Merge branch 'dev' into opa-e2e-tests

# Conflicts:
#	cluster/node-pools/master-default/userdata.yaml

Author: nwickramasin

cluster/config-defaults.yaml

@@ -121,12 +121,14 @@ skipper_default_filters: 'disableAccessLog(2,3,404,429) -> fifo(2000,20,"1s")'
 # skipper_default_filters_authentication defines filters that implement default request authentication
 skipper_default_filters_authentication: ''
 skipper_default_filters_append: 'stateBagToTag("auth-user", "client.uid")'
-skipper_disabled_filters: "static,bearerinjector,setRequestHeaderFromSecret"
+skipper_disabled_filters: "static,bearerinjector,setRequestHeaderFromSecret,basicAuth"
 skipper_lua_sources: "file"
 skipper_edit_route_placeholders: ""
 skipper_ingress_inline_routes: ""
 skipper_ingress_refuse_payload: ""
 skipper_endpointslices_enabled: "true"
+skipper_kubernetes_annotation_predicates: ''
+skipper_kubernetes_east_west_range_annotation_predicates: ''
 
 skipper_compress_encodings: "gzip,deflate,br"
 
@@ -738,8 +740,8 @@ tracing_coredns_local_zone_traces_endpoint: ""
 # AMI id given the image name and the Image AWS account owner.
 #
 # [0]: https://github.com/zalando-incubator/cluster-lifecycle-manager/blob/8a9bd1cb2d094038a9e23e646421f8146b48886a/provisioner/template.go#L116
-kuberuntu_image_v1_31_jammy_amd64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.31.0-amd64-master-347" "861068367966" }}
-kuberuntu_image_v1_31_jammy_arm64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.31.0-arm64-master-347" "861068367966" }}
+kuberuntu_image_v1_31_jammy_amd64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.31.4-amd64-master-359" "861068367966" }}
+kuberuntu_image_v1_31_jammy_arm64: {{ amiID "zalando-ubuntu-jammy-22.04-kubernetes-production-v1.31.4-arm64-master-359" "861068367966" }}
 
 # Which distro from the previous config items should be used. Valid options are only `jammy` for now. Can be set for each node pool.
 kuberuntu_distro_master: "jammy"
@@ -831,7 +833,7 @@ kubelet_registry_burst: "40"
 #  - upstream: official Kubernetes version
 #  - zalando:  internal Zalando build with our custom patches
 kubernetes_scheduler_image: "zalando"
-kubernetes_controller_manager_image: "zalando"
+kubernetes_controller_manager_image: "upstream"
 
 # when set to true, service account tokens can be used from outside the cluster
 allow_external_service_accounts: "false"
@@ -1171,7 +1173,7 @@ sysctl_settings: ""
 # must ensure that no existing resources should be annotated with a TTL.
 # This can happen in the case where a test deployment is deployed to production
 # as is. Currently, it's a no-op since kube-janitor doesn't run in production.
-# 
+#
 # This is needed until we can implement namespace prefix matching to reduce
 # the scope of kube-janitor to a set of namespace names that aren't known
 # at the time of enaling kube-janitor. Once the feature is in place, it would

cluster/manifests/02-kube-aws-iam-controller/deployment.yaml

@@ -27,7 +27,7 @@ spec:
       hostNetwork: true
       containers:
       - name: kube-aws-iam-controller
-        image: container-registry.zalando.net/teapot/kube-aws-iam-controller:v0.3.0-45-gf22c994
+        image: container-registry.zalando.net/teapot/kube-aws-iam-controller:v0.3.0-49-g8369d21
         env:
         - name: AWS_DEFAULT_REGION
           value: "{{.Cluster.Region}}"

cluster/manifests/03-ebs-csi/controller.yaml

@@ -35,7 +35,7 @@ spec:
         runAsUser: 1000
       containers:
         - name: ebs-plugin
-          image: container-registry.zalando.net/teapot/aws-ebs-csi-driver:v1.35.0-master-21
+          image: container-registry.zalando.net/teapot/aws-ebs-csi-driver:v1.38.1-master-24
           args:
             - controller
             - --endpoint=$(CSI_ENDPOINT)
@@ -82,7 +82,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: csi-provisioner
-          image: container-registry.zalando.net/teapot/external-provisioner:v5.1.0-eks-1-31-4-master-21
+          image: container-registry.zalando.net/teapot/external-provisioner:v5.1.0-eks-1-31-10-master-24
           args:
             - --csi-address=$(ADDRESS)
             - --v=2
@@ -107,7 +107,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: csi-attacher
-          image: container-registry.zalando.net/teapot/external-attacher:v4.7.0-eks-1-31-4-master-21
+          image: container-registry.zalando.net/teapot/external-attacher:v4.7.0-eks-1-31-10-master-24
           args:
             - --csi-address=$(ADDRESS)
             - --v=2
@@ -129,7 +129,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: csi-resizer
-          image: container-registry.zalando.net/teapot/external-resizer:v1.12.0-eks-1-31-4-master-21
+          image: container-registry.zalando.net/teapot/external-resizer:v1.12.0-eks-1-31-10-master-24
           args:
             - --csi-address=$(ADDRESS)
             - --v=2
@@ -151,7 +151,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: liveness-probe
-          image: container-registry.zalando.net/teapot/livenessprobe:v2.14.0-eks-1-31-4-master-21
+          image: container-registry.zalando.net/teapot/livenessprobe:v2.14.0-eks-1-31-10-master-24
           args:
             - --csi-address=/csi/csi.sock
           resources:

cluster/manifests/03-ebs-csi/node.yaml

@@ -34,7 +34,7 @@ spec:
         runAsUser: 0
       containers:
         - name: ebs-plugin
-          image: container-registry.zalando.net/teapot/aws-ebs-csi-driver:v1.35.0-master-21
+          image: container-registry.zalando.net/teapot/aws-ebs-csi-driver:v1.38.1-master-24
           args:
             - node
             - --endpoint=$(CSI_ENDPOINT)
@@ -77,7 +77,7 @@ spec:
             privileged: true
             readOnlyRootFilesystem: true
         - name: node-driver-registrar
-          image: container-registry.zalando.net/teapot/node-driver-registrar:v2.12.0-eks-1-31-4-master-21
+          image: container-registry.zalando.net/teapot/node-driver-registrar:v2.12.0-eks-1-31-10-master-24
           args:
             - --csi-address=$(ADDRESS)
             - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
@@ -114,7 +114,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: liveness-probe
-          image: container-registry.zalando.net/teapot/livenessprobe:v2.14.0-eks-1-31-4-master-21
+          image: container-registry.zalando.net/teapot/livenessprobe:v2.14.0-eks-1-31-10-master-24
           args:
             - --csi-address=/csi/csi.sock
           volumeMounts:

cluster/manifests/audittrail-adapter/daemonset.yaml

@@ -33,7 +33,7 @@ spec:
       hostNetwork: true
       containers:
       - name: audittrail-adapter
-        image: container-registry.zalando.net/teapot/audittrail-adapter:master-66
+        image: container-registry.zalando.net/teapot/audittrail-adapter:master-71
         env:
           - name: AWS_REGION
             value: "{{ .Cluster.Region }}"

cluster/manifests/aws-cloud-controller-manager/daemonset.yaml

@@ -27,7 +27,7 @@ spec:
         - --cloud-provider=aws
         - --use-service-account-credentials=true
         - --configure-cloud-routes=false
-        image: container-registry.zalando.net/teapot/aws-cloud-controller-manager-internal:v1.31.1-master-133
+        image: container-registry.zalando.net/teapot/aws-cloud-controller-manager-internal:v1.31.4-master-136
         name: aws-cloud-controller-manager
         resources:
           requests:

cluster/manifests/coredns-local/daemonset-coredns.yaml

@@ -163,7 +163,7 @@ spec:
             memory: {{.Cluster.ConfigItems.dns_dnsmasq_sidecar_mem}}
 {{ end }}
       - name: coredns
-        image: container-registry.zalando.net/teapot/coredns:1.11.3-master-24
+        image: container-registry.zalando.net/teapot/coredns:1.12.0-master-25
         args: [ "-conf", "/etc/coredns/Corefile" ]
         env:
         - name: ZONE

cluster/manifests/deletions.yaml

@@ -313,6 +313,8 @@ post_apply:
 - name: role-sync-controller
   kind: CronJob
   namespace: kube-system
+- name: role-sync-controller
+  kind: ClusterRole
 - name: role-sync-controller
   kind: ClusterRoleBinding
 - name: role-sync-controller

cluster/manifests/deployment-service/controller-statefulset.yaml

@@ -29,7 +29,7 @@ spec:
       terminationGracePeriodSeconds: 300
       containers:
         - name: "deployment-service-controller"
-          image: "container-registry.zalando.net/teapot/deployment-controller:master-233"
+          image: "container-registry.zalando.net/teapot/deployment-controller:master-235"
           args:
             - "--config-namespace=kube-system"
             - "--decrypt-kms-alias-arn=arn:aws:kms:{{ .Cluster.Region }}:{{ .Cluster.InfrastructureAccount | getAWSAccountID }}:alias/deployment-secret"

cluster/manifests/deployment-service/status-service-deployment.yaml

@@ -1,4 +1,4 @@
-# {{ $image   := "container-registry.zalando.net/teapot/deployment-status-service:master-233" }}
+# {{ $image   := "container-registry.zalando.net/teapot/deployment-status-service:master-235" }}
 # {{ $version := index (split $image ":") 1 }}
 
 apiVersion: apps/v1