Support for Kubernetes v1.25

[shafeeqes]

How to categorize this PR?

/area open-source usability
/kind enhancement
/topology garden seed shoot

What this PR does / why we need it:
Support for Kubernetes v1.25

Which issue(s) this PR fixes:
Part of #6567

Special notes for your reviewer:

• I didn't vendor new k8s.io/* Golang sources yet as we usually do this together with a new sigs.k8s.io/controller-runtime upgrade.
  • Update: Completed in Upgrade k8s.io/* to v0.25, sigs.k8s.io/controller-runtime to v0.13 #6668
• ⚠️ This PR only contains the Gardener part for supporting 1.25 - there will/must be follow-up PRs for each extension repository where individual support gets added.
• Code changes have been tested with the provider-local
  • Create/Delete a new shoot cluster with v1.25.0
• Upgrading clusters won't work yet, because of Drop PodSecurityPolicy usage / move to PodSecurity #5250, PodSecurityPolicy is still part of requiredPlugins.
  • Update: Will work after Remove PodSecurityPolicy from requiredPlugins and add a user-facing warning to consider migration #6700
• Seed clusters with v1.25 is not yet supported because of:
  • [Feature] Update API versions for Cronjobs and PDBs etcd-druid#429
  • [Feature] Handle autoscaling/v2 API version for HorizontalPodAutoscaler hvpa-controller#104

Release note:

Gardener can now support shoot clusters with Kubernetes version 1.25. In order to allow creation/update of 1.25 clusters you will have to update the version of your provider extension(s) to a version that supports 1.25 as well. Please consult the respective releases and notes in the provider extension's repository.

Gardener can now support shoot clusters with Kubernetes version 1.25. Extension developers have to prepare individual extensions as well to work with 1.25.

[gardener-prow]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[rfranzke]

/assign

[rfranzke]

Thanks @shafeeqes, this looks good now. Let's go
/lgtm
/approve

[gardener-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: rfranzke

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [rfranzke]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[shafeeqes]

/test pull-gardener-check-vulnerabilities

[gardener-prow]

@shafeeqes: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-gardener-check-vulnerabilities	af2bd99	link	false	/test pull-gardener-check-vulnerabilities

Full PR test history. Your PR dashboard. Command help for this repository.
Please help us cut down on flakes by linking this test failure to an open flake report or filing a new flake report if you can't find an existing one. Also see our testing guideline for how to avoid and hunt flakes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

[shafeeqes]

@shafeeqes: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
pull-gardener-check-vulnerabilities af2bd99 link false /test pull-gardener-check-vulnerabilities
Full PR test history. Your PR dashboard. Command help for this repository. Please help us cut down on flakes by linking this test failure to an open flake report or filing a new flake report if you can't find an existing one. Also see our testing guideline for how to avoid and hunt flakes.

This passed yesterday 👀

Call stacks in your code:
      cmd/gardener-seed-admission-controller/app/gardener_seed_admission_controller.go:[19](https://prow.gardener.cloud/view/gs/gardener-prow/pr-logs/pull/gardener_gardener/6638/pull-gardener-check-vulnerabilities/1569528608265867264#1:build-log.txt%3A19)0:18: github.com/gardener/gardener/cmd/gardener-seed-admission-controller/app.Options.Run calls sigs.k8s.io/controller-runtime/pkg/manager.controllerManager.Start, which eventually calls golang.org/x/net/http2.ConfigureServer$1
  Found in: golang.org/x/net/http2@v0.0.0-[20](https://prow.gardener.cloud/view/gs/gardener-prow/pr-logs/pull/gardener_gardener/6638/pull-gardener-check-vulnerabilities/1569528608265867264#1:build-log.txt%3A20)22072[21](https://prow.gardener.cloud/view/gs/gardener-prow/pr-logs/pull/gardener_gardener/6638/pull-gardener-check-vulnerabilities/1569528608265867264#1:build-log.txt%3A21)55237-a158d28d115b
  Fixed in: golang.org/x/net/http2@v1.19.1

[rfranzke]

That's why the check optional - vulnerabilities can pop up at any point in time. This one should be unrelated to changes of this PR.

[shafeeqes]

This one should be unrelated to changes of this PR.

Yep.

[vlerenc]

We have now a tool that checks for DISA STIG K8s compliance. We have only trivial/cosmetic findings that can possibly be changed at any time, but these two may have end user tangible consequences, so it would be good to combine them with a new Kubernetes minor version or we need to wait another 4 months for the next one. WDYT @shafeeqes @rfranzke?

• Kubernetes Kubelet must enable kernel protection (HIGH 242434)
• Kubernetes Kubelet must not disable timeouts (MEDIUM 245541)

Both should be very quick and simple to fix, but will this possibly alter behaviour (242434 for the workload and 245541 when interacting with the Kubelet via the API server like streaming logs, etc.)?

If so (or unclear), we should probably better combine this with a new Kubernetes minor version (e.g. this one here, v1.25)?

[rfranzke]

I think we have to wait for 1.26, this PR is already merged since 3 weeks and released as well.