2026-05-02 09:57:30

Gateway API v1.5: 7 Crucial Upgrades You Need to Know About

Gateway API v1.5 promotes 6 features to stable and introduces a new release process. Learn about ListenerSet, TLSRoute, CORS Filter, mTLS validation, certificate selection, and ReferenceGrant.

Welcome to the biggest release of the Kubernetes Gateway API yet! Version 1.5, announced on February 27, 2026, marks a major step forward by promoting six highly anticipated experimental features to the Standard (Stable) channel. Alongside these feature upgrades, the project itself has adopted a new release process designed for greater reliability and predictability. Whether you're a platform engineer managing multi-tenant clusters or an application developer configuring ingress, these changes directly impact how you build and manage networking in Kubernetes. In this article, we break down the seven most important developments in Gateway API v1.5, from the new release train model to each of the newly stabilized features. Let's dive in.

1. New Release Process: Streamlined Cadence

Gateway API v1.5 introduces a release train model, aligning the project with the proven approach used by Kubernetes SIG Release. Under this model, a feature freeze date is set, and any features ready by that date—both experimental and standard—are shipped together. If the documentation isn't complete, the feature doesn't ship. This shift ensures a more predictable cadence and higher quality releases. The project also formalized Release Manager and Release Shadow roles, with Flynn (Buoyant) and Beka Modebadze (Google) coordinating the v1.5 effort. Their work smoothed out rough edges in the process, and they will continue leading future releases. For contributors and users alike, this means clearer timelines and fewer surprises.

2. ListenerSet: Scalable Listener Management

Before v1.5, all listeners had to be defined directly on the Gateway object. That worked for simple setups but created headaches in complex, multi‑tenant environments. Platform teams and application teams often needed to coordinate changes to the same Gateway, safely delegating ownership of individual listeners was tricky, and extending an existing Gateway required modifying the original resource. ListenerSet (GEP-1713) solves these problems by letting you define listeners independently and merge them onto a target Gateway. It also raises the listener limit beyond 64, crucial for large deployments with many hostnames. The Gateway's listener field remains mandatory, but ListenerSet adds flexibility without sacrificing control. For example, a central infrastructure team can define a Gateway with a default HTTP listener, while two application teams each contribute their own ListenerSet resources in separate namespaces—all attaching to the same Gateway. This separation of concerns is a game changer for platform engineers.

3. TLSRoute: Dedicated TLS Routing

TLSRoute has moved from experimental to stable, giving you a native way to route TLS‑encrypted traffic based on the Server Name Indication (SNI) field. Previously, TLS routing often required workarounds or custom controllers. Now, you can declaratively define how TLS‑terminated traffic flows to backend services, simplifying mutual TLS and certificate management. This feature is especially valuable for service meshes and any scenario where you need fine‑grained control over encrypted connections without exposing plaintext inside the cluster.

4. HTTPRoute CORS Filter: Cross‑Origin Requests Made Easy

Managing Cross‑Origin Resource Sharing (CORS) in Kubernetes has traditionally been a manual, inconsistent task. The new HTTPRoute CORS Filter, now stable, allows you to specify CORS headers directly in your HTTPRoute resource. You can define allowed origins, methods, headers, and credentials policies without modifying backend applications or adding sidecars. This promotes consistent, declarative CORS handling across all your services, reducing misconfiguration and improving security posture for web applications.
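
Because the CORS policy now lives in the HTTPRoute itself, it can be linted before it is applied. The following is an added example, not code from the Gateway API project: it checks the filter's `allowOrigins` and `allowCredentials` fields in a manifest already parsed into a dict. The severities, function name and sample route are assumptions made for illustration.

```python
# Added example (not from the Gateway API project): lint CORS filters in an
# HTTPRoute manifest that has already been parsed into a dict.

def cors_findings(route):
    """Return (rule_index, severity, message) tuples for risky CORS settings."""
    findings = []
    for idx, rule in enumerate(route["spec"].get("rules", [])):
        for flt in rule.get("filters", []):
            if flt.get("type") != "CORS":
                continue  # other filter types are out of scope here
            cors = flt.get("cors", {})
            with_creds = cors.get("allowCredentials") is True
            for origin in cors.get("allowOrigins", []):
                if origin == "*" and with_creds:
                    findings.append((idx, "high", "any origin allowed with credentials"))
                elif origin == "*":
                    findings.append((idx, "medium", "any origin allowed"))
                elif origin.startswith("http://"):
                    findings.append((idx, "medium", "plaintext origin " + origin))
            if "*" in cors.get("allowHeaders", []) and with_creds:
                findings.append((idx, "low", "wildcard request headers with credentials"))
    return findings

# Constructed sample: rule 0 is the weak form, rule 1 the tightened one.
SAMPLE_ROUTE = {
    "apiVersion": "gateway.networking.k8s.io/v1",
    "kind": "HTTPRoute",
    "metadata": {"name": "shop", "namespace": "team-a"},
    "spec": {"rules": [
        {"filters": [{"type": "CORS", "cors": {
            "allowOrigins": ["*"], "allowCredentials": True,
            "allowMethods": ["GET", "POST"]}}]},
        {"filters": [{"type": "CORS", "cors": {
            "allowOrigins": ["https://shop.example.com"],
            "allowCredentials": True,
            "allowMethods": ["GET"], "allowHeaders": ["Content-Type"]}}]},
    ]},
}

if __name__ == "__main__":
    for finding in cors_findings(SAMPLE_ROUTE):
        print(finding)
```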

5. Client Certificate Validation: Secure mTLS Connections

Mutual TLS (mTLS) requires verifying client certificates, but until now Gateway API lacked a standardized way to configure validation. The newly stable Client Certificate Validation feature fills that gap. It lets you specify required client certificate parameters—such as allowed subject names and issuer details—directly in the Gateway or route configuration. This enables zero‑trust networking patterns where every connection is authenticated on both sides, without relying on external admission controllers or custom annotations. Platform teams can now enforce strong mTLS policies across the entire gateway infrastructure.

6. Certificate Selection for Gateway TLS Origination

When a Gateway originates TLS connections to backend services (e.g., for TLS passthrough or re‑encryption), it needs to select the right certificate. The stable Certificate Selection feature provides a clean way to reference certificates from Secrets, with support for advanced selection criteria like issuer and key usage. This eliminates the need for manual certificate injection or complex mutating webhooks. For large deployments with many services, automated certificate selection reduces operational overhead and improves security by ensuring the correct certificate is always used.

7. ReferenceGrant: Controlled Cross‑Namespace References

Kubernetes Network Policy and Gateway API often require referencing resources across namespaces—for example, a Route in namespace A pointing to a Service in namespace B. ReferenceGrant, now stable, provides a secure, explicit mechanism for granting such cross‑namespace access. Administrators create a ReferenceGrant object in the target namespace, specifying the source namespace and the kinds of references allowed. This replaces earlier ad‑hoc methods and aligns with Kubernetes security best practices by ensuring that no cross‑namespace reference works without explicit permission.
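
The matching rule described above can be written out as a small checker. This is an added example, not the project's own code: it resolves each `backendRefs` entry of an HTTPRoute and reports the cross-namespace targets that no ReferenceGrant in the target namespace covers. The manifests are constructed samples given as parsed dicts, and the function names and namespaces are assumptions.

```python
# Added example: ReferenceGrant evaluation for HTTPRoute backendRefs.
# Manifests are constructed samples, written as already-parsed dicts.
ROUTE_GROUP = "gateway.networking.k8s.io"

def backend_refs(route):
    """Yield one reference per backendRef, applying the API defaults."""
    ns = route["metadata"]["namespace"]
    for rule in route["spec"].get("rules", []):
        for b in rule.get("backendRefs", []):
            yield {"from": (ROUTE_GROUP, route["kind"], ns),
                   "to": (b.get("group", ""), b.get("kind", "Service"),
                          b.get("namespace", ns), b["name"])}

def allowed(ref, grants):
    """True if the reference is same-namespace or covered by a grant."""
    t_group, t_kind, t_ns, t_name = ref["to"]
    if ref["from"][2] == t_ns:
        return True  # same-namespace references need no grant
    for g in grants:
        if g["metadata"]["namespace"] != t_ns:
            continue  # a grant only covers targets in its own namespace
        spec = g["spec"]
        from_ok = any((f["group"], f["kind"], f["namespace"]) == ref["from"]
                      for f in spec["from"])
        # An omitted name in a "to" entry covers every object of that kind.
        to_ok = any((t["group"], t["kind"]) == (t_group, t_kind)
                    and t.get("name") in (None, t_name) for t in spec["to"])
        if from_ok and to_ok:
            return True
    return False

def denied(route, grants):
    """Targets referenced by the route that no grant permits."""
    return [r["to"] for r in backend_refs(route) if not allowed(r, grants)]

GRANT = {"kind": "ReferenceGrant",
         "metadata": {"name": "from-team-a", "namespace": "team-b"},
         "spec": {"from": [{"group": ROUTE_GROUP, "kind": "HTTPRoute",
                            "namespace": "team-a"}],
                  "to": [{"group": "", "kind": "Service", "name": "api"}]}}
ROUTE = {"kind": "HTTPRoute",
         "metadata": {"name": "web", "namespace": "team-a"},
         "spec": {"rules": [{"backendRefs": [
             {"name": "local", "port": 80},
             {"name": "api", "namespace": "team-b", "port": 80},
             {"name": "admin", "namespace": "team-b", "port": 80}]}]}}

if __name__ == "__main__":
    print(denied(ROUTE, [GRANT]))
```

Dropping `name` from the `to` entry would open every Service in `team-b` to routes from `team-a`, so name-less grants are worth flagging in review.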

Conclusion

Gateway API v1.5 is a landmark release, bringing crucial scalability, security, and usability improvements to the Standard channel. From the new release train model that promises a more predictable future, to each of the six stabilized features—ListenerSet, TLSRoute, CORS Filter, Client Certificate Validation, Certificate Selection, and ReferenceGrant—these changes address real‑world pain points for both platform teams and application developers. Combined, they make Gateway API an even more robust foundation for Kubernetes networking. To get started, check out the official Gateway API documentation and the v1.5.1 patch release already available. Whether you're migrating from Ingress or expanding an existing Gateway setup, these features will help you build more maintainable, secure, and scalable networks. We thank the entire SIG Network community and the release team for their dedication to making this release possible.