v1.5.1

Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.

Gateway API v1.5.1

Major Changes Since v1.5.0

GEP

• Updates the documentation around the ListenerConditionConflicted condition (#4669, @davidjumani)

Conformance

• Limit HTTPRouteHTTPSListenerDetectMisdirectedRequests to h2 only (#4665, @zirain)
• Fix conformance test not working on IPv6 (#4646, @zirain)
• The conflicted=false condition is not required anymore in the listener status for non-conflicted listeners. (#4664, @zhaohuabing)
• Updated the TLSRoute conformance tests to allow FINs where previously RST was asserted (#4624, @howardjohn)

What's Changed

• fix: D'oh. Got the full-changelog URL wrong. by @kflynn in #4608
• [release-1.5] tlsroute: allow FIN or RST instead of just RST by @k8s-infra-cherrypick-robot in #4624
• [release-1.5] fix SetupTimeoutConfig by @k8s-infra-cherrypick-robot in #4647
• [release-1.5] fix: use JoinHostPort by @zirain in #4646
• [release-1.5] Minute clean-ups in conformance tests for CORS by @k8s-infra-cherrypick-robot in #4652
• [release-1.5] fix: propagate context and fix defer leak in DumpEchoLogs by @k8s-infra-cherrypick-robot in #4625
• [release-1.5] Disallow repeaded CORS filters by CEL by @k8s-infra-cherrypick-robot in #4645
• [release-1.5] Add 204 as a possible cors preflight response code by @k8s-infra-cherrypick-robot in #4637
• [release-1.5] fix: improve GatewayMustHaveAttachedListeners log by @k8s-infra-cherrypick-robot in #4632
• [release-1.5] allow absent conflict condition for non-conflicted listeners by @k8s-infra-cherrypick-robot in #4664
• [release-1.5] update ListenerConditionConflicted condition docs by @k8s-infra-cherrypick-robot in #4669
• limit HTTPRouteHTTPSListenerDetectMisdirectedRequests to h2 only (#4665) by @zirain in #4667
• Patch 1.5.1 release. by @bexxmodd in #4685

Full Changelog: v1.5.0...v1.5.1

v1.5.0

Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.

Gateway API v1.5.0

Major Changes Since v1.4.1

Breaking Changes

TLSRoute v1alpha2 and XListenerSet

TLSRoute and ListenerSet have graduated to the Standard channel as v1. In 1.5.0, TLSRoute v1alpha2 is present only in the Experimental channel; in 1.6, it will be removed from the Experimental channel too.

Additionally, note that TLSRoute's CEL validation requires Kubernetes 1.31 or higher.

Upgrades and ValidatingAdmissionPolicy

Gateway API 1.5 introduces a validating admission policy (VAP) called safe-upgrades.gateway.networking.k8s.io to guard against two specific concerns:

• It prevents installing Experimental CRDs once you've installed Standard CRDs.
• It prevents downgrading to a version prior to 1.5 after you've installed Gateway API 1.5.

These actions can't be known to be safe without detailed knowledge about your application and users. If you need to perform them, delete the safe-upgrades.gateway.networking.k8s.io VAP first.

New Features

In this release, the following major features are moving to the Standard channel and are now considered generally available:

• Gateway Client Certificate validation (GEP-91, GEP-3567)
• Certificate selection for Gateway TLS origination (GEP-3155)
• ListenerSet support (GEP-1713)
• HTTPRoute CORS filter (GEP-1767)
• TLSRoute v1 (GEP-2643)

Additionally, the ReferenceGrant resource is moving to v1.

Experimental

• Gateway/HTTPRoute level authentication (GEP-1494)

Full Changelog

Full Changelog: v1.4.1...v1.5.0

Dependencies

Added

• github.com/Masterminds/semver/v3: v3.4.0
• github.com/chzyer/readline: v1.5.1
• github.com/gkampitakis/ciinfo: v0.3.2
• github.com/gkampitakis/go-diff: v1.3.2
• github.com/gkampitakis/go-snaps: v0.5.15
• github.com/ianlancetaylor/demangle: f615e6b
• github.com/joshdk/go-junit: v1.0.0
• github.com/maruel/natural: v1.1.1
• github.com/mfridman/tparse: v0.18.0
• github.com/tidwall/gjson: v1.18.0
• github.com/tidwall/match: v1.1.1
• github.com/tidwall/pretty: v1.2.1
• github.com/tidwall/sjson: v1.2.5

Changed

• cloud.google.com/go/compute/metadata: v0.7.0 → v0.9.0
• github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: v1.29.0 → v1.30.0
• github.com/cncf/xds/go: 2ac532f → 0feb691
• github.com/envoyproxy/go-control-plane/envoy: v1.32.4 → v1.35.0
• github.com/envoyproxy/go-control-plane: v0.13.4 → 75eaa19
• github.com/go-jose/go-jose/v4: v4.1.1 → v4.1.3
• github.com/google/pprof: d1b30fe → 294ebfa
• github.com/mailru/easyjson: v0.9.0 → v0.9.1
• github.com/miekg/dns: v1.1.68 → v1.1.72
• github.com/onsi/ginkgo/v2: v2.22.0 → v2.28.0
• github.com/onsi/gomega: v1.38.1 → v1.39.1
• github.com/prometheus/client_golang: v1.23.0 → v1.23.2
• github.com/prometheus/common: v0.65.0 → v0.66.1
• github.com/prometheus/procfs: v0.17.0 → v0.19.2
• github.com/rogpeppe/go-internal: v1.13.1 → v1.14.1
• github.com/spf13/cobra: v1.9.1 → v1.10.2
• github.com/spf13/pflag: v1.0.7 → v1.0.10
• github.com/spiffe/go-spiffe/v2: v2.5.0 → v2.6.0
• github.com/stretchr/testify: v1.11.0 → v1.11.1
• go.etcd.io/bbolt: v1.4.2 → v1.4.3
• go.etcd.io/etcd/api/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/client/pkg/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/client/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/pkg/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/server/v3: v3.6.4 → v3.6.5
• go.opentelemetry.io/auto/sdk: v1.1.0 → v1.2.1
• go.opentelemetry.io/contrib/detectors/gcp: v1.36.0 → v1.38.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.58.0 → v0.61.0
• go.opentelemetry.io/otel/metric: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel/sdk/metric: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel/sdk: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel/trace: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel: v1.37.0 → v1.38.0
• go.opentelemetry.io/proto/otlp: v1.5.0 → v1.7.0
• go.uber.org/zap: v1.27.0 → v1.27.1
• go.yaml.in/yaml/v2: v2.4.2 → v2.4.3
• golang.org/x/crypto: v0.41.0 → v0.47.0
• golang.org/x/mod: v0.27.0 → v0.32.0
• golang.org/x/net: v0.43.0 → v0.49.0
• golang.org/x/oauth2: v0.30.0 → v0.34.0
• golang.org/x/sync: v0.16.0 → v0.19.0
• golang.org/x/sys: v0.35.0 → v0.40.0
• golang.org/x/telemetry: 1a19826 → bd525da
• golang.org/x/term: v0.34.0 → v0.39.0
• golang.org/x/text: v0.28.0 → v0.33.0
• golang.org/x/time: v0.12.0 → v0.14.0
• golang.org/x/tools: v0.36.0 → v0.41.0
• google.golang.org/genproto/googleapis/api: 8d1bb00 → ab9386a
• google.golang.org/genproto/googleapis/rpc: ef028d9 → ab9386a
• google.golang.org/grpc: v1.75.1 → v1.78.0
• google.golang.org/protobuf: v1.36.8 → v1.36.11
• k8s.io/api: v0.34.1 → v0.35.1
• k8s.io/apiextensions-apiserver: v0.34.1 → v0.35.1
• k8s.io/apimachinery: v0.34.1 → v0.35.1
• k8s.io/apiserver: v0.34.1 → v0.35.1
• k8s.io/client-go: v0.34.1 → v0.35.1
• k8s.io/code-generator: v0.34.1 → v0.35.1
• k8s.io/component-base: v0.34.1 → v0.35.1
• k8s.io/gengo/v2: c297c0c → ec3ebc5
• k8s.io/kms: v0.34.1 → v0.35.1
• k8s.io/kube-openapi: d7b6acb → 589584f
• k8s.io/utils: 0af2bda → 914a6e7
• sigs.k8s.io/controller-runtime: v0.22.1 → v0.23.1
• sigs.k8s.io/controller-tools: v0.19.0 → v0.20.1
• sigs.k8s.io/structured-merge-diff/v6: v6.3.0 → v6.3.2

Removed

• github.com/kisielk/errcheck: v1.5.0
• github.com/kisielk/gotool: v1.0.0
• github.com/pkg/errors: v0.9.1
• github.com/zeebo/errs: v1.4.0
• golang.org/x/xerrors: 5ec99f8

v1.5.0-rc.3

Note: This is a release candidate for v1.5.0. If while testing and running conformance for this release candidate you run into any problems, please send your feedback here (and feel free to create an issue as well)!

Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.

Changes Since v1.5.0-rc.2

• Fixed an issue where the ValidatingAdmissionPolicy prevented experimental CRDs from being installed at all (instead of only when standard CRDs already exist). (#4604 @howardjohn)

What's Changed

• [release-1.5] safe-upgrade: allow installing experimental when no current CRD is in… by @k8s-infra-cherrypick-robot in #4604

Full Changelog: v1.5.0-rc.2...v1.5.0-rc.3

v1.5.0-rc.2

Note: This is a release candidate for v1.5.0. If while testing and running conformance for this release candidate you run into any problems, please send your feedback here (and feel free to create an issue as well)!

Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.

Changes Since v1.5.0-rc.1

• CORS Origin values are now validated by CEL to disallow unsupported values in the host portion (#4595, @DamianSawicki -- see discussion in #3648)
• Fixed the safe-upgrades ValidatingAdmissionPolicy to allow upgrades of experimental CRDs (#4578, @snorwin)
• Replace omitempty with omitzero for supportedKinds in ListenerStatus to preserve backward compatibility for controllers reconciling older Gateway API versions. (#4556, @snorwin)
• Add the missing ListenersNotValid programmed reason for listenerSets (#4589, @davidjumani)
• The default polling interval for conformance tests has been decreased. This can be modified by the new DefaultPollInterval. (#4599, @howardjohn)

What's Changed

• [release-1.5] cleanup: fix typo by @k8s-infra-cherrypick-robot in #4550
• [release-1.5] cleanup: align types for listener ResolvedRefs condition reason by @k8s-infra-cherrypick-robot in #4554
• [release-1.5] build(deps): bump the k8s-io group across 4 directories with 5 updates by @k8s-infra-cherrypick-robot in #4548
• [release-1.5] CORS conformance fixes regarding credentials and wildcards by @k8s-infra-cherrypick-robot in #4547
• [release-1.5] fix: use omitzero instead of omitempty for supportedKinds to ensure backward compatibility by @k8s-infra-cherrypick-robot in #4556
• [release-1.5] remove copyright years after 2025 by @k8s-infra-cherrypick-robot in #4565
• [release-1.5] TLSRoute: Use v1 for conformance tests by @k8s-infra-cherrypick-robot in #4569
• [release-1.5] fix: FailFast should return when test failed by @k8s-infra-cherrypick-robot in #4549
• [release-1.5] Misc v1.5.0 conformance improvements by @k8s-infra-cherrypick-robot in #4563
• [release-1.5] conformance: client certificate AllowInsecureFallback validation mode tests by @k8s-infra-cherrypick-robot in #4564
• [release-1.5] Add missing IgnoreWhitespace: true by @k8s-infra-cherrypick-robot in #4590
• [release-1.5] fix: Update listener set programmed conditions by @k8s-infra-cherrypick-robot in #4589
• [release-1.5] Update CEL validation of allowOrigins by @k8s-infra-cherrypick-robot in #4595
• [release-1.5] fix: enable safe-upgrades VAP to permit upgrades of experimental CRDs by @snorwin in #4578
• [release-1.5] TLSRoute: Add conformance tests for connection rejection by @k8s-infra-cherrypick-robot in #4593
• [release-1.5] conformance: tune and allow configuring polling interval by @k8s-infra-cherrypick-robot in #4599
• CHANGELOG and version number updates for 1.5.0-rc.2 by @kflynn in #4600

Full Changelog: v1.5.0-rc.1...v1.5.0-rc.2

v1.5.0-rc.1

Note: This is a release candidate for v1.5.0. If while testing and running conformance for this release candidate you run into any problems, please send your feedback here (and feel free to create an issue as well)!

Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.

Major Changes Since v1.4.1

Breaking Changes

TLSRoute v1alpha2 and XListenerSet

Since TLSRoute and ListenerSet have graduated to the Standard channel, TLSRoute v1alpha2 and XListenerSet are no longer included in the Experimental channel.

Additionally, note that TLSRoute's CEL validation requires Kubernetes 1.31 or higher.

Upgrades and ValidatingAdmissionPolicy

Gateway API 1.5 introduces a validating admission policy (VAP) called safe-upgrades.gateway.networking.k8s.io to guard against two specific concerns:

• It prevents installing Experimental CRDs once you've installed Standard CRDs.
• It prevents downgrading to a version prior to 1.5 after you've installed Gateway API 1.5.

These actions can't be known to be safe without detailed knowledge about your application and users. If you need to perform them, delete the safe-upgrades.gateway.networking.k8s.io VAP first.

New Features

In this release, the following major features are moving to the Standard channel and are now considered generally available:

• Gateway Client Certificate validation (GEP-91, GEP-3567)
• Certificate selection for Gateway TLS origination (GEP-3155)
• ListenerSet support (GEP-1713)
• HTTPRoute CORS filter (GEP-1767)
• TLSRoute v1 (GEP-2643)

Additionally, the ReferenceGrant resource is moving to v1.

Experimental

• Gateway/HTTPRoute level authentication (GEP-1494)

Changes by Kind

Test

• Add conformance test to check that only Accepted Routes are considered as attachedRoute on Gateway status (#4362, @davidesalerno)
• Added conformance tests for invalid backend TLS configurations and the Gateway ResolvedRefs condition (#4389, @snorwin)
• Adds a conformance test for BackendTLSPolicy so that when a ConfigMap contents are changed, it should be reconciled by the controller. (#4360, @Thealisyed)

GEPs

• Adding initial conformance tests for XListenerSets (#3890, @davidjumani)
• Adds the AttachedListeners conditions to the Gateway status which is the count of successful ListenerSet attachments to the gateway (#4211, @davidjumani)
• Allow only static port ports for listenerSets (#4426, @davidjumani)
• Fix the description of what conditions count as a valid attachedRoute on Gateway status (#4341, @davidesalerno)
• TLSRoute gep creation (#4064, @rikatz)

Feature

• Adds TLS mode validation for TLS protocol on ListenerSet Listener. (#4451, @rostislavbobo)
• Allow implementation-specific values for wellKnownCACertificates in BackendTLSPolicy (#4401, @snorwin)
• Promote ReferenceGrant to v1 (#4458, @rikatz)
• Support for client certificate validation for TLS terminating at the Gateway is now in Standard (#4496, @kl52752)
• Support for defining Gateway client certificate when Gateways originate TLS connection to Backends is now in Standard. (#4489, @kl52752)
• TLSRoute has graduated to GA. We recommend using the "v1" API version with this API now. The "v1alpha2" and "v1alpha3" version of this API are deprecated and will be removed in the future. (#4439, @rostislavbobo)

Documentation

• Added a "When to Use GRPCRoute" section to the GRPCRoute API types documentation, with guidance on when to use HTTPRoute vs GRPCRoute and for controller implementers. (#4502, @kahirokunn)
• Adds the AttachedListeners conditions to the Gateway status for the GEP and details for ListenerSets conformance tests (#4205, @davidjumani)
• Define a new Reason type for Listener's Condition status to reflect invalid Client Certificate Validation Configuration for Gateway. (#4443, @kl52752)
• Updating versioning docs located at https://gateway-api.sigs.k8s.io/concepts/versioning/ (#4308, @bexxmodd)

Bug or Regression

• Added minItems=1 validation to HTTPRoute.spec.rules to prevent creation of HTTPRoute resources without any rules. (#4301, @snorwin)
• Only allow cookieConfig with type: Cookie (#4411, @LiorLieberman)

Other (Cleanup or Flake)

• Remove TCPRoute support from TLS listeners (#4427, @rikatz)
• Update the Gateway status to include AttachedListenerSets - the count of ListenerSets that have successfully attached to the gateway (#4358, @davidjumani)

Uncategorized

• Added conformance tests validating Gateway behavior for connection coalescing when SNI and Host headers do not match, including correct use of HTTP 421 for potentially misdirected requests. (#4364, @snorwin)
• Adds TLS mode validation for TLS protocol on Gateway Listener. (#4441, @rostislavbobo)
• Adds conformance tests for ListenerSets (#4445, @davidjumani)
• Https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v3.0.0 (#4453, @shuqz)
• Implement conformance test for CORS (#4494, @rikatz)
• Promote ListenerSet to standard (#4499, @davidjumani)

Dependencies

Added

• github.com/Masterminds/semver/v3: v3.4.0
• github.com/chzyer/readline: v1.5.1
• github.com/gkampitakis/ciinfo: v0.3.2
• github.com/gkampitakis/go-diff: v1.3.2
• github.com/gkampitakis/go-snaps: v0.5.15
• github.com/ianlancetaylor/demangle: f615e6b
• github.com/joshdk/go-junit: v1.0.0
• github.com/maruel/natural: v1.1.1
• github.com/mfridman/tparse: v0.18.0
• github.com/tidwall/gjson: v1.18.0
• github.com/tidwall/match: v1.1.1
• github.com/tidwall/pretty: v1.2.1
• github.com/tidwall/sjson: v1.2.5

Changed

• cloud.google.com/go/compute/metadata: v0.7.0 → v0.9.0
• github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: v1.29.0 → v1.30.0
• github.com/cncf/xds/go: 2ac532f → 0feb691
• github.com/envoyproxy/go-control-plane/envoy: v1.32.4 → v1.35.0
• github.com/envoyproxy/go-control-plane: v0.13.4 → 75eaa19
• github.com/go-jose/go-jose/v4: v4.1.1 → v4.1.3
• github.com/google/pprof: d1b30fe → 294ebfa
• github.com/mailru/easyjson: v0.9.0 → v0.9.1
• github.com/miekg/dns: v1.1.68 → v1.1.72
• github.com/onsi/ginkgo/v2: v2.22.0 → v2.28.0
• github.com/onsi/gomega: v1.38.1 → v1.39.1
• github.com/prometheus/client_golang: v1.23.0 → v1.23.2
• github.com/prometheus/common: v0.65.0 → v0.66.1
• github.com/prometheus/procfs: v0.17.0 → v0.19.2
• github.com/rogpeppe/go-internal: v1.13.1 → v1.14.1
• github.com/spf13/cobra: v1.9.1 → v1.10.2
• github.com/spf13/pflag: v1.0.7 → v1.0.10
• github.com/spiffe/go-spiffe/v2: v2.5.0 → v2.6.0
• github.com/stretchr/testify: v1.11.0 → v1.11.1
• go.etcd.io/bbolt: v1.4.2 → v1.4.3
• go.etcd.io/etcd/api/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/client/pkg/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/client/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/pkg/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/server/v3: v3.6.4 → v3.6.5
• go.opentelemetry.io/auto/sdk: v1.1.0 → v1.2.1
• go.opentelemetry.io/contrib/detectors/gcp: v1.36.0 → v1.38.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.58.0 → v0.61.0
• go.opentelemetry.io/otel/metric: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel/sdk/metric: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel/sdk: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel/trace: v1.37.0 → v1.38.0
• ...

monthly-2026.01

Gateway API monthly-2026.01 Release Notes

This is the monthly release for the Gateway API experimental channel for January 2026. This release includes the latest features and fixes from Gateway API's main branch.

Using this Release

• To install the CRDs for this release, use install monthly-2026.01-install.yaml:

  kubectl apply --server-side=true -f https://github.com/kubernetes-sigs/gateway-api/releases/download/monthly-2026.01/monthly-2026.01-install.yaml
  

• To build using this release in Go, include this release in your go.mod:

  require sigs.k8s.io/gateway-api monthly-2026.01
  

  and run go mod tidy. You'll find that monthly-2026.01 gets replaced by a Go pseudoversion; this is expected.

Cautions

N/A

Changes Summary

Bundle Version

• Updated bundle version from v1.4.0 to v1.4.1 across all experimental CRDs

Gateway API Enhancements

• Added attachedListenerSets field to Gateway status for tracking ListenerSet attachments
• Clarified AttachedRoutes counting logic to only include Routes with Accepted: true condition
• Updated BackendTLSPolicy documentation with expanded support level guidance

Documentation Improvements

• Fixed grammar and typos throughout CRD descriptions (e.g., "case sensitive" → "case-sensitive", "retryable" → "retriable")
• Improved clarity of namespace access error messages
• Enhanced ListenerSet attachment documentation with clearer conditions

Affected Resources

• BackendTLSPolicy, Gateway, GatewayClass, GRPCRoute, HTTPRoute, ReferenceGrant, TCPRoute, TLSRoute, UDPRoute
• XBackendTrafficPolicy, XListenerSet, XMesh

What's Changed

• Update External Auth GEP to be Experimental by @youngnick in #4297
• Optimize mesh (GRPC|HTTP)RouteWeight tests by @LiorLieberman in #4300
• Perform Implementations page review for v1.4 by @youngnick in #4238
• Fix GCL version with bugfix for git problem by @rikatz in #4313
• Fix incorrect spec change for Policy objects by @youngnick in #4304
• chore(1.4.1): CHANGELOG and version updates by @kflynn in #4317
• fix(build): build-install-yaml needs to tolerate $1 being unset. Oops. by @kflynn in #4319
• chore(1.4.1): Update README and guide for 1.4.1 by @kflynn in #4320
• conformance: normative test for backend client certificate in Gateway by @snorwin in #4119
• api: Update gateway status to include AttachedListeners by @davidjumani in #4211
• Add verbose flag to golangci-lint command by @LiorLieberman in #4311
• Add github actions update to dependabot by @rikatz in #4312
• Move GEPs out of ToC and re-add provisional by @rikatz in #4277
• conformance: Add Airlock Microgateway 4.8.0 report for v1.4.0 and v1.4.1 by @root30 in #4285
• Spelling by @jsoref in #4279
• Fix docs typos by @nurzhan-zhanuzak in #4328
• fix: target object status description by @guicassolato in #4275
• build(deps): bump pymdown-extensions from 10.17.2 to 10.18 in /hack/mkdocs/image in the mkdocs-deps group by @dependabot[bot] in #4331
• gep: refine CACertificateRefs description for frontend TLS by @snorwin in #4183
• Update the ListenerSet GEP per Kubecon discussions by @rikatz in #4286
• Adding more HTTPRoute guides by @robscott in #4326
• Adding ingress-nginx welcome guide along with new "getting started" section by @robscott in #4334
• build(deps): bump actions/checkout from 4.2.2 to 6.0.1 by @dependabot[bot] in #4323
• build(deps): bump actions/setup-go from 5.5.0 to 6.1.0 by @dependabot[bot] in #4324
• build(deps): bump the k8s-io group across 4 directories with 4 updates by @dependabot[bot] in #4325
• GEP-2643: TLSRoute by @rikatz in #4064
• build(deps): bump the mkdocs-deps group in /hack/mkdocs/image with 2 updates by @dependabot[bot] in #4352
• conformance: check ObservedGeneration of status conditions for HTTPRoutes, Gateways and Gatewayclasses with polling by @pmalek in #4339
• chore: add sigs.k8s.io to dependabot config by @rikatz in #4366
• build(deps): bump the mkdocs-deps group in /hack/mkdocs/image with 2 updates by @dependabot[bot] in #4367
• Conformance report for NGINX Gateway Fabric 2.3.0 by @sjberman in #4365
• build(deps): bump sigs.k8s.io/controller-runtime from 0.22.3 to 0.22.4 in /conformance by @dependabot[bot] in #4289
• implementations: update Azure Application Gateway for Containers badge by @ffurrer2 in #4343
• Clarify at least 3 implementations must upload their report to appear by @xtineskim in #4373
• Gravitee Kubernetes Operator 4.8.5 conformance report for 1.3.0 by @a-cordier in #4059
• 1.4.0 Conformance report for NGINX Gateway Fabric by @sjberman in #4372
• Update NGF conformance report by @sjberman in #4379
• Fix link to design goals in migrating-from-ingress.md by @JoeyC-Dev in #4380
• Add a link validator and fix broken links by @rikatz in #4363
• Fix AttachedRoutes documentation aligned to count only Accepted Routes by @davidesalerno in #4341
• Use correct link when mentioning conformance levels by @Stevenjin8 in #4391
• Clarify gep-1713 language to make it clear ListenerSet to Gateway is 1:1 by @zac-nixon in #4390
• build(deps): bump pymdown-extensions from 10.19.1 to 10.20 in /hack/mkdocs/image in the mkdocs-deps group by @dependabot[bot] in #4398
• Bump golangci-lint to the latest version (v2) by @erikgb in #4377
• docs: rename rogue listener.routes per ffd6005 by @cavcrosby in #4400
• BackendTLSPolicy GEP - add Implementation-specific behavior by @rikatz in #4381
• fix: add MinItems=1 validation to HTTPRoute rules by @snorwin in #4301
• submit 1.3 conformance report for aws lbc by @shuqz in #4384
• api: Update Gateway status to reflect changes to GEP-1713 by @davidjumani in #4358
• docs: add rikatz as maintainer by @shaneutt in #4403
• docs: fix typo in CONTRIBUTING.md and README.md by @kube-gopher in #4395

New Contributors

• @davidjumani made their first contribution in #4211
• @nurzhan-zhanuzak made their first contribution in #4328
• @ffurrer2 made their first contribution in #4343
• @a-cordier made their first contribution in #4059
• @JoeyC-Dev made their first contribution in #4380
• @davidesalerno made their first contribution in #4341
• @zac-nixon made their first contribution in #4390
• @cavcrosby made their first contribution in #4400
• @shuqz made their first contribution in #4384
• @kube-gopher made their first contribution in #4395

Full Changelog: monthly-2025.12...monthly-2026.01

v1.4.1

Warning: Regarding the Experimental CRDs - please note that the experimental CRDs for this release are too large for a standard kubectl apply. You may receive an error like metadata.annotations: Too long: may not be more than 262144 bytes. To work around this please use kubectl apply --server-side -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental-install.yaml. We're looking into ways to reduce the size for future releases to avoid this.

Note: The installation YAML originally published with this release on 2025-12-04 mistakenly included changes from PR 3823 in the Standard channel, and from PRs 3774, 3823, and 4158 in the Experimental channel. After discussion among the Gateway API maintainers, we decided that the changes were minor enough that it was safe to modify the YAML in-place, which we did on 2026-02-10. Apologies for the confusion!

Changes Since v1.4.0

BackendTLSPolicy

• BackendTLSPolicy supports only a single targetRef per policy while Gateway API works through edge cases around representing the status of multiple targetRefs in a single policy. This restriction is expected to be lifted in a future release. (#4316, #4298)
• SAN validation in BackendTLSPolicy is correctly marked as standard. (#4194)
• BackendTLSPolicy status is correctly marked as a subresource. (#4245)

Conformance

• Conformance tests for mesh routing with weights have been made faster. (#4315)
• BackendTLSPolicy conformance tests are included in the GATEWAY-HTTP profile. (#4223)

Thanks to

Ciara Stacke, Lior Lieberman, Nick Young, Norwin Schnyder, Ricardo Pchevuzinske Katz, and zirain

Full Changelog

Full Changelog: v1.4.0...v1.4.1

monthly-2025.12

Gateway API monthly-2025.12 Release Notes

This is the first of the monthly releases for the Gateway API experimental channel. These releases will be published monthly and include the latest features and fixes from Gateway API's main branch.

Using this Release

• To install the CRDs for this release, use install monthly-2025.12-install.yaml:

  kubectl apply --server-side=true -f https://github.com/kubernetes-sigs/gateway-api/releases/download/monthly-2025.12/monthly-2025.12-install.yaml
  

• To build using this release in Go, include this release in your go.mod:

  require sigs.k8s.io/gateway-api monthly-2025.12
  

  and run go mod tidy. You'll find that monthly-2025.12 gets replaced by a Go pseudoversion; this is expected.

Cautions

N/A

Changes

Gateway resource

• Add a ResolvedRefs condition to Gateway status to indicate that the object references for the Gateway that are not part of a specific Listener configuration were able to be resolved (#4195).

HTTPRoute resource

• Add support for HTTP 303 (See Other), 307 (Temporary Redirect), and 308 (Permanent Redirect) status codes in HTTPRoute redirect filters (#3823).

BackendTLSPolicy CRD

• Properly make status a subresource (#4242).
• Core conformance for BackendTLSPolicy allows only a single targetRef for now, while we sort out how to manage some edge cases in status (#4296)

Full Changelog: v1.4.0...monthly-2025.12

What's Changed

• v1.4.0-rc.2 by @shaneutt in #4130
• build(deps): bump golang.org/x/net from 0.43.0 to 0.44.0 by @dependabot[bot] in #4108
• build(deps): bump github.com/stretchr/testify from 1.11.0 to 1.11.1 by @dependabot[bot] in #4050
• Fix "Red Hat" spelling in implementation docs. by @coderbydesign in #3989
• Upload gke-gateway conformance report for v1.3.0 by @syw14 in #4122
• Adds a clean-generated target to remove stale generated files by @carmal891 in #4082
• Update GEP process docs with more details by @youngnick in #4109
• chore: merge in updates from release v1.4.0 by @shaneutt in #4146
• docs: add rikatz to OWNERS_ALIASES by @shaneutt in #4147
• docs: add provisional GEP for extending TLS Validation in BackendTLSPolicy by @snorwin in #4153
• Update implementations.md fix agentgateway broken link by @linsun in #4157
• Update CRD generator to handle errors encountered during generation. by @joshlreese in #4158
• Fix inconsistencies on TLSRoute documentation by @rikatz in #4139
• Add 307 / 308 Redirect Status Code Support by @davidwin93 in #3823
• build(deps): bump sigs.k8s.io/controller-runtime from 0.22.1 to 0.22.3 by @dependabot[bot] in #4169
• Improve apiref with experimental and ignored CRD description by @rikatz in #4132
• cleanup: fix mismatch of GEP status between index.md and metadata.yaml by @snorwin in #4176
• Docs: Adds CRD Install Workaround by @danehans in #4174
• Fix doc building and unreadable mermaid by @Stevenjin8 in #4179
• Fix CRD markers by @KillianGolds in #4178
• Use correct make rules for building docs in devguide by @Stevenjin8 in #4180
• Use go tools and reduce main go.mod by @rikatz in #4181
• build(deps): bump pyyaml from 6.0.2 to 6.0.3 in /hack/mkdocs/image by @dependabot[bot] in #4135
• Group mkdocs bumps by @rikatz in #4159
• build(deps): bump google.golang.org/grpc from 1.75.1 to 1.76.0 by @dependabot[bot] in #4167
• build(deps): bump golang.org/x/net from 0.44.0 to 0.46.0 by @dependabot[bot] in #4168
• build(deps): bump google.golang.org/protobuf from 1.36.8 to 1.36.10 by @dependabot[bot] in #4142
• build(deps): bump golang.org/x/tools from 0.36.0 to 0.38.0 by @dependabot[bot] in #4166
• build(deps): bump the mkdocs-deps group in /hack/mkdocs/image with 5 updates by @dependabot[bot] in #4189
• Docs: Update GEP-1294 to document ServiceImport as backendRef (#4185) by @kahirokunn in #4186
• gep: refine ClientCertificateRef description for backend TLS by @snorwin in #4123
• cleanup: Add missing BackendTLSPolicy GA reference and switch SAN validation feature to standard by @snorwin in #4191
• Add NGF conformance profiles for 2.2.0 release by @ciarams87 in #4197
• Rename GAMMA Leads to Mesh Leads in contributor ladder for clarity by @LiorLieberman in #4200
• Add kgw 1.4 conformance report by @timflannagan in #4202
• Add a docs team by @rikatz in #4203
• cleanup(docs): update docs to reflect BackendTLSPolicy GA by @snorwin in #4204
• Implement multi version for apiref by @rikatz in #4190
• build(deps): bump mkdocs-macros-plugin from 1.4.0 to 1.4.1 in /hack/mkdocs/image in the mkdocs-deps group by @dependabot[bot] in #4201
• features: Correct BackendTLSPolicyFeature godoc by @timflannagan in #4210
• conformance: Add Airlock Microgateway 4.8.0-alpha1 report for v1.4.0 by @root30 in #4208
• Fix that allows to --all-features and --exempt-features flags work together by @bexxmodd in #4149
• Fix the API ref links by @rikatz in #4215
• build(deps): bump mkdocs-material from 9.6.22 to 9.6.23 in /hack/mkdocs/image in the mkdocs-deps group by @dependabot[bot] in #4218
• Increase timeout in ExpectMirroredRequest by @kl52752 in #4206
• Submit conformance v1.4 API report for GKE Gateway by @kl52752 in #4214
• fix: add BackendTLSPolicy features to GATEWAY-HTTP profile by @snorwin in #4199
• Update v1.4 conformance report for Envoy Gateway by @zirain in #4216
• Fix gke-gateway conformance report 1.3 filename by @syw14 in #4221
• conformance: add Agentgateway and Istio report for v1.4.0 by @howardjohn in #4209
• GEP-713 enhancements by @guicassolato in #3609
• Add conformance report for Traefik Proxy by @kevinpollet in #4207
• Update Avi Kubernetes Operator (AKO) versions in the list of Gateway API implementations by @pkoshtavmware in #4226
• Conformance: Adds Port Response Header to Echo Server by @danehans in #4230
• docs: fix broken links by @zirain in #4217
• Fix link to 1.28.0 default report in README by @bexxmodd in #4232
• remove redundant one by @kl52752 in #4228
• Update Gateway API version badge by @nmengin in #4224
• docs: update godoc for BackendRef by @snorwin in #4155
• build(deps): bump golang.org/x/sync from 0.17.0 to 0.18.0 by @dependabot[bot] in #4236
• Conformance: Add Cilium conformance report for v1.4 by @xtineskim in #4233
• build(deps): update markdown requirement from ~=3.9 to ~=3.10 in /hack/mkdocs/image in the mkdocs-deps group by @dependabot[bot] in #4237
• build(deps): bump the...

v1.4.0

Warning: Regarding the Experimental CRDs - please note that the experimental CRDs for this release are too large for a standard kubectl apply. You may receive an error like metadata.annotations: Too long: may not be more than 262144 bytes. To work around this please use kubectl apply --server-side -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental-install.yaml. We're looking into ways to reduce the size for future releases to avoid this.

Major Changes since v1.3.0

Breaking Changes

Experimental CORS Support in HTTPRoute - Breaking Change for AllowCredentials Field

Users of the Experimental CORS AllowCredentials field can now specify false.
The underlying API specification type has changed from a enum of type boolean to
just a boolean, so users deploying HTTPRoutes via libraries and evaluating the
experimental CORS support will need to adjust for the change in types. Please
see #3895 for more details.

Standard GRPCRoute - Spec Field Required (Technicality)

This PR makes grpcroute.spec a required field. This is technically a
backward-incompatible change, as previously the field was unintentionally
treated as optional because we erroneously used omitempty on .spec (unlike
other APIs). Since the codebase didn't yet enforce explicit required markers,
that omitempty allowed a missing .spec.

Because .spec contains essential route configuration, omitting it renders a
GRPCRoute unusable and causes route implementation to fail, so we expect this
change will not have adverse effects, but wanted to call it out all the same.
Please see #3937 for more details.

GEPs

New Features

In this release, the following major features are moving to the Standard
channel and are now considered generally available:

• GEP-1897 BackendTLSPolicy - Configuration of TLS from the Gateway to Backends
• GEP-3164 SupportedFeatures - Status information about the features that an implementation supports.

In this release, we introduced the following new features are moving to the
Experimental channel, for implementations to evaluate:

• GEP-3949 Mesh Resource - Mesh-wide configuration and supported features.
• GEP-3793 Default Gateways - Allowing Gateways to program some routes by default.
• GEP-1494 HTTP External Auth - Enabling External Auth for HTTPRoute.

Other Iterations

• GEP-1897: standardizing behavior for invalid BackendTLSPolicy by @snorwin in #3909
• GEP-1897: describe TargetRefs conflict-resolution rules in BackendTLSPolicy by @snorwin in #4048
• GEP-2627: DNS Configuration - Initial Provisional PR by @maleck13 in #2712
• GEP-1713: Revisions by @dprotaso in #3744
• GEP 91: Update Goals and Prior Art by @arkodg in #3838
• GEP-91: Address connection coalescing security issue - API updates by @kl52752 in #3960 and #3942
• GEP-1494: Update gRPC Auth config by @youngnick in #4061
• GEP 3779: East/West Identity-Based Authorization by @LiorLieberman in #3822
• GEP-3792: Off-Cluster Gateways by @kflynn in #3851
• GEP-3798: Adding initial Provisional GEP for client ip based session persistence by @arihantg in #3844
• GEP-696: Update the possible states by @mlavacca in #3901
• TLSRoute: Require hostnames and bump version to v1alpha3 by @rostislavbobo in #3872
• TLSRoute: Require hostnames via +required by @rostislavbobo in #3918
• TLSRoute: Set MaxItems=1 for rules[] in v1alpha3 by @rostislavbobo in #3971
• Update Auth GEP with Implementable details by @youngnick in #3884
• add GRPCRouteExtendedFeatures to AllFeatures list by @skriss in #4046
• Allow preprepared CoreDNS image to be used by @aaronjwood in #3906
• Specify SAN validation precedence over Hostname validation by @kl52752 in #4039
• docs: move GEP-3798 to Deferred for now by @shaneutt in #3947

Bug or Regression

• The boolean "TrueField" introduced for CORS can cause generator issues by @shaneutt in #3895
• Mark grpcroutes spec as required by @rikatz in #3937

Administrative

• chore: remove inactive reviewers by @shaneutt in #3829
• Adding Lior to Mesh Leads by @robscott in #3877

Changes by Kind

API

HTTPRoute

In the Standard channel, we've now added a Name field to HTTPRouteRule
and HTTPRouteMatch.

Documentation

• Enable dark mode switch on docs by @rikatz in #3977
• docs: Add v1.3 conformance report table by @snorwin in #3810
• docs: Update HTTPRoute status example by @jonstacks in #3784
• Add time extensions to release management doc by @shaneutt in #3943
• Update implementations.md with removal policy by @youngnick in #3863
• TLSRoute: Hostnames godoc by @rostislavbobo in #3925
• Make feature name required for Experimental by @youngnick in #3859
• Support comparison of response protocol by @zirain in #3986
• docs: note about expectations when a gep misses a release timeline by @shaneutt in #3866

CI & Testing

• Enable Kubernetes API Linter by @rikatz in #3917
• Use envtest for CRD validation tests by @rikatz in #3948

Conformance Tests

• Add mesh conformance tests structure and a first test by @LiorLieberman in #3729
• Add mesh conformance tests for httproute redirect(s) by @LiorLieberman in #3777
• Improve feature name readability in conformance reports by @08volt in #3564
• conformance: add Hook in ConformanceTestSuite by @zirain in #3786
• add mesh conformance for request header modifier by @LiorLieberman in #3812
• add httproute weight based routing mesh conformance tests by @LiorLieberman in #3827
• Add mesh core conformance tests for httproute same-namespace attachment by @LiorLieberman in #3833
• add httproute matching conformance mesh by @LiorLieberman in #3831
• add mesh conformance for httproute-queryparmas-match by @LiorLieberman in #3834
• fix meshredirectport and schemeredirect mesh conformance features by @LiorLieberman in #3847
• Add body to http.Request and roundTripper.request to extend conformance testutil ability to send request with body. by @zetxqx in #3853
• Infer SupportedFeatures in Conformance Tests (GEP-2162) [#3759] by @bexxmodd in #3848
• Improve distribution tests in conformance for MeshHTTPRouteWeight by @carsontham in #3855
• feat(conformance): validate implementation flags by @mlavacca in #3715
• Issue 3138 - Conformance Tests for BackendTLSPolicy - normative by @candita in #3212
• Fix(conformance report) Add Skip test count in Conformance Report if RunTest is configured. by @zetxqx in #3966
• Add Conformance test for Invalid BackendTLSPolicy TLS settings by @kl52752 in #3930
• Improve distribution tests in conformance for HTTPRouteWeight by @carsontham in #3880
• BackendTLSPolicy conformance tests for observedGeneration bump by @snorwin in #3997...

v1.4.0-rc.2

Changes Since v1.4.0-rc.1

• Allow preprepared CoreDNS image to be used by @aaronjwood in #3906
• Update index.md field after moving BackendTLS struct by @kl52752 in #4041
• Issue 3940: Move BackendTLSPolicy to standard by @candita in #4074
• Add allowOrigins configuration to CORSAllowCredentialsBehavior and perform cleanup by @snorwin in #4094
• fix: fix validation and wording when making gateway spec addresses value optional by @bjee19 in #4084
• Fix broken link in TLS Configuration page by @4n86rakam1 in #4091
• Automate GEP TOC generation and validate by @rikatz in #4075
• conformance: fix per-test cleanup by @howardjohn in #4104
• Added flag for running mesh conformance suite and automatically inferring supported features from Mesh.Status by @bexxmodd in #4097
• Fixed couple of typos in conformance tests. by @bexxmodd in #4106
• Issue 3940: Update BackendTLSPolicy GEP to move to standard by @candita in #4099
• Removing experimental annotation from SupportedFeatures in GWC Status. by @bexxmodd in #4115
• conformance: fix invalid BackendTLSPolicy conformance test by @howardjohn in #4105
• fix: use inferred supported features to set extendedSupportedFeatures by @snorwin in #4113
• conformance: make backend TLS tests IPv6-safe by @howardjohn in #4120
• concepts/tooling.md: Add Headlamp tool by @illume in #4083
• docs: update implements page by @zirain in #3996
• Fix broken link in TLS Configuration page by @4n86rakam1 in #4091

New Contributors

• @aaronjwood made their first contribution in #3906
• @illume made their first contribution in #4083
• @4n86rakam1 made their first contribution in #4091

Full Changelog

Full Changelog: v1.4.0-rc.1...v1.4.0-rc2