Deckhouse

Fixes


- **[deckhouse-controller]** Bump addon-operator version to fix mergo concurrent map writes. [5139](https://github.com/deckhouse/deckhouse/pull/5139)
- **[ingress-nginx]** Fix kruise DaemonSet handling on node drain. [5142](https://github.com/deckhouse/deckhouse/pull/5142)

For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.47.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.47.0).

Features


- **[ingress-nginx]** Tune Kruise controller's leader election and verbosity. [5092](https://github.com/deckhouse/deckhouse/pull/5092)
Kruise controller deployment will be updated and restarted.

Fixes


- **[candi]** Fix the install `containerd` step for cases when `NodeGroup` CRI changes from `docker` to `containerd`. [5086](https://github.com/deckhouse/deckhouse/pull/5086)
- **[deckhouse]** Fix `DeckhouseRelease` cleanup hook. Mark superseded releases in the right order. [5113](https://github.com/deckhouse/deckhouse/pull/5113)
- **[ingress-nginx]** Fix Kruise controller update logic when reverting a failed update. [5100](https://github.com/deckhouse/deckhouse/pull/5100)
Kruise controller manager will be restarted.
- **[linstor]** Rename `exported_node` to `node` in PrometheusRule. [5121](https://github.com/deckhouse/deckhouse/pull/5121)


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.47.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.47.0).

Fixes

- **[dhctl]** Add cache identity for a `kubeconfig` parameter in the `converge` command. [4961](https://github.com/deckhouse/deckhouse/pull/4961)
- **[ingress-nginx]** Update the Kruise controller manager before updating Ingress Nginx so that an updated Kruise controller manager takes care of Ingress nginx demonsets. [5050](https://github.com/deckhouse/deckhouse/pull/5050)
- **[linstor]** Update Linstor. Fix `D8LinstorControllerTargetDown` alert. [4823](https://github.com/deckhouse/deckhouse/pull/4823)
- **[node-manager]** Rework CRI requirements. Add ignoring `NodeGroup` with the `NotManaged` CRI type and Kubernetes version below `1.24`. [5033](https://github.com/deckhouse/deckhouse/pull/5033)
In the next release (v1.48) it will be impossible to update Deckhouse until docker is replaced with containerd.
- **[user-authn-crd]** Loosens the `applicationIngressCertificateSecretName` field's pattern to accept an empty string. [5067](https://github.com/deckhouse/deckhouse/pull/5067)


For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.47.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.47.0).

Important update notes
- Note that upgrading DRBD to `9.2.4` would require restarting the cluster nodes running the `linstor-node` component (all nodes in the cluster use it by default). You can control the node restart policy with the [approvalMode](https://deckhouse.io/documentation/v1/modules/040-node-manager/cr.html#nodegroup-v1-spec-disruptions-approvalmode) parameter.
- **Docker support will be discontinued** in the next Deckhouse release. We recommend that you plan ahead to switch the container runtime to containerd.

Major changes

- The [Istio](https://deckhouse.io/documentation/v1.47/modules/110-istio/) module is now available in the CE edition of Deckhouse. Note, however, that federation and multi-cluster features are not supported in CE.
- The new [Module](https://deckhouse.io/documentation/v1.47/modules/002-deckhouse/cr.html#module) resource (read-only) has been added. You can now use the `kubectl get modules` command to print a full list of Deckhouse modules in the cluster along with their statuses.
- It is now easier to change the container registry address in a Deckhouse cluster — just use the `deckhouse-controller` command (see the [documentation](https://deckhouse.io/documentation/v1.47/deckhouse-faq.html#how-do-i-switch-a-running-deckhouse-cluster-to-use-a-third-party-registry) for details).
- [Linstor](https://deckhouse.io/documentation/v1.47/modules/041-linstor/) now supports nodes with `SELinux` enabled.
- Support for _Debian 9_ and _Ubuntu 18.04_ has been discontinued. The `D8NodeHasDeprecatedOSVersion` alert will pop up if these OS versions are used.
- To increase standardization and improve security, a number of components (`kube-dns`, `kube-proxy`, `ingress-nginx`, etc.) have been shifted to building using Distroless images.
- The containerd runtime on nodes is reconfigured to use the `discard_unpacked_layers parameter`, which will save up to 35% of disk space allocated for image storage.

The following components will be restarted during the update

- **Ingress controller**
- **Prometheus/Grafana**
- Kubernetes Control Plane components
- `bashible-apiserver`
- `containerd` (on all nodes)
- `cni-flannel`
- `dashboard`
- `documentation`
- `kube-proxy`
- `kube-dns`
- `kruise-controller-manager` (`ingress-nginx` module)
- `linstor`
- `monitoring-kubernetes`
- `node-exporter`
- `falco`
- `trivy`, `operator-trivy`
- `upmeter`

Component version updates:

- DRBD (`linstor`): `9.2.4`
- Kubernetes control plane: `1.24.15`, `1.25.11`, `1.26.6`
- Falco (`runtime-audit-engine`): `0.35.0`
- Linstor:
- linstor-csi: `1.2.0`
- linstor-server: `1.23.0`
- piraeus-ha-controller: `1.1.4`
- piraeus-operator: `1.10.4`
- Trivy: `0.42`
- Trivy-operator: `0.14.0`

See [CHANGELOG v1.47](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.47.md) for more details.

Know before update


- NodePort services on a nodes without annotation were open to the world.

Fixes


- **[kube-proxy]** Fix `node.deckhouse.io/nodeport-bind-internal-ip` annotation behavior [5199](https://github.com/deckhouse/deckhouse/pull/5199)
NodePort services on a nodes without annotation were open to the world.

For more information, see the [changelog](https://github.com/deckhouse/deckhouse/blob/main/CHANGELOG/CHANGELOG-v1.46.md) and minor version [release changes](https://github.com/deckhouse/deckhouse/releases/tag/v1.46.0).