Introducing KubeLB 1.3: Advanced Security with WAF, Seamless Gateway API Migration, and Supply Chain Integrity

We are proud to announce the release of KubeLB 1.3! This release represents a significant leap forward in securing your edge infrastructure and modernizing your traffic management. From introducing a powerful Web Application Firewall (WAF) to streamlining the transition to the Gateway API, KubeLB 1.3 is designed to help you build safer, more resilient platforms

Release Highlights of KubeLB 1.3

Web Application Firewall (WAF)

KubeLB has introduced Web Application Firewall (WAF) capabilities as an Enterprise Edition (EE) Alpha feature. With KubeLB WAF, you can protect your applications from SQL injection, XSS, and other injection attacks without application changes from a single point of control.

Learn more in the KubeLB Ingress to Gateway API Converter how-to.

Ingress to Gateway API Migration

The Kubernetes ecosystem is rapidly adopting the Gateway API as the new standard for traffic management, offering far greater expressiveness and extensibility than traditional Ingress. This shift is critical as the community has announced that ingress-nginx has entered retirement mode and will reach End of Life (EOL) in March 2026. After this date, it will receive no further security patches or bug fixes.

For a deeper understanding of the security and maintenance implications driving this change, we highly recommend reading the Statement from the Kubernetes Steering and Security Response Committees.

However, migrating existing resources manually is often complex and error-prone. To bridge this gap and accelerate your modernization journey, KubeLB 1.3 introduces an automated conversion tool as a Beta Feature.

Learn more in the KubeLB Ingress to Gateway API Converter how-to.

Supply Chain Security

KubeLB v1.3 introduces comprehensive supply chain security for both Community Edition (CE) and Enterprise Edition (EE):

• Artifact Integrity: Includes SBOM Generation (SPDX format) and Keyless Artifact Signing via Sigstore Cosign for all binaries, images, and Helm charts.
• Automated Vetting: Features automated Vulnerability Scanning (blocking releases on HIGH/CRITICAL findings) and Dependency Monitoring.
• Compliance: These measures ensure compliance with NTIA Minimum Elements, Executive Order 14028, and SLSA guidelines.

Learn more in the Supply Chain Security documentation.

KubeLB Enterprise Edition (EE) Features

• Web Application Firewall (WAF): WAF capabilities as an Alpha feature.
• Circuit Breakers: Configurable circuit breakers for Envoy Clusters at Global or Tenant level.
• Traffic Policies: Support for Envoy Gateway’s BackendTrafficPolicy and ClientTrafficPolicy.
• Metrics: Additional metrics for Connection Manager and EE components.

KubeLB Community Edition (CE) Features

• Ingress to Gateway API Migration (Beta): Automated conversion from Ingress to Gateway API resources.
• Observability: Prometheus metrics for CCM, Manager, and Envoy Control Plane. Grafana dashboards for monitoring KubeLB components.
• Revamped E2E Tests: E2E tests revamped to use chainsaw framework, now running in CI/CD pipeline.
• Graceful Envoy Shutdown: Envoy Proxy gracefully drains listeners before termination to avoid downtimes.
• Overload Manager: Configurable overload manager and global connection limits using custom Envoy bootstrap.
• Custom Envoy Image: Custom Envoy Proxy image through the EnvoyProxy configuration.

KubeLB Security and Compliance

Security

Due to CVEs announced on 2nd Feb 2026, we have updated the kubelb-addons chart to v0.3.1 with dependency bumps and security fixes(#257) and also release KubeLB v1.3.1 and v1.2.2 with the same security fixes.

ingress-nginx 4.14.1 → 4.14.3

• CVE-2026-1580 - auth-method nginx configuration injection
• CVE-2026-24512 - rules.http.paths.path nginx configuration injection
• CVE-2026-24513 - auth-url protection bypass
• CVE-2026-24514 - Admission Controller denial of service

Reference: [Security Advisory] Multiple issues in ingress-nginx

envoy-gateway 1.6.2 → 1.6.3

• CVE-2025-0913 - Use-after-free in c-ares DNS resolver

cert-manager v1.19.2 → v1.19.3

• GHSA-gx3x-vq4p-mhhv - DoS via malformed DNS response

Get Started with KubeLB 1.3 Today

• Check out the release on GitHub and give us a star! ;)
• Read the docs: Go through the detailed release notes and documentation for specific configuration guides.

We encourage all users to upgrade to v1.3 and explore the new capabilities that KubeLB has to offer. A huge thank you to our entire community, our customers, and the dedicated contributors who helped shape this incredible release. We can’t wait to see what you build with KubeLB 1.3!