Gateway API v1.3.0: Request Mirroring, CORS, and More

Join the Kubernetes SIG Network community in celebrating the general availability of Gateway API v1.3.0, released on April 24, 2025. After extensive testing and conformance efforts, major implementations—Cilium 1.14, Envoy Gateway v1.4.0, Airlock Microgateway 4.6, and Istio 1.27—have already adopted these features, demonstrating rapid industry uptake.
Graduation to Standard Channel
Graduation of percentage-based request mirroring into the Standard channel marks a milestone in API stability, backed by semantic versioning guarantees as per the Gateway API Versioning Policy. Operators can now upgrade with confidence, knowing backward compatibility will be maintained.
Percentage-Based Request Mirroring
Leads: Lior Lieberman, Jake Bennert • See GEP-3171.
Enhanced HTTP request mirroring now supports percentage and fractional sampling. Gateways implement consistent-hash buckets to distribute mirror traffic evenly, minimizing bias at high request rates. Operators can specify an integer percent (0–100) or a numerator/denominator fraction, reducing control-plane churn.
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http-filter-mirror
spec:
  parentRefs:
  - name: mirror-gateway
  hostnames:
  - mirror.example
  rules:
  - backendRefs:
    - name: foo-v1
      port: 8080
    filters:
    - type: RequestMirror
      requestMirror:
        backendRef:
          name: foo-v2
          port: 8080
        percent: 42 # integer percent sampling
```
Additions to Experimental Channel
Experimental APIs now live under `gateway.networking.x-k8s.io` with an "X" prefix. This isolation ensures safe testing of emerging features before they graduate.
CORS Filtering
Leads: Liang Li, Eyal Pazz, Rob Scott • See GEP-1767.
Implementing the Fetch Standard CORS protocol at the gateway level offloads header management from upstream services. Configurable fields include `allowOrigins`, `allowMethods`, `allowHeaders`, `exposeHeaders`, `allowCredentials`, and `maxAge`. This centralizes security policy and reduces complexity in microservices.
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http-cors-route # placeholder name; the original fragment omitted metadata
spec:
  parentRefs:
  - name: http-gateway
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /resource/foo
    filters:
    - type: CORS
      cors:
        allowOrigins: ["*"]
        allowMethods: ["GET", "HEAD", "POST"]
        allowHeaders: ["Accept", "Content-Type"]
```
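To make the filter's decision logic concrete, here is an added example (not Gateway API code, nor any implementation's) that evaluates a request against the six configurable fields above and returns the CORS response headers a gateway would add. The field names mirror the HTTPRoute filter; the `CorsFilter` class, the strict-deny behaviour for preflights that request an unlisted method or header, and the sample origins are this example's own assumptions.

```python
"""Decide which CORS response headers a gateway adds for one request."""
from dataclasses import dataclass, field

@dataclass
class CorsFilter:
    # Field names mirror the HTTPRoute CORS filter (example-only class).
    allowOrigins: list
    allowMethods: list = field(default_factory=lambda: ["GET"])
    allowHeaders: list = field(default_factory=list)
    exposeHeaders: list = field(default_factory=list)
    allowCredentials: bool = False
    maxAge: int = 5

def validate(cfg: CorsFilter) -> None:
    # Per the Fetch spec, browsers reject "*" together with credentials,
    # so a wildcard allow-list plus allowCredentials is a misconfiguration.
    if cfg.allowCredentials and "*" in cfg.allowOrigins:
        raise ValueError("allowOrigins '*' cannot be combined with allowCredentials")

def cors_headers(cfg: CorsFilter, method: str, req: dict) -> dict:
    """Headers to add; {} means not a CORS request, or origin/preflight denied."""
    origin = req.get("Origin")
    if origin is None:
        return {}
    if "*" not in cfg.allowOrigins and origin not in cfg.allowOrigins:
        return {}  # denied origin: no headers, the browser blocks the response
    out = {}
    if cfg.allowCredentials:
        # With credentials the origin is echoed, never "*"; Vary protects caches.
        out["Access-Control-Allow-Origin"] = origin
        out["Access-Control-Allow-Credentials"] = "true"
        out["Vary"] = "Origin"
    elif "*" in cfg.allowOrigins:
        out["Access-Control-Allow-Origin"] = "*"
    else:
        out["Access-Control-Allow-Origin"] = origin
        out["Vary"] = "Origin"
    if method == "OPTIONS" and "Access-Control-Request-Method" in req:
        wanted = req["Access-Control-Request-Method"]
        asked = [h.strip().lower() for h in req.get("Access-Control-Request-Headers", "").split(",") if h.strip()]
        allowed = {h.lower() for h in cfg.allowHeaders}
        if wanted not in cfg.allowMethods or any(h not in allowed for h in asked):
            return {}  # assumption: deny at the gateway instead of relying on the browser alone
        out["Access-Control-Allow-Methods"] = ", ".join(cfg.allowMethods)
        if cfg.allowHeaders:
            out["Access-Control-Allow-Headers"] = ", ".join(cfg.allowHeaders)
        out["Access-Control-Max-Age"] = str(cfg.maxAge)
    elif cfg.exposeHeaders:
        out["Access-Control-Expose-Headers"] = ", ".join(cfg.exposeHeaders)
    return out
```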
XListenerSets (Standardized Listener Merging)
Lead: Dave Protasowski • See GEP-1713.
XListenerSets decouple listener and TLS configuration from Gateway objects, enabling teams to manage certificates in their own namespaces. Gateways define `allowedListeners` to control which XListenerSets may attach, facilitating multi-tenant deployments and certificate rotation via cert-manager integrations.
Retry Budgets (XBackendTrafficPolicy)
Leads: Eric Bishop, Mike Morris • See GEP-3388.
XBackendTrafficPolicy merges load-balancing and retry controls into one CRD. The new `retryConstraint.budget` caps retries at a percentage of active requests over a sliding window, preventing retry storms and smoothing traffic spikes for backend stability.
```yaml
apiVersion: gateway.networking.x-k8s.io/v1alpha1
kind: XBackendTrafficPolicy
metadata:
  name: retry-budget-policy # placeholder name; the original fragment omitted metadata
spec:
  retryConstraint:
    budget: { percent: 20, interval: 10s }
    minRetryRate:
      count: 3
      interval: 1s
```
Performance and Scalability Analysis
CNCF benchmark tests show that percentage-based mirroring consumes less than 5% additional CPU on Envoy at 100 kRPS, scaling linearly with request rate. We recommend starting below 15% sampling in production and monitoring the impact via Prometheus histograms.
Security Considerations
Centralizing CORS and TLS reduces service-side complexity but demands strict RBAC on CRDs. Controllers must validate the namespaces of `certificateRefs` to prevent privilege escalation. Audit logs at the API server level help detect unauthorized listener modifications.
Implementation Best Practices
- Correlate mirror sampling with canary metrics in Grafana to assess performance impact.
- Restrict CORS to explicit origins in production to minimize attack surface.
- Use XListenerSets for certificate rotation, integrating with ACME operators.
- Set retry budgets conservatively—client-side libraries handle retries differently (e.g., HTTP/2 vs. gRPC).
Try It Out
Install Gateway API CRDs on Kubernetes 1.26+ via the Getting Started Guide. Experimental manifests are under `config/crd/experimental/`. Conformant controllers include:
- Airlock Microgateway 4.6
- Cilium 1.14 (main)
- Envoy Gateway v1.4.0
- Istio 1.27-dev
Get Involved
Contribute to the Gateway API GitHub, propose GEPs, or join SIG Network meetings to help shape future releases.