Post 5/10 — From Ingress to Gateway API: Safer, Smarter Traffic Control
Source: Dev.to
Comparison: Ingress vs. Gateway API
| Aspect | Ingress | Gateway API |
|---|---|---|
| Scope | Cluster‑wide front door | Namespaced, multi‑tenant gateways |
| Roles | One YAML = shared config | Split into Gateway (ops) + HTTPRoute (dev) |
| Extensibility | Annotations galore | Typed fields + policies |
| Status | Controller‑specific | Standardized conditions |
Gateway API Concepts
- GatewayClass – Defines the underlying implementation (e.g., Istio, NGINX).
- Gateway – Deployed by platform teams; represents where traffic enters the cluster.
- HTTPRoute – Attached by application teams; describes how traffic should be routed.
| Component | Responsibility |
|---|---|
| Gateway | Specifies listeners, ports, and TLS termination. |
| HTTPRoute | Defines matches (hosts, paths, headers) and forwards traffic to Services. |
Example Manifests
gateway.yaml
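```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: web-gw
  namespace: platform
spec:
  gatewayClassName: nginx
  listeners:
  - name: https
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate          # TLS ends at the gateway
      certificateRefs:
      - name: my-cert          # Secret in the Gateway's own namespace (platform)
    allowedRoutes:
      namespaces:
        from: All              # any namespace may attach routes; use Same or Selector to restrict
```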
route.yaml
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: shop-route
  namespace: shop
spec:
  parentRefs:
  - name: web-gw
    namespace: platform
  hostnames: ["shop.example.com"]
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: shop-svc
      port: 80
```
Advanced Features
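```yaml
# Header matching with a request timeout and retries.
rules:
- matches:
  - headers:
    - name: x-region
      value: eu
  backendRefs:
  - name: shop-svc-eu
    port: 80
  # Timeouts and retries are fields on the rule, not filter types.
  timeouts:
    request: 5s
  # retry is in the Experimental channel; controller support varies.
  retry:
    attempts: 3
    codes: [500, 502, 503, 504]   # numeric status codes; there is no "5xx" wildcard
```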
Weighted traffic splits (first‑class support):
```yaml
backendRefs:
- name: shop-svc
  port: 80
  weight: 80
- name: shop-svc-canary
  port: 80
  weight: 20
```
Multiple HTTPRoute objects can safely attach to a single Gateway, each scoped to its own namespace.
Migration: Ingress → Gateway API
Legacy Ingress
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: shop
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts: [shop.example.com]
    secretName: my-cert
  rules:
  - host: shop.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: shop-svc
            port:
              number: 80
```
After Migration
Apply the gateway.yaml and route.yaml shown above.
Verification
```bash
kubectl get gateways -A
kubectl get httproutes -A
# shop-route lives in the shop namespace, so name it explicitly
kubectl describe httproute shop-route -n shop
```
Canary test
```bash
# The canary Service sits in the same namespace as the route (shop)
kubectl get endpoints shop-svc-canary -n shop -o wide
curl -H "x-canary: true" https://shop.example.com
```
You’ll observe controlled traffic flow, improved observability, and clearer ownership.
Common Commands
| Task | Command |
|---|---|
| List GatewayClass objects | kubectl get gatewayclass |
| Inspect listeners of a gateway | kubectl describe gateway |
| List routes attached to a gateway | kubectl get httproute -A --field-selector spec.parentRefs.name= |
| Create TLS secret for the gateway | kubectl create secret tls my-cert --cert cert.pem --key key.pem -n platform |
| Test connectivity (skip TLS verification) | curl -k https://host |
Key fields to remember
- Gateway: listeners.protocol, tls.mode, allowedRoutes
- HTTPRoute: rules.matches, filters, backendRefs.weight
Pitfalls to Watch
- Policy attachment order – Gateway‑level policies are evaluated before Route‑level policies; precedence matters.
- Overlapping routes – Multiple HTTPRoute objects with the same host/path can lead to controller‑specific priority decisions.
- Cross‑namespace references – If allowedRoutes.namespaces.from is Same, development teams cannot attach routes from other namespaces.
- Controller support – Always check status.conditions on Gateway and HTTPRoute objects to confirm listeners are accepted.
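The cross‑namespace pitfall comes down to each listener's allowedRoutes.namespaces setting. As an added example (not code from the original post), this Python check reports which listeners admit a route from a given namespace and which are open to every namespace. The `gateway-access` label, the `sandbox` namespace and the hardened and default Gateway variants are constructed for illustration.

```python
# Added example, not from the original post. Dicts mirror `kubectl get gateway -o json`.

def _namespaces(listener):
    return (listener.get("allowedRoutes") or {}).get("namespaces") or {}

def listener_admits(listener, gateway_ns, route_ns, ns_labels):
    """True if a route in route_ns may attach to this listener."""
    ns = _namespaces(listener)
    mode = ns.get("from", "Same")  # the API defaults to Same when unset
    if mode == "All":
        return True
    if mode == "Same":
        return route_ns == gateway_ns
    if mode == "Selector":
        selector = ns.get("selector") or {}
        if selector.get("matchExpressions"):
            raise NotImplementedError("only matchLabels is evaluated here")
        labels = ns_labels.get(route_ns, {})
        return all(labels.get(k) == v for k, v in selector.get("matchLabels", {}).items())
    return False  # unknown mode: fail closed

def admitted_listeners(gateway, route_ns, ns_labels):
    gw_ns = gateway["metadata"]["namespace"]
    return [l["name"] for l in gateway["spec"]["listeners"]
            if listener_admits(l, gw_ns, route_ns, ns_labels)]

def open_listeners(gateway):
    """Listeners that accept routes from every namespace (from: All)."""
    return [l["name"] for l in gateway["spec"]["listeners"]
            if _namespaces(l).get("from") == "All"]

def make_gateway(allowed_routes):
    # web-gw from the page, reduced to the fields this check reads
    listener = {"name": "https", "port": 443, "protocol": "HTTPS"}
    if allowed_routes is not None:
        listener["allowedRoutes"] = allowed_routes
    return {"metadata": {"name": "web-gw", "namespace": "platform"},
            "spec": {"listeners": [listener]}}

PAGE_GW = make_gateway({"namespaces": {"from": "All"}})
# Constructed hardened variant: only namespaces labelled gateway-access=web-gw
HARDENED_GW = make_gateway({"namespaces": {"from": "Selector",
    "selector": {"matchLabels": {"gateway-access": "web-gw"}}}})
DEFAULT_GW = make_gateway(None)  # allowedRoutes omitted -> Same
NS_LABELS = {"shop": {"gateway-access": "web-gw"}, "sandbox": {}}  # constructed

if __name__ == "__main__":
    for name, gw in [("page", PAGE_GW), ("hardened", HARDENED_GW), ("default", DEFAULT_GW)]:
        print(name, "open:", open_listeners(gw),
              "sandbox ->", admitted_listeners(gw, "sandbox", NS_LABELS))
```

The check covers namespace admission only; hostname and listener matching still decide whether an admitted route is actually bound.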
Conclusion
With Gateway API, Kubernetes finally provides policy‑aware traffic control that scales across teams and environments—safer, cleaner, and built for automation.
Next up: Helm Fundamentals (Post 6) – we’ll templatize these Gateway objects and parameterize routes the right way.