Deckhouse

Fixes


- **[user-authn]** Fix the problem when the user is not allowed to access web interfaces if the allowed groups option is specified in Dex authenticator. [9514](https://github.com/deckhouse/deckhouse/pull/9514)

Chore


- **[admission-policy-engine]** Update the list of excluded sa. [9505](https://github.com/deckhouse/deckhouse/pull/9505)


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.63.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.63.0).

Fixes


- **[dhctl]** Fixed checking the length of the list of external IP addresses in the `YandexClusterConfiguration`. [9449](https://github.com/deckhouse/deckhouse/pull/9449)
- **[dhctl]** Fix static installation consume 100% of CPU. [9359](https://github.com/deckhouse/deckhouse/pull/9359)
- **[user-authn]** Update `client-groups.patch` for Dex. [9465](https://github.com/deckhouse/deckhouse/pull/9465)
- **[user-authn]** Show real ip addresses in dex and dex-authenticator logs. [9221](https://github.com/deckhouse/deckhouse/pull/9221)


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.63.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.63.0).

Features


- **[admission-policy-engine]** Add validating `spec.enforcementAction` in constraints resources. [9427](https://github.com/deckhouse/deckhouse/pull/9427)

Fixes


- **[candi]** Fix catch exit codes in cloud-providers bootstrap-network scripts. [9448](https://github.com/deckhouse/deckhouse/pull/9448)
- **[candi]** Before running `kubectl` check if it exists. [9438](https://github.com/deckhouse/deckhouse/pull/9438)
- **[istio]** Granted permissions for `istio-cni-node` to restart pods without properly configured iptables for traffic redirection. [9444](https://github.com/deckhouse/deckhouse/pull/9444)

Chore


- **[snapshot-controller]** Bump snapshot-controller version to `v8.0.1`. [9428](https://github.com/deckhouse/deckhouse/pull/9428)


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.63.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.63.0).

Fixes


- **[candi]** Fix bootstrap network script for nodes with many interfaces for cloud-provider Yandex Cloud. [9408](https://github.com/deckhouse/deckhouse/pull/9408)
- **[deckhouse]** Allow admins to change objects with `kind=StorageClass`. [9398](https://github.com/deckhouse/deckhouse/pull/9398)
- **[deckhouse]** Allow admins to change objects with `kind=StorageClass`. [9362](https://github.com/deckhouse/deckhouse/pull/9362)
- **[global-hooks]** Fixed the Services with multiple ports broken by Helm. [9392](https://github.com/deckhouse/deckhouse/pull/9392)
- **[log-shipper]** Fix JSON codec for socket destination. [9385](https://github.com/deckhouse/deckhouse/pull/9385)
- **[multitenancy-manager]** Fix templates. [9358](https://github.com/deckhouse/deckhouse/pull/9358)


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.63.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.63.0).

Features


- **[log-shipper]** Add GELF codec to Socket destination. Now it is possible to send logs to Graylog. [9306](https://github.com/deckhouse/deckhouse/pull/9306)

Fixes


- **[candi]** Fix for node bootstrap in CE. [9323](https://github.com/deckhouse/deckhouse/pull/9323)
- **[cloud-provider-vcd]** Create virtual machine NIC before the VM starts. [9255](https://github.com/deckhouse/deckhouse/pull/9255)
- **[istio]** Fix istio module operability in managed K8s setups. [9275](https://github.com/deckhouse/deckhouse/pull/9275)
- **[network-policy-engine]** Downgrade iptables version from `1.8.10` to `1.8.9` due to iptables chains overflow. You need to clear unwanted iptables rules manually or reboot the affected nodes. [9315](https://github.com/deckhouse/deckhouse/pull/9315)
- **[node-manager]** Fix role rights for cluster-autoscaler `1.29`, `1.30`. [9294](https://github.com/deckhouse/deckhouse/pull/9294)
- **[registrypackages]** Downgrade iptables version from `1.8.10` to `1.8.9`. [9315](https://github.com/deckhouse/deckhouse/pull/9315)
- **[upmeter]** Fixed status page CSS in air-gapped environments. [9287](https://github.com/deckhouse/deckhouse/pull/9287)
- **[upmeter]** Fixed flapping status page API. [9287](https://github.com/deckhouse/deckhouse/pull/9287)

Chore


- **[ingress-nginx]** Add an example of usage ingress-nginx with _L2LoadBalancer_ inlet. [9214](https://github.com/deckhouse/deckhouse/pull/9214)


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.63.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.63.0).

Major changes

- Grafana v8 has been replaced with Grafana v10. The old version of Grafana is now available at grafana-v8 ( as per the cluster DNS name schema).
- Sidecar containers now have a default CPU utilization limit of 2 cores in Istio (you can change it in the [sidecar.resourcesManagement.static.limits.cpu](https://deckhouse.io/documentation/v1.63/modules/110-istio/configuration.html#parameters-sidecar-resourcesmanagement-static-limits-cpu) parameter). To apply it to existing pods, restart them.
- In the runtime-audit-engine module, the validation hook port has been changed from 9680 to 4227. This may require updating firewall rules if traffic to cluster master nodes is subject to filtering.
- The ability to send logs to Graylog — support for the GELF codec ([spec.socket.encoding.codec parameter](https://deckhouse.io/documentation/v1.63/modules/460-log-shipper/cr.html#clusterlogdestination-v1alpha1-spec-socket-encoding-codec)) has been added.
- A new type of Ingress controller [inlets](https://deckhouse.io/documentation/v1.63/modules/402-ingress-nginx/cr.html#ingressnginxcontroller-v1-spec-inlet) has been introduced — LoadBalancerWithSSLPassthrough and HostPortWithSSLPassthrough. You can use them to forward SSL traffic without terminating it on the Ingress Controller.
- The [l2-load-balancer module](https://deckhouse.io/documentation/v1.63/modules/381-l2-load-balancer/) has been redesigned, featuring a new load balancer implementation for bare-metal clusters where neither a cloud load balancer nor MetalLB in BGP mode is available.
- You can now delegate static nodes configured without [Cluster API Provider Static](https://deckhouse.io/documentation/v1.63/modules/040-node-manager/#cluster-api-provider-static) (CAPS) to the CAPS control. To do this, set the static.node.deckhouse.io/skip-bootstrap-phase: "" annotation in the corresponding StaticInstance resource
- The option to specify an organization as the first part of the path template for cloud node master and persistent groups in vCloud Director has been added.
- Token-based authentication for clouds has been introduced in vCloud Director.
- Installer pre-checks that report potential DKP installation issues prior to installation have been updated.
- The installer algorithm has been revised to include retries for installation steps in case of failure.
- Validation of the user's email and password fields has been added when creating a user (note that these fields are mandatory).
- The documentation has been expanded to include a list of [all monitoring alerts](https://deckhouse.io/documentation/v1.63/alerts.html).

Security

- The cni-cilium module has been migrated to distroless builds.

Component version updates

- Kubernetes control plane: `v1.27.16`, `v1.28.12`, `v1.29.7`, `v1.30.3`
- Grafana v10.4.5.
- helm_lib: `1.28.0`
- addon-operator: `v1.4.2`
- Deckhouse CLI: `0.3.1`
- dex: `2.41.0`
- NGINX Ingress Controller `v1.10.3`

A list of internal modules or their components that will be restarted during the upgrade

- Kubernetes control plane
- Grafana
- cilium
- Ingress controller v10
- Kruise controller manager
- deckhouse
- dex
- documentation

See [CHANGELOG v1.63](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.63.md) for more details.