v2.1.1

🎉 Welcome to the v2.1.1 release of the kgateway project!

Installation

The kgateway project is available as a Helm chart and docker images.

Helm Charts

The Helm chart is available at cr.kgateway.dev/kgateway-dev/charts/kgateway.

Docker Images

The docker images are available at:

• cr.kgateway.dev/kgateway-dev/kgateway:v2.1.1
• cr.kgateway.dev/kgateway-dev/sds:v2.1.1
• cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.1.1

Quickstart

Try installing this release:

helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.1.1 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.1.1 --namespace kgateway-system --create-namespace

For detailed installation instructions and next steps, please visit our quickstart guide.

Changelog

New Features

• Allow using kgateway.dev/http-redirect-status-code annotation to
  configure the allowed HTTP redirect status codes as an override
  API with the RequestRedirect filter.
  (#12612)

Bug Fixes

• Deps: Bumps agentgateway from v0.10.1 to v0.10.3. (#12668)

Cleanup

• bumped envoy to v1.35.6 (#12683)

v2.1.0

🎉 Welcome to the v2.1.0 release of the kgateway project!

Installation

The kgateway project is available as a Helm chart and docker images.

Helm Charts

The Helm chart is available at cr.kgateway.dev/kgateway-dev/charts/kgateway.

Docker Images

The docker images are available at:

• cr.kgateway.dev/kgateway-dev/kgateway:v2.1.0
• cr.kgateway.dev/kgateway-dev/sds:v2.1.0
• cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.1.0

Quickstart

Try installing this release:

helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.1.0 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.1.0 --namespace kgateway-system --create-namespace

For detailed installation instructions and next steps, please visit our quickstart guide.

Changelog

Breaking Changes

• Updates the status API for TrafficPolicy and HTTPListenerPolicy to use Gateway API v1alpha2.PolicyStatus API. (#11141)

• Switching to Envoy's /stats/prometheus?usedonly endpoint to only get statistics that Envoy has updated (counters incremented at least once, gauges changed at least once, and histograms added to at least once). (#11358)

• Use kgateway.dev/inherited-policy-priority: ShallowMergePreferParent
  instead of delegation.kgateway.dev/inherited-policy-priority: PreferParent
  and kgateway.dev/inherited-policy-priority: ShallowMergePreferChild
  instead of delegation.kgateway.dev/inherited-policy-priority: PreferChild,
  as annotations to define inherited policy priority for delegated routes.

  By default, child HTTPRoute policies take precedence over parent
  HTTPRoute policies for delegated routes.
  (#11675)

• remove insecureSkipVerify field from Backend and AI ssl validation (#11819)

• Adds disable field to extAuth, extProc, cors, buffer policies to allow
  disabling the policies per-route.

  Breaking change: extAuth.enablement has been removed in favor of
  extAuth.disable.
  (#11893)

• Inference: Replaces InferencePool v1alpha2 with v1 (#11965)

• Add generic gRPC request timeout to GatewayExtension gRPC services
  Add failOpen support to all GatewayExtension external providers
  Change ExtProc GatewayExtension provider to failOpen by default
  (#12239)

• Rename agentGateway to agentgateway for consistency in helm values. Rename GatewayParameters agentGateway field to agentgateway. (#12293)

• As waypoint functionality is alpha, disable it by default. It can be enabled by setting the waypoint.enabled helm value to true (#12385)

• Bumps Gateway API dependency to v1.4.0. Previous Gateway API CRDs must be replaced with v1.4.0. API type changes must be manually converted. BackendTLSPolicy is promoted from v1alpha3 to v1. The v1alpha3 scheme is removed due to the BackendTLSPolicy promotion. Users must replace v1alpha3 instances of BackendTLSPolicy with v1 after installing the Gateway API v1.4.0 CRDs. (#12439)

• Updates gateway-api-inference-extension version to v1.0.1 and removes inferencepools.inference.networking.x-k8s.io CRD. (#12466)

New Features

• Enables kgateway to act as the control plane for agentgateway. (#11151)
• Enables policy attachment using labels using the targetSelectors API for kgateway policy APIs. (#11163)
• Introduce BYO global rate limiting so operators can expose an external rate-limit service through a GatewayExtension resource and reference that extension from a TrafficPolicy. This enables users to configure both local and cluster-wide quotas within the same API surface. (#11169)
• Add a setting to toggle the listener bind address to either ipv4 or ipv6 (#11196)
• Add support for dynamic forward proxy. (#11197)
• Introduce BackendConfigPolicy api to allow configuring envoy clusters. (#11214)
• Enables setting annotations on Deployment generated by kgateway Helm chart. (#11224)
• Adds InferencePool status management to Inference Extension endpointpicker (EPP) Plugin. (#11230)
• Enables multiple kgateway installs in separate namespaces, and implements discoveryNamespaceSelectors to control the namespaces that are considered for config discovery by a kgateway instance based on label selectors. (#11238)
• Respect DestinationRule TCP keepalive settings (#11246)
• CORS support has been added and can be configured in the TrafficPolicy or in HTTPRoute, depending on the desired policy. (#11252)
• Allows a Kubernetes gateway to have more than 64 listeners by implementing ListenerSets defined in https://gateway-api.sigs.k8s.io/geps/gep-1713. Listener Sets can define their own listeners and be mapped to a parent gateway via their parentRef. The Kubernetes gateway will have the merged list of all listeners from itself and attached ListenerSets. This experimental feature requires the xlistenersets.gateway.networking.x-k8s.io CRD to be present. (#11255)
• Invalid durations in our CRDs will now be rejected using CEL, before the CR is admitted. (#11266)
• Allow TrafficPolicy to targetRef using section name. (#11272)
• Add PathOverride and AuthHeaderOverride fields for custom LLM provider endpoints (#11282)
• add TargetSelectors field in BackendConfigPolicySpec to enable selection of resources with matchLabels. (#11289)
• Support for CSRF policy has been added to the TrafficPolicy. (#11302)
• backendconfigpolicy: add ssl config (#11308)
• Support sessionPersistence on HTTPRoute (#11320)
• Add control plane metrics support for observability of controller, collections, and translation operations. (#11342)
• Adds initial InferencePool e2e tests (#11344)
• added support for extended gateway parameters (#11346)
• Support Service appProtocols http2, grpc, and grpc-web. (#11352)
• backendconfigpolicy: add load balancer configuration (#11365)
• Enables configuring the payload transformation mode for AWS Lambda
  backends.
  (#11381)
• Allow configuring app protocol on Static Backends. (#11384)
• add health check config to backendconfigpolicy (#11393)
• For kubernetes services, set IgnoreHealthOnHostRemoval to true on the cluster. (#11395)
• Adds support for OpenTelemetry Tracing & Access Log Support. This can be configured via the HTTPListenerPolicy (#11396)
• add http2 protocol options to backendconfigpolicy (#11455)
• Add useRemoteAddress, xffNumTrustedHops, serverHeaderTransformation, and streamIdleTimeout to HTTPListenerPolicy #11231 (#11462)
• Users can now define custom environment variables for the envoy proxy container via the gateway parameters.
  It can be specified as a list via GatewayParameters.spec.kube.envoyContainer.env
  (#11463)
• Added image, security context and resource configuration on GatewayParameters for agentgateway. (#11464)
• Enables sorting of HTTPRoutes using weights assigned with the
  kgateway.dev/route-weight annotation when KGW_WEIGHTED_ROUTE_PRECEDENCE=true.
  (#11470)
• Added CEL validation to enforce proper attachment semantics for policy APIs. This ensures that policies can only be attached to valid Gateway API resources. (#11499)
• Allow setting listener-level perConnectionBufferLimitBytes by setting the kgateway.dev/per-connection-buffer-limit annotation on the gateway. ([#11505](https://github.com/kgateway-dev/k...

v2.1.0-rc.2

🎉 Welcome to the v2.1.0-rc.2 release of the kgateway project!

Installation

The kgateway project is available as a Helm chart and docker images.

Helm Charts

The Helm chart is available at cr.kgateway.dev/kgateway-dev/charts/kgateway.

Docker Images

The docker images are available at:

• cr.kgateway.dev/kgateway-dev/kgateway:v2.1.0-rc.2
• cr.kgateway.dev/kgateway-dev/sds:v2.1.0-rc.2
• cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.1.0-rc.2

Quickstart

Try installing this release:

helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.1.0-rc.2 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.1.0-rc.2 --namespace kgateway-system --create-namespace

For detailed installation instructions and next steps, please visit our quickstart guide.

v2.0.5

🎉 Welcome to the v2.0.5 release of the kgateway project!

Installation

The kgateway project is available as a Helm chart and docker images.

Helm Charts

The Helm chart is available at cr.kgateway.dev/kgateway-dev/charts/kgateway.

Docker Images

The docker images are available at:

• cr.kgateway.dev/kgateway-dev/kgateway:v2.0.5
• cr.kgateway.dev/kgateway-dev/sds:v2.0.5
• cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.0.5

Quickstart

Try installing this release:

helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.0.5 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.0.5 --namespace kgateway-system --create-namespace

For detailed installation instructions and next steps, please visit our quickstart guide.

v2.1.0-rc.1

🎉 Welcome to the v2.1.0-rc.1 release of the kgateway project!

Installation

The kgateway project is available as a Helm chart and docker images.

Helm Charts

The Helm chart is available at cr.kgateway.dev/kgateway-dev/charts/kgateway.

Docker Images

The docker images are available at:

• cr.kgateway.dev/kgateway-dev/kgateway:v2.1.0-rc.1
• cr.kgateway.dev/kgateway-dev/sds:v2.1.0-rc.1
• cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.1.0-rc.1

Quickstart

Try installing this release:

helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.1.0-rc.1 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.1.0-rc.1 --namespace kgateway-system --create-namespace

For detailed installation instructions and next steps, please visit our quickstart guide.

Changelog

Breaking Changes

• Updates the status API for TrafficPolicy and HTTPListenerPolicy to use Gateway API v1alpha2.PolicyStatus API. (#11141)
• Switching to Envoy's /stats/prometheus?usedonly endpoint to only get statistics that Envoy has updated (counters incremented at least once, gauges changed at least once, and histograms added to at least once). (#11358)
• Use kgateway.dev/inherited-policy-priority: ShallowMergePreferParent instead of delegation.kgateway.dev/inherited-policy-priority: PreferParent and kgateway.dev/inherited-policy-priority: ShallowMergePreferChild instead of delegation.kgateway.dev/inherited-policy-priority: PreferChild, as annotations to define inherited policy priority for delegated routes. By default, child HTTPRoute policies take precedence over parent HTTPRoute policies for delegated routes. (#11675)
• remove insecureSkipVerify field from Backend and AI ssl validation (#11819)
• Adds disable field to extAuth, extProc, cors, buffer policies to allow disabling the policies per-route. Breaking change: extAuth.enablement has been removed in favor of extAuth.disable. (#11893)
• Inference: Replaces InferencePool v1alpha2 with v1 (#11965)
• Add generic gRPC request timeout to GatewayExtension gRPC services. Add failOpen support to all GatewayExtension external providers. Change ExtProc GatewayExtension provider to failOpen by default. (#12239)
• Rename agentGateway to agentgateway for consistency in helm values. Rename GatewayParameters agentGateway field to agentgateway. (#12293)
• As waypoint functionality is alpha, disable it by default. It can be enabled by setting the waypoint.enabled helm value to true (#12385)

New Features

• Enables kgateway to act as the control plane for agentgateway. (#11151)
• Enables policy attachment using labels using the targetSelectors API for kgateway policy APIs. (#11163)
• Introduce BYO global rate limiting so operators can expose an external rate-limit service through a GatewayExtension resource and reference that extension from a TrafficPolicy. This enables users to configure both local and cluster-wide quotas within the same API surface. (#11169)
• Add a setting to toggle the listener bind address to either ipv4 or ipv6 (#11196)
• Add support for dynamic forward proxy. (#11197)
• Introduce BackendConfigPolicy api to allow configuring envoy clusters. (#11214)
• Enables setting annotations on Deployment generated by kgateway Helm chart. (#11224)
• Adds InferencePool status management to Inference Extension endpointpicker (EPP) Plugin. (#11230)
• Enables multiple kgateway installs in separate namespaces, and implements discoveryNamespaceSelectors to control the namespaces that are considered for config discovery by a kgateway instance based on label selectors. (#11238)
• Respect DestinationRule TCP keepalive settings (#11246)
• CORS support has been added and can be configured in the TrafficPolicy or in HTTPRoute, depending on the desired policy. (#11252)
• Allows a Kubernetes gateway to have more than 64 listeners by implementing ListenerSets defined in https://gateway-api.sigs.k8s.io/geps/gep-1713. Listener Sets can define their own listeners and be mapped to a parent gateway via their parentRef. The Kubernetes gateway will have the merged list of all listeners from itself and attached ListenerSets. This experimental feature requires the xlistenersets.gateway.networking.x-k8s.io CRD to be present. (#11255)
• Invalid durations in our CRDs will now be rejected using CEL, before the CR is admitted. (#11266)
• Allow TrafficPolicy to targetRef using section name. (#11272)
• Add PathOverride and AuthHeaderOverride fields for custom LLM provider endpoints (#11282)
• add TargetSelectors field in BackendConfigPolicySpec to enable selection of resources with matchLabels. (#11289)
• Support for CSRF policy has been added to the TrafficPolicy. (#11302)
• backendconfigpolicy: add ssl config (#11308)
• Support sessionPersistence on HTTPRoute (#11320)
• Add control plane metrics support for observability of controller, collections, and translation operations. (#11342)
• Adds initial InferencePool e2e tests (#11344)
• added support for extended gateway parameters (#11346)
• Support Service appProtocols http2, grpc, and grpc-web. (#11352)
• backendconfigpolicy: add load balancer configuration (#11365)
• Enables configuring the payload transformation mode for AWS Lambda backends. (#11381)
• Allow configuring app protocol on Static Backends. (#11384)
• add health check config to backendconfigpolicy (#11393)
• For kubernetes services, set IgnoreHealthOnHostRemoval to true on the cluster. (#11395)
• Adds support for OpenTelemetry Tracing & Access Log Support. This can be configured via the HTTPListenerPolicy (#11396)
• add http2 protocol options to backendconfigpolicy (#11455)
• Add useRemoteAddress, xffNumTrustedHops, serverHeaderTransformation, and streamIdleTimeout to HTTPListenerPolicy #11231 (#11462)
• Users can now define custom environment variables for the envoy proxy container via the gateway parameters. It can be specified as a list via GatewayParameters.spec.kube.envoyContainer.env. (#11463)
• Added image, security context and resource configuration on GatewayParameters for agentgateway. (#11464)
• Enables sorting of HTTPRoutes using weights assigned with the kgateway.dev/route-weight annotation when KGW_WEIGHTED_ROUTE_PRECEDENCE=true. (#11470)
• Added CEL validation to enforce proper attachment semantics for policy APIs. This ensures that policies can only be attached to valid Gateway API resources. (#11499)
• Allow setting listener-level perConnectionBufferLimitBytes by setting the kgateway.dev/per-connection-buffer-limit annotation on the gateway. (#11505)
• Privileged ports used (< 1024) on a listener are no longer mapped to a higher port. If listeners are using privileged ports before upgrading, there may be down time when the port mapping is updated. (#11508)
• Add support for setting request buffer limit using TrafficPolicy (#11523)
• The TrafficPolicy plugin now respects the route replacement mode setting (KGW_ROUTE_REPLACEMENT_MODE). When in strict mode, the plugin performs additional validation to catch invalid configurations before they reach Envoy. Invalid policies th...

v2.0.4

🎉 Welcome to the v2.0.4 release of the kgateway project!

Installation

The kgateway project is available as a Helm chart and docker images.

Helm Charts

The Helm chart is available at cr.kgateway.dev/kgateway-dev/charts/kgateway.

Docker Images

The docker images are available at:

• cr.kgateway.dev/kgateway-dev/kgateway:v2.0.4
• cr.kgateway.dev/kgateway-dev/sds:v2.0.4
• cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.0.4

Quickstart

Try installing this release:

helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.0.4 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.0.4 --namespace kgateway-system --create-namespace

For detailed installation instructions and next steps, please visit our quickstart guide.

v2.0.3

🎉 Welcome to the v2.0.3 release of the kgateway project!

Changes

See #11406 for a list of changes included in this release.

Installation

The kgateway project is available as a Helm chart and docker images.

Helm Charts

The Helm chart is available at cr.kgateway.dev/kgateway-dev/charts/kgateway.

Docker Images

The Docker images are available at:

• cr.kgateway.dev/kgateway-dev/kgateway:v2.0.3
• cr.kgateway.dev/kgateway-dev/sds:v2.0.3
• cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.0.3

Quickstart

Try installing this release:

helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.0.3 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.0.3 --namespace kgateway-system --create-namespace

For detailed installation instructions and next steps, please visit our quickstart guide.

v2.0.2

🎉 Welcome to the v2.0.2 release of the kgateway project!

Installation

The kgateway project is available as a Helm chart and docker images.

Helm Charts

The Helm chart is available at cr.kgateway.dev/kgateway-dev/charts/kgateway.

Docker Images

The docker images are available at:

• cr.kgateway.dev/kgateway-dev/kgateway:v2.0.2
• cr.kgateway.dev/kgateway-dev/sds:v2.0.2
• cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.0.2

Quickstart

Try installing this release:

helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.0.2 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.0.2 --namespace kgateway-system --create-namespace

For detailed installation instructions and next steps, please visit our quickstart guide.

v2.0.1

🎉 Welcome to the v2.0.1 release of the kgateway project!

Installation

The kgateway project is available as a Helm chart and docker images.

Helm Charts

The Helm chart is available at cr.kgateway.dev/kgateway-dev/charts/kgateway.

Docker Images

The docker images are available at:

• cr.kgateway.dev/kgateway-dev/kgateway:v2.0.1
• cr.kgateway.dev/kgateway-dev/sds:v2.0.1
• cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.0.1

Quickstart

Try installing this release:

helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.0.1 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.0.1 --namespace kgateway-system --create-namespace

For detailed installation instructions and next steps, please visit our quickstart guide.

v2.0.0

🎉 Kgateway 2.0.0 – First CNCF Release 🎉

We're proud to announce kgateway v2.0.0, the first official release under the CNCF. Kgateway is a next-generation, open-source API gateway designed for secure, observable, and extensible Kubernetes-native environments.

Built on the Kubernetes Gateway API, kgateway lets you manage ingress and east-west traffic with scalable, policy-driven control—backed by CNCF governance and cloud-native best practices.

🚀 Release Highlights

• Kgateway custom resources to extend the Gateway API
• Advanced traffic management, including ExtProc and route delegation
• Enhanced security capabilities, including local rate limiting and BYO external authorization
• Open-sourced AI Gateway
• Refreshed KRT-based control plane
• Istio Ambient Waypoint integration

Coming from Gloo v1? Kgateway v2 has extensive API, CRD, and other changes.
We recommend following the kgateway quickstart to try it out.

📚 Read more about the 2.0 release details.