Welcome to a comprehensive Q&A about the Gateway API v1.5 release, the largest update from the Kubernetes SIG Network community. Released on February 27, 2026, this version focuses on promoting six widely-requested experimental features to the Standard (Stable) channel. These include ListenerSet, TLSRoute, HTTPRoute CORS Filter, Client Certificate Validation, Certificate Selection for Gateway TLS Origination, and ReferenceGrant. Additionally, the project has adopted a release train model to ensure a more predictable cadence. Below, we answer your most pressing questions about what’s new and how to take advantage of these enhancements.
What is the most significant change in Gateway API v1.5?
The biggest change is the promotion of six experimental features to the Standard channel, marking them as stable and production-ready. Among these, ListenerSet stands out because it fundamentally improves how listeners are managed on Gateway objects. Instead of defining all listeners directly on the Gateway—which created coordination challenges in multi-tenant environments—ListenerSet allows platform and application teams to define listeners independently and merge them onto a shared Gateway. This also removes the previous 64-listener limit, enabling large-scale deployments. Other newly stable features like TLSRoute, CORS Filter, client certificate validation, certificate selection for TLS origination, and ReferenceGrant round out the release, each addressing specific networking needs.
How has the release process changed and why?
Gateway API v1.5 introduces a release train model, similar to Kubernetes itself. Under this approach, a feature freeze date is set, and any feature that is fully ready—including documentation—is included in the release. This shift aims to produce a more reliable and predictable cadence. The project also formalized Release Manager and Release Shadow roles, with Flynn (Buoyant) and Beka Modebadze (Google) leading the effort. Their work ensures smoother coordination and better visibility into the release lifecycle. This change applies to both Experimental and Standard channels, meaning features must meet all readiness criteria before being shipped.
What is ListenerSet and how does it improve multi-tenancy?
ListenerSet (GEP-1713, led by Dave Protasowski and David Jumani) allows listeners to be defined independently from the Gateway object and then merged onto a target Gateway. Before this feature, all listeners had to be specified directly on the Gateway, requiring platform and application teams to coordinate changes on the same resource. This made safe delegation of listener ownership difficult and required modifying the original Gateway to extend it. With ListenerSet, each team can create their own ListenerSet resource in their namespace, attach it to a shared Gateway, and contribute listeners without conflicting. Additionally, it enables attaching more than 64 listeners to a single Gateway—critical for large-scale deployments with many hostnames. Note that the listeners field on the Gateway itself remains mandatory and must include at least one valid listener.
What does the new TLSRoute feature allow?
TLSRoute is now stable in Gateway API v1.5. It enables routing of TLS (Transport Layer Security) traffic based on the Server Name Indication (SNI) value, without terminating TLS at the gateway. This is particularly useful for passthrough TLS scenarios where the backend is expected to handle decryption. TLSRoute works alongside existing HTTPRoute and TCPRoute resources, offering a declarative way to manage TLS-level routing in Kubernetes. It allows operators to define rules that match SNI names and forward traffic to appropriate backends, all while keeping the TLS handshake intact. This feature is essential for multi-service deployments where different services require their own TLS certificates.
How does the new CORS filter work for HTTPRoutes?
The HTTPRoute CORS Filter is a new stable feature that allows you to configure Cross-Origin Resource Sharing (CORS) headers directly within an HTTPRoute rule. CORS is a browser security mechanism that controls how resources from one origin can be accessed by web pages from another origin. With this filter, you can define allowed origins, methods, headers, and whether credentials are included—all without needing to modify backend services or use a separate ingress controller configuration. The filter integrates seamlessly into the HTTPRoute spec, making it easier to manage CORS policies as part of your routing rules. For example, you can allow requests from https://example.com while blocking others. This is a huge simplification for frontend developers and platform teams managing APIs.
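A simplified model of the decision such a filter makes, as an added Python example (not the Gateway API project's code, and not any implementation's exact behaviour): it follows standard browser CORS rules for simple and preflight requests. The dictionary keys mirror the filter's settings for origins, methods, headers and credentials and are an assumption here, as are the function names and sample values.

```python
def cors_headers(cfg, method, req):
    """Return CORS response headers for a request, or {} when it is not allowed."""
    origin = req.get("Origin")
    allowed = cfg.get("allowOrigins", [])
    creds = cfg.get("allowCredentials", False)
    if origin is None or not (origin in allowed or "*" in allowed):
        return {}                      # no CORS headers: the browser withholds the response
    out = {}
    if "*" in allowed and not creds:
        out["Access-Control-Allow-Origin"] = "*"
    else:
        # Browsers reject a literal "*" on credentialed requests, so echo the origin.
        out["Access-Control-Allow-Origin"] = origin
        out["Vary"] = "Origin"         # keep caches from reusing it for another origin
    if creds:
        out["Access-Control-Allow-Credentials"] = "true"
    wanted = req.get("Access-Control-Request-Method")
    if method == "OPTIONS" and wanted:             # preflight request
        if wanted not in cfg.get("allowMethods", []):
            return {}
        out["Access-Control-Allow-Methods"] = ", ".join(cfg["allowMethods"])
        if cfg.get("allowHeaders"):
            out["Access-Control-Allow-Headers"] = ", ".join(cfg["allowHeaders"])
    return out

def audit(cfg):
    """Flag settings that weaken the same-origin boundary (hypothetical review helper)."""
    findings = []
    origins = cfg.get("allowOrigins", [])
    if "*" in origins and cfg.get("allowCredentials"):
        findings.append("wildcard origin with credentials: any site can read authenticated responses")
    findings += [f"plaintext origin allowed: {o}" for o in origins if o.startswith("http://")]
    return findings

# Constructed sample policy: one trusted origin, credentials allowed.
CFG = {"allowOrigins": ["https://example.com"], "allowMethods": ["GET", "POST"],
       "allowHeaders": ["Content-Type"], "allowCredentials": True}
```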
What is Client Certificate Validation and why is it important?
Client Certificate Validation is a stable feature in v1.5 that allows Gateway API implementors to require and validate client TLS certificates during the handshake. This adds a layer of mutual TLS (mTLS) authentication, ensuring that only clients with a valid certificate from a trusted CA can connect to the gateway. You can specify which CA certificates to trust and configure revocation checks. This is critical for zero-trust security models, where every connection must be authenticated, not just encrypted. By promoting this to Standard, Gateway API now provides a robust, declarative way to enforce client certificate validation, reducing the need for custom middleware or sidecar proxies.
How does Certificate Selection work for Gateway TLS origination?
Certificate Selection for Gateway TLS origination gives fine-grained control over which TLS certificate the gateway uses when originating a connection to a backend. Previously, the gateway might use a default certificate, but now you can select a particular certificate from a Kubernetes Secret based on the route or backend. This is particularly useful when a gateway handles multiple domains and needs to present the correct certificate for each upstream connection. The feature works by allowing you to reference a certificate in a route rule, ensuring that the gateway uses the appropriate identity when connecting to backends that require client certificate authentication. It enhances security and flexibility, especially in scenarios with strict certificate policies.
What is ReferenceGrant and when should I use it?
ReferenceGrant is a stable resource that controls cross-namespace references in Gateway API. By default, resources like HTTPRoute can only reference objects in the same namespace (e.g., Services, Secrets). ReferenceGrant allows a namespace owner to explicitly permit references from another namespace. For example, if you have a central ingress controller in namespace gateway-system and application routes in app-team, you need a ReferenceGrant in gateway-system to allow the HTTPRoute to reference services in app-team. This is crucial for multi-tenant setups where teams manage their own routes but share a common gateway. ReferenceGrant ensures safe delegation without compromising security—only explicitly allowed cross-namespace references are permitted.