Deckhouse

Features


- **[dhctl]** In commander mode connect to controlled clusters via commander agent instead of SSH [10342](https://github.com/deckhouse/deckhouse/pull/10342)
- **[static-routing-manager]** Add the ability to create routes with "via dev" and without specifying a gateway IP. [10277](https://github.com/deckhouse/deckhouse/pull/10277)
Pods of static-routing-manager will be restarted.

Fixes


- **[cloud-provider-aws]** Fix for deploying a cluster in a local zone. [10491](https://github.com/deckhouse/deckhouse/pull/10491)
- **[cni-cilium]** Fixed `excludedCIDRs` option in EgressGatewayPolicies [10493](https://github.com/deckhouse/deckhouse/pull/10493)
- **[node-manager]** ignore heartbeat annotation on hook [10368](https://github.com/deckhouse/deckhouse/pull/10368)
- **[user-authn]** Add a patch to fix the problem with offline sessions that are not created/updated properly, which causes random refresh problems. [10486](https://github.com/deckhouse/deckhouse/pull/10486)

Chore


- **[cloud-provider-yandex]** Changed behavior of externalIPAddresses key in terraform. [10485](https://github.com/deckhouse/deckhouse/pull/10485)

Features


- **[deckhouse-controller]** Added support for Auto Patch mode for Modules Release (configurable in the module update policy object) [10466](https://github.com/deckhouse/deckhouse/pull/10466)

Fixes


- **[ingress-nginx]** Add check for existing label. [10449](https://github.com/deckhouse/deckhouse/pull/10449)
- **[istio]** SA token path in api-proxy container fixed. [10454](https://github.com/deckhouse/deckhouse/pull/10454)


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.65.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.65.3).

Features


- **[metallb]** Added pre-upgrade compatibility check for metallb configuration. [10289](https://github.com/deckhouse/deckhouse/pull/10289)
- **[user-authz]** Improve rbacv2 hook to support custom roles, and roles extending and add docs. [10241](https://github.com/deckhouse/deckhouse/pull/10241)

Fixes


- **[cloud-provider-aws]** revert "Added the ability to specify your IAM role" [10435](https://github.com/deckhouse/deckhouse/pull/10435)
- **[control-plane-manager]** Fixed free space sufficiency detection for etcd-backup [10426](https://github.com/deckhouse/deckhouse/pull/10426)

Chore


- **[ingress-nginx]** Remove unnecessary validation and warnings. [10430](https://github.com/deckhouse/deckhouse/pull/10430)


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.65.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.65.2).

Features


- **[cni-cilium]** Add ability to explicitly specify network interfaces for Virtual IP in EgressGateway. [10326](https://github.com/deckhouse/deckhouse/pull/10326)

Fixes


- **[cloud-provider-zvirt]** Add to the instance a status about zvirtinstance. [10236](https://github.com/deckhouse/deckhouse/pull/10236)
- **[common]** Add `/bin/true` to `init` image [10372](https://github.com/deckhouse/deckhouse/pull/10372)
- **[deckhouse-tools]** Rebuild d8-cli images when used version changes [10267](https://github.com/deckhouse/deckhouse/pull/10267)

Chore


- **[candi]** Bump patch versions of Kubernetes images: `v1.28.15`, `v1.29.10`, `v1.30.6` [10340](https://github.com/deckhouse/deckhouse/pull/10340)
Kubernetes control-plane components will restart, kubelet will restart.
- **[cni-cilium]** Replacing iptables with precompiled binaries. [10103](https://github.com/deckhouse/deckhouse/pull/10103)
The pods will be restarted.
- **[cni-flannel]** Replacing iptables with precompiled binaries. [10103](https://github.com/deckhouse/deckhouse/pull/10103)
The pods will be restarted.
- **[ingress-nginx]** Replacing iptables with precompiled binaries. [10103](https://github.com/deckhouse/deckhouse/pull/10103)
The pods will be restarted.
- **[kube-proxy]** Replacing iptables with precompiled binaries. [10103](https://github.com/deckhouse/deckhouse/pull/10103)
The pods will be restarted.
- **[network-gateway]** Replacing iptables with precompiled binaries. [10103](https://github.com/deckhouse/deckhouse/pull/10103)
The pods will be restarted.
- **[node-local-dns]** Replacing iptables with precompiled binaries. [10103](https://github.com/deckhouse/deckhouse/pull/10103)
The pods will be restarted.
- **[openvpn]** Replacing iptables with precompiled binaries. [10103](https://github.com/deckhouse/deckhouse/pull/10103)
The pods will be restarted.
- **[prometheus]** Update information about migration Prometheus and Upmeter pods with the local storage to other nodes. [10194](https://github.com/deckhouse/deckhouse/pull/10194)
- **[upmeter]** Update information about migration Prometheus and Upmeter pods with the local storage to other nodes. [10194](https://github.com/deckhouse/deckhouse/pull/10194)


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.65.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.65.1).

Major changes

* **The *delivery* module has been removed.** DKP will not proceed with the update if the *delivery* module is enabled in the cluster.
* **Support for Ingress controller version 1.6 has been discontinued.** The minimum supported version is 1.9.
* The **ceph-csi** module is **no longer being developed**. The module is considered deprecated. It is recommended to replace the *ceph-csi* module with the [csi-ceph](https://github.com/deckhouse/csi-ceph) module.
* Support for OpenSuse has been added.
* New configuration options for the DKP [update mode](https://deckhouse.ru/products/kubernetes-platform/documentation/v1.65/modules/002-deckhouse/configuration.html#parameters-update-mode) have been added. In `Manual` mode, confirmation is now also required for patch versions. If you need to apply patch versions automatically but confirm the update of minor versions, use `AutoPatch` mode.
* The status of the *DeckhouseRelease* resource now contains either the exact time when the new version was applied (previously, it could differ from the actual time) or a command to confirm the update.
* A check to see if the [project](https://deckhouse.io/products/kubernetes-platform/documentation/v1.65/modules/160-multitenancy-manager/cr.html#project) conforms to the [project template](https://deckhouse.io/products/kubernetes-platform/documentation/v1.65/modules/160-multitenancy-manager/cr.html#projecttemplate) has been added.
* DKP now automatically creates etcd database backups once a day (at 00:00 UTC). The result is saved in `/var/lib/etcd/etcd-backup.snapshot` directory on all master nodes.
* A new *[iamNodeRole](https://deckhouse.io/products/kubernetes-platform/documentation/v1.65/modules/030-cloud-provider-aws/cluster_configuration.html#awsclusterconfiguration-iamnoderole)* parameter for the AWS provider has been added. It allows you to use a custom IAM role for a node instead of the role created by DKP. This may come in handy, for example, if you need to add more permissions to the IAM node role (e. G., to enable ECR access, etc.).
* A new *[nameservers](https://deckhouse.io/products/kubernetes-platform/documentation/v1.65/modules/030-cloud-provider-azure/cluster_configuration.html#azureclusterconfiguration-nameservers)* parameter has been added for the Azure provider. It allows you to specify a list of DNS servers used on nodes.
* `dhctl converge` now migrates master nodes fully automatically, even when transitioning to a cluster with a single master node. Previously, manual actions might have been required.

Security

* It is forbidden to modify resources created by DKP (they have the `heritage: deckhouse `label).
* Support for scanning images in repositories that use insecure connections or self-signed certificates has been added.
* Openvpn and documentation modules, as well as part of the istio module components, now use distroless images.

Component version updates

- kruise-controller-manager (ingress-nginx): 1.7.2
- addon-operator: 1.5.0
- containerd: 1.7.20
- cilium: 1.14.14
- openvpn: 2.6.12

A list of internal modules or their components that will be restarted during the upgrade

- Ingress controller
- bashible-apiserver
- capi-controller-manager
- cert-manager
- cilium
- cilium-hubble
- containerd
- control-plane-manager
- d8-kube-proxy
- dashboard
- deckhouse
- documentation
- grafana
- istio
- kruise-controller-manager
- metrics-scraper
- openvpn
- prometheus
- upmeter
- user-authn

See [CHANGELOG v1.65](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.65.md) for more details.

Features


- **[dhctl]** Options to skip preflight checks for dhctl-server operations. [10043](https://github.com/deckhouse/deckhouse/pull/10043)

Fixes


- **[deckhouse]** Fix validation policy for update windows in kubernetes 1.26 [10235](https://github.com/deckhouse/deckhouse/pull/10235)
- **[dhctl]** Fix empty registry credentials preflight check failure. [10226](https://github.com/deckhouse/deckhouse/pull/10226)


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.64.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.64.5).