Deckhouse

Fixes


- **[candi]** Add creation of the `TMPDIR` directory in the `bashible.sh` script. [6059](https://github.com/deckhouse/deckhouse/pull/6059)
- **[chrony]** Run chrony pods in host network namespace. [6007](https://github.com/deckhouse/deckhouse/pull/6007)
- **[linstor]** Workaround for several annoying issues in LINSTOR related to hanging controller. [6037](https://github.com/deckhouse/deckhouse/pull/6037)


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.52.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.52.0).

Important update notes
- All nodes with DRBD will restart.

Major changes

- The _control-plane-manager_, _ingress-nginx_ (partly), _monitoring-kubernetes_, _node-manager_, _operator-trivy_, _user-authz_, as well as CSI components and a number of base components, now use distroless images. This increases module security and reduces the attack surface.
- The [denyVulnerableImages](https://deckhouse.io/documentation/v1.52/modules/015-admission-policy-engine/configuration.html#parameters-denyvulnerableimages) parameter allows you to prevent containers based on the images with _High_ and _Critical_ vulnerabilities from running in a cluster.
- Time on the nodes is now synchronized by default via master nodes that act as NTP servers (the `chrony` module).
- Grafana dashboards for _pgbouncer_, queues and slow _PHP-FPM_ requests have been added. The _Elasticsearch_ dashboard has been updated.
- Processes in the containers that use distroless images are now run as the `deckhouse` user with UID:GID `64535`:`64535` (previously, they were run as the nobody user with UID:GID `65534`:`65534`).

The following components will be restarted during the update
- **Kubernetes control plane**
- **Ingress Controller**
- **Prometheus/Grafana**
- `admission-policy-engine`
- `cert-manager`
- `chrony`
- `cloud-provider-aws`
- `cloud-provider-azure`
- `cloud-provider-gcp`
- `cloud-provider-openstack`
- `cloud-provider-yandex`
- `cni-cilium`
- `dashboard`
- `deckhouse`
- `extended-monitoring`
- `flant-integration`
- `ingress-nginx`
- `istio`
- `kube-dns`
- `kube-proxy`
- `linstor`
- `log-shipper`
- `metallb`
- `monitoring-kubernetes`
- `monitoring-kubernetes-control-plane`
- `node-local-dns`
- `node-manager`
- `openvpn`
- `operator-prometheus`
- `operator-trivy`
- `pod-reloader`
- `runtime-audit-engine`
- `snapshot-controller`
- `terraform-manager`
- `upmeter`
- `user-authn`
- `user-authz`
- `vertical-pod-autoscaler`


Component version updates
- Kubernetes control plane: `1.25.14`, `1.26.9`, `1.27.6`
- linstor
- controller: `1.24.2`
- DRBD: `9.2.5`
- cert-manager: `1.12.3`
- containerd: `1.6.24`
- node-exporter (monitoring-kubernetes): `1.6.1`
- operator (operator-trivy): `0.15.1`
- prometheus-operator: `0.68`
- shell-operator: `1.3.2`


See [CHANGELOG v1.52](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.52.md) for more details.

Fixes


- **[prometheus]** Fix `fix-permissions` init container to run under *kesl* security. [6091](https://github.com/deckhouse/deckhouse/pull/6091)


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.51.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.51.0).

Fixes


- **[ingress-nginx]** Add postpone updates for the main controller with `HostWithFailover` inlet. [6015](https://github.com/deckhouse/deckhouse/pull/6015)


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.51.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.51.0).

Know before update


- Ingress controller 1.6 will restart.

Fixes


- **[ingress-nginx]** Fix bug with absent auth cookie, which leads to logout users sometimes from web pages with authorization. [5978](https://github.com/deckhouse/deckhouse/pull/5978)
Ingress controller 1.6 will restart.


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.51.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.51.0).