This is a preview. The full article is published at kubernetes.io.

Gateway API 1.4: New Features

By Beka Modebadze; Gateway API Contributors (Kubernetes Blog)

Ready to rock your Kubernetes networking? The Kubernetes SIG Network community presented the General Availability (GA) release of Gateway API (v1.4.0)! Released on October 6, 2025, version 1.4.0 reinforces the path for modern, expressive, and extensible service networking in Kubernetes.

Gateway API v1.4.0 brings three new features to the Standard channel (Gateway API's GA release channel):

- BackendTLSPolicy for TLS between gateways and backends
- supportedFeatures in GatewayClass status
- Named rules for Routes

and introduces three new experimental features:

- Mesh resource for service mesh configuration
- Default gateways to ease configuration burden
- externalAuth filter for HTTPRoute

Graduations to Standard Channel

Backend TLS policy

Leads: Candace Holman, Norwin Schnyder, Katarzyna Łach

GEP-1897: BackendTLSPolicy

BackendTLSPolicy is a new Gateway API type for specifying the TLS configuration of the connection from the Gateway to backend pod(s). Prior to the introduction of BackendTLSPolicy, there was no API specification that allowed encrypted traffic on the hop from Gateway to backend.

The BackendTLSPolicy validation configuration requires a hostname. This hostname serves two purposes. It is used as the SNI header when connecting to the backend, and for authentication: the certificate presented by the backend must match this hostname unless subjectAltNames is explicitly specified. If subjectAltNames (SANs) are specified, the hostname is only used for SNI, and authentication is performed against the SANs instead. If you still need to authenticate against the hostname value in this case, you MUST add it to the subjectAltNames list.

BackendTLSPolicy validation configuration also requires either caCertificateRefs or wellKnownCACertificates. caCertificateRefs refer to one or more (up to 8) PEM-encoded TLS certificate bundles. If there are no specific certificates to use, then depending on your implementation, you may use wellKnownCACertificates, set to "System", to tell the Gateway to use an implementation-specific set of trusted CA Certificates.

In this example, the BackendTLSPolicy is configured to use certificates defined in the auth-cert ConfigMap to connect with a TLS-encrypted upstream connection where pods backing the auth service are expected to serve a valid certificate for auth.example.com. It uses subjectAltNames with a Hostname type, but you may also use a URI type.

    apiVersion: gateway.networking.k8s.io/v1
    kind: BackendTLSPolicy
    metadata:
      name: tls-upstream-auth
    spec:
      targetRefs:
      - kind: Service
        name: auth
        group: ""
        sectionName: "https"
      validation:
        caCertificateRefs:
        - group: "" # core API group
          kind: ConfigMap
          name: auth-cert
        hostname: "auth.example.com" # required; used only for SNI because subjectAltNames is set
        subjectAltNames:
        - type: "Hostname"
          hostname: "auth.example.com"

In this example, the BackendTLSPolicy is configured to use system certificates to connect with a TLS-encrypted backend connection where Pods backing the dev Service are expected to serve a valid certificate for dev.example.com.

    apiVersion: gateway.networking.k8s.io/v1
    kind: BackendTLSPolicy
    metadata:
      name: tls-upstream-dev
    spec:
      targetRefs:
      - kind: Service
        name: dev
        group: ""
        sectionName: "btls"
      validation:
        wellKnownCACertificates: "System"
        hostname: dev.example.com

More information on the configuration of TLS in Gateway API can be found in Gateway API - TLS Configuration.

Status information about the features that an implementation supports

Leads: Lior Lieberman, Beka Modebadze

GEP-2162: Supported features in GatewayClass Status

GatewayClass status has a new field, supportedFeatures. This addition allows implementations...
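
The hostname and subjectAltNames rules described for BackendTLSPolicy above, as an added example (not code from the article or the Gateway API project): a small Python check that reports which name is sent as SNI and which names the backend certificate is actually authenticated against. The function name, the constructed sample policies, and the `uri` key for URI-type SANs are assumptions of this example.

```python
MAX_CA_REFS = 8  # "one or more (up to 8)" per the article


def effective_tls_checks(validation):
    """Return the SNI name, the names the backend cert is checked against, and findings."""
    findings = []
    hostname = validation.get("hostname")
    if not hostname:
        findings.append("error: validation.hostname is required")

    refs = validation.get("caCertificateRefs") or []
    well_known = validation.get("wellKnownCACertificates")
    if bool(refs) == bool(well_known):  # neither set, or both set
        findings.append("error: set exactly one of caCertificateRefs / wellKnownCACertificates")
    if len(refs) > MAX_CA_REFS:
        findings.append(f"error: {len(refs)} caCertificateRefs, maximum is {MAX_CA_REFS}")

    sans = validation.get("subjectAltNames") or []
    if sans:
        # SANs present: hostname is SNI only, authentication uses the SAN list.
        auth_names = [(s["type"], s.get("hostname") or s.get("uri")) for s in sans]
        if hostname and ("Hostname", hostname) not in auth_names:
            findings.append(f"warning: certificate is not checked against {hostname!r}; "
                            "add it to subjectAltNames if that is intended")
    else:
        # No SANs: the certificate must match the hostname itself.
        auth_names = [("Hostname", hostname)] if hostname else []
    return {"sni": hostname, "auth_names": auth_names, "findings": findings}


# Constructed sample inputs (the "validation" block of a policy, as a dict).
SPLIT_POLICY = {  # SNI name differs from the name that is authenticated
    "hostname": "auth.internal",
    "caCertificateRefs": [{"group": "", "kind": "ConfigMap", "name": "auth-cert"}],
    "subjectAltNames": [{"type": "Hostname", "hostname": "auth.example.com"}],
}
DEV_POLICY = {"wellKnownCACertificates": "System", "hostname": "dev.example.com"}
BROKEN_POLICY = {"subjectAltNames": [{"type": "URI", "uri": "spiffe://example.test/auth"}]}

if __name__ == "__main__":
    for name, v in [("split", SPLIT_POLICY), ("dev", DEV_POLICY), ("broken", BROKEN_POLICY)]:
        print(name, effective_tls_checks(v))
```
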
