v1.8.1

Date: June 4, 2026

Breaking changes

• Moved the Gateway API safe-upgrades ValidatingAdmissionPolicy resources out of the CRD bundle and into the gateway-helm chart templates so tools such as Flux no longer treat them as CRDs. During upgrades, two upgrade cases require action: (1) if you install Gateway API CRDs separately (e.g. with the gateway-crds-helm chart and helm install --skip-crds), the safe-upgrades ValidatingAdmissionPolicy and its binding are now rendered by the gateway-helm chart, so add Helm ownership metadata (the meta.helm.sh/release-name, meta.helm.sh/release-namespace annotations and the app.kubernetes.io/managed-by=Helm label) to the ValidatingAdmissionPolicy/safe-upgrades.gateway.networking.k8s.io and ValidatingAdmissionPolicyBinding/safe-upgrades.gateway.networking.k8s.io resources before upgrading so Helm can manage them (see https://gateway.envoyproxy.io/v1.8/install/install-helm/#installing-crds-separately); (2) if Gateway API CRDs and safe upgrade policy resources are managed by your cloud provider (or any other mechanism outside this chart), note that --skip-crds does not skip chart-templated resources, so disable rendering of the safe-upgrades ValidatingAdmissionPolicy by setting crds.gatewayAPI.safeUpgradePolicy.enabled=false (see https://gateway.envoyproxy.io/v1.8/install/install-helm/#clusters-with-compatible-provider-managed-gateway-api-crds).

Security updates

• Fixed xDS server authentication bypass in GatewayNamespaceMode, adding Unary Interceptor and validating SotW requests, refer to https://github.com/envoyproxy/gateway/security/advisories/GHSA-22xc-xg2r-9j7v.
• Fixed a path normalization bypass in the Lua validator sandbox that allowed submitted Lua to read sensitive controller files during validation, refer to https://github.com/envoyproxy/gateway/security/advisories/GHSA-wcrf-9vrr-854f.
• Fixed missing read lock when accessing the wasm HTTP server cache map, refer to https://github.com/envoyproxy/gateway/security/advisories/GHSA-8fv2-88gg-hm7q.
• Fixed an issue that caused a nil-dereference when SecurityPolicy targets TCPRoute without spec.authorization, refer to https://github.com/envoyproxy/gateway/security/advisories/GHSA-m2v6-2jmh-4c68.
• Fixed an issue that OCI layer extraction allocates memory from untrusted tar header, refer to https://github.com/envoyproxy/gateway/security/advisories/GHSA-h7pq-86h8-rp5x.
• Fixed an issue that custom backendRef cross-namespace ReferenceGrant bypass, refer to https://github.com/envoyproxy/gateway/security/advisories/GHSA-fcrp-7gc2-93g7.
• Fixed an issue that Wasm HTTP fetch decompresses gzip without output-size limit, refer to https://github.com/envoyproxy/gateway/security/advisories/GHSA-cxpq-8v7q-cg56.

New features

Bug fixes

• Fixed the xDS server in GatewayNamespaceMode serving a stale certificate after cert-manager rotation by re-reading the cert from disk on every TLS handshake.
• Fixed controller panic when processing backend tls settings.
• Fixed BackendTLSPolicy selection to prefer section name over wildcard match on the same backend.
• Fixed ClientTrafficPolicy TLS cipher validation rejecting supported IANA/RFC cipher suite names.
• Fixed Kubernetes provider namespace-scoped watches to always include the controller namespace so Envoy Gateway can read its own infrastructure resources.
• Fixed TLS secrets with non-canonical PEM formatting (e.g. unusual line endings) being passed verbatim to Envoy, which could cause BoringSSL errors such as BAD_END_LINE. Cert and key PEM data is now re-encoded to a canonical form before being delivered as xDS resources.
• Fixed MaxStreamDuration not being set on CommonHttpProtocolOptions for non-route cluster.
• Fixed egctl x status all/xroute/xpolicy failing when a Gateway API CRD (e.g. TCPRoute) is not installed in the cluster; missing CRDs are now skipped silently, or reported on stderr with -v.
• Fixed Kubernetes Service and ServiceImport appProtocol values kubernetes.io/ws and kubernetes.io/wss to force HTTP/1.1 upstream connections instead of negotiating HTTP/2, avoiding compatibility issues with WebSocket backends that do not support RFC 8441 extended CONNECT.
• Fixed Gateway getting stuck at Programmed=False after its LoadBalancer Service IP was restored, by ignoring LastTransitionTime when comparing status conditions.
• Fixed HPA maxReplicas required message typo in gateway-helm chart.
• Fixed invalid listeners blocking valid ones during conflict detection by validating each listener’s spec independently before running conflict resolution.

Performance improvements

Deprecations

Other changes