Skip to content

Changelog v1.75.0#628

Open
deckhouse-BOaTswain wants to merge 12 commits into
mainfrom
changelog/v1.75.0
Open

Changelog v1.75.0#628
deckhouse-BOaTswain wants to merge 12 commits into
mainfrom
changelog/v1.75.0

Conversation

@deckhouse-BOaTswain

@deckhouse-BOaTswain deckhouse-BOaTswain commented Dec 11, 2025

Copy link
Copy Markdown
Collaborator

Changelog v1.75.0

[MALFORMED]

  • #16103 unknown section " | <1st level dir in the repo>"
  • #16795 unknown section "metrics-storage"
  • #16927 unknown section "dashboard"
  • #17243 unknown section "dashboard"
  • #17702 unknown section "registry-packages"
  • #17776 unknown section "projects"
  • #18791 unknown section ""

Know before update

  • Breaking changes:
    • The default value of Certificate.Spec.PrivateKey.RotationPolicy is now Always.
    • The default value for the Certificate resource's revisionHistoryLimit field is now set to 1.
    • Metrics changes. A high cardinality label, called path, was removed from the certmanager_acme_client_request_count and certmanager_acme_client_request_duration_seconds metrics.
      Feature:
    • Added the ability to configure requests and limits for pods used for ACME HTTP-01 challenges. Configurable in the Issuer and ClusterIssuer objects. For configuring the built-in DKP CluserIssers (letsencrypt and letsencrypt-staging) added settings in moduleConfig.
  • Cilium agents will be restarted during the update.
  • Control-plane components and kubelets will restart to pick up the new feature gates
    on clusters where they were not enabled before. VPA may start applying in-place
    updates instead of only eviction-based updates.
  • If you have controllers running 1.9 the automatic upgrade will be blocked until the version is updated, upgrading to 1.10+ will cause the corresponding controllers to restart.
  • If you have used certain features of operator-trivy before, a new alert named VulnerableImagesDenialConfigNotMigrated might start firing after update. In that case, you must manually move denyVulnerableImages section of settings from admission-policy-engine to operator-trivy module config. Alert message will provide necessary instructions on how to do so.
  • Istio version 1.19.7 has been removed because it is considered outdated. In this regard, errors may occur when updating the Deckhouse version. It is recommended to upgrade Istio from version 1.19.7 to version 1.21.6 before upgrading Deckhouse release.
  • Mode Auto is deprecated and will be removed in a future API version. Use explicit modes like Recreate, Initial, or InPlaceOrRecreate instead.
  • The default VPA mode for Loki components is changed from Auto to InPlaceOrRecreate.
    Loki pods will now prefer in-place resource updates when supported by the cluster,
    falling back to pod recreation only when required.
  • The minimum supported version of Kubernetes is now 1.31. All control plane components will restart.
  • These changes prevent unnecessary or destructive plan updates that could occur when data sources depend on changing labels and annotations. The behavior of other cloud providers is not affected.
    If you encounter unexpected converge plans or cluster bootstrap issues when using OpenTofu-based providers (such as dvp, dynamics, zvirt, or yandex), please report them to Deckhouse Technical Support.
  • This update triggers a rolling update of the flannel pods.
  • This update triggers a rolling update of the kube-proxy pods.
  • This update triggers a rolling update of the network-policy-engine pods.
  • Will restart all d8 pods on dkp release with this changes.

Features

  • [admission-policy-engine] Added policy to deny exec/attach to pods with heritage deckhouse label. #16749
  • [candi] Added annotation for node by creating converger user. #16734
  • [candi] Added parsing oss.yaml file in werf. #17567
  • [candi] Added support for Kubernetes 1.35 and discontinued support for Kubernetes 1.30. Default Kubernetes version was changed 1.32->1.33. #17504
    The minimum supported version of Kubernetes is now 1.31. All control plane components will restart.
  • [candi] Added support for multiple Kubernetes v1.35 feature gates. #18044
  • [candi] Display lists of third-party (OSS) components in the modules documentation. #17530
  • [candi] Enable DRA alpha feature gates for multi allocations #17993
    Kubelet, api-server, controller-manager and scheduler will be restarted.
  • [candi] Implementing SecurityPolicyExceptions in modules cert-manager, user-authz, user-authn, multitenancy-manager, admission-policy-engine, basic-auth. #16738
  • [cert-manager] Add alerts for ACME Challenges stuck in pending or error states #18669
  • [cert-manager] Bumped version up to v1.19.2. #17486
    Breaking changes:
    • The default value of Certificate.Spec.PrivateKey.RotationPolicy is now Always.
    • The default value for the Certificate resource's revisionHistoryLimit field is now set to 1.
    • Metrics changes. A high cardinality label, called path, was removed from the certmanager_acme_client_request_count and certmanager_acme_client_request_duration_seconds metrics.
      Feature:
    • Added the ability to configure requests and limits for pods used for ACME HTTP-01 challenges. Configurable in the Issuer and ClusterIssuer objects. For configuring the built-in DKP CluserIssers (letsencrypt and letsencrypt-staging) added settings in moduleConfig.
  • [cloud-provider-aws] Adds support for PublicNetworkAllowList to restrict incoming traffic #16854
  • [cloud-provider-azure] add NVMe disk discovery support for Ubuntu 22.04 Gen2 VMs #19159
  • [cloud-provider-dvp] Add validation for VirtualMachineClass and boot images before VM creation #17755
  • [cloud-provider-dvp] Added managed-by, cluster-uuid, vm_name labels to all cluster's infra objects. #17267
  • [cloud-provider-dvp] Created of NP automatic. #17286
  • [cloud-provider-zvirt] add customNetworkConfig #17879
  • [cni-cilium] Added Hubble metrics and logs settings. #16669
    Cilium agent's will be restarted.
  • [cni-cilium] Allowed configuring the InPlaceOrRecreate VPA updated mode for Cilium components. #17252
    Users can explicitly select the InPlaceOrRecreate VPA mode for Cilium pods via ModuleConfig.
    Default behavior remains unchanged.
  • [common] Resource quota ignore mechanism for pvc and pods #17068
  • [common] add support accesiblenamespaces in k8s v1.35 #18069
  • [control-plane-manager] Added support for enabling/disabling specific scheduler extensions and setting custom values. #16892
  • [control-plane-manager] Added update-observer component for real-time Kubernetes version update monitoring. #17457
    Cluster administrators now have detailed visibility into Kubernetes version updates through the new d8-cluster-kubernetes ConfigMap in the kube-system namespace.
  • [control-plane-manager] Anonymous access to kube-apiserver health endpoints is now enabled via AuthenticationConfiguration and proxy sidecar is removed. #17968
    Kube-apiserver will be restarted due to changes in manifest.
  • [control-plane-manager] Implement etcd-arbiter mode for HA capability with less resources. This will allow to bootstrap only etcd node without control-plane components. #16716
    Will restart all d8 pods on dkp release with this changes.
  • [deckhouse-controller] Add ObjectKeeper controller. #16773
  • [deckhouse-controller] Added Application statistics logic. #16809
  • [deckhouse-controller] Rewrited d8-cluster-configuration webhook from bash to Go. #17073
  • [deckhouse] Added configurable scan interval for a ModuleSource discovery. #17622
  • [deckhouse] Added version checking of module dependencies to scheduler. #17646
  • [descheduler] Add RemovePodsViolatingTopologySpreadConstraint strategy to v1alpha2 API for rebalancing pods across topology domains. #18107
    It evicts pods that violate TopologySpreadConstraints, enabling automatic rebalancing across availability zones after zone recovery.
  • [descheduler] Updated descheduler to the 0.34 version.
    Descheduler evicts pods with a larger restart count first it should make workload balancing in the cluster more stable.
    Descheduler respects DRA resources. #16846
  • [dhctl] Added a check in dhctl bootstrap to ensure the current user’s shell is bash. #16980
  • [dhctl] Added a wait for converger user creation on all master nodes. #16734
  • [dhctl] Added bootstrap support with the registry module for Direct and Unmanaged modes. #16103
  • [dhctl] Allowed updating master images. #17295
  • [dhctl] Improved UX related to bootstrap resources phase. #17742
  • [dhctl] Skipped application edition validation for standalone builds. #15493
  • [extended-monitoring] Added new options for customizing IAE . #16902
  • [ingress-nginx] Increased fault tolerance when the MaxMind service is unavailable or download limits are exceeded. #15276
    the instances will be restarted.
  • [istio] Added the InPlaceOrRecreate VPA update mode for Istio components. #17255
    Users can explicitly configure the InPlaceOrRecreate VPA mode for Istio workloads in ModuleConfig.
    Default VPA mode for Istio has been updated to InPlaceOrRecreate.
  • [istio] Allow custom ports in metadataEndpoint URLs for IstioFederation and IstioMulticluster CRDs. #19320
  • [istio] Changed name and type of istio-cni ConfigMap. #17297
  • [istio] Improved federation discovery observability by logging published services count. #17146
  • [istio] Removing depricated version of Istio 1.19.7 #17916
    Istio version 1.19.7 has been removed because it is considered outdated. In this regard, errors may occur when updating the Deckhouse version. It is recommended to upgrade Istio from version 1.19.7 to version 1.21.6 before upgrading Deckhouse release.
  • [log-shipper] Added metric and alert for not valid logshipper config. #17010
  • [loki] Changed the default VPA update mode for Loki from Auto to InPlaceOrRecreate. #17254
    The default VPA mode for Loki components is changed from Auto to InPlaceOrRecreate.
    Loki pods will now prefer in-place resource updates when supported by the cluster,
    falling back to pod recreation only when required.
  • [multitenancy-manager] Added unmanaged and skip-heritage functions for objects in ProjectTemplate. #17462
  • [node-local-dns] node-local-dns daemonset updating process is synced with cilium agents. #16295
  • [node-manager] Added alerts about missing cgroup v2 and/or containerd v2 support on nodes. #17658
  • [node-manager] Added configurable swap mechanism for Kubernetes pods using new memorySwap NodeGroup field. #16747
    Enabling swap for a NodeGroup will cause a kubelet restart on all nodes of that group.
  • [node-manager] Added new standalone node-controller for Node/NodeGroup hooks logic. #17836
  • [node-manager] Added validation to ensure .spec.kubelet.maxPods doesn't exceed the number of available Pod IP capacity per node. #16695
  • [node-manager] Allowed per-GPU custom MIG configurations via customConfigs with automatic config/label naming. #16678
  • [prometheus] Add prometheus configuration reload failed alert #17128
  • [prometheus] Added new alert to monitor remote write endpoint availability. #17677
    low
  • [prometheus] Replace PrometheusRules with ClusterObservabilityMetricsRulesGroups or ClusterObservabilityPropagatedMetricsRulesGroups when deployed using helm_lib_prometheus_rules helper and the observability module is enabled #16405
  • [prometheus] improve redirects from Grafana to the Deckhouse UI when Grafana is disabled #16988
    no impact
  • [registry] Added "Proxy" and "Local" registry operation modes. #17405
  • [registry] Added bootstrap support for Direct and Unmanaged modes. #16103
  • [terraform-manager] Suppress destructive changes when add/remove/change labels and annotations for cloud resources via opentofu. #19080
    These changes prevent unnecessary or destructive plan updates that could occur when data sources depend on changing labels and annotations. The behavior of other cloud providers is not affected.
    If you encounter unexpected converge plans or cluster bootstrap issues when using OpenTofu-based providers (such as dvp, dynamics, zvirt, or yandex), please report them to Deckhouse Technical Support.
  • [user-authn] Added Prometheus alert for Dex AuthRequest ResourceQuota monitoring. #17263
  • [user-authn] Added optional Kerberos (SPNEGO) SSO to the LDAP Dex provider with keytab-based validation. #16196
  • [user-authn] Added refreshTokenAbsoluteLifetime parameter to limit maximum lifetime of refresh tokens. #17114
  • [user-authn] Improved support for custom CA in the GitLab Dex provider (refined version of PR #15825
  • [user-authn] Introduced UserOperation hook for local Dex user operations (reset password, reset 2FA, lock/unlock) with status reporting. #15561
  • [user-authz] Added AccessibleNamespaces API to list namespaces accessible to the requesting user. #17436
  • [user-authz] Added BulkSubjectAccessReview API for checking multiple permissions in a single request. #17080
  • [user-authz] Allowed project Admins access to Roles, RoleBindings and AuthorizationRules on project namespaces. #17090
  • [user-authz] Restrict user roles from listing namespaces; use AccessibleNamespaces in non-CE editions #17651
  • [vertical-pod-autoscaler] Updated vpa module to 1.5.1. #16814
    Mode Auto is deprecated and will be removed in a future API version. Use explicit modes like Recreate, Initial, or InPlaceOrRecreate instead.

Fixes

  • [admission-policy-engine] Added and extend unit tests to cover tri-state behavior (omitted / empty / non-empty) and nested empty-array cases for both hooks. #17308
  • [admission-policy-engine] Allow DELETE operations, add containerPorts check in case of hostNetwork #17084
  • [admission-policy-engine] Fix high resource consumption for constraint d8denyexecheritage #19099
  • [admission-policy-engine] Fixed a bootstrap deadlock by excluding Gatekeeper webhook pods from constraints. #17791
  • [admission-policy-engine] Fixed enforcementAction for D8ReplicaLimits, added more template tests. #19521
  • [admission-policy-engine] Fixed multiple CVEs in admission-policy-engine module images (ratify, gatekeeper) by updating. dependencies. #17667
  • [admission-policy-engine] Fixed tri-state semantics for empty arrays and avoided empty objects in OperationPolicy/SecurityPolicy values. #17343
  • [admission-policy-engine] Prevent unintended Gatekeeper constraints from being rendered for SecurityPolicy when boolean fields are omitted. #18007
    Workload Pods are no longer denied by unrelated SecurityPolicy checks (e.g. hostNetwork/hostPort) when corresponding policy fields are not explicitly set.
  • [admission-policy-engine] added mount-points in ratify #17925
  • [candi] Add pause and kubernetes-api-proxy registry packages to bashible bb-package-fetch to prevent node failures during containerd major upgrades. #17047
  • [candi] Added a Netplan override to force the secondary NIC to use the main routing table, fixing cloud-init PBR conflicts. #16625
  • [candi] Added bashible 064 step criDir fallback. #16934
  • [candi] Added bashible events generateName. #16768
  • [candi] Added fallback to dnf package manager from yum install and remove bashbooster func's. #17012
  • [candi] Allow manually stopping DVP node VirtualMachines in nested clusters by using runPolicy AlwaysOnUnlessStoppedManually. #17110
  • [candi] Disabled kernel.panic parameter check in kubelet. #17296
  • [candi] Fixed CVEs in cloud-provider-azure. #18067
  • [candi] Improved static node cleanup script. #17418
  • [candi] Made modify_user in add_node_user bashible step idempotent. #17111
  • [candi] Moved the default values for registry in initConfiguration to dhctl. #16103
  • [candi] Remove duplicate additional_disks_hashes definition in static-node Terraform module. #17441
  • [candi] Server bootstrap logs are no longer transmitted via nc; Python is used instead. #17451
  • [candi] Updated pwru tool to v1.0.11 to fix CVE-2025-68121. #17952
  • [candi] Updated the bashible step to include Linux kernel versions that address CVE-2025-37999 #17300
  • [candi] fix CVE in cloud-provider-azure #18177
  • [candi] fix cve node-manager and opentofu. #19942
  • [candi] remove excessive netcat calls from d8-shutdown-inhibitor #17153
  • [cert-manager] Disable SecurityPolicyExceptions for cert-manager namespace #19280
  • [chrony] Mitigated CVE-2025-58181. #17959
  • [cilium-hubble] Fix affinity in HA mode #16862
    In HA cluster mode hubble-ui and hubble-relay will be restarted
  • [cilium-hubble] Fixed CVE-2026-29181 in hubble-ui-backend by bumping OpenTelemetry Go to v1.41.0 #20262
  • [cilium-hubble] Fixed CVE-2026-41520 in hubble-ui-backend #20361
  • [cloud-provider-aws] add information about AWS security group rules limits #18852
  • [cloud-provider-aws] fix CVE in cloud-provider-aws #18057
  • [cloud-provider-aws] fix cve #16843
  • [cloud-provider-aws] fix getInstancesByIDs to comply with the describeInstanceBatcher. #18267
  • [cloud-provider-azure] Fixed CVEs in cloud-provider-azure. #18067
  • [cloud-provider-azure] fix CVE in cloud-provider-azure #18177
  • [cloud-provider-azure] fix CVEs in cloud-provider-azure #18240
  • [cloud-provider-azure] fixed cve #16839
  • [cloud-provider-azure] fixed patch in azure #17696
  • [cloud-provider-dvp] Added fixes an infinite deletion state of DeckhouseMachine. #17585
  • [cloud-provider-dvp] Added functionality to wait for a disk to be attached to a VM #16965
  • [cloud-provider-dvp] Allowed using additionalDisks in master InstanceClasses. #17352
  • [cloud-provider-dvp] Cleanup orphaned resources when VM creation fails #17533
  • [cloud-provider-dvp] Fix healthCheckNodePort collisions #16996
  • [cloud-provider-dvp] Fixed VM deletion timeout and improved memory validation error reporting #17587
  • [cloud-provider-dvp] Prevented the CCM from recreating external LoadBalancers during Service deletion. #17446
  • [cloud-provider-dvp] Prevents orphaned VMBDA objects. #17682
  • [cloud-provider-dvp] Suppress destructive changes when add/remove/change labels and annotations for cloud resources via opentofu. #19080
  • [cloud-provider-dvp] allow user to use additionalDisks in master InstanceClass #18361
  • [cloud-provider-dvp] fix CVEs in cloud-provider-dvp #18446
  • [cloud-provider-dvp] fixed CVE #16810
  • [cloud-provider-dvp] refactored CreateVolume to improve idempotency when disk.status.capacity is not yet reported and standardized gRPC error handling #17826
  • [cloud-provider-dvp] this PR gives a lot more informational errors and messages to user #17165
  • [cloud-provider-dvp] this changes fix some of cases when pods stuck in Completed/Error #16741
  • [cloud-provider-dynamix] Fixed a queue hang caused by the module components failing to start. #16796
  • [cloud-provider-gcp] Fixed CVEs in cloud-provider-gcp. #18095
  • [cloud-provider-gcp] fix CVEs in cloud-provider-gcp #18328
  • [cloud-provider-huaweicloud] Fixed CVEs in cloud-provider-huaweicloud. #18096
  • [cloud-provider-huaweicloud] Fixed a queue hang caused by the module components failing to start. #16796
  • [cloud-provider-huaweicloud] fix CSI unpublishValidation for non exist ECS instance #16916
  • [cloud-provider-huaweicloud] fix CVEs in cloud-provider-huaweicloud #18179
  • [cloud-provider-huaweicloud] fix cve #17171
  • [cloud-provider-openstack] Add loadBalancer.enabled flag to prevent CCM crashes on k8s 1.32 without Octavia service #18228
  • [cloud-provider-openstack] Fixed CVEs in cloud-provider-openstack. #18099
  • [cloud-provider-openstack] Increase interval and timeout for health monitor #19350
  • [cloud-provider-openstack] fix CVE in cloud-provider-openstack module #18180
  • [cloud-provider-openstack] fix LB.enabled flag #18402
  • [cloud-provider-openstack] fix cve #17082
  • [cloud-provider-vcd] Fix LogrAdapter panic in VCD infra-controller-manager #20147
  • [cloud-provider-vcd] Fixed CVEs in cloud-provider-vcd. #18113
  • [cloud-provider-vcd] Fixed a queue hang caused by the module components failing to start. #16796
  • [cloud-provider-vcd] Implemented a hack to migrate etcd disk to VCD independent disk to prevent deletion of etcd data. #16302
    To migrate, you must perform a converge, which causes the master server to be recreated. If you are using only one master server with the manual address assignment via the mainNetworkIPAddresses parameter, add two more IP addresses for the migration process.
  • [cloud-provider-vcd] fix CVE in cloud-provider-vcd module #18327
  • [cloud-provider-vcd] fix cve #17136
  • [cloud-provider-vcd] fix vCD CCM TCP health monitors removal #19283
  • [cloud-provider-vsphere] Fix maping for kubernetes data disk #17859
  • [cloud-provider-vsphere] Fix vSphere privilege matrix and describe instructions for setting up environment via vSphere Client #18848
  • [cloud-provider-vsphere] fix cve #17106
  • [cloud-provider-vsphere] fix stale session for cloud-data-discoverer #17089
  • [cloud-provider-vsphere] normalizes new paths and makes bashible resolve existing paths case-insensitively #19748
  • [cloud-provider-yandex] Added fallback to nat_instance_internal_address_calculated. #17341
  • [cloud-provider-yandex] cloud-provider-yandex CVE's was fixed #16611
  • [cloud-provider-yandex] fix CVEs in cloud-provider-yandex #18291
  • [cloud-provider-yandex] fix cve #17469
  • [cloud-provider-zvirt] Fixed a queue hang caused by the module components failing to start. #16796
  • [cloud-provider-zvirt] fix CSI token refresh patch apply #18449
  • [cloud-provider-zvirt] fix CVEs in cloud-provider-zvirt #18257
  • [cloud-provider-zvirt] fix cve #17093
  • [cni-cilium] Fix hook discovery_cni_exclusive.go #17719
    If the SDN module is used in the cluster, the Cilium agent pods will be restarted.
  • [cni-cilium] Fix issue in generating CiliumEgressGatewayPolicy CR. #17949
    All current connections powered by EgressGateways will be terminated.
  • [cni-cilium] Fixed CVE-2026-33186, CVE-2026-27142, and CVE-2026-27139 by updating grpc dependency and Go version, and resolved build compatibility issues. #18645
  • [cni-cilium] Fixed CVE-2026-41520 for cilium-bugtool util #20067
  • [cni-cilium] Fixed egress-gateway-agent controller logic for deleted resources and disable dev logging. #17378
  • [cni-cilium] The MTU configuration has been updated. #16751
    The MTU will be updated on all interfaces of all pods.
  • [cni-cilium] Updated go-jose dependency to v4.1.4 to fix CVE-2026-34986. #19010
    Cilium agents will be restarted during the update.
  • [cni-flannel] Fixed CVE-2026-33186 by updating google.golang.org/grpc in flanneld. #19103
    This update triggers a rolling update of the flannel pods.
  • [cni-flannel] Reverted module stage from Deprecated back to General Availability to stop false deprecation alerts. #20306
  • [cni-simple-bridge] Refactored python image source and pip exclusion. #19144
  • [common] Disabled kernel.panic parameter check in kubelet. #17296
  • [common] Fixed CVE-2026-24051 in the CoreDNS image. #18611
  • [common] Fixed CVE-2026-33186 in the CoreDNS image. #18722
    CoreDNS pods will undergo a rolling restart.
  • [common] Latest CVEs are fixed. #17222
    All pods running kube-rbac-proxy will be restarted.
  • [common] Removed Python completely from the debug-container image as it is no longer needed, resolving corresponding CVEs, and silenced false positives for etcd binaries via VEX. #18842
  • [common] Restricted kubelet static pod manifest processing to .yaml and .yml files. #17842
  • [common] fixed CVE-2026-29181 in the CoreDNS #20259
  • [control-plane-manager] Fix order of converge components in control-plane-manager. #18195
  • [control-plane-manager] Removed liveness and readiness probes from update-observer container. #17789
  • [control-plane-manager] Upgrade etcd to 3.6.8. #18038
    etcd will restart.
  • [control-plane-manager] Upgraded etcd to 3.6.7. #17492
    etcd will restart.
  • [csi-vsphere] Fixed the Deckhouse queue getting stuck #20146
  • [deckhouse-controller] A module that conditionally depends on another is no longer disabled when an incompatible version of that dependency is enabled; the enable is rejected instead. #20345
  • [deckhouse-controller] Exclude all service accounts from d8- namespaces in d8ms-prefix ValidatingAdmissionPolicy. #17440
  • [deckhouse-controller] Fix conversions for external modules #16772
  • [deckhouse-controller] Fix false DeckhouseUpdatingFailed alert on registries without version tags in release-channel repo #18310
  • [deckhouse-controller] Fixed D8ModuleOutdatedByMajorVersion alert persist after update. #17468
  • [deckhouse-controller] Fixed --insecure flag being ignored in registry client operations. #17554
  • [deckhouse-controller] Fixed corner cases in d8-cluster-configuration webhook. #17342
  • [deckhouse-controller] Fixed false-positive "multiple readiness hooks found" error on module hook registration retry. #16694
  • [deckhouse-controller] Fixed incorrect MUP fallback for module releases. #17434
  • [deckhouse-controller] Fixed patch releases being skipped on minor updates. #17548
  • [deckhouse-controller] Fixed release notification time for deckhouse and module releases. #17583
  • [deckhouse-controller] Fixed stale ModuleConfigurationError metrics not being reset when ModuleRelease is deleted or module is disabled. #16940
  • [deckhouse-controller] Removed track-termination-mode notation. #16612
  • [deckhouse-controller] Rollback nelm version. #16770
  • [deckhouse-controller] added extra validation for kubernets version multiple downgrades scenario #18934
  • [deckhouse] Added exception to system-ns.deckhouse.io policy. #17754
  • [deckhouse] Added validation for deckhouse-registry Secret fields to reject spaces and newlines. #16101
  • [deckhouse] Allow updating scanInterval on the deckhouse ModuleSource. #19417
  • [deckhouse] Bump nelm version with deadlock fix. #18586
  • [deckhouse] Ensure heritage label on d8-system namespace via hook. #19196
  • [deckhouse] Fix exp modules auto enabling. #19699
  • [deckhouse] Fix module docs rendering. #17245
  • [deckhouse] Fix module enabling. #17009
  • [deckhouse] Fix module installer cleanup. #17301
  • [deckhouse] Fix module rerun. #17478
  • [deckhouse] Fixed deckhouse-registry secret validation. #17122
  • [deckhouse] Fixed global configuration generation. #19689
  • [deckhouse] Fixed missing module stage in the Module CR, restoring experimental module warnings. #17244
  • [deckhouse] Overwrite currentReleaseImageName on mismatch. #19416
  • [deckhouse] Remove notified=false annotation reset from runReleaseDeploy in the module release controller. #19182
  • [descheduler] Fixed module queue hang when a v1alpha1 Descheduler CR with deprecated-only strategies is applied. #17986
  • [descheduler] Removed implicit default thresholds from Descheduler CRD and align behavior with upstream. #17488
    Thresholds and targetThresholds are no longer implicitly defaulted.
    If a resource is not specified in the Descheduler CR, it is treated as 100% and does not participate in eviction logic.
  • [dhctl] Added dvp provider.kubeconfigDataBase64 preflight check. #16945
  • [dhctl] Added infrastructure states and NodeUser to sanitize in klog. #17943
  • [dhctl] Added many fixes in destroy command and restart destroy command. #16904
  • [dhctl] Added state saver to cluster for bootstrap additional control-plane and static nodes. #17943
  • [dhctl] Changed SSH logging. #17143
  • [dhctl] Eliminated double root-password prompts during Terraform validation. #16591
  • [dhctl] Fix deadlock in converge. #18564
  • [dhctl] Fix panic during destroy. Change opentofu log level to INFO. #16726
  • [dhctl] Fix panic in dhctl config render kubeadm-config command. #17934
  • [dhctl] Fix parallel bootstrap cloud permanent nodes #16886
  • [dhctl] Fix restart bootstrap during creating additional nodes in cloud permanent node groups. #18565
  • [dhctl] Fixed --skip-resources flag behaviour in destroy command. #16904
  • [dhctl] Fixed a memory leak in Terraform exporter. #15350
  • [dhctl] Fixed data race and panic in lease tryRenew. #17735
  • [dhctl] Fixed dhctl bootstrap-phase abort running after dhctl bootstrap-phasebase-infra. #16829
  • [dhctl] Fixed dhctl clissh scp command. #17896
  • [dhctl] Fixed dhctl in SSH tunnel preflight check. #17805
  • [dhctl] Fixed dhctl panic on destructive chages if master ip node is nill in update pipeline. #17351
  • [dhctl] Fixed dhctl server startup order and interrupt child process on backend connection failure. #17966
  • [dhctl] Fixed initconfiguration generation logic. #17285
  • [dhctl] Fixed kube token handling. #16735
  • [dhctl] Fixed node template diff output during converge when templates are empty but objects differ. #17943
  • [dhctl] Fixed to allow skip dhctl preflight check-staticinstance-by-ssh-credentials. #18077
  • [dhctl] Improved reliability when connecting to dhctl servers by adding retry logic and better error handling during startup #17698
  • [dhctl] Logged Kubernetes requests and responses in JSON format instead of protobuf bytes in debug logs. #17943
  • [dhctl] Made control-plane node SSH IP lookup non-strict in converge infrastructure hooks. #18063
  • [dhctl] Removed dhctl object node from cluster in converge. #17163
  • [dhctl] Removed some internal phases from progress bar. #17340
  • [dhctl] Removed unnecessary artifact from dhctl. #17797
  • [dhctl] Skip tmp lock for exporter and auto-converger. #18780
  • [dhctl] Stopped cleaning the temporary directory when converge or converge-migration fails. #17943
  • [dhctl] Updated tests. #17310
  • [dhctl] Use internal node ip if bastion ip was passed in converge. #19094
  • [dhctl] Wait for stronghold cluster sync before node deletion #19797
  • [dhctl] dhctl must not skip namespace update on cluster bootstrap, if namespace already exists #19195
  • [dhctl] fix SSH preflight check for StaticInstances with password-only auth. #19555
  • [dhctl] mitigate CVE-2026-33186 #18644
  • [dhctl] Аix non-strict unmarshalling for metaconfigs. #18359
  • [docs] Add info about kernel requirement for containerdv2 migration. #19437
  • [docs] Added docs about how NGC execution works. #17870
  • [docs] Fix vSphere privilege matrix and describe instructions for setting up environment via vSphere Client #18848
  • [docs] Fixed registry-modules-watcher deleting all documentation when registry returns an error. #16771
  • [extended-monitoring] Add namespace-scoped overrides #17213
  • [extended-monitoring] Cleanup exporter metrics when the monitored resource has been deleted #17988
  • [extended-monitoring] Fixed CVE-2025-47914, CVE-2025-58181 #17576
  • [extended-monitoring] fix typo in image-availability-exporter template #18597
  • [ingress-nginx] A false-positive trigger of alert GeoIPDownloadErrorDetectedFromMaxMind is fixed. #17741
  • [ingress-nginx] Added OWASP modesecurity core rule set support. #17348
    Pods of all ingress-nginx controller will be restarted.
  • [ingress-nginx] Added architecture-bashed node affinity settings. #16939
  • [ingress-nginx] Added fix for CVE-2026-4342. #18930
    All Ingress-NGINX controller pods will be restated.
  • [ingress-nginx] Added panel GeoIP DB status per controller in VHosts Grafana dashboard. #17219
  • [ingress-nginx] An http to https redirect to a wrong host is fixed. #17931
    All ingress-nginx controller pods will be restarted.
  • [ingress-nginx] CVE-2025-15566 is fixed in 1.10 and 1.12 controllers. #19261
    All pods of Ingress-NGINX controller of 1.10 and 1.12 versions will be restarted.
  • [ingress-nginx] Fixed accepting X-Forwareded/ProxyProtocol headers from untrusted networks. #17060
    All ingress nginx controller pods will be restarted.
  • [ingress-nginx] Fixed correct controller termination. #17041
    restart controllers
  • [ingress-nginx] Fixed the display of IP addresses in the status of Ingress resources with the LoadBalancer type. #15892
  • [ingress-nginx] Improved configuration validation and documentation. #17307
  • [ingress-nginx] Improved stability of geoproxy service startup. #17140
  • [ingress-nginx] Latest CVEs are fixed. #17222
    All pods running kube-rbac-proxy will be restarted.
  • [ingress-nginx] Latest fixes are backported to 1.75.1. #18497
    All Ingress-NGINX controller pods will be restated.
  • [ingress-nginx] Nelm fixes are backported. #18632
    All Ingress-NGINX controller pods will be restarted.
  • [ingress-nginx] Nginx is updated up to 1.30.1. #19862
    All Ingress-nginx controller pods will be restarted.
  • [ingress-nginx] Nginx was updated to 1.30.2. #20171
    All Ingress-nginx controller pods will be restarted.
  • [ingress-nginx] Restored the expected behavior of the Ingress resource annotation validation toggle in controller v1.12. #17809
    All ingress controller pods will restart.
  • [ingress-nginx] The CVE-2026-1580, CVE-2026-24512, CVE-2026-24513, CVE-2026-24514 CVEs are fixed. #17795
    The ingress nginx controllers' pods will be restated.
  • [ingress-nginx] The annotation validation is fixed in 1.12. #18078
    All ingress-nginx controller pods of the 1.12 version will be restarted.
  • [ingress-nginx] The real-ip-cidr patches are updated to use correct nginx variables. #17402
    All ingress-nginx controllers' pods will be restarted.
  • [istio] Correction in Kiali of an insignificant error #16880
  • [istio] Correction of an useless error in the Istio CNI workflow #17787
  • [istio] Fix CVE for Istio version 1.21 and 1.25 #17298
  • [istio] Fixed indent in ztunnel daemonset template #18256
  • [istio] Fixing the list of requests from istiod to gateway API #18056
  • [istio] Reduce CPU and RAM for regenerate multicluster JWT token and sort ingressGateway #18567
  • [istio] added iptables wrapper in cni-v1x21x6 #18953
    istio-cni-nodes will be restarted
  • [istio] fixed CVE-2026-33186 in v1.21.6 images #18798
    pods in namespace d8-istio will be restarted
  • [istio] fixed CVE-2026-33186 in v1.25.2 images #18797
    pods in namespace d8-istio will be restarted
  • [istio] fixed CVE-2026-34986 #19018
    istio module pods will be restarted
  • [istio] fixed CVE-2026-39882, CVE-2026-39883 and CVE-2026-35206 #19311
    istio module pods will be restarted
  • [istio] fixed CVEs in module images #19424
    module pods will be restarted
  • [istio] fixed discovery_operator_versions_to_install.go hook to migrate from 1.21 to 1.25 #19646
  • [istio] fixing the CVE in Kiali #17045
  • [keepalived] Excluded vulnerable pip-25.3 from keepalived final image to fix CVE-2026-1703 #19145
  • [keepalived] Updated manual switch instructions in FAQ to use debug container. #17982
  • [kube-proxy] Fixed CVE-2026-33186 and CVE-2026-24051 in kube-proxy dependencies. #19104
    This update triggers a rolling update of the kube-proxy pods.
  • [log-shipper] Fixed source-specific log label enrichment and simplified transform processing. #16989
    Changing the order of transformations only affects the operation of the log-shipper.
  • [loki] Fixed CVE-2025-47914, CVE-2025-58181 #17555
  • [loki] disable send analytics report to stats.grafana.org #17109
    config module loki ↓
  • [monitoring-deckhouse] Fix module-release alerts (ModuleReleaseIsWaitingManualApproval, ModuleReleaseIsOutdated, ModuleReleaseIsBlockedByRequirements, ModuleIsInMaintenanceMode, D8ModuleOutdatedByMajorVersion) that never fired on 1.75.x clusters due to a moduleNamemodule label mismatch introduced when addon-operator was bumped to v1.19.7 in v1.75.1. #20112
  • [monitoring-kubernetes] Added unsupported ValidatingAdmissionPolicy API versions on Kubernetes 1.34. #17007
  • [monitoring-kubernetes] Fixed CVE-2025-47914, CVE-2025-58181 #17571
  • [monitoring-kubernetes] fix kube_persistentvolume_is_local recording rule for not-bound PVCs #17638
  • [monitoring-kubernetes] fix kube_persistentvolume_is_local recording rule when there are more than one kube-state-metrics exporter in cluster #17877
  • [multitenancy-manager] Fixed multiple CVEs in multitenancy-manager module images by updating dependencies. #17534
  • [network-gateway] Updated dnsmasq to v2.92-alt2 to address multiple security vulnerabilities (CVE-2026-*) #19934
  • [network-gateway] Updated python image source and mitigated pip CVE-2026-1703 #19146
  • [network-policy-engine] Fixed CVE-2026-34040, CVE-2026-33997, and CVE-2026-33186 in network-policy-engine dependencies. #19105
    This update triggers a rolling update of the network-policy-engine pods.
  • [network-policy-engine] Fixed a bug that led to CrashLoopBackOff kube-router's pods. #17737
  • [network-policy-engine] Reverted module stage from Deprecated back to General Availability to stop false deprecation alerts. #20306
  • [node-local-dns] Adapt node-local-dns for air-gapped environments. #18758
  • [node-local-dns] Fix name of registry secret in safe-updater deployment #19887
  • [node-local-dns] Return stale-dns-connections-cleaner #18739
    An additional service daemonset will be added.
  • [node-manager] Added adjust StaticMachineTemplate webhook to allow first change of labelSelector. #17276
  • [node-manager] Added annotate draining node when deleting. #17189
  • [node-manager] Added bashible-apiserver retry on start failed. #17249
  • [node-manager] Added cleanup for oversized MCM MachineSet revision history annotation #19654
  • [node-manager] Added deletion of the kubelet checkpoint file /var/lib/kubelet/pod_status_manager_state immediately before kubelet restart. #17403
    Prevents kubelet startup panic caused by incompatible or corrupted.
  • [node-manager] Added middleware to bashible-apiserver to log bashible resource requests and responses. #17019
  • [node-manager] Added patch to fix memory manager error after reboot. #17331
  • [node-manager] Adjusted the regexp used for NodeGroup priority generation in the cluster-autoscaler priority expander fallback. #16998
  • [node-manager] CAPI crd served version fix #19679
  • [node-manager] Enabled use node IP to get ApiServer for CAPI on bootstrap. #17076
  • [node-manager] Enabledoptional prom-rule. #17112
  • [node-manager] Fix capacity parsing logic for DVPInstanceClass and add test case for DVPSpecWorker #17935
    Capacity values (CPU/memory) for DVPInstanceClass are now correctly extracted according to spec shape. Nested virtualMachine fields are used and memory quantities like Gi are properly parsed.
  • [node-manager] Fix cluster-autoscaler deadlock when machine creation fails with a non-ResourceExhausted error, preventing scale-up to alternative node groups. #18154
  • [node-manager] Fix panic in cluster-autoscaler caused by nil pointer dereference during node removal simulation. #17924
  • [node-manager] Fixed GPU observability in node-manager for full GPU, MIG, and time-slicing workloads (dashboard links/queries, VRAM semantics, MIG slice visibility), stabilized DCGM profiling metrics pipeline, synced MIG profile config with upstream, and made custom MIG defaults explicit for unspecified GPU indexes. #18287
  • [node-manager] Fixed capi_crds_cabundle_injection. #17193
  • [node-manager] Fixed conditions calc for static NodeGroup. #16811
  • [node-manager] Fixed logging errors during ssh connections in caps. #17802
  • [node-manager] It fixes issues in the DaemonSet manifest for fencing module. #17087
  • [node-manager] Reduced CAPS log noise and duplicate messages. #16805
  • [node-manager] Set to rescan power-button input devices and refreshes stale descriptors, ensuring the shutdown inhibitor continues receiving button-press events. #16651
  • [node-manager] Updated go dependencies in the bashible-api-server. #16103
  • [node-manager] deploy capi controller and webhooks before basic resources to prevent race condition during upgrades. #18778
  • [node-manager] fix Cluster Autoscaler RBAC for CAPI providers, add missing machinedeployments/scale to write rule and patch verb to ClusterRole. #18883
  • [node-manager] hook to restore apiVersion on CAPI resources. #20376
  • [node-manager] optimize node-controller cache resources usage. #19225
  • [node-manager] remove excessive netcat calls from d8-shutdown-inhibitor #17153
  • [node-manager] rollback inject capi conversion hook in crds as on-before-helm #19229
  • [operator-prometheus] Fixed CVE-2025-47914, CVE-2025-58181 #17601
  • [prometheus-metrics-adapter] Fixed CVE-2025-47914, CVE-2025-58181 #17570
  • [prometheus-pushgateway] Fixed CVE-2025-47914, CVE-2025-58181, CVE-2025-22872, CVE-2025-22868 #17556
  • [prometheus] Fix namespace label value in the Ingress Nginx controller and several other metrics #16720
    Ingress Nginx controller dashboards are fixed
  • [prometheus] Fixed CVE-2025-47914, CVE-2025-58181, CVE-2025-65637 #17597
  • [prometheus] Fixed rebuild of trickster. #17115
  • [prometheus] Make Grafana redirect ingress pass the annotations validation. #17816
  • [registry] Fixed validation of input image list changes in the registry checker. #17472
  • [registry] Omitted the auth field in DockerConfig when credentials (username and password) are empty. #17310
  • [registry] Updated auth image Go dependencies to fix Go CVEs. #18233
    Registry pods will be restarted.
  • [registrypackages] Added vex with CVE-2026-33186. #18751
  • [registrypackages] Update integrity patch for containerd (cse only). #17000
  • [registrypackages] Upgraded containerd to 1.7.30 and 2.1.6. #17510
    Containerd will restart.
  • [service-with-healthchecks] Fixed CVEs #16950
  • [terraform-manager] Fix opentofu patches build after pull request 19080. #19453
  • [terraform-manager] Fixed terraform CVE. #17862
  • [terraform-manager] yandex terraform version was updated #16779
  • [upmeter] Fixed CVE-2025-47914, CVE-2025-58181, CVE-2025-65637 #17557
  • [user-authn] Added a warning that DexAuthenticator only works over HTTPS. #16721
  • [user-authn] Enabled hide internal error details from users in Dex to prevent information disclosure. #17177
  • [user-authn] Fix BadRequest after the change password redirect when password policy is enabled #16744
  • [user-authn] Fix login error 500 with password policy enabled. #16703
  • [user-authn] Fixed LDAP authentication failure when filter field contains trailing newline from YAML literal block scalar. #17950
  • [user-authn] Fixed multiple CVEs in user-authn module images by updating dependencies. #17518
  • [user-authn] Forbided IP addresses in DexAuthenticator domain fields; only DNS names are allowed. #17305
    DexAuthenticator resources with IP addresses in domain fields will now be rejected at creation/update time with a clear error message. Previously, such resources were accepted but failed silently during Ingress creation.
  • [user-authn] Improve basic-auth-proxy request handling, cache implementation, and shutdown behavior. #20090
  • [user-authn] Improved Dex LDAP Kerberos (SPNEGO) logs and error handling. #17543
  • [user-authn] Quote service names to prevent digit-only names from breaking yaml parser #17020
  • [user-authn] Restore ContinueOnConnectorFailure flag handling in Dex configuration #18219
  • [user-authn] Ships Dex Kubernetes storage CRDs with the module to prevent missing-CRD bootstrap failures. #17885
    On fresh clusters, Dex storage CRDs (e.g. OfflineSessions/RefreshToken) are now installed by the module,
    preventing hook/informer startup failures due to absent dex.coreos.com CRDs.
  • [user-authn] skipApproval no longer bypasses TOTP. When 2FA is enabled, users are sent to /totp before approval, so “auth request does not have an identity for approval” no longer occurs #16946
  • [user-authz] Allow project-scoped roles to access Cluster-wide objects #16896
  • [user-authz] Allowed node-local user-authz-webhook listener port (40443/TCP) for hostNetwork pods. #17656
    The user-authz-webhook DaemonSet now explicitly declares its listener port and has a matching
    SecurityPolicyException. This prevents Admission Policy Engine validation failures in-cluster.
    A targeted dmt lint exception is added for the host-network-ports rule because it enforces
    the 4200–4299 range and does not take SecurityPolicyException into account.
  • [user-authz] Fixed SecurityPolicyException usage, added CR presence check. #17660
  • [user-authz] cache namespace label checks in the user-authz webhook via informer to avoid per-request apiserver GETs #16920

Chore

  • [candi] Added module directory localization. #17544
  • [candi] Bump patch versions of Kubernetes images. #17930
    Kubernetes control-plane components will restart, kubelet will restart
  • [candi] Bumped autoscaler version to 1.32.2. #16610
  • [candi] Bumped patch versions of Kubernetes images. #16955
    Kubernetes control-plane components will restart, kubelet will restart.
  • [candi] Change the way to determinate registry packages proxy addresses during node bootstrap. #17977
  • [candi] Removed insecure kube-apiserver cipher suites TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_128_GCM_SHA256, added fixed names for TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256, TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256. #17777
  • [candi] Removed overrides for journald configuration. #17769
  • [candi] Removed patches for kubernetes 1.30, which is not supported since Deckhouse v1.75.0. #17998
  • [candi] Updated documentation in candi. #16933
  • [candi] Updated static nodes with topology labels via /var/lib/node_labels. #16816
  • [cilium-hubble] Added vex with CVE-2026-33726 for hubble #18917
  • [cilium-hubble] Fixed vex file #19009
  • [cloud-provider-aws] Added module directory localization. #17544
  • [cloud-provider-aws] Updated module internals for Nelm compatibility. #17150
  • [cloud-provider-azure] Added module directory localization. #17544
  • [cloud-provider-azure] Fixed cloud providers linter warnings. #17992
  • [cloud-provider-azure] Updated module internals for Nelm compatibility. #17150
  • [cloud-provider-dvp] Added module directory localization. #17544
  • [cloud-provider-dvp] Added ownerReferences to VM-related objects (managed by CAPDVP and CSI). #17268
  • [cloud-provider-dvp] Fixed cloud providers linter warnings. #17992
  • [cloud-provider-dvp] Updated module internals for Nelm compatibility. #17150
  • [cloud-provider-dynamix] Added module directory localization. #17544
  • [cloud-provider-dynamix] Fixed linter warnings in Dynamix and HuaweiCloud cloud providers #18202
  • [cloud-provider-gcp] Added module directory localization. #17544
  • [cloud-provider-gcp] Updated module internals for Nelm compatibility. #17150
  • [cloud-provider-huaweicloud] Added module directory localization. #17544
  • [cloud-provider-huaweicloud] Fixed linter warnings in Dynamix and HuaweiCloud cloud providers #18202
  • [cloud-provider-openstack] Added module directory localization. #17544
  • [cloud-provider-openstack] Fixed cloud providers linter warnings. #17992
  • [cloud-provider-openstack] Updated module internals for Nelm compatibility. #17150
  • [cloud-provider-vcd] Added module directory localization. #17544
  • [cloud-provider-vcd] Fixed cloud providers linter warnings. #17992
  • [cloud-provider-vsphere] Added module directory localization. #17544
  • [cloud-provider-vsphere] Fixed cloud providers linter warnings. #17992
  • [cloud-provider-vsphere] Updated module internals for Nelm compatibility. #17150
  • [cloud-provider-yandex] Added module directory localization. #17544
  • [cloud-provider-yandex] Fixed cloud providers linter warnings. #17992
  • [cloud-provider-yandex] Updated module internals for Nelm compatibility. #17150
  • [cloud-provider-zvirt] Added module directory localization. #17544
  • [cloud-provider-zvirt] Fixed cloud providers linter warnings. #17992
  • [cni-cilium] Added SVACE analyze for modules. #17514
  • [cni-cilium] Added vex with CVE-2026-33726 for hubble #18917
  • [cni-cilium] Changed GO target version to 1.25. #17981
  • [cni-cilium] Fixed code in egress-gateway-agent (se-plus), check-wg-kernel-compat and safe-agent-updater images with linter recommendations. #17763
  • [cni-cilium] Fixed vex file #19009
  • [cni-cilium] Refactor build to use pre-packaged dependencies from envoyproxy_deps repository instead of downloading from GitHub at build time #18937
    Cilium agents will be restarted.
  • [cni-flannel] Changed GO target version to 1.25. #17981
  • [cni-flannel] Fixed code in flanneld image with linter recommendations. #17763
  • [cni-flannel] Restarted cni-flannel agents. #17532
  • [cni-simple-bridge] Restarted cni-simple-bridge agents. #17532
  • [common] Changed GO target version to 1.25 in vxlan-offloading-fixer image. #17981
  • [common] Refactored debug-container image to support distroless environments and include essential tools. #17982
  • [control-plane-manager] Improved the control-plane-manager etcd re-join logic for losing a member by destructive changes. converge #17347
  • [csi-vsphere] Updated module internals for Nelm compatibility. #17150
  • [deckhouse] Module moved from core distribtion into separate external module. #16328
    If you have used certain features of operator-trivy before, a new alert named VulnerableImagesDenialConfigNotMigrated might start firing after update. In that case, you must manually move denyVulnerableImages section of settings from admission-policy-engine to operator-trivy module config. Alert message will provide necessary instructions on how to do so.
  • [descheduler] Grant RBAC for PersistentVolumeClaims so the descheduler can list and watch PVCs #18787
  • [dhctl] Add output of remained resources for creation resources bootstrap phase in dhctl. #18046
  • [dhctl] Added preflight check to get access staticInstance with sshcredentials. #16974
  • [dhctl] Added preflight tests. #17261
  • [dhctl] Expand SSH output logs on errors for debug, verbose purposes. #16915
  • [dhctl] Set default ssh port to 22, to backward compatibility with cli ssh behavior in dhctl. #16947
  • [docs] Add NGC examples for automatically installation of NVIDIA drivers. #16864
  • [docs] Network ports for hostNetwork virtualization components actualization #18139
  • [extended-monitoring] Moved events exporter to our repo. #17091
  • [ingress-nginx] Added ingress-nginx controller of version v1.14.3. #17864
    The change does not affect existing clusters unless controllerVersion 1.14 is selected.
  • [ingress-nginx] Added the ability to customize ports for the load balancer Service. #17433
  • [ingress-nginx] Added unconfined seccomp profile to Ingress-NGINX controller pods. #18929
    All Ingress-NGINX controller pods will be restarted.
  • [ingress-nginx] Changed GO target version to 1.25. #17981
  • [ingress-nginx] Fixed code in failover-cleaner, protobuf-exporter, proxy-failover-iptables and proxy-failover images with linter recommendations. #17763
  • [ingress-nginx] Nginx is updated to v1.29.5 in all controllers, golang dependencies are also updated. #17914
    All ingres-nginx controller pods will be restated.
  • [ingress-nginx] Removed 1.9 controller version. #17832
    If you have controllers running 1.9 the automatic upgrade will be blocked until the version is updated, upgrading to 1.10+ will cause the corresponding controllers to restart.
  • [ingress-nginx] Restarted ingress-nginx controllers. #17532
  • [ingress-nginx] removed deprecated alert GeoIPDownloadErrorDetected. #17711
    All instances will be restarted.
  • [istio] Changed GO target version to 1.25. #17981
  • [istio] Changing the multi-network Istio documentation #18591
  • [istio] Fixed code in api-proxy and metadata-exporter images with linter recommendations. #17763
  • [istio] Warning about the inability to use user 1337 for user applications #18601
  • [istio] added excludes for DMT lint #19325
  • [istio] changed vex CVE justifications in pilots images #19583
  • [istio] version 1.25 set as default globalVersion value in ModuleConfig #19012
  • [istio] vex justified CVE-2026-42151 and CVE-2026-42154 in pilot and operator images #20189
  • [kube-dns] Changed GO target version to 1.25. #17981
  • [kube-dns] Fixed code in sts-pods-hosts-appender-webhook image with linter recommendations. #17763
  • [kube-proxy] API endpoints discovery hook now uses EndpointSlice #18083
  • [kube-proxy] Changed GO target version to 1.25. #17981
  • [kube-proxy] Fixed code in init-container image with linter recommendations. #17763
  • [kube-proxy] Restarted kube-proxy agents. #17532
  • [log-shipper] Migrate Loki endpoint discovery from v1.Endpoints to discovery.k8s.io/v1.EndpointSlice for Kubernetes 1.35 compatibility. #18036
  • [metallb] Dashboard templates will be imported only if prometheus, prometheus-operator modules are enabled. #17840
  • [monitoring-custom] Add clarification to D8ReservedNodeLabelOrTaintFound alert description. #19296
  • [monitoring-ping] Changed GO target version to 1.25. #17981
  • [monitoring-ping] Fixed code in monitoring-ping image with linter recommendations. #17763
  • [network-policy-engine] Restarted network-policy-engine agents. #17532
  • [node-local-dns] Added logging of slow upstream queries and a new coredns_kubeforward_slow_requests_total metric for tracking them. #16808
  • [node-local-dns] Changed GO target version to 1.25. #17981
  • [node-local-dns] Fixed code in iptables-loop and coredns images with linter recommendations. #17763
  • [node-local-dns] Restarted non-cilium setups of node-local-dns. #17532
  • [node-manager] Added patches for cluster-autoscaler. #18004
  • [node-manager] Bumped autoscaler version to 1.34. #16610
  • [node-manager] Bumped capi version 1.10.6 > 1.11.3. #16153
  • [openvpn] Changed GO target version to 1.25. #17981
  • [openvpn] Fixed code in easyrsa-migrator and openvpn images with linter recommendations. #17763
  • [openvpn] Restarted openvpn instances, all vpn connections disrupted. #17532
  • [prometheus] Added new rules for grafana dashboards. #15865
  • [registry] Update dependencies to fix CVEs #18619
  • [service-with-healthchecks] Added SVACE analyze for modules. #17514
  • [service-with-healthchecks] Changed GO target version to 1.25. #17981
  • [service-with-healthchecks] Fixed code in artifact image with linter recommendations. #17763
  • [terraform-manager] Updated terraform-manager images build. #16941
  • [user-authz] Fixed golangci-lint findings in multiple modules (user-authn, user-authz, admission-policy-engine, multitenancy-manager). #17672
  • [vertical-pod-autoscaler] Enabled using InPlaceOrRecreate update mode instead of Auto for Deckhouse-managed VPAs. #17011
    Control-plane components and kubelets will restart to pick up the new feature gates
    on clusters where they were not enabled before. VPA may start applying in-place
    updates instead of only eviction-based updates.

For more information, see the changelog and minor version release changes.

@Taior Taior force-pushed the main branch 7 times, most recently from 1d43597 to 0b9edcd Compare April 30, 2026 11:50
z9r5 and others added 4 commits May 27, 2026 10:05
Signed-off-by: deckhouse-BOaTswain <89150800+deckhouse-boatswain@users.noreply.github.com>
Signed-off-by: Kirill Kramorov <kirill.kramorov@flant.com>
Signed-off-by: Kirill Kramorov <kirill.kramorov@flant.com>
Signed-off-by: Kirill Kramorov <kirill.kramorov@flant.com>
@KraMorK

KraMorK commented Jun 3, 2026

Copy link
Copy Markdown
Member

/changelog

Signed-off-by: Kirill Kramorov <kirill.kramorov@flant.com>
@KraMorK

KraMorK commented Jun 3, 2026

Copy link
Copy Markdown
Member

/changelog

Signed-off-by: Kirill Kramorov <kirill.kramorov@flant.com>
@KraMorK

KraMorK commented Jun 3, 2026

Copy link
Copy Markdown
Member

/changelog

Signed-off-by: Kirill Kramorov <kirill.kramorov@flant.com>
@KraMorK

KraMorK commented Jun 3, 2026

Copy link
Copy Markdown
Member

/changelog

Signed-off-by: Kirill Kramorov <kirill.kramorov@flant.com>
@KraMorK

KraMorK commented Jun 3, 2026

Copy link
Copy Markdown
Member

/changelog

Signed-off-by: Kirill Kramorov <kirill.kramorov@flant.com>
@KraMorK

KraMorK commented Jun 3, 2026

Copy link
Copy Markdown
Member

/changelog

2 similar comments
@KraMorK

KraMorK commented Jun 3, 2026

Copy link
Copy Markdown
Member

/changelog

@KraMorK

KraMorK commented Jun 3, 2026

Copy link
Copy Markdown
Member

/changelog

Signed-off-by: Kirill Kramorov <kirill.kramorov@flant.com>
@KraMorK

KraMorK commented Jun 3, 2026

Copy link
Copy Markdown
Member

/changelog

Signed-off-by: Kirill Kramorov <kirill.kramorov@flant.com>
@KraMorK

KraMorK commented Jun 3, 2026

Copy link
Copy Markdown
Member

/changelog

1 similar comment
@KraMorK

KraMorK commented Jun 3, 2026

Copy link
Copy Markdown
Member

/changelog

Signed-off-by: deckhouse-BOaTswain <89150800+deckhouse-boatswain@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants