy | distroless-v1.36.4 | - | |
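The switch from ingress-nginx to Gateway API announced under the key features, together with the Gateway API CRD and Envoy gateway controller versions in the table above, changes how a route is expressed. The manifests below are an added example, not objects shipped by OSC, Gardener or Envoy Gateway: a legacy Ingress is shown next to the GatewayClass, Gateway and HTTPRoute that express the same route under Gateway API v1. The namespace, hostname, service name, TLS secret and cert-manager issuer are constructed placeholders; the `controllerName` is the value Envoy Gateway's documentation uses for its controller.

```yaml
# Added example: the same HTTPS route before (Ingress) and after (Gateway API).
# All names, hostnames and the issuer are constructed placeholders.
---
# Before: ingress-nginx style Ingress. Routing and TLS live in one object
# owned by the application team.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard-example
  namespace: example-ns
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: example-issuer   # assumed issuer name
spec:
  tls:
    - hosts: [dashboard.example.invalid]
      secretName: dashboard-example-tls
  rules:
    - host: dashboard.example.invalid
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: dashboard
                port:
                  number: 8080
---
# After, step 1: a GatewayClass bound to the Envoy Gateway controller.
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: envoy
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
---
# After, step 2: the Gateway owns the listener and the TLS termination.
# allowedRoutes limits which namespaces may attach routes to it, which is
# the control ingress-nginx did not give you per listener.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-gateway
  namespace: example-ns
  annotations:
    # requires cert-manager's Gateway API support, which the 1.0.4-2 patch
    # note says can be switched on in the cert-manager extension
    cert-manager.io/cluster-issuer: example-issuer   # assumed issuer name
spec:
  gatewayClassName: envoy
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: dashboard.example.invalid
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: dashboard-example-tls
      allowedRoutes:
        namespaces:
          from: Same        # only HTTPRoutes in example-ns may attach
---
# After, step 3: the application team's HTTPRoute carries only routing.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: dashboard-example
  namespace: example-ns
spec:
  parentRefs:
    - name: example-gateway
  hostnames: [dashboard.example.invalid]
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: dashboard
          port: 8080
```

The practical difference is role separation: the Gateway (listener, certificate, which namespaces may attach) is a platform object, while the HTTPRoute is an application object that cannot widen the listener or reach a backend in another namespace without a ReferenceGrant. After applying, `kubectl get gateway,httproute -n example-ns` should show the Gateway as Programmed and the route as Accepted; an HTTPRoute whose parentRef is rejected is the first thing to check when a migrated route does not answer.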
Patch release notes
The changes for every patch release of v1.0.4 are noted here.
Patch release 1.0.4-1
- Enabled the quota feature by default for the OSC Dashboard (without quota set for now)
- Upgraded csi-driver, gardener-extension-provider-onmetal, cloud-provider-onmetal
- Fixed a race condition during CoreDNS deployment
- Fixed a bug where httpRoute was not created for vali
- Updated the OSC Dashboard to version 2.7.3
- Added support for wildcard customer DNS
Patch release 1.0.4-2
- osc-dashboard updated to v2.7.4 - fixed a bug with disabling the customer-dns feature
- Bumped the dns-controller-manager and customer-dns components to introduce wildcard DNS entry support for the customer-dns feature
- Add possibility to turn on or turn off support for gateway API in cert-manager extension
- Fixed bug in s3 extension where added labels to identify