Changelog v1.74.2

Features

• [metrics-storage] Add graph for LVM stats in Node dashboard #16795
• [prometheus] Replace PrometheusRules with ClusterObservabilityMetricsRulesGroups or ClusterObservabilityPropagatedMetricsRulesGroups when deployed using helm_lib_prometheus_rules helper and the observability module is enabled #17329

Fixes

• [candi] Remove duplicate additional_disks_hashes definition in static-node Terraform module. #17441
• [candi] Updated the bashible step to include Linux kernel versions that address CVE-2025-37999 #17300
• [candi] Allow manually stopping DVP node VirtualMachines in nested clusters by using runPolicy AlwaysOnUnlessStoppedManually. #17110
• [cloud-provider-azure] fixed cve #16839
• [cloud-provider-dvp] this PR gives a lot more informational errors and messages to user #17165
• [cloud-provider-openstack] fix cve #17082
• [common] Latest CVEs are fixed. #17222
  All pods running kube-rbac-proxy will be restarted.
• [deckhouse] Fix module installer cleanup. #17301
• [deckhouse-controller] Exclude all service accounts from d8- namespaces in d8ms-prefix ValidatingAdmissionPolicy. #17440
• [ingress-nginx] Latest CVEs are fixed. #17222
  All pods running kube-rbac-proxy will be restarted.
• [registry] Omitted the auth field in DockerConfig when credentials (username and password) are empty. #17333

For more information, see the changelog and minor version release changes.

Changelog v1.73.13

Fixes

• [candi] Updated the bashible step to include Linux kernel versions that address CVE-2025-37999 #17369
• [istio] Fix CVE for Istio version 1.21 and 1.25 #17298
• [loki] disable send analytics report to stats.grafana.org #17109
  config module loki ↓
• [registry] Omitted the auth field in DockerConfig when credentials (username and password) are empty. #17332

For more information, see the changelog and minor version release changes.

Changelog v1.74.1

Features

• [common] Resource quota ignore mechanism for pvc and pods #17068
• [dhctl] Skipped application edition validation for standalone builds. #17154

Fixes

• [candi] remove excessive netcat calls from d8-shutdown-inhibitor #17153
• [candi] Add pause and kubernetes-api-proxy registry packages to bashible bb-package-fetch to prevent node failures during containerd major upgrades. #17047
• [deckhouse] Fix module docs rendering. #17245
• [deckhouse] Fix module enabling. #17057
• [extended-monitoring] Add namespace-scoped overrides #17213
• [ingress-nginx] Improved stability of geoproxy service startup. #17140
• [multitenancy-manager] Add validation to restrict Project name length to 53 characters. #16926
  Prevents creation of Projects with too-long names that would lead to invalid generated Kubernetes resource names.
• [node-manager] remove excessive netcat calls from d8-shutdown-inhibitor #17153
• [node-manager] It fixes issues in the DaemonSet manifest for fencing module. #17087
• [user-authn] Quote service names to prevent digit-only names from breaking yaml parser #17020
• [user-authz] Allow project-scoped roles to access Cluster-wide objects #16896

Chore

• [dhctl] Expand SSH output logs on errors for debug, verbose purposes. #16915

For more information, see the changelog and minor version release changes.

⚠️ Important

• Support for Kubernetes 1.34 has been added, while support for Kubernetes 1.29 has been discontinued. In future DKP releases, support for Kubernetes 1.30 will be removed. The default Kubernetes version (used when the kubernetesVersion parameter is set to Automatic) has been changed to 1.32.

✨ Major changes

• Added support for managing experimental and alpha Kubernetes features (feature gates) using the enabledFeatureGates parameter of the control-plane-manager module. For details on managing these features in DKP, refer to the module documentation.
• The --terminated-pod-gc-threshold parameter (the termination threshold for evicted pods) is now calculated automatically based on the number of nodes in the cluster. This provides a balance between cluster stability and the ability to perform diagnostics. Threshold values are available in the control-plane-manager module documentation.
• The maximum number of pods (maxPods) for a node group is now set automatically based on the podSubnetNodeCIDRPrefix parameter from ClusterConfiguration (unless explicitly specified). This ensures stable cluster operation.
• Added the vipAddress parameter to the HuaweiCloudInstanceClass resource of the Huawei Cloud provider, allowing you to specify a virtual IP address for all nodes in the instance class.
• The Huawei Cloud provider configuration now allows overriding the primary network for the main network interface (mainNetwork) and specifying subnets for additional network interfaces (additionalNetworks) on both CloudPermanent and CloudEphemeral nodes.
• The archive with debugging data is now collected using the d8 tool. If you need to collect diagnostic data, follow the instructions.
• Now when hook execution fails, all metrics collected by that hook are preserved. This prevents loss of debugging information and simplifies the following root-cause analysis.
• Fixed a Deckhouse queue freeze in hybrid clusters that occurred when module configuration parameters were incomplete.

🔒 Security

• Implemented module integrity control based on the EROFS filesystem to improve security and prevent unauthorized modifications. The new system requires kernel support for dm-verity and EROFS.

🌐 Network

• Added support for the SCTP (Stream Control Transmission Protocol). Applications using this protocol can now run in a Deckhouse cluster.
• Added a geoproxy auxiliary microservice to the ingress-nginx module. This service is aimed at improving the stability of the Ingress NGINX Controller when working with GeoIP databases and provides the following features:
  • MaxMind license saving (databases are downloaded from a single point once a day).
  • Persistent data storage (if components are restarted, it doesn’t require accessing the MaxMind servers).
  • Lets you specify a custom mirror for downloading databases.
• Added the Prometheus metric bpf_progs_complexity_max_verified_insts to assess the number of instructions in eBPF programs loaded into the kernel on cluster nodes. This metric helps evaluate the compatibility of the networking subsystem with the node kernels. The metric requires Linux kernel version 5.16 or newer.
• Added a new metric (geoip_version) and dashboards for monitoring GeoIP functionality in the cluster.
• Fixed issues with simultaneous updates of the node-local-dns module and the networking subsystem.

Component version updates

The following DKP components have been updated:

• d8 (Deckhouse CLI): v0.24.2
• gatekeeper: v3.20.1
• Kubernetes Control Plane: 1.31.14, 1.32.10 1.33.6
• metallb: v0.15.2
• Nginx (for NGINX Ingress controller v1.12): 1.26.1

Changelog v1.73.12

⚠️ Important

• All DKP components will be restarted during the update.

Fixes

• [cloud-provider-vsphere] fix stale session for cloud-data-discoverer #17089
• [istio] fixing the CVE in Kiali #17045

For more information, see the changelog and minor version release changes.

Changelog v1.73.11

⚠️ Important

• Ingress controllers will be restarted during the update.

Fixes

• [dashboard] Fixed CVE-2025-30204 by updating dashboard components #16927
• [deckhouse] Fix module enabling. #17043
• [registrypackages] Update integrity patch for containerd (cse only). #17028

For more information, see the changelog and minor version release changes.

Changelog v1.73.10

Fixes

• [cloud-provider-dvp] Added functionality to wait for a disk to be attached to a VM #16965
• [cloud-provider-huaweicloud] fix CSI unpublishValidation for non exist ECS instance #16916
• [registrypackages] Update integrity patch for containerd (cse only). #17000
• [service-with-healthchecks] Fixed CVEs #16950
• [user-authz] cache namespace label checks in the user-authz webhook via informer to avoid per-request apiserver GETs #16920

For more information, see the changelog and minor version release changes.

Changelog v1.73.9

Fixes

• [deckhouse-controller] Fix conversions for external modules #16851
• [dhctl] Fix parallel bootstrap cloud permanent nodes #16886

Chore

• [docs] Add NGC examples for automatically installation of NVIDIA drivers. #16864

For more information, see the changelog and minor version release changes.

Changelog v1.72.12

Fixes

• [deckhouse-controller] Fix conversions for external modules #16891
• [deckhouse-controller] Fixed verifying migrated modules #16873
• [deckhouse-controller] Fixed a crash during external module updates with conversions that caused ModuleRelease to fail validation due to a forbidden property error. #16849
• [istio] Fixed AuthorizationPolicy CRD insufficiency for Istio 1.25. #16605

For more information, see the changelog and minor version release changes.

Changelog v1.73.8

Fixes

• [cloud-provider-yandex] cloud-provider-yandex CVE's was fixed #16611
• [cni-cilium] The MTU configuration has been updated. #16751
  The MTU will be updated on all interfaces of all pods.
• [deckhouse-controller] Fix "multiple readiness hooks found" error on hook registration retry after failure. #16776
• [dhctl] Fix panic during destroy. Change opentofu log level to INFO. #16726
• [prometheus] Fix namespace label value in the Ingress Nginx controller and several other metrics #16720
  Ingress Nginx controller dashboards are fixed
• [user-authn] Fix BadRequest after the change password redirect when password policy is enabled #16744
• [user-authn] Fix login error 500 with password policy enabled. #16703

For more information, see the changelog and minor version release changes.