Skip to content

Releases: kubernetes-sigs/gateway-api

Release v1.6.0

Choose a tag to compare

@bexxmodd bexxmodd released this 29 Jun 20:40
Immutable release. Only release title and notes can be modified.
89b3b0c

v1.6.0

Changes Since v1.5.1

GEP & API Graduation

  • UDPRoute & TCPRoute Graduation:
    • UDPRoute has graduated to GA. We recommend using the "v1" API version with this API now. The "v1alpha2" version of this API is deprecated and will be removed in the future. (#4923, @zac-nixon)
    • TCPRoute has graduated to GA. We recommend using the "v1" API version with this API now. The "v1alpha2" version of this API is deprecated and will be removed in the future. (#4920, @zac-nixon)
  • GEP Status Updates:

Feature

  • API & Validation Enhancements:
    • API validation updated for HTTPRoute retries: retry.codes must now be unique and retry.attempts must be >= 1. (#4907, @snorwin)
    • Increase the number of allowed Certificate Authority references from 8 to 16. (#4088, @root30)
    • The TLSRoute CRD validation has been adjusted to allow up to 1024 hostnames and rules per TLSRoute resource. Operators must validate kube-apiserver, etcd and Gateway controller behavior with representative manifests prior to enabling the new limit in production. (#4332, @alexanderstephan)
    • BackendTLSPolicy now can be used in combination with other routes types. (#4745, @rikatz)
    • Allow the usage of up to 16 annotations on the gateway infrastructure object. (#4707, @wenisman)
  • Conformance Infrastructure:
    • Added conformance tests for UDPRoute (GEP-2645), a new GATEWAY-UDP conformance profile, a SupportTCPRoute feature, and a UDP/TCP echo server in echo-basic gated on UDP_ECHO_SERVER. (#4861, @zac-nixon)
  • Remove the idleTimeout field from the experimental SessionPersistence API. (#4771, @gcs278)

Documentation

  • Migration & Site Updates:
  • API Specs & Guidance Clarifications:
    • Add missing apidoc for BackendTLSPolicy extended support. (#4828, @rikatz)
    • Add the missing ListenersNotValid programmed reason for listenerSets. (#4586, @davidjumani)
    • Added documentation guidance recommending GRPCRoute for gRPC traffic. (#4513, @kahirokunn)
    • Clarified CORS API documentation to describe behavior based on allowCredentials instead of credentialed requests. (#4663, @snorwin)
    • Previously, implementations were required to reject GRPCRoute and HTTPRoutes on the same hostname (however, few implementations did this). Now, implementations may optionally do this, or allow them to coincide. (#4598, @howardjohn)
    • Updates the documentation around the ListenerConditionConflicted condition. (#4659, @davidjumani)
  • Fixes:

Bug or Regression

  • IPv6 Support:
    • Fix GatewayFrontendClientCertificateValidationInsecureFallback, GatewayFrontendClientCertificateValidation, and GatewayFrontendInvalidDefaultClientCertificateValidation failing on IPv6 clusters. (#4636, @zirain)
    • Fix GatewayFrontendInvalidDefaultClientCertificateValidation failing on IPv6 clusters. (#4629, @zirain)
  • ValidatingAdmissionPolicy (VAP) Fixes:
    • Fixed an issue where the ValidatingAdmissionPolicy prevented experimental CRDs from being installed at all (instead of only when standard CRDs already exist). (#4603, @howardjohn)
    • Fixed the safe-upgrades ValidatingAdmissionPolicy to allow upgrades of experimental CRDs. (#4557, @snorwin)
  • CRD & Schema Validation:
    • Generated Gateway API CRD install manifests no longer include top-level CustomResourceDefinition status fields with invalid null values, fixing strict schema validation failures in tools such as kubeconform. (#4712, @MatteoFari)
    • Replace omitempty with omitzero for supportedKinds in ListenerStatus to preserve backward compatibility for controllers reconciling older Gateway API versions. (#4551, @snorwin)
  • API & Validation Fixes:
    • It is disallowed to have repeated filters of type CORS. (#4639, @DamianSawicki)
    • Limit HTTPRouteHTTPSListenerDetectMisdirectedRequests to h2 only. (#4665, @zirain)
    • Make explicit call about resource names requiring to be RFC 1035 compliant. (#4787, @rikatz)
    • Make referencegrant.spec field required. (#4845, @bexxmodd)

Test & Conformance

  • New Conformance Tests:
    • Add conformance test ListenerSetAllowedRoutesCrossNamespace which verifies that a ListenerSet only allows routes in its own namespace by default. (#4841, @asauber)
    • Added a conformance test covering the Gateway Accepted condition with reason ListenersNotValid and the Listener Accepted condition with reason UnsupportedProtocol. (#4807, @snorwin)
    • Added conformance test GatewayInvalidParametersRef that verifies a Gateway referencing an invalid parameters is rejected. (#4808, @snorwin)
    • Conformance: add ListenerSet tests for Route parentRef cases. (#4912, @asauber)
  • Test Machinery & Framework Updates:
    • Conformance: ExpectMirroredRequest now starts its log window before the requests are sent, so mirrors are not missed on high-latency data planes. (#4952, @lexfrei)
    • The default polling interval for conformance tests has been decreased. This can be modified by the new DefaultPollInterval. (#4570, @howardjohn)
    • The gRPC conformance request helper no longer closes a caller-supplied (injected) Options.GRPCClient; it closes only the DefaultClient it creates internally. This lets implementations reuse a custom gRPC client across requests. (#4953, @lexfrei)
  • Updates & Fixes to Existing Tests:
    • The conflicted=false condition is not required anymore in the listener status for non-conflicted listeners. (#4642, @zhaohuabing)
    • Fix TLSRoute conformance test to stop relying on self-signed certificates. (#4930, @rikatz)
    • Fixed MeshHTTPRoute307Redirect conformance test bug where the wrong manifest was used. (#4806, @jgreeer)
    • Update Gateway version to v1 in UDP conformance test. (#4722, @cnvergence)
    • Updated the TLSRoute conformance tests to allow FINs where previously RST was asserted. (#4615, @howardjohn)
    • conformance: add missing gateway-api/skip-this-for-readiness annotation to invalid gateways (#5027, @snorwin)
    • The GRPCRouteWeight conformance test now sends its distribution-sampling requests through the injectable Options.GRPCClient instead of a hardcoded DefaultClient, allowing implementations that supply a custom gRPC client to run it. (#5004, @lexfrei)
    • The HTTPRouteRequestPercentageMirror conformance test now derives its acceptance band from the binomial standard deviation instead of a flat ±15% relative tolerance, removing sampling-variance flakes at low mirror percentages. (#5005, @lexfrei)
    • Removed HTTPRoute retry tests with connection errors and backend timeouts (#4994, @snorwin)

What's Changed

Read more

v1.6.0-rc.2

v1.6.0-rc.2 Pre-release
Pre-release

Choose a tag to compare

@bexxmodd bexxmodd released this 25 Jun 04:51
Immutable release. Only release title and notes can be modified.
2a8f364

Major Changes Since v1.6.0-rc.1

Bug or Regression

  • ⚠️ Breaking Change: TLS must now be configured for listeners using the HTTPS protocol. (#4985, @snorwin)

Test & Conformance

  • The GRPCRouteWeight conformance test now sends its distribution-sampling requests through the injectable Options.GRPCClient instead of a hardcoded DefaultClient, allowing implementations that supply a custom gRPC client to run it. (#5004, @lexfrei)
  • The HTTPRouteRequestPercentageMirror conformance test now derives its acceptance band from the binomial standard deviation instead of a flat ±15% relative tolerance, removing sampling-variance flakes at low mirror percentages. (#5005, @lexfrei)
  • Removed HTTPRoute retry tests with connection errors and backend timeouts (#4994, @snorwin)

What's Changed

Read more

v1.6.0-rc.1

v1.6.0-rc.1 Pre-release
Pre-release

Choose a tag to compare

@bexxmodd bexxmodd released this 10 Jun 22:16
Immutable release. Only release title and notes can be modified.
00cfc55

Major Changes Since v1.5.1

GEP & API Graduation

  • UDPRoute & TCPRoute Graduation:
    • UDPRoute has graduated to GA. We recommend using the "v1" API version with this API now. The "v1alpha2" version of this API is deprecated and will be removed in the future. (#4923, @zac-nixon)
    • TCPRoute has graduated to GA. We recommend using the "v1" API version with this API now. The "v1alpha2" version of this API is deprecated and will be removed in the future. (#4920, @zac-nixon)
  • GEP Status Updates:

Feature

  • API & Validation Enhancements:
    • API validation updated for HTTPRoute retries: retry.codes must now be unique and retry.attempts must be >= 1. (#4907, @snorwin)
    • Increase the number of allowed Certificate Authority references from 8 to 16. (#4088, @root30)
    • The TLSRoute CRD validation has been adjusted to allow up to 4096 hostnames and rules per TLSRoute resource. Operators must validate kube-apiserver, etcd and Gateway controller behavior with representative manifests prior to enabling the new limit in production. (#4332, @alexanderstephan)
    • BackendTLSPolicy now can be used in combination with other routes types. (#4745, @rikatz)
    • Allow the usage of up to 16 annotations on the gateway infrastructure object. (#4707, @wenisman)
  • Graduations:
    • CORS filter is now part of the standard channel. (#4521, @rikatz)
  • ValidatingAdmissionPolicy (VAP):
    • Adds a VAP that prohibits:
      • Installation of experimental CRDs on top of standard channel CRDs (within the same API group).
      • Installation of monthly releases.
      • Installation of older releases. (#4533, @robscott)
  • Conformance Infrastructure:
    • Added conformance tests for UDPRoute (GEP-2645), a new GATEWAY-UDP conformance profile, a SupportTCPRoute feature, and a UDP/TCP echo server in echo-basic gated on UDP_ECHO_SERVER. (#4861, @zac-nixon)
  • Remove the idleTimeout field from the experimental SessionPersistence API. (#4771, @gcs278)

Documentation

  • Migration & Site Updates:
  • New Documentation:
  • API Specs & Guidance Clarifications:
    • Add missing apidoc for BackendTLSPolicy extended support. (#4828, @rikatz)
    • Add the missing ListenersNotValid programmed reason for listenerSets. (#4586, @davidjumani)
    • Added documentation guidance recommending GRPCRoute for gRPC traffic. (#4513, @kahirokunn)
    • Clarified CORS API documentation to describe behavior based on allowCredentials instead of credentialed requests. (#4663, @snorwin)
    • Previously, implementations were required to reject GRPCRoute and HTTPRoutes on the same hostname (however, few implementations did this). Now, implementations may optionally do this, or allow them to coincide. (#4598, @howardjohn)
    • Updates the documentation around the ListenerConditionConflicted condition. (#4659, @davidjumani)
  • Releases & Results:
    • Add AWS Load Balancer Controller conformance results for v1.5.0 Gateway API. (#4733, @zac-nixon)
  • Fixes:

Bug or Regression

  • IPv6 Support:
    • Fix GatewayFrontendClientCertificateValidationInsecureFallback, GatewayFrontendClientCertificateValidation, and GatewayFrontendInvalidDefaultClientCertificateValidation failing on IPv6 clusters. (#4636, @zirain)
    • Fix GatewayFrontendInvalidDefaultClientCertificateValidation failing on IPv6 clusters. (#4629, @zirain)
  • ValidatingAdmissionPolicy (VAP) Fixes:
    • Fixed an issue where the ValidatingAdmissionPolicy prevented experimental CRDs from being installed at all (instead of only when standard CRDs already exist). (#4603, @howardjohn)
    • Fixed the safe-upgrades ValidatingAdmissionPolicy to allow upgrades of experimental CRDs. (#4557, @snorwin)
  • CRD & Schema Validation:
    • Generated Gateway API CRD install manifests no longer include top-level CustomResourceDefinition status fields with invalid null values, fixing strict schema validation failures in tools such as kubeconform. (#4712, @MatteoFari)
    • Replace omitempty with omitzero for supportedKinds in ListenerStatus to preserve backward compatibility for controllers reconciling older Gateway API versions. (#4551, @snorwin)
  • API & Validation Fixes:
    • It is disallowed to have repeated filters of type CORS. (#4639, @DamianSawicki)
    • Limit HTTPRouteHTTPSListenerDetectMisdirectedRequests to h2 only. (#4665, @zirain)
    • Make explicit call about resource names requiring to be RFC 1035 compliant. (#4787, @rikatz)
    • Make referencegrant.spec field required. (#4845, @bexxmodd)

Test & Conformance

  • New Conformance Tests:
    • Add conformance test ListenerSetAllowedRoutesCrossNamespace which verifies that a ListenerSet only allows routes in its own namespace by default. (#4841, @asauber)
    • Added a conformance test covering the Gateway Accepted condition with reason ListenersNotValid and the Listener Accepted condition with reason UnsupportedProtocol. (#4807, @snorwin)
    • Added conformance test GatewayInvalidParametersRef that verifies a Gateway referencing an invalid parameters is rejected. (#4808, @snorwin)
    • Conformance: add ListenerSet tests for Route parentRef cases. (#4912, @asauber)
    • Implement conformance test for CORS. (#4494, @rikatz)
  • Test Machinery & Framework Updates:
    • Conformance: ExpectMirroredRequest now starts its log window before the requests are sent, so mirrors are not missed on high-latency data planes. (#4952, @lexfrei)
    • The default polling interval for conformance tests has been decreased. This can be modified by the new DefaultPollInterval. (#4570, @howardjohn)
    • The gRPC conformance request helper no longer closes a caller-supplied (injected) Options.GRPCClient; it closes only the DefaultClient it creates internally. This lets implementations reuse a custom gRPC client across requests. (#4953, @lexfrei)
  • Updates & Fixes to Existing Tests:
    • The conflicted=false condition is not required anymore in the listener status for non-conflicted listeners. (#4642, @zhaohuabing)
    • Fix TLSRoute conformance test to stop relying on self-signed certificates. (#4930, @rikatz)
    • Fixed MeshHTTPRoute307Redirect conformance test bug where the wrong manifest was used. (#4806, @jgreeer)
    • Update Gateway version to v1 in UDP conformance test. (#4722, @cnvergence)
    • Updated the TLSRoute conformance tests to allow FINs where previously RST was asserted. (#4615, @howardjohn)

What's Changed

Read more

monthly-2026.05

monthly-2026.05 Pre-release
Pre-release

Choose a tag to compare

@github-actions github-actions released this 06 May 14:52
Immutable release. Only release title and notes can be modified.
32e498c

Gateway API monthly-2026.05 Release Notes

This is the monthly release for the Gateway API experimental channel for May 2026. This release includes the latest features and fixes from Gateway API's main branch.

Using this Release

To install the CRDs for this release, use install monthly-2026.05-install.yaml:

kubectl apply --server-side=true -f https://github.com/kubernetes-sigs/gateway-api/releases/download/monthly-2026.05/monthly-2026.05-install.yaml

To build using this release in Go, include this release in your go.mod:

require sigs.k8s.io/gateway-api monthly-2026.05

and run go mod tidy. You'll find that monthly-2026.05 gets replaced by a Go pseudoversion; this is expected.

Changes Summary

Full Changelog: monthly-2026.04...monthly-2026.05

Merged Pull Requests (monthly-2026.04 to monthly-2026.05)

  • Add missing API doc for BackendTLSPolicy as union feature (#4828) @rikatz
  • #4826 Fix inconsistencies in ListenerSet example (#4827) @vovtz
  • fix: add j2_line_comment_prefix back to mkdocs configuration (#4822) @JoeyC-Dev
  • Bump golangci-lint (and KAL) to support Go 1.26 (#4820) @erikgb
  • Bump K8s dependencies to 1.36 (#4819) @erikgb
  • PROVISIONAL: Backend GEP (#4818) @keithmattix
  • test(conformance): add test for Gateway Accepted condition with InvalidParameters reason (#4808) @snorwin
  • test(conformance): add tests for Gateway listener Accepted condition with UnsupportedProtocol reason (#4807) @snorwin
  • Fix MeshHTTPRoute307Redirect conformance test (#4806) @jgreeer
  • fix: drop GRPCRoute from supported kinds assertion as the test does not require to support them (#4805) @snorwin
  • stop building arm64 images on preverify jobs (#4803) @rikatz
  • Fix grammar/sentence (#4798) @jkburges
  • docs: update ReferenceGrant API references to v1 (#4796) @JoeyC-Dev
  • fix mismatched annotation (#4793) @davidxia
  • Make conformance reports require just major and minor GW API versions (#4792) @rikatz
  • Make explicit call about resource name restrictions (#4787) @rikatz
  • build(deps): bump the mkdocs-deps group in /hack/mkdocs/image with 2 updates (#4784) @app/dependabot
  • Fix Google Analytics custom events in Controller Matching Wizard (#4782) @iromanycheva-eng
  • cleanup-test-resources option (#4776) @zhaohuabing
  • GEP-1619: Remove idleTimeout from SessionPersistence API (#4771) @gcs278
  • Add conformance report for agentgateway v1.1.0 (#4765) @howardjohn
  • build(deps): bump the k8s-io group across 4 directories with 5 updates (#4761) @app/dependabot
  • Update the bundle version for VAP and add it as a release step. (#4759) @bexxmodd
  • Update HTTPRoute BackendRefs public docs to match API spec. (#4758) @briantkennedy
  • conformance: Add reports for gloo-gateway (#4757) @davidjumani
  • conformance: Add tests for omitted and empty backendRefs (#4750) @optix2000
  • Specify the usage of BackendTLSPolicy as a union feature (#4745) @rikatz
  • docs: better feature comparison table (#4744) @howardjohn
  • build(deps): bump the mkdocs-deps group across 1 directory with 4 updates (#4742) @app/dependabot
  • V1.5 Implementations page review (#4741) @youngnick
  • conformance: make weight test 100x faster (#4740) @howardjohn
  • Make monthly release action to be manually triggered with supplied tag. (#4736) @bexxmodd
  • Add AWS Load Balancer Controller conformance results for v1.5.0 Gateway API (#4733) @zac-nixon
  • manually bump dependencies (#4732) @rikatz
  • start using images from registry.k8s.io (#4728) @upodroid
  • build(deps): bump actions/setup-go from 6.3.0 to 6.4.0 (#4725) @app/dependabot
  • conformance: update tests to use gatewayv1 APIs (#4722) @cnvergence
  • Add Google Analytics loader and event tracking for wizard (#4721) @iromanycheva-eng
  • EXP: UDPRoute (#4720) @zac-nixon
  • Add gateway:util:excludeFromCRD comments for complex CEL validations (#4714) @AndrewCharlesHay
  • generator: omit top-level CRD status from manifests (#4712) @MatteoFari
  • Add well-known labels package for GEP-1762 (#4705) @carmal891
  • docs: clarify RequestHeaderModifier set behavior (#4684) @ShaanveerS
  • conformance: Move Inference Extension conformance helper functions to gateway-api/conformance (#4602) @ericdbishop
  • Add session persistence conformance test plan (#4482) @salonichf5
  • Define union features (#4452) @rikatz
  • Issue-4087: Increase MaxItems for CACertificateRefs validation (#4088) @root30
  • Add conformance report for Contour 1.33.0 and Gateway API 1.3.0 (#4076) @sunjayBhatia
  • Mkdocs Migration Python CLI for #3860 (#3999) @RoseWrightdev

monthly-2026.04

monthly-2026.04 Pre-release
Pre-release

Choose a tag to compare

@github-actions github-actions released this 08 Apr 21:33
Immutable release. Only release title and notes can be modified.
4d0fba7

Gateway API monthly-2026.04 Release Notes

This is the monthly release for the Gateway API experimental channel for April 2026. This release includes the latest features and fixes from Gateway API's main branch.

Using this Release

To install the CRDs for this release, use install monthly-2026.04-install.yaml:

kubectl apply --server-side=true -f https://github.com/kubernetes-sigs/gateway-api/releases/download/monthly-2026.04/monthly-2026.04-install.yaml

To build using this release in Go, include this release in your go.mod:

require sigs.k8s.io/gateway-api monthly-2026.04

and run go mod tidy. You'll find that monthly-2026.04 gets replaced by a Go pseudoversion; this is expected.

Changes Summary

Full Changelog: monthly-2026.01...monthly-2026.04

Merged Pull Requests (monthly-2026.01 to monthly-2026.04)

  • Adding new reviewers along with some cleanup (#4730) @robscott
  • Update NGINX Gateway Fabric conformance for 1.5 (#4718) @sjberman
  • GatewayInfrastructure: use uncached client lookups (#4717) @howardjohn
  • Add GKE Gateway conformance report for v1.5.0 (#4716) @szkaraddd
  • Add report for v1.5.1 (#4715) @jukie
  • docs: Include patch versions in wizard data and add v1.5 features (#4710) @snorwin
  • Add NGF v2.5.0 pre-release conformance report (#4709) @sjberman
  • Misc cleanup for v1.5 (#4708) @snorwin
  • 2734 - update gateway infrastructure annotations to 16 (#4707) @wenisman
  • conformance: Adds v1.5.1 Report for kgateway (#4703) @davidjumani
  • update conformance report of gke-gateway for v1.4.0 (#4702) @szkaraddd
  • Add v1.5.1 conformance report for Traefik Proxy (#4700) @kevinpollet
  • build(deps): bump mkdocs-material from 9.7.5 to 9.7.6 in /hack/mkdocs/image in the mkdocs-deps group (#4696) @app/dependabot
  • conformance: Add Airlock Microgateway 5.0.0 conformance reports (#4694) @tyxeron
  • conformance: bump agentgateway to v1.0.0 (#4691) @howardjohn
  • Add conformance reports for haproxy ingress (#4688) @jcmoraisjr
  • build(deps): bump the non-k8s group across 1 directory with 4 updates (#4682) @app/dependabot
  • build(deps): bump the mkdocs-deps group in /hack/mkdocs/image with 2 updates (#4681) @app/dependabot
  • docs: fix mkdocs redirects warning (#4680) @Seo-yul
  • Docs: Remove deprecated copy_on_write option (#4678) @Seo-yul
  • conformance: fix ListenerSetAllowedRoutesSupportedKinds flaking (#4675) @howardjohn
  • docs: Add feature names to guides and concepts pages (#4672) @robscott
  • add a way to override timeout configs with a flag (#4671) @LiorLieberman
  • limit HTTPRouteHTTPSListenerDetectMisdirectedRequests to h2 only (#4665) @zirain
  • CORS: clarify API documentation and remove conformance tests for credentialed requests (#4663) @snorwin
  • update ListenerConditionConflicted condition docs (#4659) @davidjumani
  • docs: fix broken links from security-model rename (#4658) @pl4nty
  • docs: remove 1.3 spec from nav (#4657) @pl4nty
  • some formatting changes to wizard ui. (#4656) @bexxmodd
  • align TLSRoute with hostname concept (#4650) @vinayakray19
  • build(deps): bump the k8s-io group across 4 directories with 5 updates (#4644) @app/dependabot
  • build(deps): bump the mkdocs-deps group across 1 directory with 2 updates (#4643) @app/dependabot
  • allow absent conflict condition for non-conflicted listeners (#4642) @zhaohuabing
  • conformance: add v1.4.1 report for Kong Operator v2.1.2 (#4640) @pmalek
  • Disallow repeaded CORS filters by CEL (#4639) @DamianSawicki
  • fix: fix typo error (#4638) @yuluo-yx
  • fix: use JoinHostPort (#4636) @zirain
  • Minute clean-ups in conformance tests for CORS (#4634) @DamianSawicki
  • fix SetupTimeoutConfig (#4630) @zirain
  • fix GatewayFrontendInvalidDefaultClientCertificateValidation test (#4629) @zirain
  • conformance: add v1.5.0 report for agentgateway (#4628) @howardjohn
  • Add 204 as a possible cors preflight response code (#4627) @jcmoraisjr
  • fix: improve GatewayMustHaveAttachedListeners log (#4623) @zirain
  • implement findings on gh actions (#4622) @rikatz
  • Fix for release artifact validation CI (#4620) @bexxmodd
  • fix: align short name (#4619) @zirain
  • fix: propagate context and fix defer leak in DumpEchoLogs (#4617) @samzong
  • tlsroute: allow FIN or RST instead of just RST (#4615) @howardjohn
  • cleanup: update GEPS to reflect release 1.5 (#4614) @snorwin
  • build(deps): bump actions/setup-go from 6.2.0 to 6.3.0 (#4611) @app/dependabot
  • conformance: add Amazon VPC Lattice Gateway API Controller v2.0.1 report (#4610) @abdallahmahran10
  • docs: Update site-docs for 1.5 (#4609) @kflynn
  • conformance: add v1.4.1 agentgateway (#4606) @howardjohn
  • safe-upgrade: allow installing experimental when no current CRD is in… (#4603) @howardjohn
  • mark promoted features on GEP lists (#4601) @rikatz
  • docs: add total column to conformance reports (#4597) @howardjohn
  • docs: prevent patch releases from invalidating conformance reports. (#4596) @howardjohn
  • Update CEL validation of allowOrigins (#4594) @DamianSawicki
  • fix: Remove missing namespace in example manifests (#4591) @davidjumani
  • fix: Update listener set programmed conditions (#4586) @davidjumani
  • Controller matching wizard (#4584) @bexxmodd
  • TLSRoute: Add conformance tests for connection rejection (#4583) @rostislavbobo
  • Update CORS docs for Standard graduation (#4579) @DamianSawicki
  • build(deps): bump sigs.k8s.io/controller-tools from 0.20.0 to 0.20.1 in /tools in the k8s-io group across 1 directory (#4577) @app/dependabot
  • build(deps): bump the mkdocs-deps group in /hack/mkdocs/image with 2 updates (#4575) @app/dependabot
  • build(deps): bump actions/setup-go from 6.1.0 to 6.2.0 (#4574) @app/dependabot
  • bump lychee and fix local links (#4573) @rikatz
  • Bumping API approval link for v1.5 (#4572) @robscott
  • conformance: tune and allow configuring polling interval (#4570) @howardjohn
  • docs: Add documentation for ListenerSets (#4568) @davidjumani
  • Add missing IgnoreWhitespace: true (#4567) @DamianSawicki
  • TLSRoute: Use v1 for conformance tests (#4566) @rostislavbobo
  • remove copyright years after 2025 (#4562) @LiorLieberman
  • Misc v1.5.0 conformance improvements (#4560) @howardjohn
  • Create TLSRoute documentation (#4558) @rikatz
  • fix: enable safe-upgrades VAP to permit upgrades of experimental CRDs (#4557) @snorwin
  • Docs gep 3155 (#4553) @kl52752
  • Documentation for GEP-91 Client Certificate Validation Configuration (#4552) @kl52752
  • fix: use omitzero instead of omitempty for supportedKinds to ensure backward compatibility (#4551) @snorwin
  • cleanup: fix typo (#4546) @snorwin
  • cleanup: align types for listener ResolvedRefs condition reason (#4543) @snorwin
  • CORS conformance fixes regarding credentials and wildcards (#4542) @DamianSawicki
  • Creates a consts for common values in conformance (#4541) @carmal891
  • fix: FailFast should return when test failed (#4540) @zirain
  • Update docs about cert-manager (#4539) @adrianmoisey
  • build(deps): bump the k8s-io group across 4 directories with 5 updates (#4537) @app/dependabot
  • VAP for release v1.5 (#4533) @robscott
  • [main] Promote client-certificate validation features to Standard (#4532) @k8s-infra-cherrypick-robot
  • Add script to verify release artifacts. (#4527) @bexxmodd
  • Update conformance report for Envoy-Gateway v1.7.0 (#4525) @jukie
  • promote CORS to standard (#4521) @rikatz
  • Add Hostname concept and explanation document (#4516) @youngnick
  • Finalize CORS gep adjustments (#4515) @rikatz
  • conformance: Re-add ListenerSetAllowedRoutesSupportedKinds (#4512) @davidjumani
  • TLSRoute: Add conformance test for with nonexistent BackendRef (#4507) @rostislavbobo
  • CORS: HTTPCORSFilter and GEP 1767 clean-ups (#4506) @DamianSawicki
  • TLSRoute: Add conformance test for with Invalid BackendRef Kind (#4504) @rostislavbobo
  • docs: Add "When to Use GRPCRoute" section to GRPCRoute API types doc (#4502) @kahirokunn
  • build(deps): bump actions/setup-go from 6.1.0 to 6.2.0 (#4501) @app/dependabot
  • build(deps): bump actions/checkout from 6.0.1 to 6.0.2 (#4500) @app/dependabot
  • ListenerSet: Promote to standard (#4499) @davidjumani
  • Quote start in CORS GEP (#4498) @Stevenjin8
  • Promote GEP-91 Client Certificate Validation for TLS terminating at t… (#4496) @kl52752
  • bump libraries manually before RC (#4495) @rikatz
  • conformance test: CORS (#4494) @rikatz
  • Promote GEP-3155 Certificate selection when Gateways originate TLS (#4489) @kl52752
  • TLSRoute: Add conformance test TCPRoute being invalide for TLS listener (#4487) @rostislavbobo
  • Use TCPServer for TLSRoute tests instead of MQTT (#4485) @rikatz
  • fix: HTTPRoute redirect test (#4484) @zirain
  • Implement TCPServer for tests (#4483) @rikatz
  • conformance: support fail fast (#4479) @zirain
  • Drop HotMigration feature from ListenerSet (#4477) @dprotaso
  • conformance: invalid default client certificate validation config (#4476) @kl52752
  • Add conformance for tlsroute mixed listeners (#4475) @rikatz
  • Gravitee Kubernetes Operator 4.10.3 conformance report for 1.4.0 (#4474) @a-cordier
  • conformance: follow-up on TLSRoute TLSRoute rejection conformance tests (#4473) @rostislavbobo
  • docs: add white and black logo variants (#4472) @snorwin
  • build(deps): bump pymdown-extensions from 10.20 to 10.20.1 in /hack/mkdocs/image in the mkdocs-deps group (#4470) @app/dependabot
  • Conformance report for NGINX Gateway Fabric 2.4.0 (#4469) @bjee19
  • conformance: client certificate AllowInsecureFallback validation mode tests (#4468) @snorwin
  • Fix inconsistencies on TLSRoute GEP feature names (#4467) @rikatz
  • fix redirect for the old security-model link (#4465) @rikatz
  • cleanup: simplify client certificate handling in test machinery (#4463) @snorwin
  • Update KAL and fix new findings (#4461) @rikatz
  • Remove broken link from security guide (#4460) @rikatz
  • fix: update pattern for ...
Read more

v1.5.1

Choose a tag to compare

@bexxmodd bexxmodd released this 14 Mar 00:51
e7677b7

Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.

Gateway API v1.5.1

Major Changes Since v1.5.0

GEP

  • Updates the documentation around the ListenerConditionConflicted condition (#4669, @davidjumani)

Conformance

  • Limit HTTPRouteHTTPSListenerDetectMisdirectedRequests to h2 only (#4665, @zirain)
  • Fix conformance test not working on IPv6 (#4646, @zirain)
  • The conflicted=false condition is not required anymore in the listener status for non-conflicted listeners. (#4664, @zhaohuabing)
  • Updated the TLSRoute conformance tests to allow FINs where previously RST was asserted (#4624, @howardjohn)

What's Changed

Full Changelog: v1.5.0...v1.5.1

v1.5.0

Choose a tag to compare

@kflynn kflynn released this 27 Feb 02:57
3797b63

Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.

Gateway API v1.5.0

Major Changes Since v1.4.1

Breaking Changes

TLSRoute v1alpha2 and XListenerSet

TLSRoute and ListenerSet have graduated to the Standard channel as v1. In 1.5.0, TLSRoute v1alpha2 is present only in the Experimental channel; in 1.6, it will be removed from the Experimental channel too.

Additionally, note that TLSRoute's CEL validation requires Kubernetes 1.31 or higher.

Upgrades and ValidatingAdmissionPolicy

Gateway API 1.5 introduces a validating admission policy (VAP) called safe-upgrades.gateway.networking.k8s.io to guard against two specific concerns:

  • It prevents installing Experimental CRDs once you've installed Standard CRDs.
  • It prevents downgrading to a version prior to 1.5 after you've installed Gateway API 1.5.

These actions can't be known to be safe without detailed knowledge about your application and users. If you need to perform them, delete the safe-upgrades.gateway.networking.k8s.io VAP first.

New Features

In this release, the following major features are moving to the Standard channel and are now considered generally available:

Additionally, the ReferenceGrant resource is moving to v1.

Experimental

  • Gateway/HTTPRoute level authentication (GEP-1494)

Full Changelog

Full Changelog: v1.4.1...v1.5.0

Dependencies

Added

  • github.com/Masterminds/semver/v3: v3.4.0
  • github.com/chzyer/readline: v1.5.1
  • github.com/gkampitakis/ciinfo: v0.3.2
  • github.com/gkampitakis/go-diff: v1.3.2
  • github.com/gkampitakis/go-snaps: v0.5.15
  • github.com/ianlancetaylor/demangle: f615e6b
  • github.com/joshdk/go-junit: v1.0.0
  • github.com/maruel/natural: v1.1.1
  • github.com/mfridman/tparse: v0.18.0
  • github.com/tidwall/gjson: v1.18.0
  • github.com/tidwall/match: v1.1.1
  • github.com/tidwall/pretty: v1.2.1
  • github.com/tidwall/sjson: v1.2.5

Changed

  • cloud.google.com/go/compute/metadata: v0.7.0 → v0.9.0
  • github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: v1.29.0 → v1.30.0
  • github.com/cncf/xds/go: 2ac532f → 0feb691
  • github.com/envoyproxy/go-control-plane/envoy: v1.32.4 → v1.35.0
  • github.com/envoyproxy/go-control-plane: v0.13.4 → 75eaa19
  • github.com/go-jose/go-jose/v4: v4.1.1 → v4.1.3
  • github.com/google/pprof: d1b30fe → 294ebfa
  • github.com/mailru/easyjson: v0.9.0 → v0.9.1
  • github.com/miekg/dns: v1.1.68 → v1.1.72
  • github.com/onsi/ginkgo/v2: v2.22.0 → v2.28.0
  • github.com/onsi/gomega: v1.38.1 → v1.39.1
  • github.com/prometheus/client_golang: v1.23.0 → v1.23.2
  • github.com/prometheus/common: v0.65.0 → v0.66.1
  • github.com/prometheus/procfs: v0.17.0 → v0.19.2
  • github.com/rogpeppe/go-internal: v1.13.1 → v1.14.1
  • github.com/spf13/cobra: v1.9.1 → v1.10.2
  • github.com/spf13/pflag: v1.0.7 → v1.0.10
  • github.com/spiffe/go-spiffe/v2: v2.5.0 → v2.6.0
  • github.com/stretchr/testify: v1.11.0 → v1.11.1
  • go.etcd.io/bbolt: v1.4.2 → v1.4.3
  • go.etcd.io/etcd/api/v3: v3.6.4 → v3.6.5
  • go.etcd.io/etcd/client/pkg/v3: v3.6.4 → v3.6.5
  • go.etcd.io/etcd/client/v3: v3.6.4 → v3.6.5
  • go.etcd.io/etcd/pkg/v3: v3.6.4 → v3.6.5
  • go.etcd.io/etcd/server/v3: v3.6.4 → v3.6.5
  • go.opentelemetry.io/auto/sdk: v1.1.0 → v1.2.1
  • go.opentelemetry.io/contrib/detectors/gcp: v1.36.0 → v1.38.0
  • go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.58.0 → v0.61.0
  • go.opentelemetry.io/otel/metric: v1.37.0 → v1.38.0
  • go.opentelemetry.io/otel/sdk/metric: v1.37.0 → v1.38.0
  • go.opentelemetry.io/otel/sdk: v1.37.0 → v1.38.0
  • go.opentelemetry.io/otel/trace: v1.37.0 → v1.38.0
  • go.opentelemetry.io/otel: v1.37.0 → v1.38.0
  • go.opentelemetry.io/proto/otlp: v1.5.0 → v1.7.0
  • go.uber.org/zap: v1.27.0 → v1.27.1
  • go.yaml.in/yaml/v2: v2.4.2 → v2.4.3
  • golang.org/x/crypto: v0.41.0 → v0.47.0
  • golang.org/x/mod: v0.27.0 → v0.32.0
  • golang.org/x/net: v0.43.0 → v0.49.0
  • golang.org/x/oauth2: v0.30.0 → v0.34.0
  • golang.org/x/sync: v0.16.0 → v0.19.0
  • golang.org/x/sys: v0.35.0 → v0.40.0
  • golang.org/x/telemetry: 1a19826 → bd525da
  • golang.org/x/term: v0.34.0 → v0.39.0
  • golang.org/x/text: v0.28.0 → v0.33.0
  • golang.org/x/time: v0.12.0 → v0.14.0
  • golang.org/x/tools: v0.36.0 → v0.41.0
  • google.golang.org/genproto/googleapis/api: 8d1bb00 → ab9386a
  • google.golang.org/genproto/googleapis/rpc: ef028d9 → ab9386a
  • google.golang.org/grpc: v1.75.1 → v1.78.0
  • google.golang.org/protobuf: v1.36.8 → v1.36.11
  • k8s.io/api: v0.34.1 → v0.35.1
  • k8s.io/apiextensions-apiserver: v0.34.1 → v0.35.1
  • k8s.io/apimachinery: v0.34.1 → v0.35.1
  • k8s.io/apiserver: v0.34.1 → v0.35.1
  • k8s.io/client-go: v0.34.1 → v0.35.1
  • k8s.io/code-generator: v0.34.1 → v0.35.1
  • k8s.io/component-base: v0.34.1 → v0.35.1
  • k8s.io/gengo/v2: c297c0c → ec3ebc5
  • k8s.io/kms: v0.34.1 → v0.35.1
  • k8s.io/kube-openapi: d7b6acb → 589584f
  • k8s.io/utils: 0af2bda → 914a6e7
  • sigs.k8s.io/controller-runtime: v0.22.1 → v0.23.1
  • sigs.k8s.io/controller-tools: v0.19.0 → v0.20.1
  • sigs.k8s.io/structured-merge-diff/v6: v6.3.0 → v6.3.2

Removed

  • github.com/kisielk/errcheck: v1.5.0
  • github.com/kisielk/gotool: v1.0.0
  • github.com/pkg/errors: v0.9.1
  • github.com/zeebo/errs: v1.4.0
  • golang.org/x/xerrors: 5ec99f8

v1.5.0-rc.3

v1.5.0-rc.3 Pre-release
Pre-release

Choose a tag to compare

@bexxmodd bexxmodd released this 26 Feb 14:35
95af031

Note: This is a release candidate for v1.5.0. If while testing and running conformance for this release candidate you run into any problems, please send your feedback here (and feel free to create an issue as well)!

Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.

Changes Since v1.5.0-rc.2

  • Fixed an issue where the ValidatingAdmissionPolicy prevented experimental CRDs from being installed at all (instead of only when standard CRDs already exist). (#4604 @howardjohn)

What's Changed

Full Changelog: v1.5.0-rc.2...v1.5.0-rc.3

v1.5.0-rc.2

v1.5.0-rc.2 Pre-release
Pre-release

Choose a tag to compare

@kflynn kflynn released this 25 Feb 02:57
488006c

Note: This is a release candidate for v1.5.0. If while testing and running conformance for this release candidate you run into any problems, please send your feedback here (and feel free to create an issue as well)!

Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.

Changes Since v1.5.0-rc.1

  • CORS Origin values are now validated by CEL to disallow unsupported values in the host portion (#4595, @DamianSawicki -- see discussion in #3648)
  • Fixed the safe-upgrades ValidatingAdmissionPolicy to allow upgrades of experimental CRDs (#4578, @snorwin)
  • Replace omitempty with omitzero for supportedKinds in ListenerStatus to preserve backward compatibility for controllers reconciling older Gateway API versions. (#4556, @snorwin)
  • Add the missing ListenersNotValid programmed reason for listenerSets (#4589, @davidjumani)
  • The default polling interval for conformance tests has been decreased. This can be modified by the new DefaultPollInterval. (#4599, @howardjohn)

What's Changed

Full Changelog: v1.5.0-rc.1...v1.5.0-rc.2

v1.5.0-rc.1

v1.5.0-rc.1 Pre-release
Pre-release

Choose a tag to compare

@youngnick youngnick released this 13 Feb 04:43
a9b501b

Note: This is a release candidate for v1.5.0. If while testing and running conformance for this release candidate you run into any problems, please send your feedback here (and feel free to create an issue as well)!

Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.

Major Changes Since v1.4.1

Breaking Changes

TLSRoute v1alpha2 and XListenerSet

Since TLSRoute and ListenerSet have graduated to the Standard channel, TLSRoute v1alpha2 and XListenerSet are no longer included in the Experimental channel.

Additionally, note that TLSRoute's CEL validation requires Kubernetes 1.31 or higher.

Upgrades and ValidatingAdmissionPolicy

Gateway API 1.5 introduces a validating admission policy (VAP) called safe-upgrades.gateway.networking.k8s.io to guard against two specific concerns:

  • It prevents installing Experimental CRDs once you've installed Standard CRDs.
  • It prevents downgrading to a version prior to 1.5 after you've installed Gateway API 1.5.

These actions can't be known to be safe without detailed knowledge about your application and users. If you need to perform them, delete the safe-upgrades.gateway.networking.k8s.io VAP first.

New Features

In this release, the following major features are moving to the Standard channel and are now considered generally available:

Additionally, the ReferenceGrant resource is moving to v1.

Experimental

  • Gateway/HTTPRoute level authentication (GEP-1494)

Changes by Kind

Test

  • Add conformance test to check that only Accepted Routes are considered as attachedRoute on Gateway status (#4362, @davidesalerno)
  • Added conformance tests for invalid backend TLS configurations and the Gateway ResolvedRefs condition (#4389, @snorwin)
  • Adds a conformance test for BackendTLSPolicy so that when a ConfigMap contents are changed, it should be reconciled by the controller. (#4360, @Thealisyed)

GEPs

  • Adding initial conformance tests for XListenerSets (#3890, @davidjumani)
  • Adds the AttachedListeners conditions to the Gateway status which is the count of successful ListenerSet attachments to the gateway (#4211, @davidjumani)
  • Allow only static port ports for listenerSets (#4426, @davidjumani)
  • Fix the description of what conditions count as a valid attachedRoute on Gateway status (#4341, @davidesalerno)
  • TLSRoute gep creation (#4064, @rikatz)

Feature

  • Adds TLS mode validation for TLS protocol on ListenerSet Listener. (#4451, @rostislavbobo)
  • Allow implementation-specific values for wellKnownCACertificates in BackendTLSPolicy (#4401, @snorwin)
  • Promote ReferenceGrant to v1 (#4458, @rikatz)
  • Support for client certificate validation for TLS terminating at the Gateway is now in Standard (#4496, @kl52752)
  • Support for defining Gateway client certificate when Gateways originate TLS connection to Backends is now in Standard. (#4489, @kl52752)
  • TLSRoute has graduated to GA. We recommend using the "v1" API version with this API now. The "v1alpha2" and "v1alpha3" version of this API are deprecated and will be removed in the future. (#4439, @rostislavbobo)

Documentation

  • Added a "When to Use GRPCRoute" section to the GRPCRoute API types documentation, with guidance on when to use HTTPRoute vs GRPCRoute and for controller implementers. (#4502, @kahirokunn)
  • Adds the AttachedListeners conditions to the Gateway status for the GEP and details for ListenerSets conformance tests (#4205, @davidjumani)
  • Define a new Reason type for Listener's Condition status to reflect invalid Client Certificate Validation Configuration for Gateway. (#4443, @kl52752)
  • Updating versioning docs located at https://gateway-api.sigs.k8s.io/concepts/versioning/ (#4308, @bexxmodd)

Bug or Regression

  • Added minItems=1 validation to HTTPRoute.spec.rules to prevent creation of HTTPRoute resources without any rules. (#4301, @snorwin)
  • Only allow cookieConfig with type: Cookie (#4411, @LiorLieberman)

Other (Cleanup or Flake)

  • Remove TCPRoute support from TLS listeners (#4427, @rikatz)
  • Update the Gateway status to include AttachedListenerSets - the count of ListenerSets that have successfully attached to the gateway (#4358, @davidjumani)

Uncategorized

Dependencies

Added

  • github.com/Masterminds/semver/v3: v3.4.0
  • github.com/chzyer/readline: v1.5.1
  • github.com/gkampitakis/ciinfo: v0.3.2
  • github.com/gkampitakis/go-diff: v1.3.2
  • github.com/gkampitakis/go-snaps: v0.5.15
  • github.com/ianlancetaylor/demangle: f615e6b
  • github.com/joshdk/go-junit: v1.0.0
  • github.com/maruel/natural: v1.1.1
  • github.com/mfridman/tparse: v0.18.0
  • github.com/tidwall/gjson: v1.18.0
  • github.com/tidwall/match: v1.1.1
  • github.com/tidwall/pretty: v1.2.1
  • github.com/tidwall/sjson: v1.2.5

Changed

Read more