
Gateway API v1.5: 6 Key Improvements You Should Know

Asked 2026-05-02 16:25:23 Category: Software Tools

On February 27, 2026, the Kubernetes SIG Network community released Gateway API v1.5 — the largest update yet. This version shifts from a fixed release schedule to a train model, meaning features ship when they're fully ready, including documentation. The big news? Six previously experimental features have been promoted to the Standard (GA) channel, making them production-ready. In this article, we break down each of these updates: ListenerSet, TLSRoute, HTTPRoute CORS Filter, Client Certificate Validation, Certificate Selection for Gateway TLS Origination, and ReferenceGrant. Whether you're a platform engineer or an application developer, these changes simplify multi-tenant networking and improve security. Let's dive in.

1. ListenerSet: Independent Listener Management at Scale

Before Gateway API v1.5, all listeners had to be defined directly on the Gateway object. This worked for simple setups but caused friction in complex, multi-tenant environments. Platform teams and application teams had to coordinate changes on the same Gateway, making listener ownership tricky and extensions cumbersome. The ListenerSet feature changes the game: listeners can now be defined independently and merged onto a target Gateway. This also lifts the previous 64-listener cap, enabling large-scale deployments with multiple hostnames per listener.


How does it work? A ListenerSet attaches to a Gateway and contributes one or more listeners. The Gateway controller merges these with any listeners already on the Gateway itself. For example, a central infrastructure team can define a default HTTP listener on the Gateway, while separate application teams create their own ListenerSets in different namespaces—all attaching to the same Gateway. This decoupling simplifies delegation and scaling.

2. TLSRoute: Reliable TLS/TCP Routing

With the promotion of TLSRoute to stable, Gateway API now offers a first-class resource for routing TCP traffic based on TLS parameters. Previously only available experimentally, TLSRoute allows you to route incoming TLS connections to different backends based on the Server Name Indication (SNI) or other conditions. This is essential for services that terminate TLS at the gateway and need to forward traffic to different internal services while preserving encryption. The stable GA status means you can rely on this resource in production without worrying about breaking changes.

3. HTTPRoute CORS Filter: Simplify Cross-Origin Requests

Cross-Origin Resource Sharing (CORS) is a common requirement for web applications that access APIs from different domains. The HTTPRoute CORS Filter allows you to configure CORS headers directly on HTTPRoute rules, making it easy to allow or restrict cross-origin requests without writing custom middleware. Now stable, this filter supports all standard CORS fields like AllowOrigin, AllowMethods, and AllowHeaders. It integrates seamlessly with other filters, reducing the need for separate configuration tools and keeping your Gateway resources clean.
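
An added example, not code from the Gateway API project: a small audit that walks an HTTPRoute manifest and flags CORS filter settings a reviewer would want to see before the route ships. The lower-camel-case keys (`allowOrigins`, `allowCredentials`, `allowMethods`, `allowHeaders`), the `CORS` filter type and the sample route are assumptions about the manifest shape, constructed for illustration.

```python
# Constructed sample HTTPRoute (a dict, the shape a YAML manifest loads to).
# Field names are assumed from the upstream HTTPRoute schema, not this page.
ROUTE = {
    "apiVersion": "gateway.networking.k8s.io/v1",
    "kind": "HTTPRoute",
    "metadata": {"name": "api", "namespace": "storefront"},
    "spec": {"rules": [
        # Weak: every origin may send credentialed requests.
        {"filters": [{"type": "CORS", "cors": {
            "allowOrigins": ["*"], "allowCredentials": True,
            "allowMethods": ["GET", "POST"]}}]},
        # Corrected: one exact HTTPS origin, explicit methods and headers.
        {"filters": [{"type": "CORS", "cors": {
            "allowOrigins": ["https://shop.example.com"],
            "allowCredentials": True, "allowMethods": ["GET"],
            "allowHeaders": ["Authorization"]}}]},
        # Weak: origin served over cleartext HTTP.
        {"filters": [{"type": "CORS", "cors": {
            "allowOrigins": ["http://dev.example.com"]}}]},
    ]},
}

def cors_filters(route):
    """Yield (rule_index, cors_config) for each CORS filter on the route."""
    for index, rule in enumerate(route.get("spec", {}).get("rules", [])):
        for flt in rule.get("filters", []):
            if flt.get("type") == "CORS":
                yield index, flt.get("cors", {})

def audit_cors(route):
    """Return (rule_index, finding) pairs for risky CORS settings."""
    findings = []
    for index, cors in cors_filters(route):
        origins = cors.get("allowOrigins", [])
        with_credentials = bool(cors.get("allowCredentials", False))
        if with_credentials and "*" in origins:
            findings.append((index, "any-origin-with-credentials"))
        elif with_credentials and any("*" in o for o in origins):
            findings.append((index, "wildcard-origin-with-credentials"))
        if any(o.startswith("http://") for o in origins):
            findings.append((index, "cleartext-origin"))
    return findings
```

Run against the sample, the first and third rules are reported and the corrected second rule passes.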

4. Client Certificate Validation: Strengthen mTLS

Mutual TLS (mTLS) ensures both client and server authenticate each other. The Client Certificate Validation feature, now stable, gives you fine-grained control over which client certificates are accepted at the Gateway. You can specify certificate authorities, require certificates, or even restrict based on certificate attributes. This is critical for zero-trust networking and multi-tenant clusters where each tenant uses different client certificates. By moving to stable, this feature provides a hardened, production-ready mTLS policy layer.

5. Certificate Selection for Gateway TLS Origination

When a Gateway originates TLS to backend services, it needs to choose the right certificate. The Certificate Selection for Gateway TLS Origination feature (now stable) gives you a declarative way to specify which certificates the Gateway should use when establishing outgoing TLS connections. This is particularly useful in scenarios with multiple backends requiring different certificates, or when certificates are managed by separate teams. Previously experimental, this promotion ensures that certificate management for TLS origination is both flexible and reliable in production.

6. ReferenceGrant: Secure Cross-Namespace References

In Kubernetes, resources often need to refer to objects in other namespaces—for example, an HTTPRoute referencing a backend Service in a different namespace. The ReferenceGrant resource (now stable) provides an explicit mechanism for namespace owners to authorize such cross-namespace references. Without it, any cross-namespace reference would be insecure. With ReferenceGrant, you can grant specific permissions to specific sources, improving security and auditability. This feature is fundamental to the Gateway API's namespace-based delegation model and is now production-ready.
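
An added example, not the Gateway API controller's own code: the authorization decision a ReferenceGrant expresses, written as a function that can be run over exported manifests during review. The namespaces, object names and the `unnamed_targets` audit helper are hypothetical; the `from`/`to` matching assumes the upstream ReferenceGrant schema, in which the grant lives in the namespace being referenced.

```python
from dataclasses import dataclass

GATEWAY_GROUP = "gateway.networking.k8s.io"
CORE_GROUP = ""  # Services live in the core API group, written as ""

@dataclass(frozen=True)
class Ref:
    group: str
    kind: str
    namespace: str
    name: str = ""

# Constructed sample: the "payments" namespace owner lets HTTPRoutes from
# "storefront" reference one Service, "checkout", and nothing else.
GRANTS = [{
    "kind": "ReferenceGrant",
    "metadata": {"name": "allow-storefront", "namespace": "payments"},
    "spec": {
        "from": [{"group": GATEWAY_GROUP, "kind": "HTTPRoute",
                  "namespace": "storefront"}],
        "to": [{"group": CORE_GROUP, "kind": "Service", "name": "checkout"}],
    },
}]

def _from_matches(entry, source):
    return (entry["group"], entry["kind"], entry["namespace"]) == \
           (source.group, source.kind, source.namespace)

def _to_matches(entry, target):
    # An omitted name covers every object of that kind in the grant's namespace.
    return (entry["group"], entry["kind"]) == (target.group, target.kind) \
        and entry.get("name", target.name) == target.name

def reference_allowed(source, target, grants):
    """True if `source` may reference `target` under the given grants."""
    if source.namespace == target.namespace:
        return True  # same-namespace references need no grant
    for grant in grants:
        if grant["metadata"]["namespace"] != target.namespace:
            continue  # a grant only speaks for the namespace it lives in
        spec = grant["spec"]
        if any(_from_matches(f, source) for f in spec["from"]) and \
           any(_to_matches(t, target) for t in spec["to"]):
            return True
    return False

def unnamed_targets(grants):
    """Audit helper: names of grants whose `to` entries cover a whole kind."""
    return [g["metadata"]["name"] for g in grants
            if any("name" not in t for t in g["spec"]["to"])]
```

A grant created in the referring namespace instead of the target namespace authorizes nothing, which is the mistake this check catches most often in review.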

These six features represent a significant step forward for Gateway API, making it more scalable, secure, and usable in real-world deployments. The new release train model ensures that future iterations will be just as reliable. A huge thanks to all contributors, especially the Release Managers Flynn (Buoyant) and Beka Modebadze (Google) for streamlining the process. For more details, check the full Gateway API v1.5 changelog—and get ready to upgrade your gateways!