[Upstream Breaking Change] Gateway API v1.4.0 → v1.5.0 #65

@github-actions

Summary

Gateway API v1.5.0 has been released with breaking changes that may affect the gateway provider installations. The current pin is v1.4.0 in install-gateway-provider-dependencies.sh line 39.

Breaking Changes

1. TLSRoute v1alpha2 Removed from Experimental Channel

TLSRoute has graduated to v1 in the Standard channel. TLSRoute v1alpha2 and XListenerSet are no longer included in the Experimental channel.

  • Impact: If llm-d uses TLSRoute v1alpha2 or XListenerSet from the Experimental channel, those CRDs will be unavailable
  • Mitigation: Migrate to TLSRoute v1 (requires Kubernetes 1.31+)

2. ValidatingAdmissionPolicy (VAP) Added

Gateway API 1.5 introduces a VAP called safe-upgrades.gateway.networking.k8s.io that:

  • Prevents installing Experimental CRDs after Standard CRDs are installed

  • Prevents downgrading from v1.5 to earlier versions

  • Impact: Installation order and rollback procedures may be blocked

  • Mitigation: Delete the VAP before performing these operations

3. TLSRoute CEL Validation Requires Kubernetes 1.31+

The new TLSRoute v1 uses CEL validation that requires Kubernetes 1.31 or higher.

  • Impact: Cannot use TLSRoute on Kubernetes 1.30 or earlier
  • Affected clusters: Check minimum Kubernetes version in E2E environments

New Standard Features (GA)

  • Gateway Client Certificate validation (GEP-91, GEP-3567)
  • Certificate selection for Gateway TLS origination (GEP-3155)
  • ListenerSet support (GEP-1713)
  • HTTPRoute CORS filter (GEP-1767)
  • TLSRoute v1 (GEP-2643)
  • ReferenceGrant moves to v1

Files Affected

  • guides/prereq/gateway-provider/install-gateway-provider-dependencies.sh line 39

Recommended Actions

  1. Check TLSRoute usage: Search for TLSRoute v1alpha2 references

    grep -r "v1alpha2" . --include="*.yaml" --include="*.yml"
    grep -r "TLSRoute" . --include="*.yaml" --include="*.yml"
  2. Verify Kubernetes version compatibility: Ensure all clusters are 1.31+ if using TLSRoute

  3. Test upgrade path: Verify VAP doesn't block existing installation procedures

  4. Review changelog: Check for additional API changes: kubernetes-sigs/gateway-api@v1.4.1...v1.5.0

Upstream Release

Generated by Upstream Dependency Monitor
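
The two grep commands in Recommended Action 1 match every v1alpha2 resource and every TLSRoute regardless of version. The script below is an added example, not part of the original issue or the llm-d repository: it reports only YAML documents whose top-level kind is TLSRoute at v1alpha2, or XListenerSet at any version. The function names and the sample manifests are assumptions constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the llm-d repository): report manifests that declare
# the kinds this issue says leave the Experimental channel in v1.5.0.

# scan_manifest FILE: print "FILE: doc N: KIND APIVERSION" for each affected
# YAML document. Only top-level (unindented) apiVersion/kind keys are read, so
# nested fields such as parentRefs[].kind are ignored.
scan_manifest() {
  awk -v file="$1" '
    function clean(s) { gsub(/[^A-Za-z0-9.\/-]/, "", s); return s }
    function flush() {
      if (seen) {
        if ((kind == "TLSRoute" && api ~ /\/v1alpha2$/) || kind == "XListenerSet")
          printf "%s: doc %d: %s %s\n", file, doc, kind, api
        doc++
      }
      api = ""; kind = ""; seen = 0
    }
    BEGIN { doc = 1 }
    /^---[ \t]*$/   { flush(); next }
    /^apiVersion:/  { api = clean($2) }
    /^kind:/        { kind = clean($2) }
    NF              { seen = 1 }
    END             { flush() }
  ' "$1"
}

# scan_tree DIR: run scan_manifest over every *.yaml / *.yml file under DIR.
scan_tree() {
  find "$1" -type f \( -name '*.yaml' -o -name '*.yml' \) -print | sort |
    while IFS= read -r f; do scan_manifest "$f"; done
}

# Constructed sample: one TLSRoute already on v1, one affected TLSRoute, and a
# v1alpha2 TCPRoute that a plain grep for "v1alpha2" would also match.
make_sample() {
  printf '%s\n' '---' 'apiVersion: gateway.networking.k8s.io/v1' 'kind: TLSRoute' \
    '---' 'apiVersion: "gateway.networking.k8s.io/v1alpha2"' 'kind: TLSRoute' \
    'spec:' '  parentRefs:' '  - kind: Gateway' > "$1/routes.yaml"
  printf '%s\n' 'apiVersion: gateway.networking.k8s.io/v1alpha2' \
    'kind: TCPRoute' > "$1/tcp.yml"
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d); make_sample "$d"; scan_tree "$d"; rm -rf "$d"
elif [ -n "${1:-}" ]; then
  scan_tree "$1"
fi
```

Templated manifests (for example Helm charts with the kind set by a template expression) and resources wrapped in a `List` are not detected by this line-based check and still need a manual search.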
