diff --git a/cluster/config-defaults.yaml b/cluster/config-defaults.yaml
index 927a43d1f2..621fdd2d4c 100644
--- a/cluster/config-defaults.yaml
+++ b/cluster/config-defaults.yaml
@@ -132,8 +132,11 @@ skipper_edit_route_placeholders: ""
 skipper_ingress_inline_routes: ""
 skipper_ingress_refuse_payload: ""
 skipper_endpointslices_enabled: "true"
+
 skipper_kubernetes_annotation_predicates: ''
+skipper_kubernetes_annotation_filters_append: ''
 skipper_kubernetes_east_west_range_annotation_predicates: ''
+skipper_kubernetes_east_west_range_annotation_filters_append: ''
 
 skipper_compress_encodings: "gzip,deflate,br"
 
diff --git a/cluster/manifests/01-admission-control/config.yaml b/cluster/manifests/01-admission-control/config.yaml
index e8634886e5..f87bb8d946 100644
--- a/cluster/manifests/01-admission-control/config.yaml
+++ b/cluster/manifests/01-admission-control/config.yaml
@@ -116,7 +116,7 @@ data:
   pod.pod-security-policy.privileged-service-accounts.{{ $sa }}: ""
 {{- end}}
 {{- if eq .Cluster.ConfigItems.wiz_enable_runtime_sensor "true" }}
-  pod.pod-security-policy.privileged-service-accounts.wiz_wiz_sensor: ""
+  pod.pod-security-policy.privileged-service-accounts.wiz_wiz-sensor: ""
 {{- end }}
 
   pod.pod-security-policy.allowed-restricted-capabilities.AUDIT_WRITE: ""
diff --git a/cluster/manifests/03-ebs-csi/controller.yaml b/cluster/manifests/03-ebs-csi/controller.yaml
index 923276b111..f1121e819e 100644
--- a/cluster/manifests/03-ebs-csi/controller.yaml
+++ b/cluster/manifests/03-ebs-csi/controller.yaml
@@ -35,7 +35,7 @@ spec:
         runAsUser: 1000
       containers:
         - name: ebs-plugin
-          image: container-registry.zalando.net/teapot/aws-ebs-csi-driver:v1.38.1-master-24
+          image: container-registry.zalando.net/teapot/aws-ebs-csi-driver:v1.38.1-master-25
           args:
             - controller
             - --endpoint=$(CSI_ENDPOINT)
@@ -82,7 +82,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: csi-provisioner
-          image: container-registry.zalando.net/teapot/external-provisioner:v5.1.0-eks-1-31-10-master-24
+          image: container-registry.zalando.net/teapot/external-provisioner:v5.1.0-eks-1-31-10-master-25
           args:
             - --csi-address=$(ADDRESS)
             - --v=2
@@ -107,7 +107,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: csi-attacher
-          image: container-registry.zalando.net/teapot/external-attacher:v4.7.0-eks-1-31-10-master-24
+          image: container-registry.zalando.net/teapot/external-attacher:v4.7.0-eks-1-31-10-master-25
           args:
             - --csi-address=$(ADDRESS)
             - --v=2
@@ -129,7 +129,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: csi-resizer
-          image: container-registry.zalando.net/teapot/external-resizer:v1.12.0-eks-1-31-10-master-24
+          image: container-registry.zalando.net/teapot/external-resizer:v1.12.0-eks-1-31-10-master-25
           args:
             - --csi-address=$(ADDRESS)
             - --v=2
@@ -151,7 +151,7 @@ spec:
             allowPrivilegeEscalation: false
             readOnlyRootFilesystem: true
         - name: liveness-probe
-          image: container-registry.zalando.net/teapot/livenessprobe:v2.14.0-eks-1-31-10-master-24
+          image: container-registry.zalando.net/teapot/livenessprobe:v2.14.0-eks-1-31-10-master-25
           args:
             - --csi-address=/csi/csi.sock
           resources:
diff --git a/cluster/manifests/03-ebs-csi/node.yaml b/cluster/manifests/03-ebs-csi/node.yaml
index a3863386a4..343201f7be 100644
--- a/cluster/manifests/03-ebs-csi/node.yaml
+++ b/cluster/manifests/03-ebs-csi/node.yaml
@@ -77,7 +77,7 @@ spec:
             privileged: true
             readOnlyRootFilesystem: true
         - name: node-driver-registrar
-          image: container-registry.zalando.net/teapot/node-driver-registrar:v2.12.0-eks-1-31-10-master-24
+          image: container-registry.zalando.net/teapot/node-driver-registrar:v2.12.0-eks-1-31-10-master-25
           args:
             - --csi-address=$(ADDRESS)
             - --kubelet-registration-path=$(DRIVER_REG_SOCK_PATH)
diff --git a/cluster/manifests/fabric-gateway/deployment.yaml b/cluster/manifests/fabric-gateway/deployment.yaml
index f645f7f490..dd05ef0591 100644
--- a/cluster/manifests/fabric-gateway/deployment.yaml
+++ b/cluster/manifests/fabric-gateway/deployment.yaml
@@ -1,4 +1,4 @@
-# {{ $image := "container-registry.zalando.net/gwproxy/fabric-gateway:master-300" }}
+# {{ $image := "container-registry.zalando.net/gwproxy/fabric-gateway:master-301" }}
 # {{ $version := index (split $image ":") 1 }}
 apiVersion: apps/v1
 kind: Deployment
diff --git a/cluster/manifests/skipper/deployment.yaml b/cluster/manifests/skipper/deployment.yaml
index 9cdd982fdf..7d7d0c902b 100644
--- a/cluster/manifests/skipper/deployment.yaml
+++ b/cluster/manifests/skipper/deployment.yaml
@@ -1,6 +1,6 @@
 {{/* image-updater-bot detects *image variables so use print to disable it for main image */}}
 
-{{ $main_image := print "container-registry.zalando.net/teapot/skipper-internal:" "v0.21.247-1070" }}
+{{ $main_image := print "container-registry.zalando.net/teapot/skipper-internal:" "v0.21.257-1079" }}
 {{ $canary_image := "container-registry.zalando.net/teapot/skipper-internal:v0.21.257-1079" }}
 
 
@@ -174,7 +174,9 @@ spec:
           - "-kubernetes-east-west-range-domains=ingress.cluster.local"
           - "-kubernetes-east-west-range-predicates=ClientIP(\"10.2.0.0/15\", \"{{ .Values.vpc_ipv4_cidr }}\")"
           - '-kubernetes-annotation-predicates={{ .Cluster.ConfigItems.skipper_kubernetes_annotation_predicates }}'
+          - '-kubernetes-annotation-filters-append={{ .Cluster.ConfigItems.skipper_kubernetes_annotation_filters_append }}'
           - '-kubernetes-east-west-range-annotation-predicates={{ .Cluster.ConfigItems.skipper_kubernetes_east_west_range_annotation_predicates }}'
+          - '-kubernetes-east-west-range-annotation-filters-append={{ .Cluster.ConfigItems.skipper_kubernetes_east_west_range_annotation_filters_append }}'
           - "-reverse-source-predicate"
 {{ end }}
           - "-proxy-preserve-host"
@@ -543,7 +545,9 @@ spec:
           - "-kubernetes-east-west-range-domains=ingress.cluster.local"
           - "-kubernetes-east-west-range-predicates=ClientIP(\"10.2.0.0/15\", \"{{ .Values.vpc_ipv4_cidr }}\")"
           - '-kubernetes-annotation-predicates={{ .Cluster.ConfigItems.skipper_kubernetes_annotation_predicates }}'
+          - '-kubernetes-annotation-filters-append={{ .Cluster.ConfigItems.skipper_kubernetes_annotation_filters_append }}'
           - '-kubernetes-east-west-range-annotation-predicates={{ .Cluster.ConfigItems.skipper_kubernetes_east_west_range_annotation_predicates }}'
+          - '-kubernetes-east-west-range-annotation-filters-append={{ .Cluster.ConfigItems.skipper_kubernetes_east_west_range_annotation_filters_append }}'
           - "-reverse-source-predicate"
           - "-default-filters-dir=/etc/config/default-filters"
           - '-default-filters-prepend={{ .Cluster.ConfigItems.skipper_default_filters }}'
diff --git a/cluster/manifests/wiz/sensor-daemonset.yaml b/cluster/manifests/wiz/sensor-daemonset.yaml
index 38ad4c6334..d2b9cb328d 100644
--- a/cluster/manifests/wiz/sensor-daemonset.yaml
+++ b/cluster/manifests/wiz/sensor-daemonset.yaml
@@ -10,6 +10,8 @@ metadata:
     application: "wiz"
     component: "sensor"
     daemonset: "wiz-sensor"
+  annotations:
+    node-ready.cluster.zalando.org/exclude: "true"
   namespace: wiz
 spec:
   selector:
@@ -27,7 +29,6 @@ spec:
       annotations:
         container.apparmor.security.beta.kubernetes.io/wiz-sensor: unconfined
         cluster-autoscaler.kubernetes.io/enable-ds-eviction: "true"
-        node-ready.cluster.zalando.org/exclude: "true"
     spec:
       serviceAccountName: wiz-sensor
       nodeSelector: