kubernetes-sigs/gateway-api monthly-2026.04 on GitHub

Gateway API monthly-2026.04 Release Notes

This is the monthly release for the Gateway API experimental channel for April 2026. This release includes the latest features and fixes from Gateway API's main branch.

Using this Release

To install the CRDs for this release, use install monthly-2026.04-install.yaml:

kubectl apply --server-side=true -f https://github.com/kubernetes-sigs/gateway-api/releases/download/monthly-2026.04/monthly-2026.04-install.yaml

To build using this release in Go, include this release in your go.mod:

require sigs.k8s.io/gateway-api monthly-2026.04

and run go mod tidy. You'll find that monthly-2026.04 gets replaced by a Go pseudoversion; this is expected.

Changes Summary

Full Changelog: monthly-2026.01...monthly-2026.04

Merged Pull Requests (monthly-2026.01 to monthly-2026.04)

Adding new reviewers along with some cleanup (#4730) @robscott
Update NGINX Gateway Fabric conformance for 1.5 (#4718) @sjberman
GatewayInfrastructure: use uncached client lookups (#4717) @howardjohn
Add GKE Gateway conformance report for v1.5.0 (#4716) @szkaraddd
Add report for v1.5.1 (#4715) @jukie
docs: Include patch versions in wizard data and add v1.5 features (#4710) @snorwin
Add NGF v2.5.0 pre-release conformance report (#4709) @sjberman
Misc cleanup for v1.5 (#4708) @snorwin
2734 - update gateway infrastructure annotations to 16 (#4707) @wenisman
conformance: Adds v1.5.1 Report for kgateway (#4703) @davidjumani
update conformance report of gke-gateway for v1.4.0 (#4702) @szkaraddd
Add v1.5.1 conformance report for Traefik Proxy (#4700) @kevinpollet
build(deps): bump mkdocs-material from 9.7.5 to 9.7.6 in /hack/mkdocs/image in the mkdocs-deps group (#4696) @app/dependabot
conformance: Add Airlock Microgateway 5.0.0 conformance reports (#4694) @tyxeron
conformance: bump agentgateway to v1.0.0 (#4691) @howardjohn
Add conformance reports for haproxy ingress (#4688) @jcmoraisjr
build(deps): bump the non-k8s group across 1 directory with 4 updates (#4682) @app/dependabot
build(deps): bump the mkdocs-deps group in /hack/mkdocs/image with 2 updates (#4681) @app/dependabot
docs: fix mkdocs redirects warning (#4680) @Seo-yul
Docs: Remove deprecated copy_on_write option (#4678) @Seo-yul
conformance: fix ListenerSetAllowedRoutesSupportedKinds flaking (#4675) @howardjohn
docs: Add feature names to guides and concepts pages (#4672) @robscott
add a way to override timeout configs with a flag (#4671) @LiorLieberman
limit HTTPRouteHTTPSListenerDetectMisdirectedRequests to h2 only (#4665) @zirain
CORS: clarify API documentation and remove conformance tests for credentialed requests (#4663) @snorwin
update ListenerConditionConflicted condition docs (#4659) @davidjumani
docs: fix broken links from security-model rename (#4658) @pl4nty
docs: remove 1.3 spec from nav (#4657) @pl4nty
some formatting changes to wizard ui. (#4656) @bexxmodd
align TLSRoute with hostname concept (#4650) @vinayakray19
build(deps): bump the k8s-io group across 4 directories with 5 updates (#4644) @app/dependabot
build(deps): bump the mkdocs-deps group across 1 directory with 2 updates (#4643) @app/dependabot
allow absent conflict condition for non-conflicted listeners (#4642) @zhaohuabing
conformance: add v1.4.1 report for Kong Operator v2.1.2 (#4640) @pmalek
Disallow repeaded CORS filters by CEL (#4639) @DamianSawicki
fix: fix typo error (#4638) @yuluo-yx
fix: use JoinHostPort (#4636) @zirain
Minute clean-ups in conformance tests for CORS (#4634) @DamianSawicki
fix SetupTimeoutConfig (#4630) @zirain
fix GatewayFrontendInvalidDefaultClientCertificateValidation test (#4629) @zirain
conformance: add v1.5.0 report for agentgateway (#4628) @howardjohn
Add 204 as a possible cors preflight response code (#4627) @jcmoraisjr
fix: improve GatewayMustHaveAttachedListeners log (#4623) @zirain
implement findings on gh actions (#4622) @rikatz
Fix for release artifact validation CI (#4620) @bexxmodd
fix: align short name (#4619) @zirain
fix: propagate context and fix defer leak in DumpEchoLogs (#4617) @samzong
tlsroute: allow FIN or RST instead of just RST (#4615) @howardjohn
cleanup: update GEPS to reflect release 1.5 (#4614) @snorwin
build(deps): bump actions/setup-go from 6.2.0 to 6.3.0 (#4611) @app/dependabot
conformance: add Amazon VPC Lattice Gateway API Controller v2.0.1 report (#4610) @abdallahmahran10
docs: Update site-docs for 1.5 (#4609) @kflynn
conformance: add v1.4.1 agentgateway (#4606) @howardjohn
safe-upgrade: allow installing experimental when no current CRD is in… (#4603) @howardjohn
mark promoted features on GEP lists (#4601) @rikatz
docs: add total column to conformance reports (#4597) @howardjohn
docs: prevent patch releases from invalidating conformance reports. (#4596) @howardjohn
Update CEL validation of allowOrigins (#4594) @DamianSawicki
fix: Remove missing namespace in example manifests (#4591) @davidjumani
fix: Update listener set programmed conditions (#4586) @davidjumani
Controller matching wizard (#4584) @bexxmodd
TLSRoute: Add conformance tests for connection rejection (#4583) @rostislavbobo
Update CORS docs for Standard graduation (#4579) @DamianSawicki
build(deps): bump sigs.k8s.io/controller-tools from 0.20.0 to 0.20.1 in /tools in the k8s-io group across 1 directory (#4577) @app/dependabot
build(deps): bump the mkdocs-deps group in /hack/mkdocs/image with 2 updates (#4575) @app/dependabot
build(deps): bump actions/setup-go from 6.1.0 to 6.2.0 (#4574) @app/dependabot
bump lychee and fix local links (#4573) @rikatz
Bumping API approval link for v1.5 (#4572) @robscott
conformance: tune and allow configuring polling interval (#4570) @howardjohn
docs: Add documentation for ListenerSets (#4568) @davidjumani
Add missing IgnoreWhitespace: true (#4567) @DamianSawicki
TLSRoute: Use v1 for conformance tests (#4566) @rostislavbobo
Misc v1.5.0 conformance improvements (#4560) @howardjohn
Create TLSRoute documentation (#4558) @rikatz
fix: enable safe-upgrades VAP to permit upgrades of experimental CRDs (#4557) @snorwin
Docs gep 3155 (#4553) @kl52752
Documentation for GEP-91 Client Certificate Validation Configuration (#4552) @kl52752
fix: use omitzero instead of omitempty for supportedKinds to ensure backward compatibility (#4551) @snorwin
cleanup: fix typo (#4546) @snorwin
cleanup: align types for listener ResolvedRefs condition reason (#4543) @snorwin
CORS conformance fixes regarding credentials and wildcards (#4542) @DamianSawicki
Creates a consts for common values in conformance (#4541) @carmal891
fix: FailFast should return when test failed (#4540) @zirain
Update docs about cert-manager (#4539) @adrianmoisey
build(deps): bump the k8s-io group across 4 directories with 5 updates (#4537) @app/dependabot
VAP for release v1.5 (#4533) @robscott
[main] Promote client-certificate validation features to Standard (#4532) @k8s-infra-cherrypick-robot
Add script to verify release artifacts. (#4527) @bexxmodd
Update conformance report for Envoy-Gateway v1.7.0 (#4525) @jukie
promote CORS to standard (#4521) @rikatz
Add Hostname concept and explanation document (#4516) @youngnick
Finalize CORS gep adjustments (#4515) @rikatz
conformance: Re-add ListenerSetAllowedRoutesSupportedKinds (#4512) @davidjumani
TLSRoute: Add conformance test for with nonexistent BackendRef (#4507) @rostislavbobo
CORS: HTTPCORSFilter and GEP 1767 clean-ups (#4506) @DamianSawicki
TLSRoute: Add conformance test for with Invalid BackendRef Kind (#4504) @rostislavbobo
docs: Add "When to Use GRPCRoute" section to GRPCRoute API types doc (#4502) @kahirokunn
build(deps): bump actions/setup-go from 6.1.0 to 6.2.0 (#4501) @app/dependabot
build(deps): bump actions/checkout from 6.0.1 to 6.0.2 (#4500) @app/dependabot
ListenerSet: Promote to standard (#4499) @davidjumani
Quote start in CORS GEP (#4498) @Stevenjin8
Promote GEP-91 Client Certificate Validation for TLS terminating at t… (#4496) @kl52752
bump libraries manually before RC (#4495) @rikatz
conformance test: CORS (#4494) @rikatz
Promote GEP-3155 Certificate selection when Gateways originate TLS (#4489) @kl52752
TLSRoute: Add conformance test TCPRoute being invalide for TLS listener (#4487) @rostislavbobo
Use TCPServer for TLSRoute tests instead of MQTT (#4485) @rikatz
fix: HTTPRoute redirect test (#4484) @zirain
Implement TCPServer for tests (#4483) @rikatz
conformance: support fail fast (#4479) @zirain
Drop HotMigration feature from ListenerSet (#4477) @dprotaso
conformance: invalid default client certificate validation config (#4476) @kl52752
Add conformance for tlsroute mixed listeners (#4475) @rikatz
Gravitee Kubernetes Operator 4.10.3 conformance report for 1.4.0 (#4474) @a-cordier
conformance: follow-up on TLSRoute TLSRoute rejection conformance tests (#4473) @rostislavbobo
docs: add white and black logo variants (#4472) @snorwin
build(deps): bump pymdown-extensions from 10.20 to 10.20.1 in /hack/mkdocs/image in the mkdocs-deps group (#4470) @app/dependabot
Conformance report for NGINX Gateway Fabric 2.4.0 (#4469) @bjee19
conformance: client certificate AllowInsecureFallback validation mode tests (#4468) @snorwin
Fix inconsistencies on TLSRoute GEP feature names (#4467) @rikatz
fix redirect for the old security-model link (#4465) @rikatz
cleanup: simplify client certificate handling in test machinery (#4463) @snorwin
Update KAL and fix new findings (#4461) @rikatz
Remove broken link from security guide (#4460) @rikatz
fix: update pattern for wellKnownCACertificates (#4459) @snorwin
Promote referencegrant to v1 (#4458) @rikatz
conformance: invalid client certificate validation (#4456) @kl52752
cleanup: align gateway TLS feature naming (#4455) @snorwin
add aws lbc conformance report and implementation page (#4453) @shuqz
ListenerSet: Add TLS mode validation for TLS protocol (#4451) @rostislavbobo
build(deps): bump the k8s-io group across 2 directories with 1 update (#4449) @app/dependabot
build(deps): bump actions/checkout from 6.0.1 to 6.0.2 (#4448) @app/dependabot
conformance: add TLSRoute termination feature exposure tests (#4447) @Thealisyed
conformance: Add listenerSet conformance tests to match the GEP (#4445) @davidjumani
client certificate validation: invalid config API changes (#4443) @kl52752
conformance: normative test for client certificate validation (#4442) @kl52752
Gateway: Add TLS mode validation for TLS protocol (#4441) @rostislavbobo
TLSRoute: Promote to standard (#4439) @rostislavbobo
Github action script for the monthly releases (#4438) @bexxmodd
conformance: add TLSRoute hostname intersection conformance tests (#4437) @rostislavbobo
Add snorwin as conformance reviewer (#4436) @rikatz
fix(ingress-migration-guide): create rule blocks for each host (#4435) @marttimourujarvi
Conformance: Adds v1.4.1 Report for kgateway (#4434) @danehans
conformance: add TLSRoute rejection conformance tests (#4433) @Thealisyed
build(deps): bump actions/setup-go from 6.1.0 to 6.2.0 (#4431) @app/dependabot
Fix apiVersion typo in HTTP query parameter matching guide (#4430) @dohaelsawy
fix GRPCRoute header match example (#4429) @Stevenjin8
Fix Typos in ListenerSet Conditions Comments (#4428) @gcs278
Remove TCPRoute support from TLS listeners (#4427) @rikatz
Revise GEP-1713: Allow only static ports for ListenerSets (#4426) @davidjumani
GEP-3388 Update API implementation and example manifest on gep page (#4424) @ericdbishop
Fix the table on api-overview (#4423) @rikatz
docs: update broken link for Acnodal EPIC and Cilium Slack (#4422) @natherz97
Update HTTPRoute timeouts channel information (#4419) @rumeshmadhusanka
build(deps): bump the non-k8s group across 1 directory with 2 updates (#4418) @app/dependabot
Revert dependabot job, add new dependency group (#4417) @rikatz
add conformance badge for asm (#4415) @MaYuan-02
dependabot: make a post-pr action to sync modules (#4412) @rikatz
restrict CEL for session persistence (#4411) @LiorLieberman
Update SIG Network Google Group link (#4409) @aojea
docs: Document 404 behavior when request doesn't match any Listener (#4408) @AlirezaPourchali
gateway api v1.3 conformance report for alibabacloud service mesh (#4406) @MaYuan-02
Bump tested Kubernetes versions to 1.35 (#4405) @erikgb
api: allow implementation-specific values for wellKnownCACertificates (#4401) @snorwin
conformance: refactor TLS handling in http roundtripper (#4399) @snorwin
docs: fix typo in CONTRIBUTING.md and README.md (#4395) @kube-gopher
Fix BackendTLSPolicy conflict resolution to use namespace/name (#4393) @neeraj542
conformance: added tests for invalid backend TLS configuration (#4389) @snorwin
build(deps): bump github.com/miekg/dns from 1.1.68 to 1.1.69 in /conformance (#4386) @app/dependabot
Add new Terminology documentation (#4383) @youngnick
Upgrade K8s dependencies to 1.35 (#4376) @erikgb
conformance: test cases for HTTPS connection coalescing (#4364) @snorwin
test: AttachedRoutes conformance tests to count only Accepted routes (#4362) @davidesalerno
conformance: add a conformance test for BackendTLSPolicy (#4360) @Thealisyed
conformance: add v1.3.0 report for Kong Operator v2.0.6 (#4337) @pmalek
Update versioning docs to reflect recent changes in the release process. (#4308) @bexxmodd
Wildcards are forbidden in CORS response headers to credentialed requests rather than with allowCredentials: True (#4281) @DamianSawicki
conformance: allow passing GatewayStaticAddresses from CLI (#4234) @howardjohn
Add security considerations guide, update security model (#4219) @rikatz
Revise GEP-1713: Update gateway status and conformance test details for ListenerSets (#4205) @davidjumani
conformance: TLSRoute with Terminate mode (#4137) @phuhung273
tests: Add conformace tests for listenersets (#3890) @davidjumani