v1.7.2
2 minute read
Date: April 16, 2026
Breaking changes
Security updates
- Bump golang to
1.25.9for security fixes to thecrypto/tlsandcrypto/x509packages. - Bump Envoy Proxy image to v1.37.2 for fixing several bugs. For more details, please refer to the Envoy Proxy v1.37.2 release notes.
- Bump Envoy ratelimit image to
05c08d03.
New features
Bug fixes
- Rejected ClientTrafficPolicy if invalid TLS cipher suites are configured.
- Fixed validation of XListenerSet certificateRefs
- Fixed standalone mode emitting non-actionable error logs for missing secrets and unsupported ratelimit deletion on every startup.
- Fixed xPolicy resources being processed from all namespaces when NamespaceSelector watch mode is configured in the Kubernetes provider.
- Fixed route status parent aggregation when the number of parents exceeds the Gateway API cap of 32.
- Fixed ratelimit deployment missing metrics container port (19001), which prevented PodMonitor/ServiceMonitor from targeting the metrics endpoint.
- Fixed GRPCRoute RequestMirror filter backend not being indexed, causing “service not found” errors for mirror targets that exist in the cluster.
- Fixed GRPCRoute not detecting conflicting RequestMirror and DirectResponse filters, which caused the mirror to be silently dropped.
- Fixed per-endpoint hostname override not working because the auto-generated wildcard hostname.
- Fixed Basic Authentication failing when htpasswd secrets use CRLF line endings by normalizing to LF before passing to Envoy.
- BackendTLSPolicy was ignored when configuring TLS for telemetry backends (access logs, tracing, metrics).
- Fixed client certificate secret never delivered when it is exclusively referenced by a SecurityPolicy
extAuth/jwt/oidcBackend. - Fixed xRoute status condition when route has mirror filter and the mirror backend has no endpoints.
- Fixed gateway-helm RBAC in GatewayNamespace mode with explicit
watch.namespaceslist by adding controller-namespace secret read permissions to infra-manager.
Performance improvements
- Reduced chances of listener drain due to Lua policy updates by migrating to LuaPerRoute.
Deprecations
Other changes
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.