Introduction
The Kubernetes SIG Network community has delivered a significant milestone with the release of Gateway API v1.5, announced on February 27, 2026. This version marks the largest update yet, focusing on promoting six widely-requested features from the Experimental channel to the Standard (GA) channel. The v1.5.1 patch release is already available, ensuring stability and addressing immediate feedback. Special thanks go to all Gateway API contributors for their tireless efforts in making this release possible.
A New Release Process for Consistency
Starting with v1.5, the Gateway API project has adopted a release train model inspired by the Kubernetes SIG Release workflow. Under this model, a feature freeze date is set, and any features that are complete—including their documentation—are included in the release. This approach ensures a predictable cadence and higher quality, as incomplete features are not rushed out. The release team now includes dedicated Release Manager and Release Shadow roles. Kudos to Flynn (Buoyant) and Beka Modebadze (Google) for coordinating the first release under this new process; they will continue to lead future releases.
Six Features Graduate to Standard
The v1.5 release promotes the following experimental features to the Standard channel:
- ListenerSet – Enables independent listener definitions that can be merged onto a Gateway.
- TLSRoute – Provides TLS-aware routing for non-HTTP protocols.
- HTTPRoute CORS Filter – Simplifies cross-origin resource sharing configuration directly in HTTP routes.
- Client Certificate Validation – Enhances security by validating client certificates at the Gateway level.
- Certificate Selection for Gateway TLS Origination – Allows fine-grained control over which client certificates the Gateway presents when it originates TLS connections to backends.
- ReferenceGrant – Enables cross-namespace references while maintaining security boundaries.
ListenerSet: Revolutionizing Multi-Tenant Gateways
Before ListenerSet, all listeners had to be defined directly on the Gateway object. While this worked for simple setups, it created coordination challenges in multi-tenant environments. Platform teams and application teams often had to edit the same Gateway, risking conflicts. Delegating ownership of individual listeners was cumbersome, and extending Gateways required direct modification of the original resource.
ListenerSet solves these problems by allowing listeners to be defined as independent resources that can be attached to a target Gateway. This enables:
- Safe delegation of listener management to different teams.
- Support for more than 64 listeners on a single Gateway—critical for large-scale deployments.
- Separation of concerns between infrastructure and application operators.
How it works: A ListenerSet resource attaches to a Gateway (or multiple Gateways) and contributes one or more listeners. The Gateway controller merges listeners from both the Gateway’s own listeners field and any attached ListenerSets. Note that the Gateway’s listeners field remains mandatory and must contain at least one valid listener.
For example, a central infrastructure team can define a base Gateway with a default HTTP listener, while two separate application teams create ListenerSet resources in their own namespaces. Each ListenerSet attaches to the same Gateway, adding listeners without requiring direct edits to the Gateway object. This model simplifies large-scale, multi-tenant ingress management.
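The merge described above can be modelled in Python; this is an added illustration, not code from the Gateway API project or from any controller. The namespaces, resource names and manifests are constructed, and the `allowedListeners` gate (treated as deny by default) and the first-claimant conflict rule are simplifying assumptions about controller behaviour.

```python
# Added example: simplified ListenerSet merge. All manifests are constructed sample data.

def listener_set_allowed(gateway, ls):
    """Apply the Gateway's spec.allowedListeners.namespaces.from policy."""
    policy = gateway["spec"].get("allowedListeners", {}).get("namespaces", {}).get("from", "None")
    if policy == "All":
        return True
    if policy == "Same":
        return ls["metadata"]["namespace"] == gateway["metadata"]["namespace"]
    return False  # "None", and "Selector" (not modelled here), fail closed

def merge_listeners(gateway, listener_sets):
    """Return (effective, rejected). The Gateway's own listeners are considered first."""
    gw = gateway["metadata"]
    sources = [(f"Gateway/{gw['namespace']}/{gw['name']}", gateway["spec"]["listeners"])]
    rejected = []
    for ls in sorted(listener_sets, key=lambda s: (s["metadata"]["namespace"], s["metadata"]["name"])):
        meta, ref = ls["metadata"], ls["spec"]["parentRef"]
        owner = f"ListenerSet/{meta['namespace']}/{meta['name']}"
        if (ref.get("namespace", meta["namespace"]), ref["name"]) != (gw["namespace"], gw["name"]):
            continue  # attached to some other Gateway
        if listener_set_allowed(gateway, ls):
            sources.append((owner, ls["spec"]["listeners"]))
        else:
            rejected.append((owner, "namespace not permitted by allowedListeners"))
    effective, seen = [], set()
    for owner, listeners in sources:
        for lis in listeners:
            key = (lis["port"], lis["protocol"], lis.get("hostname", "*"))
            if key in seen:  # assumed rule: the first claimant keeps the slot
                rejected.append((owner, f"{lis['name']}: conflicts on {key}"))
            else:
                seen.add(key)
                effective.append((owner, lis["name"]))
    return effective, rejected

def _ls(ns, name, listeners):  # builds a constructed ListenerSet targeting infra/shared-gw
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"parentRef": {"namespace": "infra", "name": "shared-gw"},
                     "listeners": listeners}}

GATEWAY = {"metadata": {"namespace": "infra", "name": "shared-gw"},
           "spec": {"allowedListeners": {"namespaces": {"from": "All"}},
                    "listeners": [{"name": "http", "port": 80, "protocol": "HTTP"}]}}
LISTENER_SETS = [
    _ls("team-a", "a-listeners", [{"name": "a-https", "port": 443, "protocol": "HTTPS", "hostname": "a.example.com"}]),
    _ls("team-b", "b-listeners", [{"name": "b-https", "port": 443, "protocol": "HTTPS", "hostname": "b.example.com"},
                                  {"name": "b-http", "port": 80, "protocol": "HTTP"}]),
]
print(merge_listeners(GATEWAY, LISTENER_SETS))
```

In the sample, team-b's plain-HTTP listener is rejected because it collides with the infrastructure team's port 80 listener, and removing `allowedListeners` from the Gateway rejects both delegated sets.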
Other Promoted Features at a Glance
TLSRoute
This feature extends Gateway API to handle TLS-encrypted traffic beyond HTTP. TLSRoute allows routing of raw TLS connections based on SNI (Server Name Indication), enabling use cases like secure database connections or custom protocol handling.
HTTPRoute CORS Filter
Configure CORS headers directly within HTTPRoute rules, eliminating the need for sidecar proxies or backend application logic. This filter provides fine-grained control over allowed origins, methods, and headers, simplifying frontend-backend integration.
Client Certificate Validation
This feature enforces mutual TLS (mTLS) at the Gateway level by validating client certificates. It supports revocation checks and certificate chain validation, adding a robust security layer for service-to-service communication.
Certificate Selection for Gateway TLS Origination
When a Gateway originates TLS connections to backend services, this feature allows selecting specific certificates from Secrets based on the target service. This is valuable in environments where different backends require different client certificates.
ReferenceGrant
ReferenceGrant enables cross-namespace references in Gateway API resources (e.g., a Route referencing a Secret in another namespace) while respecting security policies. It provides an explicit opt-in mechanism, preventing unauthorized access to resources.
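The opt-in check can be expressed as code (added example, not Gateway API project code): a cross-namespace reference is honoured only when a ReferenceGrant in the target's own namespace names the referring group, kind and namespace together with the target kind, and optionally the target name. All namespaces, resource names, the `Ref` tuple and the `grant` helper are constructed for illustration.

```python
# Added example: audit cross-namespace references against ReferenceGrants.
# Grants and references below are constructed sample data.
from collections import namedtuple

GW = "gateway.networking.k8s.io"   # API group of Gateway and HTTPRoute
Ref = namedtuple("Ref", "from_group from_kind from_ns to_group to_kind to_ns to_name")

def grant(ns, from_kind, from_ns, to_kind, to_name=None):
    """Build a constructed ReferenceGrant that lives in namespace `ns`."""
    to = {"group": "", "kind": to_kind}   # "" is the core group (Secret, Service)
    if to_name:
        to["name"] = to_name
    return {"kind": "ReferenceGrant", "metadata": {"namespace": ns},
            "spec": {"from": [{"group": GW, "kind": from_kind, "namespace": from_ns}],
                     "to": [to]}}

def reference_allowed(ref, grants):
    if ref.from_ns == ref.to_ns:
        return True                      # same-namespace references need no grant
    for g in grants:
        if g["metadata"]["namespace"] != ref.to_ns:
            continue                     # only the target namespace's owner can opt in
        from_ok = any((f["group"], f["kind"], f["namespace"]) ==
                      (ref.from_group, ref.from_kind, ref.from_ns) for f in g["spec"]["from"])
        to_ok = any((t["group"], t["kind"]) == (ref.to_group, ref.to_kind)
                    and t.get("name") in (None, ref.to_name) for t in g["spec"]["to"])
        if from_ok and to_ok:
            return True
    return False

def denied(refs, grants):
    """References a controller should refuse to resolve."""
    return [r for r in refs if not reference_allowed(r, grants)]

GRANTS = [
    grant("certs", "Gateway", "infra", "Secret", "wildcard-tls"),
    grant("backend", "HTTPRoute", "team-a", "Service"),
    grant("team-b", "HTTPRoute", "team-b", "Service"),  # wrong namespace: opens nothing in "backend"
]
REFS = [
    Ref(GW, "Gateway", "infra", "", "Secret", "certs", "wildcard-tls"),   # allowed by name
    Ref(GW, "Gateway", "infra", "", "Secret", "certs", "internal-ca"),    # name not granted
    Ref(GW, "HTTPRoute", "team-a", "", "Service", "backend", "api"),      # allowed
    Ref(GW, "HTTPRoute", "team-b", "", "Service", "backend", "api"),      # team-b not granted
    Ref(GW, "HTTPRoute", "team-a", "", "Service", "team-a", "web"),       # same namespace
]
print(denied(REFS, GRANTS))
```

The third grant shows the property that matters for isolation: a tenant cannot grant itself access by creating a ReferenceGrant in its own namespace.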
Looking Ahead
With v1.5, Gateway API solidifies its position as the future of Kubernetes ingress and service networking. The new release train model ensures regular, reliable updates, while the graduation of these six features addresses real-world demands for scalability, security, and multi-tenancy. The community encourages users to explore the ListenerSet and other promoted features, and to provide feedback for future iterations.