Staging 2.25.0 ck8s4

[Ajarmar]

Warning

This is a public repository, ensure not to disclose:

• personal data beyond what is necessary for interacting with this pull request, nor
• business confidential information, such as customer names.

What kind of PR is this?

Required: Mark one of the following that is applicable:

• kind/feature
• kind/improvement
• kind/deprecation
• kind/documentation
• kind/clean-up
• kind/bug
• kind/other

Optional: Mark one or more of the following that are applicable:

Important

Breaking changes should be marked kind/admin-change or kind/dev-change depending on type
Critical security fixes should be marked with kind/security

• kind/admin-change
• kind/dev-change
• kind/security
• kind/adr

What does this PR do / why do we need this PR?

Patch release v2.25.0-ck8s4.

Information to reviewers

Some notes regarding the changelog:

• We had several commits in the kubespray submodule that are represented by just one commit in the compliantkubernetes-kubespray repo, so I added the individual commits in the submodule into the changelog instead. Let me know what you think.
• Please have a look at how the "Known issues" in the changelog are formatted and let me know what you think about that as well.

Checklist

• Proper commit message prefix on all commits
• Change checks:
  • The change is transparent
  • The change is disruptive
  • The change requires no migration steps
  • The change requires migration steps
• Metrics checks:
  • The metrics are still exposed and present in Grafana after the change
  • The metrics names didn't change (Grafana dashboards and Prometheus alerts are not affected)
  • The metrics names did change (Grafana dashboards and Prometheus alerts were fixed)
• Logs checks:
  • The logs do not show any errors after the change
• Pod Security Policy checks:
  • Any changed pod is covered by Pod Security Admission
  • Any changed pod is covered by Gatekeeper Pod Security Policies
  • The change does not cause any pods to be blocked by Pod Security Admission or Policies
• Network Policy checks:
  • Any changed pod is covered by Network Policies
  • The change does not cause any dropped packets in the NetworkPolicy Dashboard
• Audit checks:
  • The change does not cause any unnecessary Kubernetes audit events
  • The change requires changes to Kubernetes audit policy
• Falco checks:
  • The change does not cause any alerts to be generated by Falco
• Bug checks:
  • The bug fix is covered by regression tests

[aarnq]

Should this maybe be a warning or caution instead?

[Ajarmar]

Sure. Based on the descriptions found here, I think "Warning" may be most accurate.

[aarnq]

LGTM

[OlleLarsson]

Do we want something like this?

Suggested change

	- [kubernetes-sigs/kubespray#11476](https://github.com/kubernetes-sigs/kubespray/pull/11476) - [calico] Update calico to v3.27.4 to fix high cpu issues
	- [elastisys/kubespray#18](https://github.com/elastisys/kubespray/pull/18) - Multiple tunnels per connection in UpCloud [@aarnq](https://github.com/aarnq)
	### Other(s)
	- [#386](https://github.com/elastisys/compliantkubernetes-kubespray/pull/386) - documentation: docs: Update migration guide with missing export command for variable [@lucianvlad](https://github.com/lucianvlad)
	- [kubernetes-sigs/kubespray#11476](https://github.com/kubernetes-sigs/kubespray/pull/11476) - Update calico to v3.27.4 to fix high cpu issues
	- [elastisys/kubespray#18](https://github.com/elastisys/kubespray/pull/18) - Multiple tunnels per connection in UpCloud [@aarnq](https://github.com/aarnq)
	### Other(s)
	- [#386](https://github.com/elastisys/compliantkubernetes-kubespray/pull/386) - Update migration guide with missing export command for variable [@lucianvlad](https://github.com/lucianvlad)