v2.2.0-beta.6

🎉 Welcome to the v2.2.0-beta.6 release of the kgateway project!

Release Notes

Changes since v2.2.0-beta.5

Breaking Changes

• [Internal break only] jwt renamed to jwtAuth, apiKeyAuthentication renamed to apiKeyAuth (#13254)

New Features

• Support Gateway.spec.addresses for agentgateway (#13197)
• Added support for CipherSuite configuration on frontend tls policy. (#13219)
• support maxRequestHeadersKb field in ListenerPolicy (#13224)
• Added tracing support for AgentgatewayPolicy. (#13226)
• PodDisruptionBudget and HorizontalPodAutoscaler are now options for the agentgateway proxy via AgentgatewayParameters. (#13237)
• PodDisruptionBudget is now an option for the agentgateway and envoy control planes. (#13238)
• add preserveExternalRequestId generateRequestId to HttpListenerPolicy and ListenerPolicy users can now disable the generation of Request ID and preserve external request ID (#13250)

Bug Fixes

• Fixes a bug with GatewayParameters on a Gateway that use OmitDefaultSecurityContext when parameters are also present on the GatewayClass. (#13046)
• Detect the port for listeners without a defined port. It selects 80 for HTTP and 443 for HTTPS. Other protocols do not support automatic port detection and listeners without a defined port are not accepted (#13253)

Cleanup

• Isolated GoReleaser build tool dependencies to separate tools submodule, reducing main module size by ~31% (#13205)
• Envoy controller: Changes the k8s Container name from 'kgateway' to 'controller' (#13232)

Installation

The kgateway project is available as a Helm chart and docker images.

Helm Charts

The Helm charts are available at:

• cr.kgateway.dev/kgateway-dev/charts/kgateway.
• cr.agentgateway.dev/charts/agentgateway.

Docker Images

The docker images are available at:

• cr.kgateway.dev/kgateway-dev/kgateway:v2.2.0-beta.6
• cr.kgateway.dev/kgateway-dev/sds:v2.2.0-beta.6
• cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.2.0-beta.6
• cr.agentgateway.dev/agentgateway-controller:v2.2.0-beta.6

Quickstart

Try installing this release:

helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.2.0-beta.6 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.2.0-beta.6 --namespace kgateway-system --create-namespace
helm install agentgateway-crds oci://cr.agentgateway.dev/charts/agentgateway-crds --version v2.2.0-beta.6 --namespace agentgateway-system --create-namespace
helm install agentgateway oci://cr.agentgateway.dev/charts/agentgateway --version v2.2.0-beta.6 --namespace agentgateway-system --create-namespace

For detailed installation instructions and next steps, please visit our quickstart guide.

v2.2.0-beta.5

🎉 Welcome to the v2.2.0-beta.5 release of the kgateway project!

Release Notes

Changes since v2.2.0-beta.4

New Features

• backendTLSPolicy: support secret ref kind for caCertificateRefs (#13117)
• Add new multi-arch controller image for agentgateway (#13194)
• Bump Agentgateway to 0.11.0
  Add support for Canadian Social Insurance Number prompt guards for Agentgateway
  (#13199)
• Added configuration for stateful/stateless session routng for mcp backends. (#13201)
• Added timeout to agentgateway's ExtAuth policy (#13202)
• Add disable field to API key authentication in TrafficPolicy, allowing routes to selectively opt-out of gateway-level authentication requirements. (#13217)

Cleanup

• Switched to credential_injector filter for xds Authorization header (#13212)

Installation

The kgateway project is available as a Helm chart and docker images.

Helm Charts

The Helm charts are available at:

• cr.kgateway.dev/kgateway-dev/charts/kgateway.
• cr.agentgateway.dev/charts/agentgateway.

Docker Images

The docker images are available at:

• cr.kgateway.dev/kgateway-dev/kgateway:v2.2.0-beta.5
• cr.kgateway.dev/kgateway-dev/sds:v2.2.0-beta.5
• cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.2.0-beta.5
• cr.agentgateway.dev/agentgateway-controller:v2.2.0-beta.5

Quickstart

Try installing this release:

helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.2.0-beta.5 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.2.0-beta.5 --namespace kgateway-system --create-namespace
helm install agentgateway-crds oci://cr.agentgateway.dev/charts/agentgateway-crds --version v2.2.0-beta.5 --namespace agentgateway-system --create-namespace
helm install agentgateway oci://cr.agentgateway.dev/charts/agentgateway --version v2.2.0-beta.5 --namespace agentgateway-system --create-namespace

For detailed installation instructions and next steps, please visit our quickstart guide.

v2.2.0-beta.4

🎉 Welcome to the v2.2.0-beta.4 release of the kgateway project!

Release Notes

Changes since v2.2.0-beta.3

Breaking Changes

• AgentgatewayParameters rawConfig breaking change to allow configuring binds, e.g., and other things in config.yaml but outside of its config section (#13127)

New Features

• [rustformation] support parsing body as json and implemented all documented jinja custom functions (#12950)
• Support setting of tls options in connections to remote jwks sources. (#13014)
• Support Gateway.spec.addresses. We currently support one IP address type value that will be used in the gateway's Service loadbalancerIP. (#13070)
• Added mode for MCP authentication and support for Unspecified IDPs. (#13111)

Bug Fixes

• Enhanced agentgateway backend error handling and status condition propagation. (#13073)
• Support DNS lookup family settings in the ingress-use-waypoint cluster config (#13085)
• Server-side apply field manager name cleanup. (#13108)
• Fixed agentgateway passthrough auth policy. (#13125)
• Fixed the AI prompt guard api to align with other enums MASK is now Mask and REJECT is now Reject. These are enforced by CEL in the API. (#13177)

Cleanup

• Added codeowners for kgateway for API maintainers and CI maintainers. (#12635)
• Reverts the GatewayClass rename back from agentgateway-v2 to agentgateway. (#13163)

Installation

The kgateway project is available as a Helm chart and docker images.

Helm Charts

The Helm charts are available at:

• cr.kgateway.dev/kgateway-dev/charts/kgateway.
• cr.agentgateway.dev/charts/agentgateway.

Docker Images

The docker images are available at:

• cr.kgateway.dev/kgateway-dev/kgateway:v2.2.0-beta.4
• cr.kgateway.dev/kgateway-dev/sds:v2.2.0-beta.4
• cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.2.0-beta.4

Quickstart

Try installing this release:

helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.2.0-beta.4 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.2.0-beta.4 --namespace kgateway-system --create-namespace
helm install agentgateway-crds oci://cr.agentgateway.dev/charts/agentgateway-crds --version v2.2.0-beta.4 --namespace agentgateway-system --create-namespace
helm install agentgateway oci://cr.agentgateway.dev/charts/agentgateway --version v2.2.0-beta.4 --namespace agentgateway-system --create-namespace

For detailed installation instructions and next steps, please visit our quickstart guide.

v2.2.0-beta.3

🎉 Welcome to the v2.2.0-beta.3 release of the kgateway project!

⚠️ Important ⚠️

This release contains significant changes to the agentgateway component.
Please review the migration guide if you are using kgateway with agentgateway.

Quickstart

Try installing this release:

helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.2.0-beta.3 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.2.0-beta.3 --namespace kgateway-system --create-namespace

helm install agentgateway-crds oci://ghcr.io/kgateway-dev/charts/agentgateway-crds --version v2.2.0-beta.3 --namespace agentgateway-system --create-namespace
helm install agentgateway oci://ghcr.io/kgateway-dev/charts/agentgateway --version v2.2.0-beta.3 --namespace agentgateway-system --create-namespace

Release Notes

Changes between v2.2.0-beta.1 and v2.2.0-beta.3

Breaking Changes

• Add option to allow missing JWT.
  [Internal break only] Changed the gateway extension API. Providers are now nested within JWT.
  (#12998)
• Updated agentgateway resources to use new agentgateway.dev GVK. DirectResponse for agentgateway is now only configurable through the AgentgatewayPolicy instead of the separate DirectResponse CRD. (#13013)
• agentgateway can no longer be configured with GatewayParameters, only with AgentgatewayParameters. (#13054)
• Split helm UX into dedicated charts for Envoy based kgateway and agentgateway (#13062)
• Renames controller kgateway.dev/agentgateway to agentgateway.dev/agentgateway, breaking legacy agentgateway installations. The bundled GatewayClass using the agentgateway data plane is renamed from agentgateway to agentgateway-v2. (#13088)

New Features

• Add multi-network support to agentgateway syncer for cross-network workload discovery and routing in ambient mode. (#12858)
• Allow configuring cipher suites, ecdh curves, minimum TLS version, maximum TLS version using tls options map. (#12917)
• add support for remote JWKS (#12939)
• Add global disable option for JWT policy (#12945)
• Adds priorityClassName to the Pod struct used in GatewayParameters in order to set the corresponding priorityClassName field in the gateway-proxy pod. (#12949)
• Add HTTP support for ExtAuth (#12952)
• Add support for circuit breakers in BackendConfigPolicy. (#12957)
• Add helm values for setting custom GatewayParameters for bundled gatewayclasses (#12960)
• Add support for configuring an API key authentication in TrafficPolicy with keys defined in secret(s) (#12962)
• Added support for MCP authentication for agentgateway. (#12966)
• Add a ListenerPolicy CRD and ProxyProtocol config in it. (#12979)
• Add basic auth configuration to TrafficPolicy. (#12983)
• Add stats matcher config to GatewayPparameters (#12985)
• Add support for gzip response compression and request decompression in TrafficPolicy. (#12986)
• Add earlyRequestHeaderModifier to HTTPListenerPolicy. this allows performing header modifications before a route is selected. (#12992)
• add regex path rewrite (#13001)
• Added metrics and logs for envoy xDS errors. (#13003)
• Add PerConnectionBufferLimit to ListenerPolicy
  Deprecate PerConnectionBufferLimit annotation on Gateway resources
  (#13016)
• Added a new AgentgatewayParameters API in agentgateway.dev/v1alpha1 (#13018)
• Adds OAuth2 policy to enable OAuth2 and OIDC flows with Envoy as the
  Gateway.
  (#13051)
• Implement FrontendTLConfig in the Gateway API
  Implementation specific details:
  • Allow multiple caCertificateRefs
  • Allow caCertificateRefs to reference secrets as well as configmaps
  • Added the kgateway.dev/verify-certificate-hash to listener TLS options to allow configuration of validate client certificates.
    (#13064)
• Added kgateway.dev/verify-subject-alt-names TLS option (#13097)
• OAuth2: allow customizing cookie settings and denying redirects for
  matching requests.
  (#13099)

Bug Fixes

• Clear stale TrafficPolicy and HTTPListenerPolicy status after the policy has all invalid TargetRefs (#12883)
• Enforce ReferenceGrants for cross namespace Secrets references used by XListenerSets (#12954)
• Fixed agentgateway global ratelimit translation for token unit. (#12959)
• Fixed issue with stale configuration when changing a service traffic distribution. (#13005)
• Use TARGETPLATFORM when building envoyinit container (#13048)

Deprecations

• HTTPListenerPolicy is now deprecated. Use the httpSettings under ListenerPolicy instead. (#13066)

Cleanup

• Removed enabled from agentgateway in GatewayParameters as it should only use controllerName to know if its agentgateway or envoy (#13017)

Dependency Updates

• bump envoy-gloo to v1.36.3-patch1 (#13058)

Installation

The kgateway project is available as a Helm chart and docker images.

Helm Charts

The Helm chart is available at cr.kgateway.dev/kgateway-dev/charts/kgateway.

Docker Images

The docker images are available at:

• cr.kgateway.dev/kgateway-dev/kgateway:v2.2.0-beta.3
• cr.kgateway.dev/kgateway-dev/sds:v2.2.0-beta.3
• cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.2.0-beta.3

For detailed installation instructions and next steps, please visit our quickstart guide.

v2.2.0-beta.2

Test release only, not intended for usage

v2.1.2

🎉 Welcome to the v2.1.2 release of the kgateway project!

Installation

The kgateway project is available as a Helm chart and docker images.

Helm Charts

The Helm chart is available at cr.kgateway.dev/kgateway-dev/charts/kgateway.

Docker Images

The docker images are available at:

• cr.kgateway.dev/kgateway-dev/kgateway:v2.1.2
• cr.kgateway.dev/kgateway-dev/sds:v2.1.2
• cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.1.2

Quickstart

Try installing this release:

helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.1.2 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.1.2 --namespace kgateway-system --create-namespace

For detailed installation instructions and next steps, please visit our quickstart guide.

Changes from kgateway-dev/kgateway between v2.1.1 and v2.1.2

Bug Fixes

• Agentgateway: Handles HTTPRoute timeouts per Gateway API spec. (#12766)
• Fixes endpoint synchronization for inference extension plugin. (#12810)
• Fix a bug where a listener on a ListenerSet can not read a secret in its own namespace
  Enforce ReferenceGrants for cross namespace Secrets references used by XListenerSets
  (#12995)

Cleanup

• Removes kubectl wait workaround for gateway-api-inference-extension/issues/1315 in Makefile since it's no longer needed. (#12820)

Dependency Updates

• Inference: Bumps Inference Gateway dependency to v1.1.0. (#12813)
• updated envoy-gloo to v1.35.7-patch1 (#13057)

v2.2.0-beta.1

🎉 Welcome to the v2.2.0-beta.1 release of the kgateway project!

Installation

The kgateway project is available as a Helm chart and docker images.

Helm Charts

The Helm chart is available at cr.kgateway.dev/kgateway-dev/charts/kgateway.

Docker Images

The docker images are available at:

• cr.kgateway.dev/kgateway-dev/kgateway:v2.2.0-beta.1
• cr.kgateway.dev/kgateway-dev/sds:v2.2.0-beta.1
• cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.2.0-beta.1

Quickstart

Try installing this release:

helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.2.0-beta.1 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.2.0-beta.1 --namespace kgateway-system --create-namespace

For detailed installation instructions and next steps, please visit our quickstart guide.

Changelog

Changes from kgateway-dev/kgateway between v2.2.0-alpha.1 and v2.2.0-beta.1

Breaking Changes

• Introduces a new setting KGW_ENABLE_GATEWAY_API_EXPERIMENTAL_FEATURES to gate experimental Gateway API features and APIs. Defaults to false (#12695)
• Added new AgentgatewayPolicy to replace TrafficPolicy for agentgateway. Added support for backend and frontend configuration. (#12723)
• Remove AI policy from TrafficPolicy. (#12901)

New Features

• Allows users to define GatewayClasses using any controller. E.g., a user can create a custom GatewayClass with an arbitrary name that uses controllerName kgateway.dev/agentgateway to duplicate the behavior of the built-in GatewayClass agentgateway. A user may still choose to patch the built-in GatewayClass to change its behavior via GatewayParameters, but now it is also possible to choose to just create a new GatewayClass that refers to equivalent GatewayParameters. One motivation: two different teams that want different GatewayParameters for class agentgateway. Another motivation: clean GitOps with entirely new resources, no patching required. (#12733)
• Added event reporting for agentgateway gateways that indicates when a gateway has nacked an update (#12770)
• Added JWT Authentication configuration to the TrafficPolicy and support for JWT Providers to the GatewayExtension. (#12811)
• Add support for Azure OpenAI backends with agentgateway. (#12836)
• rustformation: implemented remove headers and some jinja custom functions (#12848)
• Introduced support for remote jwks in JWTAuthentication policies. (#12850)
• Added support for OpenAI Responses API and Anthropic token counting route types. Added prompt caching configuration for Bedrock enabling up to 90% cost reduction and significantly faster response times. (#12855)
• Introduce support for basic auth, api-key auth, and inline jwt auth policies to agent gateway (#12886)
• Add support for multiple certificateRefs in listener tls section (#12895)
• support TLS termination for TCPRoutes (#12906)

Bug Fixes

• Fix a bug where agw did not work with listenersets allowed by the namespace selector (#12838)
• Clear stale HTTPRoute status after the route has all invalid ParentRefs (#12852)
• Fixed mcp authorization parsing for backend policy on AgentgatewayPolicy. (#12897)
• fix: set default alpn on transport socket
  Allow configuring ALPN protocols using kgateway.dev/alpn-protocols TLS option
  (#12903)
• Fix a bug where a listener on a listenerset can not read a secret in its own namespace (#12936)

Cleanup

• Support for InferencePool with the kgateway class, which was deprecated in v2.1, has been removed. Support is available with the agentgateway class. (#12689)
• rustformations module reorganization, doc and build improvement (#12764)
• Use the TransformationPolicy API directly as rustformation config (#12803)
• Removes the deprecated spec.kube.aiExtension from the GatewayParameters API. Users should migrate to using the agentgateway dataplane for AI capabilities. (#12840)
• Adds TCPRoute && TLSRoute to the list of gated experimental gateway API features.
  Enable experimental gateway API features by default.
  (#12881)
• Inference: Moves InferencePool status code to agentgateway package. (#12902)

v2.2.0-alpha.1

🎉 Welcome to the v2.2.0-alpha.1 release of the kgateway project!

Installation

The kgateway project is available as a Helm chart and docker images.

Helm Charts

The Helm chart is available at cr.kgateway.dev/kgateway-dev/charts/kgateway.

Docker Images

The docker images are available at:

• cr.kgateway.dev/kgateway-dev/kgateway:v2.2.0-alpha.1
• cr.kgateway.dev/kgateway-dev/sds:v2.2.0-alpha.1
• cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.2.0-alpha.1

Quickstart

Try installing this release:

helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.2.0-alpha.1 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.2.0-alpha.1 --namespace kgateway-system --create-namespace

For detailed installation instructions and next steps, please visit our quickstart guide.

v2.1.1

🎉 Welcome to the v2.1.1 release of the kgateway project!

Installation

The kgateway project is available as a Helm chart and docker images.

Helm Charts

The Helm chart is available at cr.kgateway.dev/kgateway-dev/charts/kgateway.

Docker Images

The docker images are available at:

• cr.kgateway.dev/kgateway-dev/kgateway:v2.1.1
• cr.kgateway.dev/kgateway-dev/sds:v2.1.1
• cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.1.1

Quickstart

Try installing this release:

helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.1.1 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.1.1 --namespace kgateway-system --create-namespace

For detailed installation instructions and next steps, please visit our quickstart guide.

Changelog

New Features

• Allow using kgateway.dev/http-redirect-status-code annotation to
  configure the allowed HTTP redirect status codes as an override
  API with the RequestRedirect filter.
  (#12612)

Bug Fixes

• Deps: Bumps agentgateway from v0.10.1 to v0.10.3. (#12668)

Cleanup

• bumped envoy to v1.35.6 (#12683)

v2.1.0

🎉 Welcome to the v2.1.0 release of the kgateway project!

Installation

The kgateway project is available as a Helm chart and docker images.

Helm Charts

The Helm chart is available at cr.kgateway.dev/kgateway-dev/charts/kgateway.

Docker Images

The docker images are available at:

• cr.kgateway.dev/kgateway-dev/kgateway:v2.1.0
• cr.kgateway.dev/kgateway-dev/sds:v2.1.0
• cr.kgateway.dev/kgateway-dev/envoy-wrapper:v2.1.0

Quickstart

Try installing this release:

helm install kgateway-crds oci://cr.kgateway.dev/kgateway-dev/charts/kgateway-crds --version v2.1.0 --namespace kgateway-system --create-namespace
helm install kgateway oci://cr.kgateway.dev/kgateway-dev/charts/kgateway --version v2.1.0 --namespace kgateway-system --create-namespace

For detailed installation instructions and next steps, please visit our quickstart guide.

Changelog

Breaking Changes

• Updates the status API for TrafficPolicy and HTTPListenerPolicy to use Gateway API v1alpha2.PolicyStatus API. (#11141)

• Switching to Envoy's /stats/prometheus?usedonly endpoint to only get statistics that Envoy has updated (counters incremented at least once, gauges changed at least once, and histograms added to at least once). (#11358)

• Use kgateway.dev/inherited-policy-priority: ShallowMergePreferParent
  instead of delegation.kgateway.dev/inherited-policy-priority: PreferParent
  and kgateway.dev/inherited-policy-priority: ShallowMergePreferChild
  instead of delegation.kgateway.dev/inherited-policy-priority: PreferChild,
  as annotations to define inherited policy priority for delegated routes.

  By default, child HTTPRoute policies take precedence over parent
  HTTPRoute policies for delegated routes.
  (#11675)

• remove insecureSkipVerify field from Backend and AI ssl validation (#11819)

• Adds disable field to extAuth, extProc, cors, buffer policies to allow
  disabling the policies per-route.

  Breaking change: extAuth.enablement has been removed in favor of
  extAuth.disable.
  (#11893)

• Inference: Replaces InferencePool v1alpha2 with v1 (#11965)

• Add generic gRPC request timeout to GatewayExtension gRPC services
  Add failOpen support to all GatewayExtension external providers
  Change ExtProc GatewayExtension provider to failOpen by default
  (#12239)

• Rename agentGateway to agentgateway for consistency in helm values. Rename GatewayParameters agentGateway field to agentgateway. (#12293)

• As waypoint functionality is alpha, disable it by default. It can be enabled by setting the waypoint.enabled helm value to true (#12385)

• Bumps Gateway API dependency to v1.4.0. Previous Gateway API CRDs must be replaced with v1.4.0. API type changes must be manually converted. BackendTLSPolicy is promoted from v1alpha3 to v1. The v1alpha3 scheme is removed due to the BackendTLSPolicy promotion. Users must replace v1alpha3 instances of BackendTLSPolicy with v1 after installing the Gateway API v1.4.0 CRDs. (#12439)

• Updates gateway-api-inference-extension version to v1.0.1 and removes inferencepools.inference.networking.x-k8s.io CRD. (#12466)

New Features

• Enables kgateway to act as the control plane for agentgateway. (#11151)
• Enables policy attachment using labels using the targetSelectors API for kgateway policy APIs. (#11163)
• Introduce BYO global rate limiting so operators can expose an external rate-limit service through a GatewayExtension resource and reference that extension from a TrafficPolicy. This enables users to configure both local and cluster-wide quotas within the same API surface. (#11169)
• Add a setting to toggle the listener bind address to either ipv4 or ipv6 (#11196)
• Add support for dynamic forward proxy. (#11197)
• Introduce BackendConfigPolicy api to allow configuring envoy clusters. (#11214)
• Enables setting annotations on Deployment generated by kgateway Helm chart. (#11224)
• Adds InferencePool status management to Inference Extension endpointpicker (EPP) Plugin. (#11230)
• Enables multiple kgateway installs in separate namespaces, and implements discoveryNamespaceSelectors to control the namespaces that are considered for config discovery by a kgateway instance based on label selectors. (#11238)
• Respect DestinationRule TCP keepalive settings (#11246)
• CORS support has been added and can be configured in the TrafficPolicy or in HTTPRoute, depending on the desired policy. (#11252)
• Allows a Kubernetes gateway to have more than 64 listeners by implementing ListenerSets defined in https://gateway-api.sigs.k8s.io/geps/gep-1713. Listener Sets can define their own listeners and be mapped to a parent gateway via their parentRef. The Kubernetes gateway will have the merged list of all listeners from itself and attached ListenerSets. This experimental feature requires the xlistenersets.gateway.networking.x-k8s.io CRD to be present. (#11255)
• Invalid durations in our CRDs will now be rejected using CEL, before the CR is admitted. (#11266)
• Allow TrafficPolicy to targetRef using section name. (#11272)
• Add PathOverride and AuthHeaderOverride fields for custom LLM provider endpoints (#11282)
• add TargetSelectors field in BackendConfigPolicySpec to enable selection of resources with matchLabels. (#11289)
• Support for CSRF policy has been added to the TrafficPolicy. (#11302)
• backendconfigpolicy: add ssl config (#11308)
• Support sessionPersistence on HTTPRoute (#11320)
• Add control plane metrics support for observability of controller, collections, and translation operations. (#11342)
• Adds initial InferencePool e2e tests (#11344)
• added support for extended gateway parameters (#11346)
• Support Service appProtocols http2, grpc, and grpc-web. (#11352)
• backendconfigpolicy: add load balancer configuration (#11365)
• Enables configuring the payload transformation mode for AWS Lambda
  backends.
  (#11381)
• Allow configuring app protocol on Static Backends. (#11384)
• add health check config to backendconfigpolicy (#11393)
• For kubernetes services, set IgnoreHealthOnHostRemoval to true on the cluster. (#11395)
• Adds support for OpenTelemetry Tracing & Access Log Support. This can be configured via the HTTPListenerPolicy (#11396)
• add http2 protocol options to backendconfigpolicy (#11455)
• Add useRemoteAddress, xffNumTrustedHops, serverHeaderTransformation, and streamIdleTimeout to HTTPListenerPolicy #11231 (#11462)
• Users can now define custom environment variables for the envoy proxy container via the gateway parameters.
  It can be specified as a list via GatewayParameters.spec.kube.envoyContainer.env
  (#11463)
• Added image, security context and resource configuration on GatewayParameters for agentgateway. (#11464)
• Enables sorting of HTTPRoutes using weights assigned with the
  kgateway.dev/route-weight annotation when KGW_WEIGHTED_ROUTE_PRECEDENCE=true.
  (#11470)
• Added CEL validation to enforce proper attachment semantics for policy APIs. This ensures that policies can only be attached to valid Gateway API resources. (#11499)
• Allow setting listener-level perConnectionBufferLimitBytes by setting the kgateway.dev/per-connection-buffer-limit annotation on the gateway. ([#11505](https://github.com/kgateway-dev/k...