Drop support for Kubernetes 1.9

Usage was also not recommended due to CVE-2018-1002105.

NOTICE.md

@@ -1,5 +1,5 @@
 ## Gardener  
-Copyright (c) 2017-2018 SAP SE or an SAP affiliate company. All rights reserved.     
+Copyright (c) 2017-2019 SAP SE or an SAP affiliate company. All rights reserved.     
 
 ## Seed Source
 

charts/seed-controlplane/charts/cloud-controller-manager/templates/cloud-controller-manager.yaml

@@ -53,9 +53,6 @@ spec:
         imagePullPolicy: IfNotPresent
         command:
         - /hyperkube
-        {{- if semverCompare "< 1.10" .Values.kubernetesVersion }}
-        - alpha
-        {{- end }}
         - cloud-controller-manager
         - --allocate-node-cidrs=true
         - --cloud-provider={{ .Values.cloudProvider }}
@@ -77,9 +74,7 @@ spec:
         - --tls-cert-file=/var/lib/cloud-controller-manager-server/cloud-controller-manager-server.crt
         - --tls-private-key-file=/var/lib/cloud-controller-manager-server/cloud-controller-manager-server.key
         {{- end }}
-        {{- if semverCompare ">= 1.10" .Values.kubernetesVersion }}
         - --tls-cipher-suites={{ include "kubernetes.tlsCipherSuites" . | replace "\n" "," | trimPrefix "," }}
-        {{- end }}
         - --use-service-account-credentials
         - --v=2
         {{- range $index, $param := $.Values.additionalParameters }}

charts/seed-controlplane/charts/kube-addon-manager/values.yaml

@@ -10,4 +10,4 @@ images:
 shootAPIServer:
   Capabilities:
     KubeVersion:
-      GitVersion: v1.9
+      GitVersion: v1.13

charts/seed-controlplane/charts/kube-apiserver/templates/kube-apiserver.yaml

@@ -40,12 +40,8 @@ spec:
         command:
         - /hyperkube
         - apiserver
-        {{- if semverCompare "< 1.10" .Values.kubernetesVersion }}
-        - --admission-control={{ include "kube-apiserver.admissionPlugins" . | trimSuffix "," }}
-        {{- else }}
         - --enable-admission-plugins={{ include "kube-apiserver.admissionPlugins" . | trimSuffix "," }}
         - --disable-admission-plugins=PersistentVolumeLabel
-        {{- end }}
         - --admission-control-config-file={{ include "kube-apiserver.admissionPluginConfigFileDir" . }}/admission-configuration.yaml
         {{- if .Values.advertiseAddress }}
         - --advertise-address={{ .Values.advertiseAddress }}
@@ -61,9 +57,7 @@ spec:
         - --client-ca-file=/srv/kubernetes/ca/ca.crt
         - --enable-aggregator-routing=true
         - --enable-bootstrap-token-auth=true
-        {{- if semverCompare ">= 1.9.7" .Values.kubernetesVersion }}
         - --http2-max-streams-per-connection=1000
-        {{- end }}
         {{- if .Values.endpointReconcilerType }}
         - --endpoint-reconciler-type={{ .Values.endpointReconcilerType }}
         {{- end }}
@@ -91,9 +85,7 @@ spec:
         - --service-account-key-file=/srv/kubernetes/service-account-key/id_rsa
         - --tls-cert-file=/srv/kubernetes/apiserver/kube-apiserver.crt
         - --tls-private-key-file=/srv/kubernetes/apiserver/kube-apiserver.key
-        {{- if semverCompare ">= 1.10" .Values.kubernetesVersion }}
         - --tls-cipher-suites={{ include "kubernetes.tlsCipherSuites" . | replace "\n" "," | trimPrefix "," }}
-        {{- end }}
         - --v=2
 {{- range $index, $param := $.Values.additionalParameters }}
         - {{ $param }}

charts/seed-controlplane/charts/kube-controller-manager/templates/_helpers.tpl

@@ -3,22 +3,3 @@
 - --feature-gates={{ range $feature, $enabled := .Values.featureGates }}{{ $feature }}={{ $enabled }},{{ end }}
 {{- end }}
 {{- end -}}
-
-{{- define "kube-controller-manager.controllers" -}}
-{{- if and (semverCompare "< 1.10" .Values.kubernetesVersion) (ne .Values.cloudProvider "") }}
-- --controllers=*,bootstrapsigner,tokencleaner,-service,-route
-{{- else }}
-- --controllers=*,bootstrapsigner,tokencleaner
-{{- end }}
-{{- end -}}
-
-{{- define "kube-controller-manager.cloudProviderFlags" -}}
-{{- if (ne .Values.cloudProvider "") }}
-{{- if semverCompare "< 1.10" .Values.kubernetesVersion }}
-- --cloud-provider={{ .Values.cloudProvider }}
-{{- else }}
-- --cloud-provider=external
-- --external-cloud-volume-plugin={{ .Values.cloudProvider }}
-{{- end }}
-{{- end }}
-{{- end -}}

charts/seed-controlplane/charts/kube-controller-manager/templates/kube-controller-manager.yaml

@@ -56,7 +56,7 @@ spec:
         - controller-manager
         - --allocate-node-cidrs=true
         - --attach-detach-reconcile-sync-period=1m0s
-        {{- include "kube-controller-manager.controllers" . | indent 8 }}
+        - --controllers=*,bootstrapsigner,tokencleaner
         # We already have the cloud-controller-manager in place and deploy it next to every Shoot control plane.
         # Though the kube-controller-manager should no longer require the cloud provider credentials or the cloud
         # config after this change, the fact that we do not have a CSI plugin for the volumes in place yet, we still
@@ -65,7 +65,10 @@ spec:
         # hence, once we have it we can also isolate KCM from interaction with the cloud.
         # For the same reasons, the kubelet still needs the information and can be excluded from interacting with the cloud
         # API once we have CSI.
-        {{- include "kube-controller-manager.cloudProviderFlags" . | indent 8 }}
+        {{- if (ne .Values.cloudProvider "") }}
+        - --cloud-provider=external
+        - --external-cloud-volume-plugin={{ .Values.cloudProvider }}
+        {{- end }}
         - --cloud-config=/etc/kubernetes/cloudprovider/cloudprovider.conf
         - --cluster-cidr={{ .Values.podNetwork }}
         - --cluster-name={{ .Values.clusterName }}
@@ -99,9 +102,7 @@ spec:
         - --tls-cert-file=/var/lib/kube-controller-manager-server/kube-controller-manager-server.crt
         - --tls-private-key-file=/var/lib/kube-controller-manager-server/kube-controller-manager-server.key
         {{- end }}
-        {{- if semverCompare ">= 1.10" .Values.kubernetesVersion }}
         - --tls-cipher-suites={{ include "kubernetes.tlsCipherSuites" . | replace "\n" "," | trimPrefix "," }}
-        {{- end }}
         - --use-service-account-credentials=true
         - --v=2
         {{- range $index, $param := $.Values.additionalParameters }}

charts/seed-controlplane/charts/kube-scheduler/values.yaml

@@ -1,4 +1,4 @@
-kubernetesVersion: 1.9.1
+kubernetesVersion: 1.13.1
 replicas: 1
 podAnnotations: {}
 featureGates: {}

charts/seed-monitoring/charts/prometheus/values.yaml

@@ -16,7 +16,7 @@ ingress:
   # admin : admin base64 encoded
   basicAuthSecret: YWRtaW46JGFwcjEkSWRSaVM5c3MkR3U1MHMxaGUwL2Z6Tzh2elE4S1BEMQ==
 
-kubernetesVersion: 1.10.0
+kubernetesVersion: 1.13.1
 
 namespace:
   uid: 100c3bb5-48b9-4f88-96ef-48ed557d4212

charts/shoot-cloud-config/charts/original/templates/kubelet/_kubelet-binary

@@ -9,10 +9,8 @@
   encoding: b64
   content: {{ .cloudProvider.config | b64enc }}
 {{- end }}
-{{- if semverCompare ">= 1.10" .kubernetes.version }}
 - path: /var/lib/kubelet/config/kubelet
   permissions: 0644
   encoding: b64
   content: {{ include "kubelet-config" . | b64enc }}
-{{- end }}
 {{- end -}}

charts/shoot-cloud-config/charts/original/templates/kubelet/_kubelet.flags

@@ -1,47 +1,4 @@
 {{- define "kubelet-flags" -}}
-{{- if semverCompare "< 1.10" .kubernetes.version -}}
---allow-privileged=true \
---anonymous-auth=false \
---client-ca-file=/var/lib/kubelet/ca.crt \
---authentication-token-webhook \
---authorization-mode=Webhook \
---bootstrap-kubeconfig=/var/lib/kubelet/kubeconfig-bootstrap \
---cgroup-root="/" \
---cloud-provider={{ .cloudProvider.name }} \
-{{- if .cloudProvider.config }}
---cloud-config=/var/lib/kubelet/cloudprovider.conf \
-{{- end }}
---cluster-dns="{{ required "kubernetes.clusterDNS is required" .kubernetes.clusterDNS }}" \
---cluster-domain={{ required "kubernetes.domain is required" .kubernetes.domain }} \
---cni-bin-dir=/opt/cni/bin/ \
---cni-conf-dir=/etc/cni/net.d/ \
---cadvisor-port=0 \
---enable-debugging-handlers=true \
---event-burst=25 \
---event-qps=25 \
---eviction-hard="memory.available<{{ .worker.evictionHardMemoryAvailable }},nodefs.available<5%,nodefs.inodesFree<5%,imagefs.available<5%,imagefs.inodesFree<5%" \
---eviction-soft="memory.available<{{ .worker.evictionSoftMemoryAvailable }},nodefs.available<10%,nodefs.inodesFree<10%,imagefs.available<10%,imagefs.inodesFree<10%" \
---eviction-soft-grace-period="memory.available=1m30s,nodefs.available=1m30s,nodefs.inodesFree=1m30s,imagefs.available=1m30s,imagefs.inodesFree=1m30s" \
---eviction-max-pod-grace-period="90" \
---eviction-pressure-transition-period="4m" \
-{{- if (include "kubelet.featureGates" .) }}
-{{- include "kubelet.featureGates" . | trimSuffix "," }} \
-{{- end }}
---kube-api-burst=50 \
---kube-api-qps=50 \
---image-gc-high-threshold=50 \
---image-gc-low-threshold=40 \
---kubeconfig=/var/lib/kubelet/kubeconfig-real \
---kube-reserved=cpu="80m",memory="1Gi" \
---network-plugin=cni \
---node-labels="kubernetes.io/role=node,node-role.kubernetes.io/node=,worker.garden.sapcloud.io/group={{ required "workers.name is required" .worker.name }}" \
---read-only-port=0 \
---rotate-certificates=true \
-{{- range $index, $param := .kubernetes.kubelet.parameters }}
-{{ $param }} \
-{{- end }}
---v=2
-{{- else -}}
 --allow-privileged=true \
 --bootstrap-kubeconfig=/var/lib/kubelet/kubeconfig-bootstrap \
 --cloud-provider={{ .cloudProvider.name }} \
@@ -64,7 +21,6 @@
 {{ $param }} \
 {{- end }}
 --v=2
-{{- end }}
 {{- if semverCompare "< 1.11" .kubernetes.version }}
 --feature-gates=PodPriority=true \
 {{- end }}

charts/shoot-core/charts/kube-proxy/templates/componentconfig.yaml

@@ -16,11 +16,7 @@ data:
     clusterCIDR: {{ .Values.global.podNetwork }}
     conntrack:
       maxPerCore: 524288
-    {{- if semverCompare "< 1.10-0" .Capabilities.KubeVersion.GitVersion }}
-    {{- include "kube-proxy.featureGates" . | trimSuffix "," | indent 4 }}
-    {{- else }}
     {{- if .Values.featureGates }}
     featureGates:
 {{ toYaml .Values.featureGates | indent 6 }}
     {{- end }}
-    {{- end }}

charts/utils-templates/templates/_versions.tpl

@@ -43,11 +43,7 @@ apps/v1
 {{- end -}}
 
 {{- define "apiserviceversion" -}}
-{{- if semverCompare ">= 1.10-0" .Capabilities.KubeVersion.GitVersion -}}
 apiregistration.k8s.io/v1
-{{- else -}}
-apiregistration.k8s.io/v1beta1
-{{- end -}}
 {{- end -}}
 
 {{- define "networkpolicyversion" -}}
@@ -83,9 +79,5 @@ policy/v1beta1
 {{- end -}}
 
 {{- define "podsecuritypolicyversion" -}}
-{{- if semverCompare ">= 1.10-0" .Capabilities.KubeVersion.GitVersion -}}
 policy/v1beta1
-{{- else -}}
-extensions/v1beta1
-{{- end -}}
 {{- end -}}

docs/development/local_setup.md

@@ -338,7 +338,7 @@ $ kubectl --namespace shoot--dev--local get secret kubecfg -o jsonpath="{.data.k
 # Depending on your Internet speed, it can take some time, before your node reports a READY status.
 $ kubectl --kubeconfig dev/shoot-kubeconfig get nodes
 NAME                    STATUS    ROLES     AGE       VERSION
-192.168.99.201.nip.io   Ready     node      1m        v1.9.1
+192.168.99.201.nip.io   Ready     node      1m        v1.12.4
 ```
 
 > Note: It is required that your minikube has network connectivity to the nodes created by Vagrant.

docs/proposals/01-extensibility.md

@@ -96,9 +96,9 @@ spec:
   - type: unmanaged
   kubernetes:
     versions:
+    - 1.12.1
     - 1.11.0
     - 1.10.5
-    - 1.9.8
   machineTypes:
   - name: m4.large
     cpu: "2"

docs/usage/supported_k8s_versions.md

@@ -2,9 +2,9 @@
 
 Momentarily, the Gardener supports the following Kubernetes versions:
 
-| Cloud provider | Kubernetes 1.9 | Kubernetes 1.10 | Kubernetes 1.11 | Kubernetes 1.12 |
-| -------------- | -------------- | --------------- | --------------- | --------------- |
-| AWS            | 1.9.0+         | 1.10.0+         | 1.11.0+         | 1.12.1+         |
-| Azure          | 1.9.7+         | 1.10.1+         | 1.11.0+         | 1.12.1+         |
-| GCP            | 1.9.0+         | 1.10.0+         | 1.11.0+         | 1.12.1+         |
-| OpenStack      | 1.9.0+         | 1.10.1+         | 1.11.0+         | 1.12.1+         |
+| Cloud provider | Kubernetes 1.10 | Kubernetes 1.11 | Kubernetes 1.12 |
+| -------------- | --------------- | --------------- | --------------- |
+| AWS            | 1.10.0+         | 1.11.0+         | 1.12.1+         |
+| Azure          | 1.10.1+         | 1.11.0+         | 1.12.1+         |
+| GCP            | 1.10.0+         | 1.11.0+         | 1.12.1+         |
+| OpenStack      | 1.10.1+         | 1.11.0+         | 1.12.1+         |

example/05-project-dev.yaml

@@ -14,6 +14,6 @@ spec:
   - apiGroup: rbac.authorization.k8s.io
     kind: User
     name: alice.doe@example.com
-  # description: This is my first project
-  # purpose: Experimenting with Gardener
-  namespace: garden-dev # Optional, random name such as garden-dev-sws7p will be generated
+# description: "This is my first project"
+# purpose: "Experimenting with Gardener"
+# namespace: "garden-dev" # Optional, will be initialized if unset.

example/30-cloudprofile-alicloud.yaml

@@ -18,7 +18,6 @@ spec:
         - 1.12.3
         - 1.11.5
         - 1.10.11
-      # - 1.9.11 # Usage is not recommended, see CVE-2018-1002105
       machineImages:
       - name: CoreOS
         id: coreos_1745_7_0_64_30G_alibase_20180705.vhd

example/30-cloudprofile-aws.yaml

@@ -18,7 +18,6 @@ spec:
         - 1.12.3
         - 1.11.5
         - 1.10.11
-      # - 1.9.11 # Usage is not recommended, see CVE-2018-1002105
       machineImages:
       - name: CoreOS
         regions:

example/30-cloudprofile-azure.yaml

@@ -18,7 +18,6 @@ spec:
         - 1.12.3
         - 1.11.5
         - 1.10.11
-      # - 1.9.11 # Usage is not recommended, see CVE-2018-1002105
       machineImages:
       - name: CoreOS
         publisher: CoreOS

example/30-cloudprofile-gcp.yaml

@@ -18,7 +18,6 @@ spec:
         - 1.12.3
         - 1.11.5
         - 1.10.11
-      # - 1.9.11 # Usage is not recommended, see CVE-2018-1002105
       machineImages:
       - name: CoreOS
         image: projects/coreos-cloud/global/images/coreos-stable-1745-7-0-v20180614

example/30-cloudprofile-openstack.yaml

@@ -20,7 +20,6 @@ spec:
         - 1.12.3
         - 1.11.5
         - 1.10.11
-      # - 1.9.11 # Usage is not recommended, see CVE-2018-1002105
       loadBalancerProviders:
       - name: haproxy
       machineImages:

example/90-shoot-alicloud.yaml

@@ -43,7 +43,6 @@ spec:
   #     issuerURL: https://identity.example.com
   #     usernameClaim: username-claim
   #     usernamePrefix: username-prefix
-  #-#-# only usable with Kubernetes >= 1.10
   #     signingAlgs: RS256,some-other-algorithm
   #-#-# only usable with Kubernetes >= 1.11
   #     requiredClaims:

example/90-shoot-aws.yaml

@@ -47,7 +47,6 @@ spec:
   #     issuerURL: https://identity.example.com
   #     usernameClaim: username-claim
   #     usernamePrefix: username-prefix
-  #-#-# only usable with Kubernetes >= 1.10
   #     signingAlgs: RS256,some-other-algorithm
   #-#-# only usable with Kubernetes >= 1.11
   #     requiredClaims: