v1.6.0

Changes Since v1.5.1

GEP & API Graduation

• UDPRoute & TCPRoute Graduation:
  • UDPRoute has graduated to GA. We recommend using the "v1" API version with this API now. The "v1alpha2" version of this API is deprecated and will be removed in the future. (#4923, @zac-nixon)
  • TCPRoute has graduated to GA. We recommend using the "v1" API version with this API now. The "v1alpha2" version of this API is deprecated and will be removed in the future. (#4920, @zac-nixon)
• GEP Status Updates:
  • Add GEP for the XBackend resource into Experimental status (#4488, @keithmattix)
  • Move TCPRoute GEP to Standard (#4783, @zac-nixon)
  • Move UDPRoute GEP to Standard (#5030, @rikatz)

Feature

• API & Validation Enhancements:
  • API validation updated for HTTPRoute retries: retry.codes must now be unique and retry.attempts must be >= 1. (#4907, @snorwin)
  • Increase the number of allowed Certificate Authority references from 8 to 16. (#4088, @root30)
  • The TLSRoute CRD validation has been adjusted to allow up to 1024 hostnames and rules per TLSRoute resource. Operators must validate kube-apiserver, etcd and Gateway controller behavior with representative manifests prior to enabling the new limit in production. (#4332, @alexanderstephan)
  • BackendTLSPolicy now can be used in combination with other routes types. (#4745, @rikatz)
  • Allow the usage of up to 16 annotations on the gateway infrastructure object. (#4707, @wenisman)
• Conformance Infrastructure:
  • Added conformance tests for UDPRoute (GEP-2645), a new GATEWAY-UDP conformance profile, a SupportTCPRoute feature, and a UDP/TCP echo server in echo-basic gated on UDP_ECHO_SERVER. (#4861, @zac-nixon)
• Remove the idleTimeout field from the experimental SessionPersistence API. (#4771, @gcs278)

Documentation

• Migration & Site Updates:
  • Migrate documentation from MkDocs to Docsy. (#4734, @iromanycheva-eng)
  • The new wizard should be available at https://gateway-api.sigs.k8s.io/wizard. (#4584, @bexxmodd)
• API Specs & Guidance Clarifications:
  • Add missing apidoc for BackendTLSPolicy extended support. (#4828, @rikatz)
  • Add the missing ListenersNotValid programmed reason for listenerSets. (#4586, @davidjumani)
  • Added documentation guidance recommending GRPCRoute for gRPC traffic. (#4513, @kahirokunn)
  • Clarified CORS API documentation to describe behavior based on allowCredentials instead of credentialed requests. (#4663, @snorwin)
  • Previously, implementations were required to reject GRPCRoute and HTTPRoutes on the same hostname (however, few implementations did this). Now, implementations may optionally do this, or allow them to coincide. (#4598, @howardjohn)
  • Updates the documentation around the ListenerConditionConflicted condition. (#4659, @davidjumani)
• Fixes:
  • Grammar fix in docs for concepts/use cases. (#4798, @jkburges)

Bug or Regression

• IPv6 Support:
  • Fix GatewayFrontendClientCertificateValidationInsecureFallback, GatewayFrontendClientCertificateValidation, and GatewayFrontendInvalidDefaultClientCertificateValidation failing on IPv6 clusters. (#4636, @zirain)
  • Fix GatewayFrontendInvalidDefaultClientCertificateValidation failing on IPv6 clusters. (#4629, @zirain)
• ValidatingAdmissionPolicy (VAP) Fixes:
  • Fixed an issue where the ValidatingAdmissionPolicy prevented experimental CRDs from being installed at all (instead of only when standard CRDs already exist). (#4603, @howardjohn)
  • Fixed the safe-upgrades ValidatingAdmissionPolicy to allow upgrades of experimental CRDs. (#4557, @snorwin)
• CRD & Schema Validation:
  • Generated Gateway API CRD install manifests no longer include top-level CustomResourceDefinition status fields with invalid null values, fixing strict schema validation failures in tools such as kubeconform. (#4712, @MatteoFari)
  • Replace omitempty with omitzero for supportedKinds in ListenerStatus to preserve backward compatibility for controllers reconciling older Gateway API versions. (#4551, @snorwin)
• API & Validation Fixes:
  • It is disallowed to have repeated filters of type CORS. (#4639, @DamianSawicki)
  • Limit HTTPRouteHTTPSListenerDetectMisdirectedRequests to h2 only. (#4665, @zirain)
  • Make explicit call about resource names requiring to be RFC 1035 compliant. (#4787, @rikatz)
  • Make referencegrant.spec field required. (#4845, @bexxmodd)

Test & Conformance

• New Conformance Tests:
  • Add conformance test ListenerSetAllowedRoutesCrossNamespace which verifies that a ListenerSet only allows routes in its own namespace by default. (#4841, @asauber)
  • Added a conformance test covering the Gateway Accepted condition with reason ListenersNotValid and the Listener Accepted condition with reason UnsupportedProtocol. (#4807, @snorwin)
  • Added conformance test GatewayInvalidParametersRef that verifies a Gateway referencing an invalid parameters is rejected. (#4808, @snorwin)
  • Conformance: add ListenerSet tests for Route parentRef cases. (#4912, @asauber)
• Test Machinery & Framework Updates:
  • Conformance: ExpectMirroredRequest now starts its log window before the requests are sent, so mirrors are not missed on high-latency data planes. (#4952, @lexfrei)
  • The default polling interval for conformance tests has been decreased. This can be modified by the new DefaultPollInterval. (#4570, @howardjohn)
  • The gRPC conformance request helper no longer closes a caller-supplied (injected) Options.GRPCClient; it closes only the DefaultClient it creates internally. This lets implementations reuse a custom gRPC client across requests. (#4953, @lexfrei)
• Updates & Fixes to Existing Tests:
  • The conflicted=false condition is not required anymore in the listener status for non-conflicted listeners. (#4642, @zhaohuabing)
  • Fix TLSRoute conformance test to stop relying on self-signed certificates. (#4930, @rikatz)
  • Fixed MeshHTTPRoute307Redirect conformance test bug where the wrong manifest was used. (#4806, @jgreeer)
  • Update Gateway version to v1 in UDP conformance test. (#4722, @cnvergence)
  • Updated the TLSRoute conformance tests to allow FINs where previously RST was asserted. (#4615, @howardjohn)
  • conformance: add missing gateway-api/skip-this-for-readiness annotation to invalid gateways (#5027, @snorwin)
  • The GRPCRouteWeight conformance test now sends its distribution-sampling requests through the injectable Options.GRPCClient instead of a hardcoded DefaultClient, allowing implementations that supply a custom gRPC client to run it. (#5004, @lexfrei)
  • The HTTPRouteRequestPercentageMirror conformance test now derives its acceptance band from the binomial standard deviation instead of a flat ±15% relative tolerance, removing sampling-variance flakes at low mirror percentages. (#5005, @lexfrei)
  • Removed HTTPRoute retry tests with connection errors and backend timeouts (#4994, @snorwin)

What's Changed

• TLSRoute: Add conformance test for with Invalid BackendRef Kind by @rostislavbobo in #4504
• TLSRoute: Add conformance test for with nonexistent BackendRef by @rostislavbobo in #4507
• CORS: HTTPCORSFilter and GEP 1767 clean-ups by @DamianSawicki in #4506
• Finalize CORS gep adjustments by @rikatz in #4515
• docs: update broken link for Acnodal EPIC and Cilium Slack by @natherz97 in #4422
• conformance test: CORS by @rikatz in #4494
• [main] Promote client-certificate validation features to Standard by @k8s-infra-cherrypick-robot in #4532
• conformance: Re-add ListenerSetAllowedRoutesSupportedKinds by @davidjumani in #4512
• Update docs about cert-manager by @adrianmoisey in #4539
• CORS conformance fixes regarding credentials and wildcards by @DamianSawicki in #4542
• fix: FailFast should return when test failed by @zirain in #4540
• cleanup: fix typo by @snorwin in #4546
• cleanup: align types for listener ResolvedRefs condition reason by @snorwin in #4543
• fix: use omitzero instead of omitempty for supportedKinds to ensure backward compatibility by @snorwin in #4551
• remove copyright years after 2025 by @LiorLieberman in #4562
• conformance: client certificate AllowInsecureFallback validation mode tests by @snorwin in #4468
• Add script to verify release artifacts. by @bexxmodd in #4527
• fix: enable safe-upgrades VAP to permit upgrades of experimental CRDs by @snorwin in #4557
• bump lychee and fix local links by @rikatz in #4573
• Documentation for GEP-91 Client Certificate Validation Configuration by @kl52752 in #4552
• Docs gep 3155 by @kl52752 in #4553
• fix: Update listener set programmed conditions by @davidjumani in #4586
• Add missing IgnoreWhitespace: true by @DamianSawicki in #4567
• fix: Remove missing namespace in example manifests by @davidjumani in #4591
• TLSRoute: Add conformance tests for connection rejection by @rostislavbobo in #4583
• Update CEL validation of allowOrigins by @DamianSawicki in #4594
• docs: prevent patch releases from invalidating conformance reports. by @howardjohn in #4596
• conformance: tune and allow configuring polling interval by @howardjohn in #4570
• safe-upgrade: allow installing experimental when no current CRD is in… by @howardjohn in #4603
• mark promoted features on GEP lists by @rikatz in #4601
• docs: Add documentation for ListenerSets by @davidjumani in #4568
• docs: Update site-docs for 1.5 by @kflynn in #4609
• tlsroute: allow FIN or RST instead of just RST by @howardjohn in #4615
• Fix for release artifact validation CI by @bexxmodd in #4620
• fix: propagate context and fix defer leak in DumpEchoLogs by @samzong in #4617
• docs: Document 404 behavior when request doesn't match any Listener by @AlirezaPourchali in #4408
• fix GatewayFrontendInvalidDefaultClientCertificateValidation test by @zirain in #4629
• fix: improve GatewayMustHaveAttachedListeners log by @zirain in #4623
• fix: align short name by @zirain in #4619
• Add Hostname concept and explanation document by @youngnick in #4516
• Add 204 as a possible cors preflight response code by @jcmoraisjr in #4627
• Controller matching wizard by @bexxmodd in #4584
• fix: use JoinHostPort by @zirain in #4636
• Disallow repeated CORS filters by CEL by @DamianSawicki in #4639
• fix SetupTimeoutConfig by @zirain in #4630
• Minute clean-ups in conformance tests for CORS by @DamianSawicki in #4634
• Creates a consts for common values in conformance by @carmal891 in #4541
• fix: fix typo error by @yuluo-yx in #4638
• docs: add total column to conformance reports by @howardjohn in #4597
• docs: fix broken links from security-model rename by @pl4nty in #4658
• update ListenerConditionConflicted condition docs by @davidjumani in #4659
• allow absent conflict condition for non-conflicted listeners by @zhaohuabing in #4642
• limit HTTPRouteHTTPSListenerDetectMisdirectedRequests to h2 only by @zirain in #4665
• Docs: Remove deprecated copy_on_write option by @Seo-yul in #4678
• add a way to override timeout configs with a flag by @LiorLieberman in #4671
• docs: fix mkdocs redirects warning by @Seo-yul in #4680
• docs: Add feature names to guides and concepts pages by @robscott in #4672
• implement findings on gh actions by @rikatz in #4622
• some formatting changes to wizard ui. by @bexxmodd in #4656
• conformance: fix ListenerSetAllowedRoutesSupportedKinds flaking by @howardjohn in #4675
• align TLSRoute with hostname concept by @vinayakray19 in #4650
• CORS: clarify API documentation and remove conformance tests for credentialed requests by @snorwin in #4663
• 2734 - update gateway infrastructure annotations to 16 by @wenisman in #4707
• docs: Include patch versions in wizard data and add v1.5 features by @snorwin in #4710
• GatewayInfrastructure: use uncached client lookups by @howardjohn in #4717
• conformance: Move Inference Extension conformance helper functions to gateway-api/conformance by @ericdbishop in #4602
• Define union features by @rikatz in #4452
• generator: omit top-level CRD status from manifests by @MatteoFari in #4712
• conformance: update tests to use gatewayv1 APIs by @cnvergence in #4722
• Make monthly release action to be manually triggered with supplied tag. by @bexxmodd in #4736
• Add well-known labels package for GEP-1762 by @carmal891 in #4705
• Add Google Analytics loader and event tracking for wizard by @iromanycheva-eng in #4721
• start using images from registry.k8s.io by @upodroid in #4728
• Specify the usage of BackendTLSPolicy as a union feature by @rikatz in #4745
• Add gateway:util:excludeFromCRD comments for complex CEL validations by @AndrewCharlesHay in #4714
• conformance: make weight test 100x faster by @howardjohn in #4740
• Update HTTPRoute BackendRefs public docs to match API spec. by @briantkennedy in #4758
• docs: better feature comparison table by @howardjohn in #4744
• docs: clarify RequestHeaderModifier set behavior by @ShaanveerS in #4684
• conformance: Add tests for omitted and empty backendRefs by @optix2000 in #4750
• cleanup-test-resources option by @zhaohuabing in #4776
• GEP-1619: Remove idleTimeout from SessionPersistence API by @gcs278 in #4771
• Add session persistence conformance test plan by @salonichf5 in #4482
• Make explicit call about resource name restrictions by @rikatz in #4787
• Fix Google Analytics custom events in Controller Matching Wizard by @iromanycheva-eng in #4782
• docs: update ReferenceGrant API references to v1 by @JoeyC-Dev in #4796
• Issue-4087: Increase MaxItems for CACertificateRefs validation by @root30 in #4088
• Fix grammar/sentence by @jkburges in #4798
• fix mismatched annotation by @davidxia in #4793
• stop building arm64 images on preverify jobs by @rikatz in #4803
• V1.5 Implementations page review by @youngnick in #4741
• Update the bundle version for VAP and add it as a release step. by @bexxmodd in #4759
• Fix MeshHTTPRoute307Redirect conformance test by @jgreeer in #4806
• Mkdocs Migration Python CLI for #3860 by @RoseWrightdev in #3999
• Make conformance reports require just major and minor GW API versions by @rikatz in #4792
• fix: drop GRPCRoute from supported kinds assertion as the test does not require to support them by @snorwin in #4805
• test(conformance): add test for Gateway Accepted condition with InvalidParameters reason by @snorwin in #4808
• EXP: UDPRoute by @zac-nixon in #4720
• Bump golangci-lint (and KAL) to support Go 1.26 by @erikgb in #4820
• Bump K8s dependencies to 1.36 by @erikgb in #4819
• fix: add j2_line_comment_prefix back to mkdocs configuration by @JoeyC-Dev in #4822
• PROVISIONAL: Backend GEP by @keithmattix in #4818
• #4826 Fix inconsistencies in ListenerSet example by @vovtz in #4827
• test(conformance): add tests for Gateway listener Accepted condition with UnsupportedProtocol reason by @snorwin in #4807
• Add missing API doc for BackendTLSPolicy as union feature by @rikatz in #4828
• EXP: TCPRoute GEP by @zac-nixon in #4783
• Update RELEASE.md by @kflynn in #4836
• gep-4768: Standardized Telemetry API (provisional) by @gkhom in #4775
• docs: Add guidance preferring GRPCRoute for gRPC by @kahirokunn in #4513
• Increase TLSRoute hostnames limit from 16 to 1024 by @alexanderstephan in #4332
• [gep-1713] ListenerSet: Fix typos and other inconsistencies by @dprotaso in #4824
• grpc: do not require unique hostnames with http by @howardjohn in #4598
• Enable golangci-lint modernize linter by @erikgb in #4821
• conformance: add cross-namespace ListenerSet AllowedRoutes test by @asauber in #4841
• [breaking change] Remove optional marker from ReferenceGrant.Spec by @bexxmodd in #4845
• Prevent arbitrary code execution hack scripts by @bexxmodd in #4846
• Fix Stored DOM XSS in Controller Wizard by @bexxmodd in #4848
• Migrate documentation from MkDocs to Docsy by @iromanycheva-eng in #4734
• Remove legacy mkdocs files by @rikatz in #4855
• add GEP 3965: Implementation-Specific Matches by @howardjohn in #4676
• fix wizard theme compatibility for dark mode by @bexxmodd in #4857
• Add verify-crdify script to detect breaking changes in CRDs by @ElenaZvereva in #4830
• Secure monthly-release workflow by @bexxmodd in #4849
• test: retry simulation for echo-basic backend by @snorwin in #4862
• bump controller-tools by @rikatz in #4864
• docs: fix header background color by @snorwin in #4863
• fix: initialize retry count map to prevent nil map panic by @snorwin in #4866
• docs: add front matter to GEP pages to fix search links by @gcs278 in #4868
• cleanup: fix docs build variable mismatch and script error handling by @samzong in #4616
• EXP: Backend Resource by @keithmattix in #4488
• docs: ensure example files reference proper pages + update API version by @JoeyC-Dev in #4840
• docs: fix broken links in README.md by @arybolovlev in #4877
• feat(echo-basic): Add UDP Echo server by @zac-nixon in #4871
• Update UDPRoute gep to add more conformance and clarification by @rikatz in #4879
• Update TCPRoute gep to add more conformance and clarification by @rikatz in #4878
• test(conformance): Add TCPRoute conformance tests for GEP-2644 by @zac-nixon in #4874
• test(conformance): add normative tests for HTTPRoute retries by @snorwin in #4817
• test(conformance): Add UDPRoute conformance tests for GEP-2645 by @zac-nixon in #4861
• Add guidance on API documentation by @rikatz in #4160
• Set release title to tag name in monthly release workflow by @bexxmodd in #4886
• conformance: make timeout and other fields configurable via yaml by @ericdbishop in #4773
• test: enhance retry simulation with TCP failure mode and retry delay by @snorwin in #4897
• test: remove backoff from normative HTTPRoute retry tests by @snorwin in #4898
• [release-1.6] bump dependencies and remove deprecated h2c package by @k8s-infra-cherrypick-robot in #4904
• [release-1.6] Skip conformance options test to avoid replacing flags by @k8s-infra-cherrypick-robot in #4906
• [release-1.6] api: use listType=set for HTTPRoute retry status codes and validate retry attempts >= 1 by @k8s-infra-cherrypick-robot in #4907
• [release-1.6] test(conformance) Touch up L4 conformance by @k8s-infra-cherrypick-robot in #4909
• [release-1.6] test(conformance): add test for HTTPRoute retries with timeouts by @k8s-infra-cherrypick-robot in #4910
• [release-1.6] conformance: add ListenerSet tests for Route parentRefs by @k8s-infra-cherrypick-robot in #4912
• [release-1.6] feat(apis): Promote TCPRoute to v1 by @k8s-infra-cherrypick-robot in #4920
• [release-1.6] feat(apis): Promote UDPRoute to v1 by @k8s-infra-cherrypick-robot in #4923
• [release-1.6] EXP: XBackend Implementation by @k8s-infra-cherrypick-robot in #4924
• [release-1.6] stop using selfsigned certificate on tlsroute tests and reuse cert function by @k8s-infra-cherrypick-robot in #4930
• [release-1.6] conformance: check pods in namespaces by @k8s-infra-cherrypick-robot in #4944
• [release-1.6] conformance: start the mirror log window before the requests are sent by @k8s-infra-cherrypick-robot in #4952
• [release-1.6] Close only the gRPC client the request helper owns by @k8s-infra-cherrypick-robot in #4953
• release v1.6.0-rc.1 by @bexxmodd in #4957
• Correct Backend in changelog by @keithmattix in #4964
• [release-1.6] Run Gateway and BackendTLSPolicy conformance tests in parallel by @k8s-infra-cherrypick-robot in #4967
• [release-1.6] chore: Update TCP && UDP Route version in conformance tests by @k8s-infra-cherrypick-robot in #4981
• [release-1.6] fix: Invalid listener in TCPRouteInvalidNonTCPListener by @k8s-infra-cherrypick-robot in #4984
• [release-1.6] fix: remove HTTPRoute retry tests with connection errors and backend timeouts by @snorwin in #4994
• [release-1.6] test(conformance): add test covering shared and dedicated routes across multiple Gateways by @k8s-infra-cherrypick-robot in #4997
• [release-1.6] conformance: avoid mirror log races (Backport of #4887) by @youngnick in #5002
• [release-1.6] Derive percentage-mirror tolerance from the binomial standard deviation by @k8s-infra-cherrypick-robot in #5005
• [release-1.6] Route the GRPCRouteWeight sampler through the injectable GRPCClient by @k8s-infra-cherrypick-robot in #5004
• [release-1.6] Add an injectable WebSocket dialer to the conformance suite by @k8s-infra-cherrypick-robot in #5003
• Preping v1.6.0-rc.2 release. by @bexxmodd in #5007
• [release-1.6] conformance: add missing gateway-api/skip-this-for-readiness annotation to invalid gateways by @k8s-infra-cherrypick-robot in #5027
• version bump and changelog update for v1.6.0 release. by @bexxmodd in #5029

New Contributors

• @natherz97 made their first contribution in #4422
• @jukie made their first contribution in #4525
• @samzong made their first contribution in #4617
• @AlirezaPourchali made their first contribution in #4408
• @abdallahmahran10 made their first contribution in #4610
• @yuluo-yx made their first contribution in #4638
• @pl4nty made their first contribution in #4657
• @vinayakray19 made their first contribution in #4650
• @szkaraddd made their first contribution in #4702
• @tyxeron made their first contribution in #4694
• @wenisman made their first contribution in #4707
• @MatteoFari made their first contribution in #4712
• @upodroid made their first contribution in #4728
• @AndrewCharlesHay made their first contribution in #4714
• @ShaanveerS made their first contribution in #4684
• @optix2000 made their first contribution in #4750
• @jkburges made their first contribution in #4798
• @davidxia made their first contribution in #4793
• @RoseWrightdev made their first contribution in #3999
• @vovtz made their first contribution in #4827
• @gkhom made their first contribution in #4775
• @alexanderstephan made their first contribution in #4332
• @perbu made their first contribution in #4831
• @ElenaZvereva made their first contribution in #4830
• @arybolovlev made their first contribution in #4877

Full Changelog: v1.5.1...v1.6.0