Releases: kgateway-dev/kgateway
Release list
v2.2.9
🎉 Welcome to the v2.2.9 release of the kgateway project!
Release Notes
Changes since v2.2.8
Bug Fixes
- Fix a reconnect-time xDS race where Envoy could briefly receive routes and listeners before all referenced backend clusters were present, causing transient NC/500 responses during controller restart. Uses a brief first-connect grace period (configurable via KGW_XDS_FIRST_CONNECT_DELAY). (#13868, #14386)
- Fixed TrafficPolicy retry translation for HTTPS listeners by applying retry policy at route level. (#14304)
- Fixed north-south traffic to a global service continuing to route to a local pod for the duration of its termination grace period. kgateway now drains a terminating pod (deletionTimestamp set) from ServiceEntry-derived endpoints and fails over to a healthy peer-cluster endpoint, consistent with the east-west (ztunnel) path and the Kubernetes Service backend path. (#14334)
- Fixed TrafficPolicy validation to include retry and timeout configuration. (#14337)
- kgateway no longer overwrites an existing Kubernetes Service for a Gateway unless the Service has a matching Gateway ownerReference or kgateway ownership metadata. (#14350)
- Fixed TrafficPolicy retry translation for HTTPS listeners by applying retry policy at route level. (#14392)
Installation
The kgateway project is available as a Helm chart and docker images.
Helm Charts
The Helm charts are available at:
Docker Images
The docker images are available at:
- cr.kgateway.dev/kgateway-dev/kgateway:v2.2.9
- cr.kgateway.dev/kgateway-dev/sds:v2.2.9
- cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.2.9
Quickstart
Try installing this release:
helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.2.9 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.2.9 --namespace kgateway-system --create-namespace
For detailed installation instructions and next steps, please visit our quickstart guide.
v2.4.0-beta.1
🎉 Welcome to the v2.4.0-beta.1 release of the kgateway project!
Release Notes
Changes since v2.4.0-alpha.2
New Features
- Envoy routes generated by kgateway now carry a
io.kgateway.route_source
filter metadata entry with the originating xRoute's kind, group, name,
namespace, and rule name — enabling tracing correlation and access-log
filtering against route origin.
(#13620) - Added asyncFetch and retryPolicy options to the JWT provider remote JWKS configuration, enabling asynchronous JWKS fetching/caching and retries with exponential backoff. (#14211)
- Add support for Gateway API 1.6.0 (#14245)
- Add internal redirect feature in TrafficPolicy (#14261)
- Added support for excluding Istio ServiceEntries from kgateway ServiceEntry backend and endpoint discovery using Kubernetes label selectors. (#14328)
- TrafficPolicy retry configuration is now applied at the route level instead of the virtual host level, making retry policy precedence between TrafficPolicy and the builtin HTTPRouteRetry policy explicit and consistent. (#14360)
- Added a new
priorityGroupsbackend type to the Backend API, enabling active/passive failover between static backends. Each group in the ordered list becomes an Envoy priority level; traffic fails over to the next group when the preceding groups' endpoints are unhealthy, and recovers automatically. Combine with an active health check via BackendConfigPolicy to drive failover. (#14379) - added get cookie functions to transformation template funcion (#14385)
Bug Fixes
- Fix a reconnect-time xDS race where Envoy could briefly receive routes and listeners before all referenced backend clusters were present, causing transient NC/500 responses during controller restart. (#13868)
- Fixed two HTTPListenerPolicy/DirectResponse cases where an IR field could be compared by pointer identity instead of value, causing spurious re-translations. (#14331)
- Fixed north-south traffic to a global service continuing to route to a local pod for the duration of its termination grace period. kgateway now drains a terminating pod (deletionTimestamp set) from ServiceEntry-derived endpoints and fails over to a healthy peer-cluster endpoint, consistent with the east-west (ztunnel) path and the Kubernetes Service backend path. (#14332)
- Fixed a bug where a TrafficPolicy timeout (and other route-level settings) targeting a Gateway HTTP listener section was silently ignored. (#14374)
- Fix a bug where per-client xDS snapshots could be withheld indefinitely (reverts #13868/#13958), stranding running gateway pods on stale endpoints and starving newly created pods of any configuration until they crashloop. The control plane now publishes snapshots unconditionally and instead delays each newly connected client's first xDS response by a short grace period (default 1s, configurable via KGW_XDS_FIRST_CONNECT_DELAY; 0 disables) so per-client translation can converge before the first snapshot is served. Trade-off: in environments where per-client translation exceeds the grace period, a controller restart can once again cause a brief, self-healing burst of upstream-connect (NC) errors on reconnecting proxies; raise KGW_XDS_FIRST_CONNECT_DELAY if you observe this. (#14380)
Contributors
Thanks to all the contributors who made this release possible:
Installation
The kgateway project is available as a Helm chart and docker images.
Helm Charts
The Helm charts are available at:
Docker Images
The docker images are available at:
- cr.kgateway.dev/kgateway-dev/kgateway:v2.4.0-beta.1
- cr.kgateway.dev/kgateway-dev/sds:v2.4.0-beta.1
- cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.4.0-beta.1
Quickstart
Try installing this release:
helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.4.0-beta.1 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.4.0-beta.1 --namespace kgateway-system --create-namespace
For detailed installation instructions and next steps, please visit our quickstart guide.
v2.3.6
🎉 Welcome to the v2.3.6 release of the kgateway project!
Release Notes
Changes since v2.3.5
New Features
- Added support for excluding Istio ServiceEntries from kgateway ServiceEntry backend and endpoint discovery using Kubernetes label selectors. (#14328)
- Added support for excluding Istio ServiceEntries from kgateway ServiceEntry backend and endpoint discovery using Kubernetes label selectors. (#14359)
Bug Fixes
- Fixed a bug where a Gateway, Route, Backend, or ListenerSet status observedGeneration could intermittently freeze at a stale value after a spec change, due to a skew between the translation cache and the status syncer's cache. (#14302)
- Fixed TrafficPolicy retry translation for HTTPS listeners by applying retry policy at route level. (#14304)
- Fixed two HTTPListenerPolicy/DirectResponse cases where an IR field could be compared by pointer identity instead of value, causing spurious re-translations. (#14331)
- Fixed north-south traffic to a global service continuing to route to a local pod for the duration of its termination grace period. kgateway now drains a terminating pod (deletionTimestamp set) from ServiceEntry-derived endpoints and fails over to a healthy peer-cluster endpoint, consistent with the east-west (ztunnel) path and the Kubernetes Service backend path. (#14335)
- Fixed TrafficPolicy validation to include retry and timeout configuration. (#14336)
- Fixed HttpListenerPolicy and DirectResponse being re-translated unnecessarily because their IR Equals methods compared pointer-bearing fields by identity instead of by value. (#14342)
- kgateway no longer overwrites an existing Kubernetes Service for a Gateway unless the Service has a matching Gateway ownerReference or kgateway ownership metadata. (#14351)
- Reverted the per-client xDS whole-snapshot readiness gates, which could withhold a gateway's configuration indefinitely when it referenced a backend that can never become ready (for example an ExternalName Service) — stranding already-connected proxies on stale endpoints and crash-looping newly started proxy pods. Readiness is now handled by a bounded per-stream first-connect grace period (configurable via KGW_XDS_FIRST_CONNECT_DELAY, defaulting to 1s). (#14387)
Cleanup
- Fixed GatewayExtension equality to include the object source, and Listener equality to ignore parent object metadata churn (e.g. resourceVersion bumps from status writes), preventing missed updates and spurious recomputation. (#14248)
Contributors
Thanks to all the contributors who made this release possible:
Installation
The kgateway project is available as a Helm chart and docker images.
Helm Charts
The Helm charts are available at:
Docker Images
The docker images are available at:
- cr.kgateway.dev/kgateway-dev/kgateway:v2.3.6
- cr.kgateway.dev/kgateway-dev/sds:v2.3.6
- cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.3.6
Quickstart
Try installing this release:
helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.3.6 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.3.6 --namespace kgateway-system --create-namespace
For detailed installation instructions and next steps, please visit our quickstart guide.
v2.4.0-alpha.2
🎉 Welcome to the v2.4.0-alpha.2 release of the kgateway project!
Release Notes
Changes since v2.4.0-alpha.1
New Features
- Added BackendConfigPolicy zone-aware routing with native Envoy prefer-local and force-local support, including bootstrap locality wiring for Envoy proxies. (#13978)
- Add
requestAttributesfield toGatewayExtensionext_proc config, allowing
Envoy attributes (e.g.source.address) to be forwarded to ext_proc servers.
(#14109) - Added Envoy local reply configuration to
ListenerPolicy(#14146) - Added an
AssumeRoleAWS auth type to the Backend API (spec.aws.auth.assumeRole) for per-Backend STS role chaining, used for both Lambda request signing and EC2 instance discovery. The previousspec.aws.ec2.roleArnfield is replaced byspec.aws.auth.assumeRole.roleArn. (#14148) - EC2 backends now report an
EndpointsDiscoveredstatus condition reflecting whether runtime endpoint discovery succeeded, including credential, authorization, and zero-match failures. (#14173) - added reference grant mode (#14209)
- Added support for GatewayHTTPListenerIsolation conformance behavior for HTTP listeners. (#14234)
Bug Fixes
- kgateway no longer overwrites an existing Kubernetes Service for a Gateway unless the Service has a matching Gateway ownerReference or kgateway ownership metadata. (#14145)
- Fixed a bug where a BackendConfigPolicy health check host (HTTP host or gRPC authority) was ignored for Static backends because the endpoint-level hostname overrode it, causing health checks to use the wrong Host header. (#14201)
- Fixed route Hostname/ServiceEntry backendRefs to the requested port on multi-port hosts (#14212)
- Advertise support for the Gateway API BackendTLSPolicySANValidation conformance feature. (#14214)
- ServiceEntry clusters with workloadSelector-backed pod endpoints now respect pod readiness: NotReady pods are excluded from routing, matching the EndpointSlice-based Service behavior and enabling locality failover when all locally selected pods are NotReady. WorkloadEntry and inline ServiceEntry endpoints are unaffected. (#14222)
- Fixed EC2 backend discovery serving endpoints resolved under an outdated config (e.g. the old port) for up to a refresh interval after a Backend spec change. Spec changes and newly created EC2 backends now trigger an immediate discovery refresh, and a credential rotation combined with a transient AWS API failure no longer drops healthy endpoints. (#14228)
- fix: resolve FrontendTLS CA certificate references in the Gateway's namespace when listeners are contributed by a ListenerSet, rather than incorrectly looking in the ListenerSet's namespace. (#14232)
- Strict validation (KGW_VALIDATION_MODE=STRICT) now caches validation verdicts by config content
hash, eliminating redundant envoy invocations across per-client translation and recomputes. New
settings: KGW_VALIDATOR_MODE (CACHE [default] | BINARY) and KGW_VALIDATOR_CACHE_SIZE (default
4096).
(#14253) - Fix ListenerPolicy with
clientCertificateValidationnot being marked asAttachedif there are other policies applied to the same target (#14278) - Fix excessive DNS queries from gateway pods by rendering the xDS cluster address as a rooted FQDN (trailing dot), preventing DNS search-domain expansion under the default ndots:5 resolver config. (#14291)
- Fixed a bug where a Gateway, Route, Backend, or ListenerSet status observedGeneration could intermittently freeze at a stale value after a spec change, due to a skew between the translation cache and the status syncer's cache. (#14302)
Cleanup
- Added kgateway validation metrics for Envoy validation calls, cache behavior, results, and duration by validation caller. (#14026)
- Reduced controller memory usage by interning policy ref ID strings retained in policy merge tracking. (#14217)
- Fixed GatewayExtension equality to include the object source, and Listener equality to ignore parent object metadata churn (e.g. resourceVersion bumps from status writes), preventing missed updates and spurious recomputation. (#14248)
- Improved strict HTTPRoute validation performance by batching full-route Envoy validation per virtual host. (#14269)
Dependency Updates
- upgrade envoy to v1.38.3 (#14314)
Contributors
Thanks to all the contributors who made this release possible:
Installation
The kgateway project is available as a Helm chart and docker images.
Helm Charts
The Helm charts are available at:
Docker Images
The docker images are available at:
- cr.kgateway.dev/kgateway-dev/kgateway:v2.4.0-alpha.2
- cr.kgateway.dev/kgateway-dev/sds:v2.4.0-alpha.2
- cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.4.0-alpha.2
Quickstart
Try installing this release:
helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.4.0-alpha.2 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.4.0-alpha.2 --namespace kgateway-system --create-namespace
For detailed installation instructions and next steps, please visit our quickstart guide.
v2.3.5
🎉 Welcome to the v2.3.5 release of the kgateway project!
Release Notes
Changes since v2.3.4
Bug Fixes
- Fixed BackendConfigPolicy health check host and gRPC authority overrides for static backends. (#14290)
- Use a rooted FQDN for the default xDS service address to avoid DNS search-domain expansion during Envoy DNS resolution. (#14296)
Dependency Updates
- upgraded envoy to 1.37.5 (#14300)
Contributors
Thanks to all the contributors who made this release possible:
Installation
The kgateway project is available as a Helm chart and docker images.
Helm Charts
The Helm charts are available at:
Docker Images
The docker images are available at:
- cr.kgateway.dev/kgateway-dev/kgateway:v2.3.5
- cr.kgateway.dev/kgateway-dev/sds:v2.3.5
- cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.3.5
Quickstart
Try installing this release:
helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.3.5 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.3.5 --namespace kgateway-system --create-namespace
For detailed installation instructions and next steps, please visit our quickstart guide.
v2.2.8
🎉 Welcome to the v2.2.8 release of the kgateway project!
Release Notes
Changes since v2.2.7
Dependency Updates
- upgraded envoy to 1.36.9 (#14301)
Installation
The kgateway project is available as a Helm chart and docker images.
Helm Charts
The Helm charts are available at:
Docker Images
The docker images are available at:
- cr.kgateway.dev/kgateway-dev/kgateway:v2.2.8
- cr.kgateway.dev/kgateway-dev/sds:v2.2.8
- cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.2.8
Quickstart
Try installing this release:
helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.2.8 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.2.8 --namespace kgateway-system --create-namespace
For detailed installation instructions and next steps, please visit our quickstart guide.
v2.3.4
🎉 Welcome to the v2.3.4 release of the kgateway project!
Release Notes
Changes since v2.3.3
New Features
- added reference grant mode (#14238)
Bug Fixes
- Fixed route Hostname/ServiceEntry backendRefs to the requested port on multi-port hosts (#14259)
- ServiceEntry clusters with workloadSelector-backed pod endpoints now respect pod readiness: NotReady pods are excluded from routing, matching the EndpointSlice-based Service behavior and enabling locality failover when all locally selected pods are NotReady. WorkloadEntry and inline ServiceEntry endpoints are unaffected. (#14262)
Contributors
Thanks to all the contributors who made this release possible:
Installation
The kgateway project is available as a Helm chart and docker images.
Helm Charts
The Helm charts are available at:
Docker Images
The docker images are available at:
- cr.kgateway.dev/kgateway-dev/kgateway:v2.3.4
- cr.kgateway.dev/kgateway-dev/sds:v2.3.4
- cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.3.4
Quickstart
Try installing this release:
helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.3.4 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.3.4 --namespace kgateway-system --create-namespace
For detailed installation instructions and next steps, please visit our quickstart guide.
v2.2.7
🎉 Welcome to the v2.2.7 release of the kgateway project!
Release Notes
Changes since v2.2.6
New Features
- added reference grant mode (#14239)
Installation
The kgateway project is available as a Helm chart and docker images.
Helm Charts
The Helm charts are available at:
Docker Images
The docker images are available at:
- cr.kgateway.dev/kgateway-dev/kgateway:v2.2.7
- cr.kgateway.dev/kgateway-dev/sds:v2.2.7
- cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.2.7
Quickstart
Try installing this release:
helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.2.7 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.2.7 --namespace kgateway-system --create-namespace
For detailed installation instructions and next steps, please visit our quickstart guide.
v2.3.3
🎉 Welcome to the v2.3.3 release of the kgateway project!
Changes since v2.3.2
New Features
- added max_headers_count setting to ListenerPolicy (#14207)
Bug Fixes
- Strict validation (KGW_VALIDATION_MODE=STRICT) now caches validation verdicts by config content
hash, eliminating redundant envoy invocations across per-client translation and recomputes. New
settings: KGW_VALIDATOR_MODE (CACHE [default] | BINARY) and KGW_VALIDATOR_CACHE_SIZE (default
4096).
(#14242)
Dependency Updates
- upgraded envoy to v1.37.4 (#14246)
Contributors
Thanks to all the contributors who made this release possible:
Installation
The kgateway project is available as a Helm chart and docker images.
Helm Charts
The Helm charts are available at:
Docker Images
The docker images are available at:
- cr.kgateway.dev/kgateway-dev/kgateway:v2.3.3
- cr.kgateway.dev/kgateway-dev/sds:v2.3.3
- cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.3.3
Quickstart
Try installing this release:
helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.3.3 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.3.3 --namespace kgateway-system --create-namespace
For detailed installation instructions and next steps, please visit our quickstart guide.
v2.2.6
🎉 Welcome to the v2.2.6 release of the kgateway project!
Release Notes
Changes since v2.2.5
New Features
- added max_headers_count setting to ListenerPolicy (#14208)
Dependency Updates
- upgraded envoy to v1.36.8 (#14247)
Contributors
Thanks to all the contributors who made this release possible:
Installation
The kgateway project is available as a Helm chart and docker images.
Helm Charts
The Helm charts are available at:
Docker Images
The docker images are available at:
- cr.kgateway.dev/kgateway-dev/kgateway:v2.2.6
- cr.kgateway.dev/kgateway-dev/sds:v2.2.6
- cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.2.6
Quickstart
Try installing this release:
helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.2.6 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.2.6 --namespace kgateway-system --create-namespace
For detailed installation instructions and next steps, please visit our quickstart guide.

















