Skip to main content
< All Topics

Kubernetes Gateway API

Posted
Updated
Author -Rajkumar Aute
Views95

Hello learners, and welcome back to DevSecOpsGuru.in! Today, we are going to dive deep into a massive shift in the Kubernetes networking world: the Kubernetes Gateway API. If you have ever struggled with messy Ingress files, this is the modern, standardized, and highly flexible upgrade you have been waiting for.

Let’s break this down completely, from beginner-friendly concepts to production-grade DevSecOps architecture!

When you deploy applications in Kubernetes, you need a safe way for the outside world (your users) to access them. For years, the standard tool was “Ingress.” However, as apps grew complex, Ingress became too rigid and hard to manage for large teams.

Feature / ConceptKubernetes IngressIngress ControllerIngressClassGateway API (Gateway & HTTPRoute)
Component TypeDeclarative API Resource (YAML object)Active Infrastructure (Pod/Software)Declarative API Resource (YAML object)Declarative API Resources (Suite of YAML objects)
Primary FunctionDefines the Layer 7 (HTTP/HTTPS) routing rules, hostnames, and TLS certificates.Reads the routing rules and executes the actual traffic proxying/load balancing.Maps a specific Ingress resource to a specific Ingress Controller implementation.Provides an extensible, role-based, multi-protocol (L4/L7) routing framework.
Execution StatePassive. It does nothing on its own without a controller.Active. Runs continuously as a background process (e.g., NGINX, HAProxy).Passive. Acts strictly as a configuration link/label.Passive. Requires a Gateway Controller to implement the defined infrastructure.
Native vs. 3rd PartyNative Kubernetes API (networking.k8s.io/v1).Third-party (maintained by vendors like F5, Traefik Labs, or community).Native Kubernetes API (networking.k8s.io/v1).Native K8s SIG project (gateway.networking.k8s.io).
Lifecycle OwnerApplication Developer (defines how their app is accessed).Cluster Administrator / Platform Engineer (manages the proxy infrastructure).Cluster Administrator (defines available infrastructure classes).Distributed: Admins manage GatewayClass/Gateway; Devs manage HTTPRoute.
Cross-Namespace SupportLimited. Rules generally must reside in the same namespace as the backend Service.Global or Namespace-scoped depending on deployment configuration.Global (Cluster-scoped object).Native. HTTPRoute in namespace A can attach to a Gateway in namespace B securely.
Protocol SupportStrictly Layer 7 (HTTP/HTTPS).Can sometimes handle Layer 4 via vendor-specific custom annotations/ConfigMaps.N/A (Just a mapping object).Native Layer 4 (TCP/UDP) and Layer 7 (HTTP/HTTPS/gRPC) support.

Enter the Kubernetes Gateway API! Think of it as “Ingress 2.0.” It is a modern, standardized set of rules to manage network traffic entering and leaving your cluster. It supports multiple protocols (HTTP, HTTPS, TCP, UDP, gRPC) and allows different teams (like infrastructure admins and app developers) to work together safely without breaking each other’s configurations.

Imagine a large, modern apartment building:

  • NodePort/LoadBalancer (The Old Way): This is like giving everyone outside a direct, unmanaged phone line to every single flat. It is messy, expensive, and insecure!
  • Legacy Ingress: Think of this as a receptionist at the front desk who only speaks English (HTTP) and uses a very basic notebook to direct guests. If you need special VIP rules, the receptionist gets confused unless you hand them messy custom sticky notes (which are like Kubernetes annotations).
  • Gateway API (The Modern Way): This is a high-tech, smart lobby system. It has a Building Manager (Infrastructure Team) who sets up the physical security gates (GatewayClass and Gateway). Then, the individual Flat Owners (Developers) can set up their own digital smart-passes (HTTPRoute, TCPRoute) to let their specific guests in. It speaks multiple languages natively and handles everything smoothly without bothering the building manager for every single visitor!

Key details to remember

  • Gateway API ≠ API Gateway: Gateway API is a set of Kubernetes rules/resources, while an API Gateway (like Kong or NGINX) is the actual software doing the proxy work.
  • Role-Oriented: Designed for different personas (Platform Admins manage Gateways, Developers manage Routes).
  • Expressive: Natively supports header matching, traffic splitting, and weight-based routing without messy annotations.
  • Multi-Protocol: Supports HTTP, HTTPS, TCP, UDP, and gRPC out of the box.
  • Standardized: Replaces fragmented, vendor-specific Ingress controllers with a universal, portable Kubernetes standard.
FeatureLegacy Kubernetes IngressModern Gateway API
Protocol SupportMostly HTTP/HTTPSHTTP, HTTPS, gRPC, TCP, UDP
Role SeparationBlurry (Devs & Admins fight over 1 file)Clear (Admin = Gateway, Dev = Route)
Traffic Splitting (Canary)Requires vendor-specific annotationsBuilt-in natively
Cross-Namespace RoutingHard or impossibleNatively supported via ReferenceGrant

The Evolution of From Ingress to Gateway API

While Ingress was a foundational tool in the early days of Kubernetes, its rigid design struggled to keep up with modern networking demands. The Gateway API was introduced as a robust, standardized replacement to solve the growing pains associated with Ingress.

The Limitations of Traditional Ingress (Why We Left)

  • Protocol Limitations: Ingress was strictly designed for Layer 7 traffic (HTTP/HTTPS). Routing Layer 4 traffic (like TCP or UDP) was impossible without implementing custom, non-standard workarounds.
  • “Annotation Hell” and Vendor Lock-in: Because Ingress only understood basic HTTP/HTTPS, vendors (like NGINX or Traefik) had to invent custom YAML annotations (e.g., nginx.ingress.kubernetes.io/rewrite-target) to support advanced features like rate limiting, traffic splitting, header manipulation, or retries. This destroyed portability if you migrated to a new Ingress controller, your YAML files would break.
  • Single Persona Bottleneck: Ingress forced both infrastructure configuration (e.g., port binding, TLS) and application routing (e.g., path mapping) into a single object. This made it incredibly difficult to implement Role-Based Access Control (RBAC) across different engineering teams safely.

How Gateway API Fixes the Problem

The Gateway API provides a much larger, native vocabulary inside Kubernetes, standardizing advanced networking features into the core specification so you no longer have to rely on vendor-specific annotations.

  • Broad Protocol Support: Gateway API natively supports HTTP, gRPC, TCP, UDP, and TLS straight out of the box.
  • Role-Oriented Architecture: Instead of a single crowded Ingress.yaml file, the Gateway API separates concerns by splitting the configuration into distinct resources. This allows cluster administrators and application developers to work independently without stepping on each other’s toes.

The Role-Oriented Model of Gateway API

Think of the Kubernetes Gateway API like a set of Lego blocks. By cleanly separating infrastructure configuration from application routing, teams only need to manage the YAML files they are directly responsible for. This role-based design makes cluster networking significantly more secure, scalable, and manageable for everyone involved.

The architecture is smartly split across three distinct personas and their respective resources:

1. GatewayClass (The Blueprint)

  • Owned by: Infrastructure Provider / Platform Team
  • Purpose: Acts as a template defining the underlying load balancer or controller technology (e.g., NGINX, AWS ALB, Istio, Envoy, or Cilium).
  • Key Detail: A single Kubernetes cluster can support multiple GatewayClasses simultaneously. For example, you might create an external-lb class for public internet traffic and an internal-lb class for private, cross-service corporate traffic.

2. Gateway (The Infrastructure Layer)

  • Owned by: Cluster Operator / Admin
  • Purpose: The actual instantiation of a GatewayClass. It requests and provisions the specific load balancer configuration from the infrastructure provider.
  • Example: “I am opening Port 80 on the cluster and allowing traffic.”
  • Listeners: Inside the Gateway spec, operators define “Listeners” to control the entry points. Listeners specify the logical endpoints (e.g., Port 80 for HTTP, Port 443 for HTTPS), manage TLS certificates, and dictate exactly which namespaces are authorized to attach routes to this Gateway.

3. *Route (The Traffic Intelligence)

  • Owned by: Application Developer
  • Purpose: Defines the application-specific traffic routing logic that snaps into the Gateway.
  • Example: “If traffic hits Port 80 and the path is /app, send it to my specific Kubernetes Service.”
  • Strong Typing: Instead of generic routes, developers use highly typed resources depending on the specific traffic, such as HTTPRoute, GRPCRoute, TCPRoute, or UDPRoute.

These Route resources contain the actual intelligence for the traffic lifecycle, which is broken down into three main mechanisms:

MechanismDescription
MatchesThe rules for intercepting traffic based on paths, headers, query parameters, or specific HTTP methods.
FiltersActions taken on the request before it reaches the backend. Examples include adding or removing headers, request mirroring, URL rewriting, or setting retry budgets.
BackendsThe final destination for the traffic. This is usually a standard Kubernetes Service, but it can also be a custom target like a cloud storage bucket.

Advanced Concepts & Capabilities

Cross-Namespace Routing (Safe Multi-Tenancy)

One of the most powerful features of the Gateway API is its ability to decouple the Gateway from the application routes.

  • allowedRoutes: A Cluster Operator can deploy a shared Gateway in a gateway-infra namespace and configure the Listener’s allowedRoutes to accept HTTPRoutes from the app-team-a and app-team-b namespaces.
  • ReferenceGrant: If Team A wants their HTTPRoute to forward traffic to a Service in Team B’s namespace, they can’t just do it blindly (which would be a security risk). Team B must explicitly create a ReferenceGrant resource to permit Team A’s route to send traffic to their service.

The GAMMA Initiative (Service Mesh Integration)

Originally, the Gateway API was designed for North-South traffic (traffic entering the cluster from the outside). However, through the GAMMA (Gateway API for Mesh Management and Administration) initiative, the exact same API is now used for East-West traffic (traffic between microservices inside the cluster). Instead of attaching an HTTPRoute to a Gateway, you can attach it directly to a Kubernetes Service to define mesh routing rules.

Extensibility and AI Workloads

Because it relies on Custom Resource Definitions (CRDs), the Gateway API is highly extensible. A prime example is the recent Gateway API Inference Extension, which allows the API to intelligently route traffic to Large Language Models (LLMs) based on GPU availability, token cache, and model criticality, effectively turning a standard Gateway into an “AI Gateway.”You’ve got a great grasp of the core concepts! Your summary perfectly captures the essence of the Kubernetes Gateway API. To build on that foundation, here is a deeper dive into the architecture, advanced capabilities, and the specific problems this API was built to solve.

Why Gateway API is Replacing Ingress

The traditional Kubernetes Ingress resource is now officially frozen, meaning all new network routing features are being developed exclusively for the Gateway API. The shift was necessary because Ingress had several structural limitations:

  • Protocol Limitations: Ingress was strictly designed for Layer 7 (HTTP/HTTPS). Routing Layer 4 traffic (TCP/UDP) required custom workarounds. Gateway API natively supports HTTP, gRPC, TCP, UDP, and TLS out of the box.
  • Annotation Hell: Because Ingress was a single, rigid resource, advanced features like traffic splitting, header manipulation, or retries were implemented via vendor-specific annotations (e.g., nginx.ingress.kubernetes.io/rewrite-target). This destroyed portability across different Ingress controllers. Gateway API standardizes these features into the core specification.
  • Single Persona Bottleneck: Ingress forced infrastructure configuration and application routing into the same object, making it difficult to define Role-Based Access Control (RBAC) across different teams.

The Role-Oriented Model

As you noted, the API is split across three personas. Here is a closer look at what each resource actually does under the hood:

GatewayClass

Infrastructure Provider: Think of this as the “template” or “blueprint.” It defines which controller will actually manage the traffic (e.g., Istio, Envoy, Cilium, NGINX). You can have multiple GatewayClasses in a single cluster for example, an external-lb class for public internet traffic and an internal-lb class for private corporate traffic.

The GatewayClass is a cluster-scoped resource within the Kubernetes Gateway API (gateway.networking.k8s.io API group) that formalizes the separation of concerns between infrastructure provisioning and application routing. It operates analogously to a StorageClass in the Persistent Volume subsystem. Just as a StorageClass abstracts the underlying storage provisioner (e.g., AWS EBS, GCP Persistent Disk) from the user requesting a volume, the GatewayClass abstracts the underlying network data plane and load balancing infrastructure from the users deploying routing rules.

In a role-oriented architecture, the GatewayClass is strictly the domain of the Infrastructure Provider or Platform Administrator. It establishes the operational boundaries and technical specifications for how traffic ingress and egress will be handled at the cluster edge or within a service mesh.

Core Technical Components

A standard GatewayClass definition relies on several critical fields to dictate controller behavior:

  • controllerName: This is the most crucial attribute. It is a domain-prefixed string (e.g., networking.istio.io/gateway-controller, io.cilium/gateway-controller) that explicitly signals which ingress controller or infrastructure provisioner must reconcile Gateway resources referencing this class. If the specified controller is not running in the cluster, any associated Gateway objects will remain in an unprovisioned or unaccepted state.
  • parametersRef: This field elevates the GatewayClass from a simple label to a highly extensible blueprint. It provides a typed object reference to a configuration resource (such as a ConfigMap or a Custom Resource Definition specific to the controller). This allows the Platform Admin to attach global, infrastructure-specific configurations to the class. For example, an AWS Elastic Load Balancing controller might reference a custom resource dictating specific VPC subnets, security group attachments, or AWS WAF integrations.
  • status Subresource: The GatewayClass includes a status mechanism where the designated controller reports its operational readiness. The controller will typically update the conditions array to reflect whether it has successfully acknowledged the class (e.g., Accepted: True) or if there are configuration errors (e.g., an invalid parametersRef).
Multi-Tenancy and Environment Segmentation

The ability to deploy multiple GatewayClasses simultaneously is fundamental to supporting complex, multi-tenant, and hybrid-cloud environments. By instantiating distinct classes, administrators can enforce strict physical and logical isolation.

Common deployment patterns include:

  • External vs. Internal Traffic: Defining a GatewayClass named external-internet-facing that provisions external cloud load balancers with public IP addresses, alongside an internal-vpc-only class that provisions internal load balancers restricted to corporate network CIDR blocks.
  • Hardware / Performance Tiers: Creating distinct classes for different performance requirements, such as a high-throughput-dpdk class utilizing a specialized underlying data plane, versus a standard-nginx class for lightweight administrative interfaces.
  • Controller Heterogeneity: Running multiple specialized controllers in a single cluster without conflict. A cluster might use the Google Kubernetes Engine (GKE) Gateway controller for north-south traffic entering the cluster, while utilizing a Cilium or Istio GatewayClass strictly for east-west service mesh routing and L7 policy enforcement.
The Provisioning Lifecycle

When a user (typically a Cluster Operator or Application Developer) creates a Gateway resource, they must specify a gatewayClassName.

  1. Instantiation: The Kubernetes API server accepts the Gateway object.
  2. Reconciliation: The controller identified by the GatewayClass‘s controllerName detects the new Gateway.
  3. Infrastructure Realization: The controller reads the blueprint provided by the GatewayClass (including any parametersRef) and dynamic data from the Gateway (such as requested listener ports and TLS certificates). It then interacts with the underlying infrastructure spinning up an Envoy proxy deployment, configuring an AWS Network Load Balancer, or updating eBPF maps to physically realize the requested networking topology.

Gateway

Cluster Operator:This is the actual instantiation of a GatewayClass. It requests a specific load balancer configuration from the infrastructure provider.

  • Listeners: Inside the Gateway spec, operators define “Listeners” which specify the logical endpoints (e.g., Port 80 for HTTP, Port 443 for HTTPS), the TLS certificates to use, and exactly which namespaces are allowed to attach routes to this Gateway.

The Gateway resource (gateway.networking.k8s.io) functions as the concrete instantiation of the logical networking blueprint defined by a GatewayClass. While the GatewayClass is managed by the Infrastructure Provider to define how traffic is handled, the Gateway is strictly the domain of the Cluster Operator. It represents a specific, physical or logical networking endpoint such as a cloud provider’s Application Load Balancer (ALB), an in-cluster Envoy proxy deployment, or a hardware load balancer appliance provisioned to handle traffic for a defined set of applications.

When a Cluster Operator creates a Gateway, the associated controller dynamically provisions the underlying infrastructure. A critical component of this instantiation is the addresses array within the Gateway specification. Operators can use this field to request specific networking parameters, such as explicitly requesting a static IPv4/IPv6 address, specifying an internal versus external IP configuration, or allowing the infrastructure provider to dynamically assign an ephemeral address. If the requested address cannot be provisioned, the controller reports the failure via the Gateway status conditions, preventing traffic blackholes.

Listener Architecture: Protocol and Interface Definition

Within the Gateway specification, the listeners array defines the precise logical endpoints exposed by the provisioned infrastructure. A Listener acts as a traffic gateway for a specific combination of protocol, port, and hostname.

The technical anatomy of a Listener requires several strict definitions:

  • name: A unique, domain-safe identifier within the Gateway (e.g., web-http, api-https).
  • port: The specific network port (e.g., 80, 443, 8443) on which the underlying proxy or load balancer will listen for incoming connections.
  • protocol: The L4/L7 protocol expected on this port. Supported core protocols include HTTP, HTTPS, TCP, UDP, and TLS. The protocol dictates which type of Route resources (e.g., HTTPRoute, TCPRoute) are permitted to attach to this Listener.
  • hostname: An optional but highly critical field for L7 traffic routing and Server Name Indication (SNI). By specifying a hostname (e.g., api.example.com or *.example.com), the Gateway can multiplex multiple Listeners on the same port, directing traffic based on the HTTP Host header or the TLS SNI extension.

Advanced TLS Configuration Modes

For secure Listeners (using HTTPS or TLS protocols), the tls block defines how cryptographic termination is handled at the Gateway edge. The Gateway API supports two primary TLS modes:

  1. Terminate: The Gateway itself decrypts the incoming traffic. The tls.certificateRefs field must point to a Kubernetes Secret (typically of type kubernetes.io/tls) containing the necessary public certificate and private key. Once terminated, the Gateway can inspect the L7 payload (e.g., HTTP headers, paths) to make advanced routing decisions before forwarding the traffic often re-encrypting it to the backend services.
  2. Passthrough: The Gateway does not decrypt the traffic. Instead, it utilizes the unencrypted SNI data from the TLS handshake to determine the routing destination. The encrypted byte stream is forwarded directly to the backend pod, which assumes the responsibility of TLS termination. This is crucial for strict end-to-end encryption requirements and zero-trust network architectures.

Route Attachment and Namespace Boundary Control (AllowedRoutes)

One of the most powerful architectural advancements in the Gateway API over the legacy Ingress API is its robust, decentralized RBAC model, governed by the allowedRoutes specification within each Listener. This mechanism dictates exactly which application teams (operating in specific namespaces) are permitted to attach their routing rules to the Gateway.

The allowedRoutes.namespaces.from field supports three configurations:

  • Same: Only Routes residing in the exact same namespace as the Gateway resource can attach to this Listener. This enforces a strict, isolated operational model.
  • All: Routes from any namespace in the cluster can attach. This is common for a centralized ingress model where a single public load balancer serves the entire cluster.
  • Selector: The most granular and secure approach. The Cluster Operator defines a label selector (e.g., matchLabels: { shared-gateway-access: "true" }). Only namespaces possessing this specific label can attach Routes to the Listener.

Furthermore, allowedRoutes.kinds allows the Operator to restrict the type of routes. For example, a Listener on port 443 could be restricted to only accept HTTPRoute resources, explicitly rejecting TCPRoute or TLSRoute attachments, thereby enforcing L7 traffic inspection.

Gateway Status and Infrastructure Reconciliation

Because Gateway provisioning involves external infrastructure, the API relies heavily on asynchronous state reporting. The status subresource provides real-time operational feedback from the underlying controller.

The most critical condition is Programmed. When status.conditions reports Programmed: True, it confirms that the controller has successfully translated the Gateway specification, provisioned the physical/virtual load balancer, allocated the necessary IP addresses, and successfully bound the requested Listeners. Additionally, each Listener maintains its own status block, detailing its supportedKinds and the total number of attachedRoutes, allowing Operators to audit precisely how many application rules are actively bound to a specific port and protocol.

The Route Resource: Application-Layer Traffic Management

  • *Route (Application Developer):The routing layer is highly typed. You don’t just use a generic route; you use an HTTPRoute, GRPCRoute, TCPRoute, or UDPRoute. These resources contain the actual intelligence:
    • Matches: Rules based on paths, headers, query parameters, or HTTP methods.
    • Filters: Actions taken on the request before it hits the backend (e.g., adding/removing headers, request mirroring, URL rewriting, or setting retry budgets).
    • Backends: Where the traffic ultimately goes (usually a Kubernetes Service, but it can also be a custom backend like a cloud storage bucket).

In the Gateway API architecture, Route resources (gateway.networking.k8s.io) represent the exclusive domain of the Application Developer. While the Gateway provisions the physical or logical listening endpoints, the Route resources contain the declarative intelligence dictating how traffic entering those listeners is evaluated, modified, and ultimately directed to backend workloads. This explicit decoupling allows developers to manage their own application routing life cycles independently of the core network infrastructure.

Strong Typing and Protocol-Specific Schemas

Unlike the monolithic Ingress API, the Gateway API utilizes strictly typed Route objects. This architectural decision enforces schema validation at the Kubernetes API server level, ensuring that routing logic strictly aligns with the underlying network protocol.

  • HTTPRoute: Designed for Layer 7 HTTP/HTTPS traffic. It supports advanced L7 evaluation, including HTTP headers, methods, and query parameters.
  • GRPCRoute: Optimized for gRPC traffic, allowing routing based on gRPC service and method names, handling the specific multiplexing requirements of HTTP/2.
  • TCPRoute & UDPRoute: Designed for Layer 4 traffic. These routes handle raw byte streams and datagrams, forwarding traffic purely based on the designated port without L7 inspection.
  • TLSRoute: Used for SNI-based routing of encrypted TLS streams (Passthrough mode), routing traffic without terminating the encryption at the Gateway.

Attachment Mechanism: parentRefs

For a Route to become active, it must bind to a Gateway. This is achieved through the parentRefs array. The Route declares its intent to attach to a specific Gateway (and optionally, a specific sectionName or listener port). The Gateway controller evaluates this request against the Gateway’s allowedRoutes RBAC policies. If the binding is authorized, the Route’s status is updated to reflect that the parent Gateway has accepted the configuration.

Anatomy of a Routing Rule

The core operational logic of a Route is contained within its rules array. Each rule defines an independent processing pipeline consisting of Matches, Filters, and Backends. The controller evaluates rules sequentially or based on specificity (e.g., longest path match first).

1. Matches: Request Evaluation Criteria

The matches array defines the conditions a request must satisfy to trigger the associated rule. For an HTTPRoute, the HTTPRouteMatch object supports highly granular L7 criteria:

  • Path Matching: Supports Exact matches (e.g., /api/v1), PathPrefix matches (e.g., /api/), and RegularExpression matching.
  • Header Matching: Evaluates the presence or specific values of HTTP headers (e.g., routing traffic where x-user-tier: premium).
  • Query Parameter Matching: Evaluates URL query strings (e.g., ?version=v2).
  • Method Matching: Restricts routes to specific HTTP verbs (e.g., GET, POST, PUT).

Multiple match conditions within a single match object are evaluated using a logical AND. Multiple match objects within a rule are evaluated using a logical OR.

2. Filters: Request and Response Mutation

If a request satisfies the match criteria, the filters array dictates actions the data plane must execute before forwarding the request to the backend, or upon receiving the response. Standard filters include:

  • RequestHeaderModifier / ResponseHeaderModifier: Injects, overwrites, or removes headers. Critical for appending tracing IDs or stripping sensitive headers before they reach the backend.
  • URLRewrite: Modifies the request path or hostname. For example, stripping a /v1/ prefix before forwarding the request to a microservice that only expects /.
  • RequestRedirect: Instructs the client to redirect (HTTP 301/302). Commonly used for forcing HTTP to HTTPS or redirecting deprecated endpoints.
  • RequestMirror: Duplicates the incoming request and sends a “fire-and-forget” copy to an alternate backend. This is heavily utilized for shadow traffic testing in production environments without impacting the primary request path.

3. Backends: Destination Resolution and Traffic Splitting

The backendRefs array defines the ultimate destination for the processed request.

  • Target Resolution: The most common backend is a standard Kubernetes Service. However, the Gateway API is highly extensible, allowing backendRefs to target custom resources, such as an AWS S3 bucket, a serverless function, or an external ServiceImport in a multi-cluster mesh.
  • Weight-Based Routing: Each backend reference includes a weight field (defaulting to 1). By defining multiple backends with specific weights (e.g., Backend A: 90, Backend B: 10), developers can execute precise traffic splitting. This natively supports complex deployment strategies like canary releases, A/B testing, and blue-green deployments directly at the ingress layer.

HTTPRoute

HTTPRoute is the primary workhorse resource in the Kubernetes Gateway API (Generally Available in v1). While a Gateway defines how traffic enters the cluster (listening ports, IP addresses, TLS termination), an HTTPRoute defines where that traffic goes and what happens to it along the way. It is responsible for routing HTTP and HTTPS traffic to backend services based on a rich set of programmable rules.

Anatomy of an HTTPRoute

An HTTPRoute manifest is highly structured and divided into four primary sections:

A. Parent References (parentRefs)

This section binds the route to a parent resource, instructing the infrastructure on where this route should be attached.

  • Gateway Attachment: You can target a specific Gateway by name, a specific listener within that Gateway by sectionName, or multiple listeners via a port.
  • Cross-Namespace: Developers can attach their HTTPRoute (in an application namespace) to a Gateway (in an infrastructure namespace), enabling true role-oriented decoupling.
  • Service Mesh: In newer Gateway API releases (v1.1+), parentRefs can also target a Kubernetes Service to control East-West service mesh traffic using the exact same API.

B. Hostnames (hostnames)

Defines the domains the route applies to (e.g., api.example.com or *.example.com).

  • Hostnames are evaluated before any routing rules.
  • If multiple routes attach to the same Gateway, the routing tree resolves the most specific hostname match first.

C. Rules (rules)

The core engine of the HTTPRoute. Each rule contains matches, filters, and backend references.

1. Matches (matches) Determine if an incoming request should be processed by this rule.

  • Path: Match by PathPrefix (e.g., /api), Exact (e.g., /login), or RegularExpression.
  • Headers: Match exact or regular expression header values (e.g., env: canary).
  • Query Parameters: Match specific URL parameters (e.g., ?version=v2).
  • Method: Match HTTP methods (e.g., GET, POST).
  • Logic: Multiple conditions within a single match are evaluated with an AND operator. Multiple match objects within a rule are evaluated with an OR operator.

2. Filters (filters) Perform operations on the request or response during the routing lifecycle.

  • RequestHeaderModifier / ResponseHeaderModifier: Add, set, or remove HTTP headers.
  • RequestRedirect: Issue 3xx redirects (e.g., redirecting HTTP to HTTPS, or redirecting deprecated paths).
  • URLRewrite: Modify the path or hostname before forwarding to the backend (cannot be combined with RequestRedirect).
  • RequestMirror: Clone traffic to a secondary backend. This is highly beneficial for traffic shadowing/testing. v1.3.0 introduced percentage-based mirroring.
  • CORS: Cross-Origin Resource Sharing filters to handle preflight requests natively (introduced in v1.3.0).
  • ExtensionRef: Allows plugging in custom, vendor-specific filters (e.g., attaching a specific Web Application Firewall policy).

3. Backend References (backendRefs) Defines the destination for the traffic if the rule matches.

  • Targets standard Kubernetes Service objects.
  • Weights: Used natively for traffic splitting. For example, assigning a weight of 90 to svc-v1 and 10 to svc-v2 facilitates Canary deployments or A/B testing without requiring complex proxy-specific annotations.

D. Timeouts (timeouts)

Gateway API v1 introduced standardized timeout configurations directly on the route object:

  • request: The timeout for the entire client request to complete.
  • backendRequest: The timeout for a single request from the Gateway to the backend service.

Key Differences from Traditional Ingress

  • Role-Based Decoupling: The Gateway is owned by platform administrators, while the HTTPRoute is owned by application developers in their respective namespaces.
  • No More Annotation Sprawl: Advanced routing features (header matching, traffic weighting, mirroring, redirects) are built strictly into the core API schema, removing the heavy reliance on fragile, controller-specific annotations that plagued the older Ingress API.

ReferenceGrant: A powerful security feature that allows safe sharing of resources across different namespaces (e.g., routing traffic from a Gateway in a platform namespace to a Service in a dev namespace).

Traffic Splitting (Canary Deployments)

(The Killer Feature)

One of the biggest reasons to move to the Gateway API is native Traffic Splitting.

Imagine you wrote a new version of your app (Version 2). You don’t want to send 100% of your users to V2 immediately, because if it crashes, everyone goes down. Instead, you want to send 90% of traffic to V1, and 10% to V2 to test the waters. This is called a Canary Deployment.

With the Gateway API, this is incredibly easy and built right in using weights.

Advanced Concepts & Capabilities

Cross-Namespace Routing (Safe Multi-Tenancy)

One of the most powerful features of the Gateway API is its ability to decouple the Gateway from the application routes.

  • allowedRoutes: A Cluster Operator can deploy a shared Gateway in a gateway-infra namespace and configure the Listener’s allowedRoutes to accept HTTPRoutes from the app-team-a and app-team-b namespaces.
  • ReferenceGrant: If Team A wants their HTTPRoute to forward traffic to a Service in Team B’s namespace, they can’t just do it blindly (which would be a security risk). Team B must explicitly create a ReferenceGrant resource to permit Team A’s route to send traffic to their service.

The GAMMA Initiative (Service Mesh Integration)

Originally, the Gateway API was designed for North-South traffic (traffic entering the cluster from the outside). However, through the GAMMA (Gateway API for Mesh Management and Administration) initiative, the exact same API is now used for East-West traffic (traffic between microservices inside the cluster). Instead of attaching an HTTPRoute to a Gateway, you can attach it directly to a Kubernetes Service to define mesh routing rules.

Extensibility and AI Workloads

Because it relies on Custom Resource Definitions (CRDs), the Gateway API is highly extensible. A prime example is the recent Gateway API Inference Extension, which allows the API to intelligently route traffic to Large Language Models (LLMs) based on GPU availability, token cache, and model criticality, effectively turning a standard Gateway into an “AI Gateway.”

DevSecOps Architects, let’s talk about production-grade deployments. In a true enterprise environment, the Gateway API is the ultimate enabler for secure, zero-trust, edge-to-mesh architectures.

  • Edge-to-Mesh Integration (GAMMA): Modern implementations allow you to use the Gateway API not just for North-South traffic (entering the cluster), but also for East-West traffic (service-to-service via a Service Mesh). The GAMMA (Gateway API for Mesh Management and Administration) initiative is bringing Service Mesh routing into this exact same API standard, unifying edge and mesh configurations.
  • Zero-Trust and Security: You can enforce TLS termination at the Gateway layer using hardened certificates from cert-manager, while using ReferenceGrant to strictly control which namespaces can attach routes to the corporate Gateway. This prevents a compromised developer namespace from hijacking the main domain’s traffic or spoofing routes.
  • Production Tooling & Implementations: You cannot just apply the Gateway API CRDs and expect it to work; you need a conformant data-plane controller. Here are the top production-grade tools supporting this natively:
    • Istio: Excellent for full Service Mesh + Gateway capabilities. Official Website
    • Cilium / Isovalent: Powered by eBPF, insanely fast, great for DevSecOps network policies. Official Website
    • Envoy Gateway: The official Gateway API implementation driven by the Envoy proxy community. Official Website
    • Kong Gateway Operator: High-performance, highly scalable API gateway. Official Website
    • NGINX Gateway Fabric: F5/NGINX’s official conformance tool for the new standard. Official Website
Additional Details
  • The “API Gateway” vs “Gateway API” Confusion: Let’s clear up a massive industry confusion. Gateway API is a Kubernetes specification (a bunch of CRDs). An API Gateway (like Apigee, Kong, AWS API Gateway) is a software product that handles rate limiting, billing, and auth. You can actually use the Gateway API specs to configure your API Gateway product inside Kubernetes!
  • State of the API: As of late 2023/2024, the Gateway API hit v1 (General Availability) for core features like HTTPRoute, Gateway, and GatewayClass. TCP/UDP routing is still evolving but highly usable in beta.
  • Ingress is NOT fully deprecated yet: It is “frozen.” No new features are being added to standard Ingress, but it will stick around for a long time. However, all new open-source networking development is happening in the Gateway API space.
Key Components
  1. GatewayClass: Created by the Infrastructure Provider (e.g., AWS, Azure, or your Platform team). It defines the type of load balancer or proxy to use (like NGINX, Istio, or Envoy).
  2. Gateway: Created by the Cluster Operator. It represents an actual instance of the traffic-handling infrastructure (like a physical or cloud load balancer listening on port 80 or 443).
  3. Routes (HTTPRoute, TCPRoute, UDPRoute): Created by Application Developers. These define the actual rules how a request like /login should be safely routed to the backend login-service pod.
  4. ReferenceGrant: A powerful security feature that allows safe sharing of resources across different namespaces (e.g., routing traffic from a Gateway in a platform namespace to a Service in a dev namespace).
Key Characteristics
  • Role-Oriented Design: It separates the duties. Your infrastructure team manages the heavy lifting, and your dev team manages the app routing. No more accidental configuration breaks!
  • Extensible & Portable: You can easily swap out your underlying proxy (e.g., moving from Traefik to Envoy) without rewriting all your developer routing rules.
  • Highly Expressive: You can route traffic based on HTTP headers, methods, query parameters, and easily split traffic for testing out of the box.
Use Cases
  • Multi-Tenant Clusters: Safely sharing a single load balancer across multiple application teams using different namespaces.
  • Advanced Deployments: Doing smooth Canary deployments or Blue-Green deployments with native traffic weighting.
  • Non-HTTP Traffic: Routing database traffic (TCP) or video streaming (UDP) right alongside your web traffic.
Benefits
  • No more “annotation soup” cluttering up your YAML files.
  • Better security through strict RBAC (Role-Based Access Control) boundaries.
  • Vendor neutrality write your configurations once, and run them anywhere.
Best Practices
  • Adopt Role Segregation: Let your Platform team handle GatewayClass and Gateway. Empower devs to handle Routes.
  • Use ReferenceGrants Carefully: Only grant cross-namespace access when absolutely necessary to maintain a secure, zero-trust environment.
  • Migrate Gradually: Don’t rip out Ingress overnight. Run your Ingress controllers and Gateway API side-by-side during migration to test the waters.
  • Challenge: Complexity Overhead.
    • Problem: For a simple 1-node sandbox, deploying GatewayClass, Gateway, and HTTPRoute feels like YAML bloat compared to one simple Ingress file.
    • Solution: Use it where it makes sense. If you have a single tiny app, standard Ingress is fine. Scale to Gateway API when teams grow.
  • Challenge: Controller Conflicts.
    • Problem: Running an old Ingress Controller and a new Gateway API Controller on the same ports causes binding failures.
    • Solution: Ensure proper IP allocation or use different load balancer IPs/ports for testing them side-by-side during migration.
  • Limitation: Vendor Feature Parity.
    • Problem: Not all controllers support 100% of the Gateway API spec yet (e.g., UDP routing might be missing in some).
    • Solution: Always verify the official Kubernetes Gateway API Conformance page before choosing a production tool.
  • Istio: Excellent for full Service Mesh + Gateway capabilities.
  • Cilium / Isovalent: Powered by eBPF, insanely fast, perfect for DevSecOps network policies.
  • Envoy Gateway: The official Gateway API implementation driven by the Envoy proxy community.
  • Kong Gateway Operator: High-performance, highly scalable API gateway.
  • NGINX Gateway Fabric: F5/NGINX’s official conformance tool for the new standard.
Contents
Scroll to Top