Deckhouse

Fixes


- **[cni-cilium]** Use predefined MAC-addresses for virtualization workloads. [4071](https://github.com/deckhouse/deckhouse/pull/4071)
- **[cni-cilium]** Perform routing lookup for custom tables. [4046](https://github.com/deckhouse/deckhouse/pull/4046)
- **[containerized-data-importer]** Make CDI working with `customCertificate`. [3985](https://github.com/deckhouse/deckhouse/pull/3985)
- **[log-shipper]** Add job label selector to alerts query. [4051](https://github.com/deckhouse/deckhouse/pull/4051)
- **[prometheus]** Increase Prometheus self sample limit. [4066](https://github.com/deckhouse/deckhouse/pull/4066)
- **[runtime-audit-engine]** Fix `K8sAudit` -> `k8s_audit` source convert action. [4134](https://github.com/deckhouse/deckhouse/pull/4134)

Chore


- **[cni-cilium]** Split `cilium` and `virt-cilium`. [4088](https://github.com/deckhouse/deckhouse/pull/4088)
All cilium agent Pods will be restarted.


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.44.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.44.0).

Features


- **[virtualization]** Kubevirt `v0.58.1`. [3989](https://github.com/deckhouse/deckhouse/pull/3989)

Fixes


- **[deckhouse-config]** Place the `deckhouse-config-webhook` on the same node as Deckhouse. [4014](https://github.com/deckhouse/deckhouse/pull/4014)
- **[istio]** D8IstioDeprecatedIstioVersionInstalled alert description clarification. [4010](https://github.com/deckhouse/deckhouse/pull/4010)
- **[log-shipper]** Fix the exclude clause for unschedulable nodes in the RateLimit alert. [4018](https://github.com/deckhouse/deckhouse/pull/4018)


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.44.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.44.0).

The following components will be restarted during the update from the Deckhouse v1.43
- Kubernetes Control Plane components
- Prometheus/Grafana
- `admission-policy-engine`
- `ceph-csi`
- `cloud-provider-vsphere`
- `istio`
- `log-shipper-agent`
- `node-manager`
- `node-local-dns`
- `operator-prometheus`
- `openvpn`
- `prometheus-metrics-adapter`
- `virtualization`


Component version updates:
- Alertmanager: `0.25.0`
- cilium: `1.11.14`
- Kubernetes control plane: `1.23.16`, `1.24.10`, `1.25.6`
- istio: `1.16.2`
- Kiali (istio): `1.62`
- Kubevirt: `0.58.1`
- Librdkafka (log-shipper): `2.0.2`
- Prometheus operator: `0.62.0`
- Vector: `0.27.0`

Major changes:

- **The new [operator-trivy](https://deckhouse.io/documentation/v1.44/modules/500-operator-trivy/) module** periodically runs the vulnerability scanning with [Trivy](https://github.com/aquasecurity/trivy). To use it, add the `security-scanning.deckhouse.io/enabled` label to a namespace. Scanning results are available in Grafana: the _Security / Trivy Image Vulnerability Overview_ dashboard.
- **The new [runtime-audit-engine](https://deckhouse.io/documentation/v1.44/modules/650-runtime-audit-engine/) module** identifies security threats. Unlike `operator-trivy`, this module analyzes audit events. `runtime-audit-engine` is based on the [Falco](https://falco.org/) project.
- **The new [flow-schema](https://deckhouse.io/documentation/v1.44/modules/011-flow-schema/) module** configures queues and priorities for some requests to the API server. It helps to avoid overloading the API server. This module is enabled by default.
- In the `openvpn` module, it is now possible to enable high availability mode using the [highAvailability](https://deckhouse.io/documentation/v1.44/modules/500-openvpn/configuration.html#parameters-highavailability) parameter — this will run two copies of the OpenVPN server. You can also activate [logging](https://deckhouse.io/documentation/v1.44/modules/500-openvpn/#users-traffic-audit) of user activity.
- Support for Istio `1.16` has been added. Istio `1.12` and `1.13` are no longer supported.
- Sending alerts to Telegram via the built-in Alertmanager has [become easier](https://deckhouse.io/documentation/v1.44/modules/300-prometheus/usage.html#sending-alerts-to-telegram) — it is enough to configure the connection in the [telegramConfigs](https://deckhouse.io/documentation/v1.44/modules/300-prometheus/cr.html#customalertmanager-v1alpha1-spec-internal-receivers-telegramconfigs) parameter and create the Secret. An additional proxy server is no longer needed.

See [CHANGELOG v1.44](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.44.md) for more details.

Know before update


- Fix restarts containerd services on nodes.

Fixes


- **[candi]** Update of containerd to `1.6.18`. [3929](https://github.com/deckhouse/deckhouse/pull/3929)
Fix restarts containerd services on nodes.


See [CHANGELOG v1.43](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.43.md) for more details.

Fixes


- **[cni-cilium]** Exclude vmCIDRs from SNAT. [3899](https://github.com/deckhouse/deckhouse/pull/3899)
- **[istio]** Yet another iptables fix — the upstream way. Got rid of iptables-wrapper in favor of hardcoded iptables-legacy. [3897](https://github.com/deckhouse/deckhouse/pull/3897)


See [CHANGELOG v1.43](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.43.md) for more details.