Kubernetes Gateway API vs Ingress: A Practical Production Model for Platform Teams

Kubernetes Gateway API vs Ingress: A Practical Production Model for Platform Teams

Ingress still works, but new routing requirements in shared clusters are better served by Gateway API. This guide explains what changes operationally, what to migrate first, and how to validate support safely.

TL;DR

Ingress is not removed from Kubernetes, but its API is frozen and Kubernetes recommends Gateway API for future evolution. The practical win for platform teams is governance: GatewayClass and Gateway can be owned by infrastructure teams, while HTTPRoute and related route objects can be owned by application teams. Migration should be incremental, with Ingress and Gateway resources coexisting while behavior is validated against your specific implementation. Production success depends on conformance checks, supported feature verification, and explicit cross-namespace attachment policy rather than direct YAML translation.

Gateway API resource model showing GatewayClass, Gateway, and Route separation.
Gateway API maps platform ownership and application ownership more cleanly than annotation-heavy ingress models.

Gateway API Is Not Just a Syntax Upgrade from Ingress

Most teams evaluate Gateway API by comparing YAML fields. That is useful, but it misses the operational reason this migration matters. Ingress can still route production traffic effectively, but its API is frozen, and new routing governance requirements in shared clusters are better handled by Gateway API’s resource boundaries.

Kubernetes explicitly states that Ingress remains available while recommending Gateway for ongoing evolution. For platform teams, the pragmatic takeaway is simple: keep existing Ingress stable, but design new routing governance around Gateway API.

Gateway API resource model.
The model separates infrastructure gateway management from route-level application intent.

1. Treat Ownership Separation as the Primary Design Goal

Ingress often accumulates controller-specific annotations and mixed concerns. Gateway API gives you structured ownership layers:

  • GatewayClass: platform-level controller intent
  • Gateway: listener and attachment policy
  • HTTPRoute and other routes: application routing intent

This supports a cleaner policy model in multi-team clusters.

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-edge
  namespace: edge-platform
spec:
  gatewayClassName: standard-edge
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      allowedRoutes:
        namespaces:
          from: Selector
          selector:
            matchLabels:
              edge-attach: "enabled"
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: tenant-a-api
  namespace: tenant-a
spec:
  parentRefs:
    - name: shared-edge
      namespace: edge-platform
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api
      backendRefs:
        - name: api-v1
          port: 8080
          weight: 90
        - name: api-v2
          port: 8080
          weight: 10

2. Use Gateway API Features Deliberately, Not All at Once

Gateway API supports richer behavior such as weighted traffic splitting and advanced matching, but feature depth varies by implementation and version. Production design should start with a narrow supported subset and expand only after validation.

A safe first scope:

  • route attachment policy with allowedRoutes
  • basic HTTPRoute host/path matching
  • controlled weighted backend rollout for one service

Then expand into broader traffic policy only after implementation checks pass in staging and production-like load.

3. Validate Conformance Before Large-Scale Migration

Gateway API documentation distinguishes Core, Extended, and implementation-specific capabilities. Teams should assume feature variance until validated.

At minimum, validate:

  • which route kinds your controller supports in your exact version
  • behavior for weighted traffic and header/method matching
  • cross-namespace attachment policy enforcement
  • coexistence behavior with existing ingress resources

For AWS Load Balancer Controller specifically, follow its Gateway support documentation rather than assuming upstream examples map 1:1 to your deployment.

4. Migrate in Parallel, Not by Big-Bang Cutover

Parallel migration avoids avoidable outage risk.

Recommended sequence:

  1. Keep current Ingress in service.
  2. Deploy Gateway objects for one low-risk route.
  3. Validate route policy, metrics, and failure behavior.
  4. Shift traffic gradually with weighted backend references.
  5. Repeat by service class.

This sequence creates rollback points per service instead of per cluster.

5. Why This Model Holds Up Better Than Ingress-Only Governance

Control AreaIngress-Only PatternGateway-Based PatternProduction Benefit
Ownership boundariesPlatform and app concerns often mixed in single objectsPlatform manages GatewayClass/Gateway, app teams manage RoutesClearer policy control and review ownership
Cross-namespace governanceOften implemented through conventionsAttachment policy is explicit in listener configurationFewer accidental route attachments
Traffic rollout behaviorController-specific patterns varyWeighted backend refs modeled at route levelMore consistent progressive delivery patterns
Migration safetyReplace-and-hope tendencyParallel Ingress and Gateway operationLower blast radius and clearer rollback
Feature validationImplicit trust in docsConformance plus implementation verificationFewer production surprises

What To Do Next

  1. Catalog current ingress objects by complexity and business criticality.
  2. Define ownership boundaries for GatewayClass, Gateway, and Route resources.
  3. Build a migration pilot for one non-critical route with weighted rollout.
  4. Add conformance and implementation checks to release readiness criteria.

Frequently Asked Questions

Q: Should we stop using Ingress immediately? No. Keep stable ingress traffic paths while introducing Gateway API incrementally.

Q: Is Gateway API guaranteed to behave identically across controllers? No. Validate behavior against your controller’s documented support and observed runtime behavior.

Q: Can Gateway API improve team autonomy? Yes, when ownership boundaries and attachment policy are enforced through resource design instead of informal conventions.

Resources

Comments

Post a Comment

Popular posts from this blog

Bootstrapping Kubernetes Clusters with Terraform and Argo CD: A Durable Two-Layer Approach

Image
Bootstrapping Kubernetes Clusters with Terraform and Argo CD: A Durable Two-Layer Approach Robust cluster bootstrap separates infrastructure provisioning from continuous reconciliation. This guide details a production-grade Terraform plus Argo CD model with explicit governance. TL;DR A production-ready Kubernetes bootstrap is more reliable when Terraform and Argo CD have explicit responsibilities. Terraform should provision and manage infrastructure primitives, cluster lifecycle resources, and state safety controls. Argo CD should continuously reconcile platform and workload resources from Git using declarative application definitions. This model reduces drift and clarifies incident ownership. Teams should harden Terraform workflows with plan review and state management controls, and treat Argo CD app-of-apps repositories as privileged automation surfaces with strict access and project boundaries. App-of-apps accelerates bootstrap, but should be managed as privileged automation. Bo...
Read more

Argo CD Auto-Sync and Health Checks: An Operator's Guide to Safe GitOps Reconciliation

Image
Argo CD Auto-Sync and Health Checks: An Operator's Guide to Safe GitOps Reconciliation Auto-sync and health are not the same thing in Argo CD. This guide shows how reconciliation, pruning, self-healing, retries, health checks, hooks, and sync waves fit together in real clusters. TL;DR Argo CD auto-sync and health checks solve different problems. Auto-sync decides when the controller reconciles Git with the cluster, while health checks decide whether the resulting resources are ready, degraded, or suspended. In practice, you need both: automated sync with prune and self-heal keeps desired state converged, retry refresh helps failed syncs recover on new revisions, and health checks plus custom Lua logic make readiness visible to operators. Sync waves and hooks add ordering when resources depend on each other. The control loop most teams misunderstand Argo CD has two separate jobs that often get blurred together in day-to-day platform talk. The first is reconciliation. Should Arg...
Read more

Kubernetes Multi-Tenancy with Namespaces and Network Policies: A Practical Guide for GitOps Teams

Image
Kubernetes Multi-Tenancy with Namespaces and Network Policies: A Practical Guide for GitOps Teams Namespaces are only the first layer of tenant isolation. This guide shows how to combine RBAC, Pod Security Admission, quotas, NetworkPolicies, and Flux service-account impersonation so teams can share a cluster without sharing blast radius. TL;DR Kubernetes multi-tenancy works only when you treat namespaces as one control in a larger isolation stack. A shared cluster needs per-tenant namespaces, namespace-scoped RBAC, Pod Security Admission labels, ResourceQuota and LimitRange defaults, and default-deny NetworkPolicies with explicit exceptions. If you use Flux CD, you also need controller lockdown and service-account impersonation so one tenant's GitOps objects cannot reach across namespaces. The practical goal is not perfect isolation from a namespace alone, but predictable blast-radius control for teams that share a cluster. A shared-cluster multi-tenancy model needs namespace bo...
Read more