Gardener Review Meetings (2026)
In case you couldn't participate and are interested in catching up, you can find the contents of the review meetings we have had in 2026 here.
Meetings are recorded and published on Gardener's YouTube channel.
Check back regularly for updates and upcoming topics!
Reviews
2026/06/24 - v1.145 Release
Demo Agenda 📋
| Presenter(s) | Duration | Topic | Reference(s) |
|---|---|---|---|
| @RadaBDimitrova | 5m | 💾 pvc-autoscaler as a Seed Cluster Component | #14991 |
| @AleksandarSavchev | 10m | 🦅 Advanced Falco Configuration Options | shoot-falco-service#517, shoot-falco-service#519, shoot-falco-service#511 |
| @kevin-lacoo | 5m | ☁️ Alicloud: Dual-Stack and Custom Route Table Support | provider-alicloud#901 |
| @Roncossek | 5m | 🤹 Migration towards Machine Capabilities | #11301 (issue) |
| @MartinWeindel | 10m | 🌍 shoot-dns-service: Migration to Next-Gen Controller | shoot-dns-service#727, shoot-dns-service#643, shoot-dns-service#615 |
| @timuthy | 5m | 🔑 Helper Script to Re-Bootstrap gardenlet | #14805 |
No Demo, But Still Worth Celebrating 🎉
- 🪓 [OPERATOR] The
gardener-schedulercandidate determination strategy deployed bygardener-operatoris now configurable viaGarden.spec.virtualCluster.gardener.gardenerScheduler.candidateDeterminationStrategy(allowed values:SameRegion,MinimalDistance). [...]. #14963 - 🐛 [OPERATOR] A bug has been fixed that prevented Gardenlet from reconciling shoots without an external cluster domain. #14521
- 🐛 [USER] Fix malformed registry cache endpoint URLs when the registry cache Service in the Shoot contains an IPv6 clusterIP. IPv6 cluster IPs are now correctly wrapped in square brackets (e.g.
https://[2a05:d018:197f:7e06::1]:5000) registry-cache#595
2026/06/10 - v1.144 Release
Demo Agenda 📋
| Presenter(s) | Duration | Topic | Reference(s) |
|---|---|---|---|
| @AleksandarSavchev | 5m | 🔓 Mutable encryptionConfig Provider Type | #14720 |
| @Vincinator | 5m | 📦 containerd Configuration Version 4 Support | #14856 |
| @voelzmo | 10m | ⚡ VPC MTU Configuration for Jumbo Frame Support | provider-gcp#1399, provider-aws#1732 |
| @axel7born | 5m | 🧪 Configurable Network Probes | shoot-networking-problemdetector#352 |
| @plkokanov | 10m | 📀 GEP-0038: Autoscaling PersistentVolumeClaims | pvc-autoscaler@v0.2.0 |
| @shreyas-s-rao | 5m | ⚡ Advanced AWS Worker Configuration Options | provider-aws#1791 |
| @oliver-goetz | 5m | 🌐 Envoy Edge Proxy Best Practices | #14690 |
No Demo, But Still Worth Celebrating 🎉
- 🪓 [OPERATOR] The
UseUnifiedHTTPProxyPortfeature gate has graduated to GA and cannot be disabled anymore. The feature gate can be removed from your component configuration. If you're using gardener-extension-acl, ensure that all shoots enabling the extension have been successfully reconciled with version v1.15.0 or higher before upgrading to this Gardener version that enables the feature gate unconditionally. #14899 - 🐛 [OPERATOR] A bug has been fixed where
gardener-resource-managerwould crash-loop after a hibernated shoot woke up with an expired authentication token. The bootstrap detection now evaluates the current time dynamically instead of using a value frozen at gardenlet startup. #14937 - 🐛 [OPERATOR] A bug has been fixed where
Gardenresources would start encryption key rotation on creation. #14801
2026/05/27 - v1.143 Release
Demo Agenda 📋
| Presenter(s) | Duration | Topic | Reference(s) |
|---|---|---|---|
| @axel7born | 10m | 🌐 Automatic MTU Configuration for VPN | #14768, vpn2#265 |
| @axel7born | 5m | 🔀 Dual-Stack IPv4/IPv6 Networking Support on OpenStack | provider-openstack#1257 |
| @theoddora | 10m | 🤝 Garden-Shoot Trust Configuration | garden-shoot-trust-configurator (repo) |
| @oliver-goetz | 5m | 🔗 HTTP/2 Connection Coalescing Fix for Gardener Observability | #14867 |
| @cerealsnow | 10m | 🌐 [GEP-36] Self-Hosted Shoot Control Plane Exposure | #14723, #14781 |
No Demo, But Still Worth Celebrating 🎉
- 🪓 [OPERATOR] The deprecated
gardenClusterCACertfield was removed from theGardenletConfiguration. The CA is now always automatically set by Gardener. #14803 - 🪓 [OPERATOR] ⚠️ This extension no longer supports Kubernetes versions
<= 1.31. Please make sure to upgrade all Garden, Seed and Shoot clusters to at least version 1.32 before deploying this extension version. (gardener-extension-provider-openstack) gardener-extension-provider-openstack#1331 - 🐛 [OPERATOR] The
gardener-resource-managerdeployment procedure was hardened. In rare situations, the procedure became stuck indefinitely after the seed's CA rotation. #14765 - ✨ [USER] gardener-apiserver no longer accepts invalid values for the Shoot's
.spec.kubernetes.kubeAPIServer.eventTTLfield even for existing Shoot resources with already invalid values. Invalid values are values outside of the range[0, 24h]. gardener-apiserver caps theeventTTLto24hfor already persisted Shoots with a value exceeding the allowed maximum. #14707
2026/05/20 - v1.142 Release
Demo Agenda 📋
| Presenter(s) | Duration | Topic | Reference(s) |
|---|---|---|---|
| @timuthy | 5m | 🏗️ New BackupEntryForGarden Feature Gate | #14628 |
| @oliver-goetz | 10m | 🗑️ Removal of Legacy gardener/controlplane Helm Chart | #14614 |
| @maboehm | 5m | 🏷️ Configurable Deletion Propagation for ManagedResources | #14642 |
| @timebertt | 10m | 🪆 Gardener-in-Docker (GinD) | #14700 |
| @takoverflow | 5m | ⚙️ Customizable maxBinpackingTime Flag for cluster-autoscaler | #14698 |
No Demo, But Still Worth Celebrating 🎉
- ❗️ [OPERATOR]
DisableNginxIngressInGardenallows to disablenginx-ingressin a Garden runtime cluster managed bygardener-operator. [...]. #14636 - 🐛 [USER] Rotating the etcd encryption key tolerates unavailable
APIServices. #14679 - 🐛 [OPERATOR] The
reconcileSeedWebhookConfigfunction now correctly reconciles bothMutatingWebhookConfigurationandValidatingWebhookConfigurationfor extensions that register both mutating and validating admission webhooks. Previously, only the first configuration was reconciled due to a premature return in the loop. #14664
2026/05/13 - Hack The Garden Wrap Up
Demo Agenda 📋
| Presenter(s) | Duration | Topic | Reference(s) |
|---|---|---|---|
| @tobschli | 5m | 🌱 Complete the ManagedSeedSet Implementation | hackathon#52, Summary |
| @jnull | 5m | 🔍 Improve Debugability of Failed Node Joins | hackathon#68, Summary |
| @hown3d | 5m | 🔒 Add Support for Virtual Garden to ACL Extension | hackathon#47, Summary |
| @majst01 | 5m | 🛡️ Replace OpenVPN with WireGuard | hackathon#70, Summary |
| @timebertt | 5m | 🌐 Make Internal Domain Optional/Mutable | hackathon#53, Summary |
| @rfranzke | 5m | 🌿 Experiment with shoot/shoot Controller in Self-Hosted Shoot Clusters | hackathon#45, Summary |
| @georgibaltiev | 5m | 🔑 Implement Public CA Bundle Discovery Mechanism | hackathon#15, Summary |
| @hown3d | 5m | 🐝 SelfHostedShootExposure in Cilium Extension | hackathon#46, Summary |
| @maboehm | 5m | ⚙️ Run Garden and Seed in Self-Hosted Shoot Cluster on Managed Infrastructure | hackathon#55, Summary |
| @maboehm | 5m | 👁️ Allow Admins to Easily Use a Viewer Kubeconfig by Default | hackathon#71, Summary |
| @Kostov6 | 5m | 📝 Stage confineSpecUpdateRollout Changes in Annotation | hackathon#64, Summary |
| @LucaBernstein | 5m | 💾 GardenState Resource for Automated Garden Cluster Disaster Recovery | hackathon#44, Summary |
| @mhoffmann-noris | 5m | 🔐 Separately Encrypt etcd Backups | hackathon#69, Summary |
| @plkokanov | 5m | ⚡ Reduce Secret Watch Pressure by Splitting ManagedResource Data | hackathon#61, Summary |
No Demo, But Still Worth Celebrating 🎉
- 🤝 Support Joining Control Plane Nodes in Managed Infrastructure. hackathon#54, Summary
2026/04/29 - v1.141 Release
Demo Agenda 📋
| Presenter(s) | Duration | Topic | Reference(s) |
|---|---|---|---|
| @rfranzke | 5m | 🩺 gardener-node-agent Monitors systemd Unit Health | #14496 |
| @Shreyas-s14 | 10m | 🔂 etcd 3.4→3.5 Upgrade Path in etcd-druid | etcd-druid#1281, etcd-druid#1300 |
| @ScheererJ | 5m | 🏜️ Ingress NGINX Retirement | #13448 (issue) |
| @timebertt | 10m | 🐳 Local cloud-controller-manager for Load Balancers | #14415 |
| @AleksandarSavchev | 5m | 🔐 New aesgcm and secretbox Encryption Provider Types | #14034 |
| @petersutter, @grolu, @klocke-io | 10m | 🕹 Gardener Dashboard Update | 1.84.0 (release) |
No Demo, But Still Worth Celebrating 🎉
- 🪓 [USER] Newly created
Shoots now have a set period of28dfor etcd encryption key rotation. #14034 - 🪓 [OPERATOR] The
NewWorkerPoolHashfeature gate has been promoted to GA and can no longer be disabled. #14531 - 🐛 [USER] Cluster-proportional autoscaling of coredns now works with Kubernetes >= 1.33 #14638
- 🐛 [OPERATOR] The garbage collection logic now also deletes pods that are stuck due to preemption by the kubelet or scheduler. #14519
2026/04/15 - v1.140 Release
Demo Agenda 📋
| Presenter(s) | Duration | Topic | Reference(s) |
|---|---|---|---|
| @rrhubenov | 5m | 🗑️ RemoveVali Feature Gate for Vali Instance Removal | #14279 |
| @rfranzke | 10m | 🌐 NetworkPolicy Controller Optimization | #14410 |
| @ScheererJ | 10m | 🖥️ [GEP-28] Self-Hosted Shoot API Server Direct Access in Local Setup | #14370 |
| @tobschli | 10m | 🎮 [GEP-28] Extension Management & gardenlet Controllers | #2906 (issue) |
No Demo, But Still Worth Celebrating 🎉
- 🐛 [OPERATOR] Fix a bug where the
shoot-carecontroller cannot reconcile shoots withspec.maintenance.confineSpecUpdateRollout=trueand updated DNS credentials, i.e.shoot.spec.dns.providers[].credentialsRef, until the shoot is reconciled. #14397 - 🐛 [USER] Fixed
EveryNodeReadyshoot condition incorrectly reportingNodeAgentUnhealthyfor nodes not managed by MCM. #14509 - ❗️ [OPERATOR] Ingress-GCE no longer requires deployment of
BackendConfigCRDs. In addition, the deployment of the default-http-backend in the shoot is no longer necessary and hence removed. gardener-extension-provider-gcp#1320 - 🐛 [OPERATOR] Fixing an issue where a rapid scale up and scale down can result in a cordoned machine in the cluster. machine-controller-manager#1090
2026/04/01 - v1.139 Release
Demo Agenda 📋
| Presenter(s) | Duration | Topic | Reference(s) |
|---|---|---|---|
| @oliver-goetz | 10m | ⚖️ Dual Autoscaling for istio-ingressgateway with VPA and HPA | #14313 |
| @timuthy | 5m | 🔐 Static Username Prefixes for {Admin,Viewer}KubeconfigRequests | #14252 |
| @rfranzke | 10m | 🌐 Zone-Aware Shoot Control Plane Placement | #14238 |
| @jamand | 5m | 🌐 Custom Domain Support for gardener-discovery-server | #14126 |
| @DockToFuture | 10m | 🚪 New Traefik Extension for Shoots | extension-shoot-traefik (repo) |
No Demo, But Still Worth Celebrating 🎉
- 🪓 [OPERATOR] Garden
.status.encryptedResourcesfield is removed, use Garden.status.credentials.encryptionAtRest.resourcesinstead. #14354 - 🪓 [OPERATOR] The
raise-spec-limitsverb has been removed forNamespacedCloudProfiles because it is no-longer needed. #14344 - 🐛 [OPERATOR] A bug causing the
gardenletto crash during startup was fixed. Earlier, the startup procedure occasionally failed on large-scale seed clusters due to cache sync timeouts. #14408 - 🐛 [OPERATOR] An issue preventing the
shootstate-controllerof gardenlet to populate all required states to the ShootState for a self-hosted Shoot is now fixed. #14339
2026/03/18 - v1.138 Release
Demo Agenda 📋
| Presenter(s) | Duration | Topic | Reference(s) |
|---|---|---|---|
| @rfranzke | 10m | 🔄 Serial OperatingSystemConfig Reconciliation Coordination in gardener-node-agent | #14129 |
| @cerealsnow | 10m | 🌍 Local Setup DNS via bind9 — No More /etc/hosts Manipulation | #14062 |
| @oliver-goetz | 10m | 🏗️ Provider Extensions Setup Migrated to gardener-operator-Based remote Setup | #13994 |
| @nickytd | 5m | 🏷️ ShootAdvertisedAddress Application Field for UI-Friendly Endpoint Names | #14140 |
| @acumino | 5m | 🗺️ gardenadm init/join Availability Zone Support via --zone Flag | #14081 |
No Demo, But Still Worth Celebrating 🎉
- ❗️ [OPERATOR] Hard memory limit on istio-ingress has been removed. Memory is managed by VPA in all cases now. #14197
- 🐛 [OPERATOR] Fixed a race condition in the
ControllerInstallationreconciler that could create duplicate installations due to reading from a stale informer cache instead of the API server. #14274 - 🐛 [OPERATOR] The per-worker-pool
node-local-dnsDaemonSets now also include the name of the worker in their label selector and in their Pods' labels. This resolves an issue where each of the correspondingVPAs targeted allnode-cachecontainers from all of theseDaemonSets resulting in incorrect resource recommendations. #14294
2026/03/11 - Kubernetes v1.35 Special Edition
Demo Agenda 📋
Presenters: @timuthy, @rfranzke
| Duration | Topic | Reference(s) |
|---|---|---|
15m | 🎓 Graduation Ceremony Graduated Features | KEP-1287, KEP-5067, KEP-4381, KEP-3015, KEP-4368, KEP-4622, KEP-5504 |
20m | 🌸 Beta Bloom Alpha -> Beta Promotions | KEP-4742, KEP-4192, KEP-4876, KEP-5598, KEP-961, KEP-5295, KEP-127, KEP-4639, KEP-2535, KEP-5307, KEP-3973 |
10m | 🗞️ Fresh Off The Press New Alpha Features | KEP-4671, KEP-5284, KEP-4828, KEP-4827, KEP-5440, KEP-5237, KEP-5471 |
5m | 🧼 Security, Deprecations & Removals | KEP-5495, KEP-4033, KEP-5573, KEP-4781 |
5m | 🪴 What's Changing In Gardener | #13687, #13845, #13707 |
2026/03/04 - v1.137 Release
Demo Agenda 📋
| Presenter(s) | Duration | Topic | Reference(s) |
|---|---|---|---|
| @rfranzke | 5m | 🏠 GEPs Moved to New gardener/enhancements Repository | #14043 |
| @rfranzke | 5m | 🔑 Secrets Manager: Config Functions and Lazy CA Loading | #14000 |
| @rrhubenov | 10m | 🪵 VictoriaLogsBackend Feature Gate | #13988 |
| @ScheererJ | 5m | 🖥️ Node-Specific Configuration Files in gardener-node-agent | #13412 |
| @LucaBernstein | 5m | 📦 Go Submodule for Gardener APIs | #13536 |
No Demo, But Still Worth Celebrating 🎉
- 🪓 [DEVELOPER] When using
ModeServicein the extension webhook library, the specified service port is now properly propagated when constructing theadmissionregistrationv1.WebhookClientConfigfor{Validating,Mutating}WebhookConfigurations (previously, it was not specified at all and defaulted to443by Kubernetes). Make sure to specify--webhook-config-service-portto prevent falling back to the--webhook-config-server-port(if configured). #14063 - 🐛 [OPERATOR] Fixed the shoot-care controller panic for clusters where
.status.credentials.rotationexists but.status.credentials.encryptionAtRestis nil. #14147 - 🐛 [OPERATOR] An issue causing the control-plane migration to get stuck if the source backup entry deployment was retried is now fixed. #14091
- 🐛 [USER] An issue which lead to a nil pointer in gardenlet when a Shoot had an empty
.spec.addonsstructure defined is now fixed. #14112
2026/02/18 - v1.136 Release
Demo Agenda 📋
| Presenter(s) | Duration | Topic | Reference(s) |
|---|---|---|---|
| @oliver-goetz | 5m | 📝 kube-apiserver Access Logs | #13569 |
| @maxmsap | 5m | 🧲 provider-ironcore: Experimental GPU Support | ironcore-dev/roadmap#31 |
| @rfranzke | 5m | 📣 Manifest Propagation To Shoots | #13614 |
| @vitanovs | 10m | ♻️ InPlaceOrRecreate VPA Update Mode Webhook | #12940, #13573 |
| @DockToFuture | 5m | 🤝 Seamless Overlay Network Switch | networking-calico#779, aws-custom-route-controller#411 |
| @shafeeqes | 5m | 🪪 Custom CA Bundle Support For Helm Repositories | #13868 |
| @timuthy | 5m | ➕ Leftover Toleration During Shoot Cleanup | #13918 |
No Demo, But Still Worth Celebrating 🎉
- ✨ [USER] Shoot addons (
.spec.addons) have been deprecated and will be forbidden starting with Kubernetes 1.35. Their usage was already discouraged for productive clusters, as they now only include unmaintained components (Kubernetes dashboard and Ingress NGINX Controller). #13845 - ✨ [USER] The
Shootfield.spec.seedSelectorcan now be adjusted for already scheduled shoots, as long as the new selector still selects the assigned seed. #13920 - ✨ [OPERATOR] The
gardener-controller-managernow increases allResourceQuotas in project namespaces when a Gardener update leads to Gardener creating more resources in them. This was introduced to prevent failingShootreconciliations whenResourceQuotas of projects are near their limit. #13850
2026/01/28 - v1.135 Release
Demo Agenda 📋
| Presenter(s) | Duration | Topic | Reference(s) |
|---|---|---|---|
| @AleksandarSavchev | 5m | 🔑 Automatic Credentials Rotation During Shoot Maintenance | #13493 |
| @LucaBernstein | 5m | 🩹 TokenRequestor: Remediate Outdated ServiceAccount Tokens | #13630 |
| @domdom82 | 10m | 🔄 HA VPN Round-Robin Bonding Mode | #13649 |
| @vpnachev | 5m | 🪪 WorkloadIdentity Support For DNS | #13720, #13680, #13469 |
| @vicwicker | 10m | 🩺 Prometheus Health Checks In Care Controllers | #13341 |
| @kon-angelo | 5m | 🧑💼 ManagedResource Support In Generic ControlPlane Actuator | #13585 |
| @marc1404 | 5m | ☸️ Kubernetes Minor Version Retention | #13471 |
No Demo, But Still Worth Celebrating 🎉
- ✨ [OPERATOR]
gardenletcan now propagate static manifests stored in the seed cluster'sgardennamespace to all shoot namespaces. Read all about it here. #13614 - ✨ [DEVELOPER] The generic control-plane webhook is now capable of ensuring the
kube-apiserverandkube-controller-managerDeployments, as well asetcds, of the virtual garden cluster. #13635 - ✨ [DEPENDENCY]
CredentialsBindings can now referencecore.gardener.cloud/v1beta1.InternalSecretresources. Provider extensions should start validating them similar to references forv1.Secretresources. #13759
2026/01/21 - Kubernetes v1.34 Special Edition
Demo Agenda 📋
Presenters: @ScheererJ, @tobschli
| Duration | Topic | Reference(s) |
|---|---|---|
25m | 🎓 Graduation Ceremony Graduated Features | KEP-4381, KEP-3939, KEP-1790, KEP-3751, KEP-5080, KEP-4601, KEP-3331, KEP-4633, KEP-3960, KEP-4818, KEP-2400, KEP-4033 |
15m | 🌸 Beta Bloom Alpha -> Beta Promotions | KEP-4412, KEP-740, KEP-3104, KEP-2837, KEP-3962, KEP-5073, KEP-1287 |
10m | 🗞️ Fresh Off The Press New Alpha Features | KEP-5295, KEP-4317, KEP-5307, KEP-3721 |
5m | 🧼 Security, Deprecations & Removals | KEP-4033, KEP-3015 |
5m | 🪴 What's Changing In Gardener | #12814, #12883 |