Gardener Review Meetings 2025

Overview

In case you couldn't participate and are interested in catching up, you can find the contents of the review meetings we have had in 2025 here.

Check back regularly for updates and upcoming topics!

Reviews

2025/08/27 - v1.126 Release

📽️ Recording

Demo Agenda 📋

Presenter(s)	Duration	Topic	Reference(s)
@ScheererJ	10m	🌍 node-local-dns Enablement w/o Nodes Rollout	#12422
@LucaBernstein	5m	🚨 Emergency Stop Of Shoot Reconciliations	#12712

No Demo, But Still Worth Celebrating 🎉

• 🪓 [OPERATOR] ⚠️ The NewWorkerPoolHash feature gate has been promoted to beta and is now enabled by default. [...] All provider extensions must be upgraded to a version which includes Gardener v1.98.0 first to support this feature. #12550
• 🐛 [USER] Errors that occur during Worker reconciliation are now also propagated to the Shoot status. #12769
• 🐛 [OPERATOR] An issue causing the plutono-datasources ConfigMap to be reconciled by 2 ManagedResources when Seed is Garden managed by gardener-operator is now fixed. [...] #12798

---

2025/08/13 - v1.125 Release

📽️ Recording

Demo Agenda 📋

Presenter(s)	Duration	Topic	Reference(s)
@rfranzke	10m	🤖 GEP-28: ETCD Management Via etcd-druid	#12391
@marc1404	5m	🚫 No More RBAC Collisions In Kubeconfigs	#12597
@ialidzhikov	10m	🙅🏼‍♂️ Global Max Allowed Values For VPA	#12481
@AleksandarSavchev	5m	🧱 Robust Config Handling In gardener-node-agent	#12589
@tobschli	10m	🐢 Cluster API Provider For Gardener	cluster-api-provider-gardener (repo), blog post

No Demo, But Still Worth Celebrating 🎉

• 🐛 [OPERATOR] Seed registration was fixed for ManagedSeeds with seed templates configuring spec.resources. #12652
• 🐛 [OPERATOR] A bug in gardener-node-agent that prevented the location for the sandbox image to be configurable to a custom value on worker nodes with containerd v2.x was fixed. #12665
• ✨ [DEVELOPER] The Concourse CICD pipeline has been migrated to GitHub Actions. #12592

---

2025/08/06 - Kubernetes v1.33 Special Edition

📽️ Recording

Demo Agenda 📋

Presenters: @Kostov6, @plkokanov, @RadaBDimitrova

Duration	Topic	Reference(s)
15m	🎓 Graduation Ceremony Graduated Features	KEP-753, KEP-3850, KEP-3998, KEP-4193, KEP-2590, KEP-1880, KEP-3866, KEP-4444 & KEP-2433, KEP-2625, KEP-3633, KEP-3094, KEP-1495, KEP-2644, KEP-3857
15m	🌸 Beta Bloom Alpha -> Beta Promotions	KEP-5100, KEP-4381, KEP-4817, KEP-5142, KEP-4832, KEP-3257, KEP-3619, KEP-4639, KEP-127, KEP-4265, KEP-2902, KEP-3960 & KEP-4818, KEP-5073
10m	🗞️ Fresh Off The Press New Alpha Features	KEP-4951, KEP-4603, KEP-4960, KEP-5055 & KEP-4816 & KEP-5018 & KEP-4815, KEP-2535, KEP-4742, KEP-5067, KEP-5109, KEP-4205, KEP-4412, KEP-4049
5m	🧼 Security, Deprecations & Removals	CVE-2025-4563, KEP-4004. KEP-4974, KEP-5040, KEP-3503
5m	🪴 What's Changing In Gardener	#11033, #12343, #12115 & #12413, #11502

---

2025/07/30 - v1.124 Release

📽️ Recording

Demo Agenda 📋

Presenter(s)	Duration	Topic	Reference(s)
@timuthy	10m	🖼️ Image Rewriter Extension	extension-image-rewriter (repo)
@oliver-goetz	5m	✈️ L7 Load-Balancing Metrics Dashboards	#12509
@domdom82	10m	🧦 CIDR Overlap w/ Seed For HA Shoots	#12204
@vitanovs	10m	🚪 Vertical Pod Autoscaler Feature Gates	#12339

No Demo, But Still Worth Celebrating 🎉

• 🪓 [USER] Starting with Kubernetes v1.34, setting the field .spec.cloudProfileName is be forbidden. The field will be dropped from existing Shoots once. Users are advised to drop this field and specify the cloud profile using the .spec.cloudProfile.name field instead. #11816
• 🐛 [OPERATOR] A bug has been fixed which caused Pods from namespaces other than kube-system and labeled with node.gardener.cloud/critical-component=true to be considered by gardener-resource-manager. #12557
• 🐛 [OPERATOR] A bug has been fixed which prevented the seed-specific Plutono dashboards from being provided by gardenlet in case its seed cluster was the garden runtime cluster at the same time. #12476

---

2025/07/16 - v1.123 Release

📽️ Recording

Demo Agenda 📋

Presenter(s)	Duration	Topic	Reference(s)
@LucaBernstein	5m	🪄 Defaulting Machine Image Version From Prefix	#12374
@oliver-goetz	10m	😌 Simplified gardenlet Deployment Configuration	#11996
@timebertt	10m	🏃‍➡️ Bastion Controller In provider-local	#12366
@ishan16696	15m	🙅🏼‍♂️ Immutable Backup Buckets	#12175

No Demo, But Still Worth Celebrating 🎉

• 🪓 [USER] The deprecated url annotation in <shoot-name>.monitoring secrets in the project namespace has been removed. Please use the plutono-url annotation instead. #12396
• ✨ [OPERATOR] The NodeAgentAuthorizer feature gate has been graduated to GA and is locked to true. #12405
• ✨ [DEVELOPER] BackupBucket/BackupEntry controllers now support WorkloadIdentity type of credentials, provider extensions may need to adjust the respective controllers or to explicitly disallow BackupBuckets of their type to configure WorkloadIdentity. #12321

---

The occurrence for the v1.122 release was skipped because of too few topics.

---

2025/06/25 - v1.121 Release

📽️ Recording

Demo Agenda 📋

Presenter(s)	Duration	Topic	Reference(s)
@RadaBDimitrova	5m	🩺 Improved Health Check For Rolling Updates	#11869
@ashwani2k	5m	📣 dependency-watchdog Reports Scale Down	#12272
@timebertt	10m	🍼 GEP-28: gardenadm bootstrap Progress	#2906 (issue)
@timuthy	5m	🦾 New Capabilities For Extension Shoot Webhooks	#12273
@vpnachev	5m	🙅 New DoNotCopyBackupCredentials Feature Gate	#12168

No Demo, But Still Worth Celebrating 🎉

• 🪓 [OPERATOR] gardenlet no longer deploys ControlPlane resources with .spec.purpose=exposure for Shoots using unmanaged DNS provider. gardenlet will now cleanup any ControlPlane exposure resource as part of the reconciliation and deletion flows for such Shoots. #12162
• 🐛 [USER] A bug causing the kube-apiserver to crash when anonymous authentication is configured via StructuredAuthentication was fixed. #12198
• ✨ [DEVELOPER] Introduced new version classifications unavailable and expired. They are not meant to be set manually but should act as computed classification states. #12298

---

2025/06/18 - v1.120 Release

📽️ Recording

Demo Agenda 📋

Presenter(s)	Duration	Topic	Reference(s)
@DockToFuture	10m	👯 Single-Stack IPv4 -> Dual-Stack IPv{4,6} Migration For GCP	extension-provider-gcp#1010
@nickytd	5m	🛰️ GEP-34: OpenTelemetry Operator And Collectors	#11861
@oliver-goetz	10m	⚖️ Cluster-Internal L7 Load-Balancing Endpoints For kube-apiservers	Summary
@timuthy	10m	🛸 Compatibility Fields In Extension API	#11982

No Demo, But Still Worth Celebrating 🎉

• ✨ [OPERATOR] The Garden resource has been enhanced with a new field, spec.VirtualCluster.ETCD.Main.Backup.Region, which enables the configuration of the backup bucket region. Previously, the region was derived from the provider (spec.runtimeCluster.provider.region). This behavior remains as a fallback if the backup region is not explicitly specified. #12186
• ✨ [DEVELOPER] The .spec.purpose field in the ControlPlane resource is now deprecated and will be removed in Gardener v1.123. In the times before SNI was introduced and unconditionally enabled it was previously used to manage control plane exposure. #12161

---

2025/06/11 - Hack The Garden Wrap Up

📽️ Recording

Demo Agenda 📋

Presenter(s)	Duration	Topic	Reference(s)
@axel7born	5m	⚡️ Replace OpenVPN With Wireguard	Summary
@afritzler	5m	⛳️ Make gardener-operator Single-Node Ready	Summary
@nickytd	5m	📡 OpenTelemetry Transport For Shoot Metrics	Summary
@rickardsjp	5m	🔬 Cluster Network Observability	Summary
@tobschli	5m	📝 Signing Of ManagedResource Secrets	Summary
@Gerrit91	5m	🧰 Migrate ControlPlane Reconciliation Of Provider Extensions To ManagedResources	Summary
@benedikt-haug	5m	✨ Dashboard Usability Improvements	Summary
@klocke-io	5m	📜 Documentation Revamp	Summary
@Gerrit91	5m	ℹ️ Expose EgressCIDRs In shoot-info ConfigMap	Summary
@kon-angelo	5m	📈 Overcome Maximum Of 450 Nodes On Azure	Summary
@Nuckal777	5m	🦜 Multiple Parallel Versions In A Gardener Landscape (Canary Deployments)	Summary
@rrhubenov	5m	🧑‍🔧 Worker Group Node Roll-out	Summary
@kon-angelo	5m	👀 Instance Scheduled Events Watcher	Summary

No Demo, But Still Worth Celebrating 🎉

• ⚖️ Cluster-Internal L7 Load-Balancing Endpoints For kube-apiservers. Summary
• ♻️ GEP-32 – Version Classification Lifecycles. Summary

---

2025/05/21 - v1.119 Release

📽️ Recording

Demo Agenda 📋

Presenter(s)	Duration	Topic	Reference(s)
@timuthy	10m	🛡️ CVE-2025-47282, CVE-2025-47283, CVE-2025-47284	#12136 (issue), #12137 (issue), external-dns-management#462 (issue)
@shafeeqes	5m	💪🏻 Forceful Redeployment Of gardenlets	#11972
@rfranzke	10m	gardenadm token + gardenadm join	#11934, #11942
@ScheererJ	5m	kube-proxy's Readiness Probe	#12015

No Demo, But Still Worth Celebrating 🎉

• ✨ [OPERATOR] The support for the already deprecated shoot.gardener.cloud/managed-seed-api-server annotation is now removed. Instead, consider enabling high availability for the ManagedSeed's Shoot control plane. #11838
• ✨ [OPERATOR] Spreading Istio ingress-gateway pods across hosts is enforced only for zonal Istio deployments now. #12007

---

2025/05/07 - v1.118 Release

📽️ Recording

Demo Agenda 📋

Presenter(s)	Duration	Topic	Reference(s)
@domdom82	10m	🧦 CIDR Overlap w/ Seed For Non-HA Shoots	#11582
@vlerenc	10m	💰 Leaner Clusters, Lower Bills	blog post
@grolu	10m	🕹 Recent Gardener Dashboard Features	1.80.0 (release)
@shafeeqes, @ary1992	15m	🦋 In-Place Node Updates	#11191, #11393, #11631, #11713, #11718, #11843, #11844, #11953

No Demo, But Still Worth Celebrating 🎉

• 🐛 [OPERATOR] Gardener core components are automatically restarted (due to a failing liveness probe) in case their Kubernetes API server watch caches do not sync for 3m. #11966
• ✨ [USER] The CA bundle of the kubelet is now available via a ConfigMap the project's namespace, called <shoot-name>.ca-kubelet. #11916
• ✨ [OPERATOR] The Seed API feature new field spec.backup.credentialsRef, it is of type corev1.ObjectReference and is allowed to refer to a Secret. #11583

---

2025/04/23 - v1.117 Release

📽️ Recording

Demo Agenda 📋

Presenter(s)	Duration	Topic	Reference(s)
@axel7born	10m	👯 Single-Stack IPv4 -> Dual-Stack IPv{4,6} Migration	#11692
@oliver-goetz	5m	🐭 SPDY Support For L7 Load-Balancing	#11807
@oliver-goetz	10m	🧑‍⚕️ Extension Care Controller	#11769
@hendrikKahl	5m	🚀 machine-controller-manager Processing Throughput	#11879

No Demo, But Still Worth Celebrating 🎉

• 🪓 [USER] The VPA version is updated to 1.3.0. Upstream VPA 1.3.0 does no longer serve API version autoscaling.k8s.io/v1beta2. Gardener's VPA installation will continue to serve API version autoscaling.k8s.io/v1beta2 until Gardener v1.119. [...] #11774
• ✨ [OPERATOR] NamespacedCloudProfile.spec.limits.maxNodesTotal can now also be used to override the limit defined in the parent CloudProfile with an increased value. Increasing requires additional permissions granted by the custom verb raise-spec-limits. #11796
• ✨ [OPERATOR] gardener-operator automatically adds the networking.resources.gardener.cloud/to-virtual-garden-kube-apiserver-tcp-443: allowed label to the gardenlet deployment in case it is deployed to the garden runtime cluster. Thus, it is not required anymore to configure this label in the Gardenlet resource. #11855

---

2025/04/09 - v1.116 Release

📽️ Recording

Demo Agenda 📋

Presenter(s)	Duration	Topic	Reference(s)
@vitanovs	10m	🎮 New ShootState Finalizer Controller	#11491
@unmarshall, @Shreyas-s14	10m	🤖 etcd-druid CEL Validations + API Module	#11545
@rfranzke	5m	👮 Bug Fixes In NetworkPolicy Controller	#11780
@timuthy	10m	🧩 Extensions For Seed Reconciliations	#11764
@ScheererJ	10m	🐓 GEP-28 Update: Autonomous Shoot Clusters	#2906 (issue)

No Demo, But Still Worth Celebrating 🎉

• 🪓 [OPERATOR] Please note, if you configure spec.extensions in your Garden resource: gardener-operator adds a garden- prefix to all extension resources configured via the Garden. Existing extension resources (not prefixed) will be deleted automatically at the end of the reconciliation. [...]. #11764
• 🪓 [DEVELOPER] The extension class field in the generic extension controller was removed. Please use the new field classes instead. #11764
• ✨ [OPERATOR] The feature gate NewVPN has been graduated to GA. It was already enabled by default and can now no longer be turned off. The feature gate will be removed in a future release. #11714

---

2025/03/26 - v1.115 Release

📽️ Recording

Demo Agenda 📋

Presenter(s)	Duration	Topic	Reference(s)
@shafeeqes	10m	🗑️ Drop TokenInvalidator Controller And Webhook	#11497
@LucaBernstein	5m	🔌 Latest NamespacedCloudProfiles Features	#11647, #11550
@ialidzhikov	10m	🚏 Replace TopologyAwareHints With ServiceTrafficDistribution	#11178
@ScheererJ	5m	⚙️ Better CoreDNS Configurability	#11526
@oliver-goetz	10m	🌅 Drop HorizontalPodAutoscaler For gardener-apiserver	#11684
@hendrikKahl	5m	🏃 GOAWAY Chance For gardener-apiserver	#11551

No Demo, But Still Worth Celebrating 🎉

• ✨ [USER] If the Gardener operator has defined a control plane wildcard certificate, the .status.advertisedAddresses of the Shoot contain an entry with an endpoint secured by this certificate. Note that this endpoint is specific to the seed cluster the Shoot is scheduled to. Read all about it in this document. #11612
• ✨ [OPERATOR] The injectGardenKubeconfig field is defaulted to true for extensions responsible for Worker resources when registered via the operator.gardener.cloud/v1alpha1.Extension API. #11658

---

2025/03/12 - v1.114 Release

📽️ Recording

Demo Agenda 📋

Presenter(s)	Duration	Topic	Reference(s)
@AleksandarSavchev	5m	⛔️ Deny-All NetworkPolicy In kube-system Namespace For Shoots	#11502
@timuthy	10m	🍭 Minimum Resource Requirements For Shoot ETCD + API Server	#11252
@timuthy	5m	🔨 Extension Example Manifest Generator	#11329
@Wieneo	5m	🗑️ Dropping Reserved VPN Authz Server	#11338
@oliver-goetz	10m	⚖️ L7 Load-Balancing For Requests To kube-apiservers	#11085
@rfranzke	5m	🔑 Garden Access For Extensions No Longer By Default	#11593

No Demo, But Still Worth Celebrating 🎉

• 🪓 [OPERATOR] ⚠️ Gardener does no longer support garden, seed, or shoot clusters with Kubernetes versions <= 1.26. Make sure to upgrade all existing clusters before upgrading to this Gardener version. #10664
• 🪓 [USER] All Seeds are now automatically labeled with name.seed.gardener.cloud/<name>=true (⚠ no longer seed.gardener.cloud/<name>=true) where <name> is their own name, and (if applicable) the name of their parent seed in case they are managed seeds. This label can be used as selector for requests. #11479
• ✨ [OPERATOR] gardener-operator now waits for required Extensions to get ready early in the reconcile flow. It addresses use-cases where extensions run mutating webhooks in the garden runtime cluster that must be present when Garden components are deployed. #11523

---

2025/03/05 - Kubernetes v1.32 Special Edition

📽️ Recording

Demo Agenda 📋

Presenters: @marc1404, @LucaBernstein

Duration	Topic	Reference(s)
10m	🎓 Graduation Ceremony Graduated Features	KEP-4358, KEP-1967, KEP-4193, KEP-3221, KEP-1847
10m	🌸 Beta Bloom Alpha -> Beta Promotions	KEP-4368, KEP-4633, KEP-4247, KEP-1790, KEP-3476, KEP-4381, KEP-4601, KEP-3157
10m	🗞️ Fresh Off The Press New Alpha Features	KEP-4832, KEP-3962, KEP-2837, KEP-4818, KEP-4817, KEP-4827 & KEP-4828, KEP-4802 & KEP-4885
5m	🧼 Security, Deprecations & Removals	CVE-2025-0426, CVE-2024-9042, KEP-4381, kubernetes/kubernetes#127017
5m	🪴 What's Changing In Gardener	#11020, #10666, #10858

---

2025/02/26 - v1.113 Release

📽️ Recording

Demo Agenda 📋

Presenter(s)	Duration	Topic	Reference(s)
@maboehm	5m	👷 Maximum Node Count For Shoots	#11279
@domdom82	5m	👀 ACL Reconciliation On Infrastructure Changes	extension-acl#105
@Wieneo	5m	🎭 GEP-30: Rework API Server Proxy	#11214 (issue)
@ishan16696	10m	🐛 Fix Failing ETCD Restorations	etcd-backup-restore#778 (issue)
@timebertt	5m	🪜 Refactor E2E Tests To Ordered Its	#11379 (issue)
@vpnachev	5m	📢 Public Gardener Information Discovery	#11238

No Demo, But Still Worth Celebrating 🎉

• 🐛 [USER] The ETCD encryption config now properly configures a 32-byte key. #11150
• ✨ [OPERATOR] Enhance the gardener-operator to allow specification of more than a single network range for .spec.runtimeCluster.networking.{nodes,pods,services}, and .spec.virtualCluster.networking.services, which also allows dual-stack configurations. #11251
• ✨ [OPERATOR] Shoot system and Shoot control plane containers, which do not require privilege escalations, now forbid privilege escalation explicitly. There is an issue in Kubernetes about the privilege escalation configuration being true by default. #11241

---

2025/02/19 - v1.112 Release

📽️ Recording

Demo Agenda 📋

Presenter(s)	Duration	Topic	Reference(s)
@domdom82	5m	🛡️ Prevent Leaking kube-apiserver's Service IP in Shoot	#10949
@rfranzke	10m	🤹‍♂️ Credentials Rotation Without Workers Rollout	#11027
@oliver-goetz	5m	🌯 Wrapper For OperatingSystemConfig Provisioning Script	#11208
@marc1404	10m	💥 Cluster Autoscaler Priority Expander Config	#11045
@petersutter	5m	🗼 Structured Authentication With Dashboard	#11080

No Demo, But Still Worth Celebrating 🎉

• ✨ [USER] All Seeds are now automatically labeled with seed.gardener.cloud/<name>=true where <name> is their own name, and (if applicable) the name of their parent seed in case they are managed seeds. This label can be used as selector for requests. #11062
• 📖 [OPERATOR] Rewrite Setup Gardener document #11260

---

2025/02/12 - v1.111 Release

📽️ Recording

Demo Agenda 📋

Presenter(s)	Duration	Topic	Reference(s)
@marc1404	5m	⚙️ Default Machine Image Version	#10954
@timuthy	10m	👨🏻‍🌾 Gardener Operator Manages Extension Resources	#11192, #11001
@dimityrmirchev	5m	🚫 Secret/ConfigMap Tampering Protection	#11108
@oliver-goetz	5m	🗑️ Improved Deletion Logic In gardener-node-agent	#11015

No Demo, But Still Worth Celebrating 🎉

• ✨ [USER] Expired versions from the NamespacedCloudProfile are always dropped, except for already applied versions. #10910
• ✨ [OPERATOR] Now vali contains the managed control plane logs from the early stages of Shoot reconcile. #11082
• 🐛 [OPERATOR] An issue was fixed in gardener-operator that prevented configuring OIDC for gardener-dashboard while using Structured Authentication. #11080