Home DevOps Kubernetes Gateway API
Advanced 5 min · July 12, 2026

Kubernetes Gateway API

Learn Kubernetes Gateway API with plain-English explanations and real examples..

N
Naren Founder & Principal Engineer

20+ years shipping production infrastructure and CI/CD at scale. Lessons pulled from things that broke in production.

Follow
Verified
production tested
July 12, 2026
last updated
2,073
articles · all by Naren
Before you start⏱ 30 min
  • Kubernetes cluster v1.24+, kubectl, familiarity with Kubernetes networking concepts (Services, Ingress), basic YAML, and one of the following Gateway API implementations installed: Istio 1.16+, Contour 1.24+, or NGINX Gateway Fabric 1.0+.
✦ Definition~90s read
What is Kubernetes Gateway API?

The Kubernetes Gateway API is a next-generation, role-oriented API for configuring service networking in Kubernetes, replacing the Ingress API with explicit support for traffic routing, header manipulation, and multi-team governance. It matters because it decouples infrastructure providers from application developers, enabling fine-grained control over L4/L7 traffic without vendor lock-in.

Think of Kubernetes Gateway API like a tool in your DevOps toolkit — once you understand what it does and when to reach for it, managing Kubernetes clusters becomes second nature.

Use it when you need advanced routing, canary deployments, or multi-tenant service mesh integration beyond what Ingress can handle.

Plain-English First

Think of Kubernetes Gateway API like a tool in your DevOps toolkit — once you understand what it does and when to reach for it, managing Kubernetes clusters becomes second nature.

You've been running Ingress for years. It works—until it doesn't. A misconfigured path rewrite takes down production for 45 minutes because the Ingress controller silently dropped a regex. The Kubernetes Gateway API exists precisely to eliminate these failure modes. It's not just an upgrade; it's a fundamental rethinking of how traffic enters your cluster. By introducing explicit roles (GatewayClass, Gateway, HTTPRoute), it forces clarity: infrastructure teams own the gateway, application teams own the routes. No more fighting over a single Ingress resource. No more vendor-specific annotations that break on upgrade. If you're managing more than 10 services or have multiple teams sharing a cluster, the Gateway API is not optional—it's survival.

Why Ingress Failed and Gateway API Fixed It

The Ingress API was designed for simple HTTP(S) routing, but production demands quickly outgrew it. Teams resorted to vendor-specific annotations (e.g., nginx.ingress.kubernetes.io/rewrite-target) that locked them into a single controller. Worse, Ingress had no concept of role separation: a single Ingress resource could be edited by anyone, leading to accidental overwrites. The Gateway API solves this by splitting responsibilities: a cluster operator defines a Gateway (the entry point), and application teams define HTTPRoute resources that attach to it. This prevents conflicts and enables independent lifecycle management. Additionally, the Gateway API supports L4 (TCP/UDP) routing, header-based matching, and weighted traffic splitting natively—no annotations required. The result is a portable, extensible API that works across multiple implementations (e.g., Istio, Contour, NGINX Gateway Fabric).

gateway.yamlYAML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: prod-gateway
  namespace: infra
spec:
  gatewayClassName: istio
  listeners:
  - name: http
    protocol: HTTP
    port: 80
    allowedRoutes:
      namespaces:
        from: Selector
        selector:
          matchLabels:
            team: app-team
Output
gateway.gateway.networking.k8s.io/prod-gateway created
🔥Namespace Isolation
The allowedRoutes field restricts which namespaces can attach routes to this gateway. This prevents untrusted teams from hijacking your ingress.
📊 Production Insight
We once had a production outage because a developer accidentally deleted the shared Ingress resource. With Gateway API, each team owns their HTTPRoute; the Gateway is immutable to them.
🎯 Key Takeaway
Gateway API enforces role separation, preventing the 'one Ingress to rule them all' antipattern.

Core Resources: GatewayClass, Gateway, and Route

The Gateway API defines three primary resource types. GatewayClass is a cluster-scoped resource that specifies a controller (e.g., istio.io/gateway-controller) and parameters. It's analogous to StorageClass for storage. Gateway is a namespaced resource that represents a load balancer or proxy instance. It references a GatewayClass and defines listeners (ports, protocols, TLS). Routes (HTTPRoute, TCPRoute, etc.) are namespaced resources that attach to Gateways via a parentRef. This three-tier model allows infrastructure teams to provision gateways while app teams define routing rules. For example, a GatewayClass might be 'istio' with parameters for auto-scaling, a Gateway in the 'infra' namespace listens on port 443, and an HTTPRoute in 'team-a' routes /api/* to a backend service. The separation ensures that changes to routing don't affect gateway configuration and vice versa.

httproute.yamlYAML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: api-route
  namespace: team-a
spec:
  parentRefs:
  - name: prod-gateway
    namespace: infra
  hostnames:
  - api.example.com
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /v1/
    backendRefs:
    - name: api-v1
      port: 8080
    - matches:
      - path:
          type: PathPrefix
          value: /v2/
      backendRefs:
      - name: api-v2
        port: 8080
Output
httproute.gateway.networking.k8s.io/api-route created
💡Multiple BackendRefs
You can specify multiple backendRefs in a rule for weighted routing. Add a 'weight' field to each backend to control traffic splitting.
📊 Production Insight
When migrating from Ingress, we created a GatewayClass per controller version. This allowed us to test new Istio versions on a separate Gateway without affecting production.
🎯 Key Takeaway
GatewayClass, Gateway, and Route form a clean hierarchy that decouples infrastructure from application logic.
kubernetes-gateway-api THECODEFORGE.IO Kubernetes Gateway API Request Flow Step-by-step routing from client to backend service Client Request HTTP or HTTPS traffic arrives Gateway Listener Matches hostname and port HTTPRoute Match Path, header, or query match Filter Execution Request modification or redirect Backend Selection Weighted routing to service Backend Service Pod endpoints serve response ⚠ Missing route match leads to 404 Define explicit matches for all expected paths THECODEFORGE.IO
thecodeforge.io
Kubernetes Gateway Api

HTTPRoute Deep Dive: Matching, Filtering, and BackendRefs

HTTPRoute is the workhorse of the Gateway API. It supports advanced matching on path, headers, query parameters, and method. Each rule can have multiple matches (OR logic) and multiple backendRefs (with weights for canary). Filters allow request/response header modification, redirect, rewrite, and mirroring. For example, you can mirror 1% of traffic to a new service for testing without affecting users. The spec also supports timeouts and retries via policy attachments (e.g., RetryFilter). Crucially, HTTPRoute supports cross-namespace references via backendRefs with a namespace field, enabling service mesh patterns where a route in one namespace can forward to a service in another. This is a game-changer for multi-team clusters where shared services (e.g., auth) live in a different namespace.

httproute-advanced.yamlYAML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: canary-route
  namespace: team-b
spec:
  parentRefs:
  - name: prod-gateway
    namespace: infra
  rules:
  - matches:
    - headers:
      - name: X-Canary
        value: "true"
    backendRefs:
    - name: service-canary
      port: 80
  - matches:
    - path:
        type: PathPrefix
        value: /
    filters:
    - type: URLRewrite
      urlRewrite:
        path:
          type: ReplacePrefixMatch
          replacePrefixMatch: /new
    backendRefs:
    - name: service-stable
      port: 80
      weight: 90
    - name: service-canary
      port: 80
      weight: 10
Output
httproute.gateway.networking.k8s.io/canary-route created
⚠ Weighted Routing Gotcha
Weights are relative within a rule. If you have two backends with weights 90 and 10, they get 90% and 10% of traffic. But if you add a third backend with weight 10, the distribution becomes 90/10/10 (81.8%/9.1%/9.1%). Always verify total weight.
📊 Production Insight
We used header-based routing to direct internal QA traffic to a staging backend by setting a custom header in the QA proxy. This allowed zero-impact testing in production.
🎯 Key Takeaway
HTTPRoute provides native canary, header-based routing, and URL rewriting without vendor annotations.

TLS Termination and Passthrough

The Gateway API handles TLS at the listener level. You can configure TLS termination (where the gateway decrypts traffic) or TLS passthrough (where encrypted traffic is forwarded directly to the backend). For termination, you reference a Secret containing the certificate and key. For passthrough, you set mode: Passthrough and the route must be a TLSRoute (not HTTPRoute). This is critical for scenarios where the backend handles its own TLS (e.g., mTLS between services). The Gateway API also supports SNI matching, allowing multiple certificates on the same listener. Misconfiguring TLS is a common source of outages—forgetting to update a certificate before expiry, or using the wrong Secret namespace. Always use cert-manager to automate certificate provisioning and set up monitoring for certificate expiry.

gateway-tls.yamlYAML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: tls-gateway
  namespace: infra
spec:
  gatewayClassName: istio
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    tls:
      mode: Terminate
      certificateRefs:
      - name: wildcard-example-com
        namespace: cert-manager
    allowedRoutes:
      namespaces:
        from: All
Output
gateway.gateway.networking.k8s.io/tls-gateway created
⚠ Certificate Namespace
The certificateRefs can reference Secrets in other namespaces if the Gateway's namespace has permission. Use RBAC to restrict which namespaces can provide certificates.
📊 Production Insight
We once had a 2-hour outage because a certificate Secret was accidentally deleted during a namespace cleanup. We now use cert-manager with a ClusterIssuer and monitor certificate expiry with Prometheus alerts.
🎯 Key Takeaway
TLS configuration is centralized in the Gateway, not scattered across routes, simplifying certificate management.

Cross-Namespace Routing and Multi-Tenancy

One of the most powerful features of the Gateway API is its native support for cross-namespace references. A Gateway in the 'infra' namespace can accept routes from any namespace (or a selected set). Similarly, an HTTPRoute can reference a backend service in another namespace. This enables a multi-tenant model where a central platform team manages the gateway, and application teams manage their routes independently. To enforce isolation, use the allowedRoutes field on the Gateway listener to restrict which namespaces can attach routes. Additionally, use ReferenceGrant resources to explicitly allow cross-namespace references (e.g., a route in team-a referencing a service in shared-svcs). Without ReferenceGrant, the API server rejects the reference for security.

referencegrant.yamlYAML
1
2
3
4
5
6
7
8
9
10
11
12
13
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-team-a
  namespace: shared-svcs
spec:
  from:
  - group: gateway.networking.k8s.io
    kind: HTTPRoute
    namespace: team-a
  to:
  - group: ""
    kind: Service
Output
referencegrant.gateway.networking.k8s.io/allow-team-a created
🔥ReferenceGrant is Mandatory
Without a ReferenceGrant, cross-namespace backendRefs will be rejected. This prevents accidental or malicious access to services in other namespaces.
📊 Production Insight
We run a shared Redis service in the 'data-plane' namespace. Each team's HTTPRoute references it via a backendRef with namespace: data-plane, secured by a ReferenceGrant. This eliminated duplicate Redis instances.
🎯 Key Takeaway
Cross-namespace routing with ReferenceGrant enables secure multi-tenant service mesh patterns.

Policy Attachment: Extending Gateway Behavior

The Gateway API uses a policy attachment model to extend functionality without modifying the core resources. Policies are custom resources that target Gateways, HTTPRoutes, or BackendRefs. Examples include RetryPolicy, TimeoutPolicy, RateLimitPolicy, and HealthCheckPolicy. These are defined by the implementation (e.g., Istio, Contour) and are not portable across implementations. However, the Gateway API provides a standard mechanism for attaching them via the 'targetRef' field. For example, you can attach a RetryPolicy to an HTTPRoute to configure retry attempts and timeouts. This keeps the core API clean while allowing vendors to innovate. When using policies, always check the implementation's documentation for supported policies and their behavior.

retrypolicy.yamlYAML
1
2
3
4
5
6
7
8
9
10
11
12
13
apiVersion: networking.istio.io/v1beta1
kind: RetryPolicy
metadata:
  name: api-retry
  namespace: team-a
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: api-route
  retryOn: connect-failure,refused-stream,unavailable
  numRetries: 3
  perTryTimeout: 2s
Output
retrypolicy.networking.istio.io/api-retry created
💡Policy Portability
Policies are implementation-specific. If you switch from Istio to Contour, you'll need to rewrite policies. Consider abstracting policy logic with a GitOps tool.
📊 Production Insight
We used a custom RateLimitPolicy to protect a critical API from a DDoS attack. The policy was attached to the HTTPRoute and limited requests per IP to 100/min. It saved us from a cascading failure.
🎯 Key Takeaway
Policy attachment extends Gateway API functionality without bloating the core API, but at the cost of portability.
kubernetes-gateway-api THECODEFORGE.IO Gateway API Resource Hierarchy Layered components from cluster-wide to namespace-scoped Infrastructure GatewayClass Cluster Gateway Gateway (cluster) | Listener Config Namespace Routes HTTPRoute | TLSRoute | TCPRoute Backend Services Service | Endpoints Policy Attachment Retry Policy | Timeout Policy | Rate Limit THECODEFORGE.IO
thecodeforge.io
Kubernetes Gateway Api

Migration from Ingress to Gateway API

Migrating from Ingress to Gateway API requires careful planning. Start by identifying all Ingress resources and their annotations. Map each Ingress to a combination of Gateway and HTTPRoute. For simple cases, the mapping is straightforward: one Ingress becomes one HTTPRoute attached to a shared Gateway. For complex Ingresses with multiple rules, you may need multiple HTTPRoutes or a single route with multiple rules. Use the 'kubernetes.io/ingress.class' annotation to determine which controller handles the Ingress; the Gateway API equivalent is the gatewayClassName. During migration, run both Ingress and Gateway API in parallel by using different hostnames or paths. Gradually shift traffic by updating DNS or using weighted routing. Monitor for errors using the Gateway API status fields (e.g., .status.parents[].conditions).

migrate.shBASH
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# List all Ingress resources
kubectl get ingress --all-namespaces -o json | jq '.items[] | {name: .metadata.name, namespace: .metadata.namespace, rules: .spec.rules}' > ingress-list.json

# Create a Gateway (example)
kubectl apply -f - <<EOF
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: migration-gateway
  namespace: infra
spec:
  gatewayClassName: istio
  listeners:
  - name: http
    protocol: HTTP
    port: 80
EOF

# Create HTTPRoute for each Ingress rule
# (Manual step: write YAML for each)

# Verify migration
kubectl get httproute --all-namespaces
kubectl describe gateway migration-gateway
Output
ingress-list.json created
gateway.gateway.networking.k8s.io/migration-gateway created
httproute.gateway.networking.k8s.io/my-route created
⚠ Annotation Dependency
Many Ingress controllers rely on annotations for features like rewrite or SSL redirect. These must be replaced with native Gateway API fields or policies. Do a thorough audit before migrating.
📊 Production Insight
We migrated 50 Ingresses over two weeks. The first week we ran both, using a separate Gateway for the new routes. We discovered that our custom annotation for rate limiting wasn't supported, so we had to implement a policy attachment.
🎯 Key Takeaway
Migrate incrementally by running both APIs in parallel and shifting traffic gradually.

Observability and Debugging

Debugging Gateway API issues requires understanding the status subresources. Each Gateway and HTTPRoute has a .status field that shows the conditions of the resource (e.g., Accepted, ResolvedRefs). For example, if an HTTPRoute references a non-existent backend, the status will show a condition with reason 'RefNotPermitted' or 'BackendNotFound'. Use 'kubectl describe' to view these conditions. Additionally, most implementations expose metrics and logs. For Istio, you can use 'istioctl proxy-status' to check the Envoy configuration. For Contour, check the contour pod logs. Common issues include: Gateway not ready (check GatewayClass exists), route not attached (check parentRef namespace and allowedRoutes), and backend not reachable (check service and endpoint existence). Always validate your YAML with 'kubectl apply --dry-run=client'.

debug.shBASH
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# Check Gateway status
kubectl get gateway prod-gateway -n infra -o jsonpath='{.status.conditions}' | jq

# Check HTTPRoute status
kubectl get httproute api-route -n team-a -o jsonpath='{.status.parents[0].conditions}' | jq

# Check if backend service exists
kubectl get svc api-v1 -n team-a

# Check endpoints
kubectl get endpoints api-v1 -n team-a

# For Istio: check proxy status
istioctl proxy-status

# Dry-run validation
kubectl apply --dry-run=client -f httproute.yaml
Output
[{"type": "Accepted", "status": "True", "reason": "Accepted", "message": "Route is accepted"}]
💡Status Conditions
Always check the 'Accepted' condition. If it's False, the route is not being used. The 'ResolvedRefs' condition indicates whether backend references are valid.
📊 Production Insight
We had a mysterious 503 error. The HTTPRoute status showed 'ResolvedRefs: False' because the backend service was in a different namespace without a ReferenceGrant. The status message pointed directly to the issue.
🎯 Key Takeaway
Gateway API provides rich status conditions for debugging; use them before diving into implementation-specific logs.

Performance and Scaling Considerations

The Gateway API itself is a control plane API; performance depends on the underlying implementation. However, there are best practices to avoid bottlenecks. First, limit the number of routes attached to a single Gateway. Each route adds to the configuration complexity and can increase Envoy/NGINX reload times. For large clusters, consider partitioning traffic across multiple Gateways (e.g., per team or per hostname). Second, use GatewayClass parameters to tune the proxy (e.g., worker threads, connection limits). Third, monitor the Gateway's resource usage (CPU/memory) and set appropriate resource requests/limits. Fourth, be aware of the API server impact: creating many routes simultaneously can cause etcd pressure. Use a GitOps approach with batch updates. Finally, test your Gateway's performance under load before going to production.

gateway-class.yamlYAML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: istio
spec:
  controllerName: istio.io/gateway-controller
  parametersRef:
    group: networking.istio.io
    kind: IstioGatewayClassParams
    name: istio-params
---
apiVersion: networking.istio.io/v1alpha1
kind: IstioGatewayClassParams
metadata:
  name: istio-params
spec:
  replicas: 3
  resources:
    requests:
      cpu: 500m
      memory: 512Mi
    limits:
      cpu: 2
      memory: 2Gi
Output
gatewayclass.gateway.networking.k8s.io/istio created
istioGatewayClassParams.networking.istio.io/istio-params created
🔥Gateway Partitioning
For high-traffic clusters, create separate Gateways for critical vs. non-critical services. This prevents a noisy neighbor from affecting your main API.
📊 Production Insight
We had a Gateway with 200 HTTPRoutes. Envoy reloads took 30 seconds, causing connection drops. We split into three Gateways by team, reducing reload time to 5 seconds.
🎯 Key Takeaway
Performance tuning is implementation-specific; partition Gateways and monitor proxy resources to avoid bottlenecks.

Security Best Practices

Security in the Gateway API starts with the principle of least privilege. Use allowedRoutes on Gateway listeners to restrict which namespaces can attach routes. Use ReferenceGrant to control cross-namespace references. For TLS, always use TLS 1.2 or higher and strong cipher suites. Avoid using self-signed certificates in production; use cert-manager with a trusted CA. For authentication, consider using OIDC or JWT validation at the gateway level via policy attachments (e.g., RequestAuthentication in Istio). For network security, use NetworkPolicies to restrict traffic between pods. Additionally, audit your Gateway API resources regularly for misconfigurations. Tools like 'kube-score' or 'polaris' can check for common issues. Finally, enable audit logging on the API server to track changes to Gateway API resources.

network-policy.yamlYAML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-all
  namespace: infra
spec:
  podSelector:
    matchLabels:
      app: gateway-proxy
  policyTypes:
  - Ingress
  - Egress
  ingress:
  - from:
    - namespaceSelector: {}
    ports:
    - port: 443
  egress:
  - to:
    - namespaceSelector: {}
    ports:
    - port: 8080
Output
networkpolicy.networking.k8s.io/deny-all created
⚠ Audit Logs
Enable Kubernetes audit logs for Gateway API resources. A misconfigured Gateway can expose internal services to the internet. Audit logs help detect unauthorized changes.
📊 Production Insight
A developer accidentally created a Gateway with allowedRoutes: from: All, exposing a staging service to the internet. We now enforce a policy that all Gateways must have allowedRoutes restricted to specific namespaces.
🎯 Key Takeaway
Secure Gateway API by restricting route attachment, using TLS best practices, and auditing configurations.
Ingress vs Gateway API Comparison Key differences in routing, multi-tenancy, and extensibility Ingress Gateway API Route Matching Basic host/path only Headers, query params, methods Multi-Tenancy Single namespace, shared rules Cross-namespace with RBAC TLS Termination Limited to Ingress spec Passthrough and termination Extensibility Annotations only Policy attachment via CRDs Observability No built-in metrics Standard status and conditions THECODEFORGE.IO
thecodeforge.io
Kubernetes Gateway Api

Future of Gateway API: GAMMA and Service Mesh Integration

The Gateway API is evolving to support service mesh use cases through the GAMMA initiative (Gateway API for Mesh Management and Administration). GAMMA extends the Gateway API to configure east-west traffic within the mesh, not just north-south. This means you can use the same API to define routing between services (e.g., HTTPRoute for mesh traffic). The goal is to unify ingress and mesh configuration under one API. Currently, this is experimental, but implementations like Istio already support it. For example, you can create an HTTPRoute with a parentRef pointing to a mesh gateway (e.g., istio-ingressgateway) or to a mesh service. This reduces the learning curve and operational complexity. Keep an eye on the GAMMA status and start experimenting in non-production clusters.

mesh-route.yamlYAML
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: mesh-route
  namespace: team-a
spec:
  parentRefs:
  - group: ""
    kind: Service
    name: my-service
    namespace: team-a
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: my-service-v2
      port: 8080
Output
httproute.gateway.networking.k8s.io/mesh-route created
🔥GAMMA is Experimental
Mesh routing via Gateway API is not yet stable. Check your implementation's documentation for support. Use with caution in production.
📊 Production Insight
We started using GAMMA for canary deployments within the mesh. It allowed us to use the same HTTPRoute resource for both ingress and mesh traffic, simplifying our GitOps workflows.
🎯 Key Takeaway
GAMMA aims to unify ingress and mesh routing under the Gateway API, reducing toolchain complexity.
⚙ Quick Reference
11 commands from this guide
FileCommand / CodePurpose
gateway.yamlapiVersion: gateway.networking.k8s.io/v1Why Ingress Failed and Gateway API Fixed It
httproute.yamlapiVersion: gateway.networking.k8s.io/v1Core Resources
httproute-advanced.yamlapiVersion: gateway.networking.k8s.io/v1HTTPRoute Deep Dive
gateway-tls.yamlapiVersion: gateway.networking.k8s.io/v1TLS Termination and Passthrough
referencegrant.yamlapiVersion: gateway.networking.k8s.io/v1beta1Cross-Namespace Routing and Multi-Tenancy
retrypolicy.yamlapiVersion: networking.istio.io/v1beta1Policy Attachment
migrate.shkubectl get ingress --all-namespaces -o json | jq '.items[] | {name: .metadata.n...Migration from Ingress to Gateway API
debug.shkubectl get gateway prod-gateway -n infra -o jsonpath='{.status.conditions}' | j...Observability and Debugging
gateway-class.yamlapiVersion: gateway.networking.k8s.io/v1Performance and Scaling Considerations
network-policy.yamlapiVersion: networking.k8s.io/v1Security Best Practices
mesh-route.yamlapiVersion: gateway.networking.k8s.io/v1Future of Gateway API

Key takeaways

1
Role Separation
Gateway API decouples infrastructure (Gateway) from application (Route) ownership, preventing conflicts and enabling multi-team clusters.
2
Advanced Routing
Native support for header matching, weighted canary, URL rewriting, and cross-namespace references eliminates vendor-specific annotations.
3
Policy Attachment
Extend functionality with implementation-specific policies (retry, timeout, rate limit) without bloating the core API.
4
Observability
Rich status conditions on Gateway and Route resources simplify debugging; always check 'Accepted' and 'ResolvedRefs' before diving into logs.
INTERVIEW PREP · PRACTICE MODE

Interview Questions on This Topic

Q01JUNIOR
What is the difference between Ingress and Gateway API?
Q02JUNIOR
Can I use Gateway API with my existing Ingress controller?
Q03JUNIOR
How do I handle TLS termination with Gateway API?
Q01 of 03JUNIOR

What is the difference between Ingress and Gateway API?

ANSWER
Ingress is a simpler, older API that lacks role separation and advanced routing features. Gateway API introduces GatewayClass, Gateway, and Route resources to decouple infrastructure from application
FAQ · 6 QUESTIONS

Frequently Asked Questions

01
What is the difference between Ingress and Gateway API?
02
Can I use Gateway API with my existing Ingress controller?
03
How do I handle TLS termination with Gateway API?
04
What is a ReferenceGrant and when do I need it?
05
Is Gateway API production-ready?
06
How do I migrate from Ingress to Gateway API without downtime?
N
Naren Founder & Principal Engineer

20+ years shipping production infrastructure and CI/CD at scale. Lessons pulled from things that broke in production.

Follow
Verified
production tested
July 12, 2026
last updated
2,073
articles · all by Naren
🔥

That's Kubernetes. Mark it forged?

5 min read · try the examples if you haven't

Previous
OPA Gatekeeper and Kyverno — Policy Engines
14 / 38 · Kubernetes
Next
Container Runtimes — containerd, CRI-O, and runc