Overview

In case you couldn’t participate and are interested in catching up, you can find the contents of the review meetings we have had in 2025 here.

Check back regularly for updates and upcoming topics!

Reviews

2025/05/21 - v1.119 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@timuthy | 10m | 🛡️ CVE-2025-47282, CVE-2025-47283, CVE-2025-47284 | #12136 (issue), #12137 (issue), external-dns-management#462 (issue)
@shafeeqes | 5m | 💪🏻 Forceful Redeployment Of gardenlets | #11972
@rfranzke | 10m | gardenadm token + gardenadm join | #11934, #11942
@ScheererJ | 5m | kube-proxy’s Readiness Probe | #12015

No Demo, But Still Worth Celebrating 🎉

  • ✨ [OPERATOR] The support for the already deprecated shoot.gardener.cloud/managed-seed-api-server annotation is now removed. Instead, consider enabling high availability for the ManagedSeed’s Shoot control plane. #11838
  • ✨ [OPERATOR] Spreading Istio ingress-gateway pods across hosts is enforced only for zonal Istio deployments now. #12007

2025/05/07 - v1.118 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@domdom82 | 10m | 🧦 CIDR Overlap w/ Seed For Non-HA Shoots | #11582
@vlerenc | 10m | 💰 Leaner Clusters, Lower Bills | blog post
@grolu | 10m | 🕹 Recent Gardener Dashboard Features | 1.80.0 (release)
@shafeeqes, @ary1992 | 15m | 🦋 In-Place Node Updates | #11191, #11393, #11631, #11713, #11718, #11843, #11844, #11953

No Demo, But Still Worth Celebrating 🎉

  • 🐛 [OPERATOR] Gardener core components are automatically restarted (due to a failing liveness probe) in case their Kubernetes API server watch caches do not sync for 3m. #11966
  • ✨ [USER] The CA bundle of the kubelet is now available via a ConfigMap in the project’s namespace, called <shoot-name>.ca-kubelet. #11916
  • ✨ [OPERATOR] The Seed API features a new field, spec.backup.credentialsRef. It is of type corev1.ObjectReference and is allowed to refer to a Secret. #11583

2025/04/23 - v1.117 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@axel7born | 10m | 👯 Single-Stack IPv4 -> Dual-Stack IPv{4,6} Migration | #11692
@oliver-goetz | 5m | 🐭 SPDY Support For L7 Load-Balancing | #11807
@oliver-goetz | 10m | 🧑‍⚕️ Extension Care Controller | #11769
@hendrikKahl | 5m | 🚀 machine-controller-manager Processing Throughput | #11879

No Demo, But Still Worth Celebrating 🎉

  • 🪓 [USER] The VPA version is updated to 1.3.0. Upstream VPA 1.3.0 no longer serves API version autoscaling.k8s.io/v1beta2. Gardener’s VPA installation will continue to serve API version autoscaling.k8s.io/v1beta2 until Gardener v1.119. […] #11774
  • ✨ [OPERATOR] NamespacedCloudProfile.spec.limits.maxNodesTotal can now also be used to override the limit defined in the parent CloudProfile with an increased value. Increasing requires additional permissions granted by the custom verb raise-spec-limits. #11796
  • ✨ [OPERATOR] gardener-operator automatically adds the networking.resources.gardener.cloud/to-virtual-garden-kube-apiserver-tcp-443: allowed label to the gardenlet deployment in case it is deployed to the garden runtime cluster. Thus, it is not required anymore to configure this label in the Gardenlet resource. #11855

2025/04/09 - v1.116 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@vitanovs | 10m | 🎮 New ShootState Finalizer Controller | #11491
@unmarshall, @Shreyas-s14 | 10m | 🤖 etcd-druid CEL Validations + API Module | #11545
@rfranzke | 5m | 👮 Bug Fixes In NetworkPolicy Controller | #11780
@timuthy | 10m | 🧩 Extensions For Seed Reconciliations | #11764
@ScheererJ | 10m | 🐓 GEP-28 Update: Autonomous Shoot Clusters | #2906 (issue)

No Demo, But Still Worth Celebrating 🎉

  • 🪓 [OPERATOR] Please note, if you configure spec.extensions in your Garden resource: gardener-operator adds a garden- prefix to all extension resources configured via the Garden. Existing extension resources (not prefixed) will be deleted automatically at the end of the reconciliation. […]. #11764
  • 🪓 [DEVELOPER] The extension class field in the generic extension controller was removed. Please use the new field classes instead. #11764
  • ✨ [OPERATOR] The feature gate NewVPN has been graduated to GA. It was already enabled by default and can now no longer be turned off. The feature gate will be removed in a future release. #11714

2025/03/26 - v1.115 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@shafeeqes | 10m | 🗑️ Drop TokenInvalidator Controller And Webhook | #11497
@LucaBernstein | 5m | 🔌 Latest NamespacedCloudProfiles Features | #11647, #11550
@ialidzhikov | 10m | 🚏 Replace TopologyAwareHints With ServiceTrafficDistribution | #11178
@ScheererJ | 5m | ⚙️ Better CoreDNS Configurability | #11526
@oliver-goetz | 10m | 🌅 Drop HorizontalPodAutoscaler For gardener-apiserver | #11684
@hendrikKahl | 5m | 🏃 GOAWAY Chance For gardener-apiserver | #11551

No Demo, But Still Worth Celebrating 🎉

  • ✨ [USER] If the Gardener operator has defined a control plane wildcard certificate, the .status.advertisedAddresses of the Shoot contain an entry with an endpoint secured by this certificate. Note that this endpoint is specific to the seed cluster the Shoot is scheduled to. Read all about it in this document. #11612
  • ✨ [OPERATOR] The injectGardenKubeconfig field is defaulted to true for extensions responsible for Worker resources when registered via the operator.gardener.cloud/v1alpha1.Extension API. #11658

2025/03/12 - v1.114 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@AleksandarSavchev | 5m | ⛔️ Deny-All NetworkPolicy In kube-system Namespace For Shoots | #11502
@timuthy | 10m | 🍭 Minimum Resource Requirements For Shoot ETCD + API Server | #11252
@timuthy | 5m | 🔨 Extension Example Manifest Generator | #11329
@Wieneo | 5m | 🗑️ Dropping Reserved VPN Authz Server | #11338
@oliver-goetz | 10m | ⚖️ L7 Load-Balancing For Requests To kube-apiservers | #11085
@rfranzke | 5m | 🔑 Garden Access For Extensions No Longer By Default | #11593

No Demo, But Still Worth Celebrating 🎉

  • 🪓 [OPERATOR] ⚠️ Gardener no longer supports garden, seed, or shoot clusters with Kubernetes versions <= 1.26. Make sure to upgrade all existing clusters before upgrading to this Gardener version. #10664
  • 🪓 [USER] All Seeds are now automatically labeled with name.seed.gardener.cloud/<name>=true (⚠ no longer seed.gardener.cloud/<name>=true) where <name> is their own name, and (if applicable) the name of their parent seed in case they are managed seeds. This label can be used as selector for requests. #11479
  • ✨ [OPERATOR] gardener-operator now waits for required Extensions to get ready early in the reconcile flow. It addresses use-cases where extensions run mutating webhooks in the garden runtime cluster that must be present when Garden components are deployed. #11523

2025/03/05 - Kubernetes v1.32 Special Edition

📽️ Recording

Demo Agenda 📋

Presenters: @marc1404, @LucaBernstein

Duration | Topic | Reference(s)
10m | 🎓 Graduation Ceremony - Graduated Features | KEP-4358, KEP-1967, KEP-4193, KEP-3221, KEP-1847
10m | 🌸 Beta Bloom - Alpha -> Beta Promotions | KEP-4368, KEP-4633, KEP-4247, KEP-1790, KEP-3476, KEP-4381, KEP-4601, KEP-3157
10m | 🗞️ Fresh Off The Press - New Alpha Features | KEP-4832, KEP-3962, KEP-2837, KEP-4818, KEP-4817, KEP-4827 & KEP-4828, KEP-4802 & KEP-4885
5m | 🧼 Security, Deprecations & Removals | CVE-2025-0426, CVE-2024-9042, KEP-4381, kubernetes/kubernetes#127017
5m | 🪴 What’s Changing In Gardener | #11020, #10666, #10858

2025/02/26 - v1.113 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@maboehm | 5m | 👷 Maximum Node Count For Shoots | #11279
@domdom82 | 5m | 👀 ACL Reconciliation On Infrastructure Changes | extension-acl#105
@Wieneo | 5m | 🎭 GEP-30: Rework API Server Proxy | #11214 (issue)
@ishan16696 | 10m | 🐛 Fix Failing ETCD Restorations | etcd-backup-restore#778 (issue)
@timebertt | 5m | 🪜 Refactor E2E Tests To Ordered Its | #11379 (issue)
@vpnachev | 5m | 📢 Public Gardener Information Discovery | #11238

No Demo, But Still Worth Celebrating 🎉

  • 🐛 [USER] The ETCD encryption config now properly configures a 32-byte key. #11150
  • ✨ [OPERATOR] Enhance the gardener-operator to allow specification of more than a single network range for .spec.runtimeCluster.networking.{nodes,pods,services}, and .spec.virtualCluster.networking.services, which also allows dual-stack configurations. #11251
  • ✨ [OPERATOR] Shoot system and Shoot control plane containers, which do not require privilege escalations, now forbid privilege escalation explicitly. There is an issue in Kubernetes about the privilege escalation configuration being true by default. #11241

2025/02/19 - v1.112 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@domdom82 | 5m | 🛡️ Prevent Leaking kube-apiserver’s Service IP in Shoot | #10949
@rfranzke | 10m | 🤹‍♂️ Credentials Rotation Without Workers Rollout | #11027
@oliver-goetz | 5m | 🌯 Wrapper For OperatingSystemConfig Provisioning Script | #11208
@marc1404 | 10m | 💥 Cluster Autoscaler Priority Expander Config | #11045
@petersutter | 5m | 🗼 Structured Authentication With Dashboard | #11080

No Demo, But Still Worth Celebrating 🎉

  • ✨ [USER] All Seeds are now automatically labeled with seed.gardener.cloud/<name>=true where <name> is their own name, and (if applicable) the name of their parent seed in case they are managed seeds. This label can be used as selector for requests. #11062
  • 📖 [OPERATOR] Rewrite Setup Gardener document #11260

2025/02/12 - v1.111 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@marc1404 | 5m | ⚙️ Default Machine Image Version | #10954
@timuthy | 10m | 👨🏻‍🌾 Gardener Operator Manages Extension Resources | #11192, #11001
@dimityrmirchev | 5m | 🚫 Secret/ConfigMap Tampering Protection | #11108
@oliver-goetz | 5m | 🗑️ Improved Deletion Logic In gardener-node-agent | #11015

No Demo, But Still Worth Celebrating 🎉

  • ✨ [USER] Expired versions from the NamespacedCloudProfile are always dropped, except for already applied versions. #10910
  • ✨ [OPERATOR] Now vali contains the managed control plane logs from the early stages of Shoot reconcile. #11082
  • 🐛 [OPERATOR] An issue was fixed in gardener-operator that prevented configuring OIDC for gardener-dashboard while using Structured Authentication. #11080