v1.7.5
2 minute read
Date: July 8, 2026
Breaking changes
Security updates
- Bumped Envoy to
1.37.5(through1.37.4), which includes multiple security fixes. Refer to the Envoy 1.37.5 release notes. - Bumped Envoy ratelimit image to
f2fb1577. - Bumped Go to 1.26.5 and 1.25.12, which includes security fixes to the
crypto/tlsandospackages.
New features
Bug fixes
- Fixed the EnvoyProxy resource not allowing IPv6 ranges in loadBalancerSourceRanges when configuring the envoy service.
- Fixed Backend TLS
alpnProtocols: []to disable upstream ALPN instead of inheriting EnvoyProxy BackendTLS defaults. - Fixed API key auth credential ordering to avoid unnecessary xDS updates.
- Fixed an
ExternalNameService referenced as a route backend producing an invalid xDS cluster (with an empty address) that failed IR validation and stalled config delivery for the whole snapshot.ExternalNameServices are now explicitly rejected as backends with aResolvedRefs: Falseroute condition; use an Envoy GatewayBackendresource with an FQDN endpoint instead. - Fixed Gateway status reporting
Programmed: Falsewith reasonAddressNotAssignedwhen the Envoy LoadBalancer service has no load balancer ingress (e.g. bare-metal clusters without a load balancer controller) but has addresses configured inspec.externalIPs, such as via an EnvoyProxy service patch. The external IPs are now used as a fallback for the Gateway status addresses. - Fixed EnvoyGateway config hot-reload to apply defaults before validation, so validators always run against a fully-defaulted struct on both the startup and reload paths.
- Fixed a nil-pointer panic when
provider.kubernetes.deployis configured without atype. - Fixed DaemonSet pod not using the configured custom ServiceAccount name.
- Fixed the rate limit
requestsCRD field to useformat: int64so Kubernetes 1.36 accepts themaximumconstraint.
Performance improvements
Deprecations
Other changes
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.