Gardener Review Meetings 2025

Overview

In case you couldn’t participate and are interested in catching up, you can find the contents of the review meetings we have had in 2024 here.

Check back regularly for updates and upcoming topics!

Presenter(s)	Duration	Topic	Reference(s)
@shafeeqes	`10m`	🗑️ Drop `TokenInvalidator` Controller And Webhook	#11497
@LucaBernstein	`5m`	🔌 Latest `NamespacedCloudProfile`s Features	#11647, #11550
@ialidzhikov	`10m`	🚏 Replace `TopologyAwareHints` With `ServiceTrafficDistribution`	#11178
@ScheererJ	`5m`	⚙️ Better CoreDNS Configurability	#11526
@oliver-goetz	`10m`	🌅 Drop `HorizontalPodAutoscaler` For `gardener-apiserver`	#11684
@hendrikKahl	`5m`	🏃 GOAWAY Chance For `gardener-apiserver`	#11551

✨ [USER] If the Gardener operator has defined a control plane wildcard certificate, the .status.advertisedAddresses of the Shoot contain an entry with an endpoint secured by this certificate. Note that this endpoint is specific to the seed cluster the Shoot is scheduled to. Read all about it in this document. #11612
✨ [OPERATOR] The injectGardenKubeconfig field is defaulted to true for extensions responsible for Worker resources when registered via the operator.gardener.cloud/v1alpha1.Extension API. #11658

Presenter(s)	Duration	Topic	Reference(s)
@AleksandarSavchev	`5m`	⛔️ Deny-All `NetworkPolicy` In `kube-system` Namespace For `Shoot`s	#11502
@timuthy	`10m`	🍭 Minimum Resource Requirements For `Shoot` ETCD + API Server	#11252
@timuthy	`5m`	🔨 `Extension` Example Manifest Generator	#11329
@Wieneo	`5m`	🗑️ Dropping Reserved VPN Authz Server	#11338
@oliver-goetz	`10m`	⚖️ L7 Load-Balancing For Requests To `kube-apiserver`s	#11085
@rfranzke	`5m`	🔑 Garden Access For Extensions No Longer By Default	#11593

🪓 [OPERATOR] ⚠️ Gardener does no longer support garden, seed, or shoot clusters with Kubernetes versions <= 1.26. Make sure to upgrade all existing clusters before upgrading to this Gardener version. #10664
🪓 [USER] All Seeds are now automatically labeled with name.seed.gardener.cloud/<name>=true (⚠ no longer seed.gardener.cloud/<name>=true) where <name> is their own name, and (if applicable) the name of their parent seed in case they are managed seeds. This label can be used as selector for requests. #11479
✨ [OPERATOR] gardener-operator now waits for required Extensions to get ready early in the reconcile flow. It addresses use-cases where extensions run mutating webhooks in the garden runtime cluster that must be present when Garden components are deployed. #11523

Duration	Topic	Reference(s)
`10m`	🎓 Graduation Ceremony Graduated Features	KEP-4358, KEP-1967, KEP-4193, KEP-3221, KEP-1847
`10m`	🌸 Beta Bloom Alpha -> Beta Promotions	KEP-4368, KEP-4633, KEP-4247, KEP-1790, KEP-3476, KEP-4381, KEP-4601, KEP-3157
`10m`	🗞️ Fresh Off The Press New Alpha Features	KEP-4832, KEP-3962, KEP-2837, KEP-4818, KEP-4817, KEP-4827 & KEP-4828, KEP-4802 & KEP-4885
`5m`	🧼 Security, Deprecations & Removals	CVE-2025-0426, CVE-2024-9042, KEP-4381, kubernetes/kubernetes#127017
`5m`	🪴 What’s Changing In Gardener	#11020, #10666, #10858

Presenter(s)	Duration	Topic	Reference(s)
@maboehm	`5m`	👷 Maximum Node Count For `Shoot`s	#11279
@domdom82	`5m`	👀 ACL Reconciliation On Infrastructure Changes	extension-acl#105
@Wieneo	`5m`	🎭 GEP-30: Rework API Server Proxy	#11214 (issue)
@ishan16696	`10m`	🐛 Fix Failing ETCD Restorations	etcd-backup-restore#778 (issue)
@timebertt	`5m`	🪜 Refactor E2E Tests To Ordered `It`s	#11379 (issue)
@vpnachev	`5m`	📢 Public Gardener Information Discovery	#11238

🐛 [USER] The ETCD encryption config now properly configures a 32-byte key. #11150
✨ [OPERATOR] Enhance the gardener-operator to allow specification of more than a single network range for .spec.runtimeCluster.networking.{nodes,pods,services}, and .spec.virtualCluster.networking.services, which also allows dual-stack configurations. #11251
✨ [OPERATOR] Shoot system and Shoot control plane containers, which do not require privilege escalations, now forbid privilege escalation explicitly. There is an issue in Kubernetes about the privilege escalation configuration being true by default. #11241

Presenter(s)	Duration	Topic	Reference(s)
@domdom82	`5m`	🛡️ Prevent Leaking `kube-apiserver`’s Service IP in `Shoot`	#10949
@rfranzke	`10m`	🤹‍♂️ Credentials Rotation Without Workers Rollout	#11027
@oliver-goetz	`5m`	🌯 Wrapper For `OperatingSystemConfig` Provisioning Script	#11208
@marc1404	`10m`	💥 Cluster Autoscaler Priority Expander Config	#11045
@petersutter	`5m`	🗼 Structured Authentication With Dashboard	#11080

✨ [USER] All Seeds are now automatically labeled with seed.gardener.cloud/<name>=true where <name> is their own name, and (if applicable) the name of their parent seed in case they are managed seeds. This label can be used as selector for requests. #11062
📖 [OPERATOR] Rewrite Setup Gardener document #11260

Presenter(s)	Duration	Topic	Reference(s)
@marc1404	`5m`	⚙️ Default Machine Image Version	#10954
@timuthy	`10m`	👨🏻‍🌾 Gardener Operator Manages `Extension` Resources	#11192, #11001
@dimityrmirchev	`5m`	🚫 `Secret`/`ConfigMap` Tampering Protection	#11108
@oliver-goetz	`5m`	🗑️ Improved Deletion Logic In `gardener-node-agent`	#11015

✨ [USER] Expired versions from the NamespacedCloudProfile are always dropped, except for already applied versions. #10910
✨ [OPERATOR] Now vali contains the managed control plane logs from the early stages of Shoot reconcile. #11082
🐛 [OPERATOR] An issue was fixed in gardener-operator that prevented configuring OIDC for gardener-dashboard while using Structured Authentication. #11080