
    Enhanced Security for Helm Deployments: Gardener Adds Custom CA Support for OCI Registries

    Gardener continues to enhance its security and flexibility, particularly for users operating in air-gapped environments or utilizing private infrastructure. A new feature now allows operators to specify a custom Certificate Authority (CA) bundle when pulling Helm charts from OCI registries. This is a significant improvement for environments where registries...

    By Shafeeque E S

    Seamlessly Switch Calico's Overlay Network in Gardener

    Switching networking configurations in a live Kubernetes cluster is a delicate operation where timing is everything. A common scenario for Gardener operators is transitioning a cluster's Calico networking from an overlay mode (like IPIP) to a non-overlay, native routing mode. Previously, this switch could lead to temporary network disruptions. We're happy to...

    By Sebastian Stauch

    Simplify Multi-Cluster Configuration with Static Manifest Propagation

    Managing configurations consistently across a fleet of Kubernetes clusters can be a complex task. Operators often need a straightforward way to deploy baseline resources—such as security policies, resource quotas, or RBAC rules—to all or a subset of their clusters without the overhead of building and maintaining a full-blown extension.

    By Rafael Franzke

    Introducing Automated Credential Rotation

    Maintaining a strong security posture is crucial for any Kubernetes environment. A key aspect of this is the regular rotation of credentials. To simplify this essential task and reduce operational overhead, Gardener now supports the automatic rotation of several critical credentials during a Shoot cluster's maintenance window.

    By Aleksandar Savchev

    Gardener Achieves CNCF AI Conformance for Kubernetes

    We are happy to announce that Gardener is one of the first Kubernetes offerings to report official AI Conformance, as defined by the Cloud Native Computing Foundation's (CNCF) Kubernetes AI Conformance Working Group. This significant milestone underscores Gardener's commitment to providing a robust, scalable, and reliable platform for running modern, resourc...

    By Vedran Lerenc

    PromCon EU 2025 Highlights

    PromCon EU 2025, the 10th annual conference for Prometheus users and developers, took place on October 21st and 22nd. After being held in Berlin for two years, the event was kindly hosted by Google in Munich again this year. Since Prometheus and related tools are the core of Gardener's monitoring stack, we were excited to attend, connect with the community,...

    By Christoph Kleineweber and Jeremy Rickards

    Unifying DNS Behavior: Custom CoreDNS Configurations Now Supported in node-local-dns

    Gardener is committed to making node-local-dns a standard feature across all shoot clusters to enhance DNS performance and reliability. A recent enhancement ensures that enabling this feature is a seamless experience, even for clusters with specialized DNS configurations. Gardener now supports applying custom CoreDNS rules directly within node-local-dns.

    By Sebastian Stauch

    Enhanced Endpoint Discovery with Extensible Advertised Addresses

    Gardener has introduced a new feature that enhances the discoverability of services running within a Shoot's control plane. While the .status.advertisedAddresses field in the Shoot resource has always provided key endpoints like the API server URL, it now supports extension by other components.

    By Marin Atanasov Nikolov

    Unifying HTTP Proxy Infrastructure in Gardener

    Gardener is simplifying its networking infrastructure by moving towards a single, unified entrypoint for all HTTP CONNECT proxy traffic. This change, introduced as part of GEP-30, aims to streamline configuration and reduce complexity.

    By Lukas Hoehl

    New Shared File Storage Options on AWS and GCP

    Gardener continues to expand its storage capabilities, now offering integrated support for managed Network File System (NFS) services on Amazon Web Services (AWS) and Google Cloud Platform (GCP). These additions provide a straightforward way to provision shared, persistent storage with ReadWriteMany access for workloads that require concurrent access from mu...

    By Alexander Hebel

    Explicit Internal DNS Configuration for Seeds

    Gardener's DNS management capabilities have been enhanced to provide a more explicit, secure, and flexible method for configuring internal DNS for Seed clusters. This change moves away from a global, label-based secret selection to a direct configuration within the Seed API.

    By Dimitar Mirchev

    Modernizing Gardener's Logging Stack with OpenTelemetry

    Gardener is introducing a significant enhancement to its logging architecture for shoot clusters. By enabling the new OpenTelemetryCollector feature gate, shoots will be instrumented with the power and flexibility of the OpenTelemetry Collector to process and route shoot logs. This marks a key step in the evolution of Gardener's observability stack, as outli...

    By Radoslav Hubenov

    A Deep Dive into Gardener's IPv6 Journey

    The internet is built on the Internet Protocol (IP), and for decades, its fourth version, IPv4, has been the bedrock of global connectivity. However, the explosive growth of the internet, a phenomenon that began in the 1990s, made it clear that the 32-bit address space of IPv4 was finite and rapidly depleting. The long-foreseen solution, IPv6, with its vast...

    By Johannes Scheerer

    Enabling Node-Local DNS Without Node Rollouts

    The node-local-dns feature in Kubernetes significantly improves DNS reliability and performance by running a dedicated caching agent on each cluster node. However, enabling or disabling this feature in Gardener historically required a full, time-consuming rolling update of all worker nodes. A recent enhancement streamlines this process, improving operational...

    By Johannes Scheerer

    New Emergency Brake for Gardener Shoot Reconciliations

    In large-scale Kubernetes landscapes, ensuring stability during updates is paramount. A faulty configuration or update can propagate quickly, potentially impacting numerous clusters. To provide operators with a powerful tool to mitigate such risks, Gardener has introduced an emergency stop mechanism for Shoot reconciliations.

    By Luca Bernstein

    Enhanced Network Flexibility: CIDR Overlap Now Supported for HA Shoots

    Gardener continues to enhance its networking capabilities, offering users greater flexibility in managing their cluster landscapes. A significant advancement is the extension of IPv4 network overlap support to Shoot clusters with high-availability (HA) control planes. Previously a feature exclusive to non-HA Shoots, this update allows both single-stack IPv4...

    By Dominik Froehlich

    Enhancing Data Protection with Immutable Backup Buckets

    Gardener has introduced support for immutable backup buckets, a critical feature for enhancing the security and resilience of your Kubernetes clusters. This new capability leverages native cloud provider features to protect your etcd backups from accidental or malicious deletion and modification, helping you meet stringent security and compliance requirement...

    By Ishan Tyagi

    Getting Started with OpenTelemetry on a Gardener Shoot Cluster

    In this blog post, we will explore how to set up an OpenTelemetry based observability stack on a Gardener shoot cluster. OpenTelemetry is an open-source observability framework that provides a set of APIs, SDKs, agents, and instrumentation to collect telemetry data from applications and systems. It provides a unified approach for collecting, processing, and...

    By Niki Dokovski

    Enabling Seamless IPv4 to Dual-Stack Migration for Kubernetes Clusters on GCP

    Gardener continues to enhance its networking capabilities, now offering a streamlined migration path for existing IPv4-only shoot clusters on Google Cloud Platform (GCP) to dual-stack (IPv4 and IPv6). This allows clusters to leverage the benefits of IPv6 networking while maintaining IPv4 compatibility.

    By Sebastian Stauch

    Enhanced Health Checks for Node Rolling Updates

    For operators managing Kubernetes clusters, clear and accurate health status is essential for stability and efficient troubleshooting. A recent enhancement to Gardener's shoot-care controller improves the precision of health checks during one of the most common operational tasks: rolling updates of worker nodes.

    By Rada Dimitrova

    Enhancing Meltdown Protection with Dependency-Watchdog Annotations

    Gardener's dependency-watchdog is a crucial component for ensuring cluster stability. During infrastructure-level outages where worker nodes cannot communicate with the control plane, it activates a "meltdown protection" mechanism. This involves scaling down key control plane components like the machine-controller-manager (MCM), cluster-autoscaler (CA), and...

    By Ashwani Kumar

    Improving Credential Management for Seed Backups

    Gardener has introduced a new feature gate, DoNotCopyBackupCredentials, to enhance the security and clarity of how backup credentials for managed seeds are handled. This change moves away from an implicit credential-copying mechanism to a more explicit and secure configuration practice.

    By Dimitar Mirchev and Vladimir Nachev

    Introducing `gardenadm bootstrap` for Autonomous Shoots

    Gardener is enhancing its capabilities to support autonomous Shoot clusters, a model where the control plane runs on dedicated nodes within the cluster itself rather than on a separate Seed cluster. This approach is ideal for edge, air-gapped, or self-hosted Gardener environments. A new command-line tool, gardenadm, is being developed to streamline the crea...

    By Tim Ebert

    Enhanced Extension Management: Introducing `autoEnable` and `clusterCompatibility`

    Gardener's extension mechanism has been enhanced with two new fields in the ControllerRegistration and operatorv1alpha1.Extension APIs, offering operators more granular control and improved safety when managing extensions. These changes, detailed in PR #11982, introduce autoEnable and clusterCompatibility for resources of kind: Extension.

    By Tim Usner

    Gardener Enhances Observability with OpenTelemetry Integration for Logging

    Gardener is advancing its observability capabilities by integrating OpenTelemetry, starting with log collection and processing. This strategic move, outlined in GEP-34: OpenTelemetry Operator And Collectors, lays the groundwork for a more standardized, flexible, and powerful observability framework in line with Gardener's Observability 2.0 vision.

    By Niki Dokovski and Rado Hubenov

    Taking Gardener to the Next Level: Highlights from the 7th Gardener Community Hackathon in Schelklingen

    The latest "Hack The Garden" event, held in June 2025 at Schlosshof in Schelklingen, brought together members of the Gardener community for an intensive week of collaboration, coding, and problem-solving. The hackathon focused on a wide array of topics aimed at enhancing Gardener's capabilities, modernizing its stack, and improving user experience. You can...

    By Marc Vornetran

    Streamlined Node Onboarding: Introducing `gardenadm token` and `gardenadm join`

    Gardener continues to enhance its gardenadm tool, simplifying the management of autonomous Shoot clusters. Recently, new functionalities have been introduced to streamline the process of adding worker nodes to these clusters: the gardenadm token command suite and the corresponding gardenadm join command. These additions offer a more convenient and Kubernetes...

    By Rafael Franzke

    Enhanced Network Flexibility: Gardener Now Supports CIDR Overlap for Non-HA Shoots

    Gardener is continually evolving to offer greater flexibility and efficiency in managing Kubernetes clusters. A significant enhancement has been introduced that addresses a common networking challenge: the requirement for completely disjoint network CIDR blocks between a shoot cluster and its seed cluster. Now, Gardener allows for IPv4 network overlap in spe...

    By Dominik Froehlich

    Enhanced Node Management: Introducing In-Place Updates in Gardener

    Gardener is committed to providing efficient and flexible Kubernetes cluster management. Traditionally, updates to worker pool configurations, such as machine image or Kubernetes minor version changes, trigger a rolling update. This process involves replacing existing nodes with new ones, which is a robust approach for many scenarios. However, for environmen...

    By Shafeeque E S, Ashish Ranjan Yadav, and Sonu Kumar Singh

    Gardener Dashboard 1.80: Streamlined Credentials, Enhanced Cluster Views, and Real-Time Updates

    Gardener Dashboard version 1.80 introduces several significant enhancements aimed at improving user experience, credentials management, and overall operational efficiency. These updates bring more clarity to credential handling, a smoother experience for managing large numbers of clusters, and a move towards a more reactive interface.

    By Lukas Gross

    Gardener: Powering Enterprise Kubernetes at Scale and Europe's Sovereign Cloud Future

    The Kubernetes ecosystem is dynamic, offering a wealth of tools to manage the complexities of modern cloud-native applications. For enterprises seeking to provision and manage Kubernetes clusters efficiently, securely, and at scale, a robust and comprehensive solution is paramount. Gardener, born from years of managing tens of thousands of clusters efficient...

    By Vedran Lerenc

    Leaner Clusters, Lower Bills: How Gardener Optimized Kubernetes Compute Costs

    As organizations embrace Kubernetes for managing containerized applications at scale, the underlying infrastructure costs, particularly for compute resources, become a critical factor. Gardener, the open-source Kubernetes management platform, empowers organizations like SAP, STACKIT, T-Systems, and others (see adopters) to operate tens of thousands of Kuber...

    By Vedran Lerenc

    Gardener at KubeCon + CloudNativeCon Europe, London 2025

    The open-source project Gardener is set to showcase its cutting-edge Kubernetes-as-a-Service (KaaS) capabilities at KubeCon + CloudNativeCon Europe 2025 in London.

    By Sonu Kumar Singh

    Unleashing Potential: Highlights from the 6th Gardener Community Hackathon

    🌐 IPv6 Support on IronCore: The team successfully created dual-stack shoot clusters on IronCore, although LoadBalancer services for IPv6 traffic still need some work. 🔁 Version Classification Lifecycle in CloudProfile: A Gardener Enhancement Proposal (GEP) was developed to predefine the timestamps for Kubernetes or machine image version classifications i...

    By Rafael Franzke

    Introducing the New Gardener Demo Environment: Your Hands-On Playground for Kubernetes Management

    We're thrilled to announce the launch of our new Gardener demo environment! This interactive playground is designed to provide you with a hands-on experience of Gardener, our open-source project that offers a Kubernetes-based solution for managing Kubernetes clusters across various cloud providers uniformly.

    By Istvan Ballok, Victor Herrero Otal, Holger Koser, Peter Sutter, and Rafael Franzke

    PromCon EU 2024 Highlights

    Many innovative observability and application performance management (APM) products and services were released over the last few years. They often adopt or enhance concepts that Prometheus invented more than a decade ago. However, Prometheus, as an open-source project, has never lost its importance in this fast-moving industry and is the core of Gardener's m...

    By Christoph Kleineweber and Jeremy Rickards

    Innovation Unleashed: A Deep Dive into the 5th Gardener Community Hackathon

    🗃️ OCI Helm Release Reference for ControllerDeployment: The Hackathon introduced the core.gardener.cloud/v1 API, which supports OCI repository-based Helm chart references. This innovation reduces operational complexity and enables reusability for other scenarios. 👨🏼‍💻 Local gardener-operator Development Setup with gardenlet: A new Skaffold configuratio...

    By Rafael Franzke

    Gardener's Registry Cache Extension: Another Cost Saving Win and More

    In Kubernetes, on every Node the container runtime daemon pulls the container images that are configured in the Pods' specifications running on the corresponding Node. Although these container images are cached on the Node's file system after the initial pull operation, there are imperfections with this setup.

    By Ismail Alidzhikov

    SpinKube on Gardener - Serverless WASM on Kubernetes

    With the rising popularity of WebAssembly (WASM) and WebAssembly System Interface (WASI) comes a variety of integration possibilities. WASM is now not only suitable for the browser, but can be also utilized for running workloads on the server. In this post we will explore how you can get started writing serverless applications powered by SpinKube on a Garden...

    By Dimitar Mirchev

    KubeCon / CloudNativeCon Europe 2024 Highlights

    KubeCon + CloudNativeCon Europe 2024, recently held in Paris, was a testament to the robustness of the open-source community and its pivotal role in driving advancements in AI and cloud-native technologies. With a record attendance of over 12,000 participants, the conference underscored the ubiquity of cloud-native architectures and the business opportuniti...

    By Rafael Franzke

    High Availability and Zone Outage Toleration

    Developing highly available workload that can tolerate a zone outage is no trivial task. In this blog, we will explore various recommendations to get closer to that goal. While many recommendations are general enough, the examples are specific in how to achieve this in a Gardener-managed cluster and where/how to tweak the different control plane components....

    By Vedran Lerenc

    Navigating Cloud-Native Security - Lessons from a Recent Container Service Vulnerability

    The cloud-native landscape is constantly evolving, bringing immense benefits in agility and scale. However, with this evolution comes a complex and ever-changing threat landscape. Recently, a significant vulnerability was reported by Unit 42 concerning Azure Container Instances (ACI), a service designed to run containers in a multi-tenant environment. This...

    By Vedran Lerenc

    Machine Controller Manager

    Kubernetes is a cloud-native enabler built around the principles for a resilient, manageable, observable, highly automated, loosely coupled system. We know that Kubernetes is infrastructure agnostic with the help of a provider specific Cloud Controller Manager. But Kubernetes has explicitly externalized the management of the nodes. Once they appear - correc...

    By Samarth S Deyagond

    STACKIT Kubernetes Engine with Gardener

    STACKIT is a digital brand of Europe’s biggest retailer, the Schwarz Group, which consists of Lidl, Kaufland, as well as production and recycling companies. Following the industry trend, the Schwarz Group is in the process of a digital transformation. STACKIT enables this transformation by helping to modernize the internal IT of the company branches.

    By Timo Lakner

    Gardener v1.13 Released

    Dear community, we're happy to announce a new minor release of Gardener, in fact, the 16th in 2020! v1.13 came out just today after a couple of weeks of code improvements and feature implementations. As usual, this blog post provides brief summaries for the most notable changes that we introduce with this version. Behind the scenes (and not explicitly highli...

    By Rafael Franzke

    Gardener v1.11 and v1.12 Released

    Two months after our last Gardener release update, we are happy again to present release v1.11 and v1.12 in this blog post. Control plane migration, load balancer consolidation, and new security features are just a few topics we progressed with. As always, a detailed list of features, improvements, and bug fixes can be found in the release notes of each rele...

    By Tim Usner

    Gardener Integrates with KubeVirt

    The Gardener team is happy to announce that Gardener now offers support for an additional, often requested, infrastructure/virtualization technology, namely KubeVirt! Gardener can now provide Kubernetes-conformant clusters using KubeVirt managed Virtual Machines in the environment of your choice. This integration has been tested and works with any qualified...

    By Stoyan Rachev, Donka Dimitrova, Marcin Franczyk, and Moath Qasim

    Shoot Reconciliation Details

    Do you want to understand how Gardener creates and updates Kubernetes clusters (Shoots)? Well, it's complicated, but if you are not afraid of large diagrams and are a visual learner like me, this might be useful to you.

    By Daniel Foehr

    Gardener v1.9 and v1.10 Released

    Summer holidays aren't over yet, still, the Gardener community was able to release two new minor versions in the past weeks. Despite being limited in capacity these days, we were able to reach some major milestones, like adding Kubernetes v1.19 support and the long-delayed automated gardenlet certificate rotation. Whilst we continue to work on topics related...

    By Rafael Franzke

    Gardener v1.8.0 Released

    Even if we are in the midst of the summer holidays, a new Gardener release came out yesterday: v1.8.0! Its main themes are the large change of our logging stack to Loki (which was already explained in detail in a blog post on grafana.com), more configuration options to optimize the utilization of a shoot, node-local DNS, new project roles, and significant...

    By Rafael Franzke

    KubeCon Rewind: SIG Cluster API & Gardener – Managing Machines Automatically

    The KubeCon + CloudNativeCon Europe buzz might be settling, but the energy from our deep dive session with the incredible folks at SIG Cluster API is still palpable! We, from the Gardener team, were absolutely thrilled to share the stage and explore the powerful, declarative world of Kubernetes cluster lifecycle management.

    By Vedran Lerenc

    Gardener Cookies

    For a team event during the Christmas season we decided to completely reinterpret the topic cookies. 😃

    By Andreas Herz

    Hibernate a Cluster to Save Money

    You want to experiment with Kubernetes or set up a customer scenario, but don't want to run the cluster 24/7 due to cost reasons?

    By Andreas Herz

    Anti Patterns

    Running as Root User: Whenever possible, do not run containers as root users. One could be tempted to say that in Kubernetes, the node and pods are well separated, however, the host and the container share the same kernel. If the container is compromised, a root user can damage the underlying node. Instead of running a root user, use RUN grou...

    By Andreas Herz
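    The "Anti Patterns" entry above warns that a root process inside a container shares the node's kernel, so a compromised container can damage the host. The check below, an added example that is not code from the Gardener project or from the post, audits parsed Pod specs for the usual ways a container ends up running as root or able to escalate: no `runAsUser`/`runAsNonRoot` guard (the image's `USER`, which defaults to root, then applies), an explicit `runAsUser: 0`, a `privileged` container, or `allowPrivilegeEscalation` left at its default of true. The sample Pods are constructed for the example; the `audit_pod` function and its finding strings are the example's own, not a Kubernetes or Gardener API.

```python
"""Audit Pod specs for containers that may run as root or escalate privileges.

Added example, not Gardener project code. Assumes Pod manifests are already
parsed into dicts, e.g. from `kubectl get pods -A -o json` (items list).
"""
from typing import Any, Dict, List


def _effective(container: Dict[str, Any], pod_sc: Dict[str, Any], key: str) -> Any:
    """A container-level securityContext field overrides the pod-level one."""
    csc = container.get("securityContext") or {}
    if key in csc:
        return csc[key]
    return pod_sc.get(key)


def audit_pod(pod: Dict[str, Any]) -> List[str]:
    """Return one finding per weakness, for init and regular containers alike."""
    findings: List[str] = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    containers = list(spec.get("initContainers", [])) + list(spec.get("containers", []))

    for c in containers:
        ref = f"{pod_name}/{c.get('name', '<unnamed>')}"
        csc = c.get("securityContext") or {}
        run_as_user = _effective(c, pod_sc, "runAsUser")
        run_as_non_root = _effective(c, pod_sc, "runAsNonRoot")

        if run_as_user == 0:
            findings.append(f"{ref}: runAsUser is 0 (root)")
        elif run_as_user is None and run_as_non_root is not True:
            # Nothing pins the UID and nothing makes kubelet refuse a root image:
            # the image USER applies, and Dockerfiles default to root.
            findings.append(f"{ref}: no runAsUser and runAsNonRoot is not true; image default (root) applies")

        if csc.get("privileged") is True:
            findings.append(f"{ref}: privileged container has full access to the shared host kernel")

        # allowPrivilegeEscalation defaults to true (no_new_privs unset), so setuid
        # binaries in the image can still hand the process more privilege.
        if csc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{ref}: allowPrivilegeEscalation is not set to false")

    return findings


# Constructed sample Pods for the example (hypothetical names and images).
BAD_POD = {
    "metadata": {"name": "legacy"},
    "spec": {
        "initContainers": [
            {"name": "setup", "image": "busybox", "securityContext": {"privileged": True}},
        ],
        "containers": [{"name": "app", "image": "example/app:1.0"}],
    },
}

# Pod-level guard, but one container overrides it back to root.
ROOT_OVERRIDE_POD = {
    "metadata": {"name": "override"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 65532},
        "containers": [
            {"name": "sidecar", "image": "example/sidecar:1.0",
             "securityContext": {"runAsUser": 0, "allowPrivilegeEscalation": False}},
        ],
    },
}

HARDENED_POD = {
    "metadata": {"name": "hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 65532},
        "containers": [
            {"name": "app", "image": "example/app:1.0",
             "securityContext": {"allowPrivilegeEscalation": False,
                                 "capabilities": {"drop": ["ALL"]}}},
        ],
    },
}

if __name__ == "__main__":
    for pod in (BAD_POD, ROOT_OVERRIDE_POD, HARDENED_POD):
        for finding in audit_pod(pod) or [f"{pod['metadata']['name']}: ok"]:
            print(finding)
```

    Feed it the `items` of `kubectl get pods -A -o json` to sweep a cluster. Note that `runAsNonRoot: true` without `runAsUser` is still a valid guard: kubelet then refuses to start an image whose `USER` is root or non-numeric, which is why the hardened sample passes while the override sample does not.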

    Auditing Kubernetes for Secure Setup

    In summer 2018, the Gardener project team asked Kinvolk to execute several penetration tests in its role as a third-party contractor. The goal of this ongoing work is to increase the security of all Gardener stakeholders in the open source community. Following the Gardener architecture, the control plane of a Gardener managed shoot cluster resides in the cor...

    By Andreas Herz

    Hardening the Gardener Community Setup

    The Gardener project team has analyzed the impact of the Gardener CVE-2018-2475 and the Kubernetes CVE-2018-1002105 on the Gardener Community Setup. Following some recommendations it is possible to mitigate both vulnerabilities.

    By Andreas Herz

    Kubernetes is Available in Docker for Mac 17.12 CE

    The Kubernetes client command, kubectl, is included and configured to connect to the local Kubernetes server. If you have kubectl already installed and pointing to some other environment, such as minikube or a GKE cluster, be sure to change the context so that kubectl is pointing to docker-for-desktop. Read more on Docker.com.

    By Andreas Herz

    ReadWriteMany - Dynamically Provisioned Persistent Volumes Using Amazon EFS

    The efs-provisioner allows you to mount EFS storage as PersistentVolumes in Kubernetes. It consists of a container that has access to an AWS EFS resource. The container reads a configmap containing the EFS filesystem ID, the AWS region and the name identifying the efs-provisioner. This name will be used later when you create a storage class.

    By Andreas Herz

    Shared Storage with S3 Backend

    The storage is definitely the most complex and important part of an application setup. Once this part is completed, one of the most problematic parts could be solved.

    By Andreas Herz

    Watching Logs of Several Pods

    One thing that always bothered me was that I couldn't get the logs of several pods at once with kubectl. A simple tail -f <path-to-logfile> isn't possible. Certainly, you can use kubectl logs -f <pod-id>, but it doesn't help if you want to monitor more than one pod at a time.

    By Andreas Herz