Releases: kubernetes-sigs/gateway-api
Release list
Release v1.6.0
v1.6.0
Changes Since v1.5.1
GEP & API Graduation
- UDPRoute & TCPRoute Graduation:
- UDPRoute has graduated to GA. We recommend using the "v1" API version with this API now. The "v1alpha2" version of this API is deprecated and will be removed in the future. (#4923, @zac-nixon)
- TCPRoute has graduated to GA. We recommend using the "v1" API version with this API now. The "v1alpha2" version of this API is deprecated and will be removed in the future. (#4920, @zac-nixon)
- GEP Status Updates:
- Add GEP for the
XBackendresource into Experimental status (#4488, @keithmattix) - Move TCPRoute GEP to Standard (#4783, @zac-nixon)
- Move UDPRoute GEP to Standard (#5030, @rikatz)
- Add GEP for the
Feature
- API & Validation Enhancements:
- API validation updated for HTTPRoute retries:
retry.codesmust now be unique andretry.attemptsmust be >= 1. (#4907, @snorwin) - Increase the number of allowed Certificate Authority references from
8to16. (#4088, @root30) - The TLSRoute CRD validation has been adjusted to allow up to 1024 hostnames and rules per TLSRoute resource. Operators must validate kube-apiserver, etcd and Gateway controller behavior with representative manifests prior to enabling the new limit in production. (#4332, @alexanderstephan)
- BackendTLSPolicy now can be used in combination with other routes types. (#4745, @rikatz)
- Allow the usage of up to 16 annotations on the gateway infrastructure object. (#4707, @wenisman)
- API validation updated for HTTPRoute retries:
- Conformance Infrastructure:
- Added conformance tests for UDPRoute (GEP-2645), a new GATEWAY-UDP conformance profile, a SupportTCPRoute feature, and a UDP/TCP echo server in echo-basic gated on UDP_ECHO_SERVER. (#4861, @zac-nixon)
- Remove the
idleTimeoutfield from the experimental SessionPersistence API. (#4771, @gcs278)
Documentation
- Migration & Site Updates:
- Migrate documentation from MkDocs to Docsy. (#4734, @iromanycheva-eng)
- The new wizard should be available at https://gateway-api.sigs.k8s.io/wizard. (#4584, @bexxmodd)
- API Specs & Guidance Clarifications:
- Add missing apidoc for BackendTLSPolicy extended support. (#4828, @rikatz)
- Add the missing
ListenersNotValidprogrammed reason for listenerSets. (#4586, @davidjumani) - Added documentation guidance recommending GRPCRoute for gRPC traffic. (#4513, @kahirokunn)
- Clarified CORS API documentation to describe behavior based on
allowCredentialsinstead of credentialed requests. (#4663, @snorwin) - Previously, implementations were required to reject GRPCRoute and HTTPRoutes on the same hostname (however, few implementations did this). Now, implementations may optionally do this, or allow them to coincide. (#4598, @howardjohn)
- Updates the documentation around the ListenerConditionConflicted condition. (#4659, @davidjumani)
- Fixes:
Bug or Regression
- IPv6 Support:
- Fix
GatewayFrontendClientCertificateValidationInsecureFallback,GatewayFrontendClientCertificateValidation, andGatewayFrontendInvalidDefaultClientCertificateValidationfailing on IPv6 clusters. (#4636, @zirain) - Fix
GatewayFrontendInvalidDefaultClientCertificateValidationfailing on IPv6 clusters. (#4629, @zirain)
- Fix
- ValidatingAdmissionPolicy (VAP) Fixes:
- Fixed an issue where the ValidatingAdmissionPolicy prevented experimental CRDs from being installed at all (instead of only when standard CRDs already exist). (#4603, @howardjohn)
- Fixed the safe-upgrades ValidatingAdmissionPolicy to allow upgrades of experimental CRDs. (#4557, @snorwin)
- CRD & Schema Validation:
- Generated Gateway API CRD install manifests no longer include top-level CustomResourceDefinition status fields with invalid null values, fixing strict schema validation failures in tools such as kubeconform. (#4712, @MatteoFari)
- Replace
omitemptywithomitzeroforsupportedKindsin ListenerStatus to preserve backward compatibility for controllers reconciling older Gateway API versions. (#4551, @snorwin)
- API & Validation Fixes:
- It is disallowed to have repeated
filtersoftypeCORS. (#4639, @DamianSawicki) - Limit HTTPRouteHTTPSListenerDetectMisdirectedRequests to h2 only. (#4665, @zirain)
- Make explicit call about resource names requiring to be RFC 1035 compliant. (#4787, @rikatz)
- Make
referencegrant.specfield required. (#4845, @bexxmodd)
- It is disallowed to have repeated
Test & Conformance
- New Conformance Tests:
- Add conformance test
ListenerSetAllowedRoutesCrossNamespacewhich verifies that a ListenerSet only allows routes in its own namespace by default. (#4841, @asauber) - Added a conformance test covering the Gateway
Acceptedcondition with reasonListenersNotValidand the ListenerAcceptedcondition with reasonUnsupportedProtocol. (#4807, @snorwin) - Added conformance test
GatewayInvalidParametersRefthat verifies a Gateway referencing an invalid parameters is rejected. (#4808, @snorwin) - Conformance: add ListenerSet tests for Route parentRef cases. (#4912, @asauber)
- Add conformance test
- Test Machinery & Framework Updates:
- Conformance:
ExpectMirroredRequestnow starts its log window before the requests are sent, so mirrors are not missed on high-latency data planes. (#4952, @lexfrei) - The default polling interval for conformance tests has been decreased. This can be modified by the new
DefaultPollInterval. (#4570, @howardjohn) - The gRPC conformance request helper no longer closes a caller-supplied (injected)
Options.GRPCClient; it closes only theDefaultClientit creates internally. This lets implementations reuse a custom gRPC client across requests. (#4953, @lexfrei)
- Conformance:
- Updates & Fixes to Existing Tests:
- The
conflicted=falsecondition is not required anymore in the listener status for non-conflicted listeners. (#4642, @zhaohuabing) - Fix TLSRoute conformance test to stop relying on self-signed certificates. (#4930, @rikatz)
- Fixed MeshHTTPRoute307Redirect conformance test bug where the wrong manifest was used. (#4806, @jgreeer)
- Update Gateway version to v1 in UDP conformance test. (#4722, @cnvergence)
- Updated the TLSRoute conformance tests to allow FINs where previously RST was asserted. (#4615, @howardjohn)
- conformance: add missing gateway-api/skip-this-for-readiness annotation to invalid gateways (#5027, @snorwin)
- The GRPCRouteWeight conformance test now sends its distribution-sampling requests through the injectable Options.GRPCClient instead of a hardcoded DefaultClient, allowing implementations that supply a custom gRPC client to run it. (#5004, @lexfrei)
- The HTTPRouteRequestPercentageMirror conformance test now derives its acceptance band from the binomial standard deviation instead of a flat ±15% relative tolerance, removing sampling-variance flakes at low mirror percentages. (#5005, @lexfrei)
- Removed HTTPRoute retry tests with connection errors and backend timeouts (#4994, @snorwin)
- The
What's Changed
- TLSRoute: Add conformance test for with Invalid BackendRef Kind by @rostislavbobo in #4504
- TLSRoute: Add conformance test for with nonexistent BackendRef by @rostislavbobo in #4507
- CORS: HTTPCORSFilter and GEP 1767 clean-ups by @DamianSawicki in #4506
- Finalize CORS gep adjustments by @rikatz in #4515
- docs: update broken link for Acnodal EPIC and Cilium Slack by @natherz97 in #4422
- conformance test: CORS by @rikatz in #4494
- [main] Promote client-certificate validation features to Standard by @k8s-infra-cherrypick-robot in #4532
- conformance: Re-add ListenerSetAllowedRoutesSupportedKinds by @davidjumani in #4512
- Update docs about cert-manager by @adrianmoisey in #4539
- CORS conformance fixes regarding credentials and wildcards by @DamianSawicki in #4542
- fix: FailFast should return when test failed by @zirain in #4540
- cleanup: fix typo by @snorwin in #4546
- cleanup: align types for listener ResolvedRefs condition reason by @snorwin in #4543
- fix: use omitzero instead of omitempty for supportedKinds to ensure backward compatibility by @snorwin in #4551
- remove copyright years after 2025 by @LiorLieberman in #4562
- conformance: client certificate AllowInsecureFallback validation mode tests by @snorwin in #4468
- Add script to verify release artifacts. by @bexxmodd in #4527
- fix: enable safe-upgrades VAP to permit upgrades of experimental CRDs by @snorwin in #4557
- bump lychee and fix local links by @rikatz in #4573
- Documentation for GEP-91 Client Certificate Validation Configuration by @kl52752 in #4552
- Docs gep 3155 by @kl52752 in https://github.com/kubernetes-sigs/gatew...
v1.6.0-rc.2
Major Changes Since v1.6.0-rc.1
Bug or Regression
⚠️ Breaking Change: TLS must now be configured for listeners using the HTTPS protocol. (#4985, @snorwin)
Test & Conformance
- The GRPCRouteWeight conformance test now sends its distribution-sampling requests through the injectable Options.GRPCClient instead of a hardcoded DefaultClient, allowing implementations that supply a custom gRPC client to run it. (#5004, @lexfrei)
- The HTTPRouteRequestPercentageMirror conformance test now derives its acceptance band from the binomial standard deviation instead of a flat ±15% relative tolerance, removing sampling-variance flakes at low mirror percentages. (#5005, @lexfrei)
- Removed HTTPRoute retry tests with connection errors and backend timeouts (#4994, @snorwin)
What's Changed
- Update RELEASE.md by @kflynn in #4836
- Conformance report for NGINX Gateway Fabric 2.6.0 by @ciarams87 in #4837
- gep-4768: Standardized Telemetry API (provisional) by @gkhom in #4775
- docs: Add guidance preferring GRPCRoute for gRPC by @kahirokunn in #4513
- Increase TLSRoute hostnames limit from 16 to 1024 by @alexanderstephan in #4332
- build(deps): bump the non-k8s group across 2 directories with 1 update by @dependabot[bot] in #4838
- [gep-1713] ListenerSet: Fix typos and other inconsistencies by @dprotaso in #4824
- grpc: do not require unique hostnames with http by @howardjohn in #4598
- Add Ciilum conformance report for v1.5.1 by @youngnick in #4829
- Add conformance report for Varnish Gateway v0.20.0 by @perbu in #4831
- Enable golangci-lint modernize linter by @erikgb in #4821
- conformance: add cross-namespace ListenerSet AllowedRoutes test by @asauber in #4841
- [breaking change] Remove optional marker from ReferenceGrant.Spec by @bexxmodd in #4845
- Prevent arbitrary code execution hack scripts by @bexxmodd in #4846
- Fix Stored DOM XSS in Controller Wizard by @bexxmodd in #4848
- Migrate documentation from MkDocs to Docsy by @iromanycheva-eng in #4734
- Remove legacy mkdocs files by @rikatz in #4855
- add GEP 3965: Implementation-Specific Matches by @howardjohn in #4676
- fix wizard theme compatibility for dark mode by @bexxmodd in #4857
- build(deps): bump actions/setup-node from 4.1.0 to 6.4.0 by @dependabot[bot] in #4850
- Add verify-crdify script to detect breaking changes in CRDs by @ElenaZvereva in #4830
- Secure monthly-release workflow by @bexxmodd in #4849
- build(deps-dev): bump autoprefixer from 10.4.27 to 10.5.0 in /site by @dependabot[bot] in #4852
- test: retry simulation for echo-basic backend by @snorwin in #4862
- bump controller-tools by @rikatz in #4864
- docs: fix header background color by @snorwin in #4863
- build(deps): bump the k8s-io group across 4 directories with 5 updates by @dependabot[bot] in #4865
- fix: initialize retry count map to prevent nil map panic by @snorwin in #4866
- docs: add front matter to GEP pages to fix search links by @gcs278 in #4868
- cleanup: fix docs build variable mismatch and script error handling by @samzong in #4616
- EXP: Backend Resource by @keithmattix in #4488
- Update Envoy Gateway conformance report for v1.5.1 by @jukie in #4860
- docs: ensure example files reference proper pages + update API version by @JoeyC-Dev in #4840
- docs: fix broken links in README.md by @arybolovlev in #4877
- feat(echo-basic): Add UDP Echo server by @zac-nixon in #4871
- Update UDPRoute gep to add more conformance and clarification by @rikatz in #4879
- Update TCPRoute gep to add more conformance and clarification by @rikatz in #4878
- test(conformance): Add TCPRoute conformance tests for GEP-2644 by @zac-nixon in #4874
- test(conformance): add normative tests for HTTPRoute retries by @snorwin in #4817
- test(conformance): Add UDPRoute conformance tests for GEP-2645 by @zac-nixon in #4861
- Add guidance on API documentation by @rikatz in #4160
- Set release title to tag name in monthly release workflow by @bexxmodd in #4886
- conformance: make timeout and other fields configurable via yaml by @ericdbishop in #4773
- test: enhance retry simulation with TCP failure mode and retry delay by @snorwin in #4897
- test: remove backoff from normative HTTPRoute retry tests by @snorwin in #4898
- [release-1.6] bump dependencies and remove deprecated h2c package by @k8s-infra-cherrypick-robot in #4904
- [release-1.6] Skip conformance options test to avoid replacing flags by @k8s-infra-cherrypick-robot in #4906
- [release-1.6] api: use listType=set for HTTPRoute retry status codes and validate retry attempts >= 1 by @k8s-infra-cherrypick-robot in #4907
- [release-1.6] test(conformance) Touch up L4 conformance by @k8s-infra-cherrypick-robot in #4909
- [release-1.6] test(conformance): add test for HTTPRoute retries with timeouts by @k8s-infra-cherrypick-robot in #4910
- [release-1.6] conformance: add ListenerSet tests for Route parentRefs by @k8s-infra-cherrypick-robot in #4912
- [release-1.6] feat(apis): Promote TCPRoute to v1 by @k8s-infra-cherrypick-robot in #4920
- [release-1.6] feat(apis): Promote UDPRoute to v1 by @k8s-infra-cherrypick-robot in #4923
- [release-1.6] EXP: XBackend Implementation by @k8s-infra-cherrypick-robot in #4924
- [release-1.6] stop using selfsigned certificate on tlsroute tests and reuse cert function by @k8s-infra-cherrypick-robot in #4930
- [release-1.6] conformance: check pods in namespaces by @k8s-infra-cherrypick-robot in #4944
- [release-1.6] conformance: start the mirror log window before the requests are sent by @k8s-infra-cherrypick-robot in #4952
- [release-1.6] Close only the gRPC client the request helper owns by @k8s-infra-cherrypick-robot in #4953
- release v1.6.0-rc.1 by @bexxmodd in #4957
- Correct Backend in changelog by @keithmattix in #4964
- [release-1.6] Run Gateway and BackendTLSPolicy conformance tests in parallel by @k8s-infra-cherrypick-robot in #4967
- [release-1.6] chore: Update TCP && UDP Route version in conformance tests by @k8s-infra-cherrypick-robot in #4981
- [release-1.6] fix: enforce TLS configuration for HTTPS listeners via CEL by @k8s-infra-cherrypick-robot in #4985
- [release-1.6] fix: Invalid listener in TCPRouteInvalidNonTCPListener by @k8s-infra-cherrypick-robot in #4984
- [release-1.6] fix: remove HTTPRoute retry tests with connection errors and backend timeouts by @snorwin in #4994
- [release-1.6] test(conformance): add test covering shared and dedicated routes across multiple Gateways by @k8s-infra-cherrypick-robot in #4997
- [release-1.6] document tightened listener API validation as breaking change in CHANGELOG by @snorwin in htt...
v1.6.0-rc.1
Major Changes Since v1.5.1
GEP & API Graduation
- UDPRoute & TCPRoute Graduation:
- UDPRoute has graduated to GA. We recommend using the "v1" API version with this API now. The "v1alpha2" version of this API is deprecated and will be removed in the future. (#4923, @zac-nixon)
- TCPRoute has graduated to GA. We recommend using the "v1" API version with this API now. The "v1alpha2" version of this API is deprecated and will be removed in the future. (#4920, @zac-nixon)
- GEP Status Updates:
- Add GEP for the
XBackendresource into Experimental status (#4488, @keithmattix) - Move TCPRoute GEP to Standard (#4878, @rikatz)
- Move UDPRoute GEP to Standard (#4879, @rikatz)
- TCPRoute GEP (#4783, @zac-nixon)
- Add GEP for the
Feature
- API & Validation Enhancements:
- API validation updated for HTTPRoute retries:
retry.codesmust now be unique andretry.attemptsmust be >= 1. (#4907, @snorwin) - Increase the number of allowed Certificate Authority references from
8to16. (#4088, @root30) - The TLSRoute CRD validation has been adjusted to allow up to 4096 hostnames and rules per TLSRoute resource. Operators must validate kube-apiserver, etcd and Gateway controller behavior with representative manifests prior to enabling the new limit in production. (#4332, @alexanderstephan)
- BackendTLSPolicy now can be used in combination with other routes types. (#4745, @rikatz)
- Allow the usage of up to 16 annotations on the gateway infrastructure object. (#4707, @wenisman)
- API validation updated for HTTPRoute retries:
- Graduations:
- ValidatingAdmissionPolicy (VAP):
- Conformance Infrastructure:
- Added conformance tests for UDPRoute (GEP-2645), a new GATEWAY-UDP conformance profile, a SupportTCPRoute feature, and a UDP/TCP echo server in echo-basic gated on UDP_ECHO_SERVER. (#4861, @zac-nixon)
- Remove the
idleTimeoutfield from the experimental SessionPersistence API. (#4771, @gcs278)
Documentation
- Migration & Site Updates:
- Migrate documentation from MkDocs to Docsy. (#4734, @iromanycheva-eng)
- The new wizard should be available at https://gateway-api.sigs.k8s.io/wizard. (#4584, @bexxmodd)
- New Documentation:
- Add documentation for TLSRoute. (#4558, @rikatz)
- Adds documentation around ListenerSets. (#4568, @davidjumani)
- API Specs & Guidance Clarifications:
- Add missing apidoc for BackendTLSPolicy extended support. (#4828, @rikatz)
- Add the missing
ListenersNotValidprogrammed reason for listenerSets. (#4586, @davidjumani) - Added documentation guidance recommending GRPCRoute for gRPC traffic. (#4513, @kahirokunn)
- Clarified CORS API documentation to describe behavior based on
allowCredentialsinstead of credentialed requests. (#4663, @snorwin) - Previously, implementations were required to reject GRPCRoute and HTTPRoutes on the same hostname (however, few implementations did this). Now, implementations may optionally do this, or allow them to coincide. (#4598, @howardjohn)
- Updates the documentation around the ListenerConditionConflicted condition. (#4659, @davidjumani)
- Releases & Results:
- Add AWS Load Balancer Controller conformance results for v1.5.0 Gateway API. (#4733, @zac-nixon)
- Fixes:
Bug or Regression
- IPv6 Support:
- Fix
GatewayFrontendClientCertificateValidationInsecureFallback,GatewayFrontendClientCertificateValidation, andGatewayFrontendInvalidDefaultClientCertificateValidationfailing on IPv6 clusters. (#4636, @zirain) - Fix
GatewayFrontendInvalidDefaultClientCertificateValidationfailing on IPv6 clusters. (#4629, @zirain)
- Fix
- ValidatingAdmissionPolicy (VAP) Fixes:
- Fixed an issue where the ValidatingAdmissionPolicy prevented experimental CRDs from being installed at all (instead of only when standard CRDs already exist). (#4603, @howardjohn)
- Fixed the safe-upgrades ValidatingAdmissionPolicy to allow upgrades of experimental CRDs. (#4557, @snorwin)
- CRD & Schema Validation:
- Generated Gateway API CRD install manifests no longer include top-level CustomResourceDefinition status fields with invalid null values, fixing strict schema validation failures in tools such as kubeconform. (#4712, @MatteoFari)
- Replace
omitemptywithomitzeroforsupportedKindsin ListenerStatus to preserve backward compatibility for controllers reconciling older Gateway API versions. (#4551, @snorwin)
- API & Validation Fixes:
- It is disallowed to have repeated
filtersoftypeCORS. (#4639, @DamianSawicki) - Limit HTTPRouteHTTPSListenerDetectMisdirectedRequests to h2 only. (#4665, @zirain)
- Make explicit call about resource names requiring to be RFC 1035 compliant. (#4787, @rikatz)
- Make
referencegrant.specfield required. (#4845, @bexxmodd)
- It is disallowed to have repeated
Test & Conformance
- New Conformance Tests:
- Add conformance test
ListenerSetAllowedRoutesCrossNamespacewhich verifies that a ListenerSet only allows routes in its own namespace by default. (#4841, @asauber) - Added a conformance test covering the Gateway
Acceptedcondition with reasonListenersNotValidand the ListenerAcceptedcondition with reasonUnsupportedProtocol. (#4807, @snorwin) - Added conformance test
GatewayInvalidParametersRefthat verifies a Gateway referencing an invalid parameters is rejected. (#4808, @snorwin) - Conformance: add ListenerSet tests for Route parentRef cases. (#4912, @asauber)
- Implement conformance test for CORS. (#4494, @rikatz)
- Add conformance test
- Test Machinery & Framework Updates:
- Conformance:
ExpectMirroredRequestnow starts its log window before the requests are sent, so mirrors are not missed on high-latency data planes. (#4952, @lexfrei) - The default polling interval for conformance tests has been decreased. This can be modified by the new
DefaultPollInterval. (#4570, @howardjohn) - The gRPC conformance request helper no longer closes a caller-supplied (injected)
Options.GRPCClient; it closes only theDefaultClientit creates internally. This lets implementations reuse a custom gRPC client across requests. (#4953, @lexfrei)
- Conformance:
- Updates & Fixes to Existing Tests:
- The
conflicted=falsecondition is not required anymore in the listener status for non-conflicted listeners. (#4642, @zhaohuabing) - Fix TLSRoute conformance test to stop relying on self-signed certificates. (#4930, @rikatz)
- Fixed MeshHTTPRoute307Redirect conformance test bug where the wrong manifest was used. (#4806, @jgreeer)
- Update Gateway version to v1 in UDP conformance test. (#4722, @cnvergence)
- Updated the TLSRoute conformance tests to allow FINs where previously RST was asserted. (#4615, @howardjohn)
- The
What's Changed
- Update RELEASE.md by @kflynn in #4836
- Conformance report for NGINX Gateway Fabric 2.6.0 by @ciarams87 in #4837
- gep-4768: Standardized Telemetry API (provisional) by @gkhom in #4775
- docs: Add guidance preferring GRPCRoute for gRPC by @kahirokunn in #4513
- Increase TLSRoute hostnames limit from 16 to 1024 by @alexanderstephan in #4332
- build(deps): bump the non-k8s group across 2 directories with 1 update by @dependabot[bot] in #4838
- [gep-1713] ListenerSet: Fix typos and other inconsistencies by @dprotaso in #4824
- grpc: do not require unique hostnames with http by @howardjohn in #4598
- Add Ciilum conformance report for v1.5.1 by @youngnick in #4829
- Add conformance report for Varnish Gateway v0.20.0 by @perbu in #4831
- Enable golangci-lint modernize linter by @erikgb in #4821
- conformance: add cross-namespace ListenerSet AllowedRoutes test by @asauber in #4841
- [breaking change] Remove optional marker from ReferenceGrant.Spec by @bexxmodd in #4845
- Prevent arbitrary code execution hack scripts by @bexxmodd in #4846
- Fix Stored DOM XSS in Controller Wizard by @bexxmodd in #4848
- Migrate documentation from MkDocs to Docsy by @iromanycheva-eng in #4734
- Remove legacy mkdocs files by @rikatz in #4855
- add GEP 3965: Implementation-Specific Matches by @howardjohn in #4676
- fix wizard theme compatibility for dark mode by @bexxmodd in #4857
- build(deps): bump actions/setup-node from 4.1.0 to 6.4.0 by @dependabot[bot] in #4850
- Add verify-crdify script to detect breaking changes in CRDs by @ElenaZvereva in https://github.com/kubernetes-si...
monthly-2026.05
Gateway API monthly-2026.05 Release Notes
This is the monthly release for the Gateway API experimental channel for May 2026. This release includes the latest features and fixes from Gateway API's main branch.
Using this Release
To install the CRDs for this release, use install monthly-2026.05-install.yaml:
kubectl apply --server-side=true -f https://github.com/kubernetes-sigs/gateway-api/releases/download/monthly-2026.05/monthly-2026.05-install.yaml
To build using this release in Go, include this release in your go.mod:
require sigs.k8s.io/gateway-api monthly-2026.05
and run go mod tidy. You'll find that monthly-2026.05 gets replaced by a Go pseudoversion; this is expected.
Changes Summary
Full Changelog: monthly-2026.04...monthly-2026.05
Merged Pull Requests (monthly-2026.04 to monthly-2026.05)
- Add missing API doc for BackendTLSPolicy as union feature (#4828) @rikatz
- #4826 Fix inconsistencies in ListenerSet example (#4827) @vovtz
- fix: add
j2_line_comment_prefixback to mkdocs configuration (#4822) @JoeyC-Dev - Bump golangci-lint (and KAL) to support Go 1.26 (#4820) @erikgb
- Bump K8s dependencies to 1.36 (#4819) @erikgb
- PROVISIONAL: Backend GEP (#4818) @keithmattix
- test(conformance): add test for Gateway Accepted condition with InvalidParameters reason (#4808) @snorwin
- test(conformance): add tests for Gateway listener Accepted condition with UnsupportedProtocol reason (#4807) @snorwin
- Fix MeshHTTPRoute307Redirect conformance test (#4806) @jgreeer
- fix: drop GRPCRoute from supported kinds assertion as the test does not require to support them (#4805) @snorwin
- stop building arm64 images on preverify jobs (#4803) @rikatz
- Fix grammar/sentence (#4798) @jkburges
- docs: update ReferenceGrant API references to v1 (#4796) @JoeyC-Dev
- fix mismatched annotation (#4793) @davidxia
- Make conformance reports require just major and minor GW API versions (#4792) @rikatz
- Make explicit call about resource name restrictions (#4787) @rikatz
- build(deps): bump the mkdocs-deps group in /hack/mkdocs/image with 2 updates (#4784) @app/dependabot
- Fix Google Analytics custom events in Controller Matching Wizard (#4782) @iromanycheva-eng
- cleanup-test-resources option (#4776) @zhaohuabing
- GEP-1619: Remove idleTimeout from SessionPersistence API (#4771) @gcs278
- Add conformance report for agentgateway v1.1.0 (#4765) @howardjohn
- build(deps): bump the k8s-io group across 4 directories with 5 updates (#4761) @app/dependabot
- Update the bundle version for VAP and add it as a release step. (#4759) @bexxmodd
- Update HTTPRoute BackendRefs public docs to match API spec. (#4758) @briantkennedy
- conformance: Add reports for gloo-gateway (#4757) @davidjumani
- conformance: Add tests for omitted and empty backendRefs (#4750) @optix2000
- Specify the usage of BackendTLSPolicy as a union feature (#4745) @rikatz
- docs: better feature comparison table (#4744) @howardjohn
- build(deps): bump the mkdocs-deps group across 1 directory with 4 updates (#4742) @app/dependabot
- V1.5 Implementations page review (#4741) @youngnick
- conformance: make weight test 100x faster (#4740) @howardjohn
- Make monthly release action to be manually triggered with supplied tag. (#4736) @bexxmodd
- Add AWS Load Balancer Controller conformance results for v1.5.0 Gateway API (#4733) @zac-nixon
- manually bump dependencies (#4732) @rikatz
- start using images from registry.k8s.io (#4728) @upodroid
- build(deps): bump actions/setup-go from 6.3.0 to 6.4.0 (#4725) @app/dependabot
- conformance: update tests to use gatewayv1 APIs (#4722) @cnvergence
- Add Google Analytics loader and event tracking for wizard (#4721) @iromanycheva-eng
- EXP: UDPRoute (#4720) @zac-nixon
- Add gateway:util:excludeFromCRD comments for complex CEL validations (#4714) @AndrewCharlesHay
- generator: omit top-level CRD status from manifests (#4712) @MatteoFari
- Add well-known labels package for GEP-1762 (#4705) @carmal891
- docs: clarify RequestHeaderModifier set behavior (#4684) @ShaanveerS
- conformance: Move Inference Extension conformance helper functions to gateway-api/conformance (#4602) @ericdbishop
- Add session persistence conformance test plan (#4482) @salonichf5
- Define union features (#4452) @rikatz
- Issue-4087: Increase MaxItems for CACertificateRefs validation (#4088) @root30
- Add conformance report for Contour 1.33.0 and Gateway API 1.3.0 (#4076) @sunjayBhatia
- Mkdocs Migration Python CLI for #3860 (#3999) @RoseWrightdev
monthly-2026.04
Gateway API monthly-2026.04 Release Notes
This is the monthly release for the Gateway API experimental channel for April 2026. This release includes the latest features and fixes from Gateway API's main branch.
Using this Release
To install the CRDs for this release, use install monthly-2026.04-install.yaml:
kubectl apply --server-side=true -f https://github.com/kubernetes-sigs/gateway-api/releases/download/monthly-2026.04/monthly-2026.04-install.yaml
To build using this release in Go, include this release in your go.mod:
require sigs.k8s.io/gateway-api monthly-2026.04
and run go mod tidy. You'll find that monthly-2026.04 gets replaced by a Go pseudoversion; this is expected.
Changes Summary
Full Changelog: monthly-2026.01...monthly-2026.04
Merged Pull Requests (monthly-2026.01 to monthly-2026.04)
- Adding new reviewers along with some cleanup (#4730) @robscott
- Update NGINX Gateway Fabric conformance for 1.5 (#4718) @sjberman
- GatewayInfrastructure: use uncached client lookups (#4717) @howardjohn
- Add GKE Gateway conformance report for v1.5.0 (#4716) @szkaraddd
- Add report for v1.5.1 (#4715) @jukie
- docs: Include patch versions in wizard data and add v1.5 features (#4710) @snorwin
- Add NGF v2.5.0 pre-release conformance report (#4709) @sjberman
- Misc cleanup for v1.5 (#4708) @snorwin
- 2734 - update gateway infrastructure annotations to 16 (#4707) @wenisman
- conformance: Adds v1.5.1 Report for kgateway (#4703) @davidjumani
- update conformance report of gke-gateway for v1.4.0 (#4702) @szkaraddd
- Add v1.5.1 conformance report for Traefik Proxy (#4700) @kevinpollet
- build(deps): bump mkdocs-material from 9.7.5 to 9.7.6 in /hack/mkdocs/image in the mkdocs-deps group (#4696) @app/dependabot
- conformance: Add Airlock Microgateway 5.0.0 conformance reports (#4694) @tyxeron
- conformance: bump agentgateway to v1.0.0 (#4691) @howardjohn
- Add conformance reports for haproxy ingress (#4688) @jcmoraisjr
- build(deps): bump the non-k8s group across 1 directory with 4 updates (#4682) @app/dependabot
- build(deps): bump the mkdocs-deps group in /hack/mkdocs/image with 2 updates (#4681) @app/dependabot
- docs: fix mkdocs redirects warning (#4680) @Seo-yul
- Docs: Remove deprecated copy_on_write option (#4678) @Seo-yul
- conformance: fix ListenerSetAllowedRoutesSupportedKinds flaking (#4675) @howardjohn
- docs: Add feature names to guides and concepts pages (#4672) @robscott
- add a way to override timeout configs with a flag (#4671) @LiorLieberman
- limit HTTPRouteHTTPSListenerDetectMisdirectedRequests to h2 only (#4665) @zirain
- CORS: clarify API documentation and remove conformance tests for credentialed requests (#4663) @snorwin
- update ListenerConditionConflicted condition docs (#4659) @davidjumani
- docs: fix broken links from security-model rename (#4658) @pl4nty
- docs: remove 1.3 spec from nav (#4657) @pl4nty
- some formatting changes to wizard ui. (#4656) @bexxmodd
- align TLSRoute with hostname concept (#4650) @vinayakray19
- build(deps): bump the k8s-io group across 4 directories with 5 updates (#4644) @app/dependabot
- build(deps): bump the mkdocs-deps group across 1 directory with 2 updates (#4643) @app/dependabot
- allow absent conflict condition for non-conflicted listeners (#4642) @zhaohuabing
- conformance: add v1.4.1 report for Kong Operator v2.1.2 (#4640) @pmalek
- Disallow repeaded CORS filters by CEL (#4639) @DamianSawicki
- fix: fix typo error (#4638) @yuluo-yx
- fix: use JoinHostPort (#4636) @zirain
- Minute clean-ups in conformance tests for CORS (#4634) @DamianSawicki
- fix SetupTimeoutConfig (#4630) @zirain
- fix GatewayFrontendInvalidDefaultClientCertificateValidation test (#4629) @zirain
- conformance: add v1.5.0 report for agentgateway (#4628) @howardjohn
- Add 204 as a possible cors preflight response code (#4627) @jcmoraisjr
- fix: improve GatewayMustHaveAttachedListeners log (#4623) @zirain
- implement findings on gh actions (#4622) @rikatz
- Fix for release artifact validation CI (#4620) @bexxmodd
- fix: align short name (#4619) @zirain
- fix: propagate context and fix defer leak in DumpEchoLogs (#4617) @samzong
- tlsroute: allow FIN or RST instead of just RST (#4615) @howardjohn
- cleanup: update GEPS to reflect release 1.5 (#4614) @snorwin
- build(deps): bump actions/setup-go from 6.2.0 to 6.3.0 (#4611) @app/dependabot
- conformance: add Amazon VPC Lattice Gateway API Controller v2.0.1 report (#4610) @abdallahmahran10
- docs: Update site-docs for 1.5 (#4609) @kflynn
- conformance: add v1.4.1 agentgateway (#4606) @howardjohn
- safe-upgrade: allow installing experimental when no current CRD is in… (#4603) @howardjohn
- mark promoted features on GEP lists (#4601) @rikatz
- docs: add total column to conformance reports (#4597) @howardjohn
- docs: prevent patch releases from invalidating conformance reports. (#4596) @howardjohn
- Update CEL validation of allowOrigins (#4594) @DamianSawicki
- fix: Remove missing namespace in example manifests (#4591) @davidjumani
- fix: Update listener set programmed conditions (#4586) @davidjumani
- Controller matching wizard (#4584) @bexxmodd
- TLSRoute: Add conformance tests for connection rejection (#4583) @rostislavbobo
- Update CORS docs for Standard graduation (#4579) @DamianSawicki
- build(deps): bump sigs.k8s.io/controller-tools from 0.20.0 to 0.20.1 in /tools in the k8s-io group across 1 directory (#4577) @app/dependabot
- build(deps): bump the mkdocs-deps group in /hack/mkdocs/image with 2 updates (#4575) @app/dependabot
- build(deps): bump actions/setup-go from 6.1.0 to 6.2.0 (#4574) @app/dependabot
- bump lychee and fix local links (#4573) @rikatz
- Bumping API approval link for v1.5 (#4572) @robscott
- conformance: tune and allow configuring polling interval (#4570) @howardjohn
- docs: Add documentation for ListenerSets (#4568) @davidjumani
- Add missing IgnoreWhitespace: true (#4567) @DamianSawicki
- TLSRoute: Use v1 for conformance tests (#4566) @rostislavbobo
- remove copyright years after 2025 (#4562) @LiorLieberman
- Misc v1.5.0 conformance improvements (#4560) @howardjohn
- Create TLSRoute documentation (#4558) @rikatz
- fix: enable safe-upgrades VAP to permit upgrades of experimental CRDs (#4557) @snorwin
- Docs gep 3155 (#4553) @kl52752
- Documentation for GEP-91 Client Certificate Validation Configuration (#4552) @kl52752
- fix: use omitzero instead of omitempty for supportedKinds to ensure backward compatibility (#4551) @snorwin
- cleanup: fix typo (#4546) @snorwin
- cleanup: align types for listener ResolvedRefs condition reason (#4543) @snorwin
- CORS conformance fixes regarding credentials and wildcards (#4542) @DamianSawicki
- Creates a consts for common values in conformance (#4541) @carmal891
- fix: FailFast should return when test failed (#4540) @zirain
- Update docs about cert-manager (#4539) @adrianmoisey
- build(deps): bump the k8s-io group across 4 directories with 5 updates (#4537) @app/dependabot
- VAP for release v1.5 (#4533) @robscott
- [main] Promote client-certificate validation features to Standard (#4532) @k8s-infra-cherrypick-robot
- Add script to verify release artifacts. (#4527) @bexxmodd
- Update conformance report for Envoy-Gateway v1.7.0 (#4525) @jukie
- promote CORS to standard (#4521) @rikatz
- Add Hostname concept and explanation document (#4516) @youngnick
- Finalize CORS gep adjustments (#4515) @rikatz
- conformance: Re-add ListenerSetAllowedRoutesSupportedKinds (#4512) @davidjumani
- TLSRoute: Add conformance test for with nonexistent BackendRef (#4507) @rostislavbobo
- CORS: HTTPCORSFilter and GEP 1767 clean-ups (#4506) @DamianSawicki
- TLSRoute: Add conformance test for with Invalid BackendRef Kind (#4504) @rostislavbobo
- docs: Add "When to Use GRPCRoute" section to GRPCRoute API types doc (#4502) @kahirokunn
- build(deps): bump actions/setup-go from 6.1.0 to 6.2.0 (#4501) @app/dependabot
- build(deps): bump actions/checkout from 6.0.1 to 6.0.2 (#4500) @app/dependabot
- ListenerSet: Promote to standard (#4499) @davidjumani
- Quote start in CORS GEP (#4498) @Stevenjin8
- Promote GEP-91 Client Certificate Validation for TLS terminating at t… (#4496) @kl52752
- bump libraries manually before RC (#4495) @rikatz
- conformance test: CORS (#4494) @rikatz
- Promote GEP-3155 Certificate selection when Gateways originate TLS (#4489) @kl52752
- TLSRoute: Add conformance test TCPRoute being invalide for TLS listener (#4487) @rostislavbobo
- Use TCPServer for TLSRoute tests instead of MQTT (#4485) @rikatz
- fix: HTTPRoute redirect test (#4484) @zirain
- Implement TCPServer for tests (#4483) @rikatz
- conformance: support fail fast (#4479) @zirain
- Drop HotMigration feature from ListenerSet (#4477) @dprotaso
- conformance: invalid default client certificate validation config (#4476) @kl52752
- Add conformance for tlsroute mixed listeners (#4475) @rikatz
- Gravitee Kubernetes Operator 4.10.3 conformance report for 1.4.0 (#4474) @a-cordier
- conformance: follow-up on TLSRoute TLSRoute rejection conformance tests (#4473) @rostislavbobo
- docs: add white and black logo variants (#4472) @snorwin
- build(deps): bump pymdown-extensions from 10.20 to 10.20.1 in /hack/mkdocs/image in the mkdocs-deps group (#4470) @app/dependabot
- Conformance report for NGINX Gateway Fabric 2.4.0 (#4469) @bjee19
- conformance: client certificate AllowInsecureFallback validation mode tests (#4468) @snorwin
- Fix inconsistencies on TLSRoute GEP feature names (#4467) @rikatz
- fix redirect for the old security-model link (#4465) @rikatz
- cleanup: simplify client certificate handling in test machinery (#4463) @snorwin
- Update KAL and fix new findings (#4461) @rikatz
- Remove broken link from security guide (#4460) @rikatz
- fix: update pattern for ...
v1.5.1
Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.
Gateway API v1.5.1
Major Changes Since v1.5.0
GEP
- Updates the documentation around the ListenerConditionConflicted condition (#4669, @davidjumani)
Conformance
- Limit HTTPRouteHTTPSListenerDetectMisdirectedRequests to h2 only (#4665, @zirain)
- Fix conformance test not working on IPv6 (#4646, @zirain)
- The
conflicted=falsecondition is not required anymore in the listener status for non-conflicted listeners. (#4664, @zhaohuabing) - Updated the TLSRoute conformance tests to allow FINs where previously RST was asserted (#4624, @howardjohn)
What's Changed
- fix: D'oh. Got the full-changelog URL wrong. by @kflynn in #4608
- [release-1.5] tlsroute: allow FIN or RST instead of just RST by @k8s-infra-cherrypick-robot in #4624
- [release-1.5] fix SetupTimeoutConfig by @k8s-infra-cherrypick-robot in #4647
- [release-1.5] fix: use JoinHostPort by @zirain in #4646
- [release-1.5] Minute clean-ups in conformance tests for CORS by @k8s-infra-cherrypick-robot in #4652
- [release-1.5] fix: propagate context and fix defer leak in DumpEchoLogs by @k8s-infra-cherrypick-robot in #4625
- [release-1.5] Disallow repeaded CORS filters by CEL by @k8s-infra-cherrypick-robot in #4645
- [release-1.5] Add 204 as a possible cors preflight response code by @k8s-infra-cherrypick-robot in #4637
- [release-1.5] fix: improve GatewayMustHaveAttachedListeners log by @k8s-infra-cherrypick-robot in #4632
- [release-1.5] allow absent conflict condition for non-conflicted listeners by @k8s-infra-cherrypick-robot in #4664
- [release-1.5] update ListenerConditionConflicted condition docs by @k8s-infra-cherrypick-robot in #4669
- limit HTTPRouteHTTPSListenerDetectMisdirectedRequests to h2 only (#4665) by @zirain in #4667
- Patch 1.5.1 release. by @bexxmodd in #4685
Full Changelog: v1.5.0...v1.5.1
v1.5.0
Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.
Gateway API v1.5.0
Major Changes Since v1.4.1
Breaking Changes
TLSRoute v1alpha2 and XListenerSet
TLSRoute and ListenerSet have graduated to the Standard channel as v1. In 1.5.0, TLSRoute v1alpha2 is present only in the Experimental channel; in 1.6, it will be removed from the Experimental channel too.
Additionally, note that TLSRoute's CEL validation requires Kubernetes 1.31 or higher.
Upgrades and ValidatingAdmissionPolicy
Gateway API 1.5 introduces a validating admission policy (VAP) called safe-upgrades.gateway.networking.k8s.io to guard against two specific concerns:
- It prevents installing Experimental CRDs once you've installed Standard CRDs.
- It prevents downgrading to a version prior to 1.5 after you've installed Gateway API 1.5.
These actions can't be known to be safe without detailed knowledge about your application and users. If you need to perform them, delete the safe-upgrades.gateway.networking.k8s.io VAP first.
New Features
In this release, the following major features are moving to the Standard channel and are now considered generally available:
- Gateway Client Certificate validation (GEP-91, GEP-3567)
- Certificate selection for Gateway TLS origination (GEP-3155)
- ListenerSet support (GEP-1713)
- HTTPRoute CORS filter (GEP-1767)
- TLSRoute
v1(GEP-2643)
Additionally, the ReferenceGrant resource is moving to v1.
Experimental
- Gateway/HTTPRoute level authentication (GEP-1494)
Full Changelog
Full Changelog: v1.4.1...v1.5.0
Dependencies
Added
- github.com/Masterminds/semver/v3: v3.4.0
- github.com/chzyer/readline: v1.5.1
- github.com/gkampitakis/ciinfo: v0.3.2
- github.com/gkampitakis/go-diff: v1.3.2
- github.com/gkampitakis/go-snaps: v0.5.15
- github.com/ianlancetaylor/demangle: f615e6b
- github.com/joshdk/go-junit: v1.0.0
- github.com/maruel/natural: v1.1.1
- github.com/mfridman/tparse: v0.18.0
- github.com/tidwall/gjson: v1.18.0
- github.com/tidwall/match: v1.1.1
- github.com/tidwall/pretty: v1.2.1
- github.com/tidwall/sjson: v1.2.5
Changed
- cloud.google.com/go/compute/metadata: v0.7.0 → v0.9.0
- github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: v1.29.0 → v1.30.0
- github.com/cncf/xds/go: 2ac532f → 0feb691
- github.com/envoyproxy/go-control-plane/envoy: v1.32.4 → v1.35.0
- github.com/envoyproxy/go-control-plane: v0.13.4 → 75eaa19
- github.com/go-jose/go-jose/v4: v4.1.1 → v4.1.3
- github.com/google/pprof: d1b30fe → 294ebfa
- github.com/mailru/easyjson: v0.9.0 → v0.9.1
- github.com/miekg/dns: v1.1.68 → v1.1.72
- github.com/onsi/ginkgo/v2: v2.22.0 → v2.28.0
- github.com/onsi/gomega: v1.38.1 → v1.39.1
- github.com/prometheus/client_golang: v1.23.0 → v1.23.2
- github.com/prometheus/common: v0.65.0 → v0.66.1
- github.com/prometheus/procfs: v0.17.0 → v0.19.2
- github.com/rogpeppe/go-internal: v1.13.1 → v1.14.1
- github.com/spf13/cobra: v1.9.1 → v1.10.2
- github.com/spf13/pflag: v1.0.7 → v1.0.10
- github.com/spiffe/go-spiffe/v2: v2.5.0 → v2.6.0
- github.com/stretchr/testify: v1.11.0 → v1.11.1
- go.etcd.io/bbolt: v1.4.2 → v1.4.3
- go.etcd.io/etcd/api/v3: v3.6.4 → v3.6.5
- go.etcd.io/etcd/client/pkg/v3: v3.6.4 → v3.6.5
- go.etcd.io/etcd/client/v3: v3.6.4 → v3.6.5
- go.etcd.io/etcd/pkg/v3: v3.6.4 → v3.6.5
- go.etcd.io/etcd/server/v3: v3.6.4 → v3.6.5
- go.opentelemetry.io/auto/sdk: v1.1.0 → v1.2.1
- go.opentelemetry.io/contrib/detectors/gcp: v1.36.0 → v1.38.0
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.58.0 → v0.61.0
- go.opentelemetry.io/otel/metric: v1.37.0 → v1.38.0
- go.opentelemetry.io/otel/sdk/metric: v1.37.0 → v1.38.0
- go.opentelemetry.io/otel/sdk: v1.37.0 → v1.38.0
- go.opentelemetry.io/otel/trace: v1.37.0 → v1.38.0
- go.opentelemetry.io/otel: v1.37.0 → v1.38.0
- go.opentelemetry.io/proto/otlp: v1.5.0 → v1.7.0
- go.uber.org/zap: v1.27.0 → v1.27.1
- go.yaml.in/yaml/v2: v2.4.2 → v2.4.3
- golang.org/x/crypto: v0.41.0 → v0.47.0
- golang.org/x/mod: v0.27.0 → v0.32.0
- golang.org/x/net: v0.43.0 → v0.49.0
- golang.org/x/oauth2: v0.30.0 → v0.34.0
- golang.org/x/sync: v0.16.0 → v0.19.0
- golang.org/x/sys: v0.35.0 → v0.40.0
- golang.org/x/telemetry: 1a19826 → bd525da
- golang.org/x/term: v0.34.0 → v0.39.0
- golang.org/x/text: v0.28.0 → v0.33.0
- golang.org/x/time: v0.12.0 → v0.14.0
- golang.org/x/tools: v0.36.0 → v0.41.0
- google.golang.org/genproto/googleapis/api: 8d1bb00 → ab9386a
- google.golang.org/genproto/googleapis/rpc: ef028d9 → ab9386a
- google.golang.org/grpc: v1.75.1 → v1.78.0
- google.golang.org/protobuf: v1.36.8 → v1.36.11
- k8s.io/api: v0.34.1 → v0.35.1
- k8s.io/apiextensions-apiserver: v0.34.1 → v0.35.1
- k8s.io/apimachinery: v0.34.1 → v0.35.1
- k8s.io/apiserver: v0.34.1 → v0.35.1
- k8s.io/client-go: v0.34.1 → v0.35.1
- k8s.io/code-generator: v0.34.1 → v0.35.1
- k8s.io/component-base: v0.34.1 → v0.35.1
- k8s.io/gengo/v2: c297c0c → ec3ebc5
- k8s.io/kms: v0.34.1 → v0.35.1
- k8s.io/kube-openapi: d7b6acb → 589584f
- k8s.io/utils: 0af2bda → 914a6e7
- sigs.k8s.io/controller-runtime: v0.22.1 → v0.23.1
- sigs.k8s.io/controller-tools: v0.19.0 → v0.20.1
- sigs.k8s.io/structured-merge-diff/v6: v6.3.0 → v6.3.2
Removed
v1.5.0-rc.3
Note: This is a release candidate for
v1.5.0. If while testing and running conformance for this release candidate you run into any problems, please send your feedback here (and feel free to create an issue as well)!
Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.
Changes Since v1.5.0-rc.2
- Fixed an issue where the ValidatingAdmissionPolicy prevented experimental CRDs from being installed at all (instead of only when standard CRDs already exist). (#4604 @howardjohn)
What's Changed
- [release-1.5] safe-upgrade: allow installing experimental when no current CRD is in… by @k8s-infra-cherrypick-robot in #4604
Full Changelog: v1.5.0-rc.2...v1.5.0-rc.3
v1.5.0-rc.2
Note: This is a release candidate for
v1.5.0. If while testing and running conformance for this release candidate you run into any problems, please send your feedback here (and feel free to create an issue as well)!
Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.
Changes Since v1.5.0-rc.1
- CORS Origin values are now validated by CEL to disallow unsupported values in the host portion (#4595, @DamianSawicki -- see discussion in #3648)
- Fixed the safe-upgrades ValidatingAdmissionPolicy to allow upgrades of experimental CRDs (#4578, @snorwin)
- Replace
omitemptywithomitzeroforsupportedKindsin ListenerStatus to preserve backward compatibility for controllers reconciling older Gateway API versions. (#4556, @snorwin) - Add the missing
ListenersNotValidprogrammed reason for listenerSets (#4589, @davidjumani) - The default polling interval for conformance tests has been decreased. This can be modified by the new DefaultPollInterval. (#4599, @howardjohn)
What's Changed
- [release-1.5] cleanup: fix typo by @k8s-infra-cherrypick-robot in #4550
- [release-1.5] cleanup: align types for listener ResolvedRefs condition reason by @k8s-infra-cherrypick-robot in #4554
- [release-1.5] build(deps): bump the k8s-io group across 4 directories with 5 updates by @k8s-infra-cherrypick-robot in #4548
- [release-1.5] CORS conformance fixes regarding credentials and wildcards by @k8s-infra-cherrypick-robot in #4547
- [release-1.5] fix: use omitzero instead of omitempty for supportedKinds to ensure backward compatibility by @k8s-infra-cherrypick-robot in #4556
- [release-1.5] remove copyright years after 2025 by @k8s-infra-cherrypick-robot in #4565
- [release-1.5] TLSRoute: Use v1 for conformance tests by @k8s-infra-cherrypick-robot in #4569
- [release-1.5] fix: FailFast should return when test failed by @k8s-infra-cherrypick-robot in #4549
- [release-1.5] Misc v1.5.0 conformance improvements by @k8s-infra-cherrypick-robot in #4563
- [release-1.5] conformance: client certificate AllowInsecureFallback validation mode tests by @k8s-infra-cherrypick-robot in #4564
- [release-1.5] Add missing IgnoreWhitespace: true by @k8s-infra-cherrypick-robot in #4590
- [release-1.5] fix: Update listener set programmed conditions by @k8s-infra-cherrypick-robot in #4589
- [release-1.5] Update CEL validation of allowOrigins by @k8s-infra-cherrypick-robot in #4595
- [release-1.5] fix: enable safe-upgrades VAP to permit upgrades of experimental CRDs by @snorwin in #4578
- [release-1.5] TLSRoute: Add conformance tests for connection rejection by @k8s-infra-cherrypick-robot in #4593
- [release-1.5] conformance: tune and allow configuring polling interval by @k8s-infra-cherrypick-robot in #4599
- CHANGELOG and version number updates for 1.5.0-rc.2 by @kflynn in #4600
Full Changelog: v1.5.0-rc.1...v1.5.0-rc.2
v1.5.0-rc.1
Note: This is a release candidate for
v1.5.0. If while testing and running conformance for this release candidate you run into any problems, please send your feedback here (and feel free to create an issue as well)!
Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.
Major Changes Since v1.4.1
Breaking Changes
TLSRoute v1alpha2 and XListenerSet
Since TLSRoute and ListenerSet have graduated to the Standard channel, TLSRoute v1alpha2 and XListenerSet are no longer included in the Experimental channel.
Additionally, note that TLSRoute's CEL validation requires Kubernetes 1.31 or higher.
Upgrades and ValidatingAdmissionPolicy
Gateway API 1.5 introduces a validating admission policy (VAP) called safe-upgrades.gateway.networking.k8s.io to guard against two specific concerns:
- It prevents installing Experimental CRDs once you've installed Standard CRDs.
- It prevents downgrading to a version prior to 1.5 after you've installed Gateway API 1.5.
These actions can't be known to be safe without detailed knowledge about your application and users. If you need to perform them, delete the safe-upgrades.gateway.networking.k8s.io VAP first.
New Features
In this release, the following major features are moving to the Standard channel and are now considered generally available:
- Gateway Client Certificate validation (GEP-91, GEP-3567)
- Certificate selection for Gateway TLS origination (GEP-3155)
- ListenerSet support (GEP-1713)
- HTTPRoute CORS filter (GEP-1767)
- TLSRoute
v1(GEP-2643)
Additionally, the ReferenceGrant resource is moving to v1.
Experimental
- Gateway/HTTPRoute level authentication (GEP-1494)
Changes by Kind
Test
- Add conformance test to check that only Accepted Routes are considered as attachedRoute on Gateway status (#4362, @davidesalerno)
- Added conformance tests for invalid backend TLS configurations and the Gateway ResolvedRefs condition (#4389, @snorwin)
- Adds a conformance test for BackendTLSPolicy so that when a ConfigMap contents are changed, it should be reconciled by the controller. (#4360, @Thealisyed)
GEPs
- Adding initial conformance tests for XListenerSets (#3890, @davidjumani)
- Adds the
AttachedListenersconditions to the Gateway status which is the count of successful ListenerSet attachments to the gateway (#4211, @davidjumani) - Allow only static port ports for listenerSets (#4426, @davidjumani)
- Fix the description of what conditions count as a valid attachedRoute on Gateway status (#4341, @davidesalerno)
- TLSRoute gep creation (#4064, @rikatz)
Feature
- Adds TLS mode validation for TLS protocol on ListenerSet Listener. (#4451, @rostislavbobo)
- Allow implementation-specific values for wellKnownCACertificates in BackendTLSPolicy (#4401, @snorwin)
- Promote ReferenceGrant to v1 (#4458, @rikatz)
- Support for client certificate validation for TLS terminating at the Gateway is now in Standard (#4496, @kl52752)
- Support for defining Gateway client certificate when Gateways originate TLS connection to Backends is now in Standard. (#4489, @kl52752)
- TLSRoute has graduated to GA. We recommend using the "v1" API version with this API now. The "v1alpha2" and "v1alpha3" version of this API are deprecated and will be removed in the future. (#4439, @rostislavbobo)
Documentation
- Added a "When to Use GRPCRoute" section to the GRPCRoute API types documentation, with guidance on when to use HTTPRoute vs GRPCRoute and for controller implementers. (#4502, @kahirokunn)
- Adds the
AttachedListenersconditions to the Gateway status for the GEP and details for ListenerSets conformance tests (#4205, @davidjumani) - Define a new Reason type for Listener's Condition status to reflect invalid Client Certificate Validation Configuration for Gateway. (#4443, @kl52752)
- Updating versioning docs located at https://gateway-api.sigs.k8s.io/concepts/versioning/ (#4308, @bexxmodd)
Bug or Regression
- Added
minItems=1validation toHTTPRoute.spec.rulesto prevent creation of HTTPRoute resources without any rules. (#4301, @snorwin) - Only allow cookieConfig with type: Cookie (#4411, @LiorLieberman)
Other (Cleanup or Flake)
- Remove TCPRoute support from TLS listeners (#4427, @rikatz)
- Update the Gateway status to include
AttachedListenerSets- the count of ListenerSets that have successfully attached to the gateway (#4358, @davidjumani)
Uncategorized
- Added conformance tests validating Gateway behavior for connection coalescing when SNI and Host headers do not match, including correct use of HTTP 421 for potentially misdirected requests. (#4364, @snorwin)
- Adds TLS mode validation for TLS protocol on Gateway Listener. (#4441, @rostislavbobo)
- Adds conformance tests for ListenerSets (#4445, @davidjumani)
- Https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v3.0.0 (#4453, @shuqz)
- Implement conformance test for CORS (#4494, @rikatz)
- Promote ListenerSet to standard (#4499, @davidjumani)
Dependencies
Added
- github.com/Masterminds/semver/v3: v3.4.0
- github.com/chzyer/readline: v1.5.1
- github.com/gkampitakis/ciinfo: v0.3.2
- github.com/gkampitakis/go-diff: v1.3.2
- github.com/gkampitakis/go-snaps: v0.5.15
- github.com/ianlancetaylor/demangle: f615e6b
- github.com/joshdk/go-junit: v1.0.0
- github.com/maruel/natural: v1.1.1
- github.com/mfridman/tparse: v0.18.0
- github.com/tidwall/gjson: v1.18.0
- github.com/tidwall/match: v1.1.1
- github.com/tidwall/pretty: v1.2.1
- github.com/tidwall/sjson: v1.2.5
Changed
- cloud.google.com/go/compute/metadata: v0.7.0 → v0.9.0
- github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: v1.29.0 → v1.30.0
- github.com/cncf/xds/go: 2ac532f → 0feb691
- github.com/envoyproxy/go-control-plane/envoy: v1.32.4 → v1.35.0
- github.com/envoyproxy/go-control-plane: v0.13.4 → 75eaa19
- github.com/go-jose/go-jose/v4: v4.1.1 → v4.1.3
- github.com/google/pprof: d1b30fe → 294ebfa
- github.com/mailru/easyjson: v0.9.0 → v0.9.1
- github.com/miekg/dns: v1.1.68 → v1.1.72
- github.com/onsi/ginkgo/v2: v2.22.0 → v2.28.0
- github.com/onsi/gomega: v1.38.1 → v1.39.1
- github.com/prometheus/client_golang: v1.23.0 → v1.23.2
- github.com/prometheus/common: v0.65.0 → v0.66.1
- github.com/prometheus/procfs: v0.17.0 → v0.19.2
- github.com/rogpeppe/go-internal: v1.13.1 → v1.14.1
- github.com/spf13/cobra: v1.9.1 → v1.10.2
- github.com/spf13/pflag: v1.0.7 → v1.0.10
- github.com/spiffe/go-spiffe/v2: v2.5.0 → v2.6.0
- github.com/stretchr/testify: v1.11.0 → v1.11.1
- go.etcd.io/bbolt: v1.4.2 → v1.4.3
- go.etcd.io/etcd/api/v3: v3.6.4 → v3.6.5
- go.etcd.io/etcd/client/pkg/v3: v3.6.4 → v3.6.5
- go.etcd.io/etcd/client/v3: v3.6.4 → v3.6.5
- go.etcd.io/etcd/pkg/v3: v3.6.4 → v3.6.5
- go.etcd.io/etcd/server/v3: v3.6.4 → v3.6.5
- go.opentelemetry.io/auto/sdk: v1.1.0 → v1.2.1
- go.opentelemetry.io/contrib/detectors/gcp: v1.36.0 → v1.38.0
- go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.58.0 → v0.61.0
- go.opentelemetry.io/otel/metric: v1.37.0 → v1.38.0
- go.opentelemetry.io/otel/sdk/metric: v1.37.0 → v1.38.0
- go.opentelemetry.io/otel/sdk: v1.37.0 → v1.38.0
- go.opentelemetry.io/otel/trace: v1.37.0 → v1.38.0
- ...