Skip to content

v1.119.0
Compare
Choose a tag to compare
@gardener-robot-ci-1 gardener-robot-ci-1 released this 19 May 08:16
· 550 commits to master since this release
v1.119.0
69fc069

[gardener/gardener]

πŸ›‘οΈ Important Security Information

This release contains changes that address the following vulnerabilities:

CVE-2025-47284: Metadata injection for a project secret can lead to privilege escalation

A security vulnerability was discovered in the gardenlet component of Gardener. It could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed.

Affected Versions:

  • gardenlet < v1.116.4
  • gardenlet < v1.117.5
  • gardenlet < v1.118.2
  • gardenlet < v1.119.0

Fixed Versions:

  • gardenlet >= v1.116.4
  • gardenlet >= v1.117.5
  • gardenlet >= v1.118.2
  • gardenlet >= v1.119.0

CVSS Rating: Critical (9.9) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:U/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:L/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:H

CVE-2025-47283: Bypassing project secret validation can lead to privilege escalation

A security vulnerability was discovered in Gardener that could allow a user with administrative privileges for a Gardener project to obtain control over the seed cluster(s) where their shoot clusters are managed.

Affected Versions:

  • Gardener < v1.116.4
  • Gardener < v1.117.5
  • Gardener < v1.118.2
  • Gardener < v1.119.0

Fixed Versions:

  • Gardener >= v1.116.4
  • Gardener >= v1.117.5
  • Gardener >= v1.118.2
  • Gardener >= v1.119.0

CVSS Rating: Critical (9.9) CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/MA:H

⚠️ Breaking Changes

  • [OPERATOR] The already deprecated autoscaling.k8s.io/v1beta2 API version is no longer served. Before upgrading to this version of Gardener, make sure that all components use the autoscaling.k8s.io/v1 API version for managing VerticalPodAutoscaler resources. by @ialidzhikov [#11840]
  • [OPERATOR] The support for the already deprecated shoot.gardener.cloud/managed-seed-api-server annotation is now removed. Instead, consider enabling high availability for the ManagedSeed's Shoot control plane. by @ialidzhikov [#11838]
  • [USER] The already deprecated autoscaling.k8s.io/v1beta2 API version is no longer served. Instead, use the autoscaling.k8s.io/v1 API version for managing VerticalPodAutoscaler resources. by @ialidzhikov [#11840]

πŸ“° Noteworthy

  • [USER] The spec.kubernetes.kubeAPIServer.enableAnonymousAuthentication field in the Shoot API is deprecated and will be removed in a future release. Before removal, it will be forbidden to set the field when using a future Kubernetes version that graduates the feature gate AnonymousAuthConfigurableEndpoints. by @marc1404 [#11984]
  • [OPERATOR] The RemoveAPIServerProxyLegacyPort feature gate has been promoted to beta and is now turned on by default. by @Wieneo [#11902]

✨ New Features

  • [OPERATOR] Garden.spec.virtualCluster.gardener.gardenerDashboard.ingress.enabled can now be used to control whether the gardener-operator should deploy a Ingress resource for the dashboard. by @Wieneo [#12002]
  • [OPERATOR] Garden.spec.virtualCluster.gardener.gardenerDashboard.oidcConfig.certificateAuthoritySecretRef can now be used to specify a secret containing a custom CA certificate for talking to the OIDC endpoint. The certificate must be stored under the ca.crt key. by @Wieneo [#11967]
  • [OPERATOR] Gardener supports gardener-node-agent images built by ko. by @timebertt [#12021]
  • [OPERATOR] It is now possible forcing gardener-operator to re-deploy gardenlets by annotating the responsible seedmanagement.gardener.cloud/v1alpha1.Gardenlet resource with gardener.cloud/operation=force-redeploy. Read all about it here. by @rfranzke [#11972]

πŸ› Bug Fixes

  • [OPERATOR] gardenlet's shoot-care controller : An issue causing gardenlet to report a misleading reason (NodesScalingDown) during rolling update of Shoot Nodes is now fixed. by @RadaBDimitrova [#11869]
  • [DEVELOPER] Fix extension webhook registration for autonomous shoot clusters. by @ScheererJ [#12040]

πŸƒ Others

  • [OPERATOR] It is now ensured that extension admission webhooks have validated WorkloadIdentitys/Secrets referenced in Shoots. by @rfranzke [#12075]
  • [OPERATOR] Annotations and labels are now ignored when creating referenced resources in the shoot control plane namespaces in seed clusters. by @rfranzke [#12064]
  • [OPERATOR] Set minAllowed CPU to 150m for prometheus-shoot to avoid frequent evictions by @voelzmo [#12069]
  • [OPERATOR] A new check ensures that only owners and project members with a UAM role are allowed to modify the project owner. by @timuthy [#12082]
  • [OPERATOR] The utilization of the VPN containers running in the seed is now improved by adapting their initial/static requests and by changing the corresponding VPA configuration:
    • autoscaling is disabled for the vpn-seed-server and openvpn-exporter containers
    • initial/static resource requests are reduced
    • limits are removed
    • minAllowed for the envoy-proxy container is removed by @axel7born [#12023]
  • [OPERATOR] Remove sum for VPA Pod metrics in 'recommendations' dashboard by @voelzmo [#12057]
  • [OPERATOR] Spreading Istio ingress-gateway pods across hosts is enforced only for zonal Istio deployments now. by @oliver-goetz [#12007]
  • [OPERATOR] kube-proxy no longer fails its readiness probe in case the node is about to be deleted by cluster-autoscaler. by @ScheererJ [#12015]
  • [DEPENDENCY] The following dependencies have been updated:
    • gcr.io/istio-release/pilot from 1.25.2 to 1.25.3.
    • gcr.io/istio-release/proxyv2 from 1.25.2 to 1.25.3.
    • istio.io/api from v1.25.2 to v1.25.3. by @gardener-ci-robot [#12074]
  • [DEPENDENCY] The following dependencies have been updated:
  • [DEVELOPER] The admission-local deployment was fixed to work with KinD based test setup. by @timuthy [#12106]

πŸ“– Documentation

  • [USER] Dual-Stack Migration documentation now clearly states the precondition of overlay removal. by @ScheererJ [#12053]

Helm Charts

  • controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.119.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.119.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.119.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.119.0

Container (OCI) Images

  • admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.119.0
  • apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.119.0
  • controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.119.0
  • gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.119.0
  • node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.119.0
  • operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.119.0
  • resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.119.0
  • scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.119.0

Contributors

marc1404, voelzmo, and 10 other contributors
Assets 10
Loading