v1.8.2
Date: June 30, 2026
Breaking changes
- The `XRateLimitHeadersOptionDisabled` constant in `BackendTrafficPolicy` now correctly holds the value `"Off"` to match the CRD enum (previously `"Disabled"`). Since `"Disabled"` was never a valid CRD enum value and would have been rejected by the API server, no existing manifests are affected.
- SecurityPolicy `spec.apiKeyAuth.extractFrom` admission validation is now stricter: the list must contain at least one entry, each entry must specify exactly one of `headers`, `params`, or `cookies`, and source names must be non-empty. SecurityPolicies that previously applied with an empty or ambiguous `extractFrom` (which produced no usable API key sources) will now be rejected and must be corrected before upgrading.
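
A pre-upgrade audit for the stricter `extractFrom` rule, as an added example that is not part of the Envoy Gateway project. It approximates the admission rule as worded above (a source field counts as specified when it is a non-empty list); the function names and the sample policies are constructed for illustration.

```python
import json
import sys

SOURCE_FIELDS = ("headers", "params", "cookies")

def check_extract_from(extract_from):
    """Return the rule violations for one spec.apiKeyAuth.extractFrom value."""
    if not extract_from:
        return ["extractFrom must contain at least one entry"]
    problems = []
    for i, entry in enumerate(extract_from):
        # Assumption: a source field counts as "specified" when it is a non-empty list.
        used = [f for f in SOURCE_FIELDS if entry.get(f)]
        if len(used) != 1:
            problems.append(f"extractFrom[{i}]: needs exactly one of "
                            f"{', '.join(SOURCE_FIELDS)}; found {used or 'none'}")
        for f in used:
            if any(not name for name in entry[f]):
                problems.append(f"extractFrom[{i}].{f}: empty source name")
    return problems

def audit(policy_list):
    """Map "namespace/name" to violations for SecurityPolicies that use apiKeyAuth."""
    findings = {}
    for item in policy_list.get("items", []):
        api_key_auth = (item.get("spec") or {}).get("apiKeyAuth")
        if api_key_auth is None:
            continue  # policy does not use API key auth
        problems = check_extract_from(api_key_auth.get("extractFrom"))
        if problems:
            meta = item["metadata"]
            findings[f"{meta.get('namespace', 'default')}/{meta['name']}"] = problems
    return findings

def _policy(name, spec):  # hypothetical helper that builds one constructed sample item
    return {"kind": "SecurityPolicy", "metadata": {"namespace": "apps", "name": name}, "spec": spec}

# Constructed sample, shaped like `kubectl get securitypolicies.gateway.envoyproxy.io -A -o json`.
SAMPLE = {"items": [
    _policy("ok", {"apiKeyAuth": {"extractFrom": [{"headers": ["x-api-key"]}]}}),
    _policy("empty-sources", {"apiKeyAuth": {"extractFrom": []}}),
    _policy("ambiguous", {"apiKeyAuth": {"extractFrom": [{"headers": ["x-api-key"], "params": ["key"]}]}}),
    _policy("blank-name", {"apiKeyAuth": {"extractFrom": [{"cookies": [""]}]}}),
    _policy("no-api-key-auth", {"cors": {"allowOrigins": ["https://example.test"]}}),
]}

if __name__ == "__main__":
    # Pass a file holding the kubectl JSON output; without one the sample is audited.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for policy, problems in audit(data).items():
        print(policy, *problems, sep="\n  ")
```

Any policy the audit reports should be corrected while still on the current version, since the upgraded admission validation will reject it on the next apply.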
Security updates
New features
- Added support for disabling the `crds` dependency on the gateway-helm chart via `crds.enabled` variable.
Bug fixes
- Fixed API key auth credential ordering to avoid unnecessary xDS updates.
- Fixed the EnvoyProxy resource not allowing IPv6 ranges in loadBalancerSourceRanges when configuring the envoy service.
- Fixed HTTPRoute, GRPCRoute, TLSRoute, TCPRoute, and UDPRoute Accepted condition being set to False when an attached listener is not programmed due to a missing TLS certificate ref; listener programmed state is now correctly separated from route acceptance.
- Fixed Backend TLS `alpnProtocols: []` to disable upstream ALPN instead of inheriting EnvoyProxy BackendTLS defaults.
- Fixed BackendTrafficPolicy rate limit validation failing on Kubernetes 1.36, which now cross-validates integer ranges against their configured maximum, by validating the affected field as int64.
- Fixed the generated `install.yaml` creating a duplicate ValidatingAdmissionPolicy and its binding which caused `kustomize build` to fail with a duplicate resource error.
- Fixed an `ExternalName` Service referenced as a route backend producing an invalid xDS cluster (with an empty address) that failed IR validation and stalled config delivery for the whole snapshot. `ExternalName` Services are now explicitly rejected as backends with a `ResolvedRefs: False` route condition; use an Envoy Gateway `Backend` resource with an FQDN endpoint instead.
- Fixed ListenerSet hostname conflict resolution to apply listener precedence: Gateway-owned listeners win over ListenerSet listeners, and among ListenerSet listeners the first in processing order wins. Conflicted ListenerSet listeners now correctly report Accepted=False with the conflict reason. The Gateway’s AttachedListenerSets count now only reflects ListenerSets with at least one accepted listener.
- Fixed Gateway status reporting `Programmed: False` with reason `AddressNotAssigned` when the Envoy LoadBalancer service has no load balancer ingress (e.g. bare-metal clusters without a load balancer controller) but has addresses configured in `spec.externalIPs`, such as via an EnvoyProxy service patch. The external IPs are now used as a fallback for the Gateway status addresses.
- Fixed EnvoyGateway config hot-reload to apply defaults before validation, so validators always run against a fully-defaulted struct on both the startup and reload paths.
- Fixed HTTPRoute per-retry timeout (derived from `rule.timeouts.backendRequest`) not being applied when no retry backoff was configured.
- Fixed shared global rate limit rules with a `cost` field not working as expected.
Performance improvements
Deprecations
Other changes