Gateway API
Gateway API is the Kubernetes-native successor to Ingress with role-based separation: infra teams own GatewayClass and Gateway, app teams own HTTPRoute. It supports traffic splitting, header-based routing, and TLS natively — no annotations required.
Core Resources
Gateway API separates concerns across three resource types owned by different personas. A GatewayClass names the implementation; a Gateway provisions load balancer infrastructure; Routes attach application-level routing rules.
Install Gateway API CRDs
Install the Gateway API CRDs before deploying a compatible gateway controller (Envoy Gateway, Istio, Cilium, etc.).
# Install Gateway API CRDs (standard channel)
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/latest/download/standard-install.yaml
# Verify CRDs
kubectl get crd | grep gateway.networking.k8s.io
# Check installed GatewayClasses (provided by the gateway controller)
kubectl get gatewayclass
HTTPRoute Example
An HTTPRoute attaches to a Gateway listener and routes traffic by host and path. It supports weighted backends for canary deployments and can match on headers, query params, or methods.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: prod-gateway
  namespace: infra
spec:
  gatewayClassName: envoy  # GatewayClass name from your controller
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate
        certificateRefs:
          - name: myapp-tls-cert  # K8s Secret with TLS cert
      allowedRoutes:
        namespaces:
          from: All  # allow HTTPRoutes from any namespace
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: myapp
  namespace: default
spec:
  parentRefs:
    - name: prod-gateway
      namespace: infra
      sectionName: https
  hostnames:
    - "myapp.example.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api
      backendRefs:
        - name: myapp-api
          port: 8080
          weight: 90
        - name: myapp-api-canary
          port: 8080
          weight: 10  # 10% canary traffic split
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: myapp-frontend
          port: 3000
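With from: All, an HTTPRoute created in any namespace can attach to the production listener and claim hostnames on it, which weakens the infra/app ownership split described above. A tighter variant of the same Gateway follows, as an added example that is not part of the original page; permitting only the default namespace and pinning the listener hostname to myapp.example.com are assumptions taken from the HTTPRoute shown above.

```yaml
# Added example: prod-gateway with route attachment restricted by the infra team.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: prod-gateway
  namespace: infra
spec:
  gatewayClassName: envoy
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      # Listener serves only this hostname; HTTPRoute hostnames that do
      # not match it are ignored for this listener.
      hostname: "myapp.example.com"
      tls:
        mode: Terminate
        certificateRefs:
          - name: myapp-tls-cert
      allowedRoutes:
        # Only HTTPRoute objects may bind to this listener.
        kinds:
          - kind: HTTPRoute
        namespaces:
          # Selector replaces All: only namespaces matching the selector
          # below may attach routes. (Omitting allowedRoutes entirely
          # defaults to Same, i.e. the Gateway's own namespace.)
          from: Selector
          selector:
            matchExpressions:
              # kubernetes.io/metadata.name is set by the API server to
              # the namespace's name, so a tenant cannot obtain access by
              # adding a custom label to their own namespace.
              - key: kubernetes.io/metadata.name
                operator: In
                values:
                  - default
```

After applying, kubectl describe httproute myapp -n default shows whether the route was accepted by the parent Gateway under status.parents.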