Shoot Kubernetes Minor Version Upgrades

Breaking changes may be introduced with new Kubernetes versions. This documentation describes the Gardener specific differences and requirements for upgrading to a supported Kubernetes version. For Kubernetes specific upgrade notes the upstream Kubernetes release notes, changelogs and release blogs should be considered before upgrade.

Upgrading to Kubernetes v1.35

• The Shoot's .spec.kubernetes.kubeAPIServer.enableAnonymousAuthentication field is forbidden. Gardener continues to disable anonymous authentication by default. If you need to configure anonymous authentication, use Structured Authentication Configuration with the anonymous authenticator instead.
• The Shoot's .spec.addons field is forbidden. The retirement of the previously contained components Kubernetes Dashboard and Ingress NGINX Controller, requires owners to remove any existing addon configurations from the Shoot.
• The Shoot's .spec.kubernetes.kubeAPIServer.watchCacheSizes.default field is forbidden. Watch cache sizes are automatically sized by Kubernetes.
• The Shoot's .spec.kubernetes.kubeScheduler.kubeMaxPDVols field is forbidden. The maximum number of attachable volumes is maintained by the respective CSI plugin.

Upgrading to Kubernetes v1.34

• The Shoot's .spec.cloudProfileName field is forbidden. Shoot owners must migrate their CloudProfile reference to the new spec.cloudProfile.name field.
• The Shoot's .spec.secretBindingName field is forbidden. Shoot owners must migrate their SecretBinding references to CredentialsBinding and use the new .spec.credentialsBindingName field. For more information, see the SecretBinding to CredentialsBinding migration guide.
• The Shoot's operation annotations rotate-etcd-encryption-key-(start|complete) are forbidden. Shoot owners must use the rotate-etcd-encryption-key operation annotation instead, which performs a complete etcd encryption key rotation. Shoot clusters with an ongoing etcd encryption key rotation that is currently in the Prepared phase will move forward to the Completing phase.

Upgrading to Kubernetes v1.33

• A new deny-all NetworkPolicy is deployed into the kube-system namespace of the Shoot cluster. Shoot owners that run workloads in the kube-system namespace are required to explicitly allow their expected Ingress and Egress traffic in kube-system via NetworkPolicies.
• The Shoot's .spec.kubernetes.kubeControllerManager.podEvictionTimeout field is forbidden. Shoot owners should use the .spec.kubernetes.kubeAPIServer.defaultNotReadyTolerationSeconds and .spec.kubernetes.kubeAPIServer.defaultUnreachableTolerationSeconds fields.
• The Shoot's .spec.kubernetes.clusterAutoscaler.maxEmptyBulkDelete field is forbidden. Shoot owners should use the .spec.kubernetes.clusterAutoscaler.maxScaleDownParallelism field.
• The Shoot's .spec.cloudProfileName field is deprecated. Shoot owners should migrate their CloudProfile reference to the new .spec.cloudProfile.name field.

Upgrading to Kubernetes v1.32

TIP

It is recommended to migrate from OIDC to StructuredAuthentication before updating to Kubernetes v1.32 in order to avoid not being able to revert the change.

• The Shoot's spec.kubernetes.kubeAPIServer.oidcConfig field is forbidden.
  • Shoot owners that have used oidcConfig or a (Cluster)OpenIDConnectPreset resource are recommended to migrate to StructuredAuthentication. More information about StructuredAuthentication can be found in the Structured Authentication documentation.

Upgrading to Kubernetes v1.31

• The Shoot's spec.kubernetes.kubeAPIServer.oidcConfig.clientAuthentication field is forbidden.
• The Shoot's .spec.kubernetes.kubelet.systemReserved and .spec.provider.workers[].kubernetes.kubelet.systemReserved fields are forbidden. Shoot owners should use the .spec.kubernetes.kubelet.kubeReserved and .spec.provider.workers[].kubernetes.kubelet.kubeReserved fields.