Version support
View supported Solo Enterprise for kgateway versions and their release cycle.
Review the following information about supported release versions for Solo Enterprise for kgateway, and supported versions of different open source projects within each release.
| Solo Enterprise for kgateway | Date | Kubernetes | Kubernetes Gateway API | kgateway OSS | Envoy | Helm | Istio |
|---|---|---|---|---|---|---|---|
| 2.1.x | 15 Jan 2026 | 1.29 - 1.34 | 1.4.0 | 2.2.x | v3 xDS API | >= 3.12 | 1.24 - 1.28 |
Solo Enterprise for kgateway
Solo Enterprise for kgateway offers n-3 patching support for bug and critical security fixes. In other words, the current release and the three previous releases of Solo Enterprise for kgateway are supported.
New features are not developed on or backported to stable branches. However, critical patches, bug fixes, and documentation fixes are backported to all actively supported branches.
Kubernetes
Solo Enterprise for kgateway is supported and tested with the latest Kubernetes version at the time of the Solo Enterprise for kgateway release, and all Kubernetes versions that were released up to 1 year before the latest version.
Envoy
By default, Solo Enterprise for kgateway offers support for n-1 of Envoy community releases. In specific support situations, fixes can be backported to n-2 or more without bumping the Envoy minor version. In other words, a fix can be developed based on the code that you deployed within the n-2 release timeframe.
Istio
Istio must run on a compatible version of Kubernetes. For example, Istio 1.27 is tested, but not supported, on Kubernetes 1.28. For more information, see the Istio docs.
Image variants
Distroless
By default, the Solo Enterprise for kgateway control and data planes deploy with distroless images. Distroless images do not contain package managers, shells, or any other programs that are generally found in a standard Linux distribution. The use of distroless variants is a standard practice adopted by various open source projects and proprietary applications.
FIPS
You can optionally update the images that the Solo Enterprise for kgateway control or data plane deploy with to use fips images instead.
A fips image complies with National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS), for use cases that require federal information processing capabilities. For example, you might provide a cloud service that runs in a Federal Risk and Authorization Management Program (FedRAMP) regulated environment. In such cases, you can use Solo Enterprise for kgateway’s FIPS images without the need for any additional tooling or CLIs.
Deploy a specific image variant
Update the image that you use for a particular Solo Enterprise for kgateway component.
Control plane
To change the image that the Solo Enterprise for kgateway control plane uses, update the Helm values of your Solo Enterprise for kgateway installation.
Get the values file for your current version.
helm get values enterprise-kgateway -n kgateway-system -o yaml > values.yaml open values.yamlAdd the following snippet to your Helm values file. Note that the repository includes the
-fipssuffix.controller: image: registry: us-docker.pkg.dev/solo-public/enterprise-kgateway repository: enterprise-kgateway-controller-fips tag: "2.1.5"Upgrade the control plane Helm installation.
helm upgrade -i -n kgateway-system enterprise-kgateway oci://us-docker.pkg.dev/solo-public/enterprise-kgateway/charts/enterprise-kgateway \ -f values.yaml \ --version 2.1.5
Data plane
By default, the proxy is deployed with one container envoy-wrapper that proxies incoming traffic. In addition, Solo Enterprise for kgateway creates external auth and rate limiting servers for each GatewayClass that is referenced by a Gateway.
To update the images that the proxy uses, or to update the external auth and rate limiting images, you use an EnterpriseKgatewayParameters resource and then deploy or update your Gateway to reference that resource.
Create an EnterpriseKgatewayParameters resource and define the image for each container that you want to use. Note that the
envoy-wrapperrequires the-fipssuffix in the repository, whereas the extauth and rate liming servers include the-fipssuffix in the image tag.kubectl apply -f- <<EOF apiVersion: enterprisekgateway.solo.io/v1alpha1 kind: EnterpriseKgatewayParameters metadata: name: fips namespace: kgateway-system spec: kube: # main container in gateway proxy envoyContainer: image: registry: us-docker.pkg.dev/solo-public/enterprise-kgateway repository: envoy-wrapper-fips tag: "2.1.5" pullPolicy: IfNotPresent # proxy extensions, such as redis cache, external auth and rate limiting service sharedExtensions: extauth: container: image: registry: gcr.io/gloo-mesh repository: ext-auth-service tag: "0.72.2-fips" ratelimiter: container: image: registry: gcr.io/gloo-mesh repository: rate-limiter tag: "0.17.2-fips" EOFCreate a GatewayClass resource that references the EnterpriseKgatewayParameters resource.
kubectl apply -f- <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: name: custom-enterprise-kgateway namespace: kgateway-system spec: controllerName: solo.io/enterprise-kgateway parametersRef: group: enterprisekgateway.solo.io kind: EnterpriseKgatewayParameters name: fips namespace: kgateway-system EOFCreate a Gateway with your custom GatewayClass.
kubectl apply -f- <<EOF kind: Gateway apiVersion: gateway.networking.k8s.io/v1 metadata: name: fips namespace: kgateway-system spec: gatewayClassName: custom-enterprise-kgateway listeners: - protocol: HTTP port: 8080 name: http allowedRoutes: namespaces: from: All EOFVerify that your gateway is deployed with your custom images.
kubectl get deploy/fips -n kgateway-system -o yaml kubectl get deploy/ext-auth-service-custom-enterprise-kgateway -n kgateway-system -o yaml kubectl get deploy/rate-limiter-custom-enterprise-kgateway -n kgateway-system -o yaml
Release cadence
Solo Enterprise for kgateway releases are built on the OSS codebase and typically follow the equivalent kgateway OSS release. The OSS version is released as the latest build, while the Enterprise version is released as the first stable build of that version.
Release development
Alpha and beta release process
New features for Solo Enterprise for kgateway and OSS are developed on main.
- For Enterprise, new features are often first released as
betabuilds. You can use these beta builds to test new features, or wait until the feature is released with the next stable Enterprise minor version. - For OSS, new features are released as patches off of
main.
To receive feedback and improve functionality for real use cases, these features are often released according to a feature maturity model. As the features are improved and stabilized, they are gradually moved through the stages of alpha, beta, and general availability (GA) support. Review the following table for the comparison points between each stage of feature maturity. To see the maturity of a feature, check the feature’s documentation.
| Comparison point | Alpha | Beta | GA |
|---|---|---|---|
| API | Can and will likely change | Unlikely to change | No change |
| Implementation | Can and will likely change | Can change, but user experience is maintained | No changes that affect user experience |
| Upgrade paths | Not guaranteed | Not guaranteed | Provided and tested |
| Requests for enhancement (RFEs) and bug fixes | RFEs and bug fixes prioritized | RFEs and bug fixes prioritized | Fully supported |
| Documentation | Not guaranteed and supplied with warnings | Supplied with warnings | Fully supplied |
| Automated testing | Internal testing, but little testing with real use cases | Internal testing and some testing with real use cases | Fully tested and validated with real use cases |
| Suggested usage | Exploration and feedback | Testing setups, demos, and POCs | Production setups |
Stable release process
Development of a quality stable release on main typically follows this process:
- New feature development is suspended on
main. - Release candidates are created, such as
.0-rc1,.0-rc2, and so on. - A full suite of tests is performed for each release candidate. Testing includes all documented workflows, a test matrix of all supported platforms, and more.
- Documentation for that release is prepared, vetted, and staged.
- The stable minor version is released.
- Feature development on
mainis resumed.
Experimental features in Gateway API
The following features are experimental in the upstream Kubernetes Gateway API project, and are subject to change.
| Feature | Minimum Gateway API version |
|---|---|
| ListenerSets | 1.3 |
| TCPRoutes | 1.3 |
| BackendTLSPolicy | 1.4 |
| CORS policies | 1.2 |
| Retries | 1.2 |
| Session persistence | 1.3 |
| HTTPRoute rule attachment option | 1.3 |
Sample command for version 1.4.0: Note that some CRDs are prefixed with X to indicate that the entire CRD is experimental and subject to change.
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental-install.yaml
Additional support
Have other questions? Reach out to us on Slack or email sales@solo.io.