Gardener Review Meetings 2025

Overview

In case you couldn't participate and are interested in catching up, you can find the contents of the review meetings we have had in 2025 here.

Check back regularly for updates and upcoming topics!

Reviews

2025/08/27 - v1.126 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@ScheererJ | 10m | node-local-dns Enablement w/o Nodes Rollout | #12422
@LucaBernstein | 5m | Emergency Stop Of Shoot Reconciliations | #12712

No Demo, But Still Worth Celebrating 🎉

  • 🪓 [OPERATOR] ⚠️ The NewWorkerPoolHash feature gate has been promoted to beta and is now enabled by default. [...] All provider extensions must be upgraded to a version which includes Gardener v1.98.0 first to support this feature. #12550
  • 🐛 [USER] Errors that occur during Worker reconciliation are now also propagated to the Shoot status. #12769
  • 🐛 [OPERATOR] An issue causing the plutono-datasources ConfigMap to be reconciled by 2 ManagedResources when Seed is Garden managed by gardener-operator is now fixed. [...] #12798

2025/08/13 - v1.125 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@rfranzke | 10m | GEP-28: ETCD Management Via etcd-druid | #12391
@marc1404 | 5m | No More RBAC Collisions In Kubeconfigs | #12597
@ialidzhikov | 10m | Global Max Allowed Values For VPA | #12481
@AleksandarSavchev | 5m | Robust Config Handling In gardener-node-agent | #12589
@tobschli | 10m | Cluster API Provider For Gardener | cluster-api-provider-gardener (repo), blog post

No Demo, But Still Worth Celebrating 🎉

  • 🐛 [OPERATOR] Seed registration was fixed for ManagedSeeds with seed templates configuring spec.resources. #12652
  • 🐛 [OPERATOR] A bug in gardener-node-agent that prevented the location of the sandbox image from being configured to a custom value on worker nodes with containerd v2.x was fixed. #12665
  • ✨ [DEVELOPER] The Concourse CICD pipeline has been migrated to GitHub Actions. #12592

2025/08/06 - Kubernetes v1.33 Special Edition

📽️ Recording

Demo Agenda 📋

Presenters: @Kostov6, @plkokanov, @RadaBDimitrova

Duration | Topic | Reference(s)
15m | Graduation Ceremony (Graduated Features) | KEP-753, KEP-3850, KEP-3998, KEP-4193, KEP-2590, KEP-1880, KEP-3866, KEP-4444 & KEP-2433, KEP-2625, KEP-3633, KEP-3094, KEP-1495, KEP-2644, KEP-3857
15m | Beta Bloom (Alpha -> Beta Promotions) | KEP-5100, KEP-4381, KEP-4817, KEP-5142, KEP-4832, KEP-3257, KEP-3619, KEP-4639, KEP-127, KEP-4265, KEP-2902, KEP-3960 & KEP-4818, KEP-5073
10m | Fresh Off The Press (New Alpha Features) | KEP-4951, KEP-4603, KEP-4960, KEP-5055 & KEP-4816 & KEP-5018 & KEP-4815, KEP-2535, KEP-4742, KEP-5067, KEP-5109, KEP-4205, KEP-4412, KEP-4049
5m | Security, Deprecations & Removals | CVE-2025-4563, KEP-4004, KEP-4974, KEP-5040, KEP-3503
5m | What's Changing In Gardener | #11033, #12343, #12115 & #12413, #11502

2025/07/30 - v1.124 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@timuthy | 10m | Image Rewriter Extension | extension-image-rewriter (repo)
@oliver-goetz | 5m | L7 Load-Balancing Metrics Dashboards | #12509
@domdom82 | 10m | CIDR Overlap w/ Seed For HA Shoots | #12204
@vitanovs | 10m | Vertical Pod Autoscaler Feature Gates | #12339

No Demo, But Still Worth Celebrating 🎉

  • 🪓 [USER] Starting with Kubernetes v1.34, setting the field .spec.cloudProfileName is forbidden. The field will be dropped from existing Shoots once. Users are advised to drop this field and specify the cloud profile using the .spec.cloudProfile.name field instead. #11816
  • 🐛 [OPERATOR] A bug has been fixed which caused Pods from namespaces other than kube-system and labeled with node.gardener.cloud/critical-component=true to be considered by gardener-resource-manager. #12557
  • 🐛 [OPERATOR] A bug has been fixed which prevented the seed-specific Plutono dashboards from being provided by gardenlet in case its seed cluster was the garden runtime cluster at the same time. #12476

2025/07/16 - v1.123 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@LucaBernstein | 5m | Defaulting Machine Image Version From Prefix | #12374
@oliver-goetz | 10m | Simplified gardenlet Deployment Configuration | #11996
@timebertt | 10m | Bastion Controller In provider-local | #12366
@ishan16696 | 15m | Immutable Backup Buckets | #12175

No Demo, But Still Worth Celebrating 🎉

  • 🪓 [USER] The deprecated url annotation in <shoot-name>.monitoring secrets in the project namespace has been removed. Please use the plutono-url annotation instead. #12396
  • ✨ [OPERATOR] The NodeAgentAuthorizer feature gate has been graduated to GA and is locked to true. #12405
  • ✨ [DEVELOPER] BackupBucket/BackupEntry controllers now support WorkloadIdentity type of credentials; provider extensions may need to adjust the respective controllers or to explicitly disallow BackupBuckets of their type to configure WorkloadIdentity. #12321

The occurrence for the v1.122 release was skipped because of too few topics.


2025/06/25 - v1.121 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@RadaBDimitrova | 5m | Improved Health Check For Rolling Updates | #11869
@ashwani2k | 5m | dependency-watchdog Reports Scale Down | #12272
@timebertt | 10m | GEP-28: gardenadm bootstrap Progress | #2906 (issue)
@timuthy | 5m | New Capabilities For Extension Shoot Webhooks | #12273
@vpnachev | 5m | New DoNotCopyBackupCredentials Feature Gate | #12168

No Demo, But Still Worth Celebrating 🎉

  • 🪓 [OPERATOR] gardenlet no longer deploys ControlPlane resources with .spec.purpose=exposure for Shoots using unmanaged DNS provider. gardenlet will now clean up any ControlPlane exposure resource as part of the reconciliation and deletion flows for such Shoots. #12162
  • 🐛 [USER] A bug causing the kube-apiserver to crash when anonymous authentication is configured via StructuredAuthentication was fixed. #12198
  • ✨ [DEVELOPER] Introduced new version classifications unavailable and expired. They are not meant to be set manually but should act as computed classification states. #12298

2025/06/18 - v1.120 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@DockToFuture | 10m | Single-Stack IPv4 -> Dual-Stack IPv{4,6} Migration For GCP | extension-provider-gcp#1010
@nickytd | 5m | GEP-34: OpenTelemetry Operator And Collectors | #11861
@oliver-goetz | 10m | Cluster-Internal L7 Load-Balancing Endpoints For kube-apiservers | Summary
@timuthy | 10m | Compatibility Fields In Extension API | #11982

No Demo, But Still Worth Celebrating 🎉

  • ✨ [OPERATOR] The Garden resource has been enhanced with a new field, spec.VirtualCluster.ETCD.Main.Backup.Region, which enables the configuration of the backup bucket region. Previously, the region was derived from the provider (spec.runtimeCluster.provider.region). This behavior remains as a fallback if the backup region is not explicitly specified. #12186
  • ✨ [DEVELOPER] The .spec.purpose field in the ControlPlane resource is now deprecated and will be removed in Gardener v1.123. Before SNI was introduced and unconditionally enabled, it was used to manage control plane exposure. #12161

2025/06/11 - Hack The Garden Wrap Up

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@axel7born | 5m | Replace OpenVPN With Wireguard | Summary
@afritzler | 5m | Make gardener-operator Single-Node Ready | Summary
@nickytd | 5m | OpenTelemetry Transport For Shoot Metrics | Summary
@rickardsjp | 5m | Cluster Network Observability | Summary
@tobschli | 5m | Signing Of ManagedResource Secrets | Summary
@Gerrit91 | 5m | Migrate ControlPlane Reconciliation Of Provider Extensions To ManagedResources | Summary
@benedikt-haug | 5m | Dashboard Usability Improvements | Summary
@klocke-io | 5m | Documentation Revamp | Summary
@Gerrit91 | 5m | Expose EgressCIDRs In shoot-info ConfigMap | Summary
@kon-angelo | 5m | Overcome Maximum Of 450 Nodes On Azure | Summary
@Nuckal777 | 5m | Multiple Parallel Versions In A Gardener Landscape (Canary Deployments) | Summary
@rrhubenov | 5m | Worker Group Node Roll-out | Summary
@kon-angelo | 5m | Instance Scheduled Events Watcher | Summary

No Demo, But Still Worth Celebrating 🎉

  • Cluster-Internal L7 Load-Balancing Endpoints For kube-apiservers. Summary
  • GEP-32 – Version Classification Lifecycles. Summary

2025/05/21 - v1.119 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@timuthy | 10m | CVE-2025-47282, CVE-2025-47283, CVE-2025-47284 | #12136 (issue), #12137 (issue), external-dns-management#462 (issue)
@shafeeqes | 5m | Forceful Redeployment Of gardenlets | #11972
@rfranzke | 10m | gardenadm token + gardenadm join | #11934, #11942
@ScheererJ | 5m | kube-proxy's Readiness Probe | #12015

No Demo, But Still Worth Celebrating 🎉

  • ✨ [OPERATOR] The support for the already deprecated shoot.gardener.cloud/managed-seed-api-server annotation is now removed. Instead, consider enabling high availability for the ManagedSeed's Shoot control plane. #11838
  • ✨ [OPERATOR] Spreading Istio ingress-gateway pods across hosts is enforced only for zonal Istio deployments now. #12007

2025/05/07 - v1.118 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@domdom82 | 10m | CIDR Overlap w/ Seed For Non-HA Shoots | #11582
@vlerenc | 10m | Leaner Clusters, Lower Bills | blog post
@grolu | 10m | Recent Gardener Dashboard Features | 1.80.0 (release)
@shafeeqes, @ary1992 | 15m | In-Place Node Updates | #11191, #11393, #11631, #11713, #11718, #11843, #11844, #11953

No Demo, But Still Worth Celebrating 🎉

  • 🐛 [OPERATOR] Gardener core components are automatically restarted (due to a failing liveness probe) in case their Kubernetes API server watch caches do not sync for 3m. #11966
  • ✨ [USER] The CA bundle of the kubelet is now available via a ConfigMap in the project's namespace, called <shoot-name>.ca-kubelet. #11916
  • ✨ [OPERATOR] The Seed API features a new field spec.backup.credentialsRef; it is of type corev1.ObjectReference and is allowed to refer to a Secret. #11583

2025/04/23 - v1.117 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@axel7born | 10m | Single-Stack IPv4 -> Dual-Stack IPv{4,6} Migration | #11692
@oliver-goetz | 5m | SPDY Support For L7 Load-Balancing | #11807
@oliver-goetz | 10m | Extension Care Controller | #11769
@hendrikKahl | 5m | machine-controller-manager Processing Throughput | #11879

No Demo, But Still Worth Celebrating 🎉

  • 🪓 [USER] The VPA version is updated to 1.3.0. Upstream VPA 1.3.0 no longer serves API version autoscaling.k8s.io/v1beta2. Gardener's VPA installation will continue to serve API version autoscaling.k8s.io/v1beta2 until Gardener v1.119. [...] #11774
  • ✨ [OPERATOR] NamespacedCloudProfile.spec.limits.maxNodesTotal can now also be used to override the limit defined in the parent CloudProfile with an increased value. Increasing requires additional permissions granted by the custom verb raise-spec-limits. #11796
  • ✨ [OPERATOR] gardener-operator automatically adds the networking.resources.gardener.cloud/to-virtual-garden-kube-apiserver-tcp-443: allowed label to the gardenlet deployment in case it is deployed to the garden runtime cluster. Thus, it is not required anymore to configure this label in the Gardenlet resource. #11855

2025/04/09 - v1.116 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@vitanovs | 10m | New ShootState Finalizer Controller | #11491
@unmarshall, @Shreyas-s14 | 10m | etcd-druid CEL Validations + API Module | #11545
@rfranzke | 5m | Bug Fixes In NetworkPolicy Controller | #11780
@timuthy | 10m | Extensions For Seed Reconciliations | #11764
@ScheererJ | 10m | GEP-28 Update: Autonomous Shoot Clusters | #2906 (issue)

No Demo, But Still Worth Celebrating 🎉

  • 🪓 [OPERATOR] Please note, if you configure spec.extensions in your Garden resource: gardener-operator adds a garden- prefix to all extension resources configured via the Garden. Existing extension resources (not prefixed) will be deleted automatically at the end of the reconciliation. [...]. #11764
  • 🪓 [DEVELOPER] The extension class field in the generic extension controller was removed. Please use the new field classes instead. #11764
  • ✨ [OPERATOR] The feature gate NewVPN has been graduated to GA. It was already enabled by default and can now no longer be turned off. The feature gate will be removed in a future release. #11714

2025/03/26 - v1.115 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@shafeeqes | 10m | Drop TokenInvalidator Controller And Webhook | #11497
@LucaBernstein | 5m | Latest NamespacedCloudProfiles Features | #11647, #11550
@ialidzhikov | 10m | Replace TopologyAwareHints With ServiceTrafficDistribution | #11178
@ScheererJ | 5m | Better CoreDNS Configurability | #11526
@oliver-goetz | 10m | Drop HorizontalPodAutoscaler For gardener-apiserver | #11684
@hendrikKahl | 5m | GOAWAY Chance For gardener-apiserver | #11551

No Demo, But Still Worth Celebrating 🎉

  • ✨ [USER] If the Gardener operator has defined a control plane wildcard certificate, the .status.advertisedAddresses of the Shoot contain an entry with an endpoint secured by this certificate. Note that this endpoint is specific to the seed cluster the Shoot is scheduled to. Read all about it in this document. #11612
  • ✨ [OPERATOR] The injectGardenKubeconfig field is defaulted to true for extensions responsible for Worker resources when registered via the operator.gardener.cloud/v1alpha1.Extension API. #11658

2025/03/12 - v1.114 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@AleksandarSavchev | 5m | Deny-All NetworkPolicy In kube-system Namespace For Shoots | #11502
@timuthy | 10m | Minimum Resource Requirements For Shoot ETCD + API Server | #11252
@timuthy | 5m | Extension Example Manifest Generator | #11329
@Wieneo | 5m | Dropping Reserved VPN Authz Server | #11338
@oliver-goetz | 10m | L7 Load-Balancing For Requests To kube-apiservers | #11085
@rfranzke | 5m | Garden Access For Extensions No Longer By Default | #11593

No Demo, But Still Worth Celebrating 🎉

  • 🪓 [OPERATOR] ⚠️ Gardener no longer supports garden, seed, or shoot clusters with Kubernetes versions <= 1.26. Make sure to upgrade all existing clusters before upgrading to this Gardener version. #10664
  • 🪓 [USER] All Seeds are now automatically labeled with name.seed.gardener.cloud/<name>=true (⚠ no longer seed.gardener.cloud/<name>=true) where <name> is their own name, and (if applicable) the name of their parent seed in case they are managed seeds. This label can be used as selector for requests. #11479
  • ✨ [OPERATOR] gardener-operator now waits for required Extensions to get ready early in the reconcile flow. It addresses use-cases where extensions run mutating webhooks in the garden runtime cluster that must be present when Garden components are deployed. #11523

2025/03/05 - Kubernetes v1.32 Special Edition

📽️ Recording

Demo Agenda 📋

Presenters: @marc1404, @LucaBernstein

Duration | Topic | Reference(s)
10m | Graduation Ceremony (Graduated Features) | KEP-4358, KEP-1967, KEP-4193, KEP-3221, KEP-1847
10m | Beta Bloom (Alpha -> Beta Promotions) | KEP-4368, KEP-4633, KEP-4247, KEP-1790, KEP-3476, KEP-4381, KEP-4601, KEP-3157
10m | Fresh Off The Press (New Alpha Features) | KEP-4832, KEP-3962, KEP-2837, KEP-4818, KEP-4817, KEP-4827 & KEP-4828, KEP-4802 & KEP-4885
5m | Security, Deprecations & Removals | CVE-2025-0426, CVE-2024-9042, KEP-4381, kubernetes/kubernetes#127017
5m | What's Changing In Gardener | #11020, #10666, #10858

2025/02/26 - v1.113 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@maboehm | 5m | Maximum Node Count For Shoots | #11279
@domdom82 | 5m | ACL Reconciliation On Infrastructure Changes | extension-acl#105
@Wieneo | 5m | GEP-30: Rework API Server Proxy | #11214 (issue)
@ishan16696 | 10m | Fix Failing ETCD Restorations | etcd-backup-restore#778 (issue)
@timebertt | 5m | Refactor E2E Tests To Ordered Its | #11379 (issue)
@vpnachev | 5m | Public Gardener Information Discovery | #11238

No Demo, But Still Worth Celebrating 🎉

  • 🐛 [USER] The ETCD encryption config now properly configures a 32-byte key. #11150
  • ✨ [OPERATOR] Enhance the gardener-operator to allow specification of more than a single network range for .spec.runtimeCluster.networking.{nodes,pods,services}, and .spec.virtualCluster.networking.services, which also allows dual-stack configurations. #11251
  • ✨ [OPERATOR] Shoot system and Shoot control plane containers, which do not require privilege escalations, now forbid privilege escalation explicitly. There is an issue in Kubernetes about the privilege escalation configuration being true by default. #11241

2025/02/19 - v1.112 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@domdom82 | 5m | Prevent Leaking kube-apiserver's Service IP in Shoot | #10949
@rfranzke | 10m | Credentials Rotation Without Workers Rollout | #11027
@oliver-goetz | 5m | Wrapper For OperatingSystemConfig Provisioning Script | #11208
@marc1404 | 10m | Cluster Autoscaler Priority Expander Config | #11045
@petersutter | 5m | Structured Authentication With Dashboard | #11080

No Demo, But Still Worth Celebrating 🎉

  • ✨ [USER] All Seeds are now automatically labeled with seed.gardener.cloud/<name>=true where <name> is their own name, and (if applicable) the name of their parent seed in case they are managed seeds. This label can be used as selector for requests. #11062
  • 📖 [OPERATOR] Rewrite Setup Gardener document #11260

2025/02/12 - v1.111 Release

📽️ Recording

Demo Agenda 📋

Presenter(s) | Duration | Topic | Reference(s)
@marc1404 | 5m | Default Machine Image Version | #10954
@timuthy | 10m | Gardener Operator Manages Extension Resources | #11192, #11001
@dimityrmirchev | 5m | Secret/ConfigMap Tampering Protection | #11108
@oliver-goetz | 5m | Improved Deletion Logic In gardener-node-agent | #11015

No Demo, But Still Worth Celebrating 🎉

  • ✨ [USER] Expired versions from the NamespacedCloudProfile are always dropped, except for already applied versions. #10910
  • ✨ [OPERATOR] Now vali contains the managed control plane logs from the early stages of Shoot reconcile. #11082
  • 🐛 [OPERATOR] An issue was fixed in gardener-operator that prevented configuring OIDC for gardener-dashboard while using Structured Authentication. #11080

Funded by the European Union – NextGenerationEU.

The views and opinions expressed are solely those of the author(s) and do not necessarily reflect the views of the European Union or the European Commission. Neither the European Union nor the European Commission can be held responsible for them.