[ci:component:github.com/gardener/gardener:v1.50.2->v1.54.1]

[gardener-robot-ci-3]

Release Notes:

Add Bastion config validator

The kubeReserved and systemReserved specs of workers are now validated against the node allocatable resources of the corresponding machine type.

Removed unnecessary `PATCH` to `machine.status.node` during restoration of machine objects.

Fixed an issue that could cause a `Shoot`'s control plane namespace to be orphaned. This could happen when control plane migration is triggered, but does not start because the destination `Seed` is not `Ready` yet, and meanwhile the `Shoot` is deleted.

A shoot `event-logger` is introduced, which collects logs from shoot `control-plane` and shoot `kube-system`.
- Events older than 5 seconds are omitted. Thus when the event logger is restarted it will repeat only the logs few recent events.
- The version of the event logger is well formatted and accurate.

The following images are updated:
- registry.k8s.io/kube-state-metrics/kube-state-metrics: v1.9.7 -> v2.1.1 (for kubernetes < 1.20)
- registry.k8s.io/kube-state-metrics/kube-state-metrics: v1.9.7 -> v2.5.0 (for kubernetes >= 1.20)

Gardenlet now uses PriorityClass: gardener-system-critical

The `SecretBindingProviderValidation` feature gate of `gardener-apiserver` is now promoted to beta and enabled by default. This enables the following validations:
- requires the provider type of a `SecretBinding` to be set (on `SecretBinding` creation)
- requires the `SecretBinding` provider type to match the `Shoot` provider type (on `Shoot` creation)
- enforces immutability on the provider type of a `SecretBinding`

The GA-ed or deprecated `ShootMaxTokenExpiration{Overwrite,Validation}` and `RotateSSHKeypairOnMaintenance` feature gates have been removed.

Updated vertical-pod-autoscaler to v0.11.0

A new testing strategy and developer guideline has been added. Make sure to check out the [document](https://github.com/gardener/gardener/blob/master/docs/development/testing.md#writing-test-machinery-tests) if you want to learn more about the different kinds of tests we use and how to best write them!

The recent changes to the "github.com/gardener/gardener/extensions/pkg/controller/healthcheck/config".HealthCheckConfig type that added client configuration settings are now reverted.

The Shoot spec now supports selecting scheduling profiles. Apart from the "balanced" (aka "default") profile it is possible to configure a `bin-packing` profile (alpha feature). For more details see the [usage docs](https://github.com/ialidzhikov/gardener/blob/75d786fcecf3ddf52ca29947fab777d1e40d389d/docs/usage/shoot_scheduling_profiles.md).

The `ShootCARotation` and `ShootSARotation` feature gates have been promoted to beta and are now enabled by default. Make sure that all provider extensions registered to your system support these features before upgrading to this Gardener version.

The minimum Kubernetes version for garden and seed clusters is now `1.20`. Make sure to upgrade your clusters to at least `1.20` before deploying this Gardener version.

Update istio to v1.14.1.

Allow passing custom REST configuration settings (QPS, Burst, Timeout) to extension shoot clients.

Extension health check types are moved from `github.com/gardener/gardener/extensions/pkg/controller/healthcheck/config` to `github.com/gardener/gardener/extensions/pkg/apis/config`

A bug has been fixed which prevented automatic remediation of webhooks in case there was at least one webhook with `failurePolicy=Ignore`.

The new `ShootNodeLocalDNSEnabledByDefault` admission plugin of the `gardener-apiserver` (disabled by default) controls whether the `.spec.systemComponents.nodeLocalDNS.enabled` field for newly created `Shoot` resources is defaulted to `true`. Existing `Shoot`s are not modified. Shoot's can still explicitly disable the node local dns cache by setting `.spec.systemComponents.nodeLocalDNS.enabled=false`. See [this document](https://github.com/gardener/gardener/blob/master/docs/concepts/apiserver_admission_plugins.md#shootnodelocaldnsenabledbydefault).

A GEP proposing changes to support HA Shoot control planes is now added.

Gardener extensions which contain a worker controller need to implement functions: `PreReconcileHook`, `PostReconcileHook`, `PreDeleteHook`, `PostDeleteHook`. The functions `DeployMachineDependencies` and `CleanupMachineDependencies` are now deprecated and will be removed in a future release. The logic of those deprecated functions can be moved to the respective pre/post hook functions.

`provider-local` does now support `ManagedSeed`s in the `Skaffold`-based environment.

It is now possible to provide additional `containerd` configuration for shoot worker nodes, please take a look at [this document](https://github.com/gardener/gardener/blob/master/docs/usage/custom-containerd-config.md) for more information.

The TestMachinery-based `ManagedSeed` tests (including the related `TestDefinition`s in the `.test-defs` directory) have been deleted in favor of new e2e tests.

The following images are updated:
- `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.20.1` -> `v1.20.2` (for Kubernetes `< 1.21`)
- `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.21.1` -> `v1.21.2` (for Kubernetes `1.21`)
- `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.21.1` -> `v1.22.2` (for Kubernetes `>= 1.22`)

Strict schema validation is now performed for VerticalPodAutoscaler resources.

Golang version is updated to 1.18.4

Differentiate the vpa metrics for the seed and control planes to avoid conflicts in prometheus when the recording rules are evaluated.

If a resource in the `ManagedResource` is annotated with `resources.gardener.cloud/skip-health-check=true` then the resource will be skipped during health checks by the health controller. The ManagedResource conditions will not reflect the health condition of this resource anymore. The `ResourcesProgressing` condition will also be set to `False`.

Downloading several tools vial `./hack/tools.mk` has been fixed for ARM64 based Linux machines.

Update envoy proxy to v1.21.4 (used in reversed vpn and apiserver-proxy)

gardenlet's base image is updated from `alpine:3.15.4` to `alpine:3.16.0`.

`hack/install-requirements.sh` is removed. You can use `hack/tools.mk` to install tools needed for development and CI.

The machine image defaulting does now work based on the CPU architecture of the machine in a given worker pool.

The `Shoot` maintenance controller has been enhanced to auto-update the machine image of the worker pool in a `Shoot` based on the CPU architecture of the machines.

Additional dashboards for monitoring conntrack insertion failures most likely due to conntrack races

All `Actuator` interfaces for extension controllers have been extended and now receive a `logr.Logger` passed from the reconciler with the proper context of the reconciled object.

Gardener's component configuration APIs have been changed in the following breaking ways:
- `kubernetesLogLevel` has been removed from all component configs
- `ControllerManagerConfiguration.server.http` has been split into `server.{healthProbes,metrics}` (health endpoints and metrics are now served on different ports)
- `ControllerManagerConfiguration.server.https` has been removed

`gardener-controller-manager` serves health endpoints and metrics on different ports now. Adapt your scrape configs accordingly to port `metrics`.

The loki/telegraf container no longer runs in privileged mode.

The following images are updated:
- quay.io/prometheus/blackbox-exporter: v0.20.0 -> v0.21.1

`metric-server` image is updated to `v0.6.1`

Fix an issue where the HVPA would set Requests higher than Limits if `ControlledValues: RequestsOnly` is set

Published docker images for HVPA-Controller are now multi-arch ready. They support `linux/amd64` and `linux/arm64`.

The `DisableDNSProviderManagement` feature gate has been promoted to GA and is now unconditionally enabled. If the `shoot-dns-service` extension is deployed, please make sure following prerequistes are given for a smoothly transition:
 - The `shoot-dns-service` extension must be installed in a version >= `v1.20.0`.
 - The controller deployment of the `shoot-dns-service` sets `providerConfig.values.dnsProviderManagement.enabled=true`
 - Its admission controller (`gardener-extension-admission-shoot-dns-service`) is deployed on the garden cluster
 - the `dns-external` extension must still be installed

The vpn-seed-server/vpn-seed-server container no longer runs in privileged mode.

VPN shoot client can now be run with a privileged init container and a non-privileged runtime container

The vpn-shoot/vpn-shoot container no longer runs in privileged mode (when ReversedVPN feature gate is enabled). As it still needs to still modify some kernel settings, this part is moved to init container that still has to run in privileged but the risk to cluster security is minimal because of the ephemeral nature of init containers.

The GA-ed `WorkerPoolKubernetesVersion` feature gate is now removed.

Some signatures in `pkg/controllerutils/mapper` have changed to support the simple injection of a proper context and logger.

Fixed a bug that prevented Shoots from being able to use `expander: priority` for cluster-autoscaler

The `apiserver-proxy-pod-webhook` now uses `distroless` instead of `alpine` as a base image.

Minimize apiserver-proxy-sidecar image by using a scratch image.

The `API Server` dashboard in Grafana now shows the actual DB size per instance (`etcd-main`, `etcd-events`). Earlier those values were summed up and distorted if more than one kube-apiserver replica existed in the control plane.

vpn-seed-server and vpn-shoot-client container images now contain only a reduced set of binary/libaries.

The already deprecated `shoot.gardener.cloud/use-as-seed` annotation (since v1.18.0) is no longer supported for creating Shooted Seed clusters. Please check the following [documentation](https://github.com/gardener/gardener/blob/v1.51.0/docs/usage/managed_seed.md#migrating-from-the-use-as-seed-annotation-to-managedseeds) on how to migrate from the `use-as-seed` annotation to `ManagedSeeds`. Before updating to this version of Gardener, make sure that you migrated to `ManagedSeeds` and that you no longer have usages of the `use-as-seed` annotation on the landscape.

A warning in vpn-shoot about the private key being group/other accessible is now addressed.

livenessProbe of etcd container has been updated to `ETCDCTL_API=3 etcdctl get foo --consistency=s` making the consistency `serializable`.

failureThreshold has been updated to `5` for both livenessProbe and readinessProbe of etcd.

The `etcd-druid` now uses `distroless` instead of `alpine` as a base image.

`etcd-druid` will now also add statefulset permissions to the etcd role

Published docker images for Etcd-Druid are now multi-arch ready. They support `linux/amd64` and `linux/arm64`.

Added a new condition `BackupReady` to the etcd status

Published docker images for Etcd-Backup-Restore are now multi-arch ready. They support `linux/amd64` and `linux/arm64`.

The Etcd-Backup-Restore image has been updated to `Alpine 3.15.4`.

Added new package `membergarbagecollector` to remove superfluous members from the ETCD cluster. Due to this, etcd-backup-restore now needs permissions to list `pods` and `statefulsets`.

Added new package `membergarbagecollector` to remove superfluous members from the ETCD cluster.

Etcd can now scale up itself from a single member cluster to a multi member cluster

Published docker images for Etcd-Custom-Image are now multi-arch ready. They support linux/amd64 and linux/arm64.

Added pod permission in etcd_role that now enable `etcd-backup-restore` to get/list/watch pods

Fixed a bug where etcd calls related to multi node operation were used in single node operation

Temp fix: skip the single member restoration if data-dir found to be invalid.

Fixed a bug in Scaleup feature in func: `IsMemberInCluster()` which can cause Scaleup feature to get fail.

Assigned the correct Peer address to the Etcd after it restores from backup-bucket.

No attempt is made to update member Peer URL when trying to promote a member

The Loki, Prometheus, and the VPN seed server envoy proxy parsers parse timezone and milliseconds from the timestamp.

The Gardener API server now enforces the following configuration options for ManagedSeed resources:
1. The vertical pod autoscaler should be enabled from the Shoot specification.
2. The nginx-ingress addon should not be enabled for a Shoot referred by a ManagedSeed.

Before upgrading to this version of Gardener make sure that all ManagedSeeds and the Shoots they refer to conform the newly enforced configuration options.

A bug that prevented Shoot deletion when the OS image version or kubernetes version was beyond its expiration date is now fixed.

Add missing sleep command to minimized container image.

Switched openvpn topology to subnet and ensured that the chosen cipher is always selected.

It is now possible to disable an admission plugin for the shoot kube-apiserver in the `ShootSpec` by setting the AdmissionPlugin.Disabled field to `true`.

An issue causing a panel in the `Node/Worker Pool Overview` dashboard to fail to load due to invalid query is now fixed.

A bug causing `gardenlet` to panic in case of shoot using namespace which doesn't have the required project label is fixed.

Owner checks (which are used by the `backup-restore` sidecar to determine whether the owner domain name resolves to the specified owner ID and if not, take a final full snapshot and disable the cluster), will no longer be enabled by `gardenlet`, if the `HAControlPlanes` feature gate is enabled, the `Shoot` is annotated with `alpha.control-plane.shoot.gardener.cloud/high-availability` and the `Shoot`'s ETCDs are started as a cluster (with more than 1 replica).

Updating CRD for `DNSEntries` to allow specifying routing policy

`node-problem-detector` image is updated from `k8s.gcr.io/node-problem-detector/node-problem-detector:v0.8.7` to `eu.gcr.io/gardener-project/3rd/node-problem-detector:v0.8.10-gardener.1`.

The node-exporter is configured to collect filesystem metrics for the /run mount point.

The following image is updated:
- `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.22.2` -> `v1.23.1` (for Kubernetes >= `1.23`)

The `SecretBindingProviderValidation` feature gate of `gardener-apiserver` is promoted to GA and is now unconditionally enabled.

`PodSecurityPolicy` admission plugin should be disabled before upgrading the shoot cluster to kubernetes `v1.25`. Please refer [Migrating to PodSecurity](https://github.com/gardener/gardener/blob/master/docs/usage/pod-security.md#migrating-to-podsecurity).

A bug causing `gardenlet` helm chart deployment to fail is fixed.

Add option to disable gardener shoot monitoring

A bug has been fixed for HA shoots and their underlying etcd clusters. In some occasions, Gardenlet didn't wait for changes to be completely rolled out to etcd. Especially in combination with the CA-rotation feature this could cause the cluster being stuck in an unrecoverable state.

A bug is fixed which allowed dependency-watchdog to not ignore scaling operations on deployment which are not enabled/deployed in a given cluster
A bug with uploading of a rotated dependency-watchdog-probe secrets is now fixed by refreshing the clients with updated secrets.

Switch default leader election resource lock for `dependency-watchdog` from `endpointsleases` to `leases`.

A dependent's scaling up/down can be ignored by DWD now by adding the annotation `dependency-watchdog.gardener.cloud/ignore-scaling` to the deployment

Published docker images for Dependency-Watchdog are now multi-arch ready. They support `linux/amd64` and `linux/arm64`.

The `dependency-watchdog` now uses `distroless` instead of `alpine` as a base image.

DWD client shall no longer use long running TCP connections when attempting to probe Kube ApiServer via internal endpoint.

K8s dependencies are upgraded to v0.24.3 to adopt a fix in the `k8s.io/apiserver` module that causes gardener-apiserver to do not always return the expected result when the client requests resources with the `--selector` / `--field-selector` flags.

Latency metrics of the proxy subresource are not considered for the KubeApiServerLatency alert and API Server / Request Latency dashboard panel.

The following images are updated:
- `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.20.2` -> `v1.20.3` (for Kubernetes `1.20`)
- `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.21.2` -> `v1.21.3` (for Kubernetes `1.21`)
- `eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler`: `v1.22.2` -> `v1.22.3` (for Kubernetes `1.22`)

A new `gardenlet` feature gate called `DefaultSeccompProfile` is introduced. If enabled all Gardener managed workloads in the seed will have their seccomp profiles defaulted to "RuntimeDefault".

The `apiserver-proxy`, `blackbox-exporter`, `node-exporter`, `kube-proxy`, `node-local-dns`, `node-problem-detector`, `vpn-shoot`, `coredns`, `metrics-server` components now have their seccomp profiles set to "RuntimeDefault".

The node-local-dns/node-cache container no longer runs in privileged mode.

The `SeedChange` and `CopyEtcdBackupsDuringControlPlaneMigration` feature gates have been promoted to beta and are now enabled by default.

For users who don't have the RBAC permissions to update `shoots/binding` subresource, it is not possible anymore to specify `.spec.seedName` during creation of `Shoot`.

A new `gomegacheck` linter is now executed on `make check`. Find out more in the [docs](https://github.com/gardener/gardener/blob/master/hack/tools/gomegacheck/README.md).

The following images is updated:
- `k8s.gcr.io/dns/k8s-dns-node-cache`: `1.22.5` -> `v1.22.8`

Workaround for https://issues.k8s.io/109286 is now only executed for < 1.25 Shoots. In K8s 1.25+ the issue is fixed with https://github.com/kubernetes/kubernetes/pull/109288 and we no longer need to execute the workaround.

The `logging.loki.garden.priority` field is removed from gardenlet's component config as it is no longer used after the [new concept for PriorityClasses in Gardener](https://github.com/gardener/gardener/blob/v1.52.2/docs/development/priority-classes.md).

Enhance pod permissions for etcd-druid.

Use single-zone HA shoot for e2e rotation tests.

Use priority class `gardener-system-500` for etcd, as per https://github.com/gardener/gardener/issues/5634.

Fixed a bug where etcd calls related to multi node operation were used in single node operation

Assigned the correct Peer address to the Etcd after it restores from backup-bucket.

No attempt is made to update member Peer URL when trying to promote a member

An issue has been fixed that caused the `Backup-Restore` component to connect to the wrong etcd cluster for initializing and member-add procedures.

A bug has been fixed that caused the `etcd-backup-restore` side-car to connect to the etcd cluster via the `peer-service` URL. The side-car is supposed to use the `client-service` instead since it a) exposes client port `2379` and b)  redirects traffic only to members which are ready to service traffic.

The definition of the `etcd.status.ready` field was defined more precisely due to changed semantics of multi-node etcd clusters. `etcd.status.ready` is `true` whenever all underlying etcd replicas are ready. Please note, that the implementation for this check was not changed.

A new flag `--service-endpoints` has been added to the `etcdbrctl server` command. These (Kubernetes) service URLs ensure that `etcd-backup-restore` only connects to etcd member which are ready to server traffic. Especially the `MemberAdd` and `Init` steps require this.

Dropping the feature of passing storage container credentials through ENV for the following storage provider: S3, Swift, OCS, ABS, OSS. Please switch to pass the storage container credentials through volume file mount.

For multi-node etcd: Added a feature of single member etcd restoration in case of data/data-dir of etcd member found to be corrupted or invalid.

An issue has been fixed that caused the `liveness` and `readiness` probes of `etcd` to always succeed even though an error was reported. This prevented defective etcd pods from being restarted automatically and caused unready candidates being considered as ready to serve traffic via the `etcd service`.

A `startup` probe has been added to `etcd` to allow 2 minutes of initialization time before checking for etcd liveness.

Add support for running envtest on M1 Macbooks.

Fixed an issue in the release job needed to add the correct image version `config/default/manager_image_patch.yaml`.

Added a new condition `BackupReady` to the etcd status

livenessProbe of etcd container has been updated to `ETCDCTL_API=3 etcdctl get foo --consistency=s` making the consistency `serializable`.

failureThreshold has been updated to `5` for both livenessProbe and readinessProbe of etcd.

The `etcd-druid` now uses `distroless` instead of `alpine` as a base image.

The entrypoint for `etcd-druid` in its container image has been modified.

Deploying the etcd StatefulSet through a Helm chart has been abandoned. A codified version (component concept) is now used for this purpose.

`etcd` Statefulsets are not claimed anymore based on labels. Instead, the statefulsets are fetched using Name and Namespace combination. Thus, `etcd.spec.selector` does not have an effect on statefulsets anymore.

`etcd-druid` will now also add statefulset permissions to the etcd role

Published docker images for Etcd-Druid are now multi-arch ready. They support `linux/amd64` and `linux/arm64`.

Published docker images for Etcd-Backup-Restore are now multi-arch ready. They support `linux/amd64` and `linux/arm64`.

The Etcd-Backup-Restore image has been updated to `Alpine 3.15.4`.

Added new package `membergarbagecollector` to remove superfluous members from the ETCD cluster. Due to this, etcd-backup-restore now needs permissions to list `pods` and `statefulsets`.

Etcd can now scale up itself from a single member cluster to a multi member cluster

Published docker images for Etcd-Custom-Image are now multi-arch ready. They support linux/amd64 and linux/arm64.

Added pod permission in etcd_role that now enable `etcd-backup-restore` to get/list/watch pods

Etcd-Druid's Golang version has been update to `1.18.4.`.

The correct image version has been set in `config/default/manager_image_patch.yaml` to match the current release.

An issue causing the Seed nginx-ingress to fail on 1.22 GKE Seed cluster (or any 1.22 Seed cluster with K8s version that has a suffix - for example `v1.22.12-gke.300`) is now fixed.

Fix statefulset volumeClaimTemplate `StorageClassName` value population if etcd storageClass is an empty string.

Plant API has been dropped, operators need to clean up `Plant` resources before upgrading the `Gardener` version to v1.54.

Temporarily fix issue where `PodManagementPolicy` was trying to be updated from `OrderedReady` to `Parallel` for older shoots (created using etcd-druid:v0.8.5 and before), but the statefulset forbids updates to this field.

Temporarily fixes an issue where druid tries to set `spec.ServiceName` to `PeerServiceName` by default, although older single-node etcds would have this field set to `ClientServiceName`, and updation of statefulset `spec.ServiceName` field is forbidden.

Persist additional metrics to monitor disk device performance contention/saturation

Node-local-dns health check does not longer use port 8080 of the host, but uses port 8099 instead.

The `DNSProvider` extension kind was removed. Please make sure to remove any `ControllerRegistrations` that include the `DNSProvider` kind. If you are using the extension `shoot-dns-service`, make sure to deploy the dns-controller-manager by extending its `ControllerDeployment` (see [Deployment of DNS controller manager](https://github.com/gardener/gardener-extension-shoot-dns-service/blob/master/docs/installation/setup.md#deployment-of-dns-controller-manager)).

Fixed a bug where the Shoot reconciliation could get stuck due to `DNSRecords` not being reconciled.

The following image is updated:
- quay.io/prometheus/prometheus: v2.36.1 -> v2.37.0

The Golang version is updated to 1.18.5.

gardenlet's base image is updated from `alpine:3.16.1` to `alpine:3.16.2`.

An issue causing the guestbook integration test to fail against alicloud Shoot clusters is now fixed.

Published docker images for `ext-authz-server` are now multi-arch ready. They support `linux/amd64` and `linux/arm64`.

The ext-authz-server now uses `distroless` instead of `alpine` as a base image.

Gardener envtest now supports running against an existing gardener setup via `USE_EXISTING_GARDENER`, see [doc](https://github.com/gardener/gardener/blob/master/docs/development/testing.md#debugging-integration-tests).

The following image is updated:
- quay.io/prometheus/blackbox-exporter: v0.21.1 -> v0.22.0

The following image is updated:
- k8s.gcr.io/cpa/cluster-proportional-autoscaler: v1.8.5 -> v1.8.6

The following image is updated:
- quay.io/prometheus/alertmanager: v0.22.2 -> v0.24.0

The following image is updated:
- eu.gcr.io/gardener-project/gardener/autoscaler/cluster-autoscaler: v1.23.1 -> v1.24.0 (for Kubernetes >= 1.24)

An issue causing the loki PriorityClass to be deleted too early when there are still loki StatefulSets that reference it is now mitigated.

`terraformer` pods now use `PriorityClass` `gardener-system-300`.

The ingress default backend has been switched to `eu.gcr.io/gardener-project/gardener/ingress-default-backend:0.11.0`.

Gardener is using `go1.19` now. Make sure to upgrade your go installation.

Improve the ApiServerUnreachableViaKubernetesService alert

The following image is updated:
- quay.io/prometheus/prometheus: v2.37.0 -> v2.38.0

The following image is updated:
- fluent/fluent-bit: 1.9.6 -> 1.9.7

The following image is updated:
- ghcr.io/prometheus-operator/prometheus-config-reloader: v0.56.2 -> v0.58.0

Shoots are correctly labeled for globally enabled extensions now.

A race condition in the Seed deletion has been fixed, which could cause the deletion to be stuck in a deadlock.

The `machine-controller-manager` version deployed by `provider-local` has been updated to `v0.46.1`.

The `networking-calico` version deployed by `provider-local` has been updated to `v1.26.0`.

All split logs between shoot and central Loki are packed before being sent to the central Loki.

The event-logger watches events of multiple namespaces specified by `--seed-event-namespaces` and `--shoot-event-namespaces` like comma-separated values.
The flags `--seed-event-namespace` and `--shoot-event-namespace` are dropped.

Remove race condition in the multitenant client when labels set is not cloned.

Remove the `__gardener_multitenant_id__` label when it is not needed

The name of the batch ID label can be set via `IdLabelName` from the plugin configuration.

Gardener now evaluates the `BackupReady` condition of `etcd` resources when calculating the health of shoot control planes. In case of non-functioning backups, the state is reported in the `ControlPlaneHealthy` of the affected shoot.

Access log of api-server proxy now only shows forwarded requests, but ignores readiness/liveness probes and metrics requests.

`gardenlet` is now using `scratch` instead of `alpine` as a base image.

The default value for the `--audit-log-path` flag of Gardener API Server was changed from `/tmp/audit.log` to `/tmp/audit/audit.log`.

The memory and CPU requests of the loki containers are capped to 50mi of CPU and 300Mi of memory for the logging test-machinery tests.

Fix worker group dropdown in "Node/Worker Pool Overview" dashboard.

Liveness and startup probes for etcd were removed. After activating them, we noticed that they cause more harm than good since the startup time for etcd clusters varies and isn't predicable. Killing the `etcd` container in such a case doesn't solve the situation and will rather end in an endless loop of restarts. This change will cause a restart of etcd clusters.

This PR fixes an issue which caused the `sts.spec.podManagementPolicy` not to be updated to `Parallel` if an existing etcd cluster is scaled-up from `1 -> x`. This can cause an issue if the cluster is afterwards completely scaled-down (aka hibernation) and scaled-up again.

Health checks of `ManagedResources` are more reliable now when updating resources in the referenced secrets.

[gardener-robot]

@gardener-robot-ci-3 Thank you for your contribution.