v1.6.2

  less than a minute  

Date: January 12, 2026

Breaking changes

Security updates

  • Fixed CVE-2026-22771: arbitrary code execution through EnvoyExtensionPolicy Lua scripts.

New features

  • Change benchmark report to JSON format.

Bug fixes

  • Fixed an issue where BackendTrafficPolicy does not validate maximum value of requestBuffer limit.
  • Fixed an issue where observedGeneration is missing from the EnvoyPatchPolicy status.
  • Fixed a nil pointer error when applying BackendTrafficPolicy to HTTPRoutes with no backendRefs.
  • Fixed ExternalTrafficPolicy not being applied to Envoy Service when ServiceType is NodePort.
  • Fixed CRL ref not processed by gateway controller.

Performance improvements

Deprecations

Other changes


Last modified January 13, 2026: chore: remove lint.whitenoise and enable markdown lint MD009 (#7887) (8eabdb2)