Major Changes Since v1.5.1

GEP & API Graduation

• UDPRoute & TCPRoute Graduation:
  • UDPRoute has graduated to GA. We recommend using the "v1" API version with this API now. The "v1alpha2" version of this API is deprecated and will be removed in the future. (#4923, @zac-nixon)
  • TCPRoute has graduated to GA. We recommend using the "v1" API version with this API now. The "v1alpha2" version of this API is deprecated and will be removed in the future. (#4920, @zac-nixon)
• GEP Status Updates:
  • Add GEP for the Backend resource into Provisional status (#4818, @keithmattix)
  • Move TCPRoute GEP to Experimental (#4878, @rikatz)
  • Move UDPRoute GEP to Experimental (#4879, @rikatz)
  • TCPRoute GEP (#4783, @zac-nixon)

Feature

• API & Validation Enhancements:
  • API validation updated for HTTPRoute retries: retry.codes must now be unique and retry.attempts must be >= 1. (#4907, @snorwin)
  • Increase the number of allowed Certificate Authority references from 8 to 16. (#4088, @root30)
  • The TLSRoute CRD validation has been adjusted to allow up to 4096 hostnames and rules per TLSRoute resource. Operators must validate kube-apiserver, etcd and Gateway controller behavior with representative manifests prior to enabling the new limit in production. (#4332, @alexanderstephan)
  • BackendTLSPolicy now can be used in combination with other routes types. (#4745, @rikatz)
  • Allow the usage of up to 16 annotations on the gateway infrastructure object. (#4707, @wenisman)
• Graduations:
  • CORS filter is now part of the standard channel. (#4521, @rikatz)
• ValidatingAdmissionPolicy (VAP):
  • Adds a VAP that prohibits:
    • Installation of experimental CRDs on top of standard channel CRDs (within the same API group).
    • Installation of monthly releases.
    • Installation of older releases. (#4533, @robscott)
• Conformance Infrastructure:
  • Added conformance tests for UDPRoute (GEP-2645), a new GATEWAY-UDP conformance profile, a SupportTCPRoute feature, and a UDP/TCP echo server in echo-basic gated on UDP_ECHO_SERVER. (#4861, @zac-nixon)
• Remove the idleTimeout field from the experimental SessionPersistence API. (#4771, @gcs278)

Documentation

• Migration & Site Updates:
  • Migrate documentation from MkDocs to Docsy. (#4734, @iromanycheva-eng)
  • The new wizard should be available at https://gateway-api.sigs.k8s.io/wizard. (#4584, @bexxmodd)
• New Documentation:
  • Add documentation for TLSRoute. (#4558, @rikatz)
  • Adds documentation around ListenerSets. (#4568, @davidjumani)
• API Specs & Guidance Clarifications:
  • Add missing apidoc for BackendTLSPolicy extended support. (#4828, @rikatz)
  • Add the missing ListenersNotValid programmed reason for listenerSets. (#4586, @davidjumani)
  • Added documentation guidance recommending GRPCRoute for gRPC traffic. (#4513, @kahirokunn)
  • Clarified CORS API documentation to describe behavior based on allowCredentials instead of credentialed requests. (#4663, @snorwin)
  • Previously, implementations were required to reject GRPCRoute and HTTPRoutes on the same hostname (however, few implementations did this). Now, implementations may optionally do this, or allow them to coincide. (#4598, @howardjohn)
  • Updates the documentation around the ListenerConditionConflicted condition. (#4659, @davidjumani)
• Releases & Results:
  • Add AWS Load Balancer Controller conformance results for v1.5.0 Gateway API. (#4733, @zac-nixon)
• Fixes:
  • Grammar fix in docs for concepts/use cases. (#4798, @jkburges)

Bug or Regression

• IPv6 Support:
  • Fix GatewayFrontendClientCertificateValidationInsecureFallback, GatewayFrontendClientCertificateValidation, and GatewayFrontendInvalidDefaultClientCertificateValidation failing on IPv6 clusters. (#4636, @zirain)
  • Fix GatewayFrontendInvalidDefaultClientCertificateValidation failing on IPv6 clusters. (#4629, @zirain)
• ValidatingAdmissionPolicy (VAP) Fixes:
  • Fixed an issue where the ValidatingAdmissionPolicy prevented experimental CRDs from being installed at all (instead of only when standard CRDs already exist). (#4603, @howardjohn)
  • Fixed the safe-upgrades ValidatingAdmissionPolicy to allow upgrades of experimental CRDs. (#4557, @snorwin)
• CRD & Schema Validation:
  • Generated Gateway API CRD install manifests no longer include top-level CustomResourceDefinition status fields with invalid null values, fixing strict schema validation failures in tools such as kubeconform. (#4712, @MatteoFari)
  • Replace omitempty with omitzero for supportedKinds in ListenerStatus to preserve backward compatibility for controllers reconciling older Gateway API versions. (#4551, @snorwin)
• API & Validation Fixes:
  • It is disallowed to have repeated filters of type CORS. (#4639, @DamianSawicki)
  • Limit HTTPRouteHTTPSListenerDetectMisdirectedRequests to h2 only. (#4665, @zirain)
  • Make explicit call about resource names requiring to be RFC 1035 compliant. (#4787, @rikatz)
  • Make referencegrant.spec field required. (#4845, @bexxmodd)

Test & Conformance

• New Conformance Tests:
  • Add conformance test ListenerSetAllowedRoutesCrossNamespace which verifies that a ListenerSet only allows routes in its own namespace by default. (#4841, @asauber)
  • Added a conformance test covering the Gateway Accepted condition with reason ListenersNotValid and the Listener Accepted condition with reason UnsupportedProtocol. (#4807, @snorwin)
  • Added conformance test GatewayInvalidParametersRef that verifies a Gateway referencing an invalid parameters is rejected. (#4808, @snorwin)
  • Conformance: add ListenerSet tests for Route parentRef cases. (#4912, @asauber)
  • Implement conformance test for CORS. (#4494, @rikatz)
• Test Machinery & Framework Updates:
  • Conformance: ExpectMirroredRequest now starts its log window before the requests are sent, so mirrors are not missed on high-latency data planes. (#4952, @lexfrei)
  • The default polling interval for conformance tests has been decreased. This can be modified by the new DefaultPollInterval. (#4570, @howardjohn)
  • The gRPC conformance request helper no longer closes a caller-supplied (injected) Options.GRPCClient; it closes only the DefaultClient it creates internally. This lets implementations reuse a custom gRPC client across requests. (#4953, @lexfrei)
• Updates & Fixes to Existing Tests:
  • The conflicted=false condition is not required anymore in the listener status for non-conflicted listeners. (#4642, @zhaohuabing)
  • Fix TLSRoute conformance test to stop relying on self-signed certificates. (#4930, @rikatz)
  • Fixed MeshHTTPRoute307Redirect conformance test bug where the wrong manifest was used. (#4806, @jgreeer)
  • Update Gateway version to v1 in UDP conformance test. (#4722, @cnvergence)
  • Updated the TLSRoute conformance tests to allow FINs where previously RST was asserted. (#4615, @howardjohn)

What's Changed

• Update RELEASE.md by @kflynn in #4836
• Conformance report for NGINX Gateway Fabric 2.6.0 by @ciarams87 in #4837
• gep-4768: Standardized Telemetry API (provisional) by @gkhom in #4775
• docs: Add guidance preferring GRPCRoute for gRPC by @kahirokunn in #4513
• Increase TLSRoute hostnames limit from 16 to 1024 by @alexanderstephan in #4332
• build(deps): bump the non-k8s group across 2 directories with 1 update by @dependabot[bot] in #4838
• [gep-1713] ListenerSet: Fix typos and other inconsistencies by @dprotaso in #4824
• grpc: do not require unique hostnames with http by @howardjohn in #4598
• Add Ciilum conformance report for v1.5.1 by @youngnick in #4829
• Add conformance report for Varnish Gateway v0.20.0 by @perbu in #4831
• Enable golangci-lint modernize linter by @erikgb in #4821
• conformance: add cross-namespace ListenerSet AllowedRoutes test by @asauber in #4841
• [breaking change] Remove optional marker from ReferenceGrant.Spec by @bexxmodd in #4845
• Prevent arbitrary code execution hack scripts by @bexxmodd in #4846
• Fix Stored DOM XSS in Controller Wizard by @bexxmodd in #4848
• Migrate documentation from MkDocs to Docsy by @iromanycheva-eng in #4734
• Remove legacy mkdocs files by @rikatz in #4855
• add GEP 3965: Implementation-Specific Matches by @howardjohn in #4676
• fix wizard theme compatibility for dark mode by @bexxmodd in #4857
• build(deps): bump actions/setup-node from 4.1.0 to 6.4.0 by @dependabot[bot] in #4850
• Add verify-crdify script to detect breaking changes in CRDs by @ElenaZvereva in #4830
• Secure monthly-release workflow by @bexxmodd in #4849
• build(deps-dev): bump autoprefixer from 10.4.27 to 10.5.0 in /site by @dependabot[bot] in #4852
• test: retry simulation for echo-basic backend by @snorwin in #4862
• bump controller-tools by @rikatz in #4864
• docs: fix header background color by @snorwin in #4863
• build(deps): bump the k8s-io group across 4 directories with 5 updates by @dependabot[bot] in #4865
• fix: initialize retry count map to prevent nil map panic by @snorwin in #4866
• docs: add front matter to GEP pages to fix search links by @gcs278 in #4868
• cleanup: fix docs build variable mismatch and script error handling by @samzong in #4616
• EXP: Backend Resource by @keithmattix in #4488
• Update Envoy Gateway conformance report for v1.5.1 by @jukie in #4860
• docs: ensure example files reference proper pages + update API version by @JoeyC-Dev in #4840
• docs: fix broken links in README.md by @arybolovlev in #4877
• feat(echo-basic): Add UDP Echo server by @zac-nixon in #4871
• Update UDPRoute gep to add more conformance and clarification by @rikatz in #4879
• Update TCPRoute gep to add more conformance and clarification by @rikatz in #4878
• test(conformance): Add TCPRoute conformance tests for GEP-2644 by @zac-nixon in #4874
• test(conformance): add normative tests for HTTPRoute retries by @snorwin in #4817
• test(conformance): Add UDPRoute conformance tests for GEP-2645 by @zac-nixon in #4861
• Add guidance on API documentation by @rikatz in #4160
• Set release title to tag name in monthly release workflow by @bexxmodd in #4886
• conformance: make timeout and other fields configurable via yaml by @ericdbishop in #4773
• test: enhance retry simulation with TCP failure mode and retry delay by @snorwin in #4897
• test: remove backoff from normative HTTPRoute retry tests by @snorwin in #4898
• [release-1.6] bump dependencies and remove deprecated h2c package by @k8s-infra-cherrypick-robot in #4904
• [release-1.6] Skip conformance options test to avoid replacing flags by @k8s-infra-cherrypick-robot in #4906
• [release-1.6] api: use listType=set for HTTPRoute retry status codes and validate retry attempts >= 1 by @k8s-infra-cherrypick-robot in #4907
• [release-1.6] test(conformance) Touch up L4 conformance by @k8s-infra-cherrypick-robot in #4909
• [release-1.6] test(conformance): add test for HTTPRoute retries with timeouts by @k8s-infra-cherrypick-robot in #4910
• [release-1.6] conformance: add ListenerSet tests for Route parentRefs by @k8s-infra-cherrypick-robot in #4912
• [release-1.6] feat(apis): Promote TCPRoute to v1 by @k8s-infra-cherrypick-robot in #4920
• [release-1.6] feat(apis): Promote UDPRoute to v1 by @k8s-infra-cherrypick-robot in #4923
• [release-1.6] EXP: XBackend Implementation by @k8s-infra-cherrypick-robot in #4924
• [release-1.6] stop using selfsigned certificate on tlsroute tests and reuse cert function by @k8s-infra-cherrypick-robot in #4930
• [release-1.6] conformance: check pods in namespaces by @k8s-infra-cherrypick-robot in #4944
• [release-1.6] conformance: start the mirror log window before the requests are sent by @k8s-infra-cherrypick-robot in #4952
• [release-1.6] Close only the gRPC client the request helper owns by @k8s-infra-cherrypick-robot in #4953

New Contributors

• @gkhom made their first contribution in #4775
• @alexanderstephan made their first contribution in #4332
• @perbu made their first contribution in #4831
• @ElenaZvereva made their first contribution in #4830
• @arybolovlev made their first contribution in #4877

Full Changelog: monthly-2026.05...v1.6.0-rc.1