Release notes

Review summaries of the main changes in the Gloo Gateway 2.0 release.

report

Make sure that you review the breaking changes 🔥 that were introduced in this release and the impact that they have on your current environment.

General information

The release notes on this page cover the new features that were introduced or deprecated in 2.0.x

The release notes include important installation changes and known issues. They also highlight ways that you can take advantage of new features or enhancements to improve your product usage.

For more information, see the following related resources: Gloo Gateway changelog or kgateway changelog: A full list of changes.

Upgrade guide: Steps to upgrade from the previous minor version to the current version.
Version reference: Information about Solo’s version support.

🔥 Breaking changes

Review details about the following breaking changes. The severity is intended as a guide to help you assess how much attention to pay to this area during the upgrade, but can vary depending on your environment.

🚨 High

Review severe changes that can impact production and require manual intervention.

New v2 API

Gloo Gateway now offers enterprise features on top of the open source kgateway project. Kgateway is the most mature and widely deployed gateway in Kubernetes for microservices, agentic AI, and inference workloads. Based on the Kubernetes Gateway API, kgateway provides purpose-built Envoy and Rust-based proxies that you can configure based on the needs of your workloads. To learn more about the different proxy types and when to use them, see Deployment patterns. For more information about the kgateway open source project, see the kgateway docs.

As you migrate from Gloo Gateway 1.x, keep the following considerations in mind:

v1 resource	v2 resource	Description
Upstreams	Backend and BackendConfigPolicy	Upstreams were replaced by Gloo Gateway Backends. Previously, Upstreams defined not only a backing service but also policy configuration for the service, such as TLS or health checks. In 2.x, the backend and policy configuration are decoupled. For backing services, create a Backend. Backends allow you to configure static or external services to which you want to route traffic or apply policies. For policies on the backing service, such as to enable TLS/mTLS, outlier detection, load balancing, and health checks, create a BackendConfigPolicy.
HTTPListenerOptions and ListenerOptions	HTTPListenerPolicy	HTTPListenerOptions and ListenerOptions were replaced by the HTTPListenerPolicy that allows you to configure policies for an Envoy Gateway listener, such as access logs or tracing.
RouteOptions and VirtualHostOptions	GlooTrafficPolicy	RouteOptions and VirtualHostOptions were replaced by Gloo Gateway’s GlooTrafficPolicy. The GlooTrafficPolicy is a superset of kgateway’s TrafficPolicy and provides additional fields to enable enterprise capabilities, such as JWT authentication and authorization, external authentication with API keys and OAuth providers, and enhanced MCP and LLM support. With a GlooTrafficPolicy, you can attach the policy where you need it, such as to an HTTPRoute, HTTPRoute rule, Gateway, or ListenerSet.
External auth, rate limiting, and external processing providers	GatewayExtension	To configure external auth, rate limiting, or extProc providers, you use a GatewayExtension resource. This resource lets you set provider-specific settings, such as timeouts and fail open policies. For more information, check out the extauth, rate limiting, and extProc guides.
Gloo UI	no change	You can use the Gloo UI that you are familiar with to gain insights into the Gloo Gateway control and data plane. in addition, you can leverage the pre-built Gloo Gateway operational dashboard in Grafana to monitor the performance and health of these components. For more information, see OTel stack.
Gloo Mesh Enterprise VirtualDestinations	no change	Gloo Gateway offers support for Gloo Mesh Enterprise VirtualDestinations and ambient mesh APIs to seamlessly allow you to integrate Gloo Gateway as an ingress gateway to your service mesh. For more information, see Istio.

Multiple RateLimitConfigs

Only one RateLimitConfig can be applied per GlooTrafficPolicy at a time. In Gloo Gateway 1.x versions, multiple RateLimitConfigs could be specified in a RouteOption resource. Consider a different attachment strategy for rate limiting in Gloo Gateway 2.x. For example, you might create a 1:1 mapping between RateLimitConfig, GlooTrafficPolicy, and the attached resource such as a Gateway or HTTPRoute. For more information, see the GlooTrafficPolicy attachment options.

Support Envoy-based Istio Ambient waypoints

Envoy-based Istio Ambient waypoints are no longer supported. As such, the gloo-gateway-v2-waypoint GatewayClass is removed.

Deprecated support for AI Gateway and Inference Extension with Envoy

AI Gateway and Inference Extension support for Envoy-based gateway proxies is removed. If you want to use AI capabilities, use a Rust-based agentgateway proxy instead that is purpose-built for agentic workloads.

Fail open policy for ExtProc providers

The default fail open policy for ExtProc providers changed from false to true. Because of that, requests are forwarded to the upstream service, even if the ExtProc server is unavailable. To change this policy, set the spec.extProc.failOpen field to false in your GatewayExtension resource.

Changes in policy merging

With the introduction of new policy resources, such as a GlooTrafficPolicy, the rules for applying multiple policies changed. As such, new ways of policy merging, inheritance, and order priority were introduced. For more information, see the Policy docs.

🔔 Medium

Review changes that might have impact to production and require manual intervention, but possibly not until the next version is released.

No medium-severity changes are currently reported.

ℹ️ Low

Review informational updates that you might want to implement but that are unlikely to materially impact production.

No low-severity changes are currently reported.

🌟 New features

Agentgateway enterprise (beta)

Agentgateway enterprise is a new data plane that provides secure AI connectivity for agents, tools, LLMs, and inference workloads in your cloud-native environment.

info

Agentgateway enterprise is a beta feature. For more information, see Alpha and beta release process.

Agentgateway enterprise is based on the agentgateway open source project.

To use agentgateway enterprise, enable the agentgateway.enabled setting during the Helm installation and include your agentgateway license key. Then, when you create a Gateway resource, you can specify the agentgateway-enterprise GatewayClass to use agentgateway enterprise as the data plane.

For more information, see the About topic.

Global policy attachment

By default, you must attach policies to resources that are in the same namespace. Now, you can enable a feature to create a “global” namespace for policies. Then, these global policies can attach to resources in any namespace in your cluster through label selectors. For more information, see the Global policy attachment docs.

Multiple installations

With discovery namespace selectors, you can now install multiple Gloo Gateway control planes in the same environment.

Weighted routing

Now, you can configure weights for more fine-grained control over your routing rules. This feature is disabled by default. To enable it, see the Weighted routing docs.

Additional proxy pod template customization

Gateway proxies are created with a default proxy template that is stored in the default GatewayParameters resource. To change the default settings, you create a custom GatewayParameters resource and deploy a Gateway with it. Gloo Gateway now has more options to customize the gateway proxies’ default pod template, including configuration for nodeSelectors,affinity, tolerations, topologySpreadConstraints, and externalTrafficPolicy.

For more information, see Customize the proxy. To find all the values that you can change, see the PodTemplate reference in the GatewayParameters API.

Horizontal Pod Autoscaling

You can bring your own Horizontal Pod Autoscaler (HPA) plug-in to Gloo Gateway. This way, you can automatically scale gateway proxy pods up and down based on certain thresholds, like memory and CPU consumption. For more information, see Horizontal Pod Autoscaling (HPA).

HTTP1.0/0.9 support

Configure your gateway proxy to accept the HTTP/1.0 and HTTP/0.9 protocols so that you can support legacy applications. For more information, see HTTP/1.0 and HTTP/0.9.

Dynamic Forward Proxy

Configure the gateway proxy to use a Dynamic Forward Proxy (DFP) filter to allow the proxy to act as a generic HTTP(S) forward proxy without the need to preconfigure all possible upstream hosts. Instead, the DFP dynamically resolves the upstream host at request time by using DNS.

For more information, see Dynamic Forward Proxy (DFP).

Session affinity

You can configure different types of session affinity for your Envoy-based gateway proxies:

Change the loadbalancing algorithm: By default, incoming requests are forwarded to the instance with the least requests. You can change this behavior and instead use a round robin or random algorithm to forward the request to a backend service.
Consistent hashing: Set up soft session affinity between a client and a backend service by using consistent hashing algorithms.
Session persistence: Set up “strong” session affinity or sticky sessions to ensure that traffic from a client is always routed to the same backend instance for the duration of a session.

Passive health checks with outlier detection

Configure passive health checks and remove unhealthy hosts from the load balancing pool with an outlier detection policy. An outlier detection policy sets up several conditions, such as retries and ejection percentages, that kgateway uses to determine if a service is unhealthy. When an unhealthy service is detected, the outlier detection policy defines how the service is removed from the pool of healthy destinations to send traffic to. For more information, see Outlier detection.

New operations dashboard

When you install the OTel stack, you can now leverage the new Gloo Gateway operations dashboard for Grafana. This dashboard shows important metrics at a glance, such as the translation and reconciliation time, total number of operations, the number of resources in your cluster, and latency.

Leader election enabled

Leader election is enabled by default to ensure that you can run Gloo Gateway in a multi-control plane replica setup for high availability.

You can disable leader election by setting the controller.disableLeaderElection to true in your Helm chart.

  helm upgrade -i gloo-gateway oci://us-docker.pkg.dev/solo-public/gloo-gateway/charts/gloo-gateway \
     -n gloo-system \
     --version 2.0.2 \
     --set licensing.glooGatewayLicenseKey=$GLOO_GATEWAY_LICENSE_KEY \
     --set controller.disableLeaderElection=true

Solo Enterprise for kgateway

Gloo Gateway (K8s GW API)

Gloo Edge

Release notes

General information link

🔥 Breaking changes link

🚨 High link

New v2 API link

Multiple RateLimitConfigs link

Support Envoy-based Istio Ambient waypoints link

Deprecated support for AI Gateway and Inference Extension with Envoy link

Fail open policy for ExtProc providers link

Changes in policy merging link

🔔 Medium link

ℹ️ Low link

🌟 New features link

Agentgateway enterprise (beta) link

Global policy attachment link

Multiple installations link

Weighted routing link

Additional proxy pod template customization link

Horizontal Pod Autoscaling link

HTTP1.0/0.9 support link

Dynamic Forward Proxy link

Session affinity link

Passive health checks with outlier detection link

New operations dashboard link

Leader election enabled link