Deckhouse

Features


- **[deckhouse-controller]** Add mechanism to check that desired modules are disabled before deckhouse update. [10176](https://github.com/deckhouse/deckhouse/pull/10176)

Fixes


- **[deckhouse]** Fix `ValidatingAdmissionPolicy` for checking update windows. [10151](https://github.com/deckhouse/deckhouse/pull/10151)
- **[dhctl]** Do not return error if deckhouse release exists. [10164](https://github.com/deckhouse/deckhouse/pull/10164)
- **[dhctl]** Only one resource will create for namespace if it namespace does not exist. [10159](https://github.com/deckhouse/deckhouse/pull/10159)
- **[istio]** Fix supported Kubernetes version in the documentation. [10148](https://github.com/deckhouse/deckhouse/pull/10148)
- **[loki]** Removed migrator init containers from modules. [10150](https://github.com/deckhouse/deckhouse/pull/10150)
- **[prometheus]** Removed migrator init containers from modules. [10150](https://github.com/deckhouse/deckhouse/pull/10150)
- **[upmeter]** Removed migrator init containers from modules. [10150](https://github.com/deckhouse/deckhouse/pull/10150)


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.64.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.64.4).

Features

- **[dashboard]** Add auth.allowedUserGroups option. Now it is possible to authorize user access based on their groups. [10068](https://github.com/deckhouse/deckhouse/pull/10068)
- **[user-authn]** Add claimMappingOverride option for OIDC Dex provider. [9974](https://github.com/deckhouse/deckhouse/pull/9974)
- **[user-authn]** dex support Base64 encoded and PEM encoded certs. [9894](https://github.com/deckhouse/deckhouse/pull/9894)

Fixes

- **[cni-cilium]** Disabling the upload of the service image `base-cilium-dev` to the final container registry. [9987](https://github.com/deckhouse/deckhouse/pull/9987)
All cilium-agent pods will be restarted.
- **[cni-cilium]** Wiping unwanted iptables-legacy rules. [9971](https://github.com/deckhouse/deckhouse/pull/9971)
All cilium-agent pods will be restarted.
- **[dhctl]** Fix panic during creation resources and add timestamps to debug log. [10070](https://github.com/deckhouse/deckhouse/pull/10070)
- **[dhctl]** Fix ensure required namespaces. [9714](https://github.com/deckhouse/deckhouse/pull/9714)
- **[prometheus]** Fix Grafana root URL. [10076](https://github.com/deckhouse/deckhouse/pull/10076)
Grafana will be restarted.
- **[upmeter]** Fix `D8UpmeterSmokeMiniMoreThanOnePVxPVC` alert. [10026](https://github.com/deckhouse/deckhouse/pull/10026)

For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.64.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.64.3).

Fixes


- **[dhctl]** Fix sshBastionPort spec type [9990](https://github.com/deckhouse/deckhouse/pull/9990)
- **[istio]** Improved validation of the ModuleConfig [9912](https://github.com/deckhouse/deckhouse/pull/9912)


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.64.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.64.2).

Features


- **[candi]** Stricter permissions (0700/0600) applied to kubelet configuration and PKI files to improve security. [9868](https://github.com/deckhouse/deckhouse/pull/9868)
- **[candi]** Add support for Astra Linux 1.8. Support for Astra Linux 1.8 ensures compatibility with the latest OS version, providing updated packages and configurations. [9296](https://github.com/deckhouse/deckhouse/pull/9296)
- **[control-plane-manager]** Stricter permissions (0700/0600) applied to kubelet configuration and PKI files to improve security. [9868](https://github.com/deckhouse/deckhouse/pull/9868)

Fixes


- **[candi]** fix resize partition step [9950](https://github.com/deckhouse/deckhouse/pull/9950)
- **[cloud-provider-aws]** Canceling migration from d8-cni-configuration secret to proper CNI module configs. [9900](https://github.com/deckhouse/deckhouse/pull/9900)
- **[cloud-provider-azure]** Canceling migration from d8-cni-configuration secret to proper CNI module configs. [9900](https://github.com/deckhouse/deckhouse/pull/9900)
- **[cloud-provider-gcp]** Canceling migration from d8-cni-configuration secret to proper CNI module configs. [9900](https://github.com/deckhouse/deckhouse/pull/9900)
- **[cloud-provider-openstack]** Canceling migration from d8-cni-configuration secret to proper CNI module configs. [9900](https://github.com/deckhouse/deckhouse/pull/9900)
- **[cloud-provider-openstack]** Create one server group for all masters. [9806](https://github.com/deckhouse/deckhouse/pull/9806)
- **[cloud-provider-vcd]** Canceling migration from d8-cni-configuration secret to proper CNI module configs. [9900](https://github.com/deckhouse/deckhouse/pull/9900)
- **[cloud-provider-vsphere]** Canceling migration from d8-cni-configuration secret to proper CNI module configs. [9900](https://github.com/deckhouse/deckhouse/pull/9900)
- **[cloud-provider-yandex]** Canceling migration from d8-cni-configuration secret to proper CNI module configs. [9900](https://github.com/deckhouse/deckhouse/pull/9900)
- **[cloud-provider-zvirt]** Canceling migration from d8-cni-configuration secret to proper CNI module configs. [9900](https://github.com/deckhouse/deckhouse/pull/9900)
- **[cni-cilium]** Canceling migration from d8-cni-configuration secret to proper CNI module configs. [9900](https://github.com/deckhouse/deckhouse/pull/9900)
- **[cni-cilium]** iptables-wrapper fix for cilium pods. [9856](https://github.com/deckhouse/deckhouse/pull/9856)
The cilium pods will be restarted.
- **[cni-flannel]** Canceling migration from d8-cni-configuration secret to proper CNI module configs. [9900](https://github.com/deckhouse/deckhouse/pull/9900)
- **[common]** Canceling migration from d8-cni-configuration secret to proper CNI module configs. [9900](https://github.com/deckhouse/deckhouse/pull/9900)
- **[deckhouse-controller]** Fixed a bug related to the fact that the state of the release object was not updated. [9838](https://github.com/deckhouse/deckhouse/pull/9838)
- **[deckhouse-tools]** Fix custom certs copying. [9840](https://github.com/deckhouse/deckhouse/pull/9840)
- **[dhctl]** Canceling migration from d8-cni-configuration secret to proper CNI module configs. [9900](https://github.com/deckhouse/deckhouse/pull/9900)
- **[docs]** Add CEF format example in docs log-shipper [9875](https://github.com/deckhouse/deckhouse/pull/9875)
- **[global-hooks]** Canceling migration from d8-cni-configuration secret to proper CNI module configs. [9900](https://github.com/deckhouse/deckhouse/pull/9900)
- **[go_lib]** Canceling migration from d8-cni-configuration secret to proper CNI module configs. [9900](https://github.com/deckhouse/deckhouse/pull/9900)
- **[multitenancy-manager]** Fix 'namespace not found' problem. [9891](https://github.com/deckhouse/deckhouse/pull/9891)
- **[multitenancy-manager]** Add verify namespace object for messageExpression in ValidatingAdmissionPolicy [9849](https://github.com/deckhouse/deckhouse/pull/9849)
- **[user-authn]** Allow system-users with + symbol in email. [9846](https://github.com/deckhouse/deckhouse/pull/9846)

Chore


- **[candi]** Bump patch versions of Kubernetes images: `v1.28.14`, `v1.29.9`, `v1.30.5` [9917](https://github.com/deckhouse/deckhouse/pull/9917)
Kubernetes control-plane components will restart, kubelet will restart.
- **[runtime-audit-engine]** Allow falco to match multiple rules on same event. [9652](https://github.com/deckhouse/deckhouse/pull/9652)


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.64.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.64.1).

Major changes

* **The l2-load-balancer module is no longer being developed.** The module will be deprecated in the next DKP version. The functions of the *l2-load-balancer* module will be implemented in the *metallb* module.
* **A [new role-based access model](https://deckhouse.io/products/kubernetes-platform/documentation/v1.64/modules/140-user-authz/#the-new-role-based-model) has been introduced.** We recommend sticking to it for new projects.
* The option to allow only specific [Ingress controller classes](https://deckhouse.io/products/kubernetes-platform/documentation/v1.64/modules/402-ingress-nginx/cr.html#ingressnginxcontroller-v1-spec-ingressclass) (IngressClass) and specific storage classes (StorageClass) to be used in a given namespace has been added. For this, specify a list of Ingress controller classes ([policies.ingressClassNames](https://deckhouse.io/products/kubernetes-platform/documentation/v1.64/modules/015-admission-policy-engine/cr.html#operationpolicy-v1alpha1-spec-policies-ingressclassnames) parameter) and storage classes ([policies.storageClassNames](https://deckhouse.io/products/kubernetes-platform/documentation/v1.64/modules/015-admission-policy-engine/cr.html#operationpolicy-v1alpha1-spec-policies-storageclassnames) parameter) in the cluster operating policy.
* A new **deckhouse-tools** module has been introduced. The module implements a web interface for downloading the Deckhouse CLI utility (`d8`) from the cluster (no need for internet access). The web interface is available at the `tools` domain according to the established [DNS naming template](https://deckhouse.io/products/kubernetes-platform/documentation/v1.64/deckhouse-configure-global.html#parameters-modules-publicdomaintemplate).
* You can now enhance the scheduler with external plugins via webhooks (the [KubeSchedulerWebhookConfiguration](https://deckhouse.io/products/kubernetes-platform/documentation/v1.64/modules/040-control-plane-manager/cr.html#kubeschedulerwebhookconfiguration) resource). For example, you can configure data storage application pods to be allocated closer to the data, use priority when selecting a node depending on its state (network load, storage subsystem state), etc.
* A notification about the scheduled update of patch versions has been added. The notification features information about the type of update (module or DKP). You can enable it using the [update.notification.releaseType](https://deckhouse.io/products/kubernetes-platform/documentation/v1.64/modules/002-deckhouse/configuration.html#parameters-update-notification-releasetype) parameter in the [update.notification](https://deckhouse.io/products/kubernetes-platform/documentation/v1.64/modules/002-deckhouse/configuration.html#parameters-update-notification) parameter section).

Security


* The new DKP version features stricter permissions for cluster configuration files and folders and those created by Deckhouse.

Component version updates

* Kubernetes control plane: `1.28.13`, `1.29.8`, `1.30.4`
* NGINX Ingress Controller: `1.10.4`
* `cni-simple-bridge`: `1.8.9.`
* `dex`: `1.41.1`
* `falco (runtime-audit-engine)`: `0.38.1`
* `kube-router`: `1.8.9`
* `loki`: `2.9.10`
* `vector (log-shipper)`: `0.40.1`

A list of internal modules or their components that will be restarted during the upgrade

* Kubernetes control plane
* Ingress controller
* `cni-cilium-hubble`
* `cni-flannel`
* `cni-simple-bridge`
* `constraint-exporter` (`admission-policy-engine`)
* `control-plane-manager`
* `deckhouse`
* `delivery`
* `documentation`
* `istio`
* `log-shipper`
* `loki`
* `multitenancy-manager`
* `network-policy-engine`
* `node-manager`
* `operator-trivy`
* `runtime-audit-engine`
* `upmeter`
* `user-authn`

See [CHANGELOG v1.64](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.64.md) for more details.

Fixes


- **[deckhouse-controller]** Fixed a bug related to the fact that the state of the release object was not updated. [10410](https://github.com/deckhouse/deckhouse/pull/10410)


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.63.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.63.12).