Deckhouse

Fixes

- **[candi]** Resolve names to IPv4 addresses with d8-curl. [6944](https://github.com/deckhouse/deckhouse/pull/6944)
- **[node-manager]** Remove the validating webhook for the Node deletion operation. [6938](https://github.com/deckhouse/deckhouse/pull/6938)


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.55.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.55.0).

Fixes


- **[candi]** Run chmod on file only if it exists. [6880](https://github.com/deckhouse/deckhouse/pull/6880)
- **[candi]** Handle registry packages fetch errors. [6860](https://github.com/deckhouse/deckhouse/pull/6860)
- **[cni-cilium]** Cilium version bumped to 1.14.5 [6881](https://github.com/deckhouse/deckhouse/pull/6881)
Cilium agents will restart, during restart some policies won't work.
- **[node-manager]** add NodeGroup name validation only for 'CREATE' operation. [6879](https://github.com/deckhouse/deckhouse/pull/6879)

Chore


- **[cni-cilium]** Enabled pprof interface in cilium-agent. [6883](https://github.com/deckhouse/deckhouse/pull/6883)
cillium-agent pods will restart.


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.55.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.55.0).

Fixes


- **[ceph-csi]** Use different liveness probe ports for csi-controller-cephfs and csi-controller-rbd. [6727](https://github.com/deckhouse/deckhouse/pull/6727)
- **[control-plane-manager]** Remove the use of crictl when backing up etcd. [6720](https://github.com/deckhouse/deckhouse/pull/6720)
- **[node-manager]** Add MachineHealthCheck for CAPS. [6609](https://github.com/deckhouse/deckhouse/pull/6609)

For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.55.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.55.0).

Fixes

- **[prometheus]** Fixes update_alertmanager_status hook when there is an alertmanager via a labeled service in the cluster. https://github.com/deckhouse/deckhouse/pull/6699

For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.55.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.55.0).

Fixes


- **[cni-cilium]** Restore removed API versions in CRDs. [6690](https://github.com/deckhouse/deckhouse/pull/6690)


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.55.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.55.0).

Major changes

- More than 20 vulnerabilities of various criticality have been remedied.
- The default security policy ([PSS](https://kubernetes.io/docs/concepts/security/pod-security-standards/)) in the cluster has been enacted (this behavior is controlled by the new [defaultPolicy](https://deckhouse.io/documentation/v1.55/modules/015-admission-policy-engine/configuration.html#parameters-podsecuritystandards-defaultpolicy) parameter of the admission-policy-engine module). The update does not introduce any additional restrictions (the `Privileged` policy is retained) for the existing clusters. However, for all new Deckhouse installations starting with version 1.55, the Baseline security policy (which prevents the most well-known and popular privilege escalation methods) will be used in the cluster.
- The cilium version in the [cni-cilium](https://deckhouse.io/documentation/v1.55/modules/021-cni-cilium/) module has been upgraded from version 1.12 to 1.14. Please note that:
- Regressions in the network subsystem may occur, including those related to network policies.
- Resource consumption by cilium agents is expected to decrease.
- Large amounts of network policies now load faster.
- The deprecated _CiliumEgressNATPolicy_ and _CiliumBGPLoadBalancerIPPool_ CRDs have been removed.
- In the [istio](https://deckhouse.io/documentation/v1.55/modules/110-istio/) module, it is now possible to specify the timeout for a TCP connection between the istio sidecar and the service (the [idleTimeout](https://deckhouse.io/documentation/v1.55/modules/110-istio/configuration.html#parameters-proxyconfig-idletimeout) parameter).
- A number of components have been migrated to distroless images to improve security and reduce the attack surface. Specifically, _documentation, node-local-dns, upmeter,_ and cloud provider module components have been switched to distroless images.

The following components will be restarted during the update

- **Kubernetes control plane**
- alerts-receiver (prometheus module)
- bashible-apiserver (node-manager modules)
- cinder-csi-plugin (cloud-provider-openstack module)
- cloud-provider-azure
- cni-cilium
- dex, dex-authenticator, kubeconfig-generator (user-authn module)
- documentation
- ebs-csi-plugin (cloud-provider-aws module)
- gatekeeper (admission-policy-engine module)
- istio-operator (istio module)
- kube-dns
- kube-state-metrics (monitoring-kuberntetes)
- loki
- monitoring-kubernetes
- operator-prometheus
- operator-trivy
- pd-csi-plugin (cloud-provider-gcp module)
- prometheus-metrics-adapter
- upmeter
- user-authz
- vsphere-csi-plugin (cloud-provider-vsphere module)
- yandex-csi-plugin (cloud-provider-yandex module)


Component version updates

- Kubernetes control plane: `1.25.16`, `1.26.11`, `1.27.8`, `1.28.4`
- kube-state-metrics: `2.7.0`
- Azure cloud-controller-manager: `1.24.22`, `1.25.22`, `1.26.17`, `1.27.11`, `1.28.3`
- cni-cilium: `1.14.4`

See [CHANGELOG v1.55](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.55.md) for more details.