Update k8s packages (minor)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/gardener/gardener	v1.140.2 → v1.141.0
github.com/gardener/gardener/pkg/apis	v1.140.2 → v1.141.0
k8s.io/api	v0.35.4 → v0.36.0
k8s.io/apiextensions-apiserver	v0.35.4 → v0.36.0
k8s.io/apimachinery	v0.35.4 → v0.36.0
k8s.io/client-go	v0.35.4 → v0.36.0
k8s.io/code-generator	v0.35.4 → v0.36.0
k8s.io/component-base	v0.35.4 → v0.36.0

---

Release Notes

gardener/gardener (github.com/gardener/gardener)

v1.141.0

Compare Source

[github.com/gardener/gardener:v1.141.0]

⚠️ Breaking Changes

• [OPERATOR] The NewWorkerPoolHash feature gate has been promoted to GA and can no longer be disabled. by @​timuthy [#​14531]
• [OPERATOR] ⚠️ Gardener does no longer support Garden, Seed, or Shoot clusters with Kubernetes versions <= 1.30. Make sure to upgrade all existing clusters before upgrading to this Gardener version. by @​timuthy [#​14501]
• [USER] Newly created Shoots now have a set period of 28d for etcd encryption key rotation. by @​AleksandarSavchev [#​14034]
• [DEVELOPER] make gardenadm-up SCENARIO=connect now deploys the Gardener (gardener-operator and Garden resource) directly into the self-hosted shoot. Previously, it was deploying them next to the machine pods of the self-hosted shoot in the kind cluster. Use make gardenadm-up SCENARIO=connect-kind for the out-of-self-hosted-shoot deployment mode. by @​rfranzke [#​14387]
• [DEPENDENCY] The obsolete Provider field was removed from the extensionswebhook.Webhook struct. The field can be removed without substitution. by @​timuthy [#​14460]

📰 Noteworthy

• [OPERATOR] The gardener-resource-manager HA config webhook now uses ScheduleAnyway instead of DoNotSchedule for the hostname topology spread constraint when there is at most one node in the cluster. A new node-high-availability-config controller re-triggers the webhook when the node count crosses this threshold. by @​rfranzke [#​14595]
• [OPERATOR] machine-controller-manager's RBAC permissions for the source cluster have been reduced to follow the principle of least privilege. by @​dimityrmirchev [#​14372]
• [DEVELOPER] Added panic recovery to flow.Task to prevent a single task failure from crashing the entire controller. If you previously implemented custom panic recovery within your tasks, you can consider removing that custom panic recovery. by @​dergeberl [#​14606]
• [DEVELOPER] The local setup now includes a cloud-controller-manager-local, which is deployed for kind clusters (in the kube-system namespace) and for shoot clusters (in the control plane namespace). The cloud-controller-manager implements Services of type LoadBalancer by creating dedicated Docker containers listening on external IPs (automatically added to the host's loopback interface on kind cluster creation). This replaces previous hacks for implementing load balancers in provider-local and supports load balancers in shoot clusters for the first time. by @​timebertt [#​14415]
• [DEPENDENCY] Extension charts deployed on self-hosted shoot clusters may not receive .Values.gardener.seed when the shoot has not yet been promoted to a Seed. Charts should guard Seed-dependent values with {{ if .Values.gardener.seed }}. by @​rfranzke [#​14395]
• [DEPENDENCY] A new helper function BuildExtensionTypeNamespaceSelector has been introduced. It builds proper namespaces selectors for extension webhooks, based on the extension type and class attributes. by @​timuthy [#​14460]

✨ New Features

• [OPERATOR] Added spec.runtimeCluster.settings.loadBalancerServices.proxyProtocol.allowed and spec.runtimeCluster.settings.loadBalancerServices.externalTrafficPolicy to the Garden resource. When Allowed set to true, gardener-operator configures the Istio ingress gateway to terminate PROXY protocol, enabling preservation of the original client IP address for load balancers that use PROXY protocol. The explicit nature of the setting allows a seamless migration while enforcing a good security posture. ExternalTrafficPolicy allows configuring the Gateway either as Cluster (default) or Local, similar to the Seed. by @​jamand [#​14420]
• [OPERATOR] The gardener-node-agent now monitors the health of systemd units declared in the OperatingSystemConfig and reports a SystemdUnitsReady condition on the Node. Unhealthy units are surfaced on the Shoot via the EveryNodeReady condition. by @​rfranzke [#​14496]
• [USER] The Shoot spec field spec.kubernetes.kubeAPIServer.encryptionConfig.provider.type now supports the aesgcm and secretbox encryption provider types. The field is immutable. by @​AleksandarSavchev [#​14034]
• [USER] The Garden spec fields spec.virtualCluster.kubernetes.kubeAPIServer.encryptionConfig.provider.typeand spec.virtualCluster.gardener.gardenerAPIServer.encryptionConfig.provider.type now support the aesgcm and secretbox encryption provider types. The fields are immutable. by @​AleksandarSavchev [#​14034]

🐛 Bug Fixes

• [OPERATOR] The garbage collection logic now also deletes pods that are stuck due to preemption by the kubelet or scheduler. by @​rfranzke [#​14519]
• [OPERATOR] The observability setup is deleted as late as possible so that, in case an error occurs during the deletion of any components, there is still enough information available to investigate the issue. by @​iypetrov [#​14475]
• [OPERATOR] A bug was fixed where gardenadm init could fail due to a transient error while fetching the shoot-gardener-node-agent ManagedResource when the Kubernetes API server is temporarily unavailable due to static pod rollout. by @​ialidzhikov [#​14601]
• [OPERATOR] A bug has been fixed that caused unintentional ShootState creations for Shoots running on managed seed clusters (those backed by ManagedSeed objects). The affected ShootState resources are automatically cleaned up by gardenlet during start-up. by @​plkokanov [#​14666]
• [USER] Cluster-proportional autoscaling of coredns now works with Kubernetes >= 1.33 by @​ScheererJ [#​14638]
• [DEPENDENCY] The golangci-lint makefile install recipe can be used in Gardener extensions again. by @​timebertt [#​14555]

🏃 Others

• [OPERATOR] Gardener Discovery Server is now exposed directly via istio instead of nginx-ingress by @​ScheererJ [#​14587]
• [OPERATOR] Alertmanager is now exposed directly via istio instead of nginx-ingress by @​ScheererJ [#​14575]
• [OPERATOR] Vali is now exposed directly via istio instead of nginx-ingress by @​ScheererJ [#​14567]
• [OPERATOR] OpenTelemetry Collector is now exposed directly via istio instead of nginx-ingress by @​ScheererJ [#​14585]
• [OPERATOR] Use Info logging for admission denials instead of Error so that the full stack trace to every denial log entry does not get logged by @​DockToFuture [#​14561]
• [OPERATOR] Apiserver-Proxy uses a dedicated network interface apiserver-proxy for its advertised IP address. Requests from nodes such as kubelet probes will use the proper IP as per the route table again. by @​domdom82 [#​14440]
• [OPERATOR] Shoot advertised addresses are now configurable by extension components for Shoot VirtualService resources. by @​ScheererJ [#​14534]
• [OPERATOR] During Shoot reconciliation MachineDeployments are now deployed in parallel. This should speed up the reconciliation of the Worker resource. by @​plkokanov [#​14220]
• [OPERATOR] Resource limits have been removed for node-problem-detector by @​domdom82 [#​14450]
• [OPERATOR] Prometheus is now exposed directly via istio instead of nginx-ingress by @​ScheererJ [#​14573]
• [OPERATOR] Additional per nodegroup metrics can be exposed by cluster-autoscaler via the field .spec.kubernetes.clusterAutoscaler.emitPerNodeGroupMetrics in the Shoot API . by @​aaronfern [#​14557]
• [OPERATOR] Gardener Dashboard is now exposed directly via istio instead of nginx-ingress by @​ScheererJ [#​14586]
• [OPERATOR] Patch is now used to label all Machines with force-deletion: True instead of Update when the Shoot is being hibernated or deleted. Additionally, the function used to do this during the reconciliation of the Worker resource is now only executed once instead of for each MachineDeployment. by @​plkokanov [#​14220]
• [OPERATOR] The gardenadm init flow now determines Pod network availability by checking the Node's NetworkUnavailable condition instead of the shoot-core-coredns ManagedResource health. This is a prerequisite improvement for the control plane Node restoration feature. by @​ialidzhikov [#​14523]
• [OPERATOR] The following dependencies have been updated:
  • gardener/etcd-druid from v0.36.2 to v0.36.3. Release Notes
  • github.com/gardener/etcd-druid/api from v0.36.2 to v0.36.3. by @​Shreyas-s14 [#​14661]
• [OPERATOR] cluster-autoscaler now supports a new expander least-nodes from v1.31 onwards by @​aaronfern [#​14558]
• [OPERATOR] Plutono is now exposed directly via istio instead of nginx-ingress by @​ScheererJ [#​14142]
• [USER] VPN-related dashboards now show a shared crosshair on all panels. by @​domdom82 [#​14576]
• [DEVELOPER] The DinD version used in the remote local setup has been updated to v29. by @​vicwicker [#​14644]
• [DEVELOPER] make seed-down and make garden-down cleanup additional resources by @​matthias-horne [#​14547]
• [DEPENDENCY] The following dependencies have been updated:
  • quay.io/prometheus/node-exporter from v1.10.2 to v1.11.1. by @​gardener-ci-robot [#​14508]
• [DEPENDENCY] The following dependencies have been updated:
  • gcr.io/istio-release/pilot from 1.29.1 to 1.29.2.
  • gcr.io/istio-release/proxyv2 from 1.29.1 to 1.29.2.
  • istio.io/api from v1.29.1 to v1.29.2. by @​gardener-ci-robot [#​14582]
• [DEPENDENCY] Update kindest/node image to v1.35.1 (Kubernetes v1.35.1, containerd v2.2.1). by @​LucaBernstein [#​14421]
• [DEPENDENCY] The following dependencies have been updated:
  • credativ/vali from v2.2.31 to v2.2.32. Release Notes by @​gardener-ci-robot [#​14611]
• [DEPENDENCY] The following dependencies have been updated:
  • quay.io/kiwigrid/k8s-sidecar from 2.5.5 to 2.6.0. by @​gardener-ci-robot [#​14537]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/etcd-druid from v0.36.1 to v0.36.2. Release Notes
  • github.com/gardener/etcd-druid/api from v0.36.1 to v0.36.2. by @​gardener-ci-robot [#​14579]
• [DEPENDENCY] The following dependencies have been updated:
  • credativ/plutono from v7.5.46 to v7.5.47. Release Notes by @​gardener-ci-robot [#​14613]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/gardener-discovery-server from v0.9.0 to v0.10.0. Release Notes by @​gardener-ci-robot [#​14600]
• [DEPENDENCY] The following dependencies have been updated:
  • gardener/coredns-config-adapter from v0.5.0 to v0.6.0. Release Notes by @​gardener-ci-robot [#​14605]
• [DEPENDENCY] The following dependencies have been updated:
  • quay.io/prometheus/alertmanager from v0.31.1 to v0.32.0. by @​gardener-ci-robot [#​14538]
• [DEPENDENCY] The following dependencies have been updated:
  • envoyproxy/envoy from distroless-v1.37.0 to v1.37.2. Release Notes by @​gardener-ci-robot [#​14563]

application/spdx+json

• admission-controller-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller@sha256:4c0764b6cbd79bea391de905c444e8901f3ef901c9cc601a5b8fcf66394aa40a
• admission-controller-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller@sha256:a4bed35099c21fb59a719a718afc1f83040d4746a7dfaf81c4442e09725bf0ab
• apiserver-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver@sha256:549aafc0b61b16d9e7d6fa1ab0bd95bd68f0d7dfac77989be541e9551f4dc726
• apiserver-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver@sha256:b0675085cef3786d983b6a751cff7820b6dd896e55afccd99e07cefa2891f161
• controller-manager-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager@sha256:3757e8e04a1e555abbe832c72932211b4fb766ee8f3d6ded15c9acd6a14adde9
• controller-manager-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager@sha256:68bc182b3b1cbfcbbdb26bcb9b0ac5a182e0de0b1ae785c7f0fd9947e9653ccd
• gardenadm-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm@sha256:558ae9de4cfffe41cce57e22bc8505c9f38d54e0fb8feea7b06754970b9090a3
• gardenadm-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm@sha256:ca399bfd9253860c2a8f5287aec8ecdd90b8b4fa96e8694dede72a05f0fbe263
• gardenlet-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet@sha256:47b8d427ac8f6deee19004e196c2a3396edd5010293bb1272abd7aaa2d385dae
• gardenlet-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet@sha256:88953b01d223307b0ea3e05c8df24eeb1f08e5c1883b85be42b5e5da7a2f5af3
• node-agent-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent@sha256:97bbf8d719ee9a6a441aee3ea1690bcb054eaf5ee23b3e98ee7ba580e5732a80
• node-agent-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent@sha256:b40af8512c84cb32e56541716cba9036152e4393e9c810d0ea109d9e89f3abe7
• operator-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/operator@sha256:b687d0080c773f8b51d7e7fe262bd38774cace83dc175bd59e86b38d4378fa89
• operator-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/operator@sha256:de2bed5eedb5348fb5399b7ade0ec3569a247f75a6ea532b1365cab8c84cba59
• resource-manager-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager@sha256:127276658aff87d975ce690a0a862c0073d1c119028110d0a4dcb1a71e281c50
• resource-manager-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager@sha256:637b96ae9ddebe86ce4b36cb9a275b88a5dcd6cc7a7c1ac3993d7d93c0b89374
• scheduler-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler@sha256:118cf6da60ad6930362891b741ab79a4d596a5fc8933c2cef7f8cb9fe75653f8
• scheduler-spdx-ref: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler@sha256:f9aa546df5d17ae6fe8510da46bb403de6d5a594febec773258cf79886257ec6

Helm Charts

• controlplane: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/controlplane:v1.141.0
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/gardenlet:v1.141.0
• operator: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/operator:v1.141.0
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/charts/gardener/resource-manager:v1.141.0

Container (OCI) Images

• admission-controller: europe-docker.pkg.dev/gardener-project/releases/gardener/admission-controller:v1.141.0
• apiserver: europe-docker.pkg.dev/gardener-project/releases/gardener/apiserver:v1.141.0
• controller-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/controller-manager:v1.141.0
• gardenadm: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenadm:v1.141.0
• gardenlet: europe-docker.pkg.dev/gardener-project/releases/gardener/gardenlet:v1.141.0
• node-agent: europe-docker.pkg.dev/gardener-project/releases/gardener/node-agent:v1.141.0
• operator: europe-docker.pkg.dev/gardener-project/releases/gardener/operator:v1.141.0
• resource-manager: europe-docker.pkg.dev/gardener-project/releases/gardener/resource-manager:v1.141.0
• scheduler: europe-docker.pkg.dev/gardener-project/releases/gardener/scheduler:v1.141.0

kubernetes/api (k8s.io/api)

v0.36.0

Compare Source

kubernetes/apiextensions-apiserver (k8s.io/apiextensions-apiserver)

v0.36.0

Compare Source

kubernetes/apimachinery (k8s.io/apimachinery)

v0.36.0

Compare Source

kubernetes/client-go (k8s.io/client-go)

v0.36.0

Compare Source

kubernetes/code-generator (k8s.io/code-generator)

v0.36.0

Compare Source

kubernetes/component-base (k8s.io/component-base)

v0.36.0

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 54 additional dependencies were updated
• The go directive was updated for compatibility reasons

Details:

Package	Change
go	1.25.6 -> 1.26.0
istio.io/api	v1.29.1 -> v1.29.2
istio.io/client-go	v1.29.1 -> v1.29.2
github.com/aws/aws-sdk-go-v2	v1.39.6 -> v1.41.2
github.com/aws/aws-sdk-go-v2/config	v1.31.17 -> v1.32.10
github.com/aws/aws-sdk-go-v2/credentials	v1.18.21 -> v1.19.10
github.com/aws/aws-sdk-go-v2/feature/ec2/imds	v1.18.13 -> v1.18.18
github.com/aws/aws-sdk-go-v2/internal/configsources	v1.4.13 -> v1.4.18
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2	v2.7.13 -> v2.7.18
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding	v1.13.3 -> v1.13.5
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url	v1.13.13 -> v1.13.18
github.com/aws/aws-sdk-go-v2/service/sso	v1.30.1 -> v1.30.11
github.com/aws/aws-sdk-go-v2/service/ssooidc	v1.35.5 -> v1.35.15
github.com/aws/aws-sdk-go-v2/service/sts	v1.39.1 -> v1.41.7
github.com/aws/smithy-go	v1.23.2 -> v1.24.1
github.com/gardener/cert-management	v0.19.0 -> v0.22.0
github.com/gardener/etcd-druid/api	v0.36.2 -> v0.36.3
github.com/go-openapi/errors	v0.22.6 -> v0.22.7
github.com/go-openapi/jsonpointer	v0.22.4 -> v0.22.5
github.com/go-openapi/jsonreference	v0.21.4 -> v0.21.5
github.com/go-openapi/swag/conv	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/fileutils	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/jsonname	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/jsonutils	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/loading	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/mangling	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/stringutils	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/typeutils	v0.25.4 -> v0.25.5
github.com/go-openapi/swag/yamlutils	v0.25.4 -> v0.25.5
github.com/klauspost/compress	v1.18.4 -> v1.18.5
go.opentelemetry.io/otel	v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/exporters/otlp/otlplog/otlploghttp	v0.18.0 -> v0.19.0
go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp	v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace	v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp	v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/log	v0.18.0 -> v0.19.0
go.opentelemetry.io/otel/metric	v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/sdk	v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/sdk/log	v0.18.0 -> v0.19.0
go.opentelemetry.io/otel/sdk/metric	v1.42.0 -> v1.43.0
go.opentelemetry.io/otel/trace	v1.42.0 -> v1.43.0
go.opentelemetry.io/proto/otlp	v1.9.0 -> v1.10.0
golang.org/x/oauth2	v0.35.0 -> v0.36.0
google.golang.org/genproto/googleapis/api	v0.0.0-20260226221140-a57be14db171 -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/genproto/googleapis/rpc	v0.0.0-20260226221140-a57be14db171 -> v0.0.0-20260401024825-9d38bb4040a9
google.golang.org/grpc	v1.79.3 -> v1.80.0
google.golang.org/protobuf	v1.36.11 -> v1.36.12-0.20260120151049-f2248ac996af
helm.sh/helm/v3	v3.20.1 -> v3.20.2
k8s.io/klog/v2	v2.130.1 -> v2.140.0
k8s.io/kube-aggregator	v0.35.3 -> v0.35.4
k8s.io/kube-openapi	v0.0.0-20260127142750-a19766b6e2d4 -> v0.0.0-20260317180543-43fb72c5454a
k8s.io/kubelet	v0.35.3 -> v0.35.4
k8s.io/metrics	v0.35.3 -> v0.35.4
k8s.io/pod-security-admission	v0.35.3 -> v0.35.4
sigs.k8s.io/gateway-api	v1.3.0 -> v1.5.0