The changes worth paying attention to
- Support for the current version of the _virtualization_ module has been discontinued. Note that Deckhouse will not be able to perform an upgrade if the module is enabled. Please manually delete virtual machines and use [this script](https://github.com/deckhouse/deckhouse/blob/main/tools/virtualization/remove-module.sh) to disable the module before upgrading Deckhouse. We plan to significantly redesign the functionality of the _virtualization_ module and introduce it as a standalone product. Stay tuned.
- The format for naming resources created by the _multitenancy-manager_ module has been changed. All resources (except for namespaces) created by the _multitenancy-manager_ module will be redeployed. Resource names are now shorter (the project prefix has been removed from the resource name).
Major changes
- _Istio_ 1.19 support has been added.
- _Ingress controller v1.1_ is now considered obsolete. Please schedule an upgrade to version 1.9! Also, an alert has been added that fires when an obsolete controller version is used in the cluster.
- A critical vulnerability in the JWT library as well as 14 high-severity vulnerabilities in the _runtime-audit-engine_ module libraries have been fixed.
- You can now apply a Deckhouse update [immediately](https://deckhouse.io/documentation/v1.56/deckhouse-faq.html#how-do-i-apply-an-update-without-having-to-wait-for-the-update-window) without having to wait for the scheduled update window by setting the `release.deckhouse.io/apply-now: "true"` annotation.
- The _trivy-operator_ module (it configures scanning of container images used in the cluster for vulnerabilities) now also works when deploying Deckhouse in private environments with registries that have self-signed certificates.
- In operation policies (the _admission-policy-engine_ module), you can now set a limit on the number of controller replicas (refer to [the replicaLimits section](https://deckhouse.io/documentation/v1.56/modules/015-admission-policy-engine/cr.html#operationpolicy-v1alpha1-spec-policies-replicalimits)).
- The _cni-simple-bridge_, _cni-flannel_, _terraform-manager_, _Prometheus_ and _Grafana_ modules now use distroless images. This improves module security and reduces the attack surface.
Component version updates
- cilium: `1.14.5`
- cni-flannel: `0.23.0`
- falcosidekick (the runtime-audit-engine module): `2.28.0`
- Grafana: `8.5.13`
- istio: `1.19.4`
- kiali (istio): `1.67.2`
- operator-trivy: `0.16.4`
The following modules or their components will be restarted as part of the update
- Ingress controller
- Prometheus/Grafana
- cilium (some policies will not be active during the restart)
- cni-flannel
- istio
- operator-trivy
- runtime-audit-engine