v1.6.0-rc.1

Major Changes Since v1.5.1

GEP & API Graduation

• UDPRoute & TCPRoute Graduation:
  • UDPRoute has graduated to GA. We recommend using the "v1" API version with this API now. The "v1alpha2" version of this API is deprecated and will be removed in the future. (#4923, @zac-nixon)
  • TCPRoute has graduated to GA. We recommend using the "v1" API version with this API now. The "v1alpha2" version of this API is deprecated and will be removed in the future. (#4920, @zac-nixon)
• GEP Status Updates:
  • Add GEP for the XBackend resource into Experimental status (#4488, @keithmattix)
  • Move TCPRoute GEP to Standard (#4878, @rikatz)
  • Move UDPRoute GEP to Standard (#4879, @rikatz)
  • TCPRoute GEP (#4783, @zac-nixon)

Feature

• API & Validation Enhancements:
  • API validation updated for HTTPRoute retries: retry.codes must now be unique and retry.attempts must be >= 1. (#4907, @snorwin)
  • Increase the number of allowed Certificate Authority references from 8 to 16. (#4088, @root30)
  • The TLSRoute CRD validation has been adjusted to allow up to 4096 hostnames and rules per TLSRoute resource. Operators must validate kube-apiserver, etcd and Gateway controller behavior with representative manifests prior to enabling the new limit in production. (#4332, @alexanderstephan)
  • BackendTLSPolicy now can be used in combination with other routes types. (#4745, @rikatz)
  • Allow the usage of up to 16 annotations on the gateway infrastructure object. (#4707, @wenisman)
• Graduations:
  • CORS filter is now part of the standard channel. (#4521, @rikatz)
• ValidatingAdmissionPolicy (VAP):
  • Adds a VAP that prohibits:
    • Installation of experimental CRDs on top of standard channel CRDs (within the same API group).
    • Installation of monthly releases.
    • Installation of older releases. (#4533, @robscott)
• Conformance Infrastructure:
  • Added conformance tests for UDPRoute (GEP-2645), a new GATEWAY-UDP conformance profile, a SupportTCPRoute feature, and a UDP/TCP echo server in echo-basic gated on UDP_ECHO_SERVER. (#4861, @zac-nixon)
• Remove the idleTimeout field from the experimental SessionPersistence API. (#4771, @gcs278)

Documentation

• Migration & Site Updates:
  • Migrate documentation from MkDocs to Docsy. (#4734, @iromanycheva-eng)
  • The new wizard should be available at https://gateway-api.sigs.k8s.io/wizard. (#4584, @bexxmodd)
• New Documentation:
  • Add documentation for TLSRoute. (#4558, @rikatz)
  • Adds documentation around ListenerSets. (#4568, @davidjumani)
• API Specs & Guidance Clarifications:
  • Add missing apidoc for BackendTLSPolicy extended support. (#4828, @rikatz)
  • Add the missing ListenersNotValid programmed reason for listenerSets. (#4586, @davidjumani)
  • Added documentation guidance recommending GRPCRoute for gRPC traffic. (#4513, @kahirokunn)
  • Clarified CORS API documentation to describe behavior based on allowCredentials instead of credentialed requests. (#4663, @snorwin)
  • Previously, implementations were required to reject GRPCRoute and HTTPRoutes on the same hostname (however, few implementations did this). Now, implementations may optionally do this, or allow them to coincide. (#4598, @howardjohn)
  • Updates the documentation around the ListenerConditionConflicted condition. (#4659, @davidjumani)
• Releases & Results:
  • Add AWS Load Balancer Controller conformance results for v1.5.0 Gateway API. (#4733, @zac-nixon)
• Fixes:
  • Grammar fix in docs for concepts/use cases. (#4798, @jkburges)

Bug or Regression

• IPv6 Support:
  • Fix GatewayFrontendClientCertificateValidationInsecureFallback, GatewayFrontendClientCertificateValidation, and GatewayFrontendInvalidDefaultClientCertificateValidation failing on IPv6 clusters. (#4636, @zirain)
  • Fix GatewayFrontendInvalidDefaultClientCertificateValidation failing on IPv6 clusters. (#4629, @zirain)
• ValidatingAdmissionPolicy (VAP) Fixes:
  • Fixed an issue where the ValidatingAdmissionPolicy prevented experimental CRDs from being installed at all (instead of only when standard CRDs already exist). (#4603, @howardjohn)
  • Fixed the safe-upgrades ValidatingAdmissionPolicy to allow upgrades of experimental CRDs. (#4557, @snorwin)
• CRD & Schema Validation:
  • Generated Gateway API CRD install manifests no longer include top-level CustomResourceDefinition status fields with invalid null values, fixing strict schema validation failures in tools such as kubeconform. (#4712, @MatteoFari)
  • Replace omitempty with omitzero for supportedKinds in ListenerStatus to preserve backward compatibility for controllers reconciling older Gateway API versions. (#4551, @snorwin)
• API & Validation Fixes:
  • It is disallowed to have repeated filters of type CORS. (#4639, @DamianSawicki)
  • Limit HTTPRouteHTTPSListenerDetectMisdirectedRequests to h2 only. (#4665, @zirain)
  • Make explicit call about resource names requiring to be RFC 1035 compliant. (#4787, @rikatz)
  • Make referencegrant.spec field required. (#4845, @bexxmodd)

Test & Conformance

• New Conformance Tests:
  • Add conformance test ListenerSetAllowedRoutesCrossNamespace which verifies that a ListenerSet only allows routes in its own namespace by default. (#4841, @asauber)
  • Added a conformance test covering the Gateway Accepted condition with reason ListenersNotValid and the Listener Accepted condition with reason UnsupportedProtocol. (#4807, @snorwin)
  • Added conformance test GatewayInvalidParametersRef that verifies a Gateway referencing an invalid parameters is rejected. (#4808, @snorwin)
  • Conformance: add ListenerSet tests for Route parentRef cases. (#4912, @asauber)
  • Implement conformance test for CORS. (#4494, @rikatz)
• Test Machinery & Framework Updates:
  • Conformance: ExpectMirroredRequest now starts its log window before the requests are sent, so mirrors are not missed on high-latency data planes. (#4952, @lexfrei)
  • The default polling interval for conformance tests has been decreased. This can be modified by the new DefaultPollInterval. (#4570, @howardjohn)
  • The gRPC conformance request helper no longer closes a caller-supplied (injected) Options.GRPCClient; it closes only the DefaultClient it creates internally. This lets implementations reuse a custom gRPC client across requests. (#4953, @lexfrei)
• Updates & Fixes to Existing Tests:
  • The conflicted=false condition is not required anymore in the listener status for non-conflicted listeners. (#4642, @zhaohuabing)
  • Fix TLSRoute conformance test to stop relying on self-signed certificates. (#4930, @rikatz)
  • Fixed MeshHTTPRoute307Redirect conformance test bug where the wrong manifest was used. (#4806, @jgreeer)
  • Update Gateway version to v1 in UDP conformance test. (#4722, @cnvergence)
  • Updated the TLSRoute conformance tests to allow FINs where previously RST was asserted. (#4615, @howardjohn)

What's Changed

• Update RELEASE.md by @kflynn in #4836
• Conformance report for NGINX Gateway Fabric 2.6.0 by @ciarams87 in #4837
• gep-4768: Standardized Telemetry API (provisional) by @gkhom in #4775
• docs: Add guidance preferring GRPCRoute for gRPC by @kahirokunn in #4513
• Increase TLSRoute hostnames limit from 16 to 1024 by @alexanderstephan in #4332
• build(deps): bump the non-k8s group across 2 directories with 1 update by @dependabot[bot] in #4838
• [gep-1713] ListenerSet: Fix typos and other inconsistencies by @dprotaso in #4824
• grpc: do not require unique hostnames with http by @howardjohn in #4598
• Add Ciilum conformance report for v1.5.1 by @youngnick in #4829
• Add conformance report for Varnish Gateway v0.20.0 by @perbu in #4831
• Enable golangci-lint modernize linter by @erikgb in #4821
• conformance: add cross-namespace ListenerSet AllowedRoutes test by @asauber in #4841
• [breaking change] Remove optional marker from ReferenceGrant.Spec by @bexxmodd in #4845
• Prevent arbitrary code execution hack scripts by @bexxmodd in #4846
• Fix Stored DOM XSS in Controller Wizard by @bexxmodd in #4848
• Migrate documentation from MkDocs to Docsy by @iromanycheva-eng in #4734
• Remove legacy mkdocs files by @rikatz in #4855
• add GEP 3965: Implementation-Specific Matches by @howardjohn in #4676
• fix wizard theme compatibility for dark mode by @bexxmodd in #4857
• build(deps): bump actions/setup-node from 4.1.0 to 6.4.0 by @dependabot[bot] in #4850
• Add verify-crdify script to detect breaking changes in CRDs by @ElenaZvereva in https://github.com/kubernetes-si...

monthly-2026.05

Gateway API monthly-2026.05 Release Notes

This is the monthly release for the Gateway API experimental channel for May 2026. This release includes the latest features and fixes from Gateway API's main branch.

Using this Release

To install the CRDs for this release, use install monthly-2026.05-install.yaml:

kubectl apply --server-side=true -f https://github.com/kubernetes-sigs/gateway-api/releases/download/monthly-2026.05/monthly-2026.05-install.yaml

To build using this release in Go, include this release in your go.mod:

require sigs.k8s.io/gateway-api monthly-2026.05

and run go mod tidy. You'll find that monthly-2026.05 gets replaced by a Go pseudoversion; this is expected.

Changes Summary

Full Changelog: monthly-2026.04...monthly-2026.05

Merged Pull Requests (monthly-2026.04 to monthly-2026.05)

• Add missing API doc for BackendTLSPolicy as union feature (#4828) @rikatz
• #4826 Fix inconsistencies in ListenerSet example (#4827) @vovtz
• fix: add j2_line_comment_prefix back to mkdocs configuration (#4822) @JoeyC-Dev
• Bump golangci-lint (and KAL) to support Go 1.26 (#4820) @erikgb
• Bump K8s dependencies to 1.36 (#4819) @erikgb
• PROVISIONAL: Backend GEP (#4818) @keithmattix
• test(conformance): add test for Gateway Accepted condition with InvalidParameters reason (#4808) @snorwin
• test(conformance): add tests for Gateway listener Accepted condition with UnsupportedProtocol reason (#4807) @snorwin
• Fix MeshHTTPRoute307Redirect conformance test (#4806) @jgreeer
• fix: drop GRPCRoute from supported kinds assertion as the test does not require to support them (#4805) @snorwin
• stop building arm64 images on preverify jobs (#4803) @rikatz
• Fix grammar/sentence (#4798) @jkburges
• docs: update ReferenceGrant API references to v1 (#4796) @JoeyC-Dev
• fix mismatched annotation (#4793) @davidxia
• Make conformance reports require just major and minor GW API versions (#4792) @rikatz
• Make explicit call about resource name restrictions (#4787) @rikatz
• build(deps): bump the mkdocs-deps group in /hack/mkdocs/image with 2 updates (#4784) @app/dependabot
• Fix Google Analytics custom events in Controller Matching Wizard (#4782) @iromanycheva-eng
• cleanup-test-resources option (#4776) @zhaohuabing
• GEP-1619: Remove idleTimeout from SessionPersistence API (#4771) @gcs278
• Add conformance report for agentgateway v1.1.0 (#4765) @howardjohn
• build(deps): bump the k8s-io group across 4 directories with 5 updates (#4761) @app/dependabot
• Update the bundle version for VAP and add it as a release step. (#4759) @bexxmodd
• Update HTTPRoute BackendRefs public docs to match API spec. (#4758) @briantkennedy
• conformance: Add reports for gloo-gateway (#4757) @davidjumani
• conformance: Add tests for omitted and empty backendRefs (#4750) @optix2000
• Specify the usage of BackendTLSPolicy as a union feature (#4745) @rikatz
• docs: better feature comparison table (#4744) @howardjohn
• build(deps): bump the mkdocs-deps group across 1 directory with 4 updates (#4742) @app/dependabot
• V1.5 Implementations page review (#4741) @youngnick
• conformance: make weight test 100x faster (#4740) @howardjohn
• Make monthly release action to be manually triggered with supplied tag. (#4736) @bexxmodd
• Add AWS Load Balancer Controller conformance results for v1.5.0 Gateway API (#4733) @zac-nixon
• manually bump dependencies (#4732) @rikatz
• start using images from registry.k8s.io (#4728) @upodroid
• build(deps): bump actions/setup-go from 6.3.0 to 6.4.0 (#4725) @app/dependabot
• conformance: update tests to use gatewayv1 APIs (#4722) @cnvergence
• Add Google Analytics loader and event tracking for wizard (#4721) @iromanycheva-eng
• EXP: UDPRoute (#4720) @zac-nixon
• Add gateway:util:excludeFromCRD comments for complex CEL validations (#4714) @AndrewCharlesHay
• generator: omit top-level CRD status from manifests (#4712) @MatteoFari
• Add well-known labels package for GEP-1762 (#4705) @carmal891
• docs: clarify RequestHeaderModifier set behavior (#4684) @ShaanveerS
• conformance: Move Inference Extension conformance helper functions to gateway-api/conformance (#4602) @ericdbishop
• Add session persistence conformance test plan (#4482) @salonichf5
• Define union features (#4452) @rikatz
• Issue-4087: Increase MaxItems for CACertificateRefs validation (#4088) @root30
• Add conformance report for Contour 1.33.0 and Gateway API 1.3.0 (#4076) @sunjayBhatia
• Mkdocs Migration Python CLI for #3860 (#3999) @RoseWrightdev

monthly-2026.04

Gateway API monthly-2026.04 Release Notes

This is the monthly release for the Gateway API experimental channel for April 2026. This release includes the latest features and fixes from Gateway API's main branch.

Using this Release

To install the CRDs for this release, use install monthly-2026.04-install.yaml:

kubectl apply --server-side=true -f https://github.com/kubernetes-sigs/gateway-api/releases/download/monthly-2026.04/monthly-2026.04-install.yaml

To build using this release in Go, include this release in your go.mod:

require sigs.k8s.io/gateway-api monthly-2026.04

and run go mod tidy. You'll find that monthly-2026.04 gets replaced by a Go pseudoversion; this is expected.

Changes Summary

Full Changelog: monthly-2026.01...monthly-2026.04

Merged Pull Requests (monthly-2026.01 to monthly-2026.04)

• Adding new reviewers along with some cleanup (#4730) @robscott
• Update NGINX Gateway Fabric conformance for 1.5 (#4718) @sjberman
• GatewayInfrastructure: use uncached client lookups (#4717) @howardjohn
• Add GKE Gateway conformance report for v1.5.0 (#4716) @szkaraddd
• Add report for v1.5.1 (#4715) @jukie
• docs: Include patch versions in wizard data and add v1.5 features (#4710) @snorwin
• Add NGF v2.5.0 pre-release conformance report (#4709) @sjberman
• Misc cleanup for v1.5 (#4708) @snorwin
• 2734 - update gateway infrastructure annotations to 16 (#4707) @wenisman
• conformance: Adds v1.5.1 Report for kgateway (#4703) @davidjumani
• update conformance report of gke-gateway for v1.4.0 (#4702) @szkaraddd
• Add v1.5.1 conformance report for Traefik Proxy (#4700) @kevinpollet
• build(deps): bump mkdocs-material from 9.7.5 to 9.7.6 in /hack/mkdocs/image in the mkdocs-deps group (#4696) @app/dependabot
• conformance: Add Airlock Microgateway 5.0.0 conformance reports (#4694) @tyxeron
• conformance: bump agentgateway to v1.0.0 (#4691) @howardjohn
• Add conformance reports for haproxy ingress (#4688) @jcmoraisjr
• build(deps): bump the non-k8s group across 1 directory with 4 updates (#4682) @app/dependabot
• build(deps): bump the mkdocs-deps group in /hack/mkdocs/image with 2 updates (#4681) @app/dependabot
• docs: fix mkdocs redirects warning (#4680) @Seo-yul
• Docs: Remove deprecated copy_on_write option (#4678) @Seo-yul
• conformance: fix ListenerSetAllowedRoutesSupportedKinds flaking (#4675) @howardjohn
• docs: Add feature names to guides and concepts pages (#4672) @robscott
• add a way to override timeout configs with a flag (#4671) @LiorLieberman
• limit HTTPRouteHTTPSListenerDetectMisdirectedRequests to h2 only (#4665) @zirain
• CORS: clarify API documentation and remove conformance tests for credentialed requests (#4663) @snorwin
• update ListenerConditionConflicted condition docs (#4659) @davidjumani
• docs: fix broken links from security-model rename (#4658) @pl4nty
• docs: remove 1.3 spec from nav (#4657) @pl4nty
• some formatting changes to wizard ui. (#4656) @bexxmodd
• align TLSRoute with hostname concept (#4650) @vinayakray19
• build(deps): bump the k8s-io group across 4 directories with 5 updates (#4644) @app/dependabot
• build(deps): bump the mkdocs-deps group across 1 directory with 2 updates (#4643) @app/dependabot
• allow absent conflict condition for non-conflicted listeners (#4642) @zhaohuabing
• conformance: add v1.4.1 report for Kong Operator v2.1.2 (#4640) @pmalek
• Disallow repeaded CORS filters by CEL (#4639) @DamianSawicki
• fix: fix typo error (#4638) @yuluo-yx
• fix: use JoinHostPort (#4636) @zirain
• Minute clean-ups in conformance tests for CORS (#4634) @DamianSawicki
• fix SetupTimeoutConfig (#4630) @zirain
• fix GatewayFrontendInvalidDefaultClientCertificateValidation test (#4629) @zirain
• conformance: add v1.5.0 report for agentgateway (#4628) @howardjohn
• Add 204 as a possible cors preflight response code (#4627) @jcmoraisjr
• fix: improve GatewayMustHaveAttachedListeners log (#4623) @zirain
• implement findings on gh actions (#4622) @rikatz
• Fix for release artifact validation CI (#4620) @bexxmodd
• fix: align short name (#4619) @zirain
• fix: propagate context and fix defer leak in DumpEchoLogs (#4617) @samzong
• tlsroute: allow FIN or RST instead of just RST (#4615) @howardjohn
• cleanup: update GEPS to reflect release 1.5 (#4614) @snorwin
• build(deps): bump actions/setup-go from 6.2.0 to 6.3.0 (#4611) @app/dependabot
• conformance: add Amazon VPC Lattice Gateway API Controller v2.0.1 report (#4610) @abdallahmahran10
• docs: Update site-docs for 1.5 (#4609) @kflynn
• conformance: add v1.4.1 agentgateway (#4606) @howardjohn
• safe-upgrade: allow installing experimental when no current CRD is in… (#4603) @howardjohn
• mark promoted features on GEP lists (#4601) @rikatz
• docs: add total column to conformance reports (#4597) @howardjohn
• docs: prevent patch releases from invalidating conformance reports. (#4596) @howardjohn
• Update CEL validation of allowOrigins (#4594) @DamianSawicki
• fix: Remove missing namespace in example manifests (#4591) @davidjumani
• fix: Update listener set programmed conditions (#4586) @davidjumani
• Controller matching wizard (#4584) @bexxmodd
• TLSRoute: Add conformance tests for connection rejection (#4583) @rostislavbobo
• Update CORS docs for Standard graduation (#4579) @DamianSawicki
• build(deps): bump sigs.k8s.io/controller-tools from 0.20.0 to 0.20.1 in /tools in the k8s-io group across 1 directory (#4577) @app/dependabot
• build(deps): bump the mkdocs-deps group in /hack/mkdocs/image with 2 updates (#4575) @app/dependabot
• build(deps): bump actions/setup-go from 6.1.0 to 6.2.0 (#4574) @app/dependabot
• bump lychee and fix local links (#4573) @rikatz
• Bumping API approval link for v1.5 (#4572) @robscott
• conformance: tune and allow configuring polling interval (#4570) @howardjohn
• docs: Add documentation for ListenerSets (#4568) @davidjumani
• Add missing IgnoreWhitespace: true (#4567) @DamianSawicki
• TLSRoute: Use v1 for conformance tests (#4566) @rostislavbobo
• remove copyright years after 2025 (#4562) @LiorLieberman
• Misc v1.5.0 conformance improvements (#4560) @howardjohn
• Create TLSRoute documentation (#4558) @rikatz
• fix: enable safe-upgrades VAP to permit upgrades of experimental CRDs (#4557) @snorwin
• Docs gep 3155 (#4553) @kl52752
• Documentation for GEP-91 Client Certificate Validation Configuration (#4552) @kl52752
• fix: use omitzero instead of omitempty for supportedKinds to ensure backward compatibility (#4551) @snorwin
• cleanup: fix typo (#4546) @snorwin
• cleanup: align types for listener ResolvedRefs condition reason (#4543) @snorwin
• CORS conformance fixes regarding credentials and wildcards (#4542) @DamianSawicki
• Creates a consts for common values in conformance (#4541) @carmal891
• fix: FailFast should return when test failed (#4540) @zirain
• Update docs about cert-manager (#4539) @adrianmoisey
• build(deps): bump the k8s-io group across 4 directories with 5 updates (#4537) @app/dependabot
• VAP for release v1.5 (#4533) @robscott
• [main] Promote client-certificate validation features to Standard (#4532) @k8s-infra-cherrypick-robot
• Add script to verify release artifacts. (#4527) @bexxmodd
• Update conformance report for Envoy-Gateway v1.7.0 (#4525) @jukie
• promote CORS to standard (#4521) @rikatz
• Add Hostname concept and explanation document (#4516) @youngnick
• Finalize CORS gep adjustments (#4515) @rikatz
• conformance: Re-add ListenerSetAllowedRoutesSupportedKinds (#4512) @davidjumani
• TLSRoute: Add conformance test for with nonexistent BackendRef (#4507) @rostislavbobo
• CORS: HTTPCORSFilter and GEP 1767 clean-ups (#4506) @DamianSawicki
• TLSRoute: Add conformance test for with Invalid BackendRef Kind (#4504) @rostislavbobo
• docs: Add "When to Use GRPCRoute" section to GRPCRoute API types doc (#4502) @kahirokunn
• build(deps): bump actions/setup-go from 6.1.0 to 6.2.0 (#4501) @app/dependabot
• build(deps): bump actions/checkout from 6.0.1 to 6.0.2 (#4500) @app/dependabot
• ListenerSet: Promote to standard (#4499) @davidjumani
• Quote start in CORS GEP (#4498) @Stevenjin8
• Promote GEP-91 Client Certificate Validation for TLS terminating at t… (#4496) @kl52752
• bump libraries manually before RC (#4495) @rikatz
• conformance test: CORS (#4494) @rikatz
• Promote GEP-3155 Certificate selection when Gateways originate TLS (#4489) @kl52752
• TLSRoute: Add conformance test TCPRoute being invalide for TLS listener (#4487) @rostislavbobo
• Use TCPServer for TLSRoute tests instead of MQTT (#4485) @rikatz
• fix: HTTPRoute redirect test (#4484) @zirain
• Implement TCPServer for tests (#4483) @rikatz
• conformance: support fail fast (#4479) @zirain
• Drop HotMigration feature from ListenerSet (#4477) @dprotaso
• conformance: invalid default client certificate validation config (#4476) @kl52752
• Add conformance for tlsroute mixed listeners (#4475) @rikatz
• Gravitee Kubernetes Operator 4.10.3 conformance report for 1.4.0 (#4474) @a-cordier
• conformance: follow-up on TLSRoute TLSRoute rejection conformance tests (#4473) @rostislavbobo
• docs: add white and black logo variants (#4472) @snorwin
• build(deps): bump pymdown-extensions from 10.20 to 10.20.1 in /hack/mkdocs/image in the mkdocs-deps group (#4470) @app/dependabot
• Conformance report for NGINX Gateway Fabric 2.4.0 (#4469) @bjee19
• conformance: client certificate AllowInsecureFallback validation mode tests (#4468) @snorwin
• Fix inconsistencies on TLSRoute GEP feature names (#4467) @rikatz
• fix redirect for the old security-model link (#4465) @rikatz
• cleanup: simplify client certificate handling in test machinery (#4463) @snorwin
• Update KAL and fix new findings (#4461) @rikatz
• Remove broken link from security guide (#4460) @rikatz
• fix: update pattern for ...

v1.5.1

Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.

Gateway API v1.5.1

Major Changes Since v1.5.0

GEP

• Updates the documentation around the ListenerConditionConflicted condition (#4669, @davidjumani)

Conformance

• Limit HTTPRouteHTTPSListenerDetectMisdirectedRequests to h2 only (#4665, @zirain)
• Fix conformance test not working on IPv6 (#4646, @zirain)
• The conflicted=false condition is not required anymore in the listener status for non-conflicted listeners. (#4664, @zhaohuabing)
• Updated the TLSRoute conformance tests to allow FINs where previously RST was asserted (#4624, @howardjohn)

What's Changed

• fix: D'oh. Got the full-changelog URL wrong. by @kflynn in #4608
• [release-1.5] tlsroute: allow FIN or RST instead of just RST by @k8s-infra-cherrypick-robot in #4624
• [release-1.5] fix SetupTimeoutConfig by @k8s-infra-cherrypick-robot in #4647
• [release-1.5] fix: use JoinHostPort by @zirain in #4646
• [release-1.5] Minute clean-ups in conformance tests for CORS by @k8s-infra-cherrypick-robot in #4652
• [release-1.5] fix: propagate context and fix defer leak in DumpEchoLogs by @k8s-infra-cherrypick-robot in #4625
• [release-1.5] Disallow repeaded CORS filters by CEL by @k8s-infra-cherrypick-robot in #4645
• [release-1.5] Add 204 as a possible cors preflight response code by @k8s-infra-cherrypick-robot in #4637
• [release-1.5] fix: improve GatewayMustHaveAttachedListeners log by @k8s-infra-cherrypick-robot in #4632
• [release-1.5] allow absent conflict condition for non-conflicted listeners by @k8s-infra-cherrypick-robot in #4664
• [release-1.5] update ListenerConditionConflicted condition docs by @k8s-infra-cherrypick-robot in #4669
• limit HTTPRouteHTTPSListenerDetectMisdirectedRequests to h2 only (#4665) by @zirain in #4667
• Patch 1.5.1 release. by @bexxmodd in #4685

Full Changelog: v1.5.0...v1.5.1

v1.5.0

Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.

Gateway API v1.5.0

Major Changes Since v1.4.1

Breaking Changes

TLSRoute v1alpha2 and XListenerSet

TLSRoute and ListenerSet have graduated to the Standard channel as v1. In 1.5.0, TLSRoute v1alpha2 is present only in the Experimental channel; in 1.6, it will be removed from the Experimental channel too.

Additionally, note that TLSRoute's CEL validation requires Kubernetes 1.31 or higher.

Upgrades and ValidatingAdmissionPolicy

Gateway API 1.5 introduces a validating admission policy (VAP) called safe-upgrades.gateway.networking.k8s.io to guard against two specific concerns:

• It prevents installing Experimental CRDs once you've installed Standard CRDs.
• It prevents downgrading to a version prior to 1.5 after you've installed Gateway API 1.5.

These actions can't be known to be safe without detailed knowledge about your application and users. If you need to perform them, delete the safe-upgrades.gateway.networking.k8s.io VAP first.

New Features

In this release, the following major features are moving to the Standard channel and are now considered generally available:

• Gateway Client Certificate validation (GEP-91, GEP-3567)
• Certificate selection for Gateway TLS origination (GEP-3155)
• ListenerSet support (GEP-1713)
• HTTPRoute CORS filter (GEP-1767)
• TLSRoute v1 (GEP-2643)

Additionally, the ReferenceGrant resource is moving to v1.

Experimental

• Gateway/HTTPRoute level authentication (GEP-1494)

Full Changelog

Full Changelog: v1.4.1...v1.5.0

Dependencies

Added

• github.com/Masterminds/semver/v3: v3.4.0
• github.com/chzyer/readline: v1.5.1
• github.com/gkampitakis/ciinfo: v0.3.2
• github.com/gkampitakis/go-diff: v1.3.2
• github.com/gkampitakis/go-snaps: v0.5.15
• github.com/ianlancetaylor/demangle: f615e6b
• github.com/joshdk/go-junit: v1.0.0
• github.com/maruel/natural: v1.1.1
• github.com/mfridman/tparse: v0.18.0
• github.com/tidwall/gjson: v1.18.0
• github.com/tidwall/match: v1.1.1
• github.com/tidwall/pretty: v1.2.1
• github.com/tidwall/sjson: v1.2.5

Changed

• cloud.google.com/go/compute/metadata: v0.7.0 → v0.9.0
• github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: v1.29.0 → v1.30.0
• github.com/cncf/xds/go: 2ac532f → 0feb691
• github.com/envoyproxy/go-control-plane/envoy: v1.32.4 → v1.35.0
• github.com/envoyproxy/go-control-plane: v0.13.4 → 75eaa19
• github.com/go-jose/go-jose/v4: v4.1.1 → v4.1.3
• github.com/google/pprof: d1b30fe → 294ebfa
• github.com/mailru/easyjson: v0.9.0 → v0.9.1
• github.com/miekg/dns: v1.1.68 → v1.1.72
• github.com/onsi/ginkgo/v2: v2.22.0 → v2.28.0
• github.com/onsi/gomega: v1.38.1 → v1.39.1
• github.com/prometheus/client_golang: v1.23.0 → v1.23.2
• github.com/prometheus/common: v0.65.0 → v0.66.1
• github.com/prometheus/procfs: v0.17.0 → v0.19.2
• github.com/rogpeppe/go-internal: v1.13.1 → v1.14.1
• github.com/spf13/cobra: v1.9.1 → v1.10.2
• github.com/spf13/pflag: v1.0.7 → v1.0.10
• github.com/spiffe/go-spiffe/v2: v2.5.0 → v2.6.0
• github.com/stretchr/testify: v1.11.0 → v1.11.1
• go.etcd.io/bbolt: v1.4.2 → v1.4.3
• go.etcd.io/etcd/api/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/client/pkg/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/client/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/pkg/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/server/v3: v3.6.4 → v3.6.5
• go.opentelemetry.io/auto/sdk: v1.1.0 → v1.2.1
• go.opentelemetry.io/contrib/detectors/gcp: v1.36.0 → v1.38.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.58.0 → v0.61.0
• go.opentelemetry.io/otel/metric: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel/sdk/metric: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel/sdk: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel/trace: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel: v1.37.0 → v1.38.0
• go.opentelemetry.io/proto/otlp: v1.5.0 → v1.7.0
• go.uber.org/zap: v1.27.0 → v1.27.1
• go.yaml.in/yaml/v2: v2.4.2 → v2.4.3
• golang.org/x/crypto: v0.41.0 → v0.47.0
• golang.org/x/mod: v0.27.0 → v0.32.0
• golang.org/x/net: v0.43.0 → v0.49.0
• golang.org/x/oauth2: v0.30.0 → v0.34.0
• golang.org/x/sync: v0.16.0 → v0.19.0
• golang.org/x/sys: v0.35.0 → v0.40.0
• golang.org/x/telemetry: 1a19826 → bd525da
• golang.org/x/term: v0.34.0 → v0.39.0
• golang.org/x/text: v0.28.0 → v0.33.0
• golang.org/x/time: v0.12.0 → v0.14.0
• golang.org/x/tools: v0.36.0 → v0.41.0
• google.golang.org/genproto/googleapis/api: 8d1bb00 → ab9386a
• google.golang.org/genproto/googleapis/rpc: ef028d9 → ab9386a
• google.golang.org/grpc: v1.75.1 → v1.78.0
• google.golang.org/protobuf: v1.36.8 → v1.36.11
• k8s.io/api: v0.34.1 → v0.35.1
• k8s.io/apiextensions-apiserver: v0.34.1 → v0.35.1
• k8s.io/apimachinery: v0.34.1 → v0.35.1
• k8s.io/apiserver: v0.34.1 → v0.35.1
• k8s.io/client-go: v0.34.1 → v0.35.1
• k8s.io/code-generator: v0.34.1 → v0.35.1
• k8s.io/component-base: v0.34.1 → v0.35.1
• k8s.io/gengo/v2: c297c0c → ec3ebc5
• k8s.io/kms: v0.34.1 → v0.35.1
• k8s.io/kube-openapi: d7b6acb → 589584f
• k8s.io/utils: 0af2bda → 914a6e7
• sigs.k8s.io/controller-runtime: v0.22.1 → v0.23.1
• sigs.k8s.io/controller-tools: v0.19.0 → v0.20.1
• sigs.k8s.io/structured-merge-diff/v6: v6.3.0 → v6.3.2

Removed

• github.com/kisielk/errcheck: v1.5.0
• github.com/kisielk/gotool: v1.0.0
• github.com/pkg/errors: v0.9.1
• github.com/zeebo/errs: v1.4.0
• golang.org/x/xerrors: 5ec99f8

v1.5.0-rc.3

Note: This is a release candidate for v1.5.0. If while testing and running conformance for this release candidate you run into any problems, please send your feedback here (and feel free to create an issue as well)!

Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.

Changes Since v1.5.0-rc.2

• Fixed an issue where the ValidatingAdmissionPolicy prevented experimental CRDs from being installed at all (instead of only when standard CRDs already exist). (#4604 @howardjohn)

What's Changed

• [release-1.5] safe-upgrade: allow installing experimental when no current CRD is in… by @k8s-infra-cherrypick-robot in #4604

Full Changelog: v1.5.0-rc.2...v1.5.0-rc.3

v1.5.0-rc.2

Note: This is a release candidate for v1.5.0. If while testing and running conformance for this release candidate you run into any problems, please send your feedback here (and feel free to create an issue as well)!

Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.

Changes Since v1.5.0-rc.1

• CORS Origin values are now validated by CEL to disallow unsupported values in the host portion (#4595, @DamianSawicki -- see discussion in #3648)
• Fixed the safe-upgrades ValidatingAdmissionPolicy to allow upgrades of experimental CRDs (#4578, @snorwin)
• Replace omitempty with omitzero for supportedKinds in ListenerStatus to preserve backward compatibility for controllers reconciling older Gateway API versions. (#4556, @snorwin)
• Add the missing ListenersNotValid programmed reason for listenerSets (#4589, @davidjumani)
• The default polling interval for conformance tests has been decreased. This can be modified by the new DefaultPollInterval. (#4599, @howardjohn)

What's Changed

• [release-1.5] cleanup: fix typo by @k8s-infra-cherrypick-robot in #4550
• [release-1.5] cleanup: align types for listener ResolvedRefs condition reason by @k8s-infra-cherrypick-robot in #4554
• [release-1.5] build(deps): bump the k8s-io group across 4 directories with 5 updates by @k8s-infra-cherrypick-robot in #4548
• [release-1.5] CORS conformance fixes regarding credentials and wildcards by @k8s-infra-cherrypick-robot in #4547
• [release-1.5] fix: use omitzero instead of omitempty for supportedKinds to ensure backward compatibility by @k8s-infra-cherrypick-robot in #4556
• [release-1.5] remove copyright years after 2025 by @k8s-infra-cherrypick-robot in #4565
• [release-1.5] TLSRoute: Use v1 for conformance tests by @k8s-infra-cherrypick-robot in #4569
• [release-1.5] fix: FailFast should return when test failed by @k8s-infra-cherrypick-robot in #4549
• [release-1.5] Misc v1.5.0 conformance improvements by @k8s-infra-cherrypick-robot in #4563
• [release-1.5] conformance: client certificate AllowInsecureFallback validation mode tests by @k8s-infra-cherrypick-robot in #4564
• [release-1.5] Add missing IgnoreWhitespace: true by @k8s-infra-cherrypick-robot in #4590
• [release-1.5] fix: Update listener set programmed conditions by @k8s-infra-cherrypick-robot in #4589
• [release-1.5] Update CEL validation of allowOrigins by @k8s-infra-cherrypick-robot in #4595
• [release-1.5] fix: enable safe-upgrades VAP to permit upgrades of experimental CRDs by @snorwin in #4578
• [release-1.5] TLSRoute: Add conformance tests for connection rejection by @k8s-infra-cherrypick-robot in #4593
• [release-1.5] conformance: tune and allow configuring polling interval by @k8s-infra-cherrypick-robot in #4599
• CHANGELOG and version number updates for 1.5.0-rc.2 by @kflynn in #4600

Full Changelog: v1.5.0-rc.1...v1.5.0-rc.2

v1.5.0-rc.1

Note: This is a release candidate for v1.5.0. If while testing and running conformance for this release candidate you run into any problems, please send your feedback here (and feel free to create an issue as well)!

Warning: The Experimental channel CRDs are too large for a standard kubectl apply. To work around this please use kubectl apply --server-side=true instead -- or, even better, use kuberc to make server-side apply the default.

Major Changes Since v1.4.1

Breaking Changes

TLSRoute v1alpha2 and XListenerSet

Since TLSRoute and ListenerSet have graduated to the Standard channel, TLSRoute v1alpha2 and XListenerSet are no longer included in the Experimental channel.

Additionally, note that TLSRoute's CEL validation requires Kubernetes 1.31 or higher.

Upgrades and ValidatingAdmissionPolicy

Gateway API 1.5 introduces a validating admission policy (VAP) called safe-upgrades.gateway.networking.k8s.io to guard against two specific concerns:

• It prevents installing Experimental CRDs once you've installed Standard CRDs.
• It prevents downgrading to a version prior to 1.5 after you've installed Gateway API 1.5.

These actions can't be known to be safe without detailed knowledge about your application and users. If you need to perform them, delete the safe-upgrades.gateway.networking.k8s.io VAP first.

New Features

In this release, the following major features are moving to the Standard channel and are now considered generally available:

• Gateway Client Certificate validation (GEP-91, GEP-3567)
• Certificate selection for Gateway TLS origination (GEP-3155)
• ListenerSet support (GEP-1713)
• HTTPRoute CORS filter (GEP-1767)
• TLSRoute v1 (GEP-2643)

Additionally, the ReferenceGrant resource is moving to v1.

Experimental

• Gateway/HTTPRoute level authentication (GEP-1494)

Changes by Kind

Test

• Add conformance test to check that only Accepted Routes are considered as attachedRoute on Gateway status (#4362, @davidesalerno)
• Added conformance tests for invalid backend TLS configurations and the Gateway ResolvedRefs condition (#4389, @snorwin)
• Adds a conformance test for BackendTLSPolicy so that when a ConfigMap contents are changed, it should be reconciled by the controller. (#4360, @Thealisyed)

GEPs

• Adding initial conformance tests for XListenerSets (#3890, @davidjumani)
• Adds the AttachedListeners conditions to the Gateway status which is the count of successful ListenerSet attachments to the gateway (#4211, @davidjumani)
• Allow only static port ports for listenerSets (#4426, @davidjumani)
• Fix the description of what conditions count as a valid attachedRoute on Gateway status (#4341, @davidesalerno)
• TLSRoute gep creation (#4064, @rikatz)

Feature

• Adds TLS mode validation for TLS protocol on ListenerSet Listener. (#4451, @rostislavbobo)
• Allow implementation-specific values for wellKnownCACertificates in BackendTLSPolicy (#4401, @snorwin)
• Promote ReferenceGrant to v1 (#4458, @rikatz)
• Support for client certificate validation for TLS terminating at the Gateway is now in Standard (#4496, @kl52752)
• Support for defining Gateway client certificate when Gateways originate TLS connection to Backends is now in Standard. (#4489, @kl52752)
• TLSRoute has graduated to GA. We recommend using the "v1" API version with this API now. The "v1alpha2" and "v1alpha3" version of this API are deprecated and will be removed in the future. (#4439, @rostislavbobo)

Documentation

• Added a "When to Use GRPCRoute" section to the GRPCRoute API types documentation, with guidance on when to use HTTPRoute vs GRPCRoute and for controller implementers. (#4502, @kahirokunn)
• Adds the AttachedListeners conditions to the Gateway status for the GEP and details for ListenerSets conformance tests (#4205, @davidjumani)
• Define a new Reason type for Listener's Condition status to reflect invalid Client Certificate Validation Configuration for Gateway. (#4443, @kl52752)
• Updating versioning docs located at https://gateway-api.sigs.k8s.io/concepts/versioning/ (#4308, @bexxmodd)

Bug or Regression

• Added minItems=1 validation to HTTPRoute.spec.rules to prevent creation of HTTPRoute resources without any rules. (#4301, @snorwin)
• Only allow cookieConfig with type: Cookie (#4411, @LiorLieberman)

Other (Cleanup or Flake)

• Remove TCPRoute support from TLS listeners (#4427, @rikatz)
• Update the Gateway status to include AttachedListenerSets - the count of ListenerSets that have successfully attached to the gateway (#4358, @davidjumani)

Uncategorized

• Added conformance tests validating Gateway behavior for connection coalescing when SNI and Host headers do not match, including correct use of HTTP 421 for potentially misdirected requests. (#4364, @snorwin)
• Adds TLS mode validation for TLS protocol on Gateway Listener. (#4441, @rostislavbobo)
• Adds conformance tests for ListenerSets (#4445, @davidjumani)
• Https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v3.0.0 (#4453, @shuqz)
• Implement conformance test for CORS (#4494, @rikatz)
• Promote ListenerSet to standard (#4499, @davidjumani)

Dependencies

Added

• github.com/Masterminds/semver/v3: v3.4.0
• github.com/chzyer/readline: v1.5.1
• github.com/gkampitakis/ciinfo: v0.3.2
• github.com/gkampitakis/go-diff: v1.3.2
• github.com/gkampitakis/go-snaps: v0.5.15
• github.com/ianlancetaylor/demangle: f615e6b
• github.com/joshdk/go-junit: v1.0.0
• github.com/maruel/natural: v1.1.1
• github.com/mfridman/tparse: v0.18.0
• github.com/tidwall/gjson: v1.18.0
• github.com/tidwall/match: v1.1.1
• github.com/tidwall/pretty: v1.2.1
• github.com/tidwall/sjson: v1.2.5

Changed

• cloud.google.com/go/compute/metadata: v0.7.0 → v0.9.0
• github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp: v1.29.0 → v1.30.0
• github.com/cncf/xds/go: 2ac532f → 0feb691
• github.com/envoyproxy/go-control-plane/envoy: v1.32.4 → v1.35.0
• github.com/envoyproxy/go-control-plane: v0.13.4 → 75eaa19
• github.com/go-jose/go-jose/v4: v4.1.1 → v4.1.3
• github.com/google/pprof: d1b30fe → 294ebfa
• github.com/mailru/easyjson: v0.9.0 → v0.9.1
• github.com/miekg/dns: v1.1.68 → v1.1.72
• github.com/onsi/ginkgo/v2: v2.22.0 → v2.28.0
• github.com/onsi/gomega: v1.38.1 → v1.39.1
• github.com/prometheus/client_golang: v1.23.0 → v1.23.2
• github.com/prometheus/common: v0.65.0 → v0.66.1
• github.com/prometheus/procfs: v0.17.0 → v0.19.2
• github.com/rogpeppe/go-internal: v1.13.1 → v1.14.1
• github.com/spf13/cobra: v1.9.1 → v1.10.2
• github.com/spf13/pflag: v1.0.7 → v1.0.10
• github.com/spiffe/go-spiffe/v2: v2.5.0 → v2.6.0
• github.com/stretchr/testify: v1.11.0 → v1.11.1
• go.etcd.io/bbolt: v1.4.2 → v1.4.3
• go.etcd.io/etcd/api/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/client/pkg/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/client/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/pkg/v3: v3.6.4 → v3.6.5
• go.etcd.io/etcd/server/v3: v3.6.4 → v3.6.5
• go.opentelemetry.io/auto/sdk: v1.1.0 → v1.2.1
• go.opentelemetry.io/contrib/detectors/gcp: v1.36.0 → v1.38.0
• go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp: v0.58.0 → v0.61.0
• go.opentelemetry.io/otel/metric: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel/sdk/metric: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel/sdk: v1.37.0 → v1.38.0
• go.opentelemetry.io/otel/trace: v1.37.0 → v1.38.0
• ...

monthly-2026.01

Gateway API monthly-2026.01 Release Notes

This is the monthly release for the Gateway API experimental channel for January 2026. This release includes the latest features and fixes from Gateway API's main branch.

Using this Release

• To install the CRDs for this release, use install monthly-2026.01-install.yaml:

  kubectl apply --server-side=true -f https://github.com/kubernetes-sigs/gateway-api/releases/download/monthly-2026.01/monthly-2026.01-install.yaml
  

• To build using this release in Go, include this release in your go.mod:

  require sigs.k8s.io/gateway-api monthly-2026.01
  

  and run go mod tidy. You'll find that monthly-2026.01 gets replaced by a Go pseudoversion; this is expected.

Cautions

N/A

Changes Summary

Bundle Version

• Updated bundle version from v1.4.0 to v1.4.1 across all experimental CRDs

Gateway API Enhancements

• Added attachedListenerSets field to Gateway status for tracking ListenerSet attachments
• Clarified AttachedRoutes counting logic to only include Routes with Accepted: true condition
• Updated BackendTLSPolicy documentation with expanded support level guidance

Documentation Improvements

• Fixed grammar and typos throughout CRD descriptions (e.g., "case sensitive" → "case-sensitive", "retryable" → "retriable")
• Improved clarity of namespace access error messages
• Enhanced ListenerSet attachment documentation with clearer conditions

Affected Resources

• BackendTLSPolicy, Gateway, GatewayClass, GRPCRoute, HTTPRoute, ReferenceGrant, TCPRoute, TLSRoute, UDPRoute
• XBackendTrafficPolicy, XListenerSet, XMesh

What's Changed

• Update External Auth GEP to be Experimental by @youngnick in #4297
• Optimize mesh (GRPC|HTTP)RouteWeight tests by @LiorLieberman in #4300
• Perform Implementations page review for v1.4 by @youngnick in #4238
• Fix GCL version with bugfix for git problem by @rikatz in #4313
• Fix incorrect spec change for Policy objects by @youngnick in #4304
• chore(1.4.1): CHANGELOG and version updates by @kflynn in #4317
• fix(build): build-install-yaml needs to tolerate $1 being unset. Oops. by @kflynn in #4319
• chore(1.4.1): Update README and guide for 1.4.1 by @kflynn in #4320
• conformance: normative test for backend client certificate in Gateway by @snorwin in #4119
• api: Update gateway status to include AttachedListeners by @davidjumani in #4211
• Add verbose flag to golangci-lint command by @LiorLieberman in #4311
• Add github actions update to dependabot by @rikatz in #4312
• Move GEPs out of ToC and re-add provisional by @rikatz in #4277
• conformance: Add Airlock Microgateway 4.8.0 report for v1.4.0 and v1.4.1 by @root30 in #4285
• Spelling by @jsoref in #4279
• Fix docs typos by @nurzhan-zhanuzak in #4328
• fix: target object status description by @guicassolato in #4275
• build(deps): bump pymdown-extensions from 10.17.2 to 10.18 in /hack/mkdocs/image in the mkdocs-deps group by @dependabot[bot] in #4331
• gep: refine CACertificateRefs description for frontend TLS by @snorwin in #4183
• Update the ListenerSet GEP per Kubecon discussions by @rikatz in #4286
• Adding more HTTPRoute guides by @robscott in #4326
• Adding ingress-nginx welcome guide along with new "getting started" section by @robscott in #4334
• build(deps): bump actions/checkout from 4.2.2 to 6.0.1 by @dependabot[bot] in #4323
• build(deps): bump actions/setup-go from 5.5.0 to 6.1.0 by @dependabot[bot] in #4324
• build(deps): bump the k8s-io group across 4 directories with 4 updates by @dependabot[bot] in #4325
• GEP-2643: TLSRoute by @rikatz in #4064
• build(deps): bump the mkdocs-deps group in /hack/mkdocs/image with 2 updates by @dependabot[bot] in #4352
• conformance: check ObservedGeneration of status conditions for HTTPRoutes, Gateways and Gatewayclasses with polling by @pmalek in #4339
• chore: add sigs.k8s.io to dependabot config by @rikatz in #4366
• build(deps): bump the mkdocs-deps group in /hack/mkdocs/image with 2 updates by @dependabot[bot] in #4367
• Conformance report for NGINX Gateway Fabric 2.3.0 by @sjberman in #4365
• build(deps): bump sigs.k8s.io/controller-runtime from 0.22.3 to 0.22.4 in /conformance by @dependabot[bot] in #4289
• implementations: update Azure Application Gateway for Containers badge by @ffurrer2 in #4343
• Clarify at least 3 implementations must upload their report to appear by @xtineskim in #4373
• Gravitee Kubernetes Operator 4.8.5 conformance report for 1.3.0 by @a-cordier in #4059
• 1.4.0 Conformance report for NGINX Gateway Fabric by @sjberman in #4372
• Update NGF conformance report by @sjberman in #4379
• Fix link to design goals in migrating-from-ingress.md by @JoeyC-Dev in #4380
• Add a link validator and fix broken links by @rikatz in #4363
• Fix AttachedRoutes documentation aligned to count only Accepted Routes by @davidesalerno in #4341
• Use correct link when mentioning conformance levels by @Stevenjin8 in #4391
• Clarify gep-1713 language to make it clear ListenerSet to Gateway is 1:1 by @zac-nixon in #4390
• build(deps): bump pymdown-extensions from 10.19.1 to 10.20 in /hack/mkdocs/image in the mkdocs-deps group by @dependabot[bot] in #4398
• Bump golangci-lint to the latest version (v2) by @erikgb in #4377
• docs: rename rogue listener.routes per ffd6005 by @cavcrosby in #4400
• BackendTLSPolicy GEP - add Implementation-specific behavior by @rikatz in #4381
• fix: add MinItems=1 validation to HTTPRoute rules by @snorwin in #4301
• submit 1.3 conformance report for aws lbc by @shuqz in #4384
• api: Update Gateway status to reflect changes to GEP-1713 by @davidjumani in #4358
• docs: add rikatz as maintainer by @shaneutt in #4403
• docs: fix typo in CONTRIBUTING.md and README.md by @kube-gopher in #4395

New Contributors

• @davidjumani made their first contribution in #4211
• @nurzhan-zhanuzak made their first contribution in #4328
• @ffurrer2 made their first contribution in #4343
• @a-cordier made their first contribution in #4059
• @JoeyC-Dev made their first contribution in #4380
• @davidesalerno made their first contribution in #4341
• @zac-nixon made their first contribution in #4390
• @cavcrosby made their first contribution in #4400
• @shuqz made their first contribution in #4384
• @kube-gopher made their first contribution in #4395

Full Changelog: monthly-2025.12...monthly-2026.01

v1.4.1

Warning: Regarding the Experimental CRDs - please note that the experimental CRDs for this release are too large for a standard kubectl apply. You may receive an error like metadata.annotations: Too long: may not be more than 262144 bytes. To work around this please use kubectl apply --server-side -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental-install.yaml. We're looking into ways to reduce the size for future releases to avoid this.

Note: The installation YAML originally published with this release on 2025-12-04 mistakenly included changes from PR 3823 in the Standard channel, and from PRs 3774, 3823, and 4158 in the Experimental channel. After discussion among the Gateway API maintainers, we decided that the changes were minor enough that it was safe to modify the YAML in-place, which we did on 2026-02-10. Apologies for the confusion!

Changes Since v1.4.0

BackendTLSPolicy

• BackendTLSPolicy supports only a single targetRef per policy while Gateway API works through edge cases around representing the status of multiple targetRefs in a single policy. This restriction is expected to be lifted in a future release. (#4316, #4298)
• SAN validation in BackendTLSPolicy is correctly marked as standard. (#4194)
• BackendTLSPolicy status is correctly marked as a subresource. (#4245)

Conformance

• Conformance tests for mesh routing with weights have been made faster. (#4315)
• BackendTLSPolicy conformance tests are included in the GATEWAY-HTTP profile. (#4223)

Thanks to

Ciara Stacke, Lior Lieberman, Nick Young, Norwin Schnyder, Ricardo Pchevuzinske Katz, and zirain

Full Changelog

Full Changelog: v1.4.0...v1.4.1