GatewayClass<\/code>, Gateway<\/code>, and HTTPRoute<\/code><\/li>\n- How to implement path-based routing using the Gateway API and more.<\/li>\n<\/ul>\n
Let’s get started.<\/p>\n
What is Kubernetes Gateway API?<\/h2>\n
As the name suggests, the Gateway API is a Kubernetes feature that helps create gateways for external traffic<\/strong> entering your cluster.<\/p>\nBut if Ingress already does that, why do we need something new?<\/em><\/p>\nIngress<\/strong> is the traffic routing mechanism primarily used in Kubernetes environments. However, it comes with several limitations. For example,<\/p>\n\n- It supports only host and path-based routing for HTTP\/HTTPS (Layer 7).<\/li>\n
- Cross-namespace routing is complex and not straightforward.<\/li>\n
- Relies heavily on annotations for anything beyond basic routing<\/li>\n
- and more..<\/li>\n<\/ul>\n
So, to overcome all the Ingress limitations, the Kubernetes Gateway API was developed.<\/p>\n
The Gateway API has the following key features.<\/p>\n
\n- Gateway API can perform L4 and L7 routing<\/strong> based on HTTP, gRPC, or TCP\/UDP (experimental)<\/li>\n
- Can route traffic based on HTTP headers.<\/li>\n
- Can perform cross-namespace routing.<\/strong><\/li>\n
- Supports weighted traffic routing, blue-green deployments, canary deployments, and more.<\/li>\n
- Reduced reliance on vendor-specific controller annotations, making configurations more portable across environments.<\/li>\n
- Gateway API also works well with service mesh<\/a> integrations such as Istio<\/a>, Linkerd, etc.<\/li>\n<\/ol>\n
In summary, the Gateway API is an improved version of Kubernetes Ingress that offers more powerful and flexible traffic management.<\/p>\n
So if you already have a solid understanding of Kubernetes Ingress, Ingress Controllers, and their limitations, picking up the Gateway API concepts is easier.<\/p>\n
\n\ud83d\udcda<\/div>\nIf you are looking for a detailed guide to setup Istio on a Kubernetes Cluster, then here is a detailed guide<\/a>.<\/div>\n<\/div>\nKubernetes Gateway Concepts<\/h2>\n
Before we get into the hands-on section, let’s understand the key concepts behind the Gateway API.<\/p>\n
Gateway API Resources<\/h3>\n
The following are the key native resources that are part of the Kubernetes Gateway API.<\/p>\n
\nGatewayClass<\/strong><\/code> (cluster scoped) : This resource is used to select which controller (Nginx, Envoy, Istio etc) will manage the Gateway resources. It is similar to ingressClass<\/code> in Kubernetes ingress<\/a>.<\/li>\nGateway<\/code><\/strong> (namespace scoped): The Gateway resource defines how external traffic enters the cluster. Creating a Gateway triggers the controller to provision a real cloud Load Balancer<\/li>\nHTTPRoute<\/code><\/strong> (namespace scoped): The HTTPRoute resource defines how traffic should be routed to applications inside the cluster once it reaches the Gateway for HTTP traffic. <\/li>\ngRPCRoute<\/code><\/strong>(namespace scoped): Resource to manage the gRPC traffic.<\/li>\nReferenceGrants<\/code><\/strong> (namespace scoped): This resource is used primarily for enabling cross namespace routing.<\/li>\n<\/ol>\nThese objects by themselves cannot route or implement traffic routing in the cluster. The objects mentioned above mainly hold the configuration for how traffic should be routed. <\/strong>So you can call it the config layer.<\/p>\nTo actually route traffic, we need a Gateway API controller implementation.<\/p>\n
Gateway API Controller<\/h3>\n
In Ingress controllers, we define routing rules in the Ingress object<\/strong>. The Ingress Controller<\/strong> handles the actual routing.<\/p>\nThe same concept applies to the Gateway API.<\/p>\n
While the Gateway API provides many objects to manage cluster traffic, the actual routing is done by a Gateway API Controller<\/strong>. This controller is not built into Kubernetes. You need to set up a third-party (vendor) controller, just like with Ingress.<\/p>\nVarious Gateway API controllers are available. The following are some of the popular ones.<\/p>\n
\n- Nginx Gateway Fabric<\/a><\/li>\n
- Kong Gateway<\/a><\/li>\n
- Envoy Gateway<\/a><\/li>\n
- Traefik Gateway<\/a><\/li>\n<\/ol>\n\n\ud83d\udca1<\/div>\nFor this guide, we we have used the Nginx Gateway Fabric controller as a example. The core workflow remains that same for all the controllers.<\/div>\n<\/div>\n
Nginx Gateway Fabric Architecture<\/h2>\n
To understand Gateway API concepts better, you need to understand the controller architecture<\/strong>. So we will use NGINX Gateway Fabric to understand how a controller implementation works with Gateway API.<\/p>\nThe Nginx Gateway Fabric has the following two components.<\/p>\n
\n- Control Plane and<\/li>\n
- Data Plane<\/li>\n<\/ol>\n
The following image illustrates the architecture of the Nginx Gateway Fabric controller.<\/p>\n![\"architecture](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2026\/04\/image-41.png\")
<\/figure>\nControl Plane (Handles Config)<\/h3>\n
The control plane runs as a pod called the fabric controller. It’s a Kubernetes controller<\/strong> that watches Gateway API resources. When you define routing rules, the controller reads them and converts them into NGINX config files.<\/p>\nBut the controller does not handle real traffic<\/strong>. It doesn’t run NGINX itself.<\/p>\n\n\ud83d\udca1<\/div>\nIn a normal ingress implemenation, the controller itself will handle the traffic.<\/div>\n<\/div>\nData Plane (Proxy Layer)<\/h3>\n
The data plane handles the actual traffic. It’s a separate NGINX proxy pod that gets created automatically when you create a Gateway<\/strong> resource. This pod runs NGINX along with an NGINX agent.<\/p>\nA Kubernetes Service is also created for the NGINX pod. This service is exposed to the outside world using a LoadBalancer or NodePort, so client requests can reach your app.<\/p>\n
Whenever routing rules change, the fabric controller sends<\/strong> the updated NGINX config to the agent using gRPC. The agent then applies the new config to the NGINX pod to route traffic correctly.<\/p>\nNow that we have looked in to key Gateway API concepts, lets understand how everything works together to handle the traffic.<\/p>\n
Gateway API Traffic Flow<\/h2>\n
The following image shows how the traffic is routed to the cluster pods from outside world through the Kubernetes Gateway API resources. It’s meant to give you a high-level overview of how everything is connected<\/p>\n![\"\"](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2026\/04\/image-63.png\")
Image illustrates the relationship between the Gateway API resources, controller and the proxy pod that actually handles the traffic<\/span><\/figcaption><\/figure>\nHere is how it works.<\/p>\n
\n- When we install the Gateway API Controller, it only deploys the Control Plane Controller.<\/li>\n
- When we create a Gateway Custom Resource<\/strong> configuration for our application, the Control Plane controller (Nginx Fabric) creates a Data Plane (Proxy Pod – Nginx agent) and a Load Balancer for it.<\/li>\n
- All the configurations from the Gateway<\/strong> and HTTPRoute<\/strong> custom resources are converted into routing rules inside proxy pod..<\/li>\n
- When someone tries to access the application, the request goes through the external Load Balancer, then reaches the Gateway API Data Plane (Proxy pod).<\/li>\n
- The proxy pod will then send the traffic to the correct backend services based on rules.<\/li>\n<\/ol>\n
Now that you have an understanding of how Gateway API works, lets do the hands on exercise. You will be able to relate better to all the concepts we learned so far when we go through the practical steps.<\/p>\n
Setup Prerequisites<\/h2>\n
The following are the requirements for the setup<\/p>\n
\n- Kubernetes Cluster<\/a> v1.30 or higher.<\/li>\n
- Helm<\/a> [Local Machine]<\/li>\n
- Kubectl<\/a> [Local Machine]<\/li>\n<\/ol>\n
We can begin the installation from the Gateway API.<\/p>\n
Setup Gateway API in the Kubernetes Cluster<\/h2>\n
The Gateway API setup consists of three important section.<\/p>\n
\n- Gateway API CRD installation<\/li>\n
- Gateway API controller installation<\/li>\n
- Gateway API object creation and traffic validation.<\/li>\n<\/ol>\n
We will look at all the steps in detail.<\/p>\n
Step 1: Install Gateway API CRDs<\/h3>\n
The Gateway API objects are not available as native objects in Kubernetes. We need to enable them by installing the Gateway API Custom Resource Definitions (CRDs)<\/p>\n
To install the Gateway API CRDs, use the following command. To get the latest version of the CRD, please visit this page<\/a>. At the time of updating this guide, v1.3.0 is the latest version.<\/p>\nkubectl apply -f https:\/\/github.com\/kubernetes-sigs\/gateway-api\/releases\/download\/v1.3.0\/standard-install.yaml<\/code><\/pre>\nNow, validate the installed CRDs using the following command. You should see the five CRD resources we discussed earlier.<\/p>\n
$ kubectl get crds | grep gateway\n\ngatewayclasses.gateway.networking.k8s.io 2025-05-21T13:49:23Z\ngateways.gateway.networking.k8s.io 2025-05-21T13:49:29Z\ngrpcroutes.gateway.networking.k8s.io 2025-05-21T13:49:32Z\nhttproutes.gateway.networking.k8s.io 2025-05-21T13:49:35Z\nreferencegrants.gateway.networking.k8s.io 2025-05-21T13:49:36Z<\/code><\/pre>\nYou can also check the API resources to get more details about the registered CRDs.<\/p>\n
$ kubectl api-resources --api-group=gateway.networking.k8s.io\n\nNAME SHORTNAMES APIVERSION NAMESPACED KIND\ngatewayclasses gc gateway.networking.k8s.io\/v1 false GatewayClass\ngateways gtw gateway.networking.k8s.io\/v1 true Gateway\ngrpcroutes gateway.networking.k8s.io\/v1 true GRPCRoute\nhttproutes gateway.networking.k8s.io\/v1 true HTTPRoute\nreferencegrants refgrant gateway.networking.k8s.io\/v1beta1 true ReferenceGrant<\/code><\/pre>\nStep 2: Install Gateway API Controller<\/h3>\n
There are various controllers that support the Gateway API, you can refer to the supported controllers list in the official documentation<\/a>.<\/p>\nFor this tutorial, we will be using the NGINX Gateway Fabric Controller<\/strong>, which is now generally available (GA).<\/p>\nWe’ll deploy the controller using Helm. To pull the Helm chart<\/a>, run the following command:<\/p>\ngit clone https:\/\/github.com\/techiescamp\/cka-certification-guide.git\n\ncd cka-certification-guide\/helm-charts\/nginx-gateway-fabric\/<\/code><\/pre>\nThis will give the local copy of the Helm chart so we can modify and store it in version control systems like GitHub.<\/p>\n
The modifiable values will be available in the values.yaml<\/code> file, and we can make changes in this file as per our requirements.<\/p>\nThe following snapshot is the directory structure of the Nginx Gateway Fabric Controller<\/strong> Helm Chart.<\/p>\ncontrolplane:~\/cka-certification-guide\/helm-charts\/nginx-gateway-fabric$ tree\n.\n|-- Chart.yaml\n|-- README.md\n|-- crds\n| |-- gateway.nginx.org_clientsettingspolicies.yaml\n| |-- gateway.nginx.org_nginxgateways.yaml\n| |-- gateway.nginx.org_nginxproxies.yaml\n| |-- gateway.nginx.org_observabilitypolicies.yaml\n| |-- gateway.nginx.org_snippetsfilters.yaml\n| `-- gateway.nginx.org_upstreamsettingspolicies.yaml\n|-- custom-values.yaml\n|-- templates\n| |-- _helpers.tpl\n| |-- certs-job.yaml\n| |-- clusterrole.yaml\n| |-- clusterrolebinding.yaml\n| |-- deployment.yaml\n| |-- nginxgateway.yaml\n| |-- nginxproxy.yaml\n| |-- scc.yaml\n| |-- service.yaml\n| `-- serviceaccount.yaml\n|-- values.schema.json\n`-- values.yaml<\/code><\/pre>\nNote: The custom-values.yaml<\/code>file we have created for the Gateway API customization, that we explain in the NodePort section.<\/p><\/blockquote>\n\n\ud83d\udca1<\/div>\nIn the controller Helm chart, the default service type values.yaml<\/code> is set to LoadBalancer<\/code>. This means that when you deploy it in a cloud environment, it will automatically provision a LoadBalancer.<\/p>\nIf you’re not deploying in a cloud environment, you’ll need to expose the controller service using a NodePort<\/code> instead. Refer to the NodePort section<\/a> for instructions on how to deploy the controller with this configuration.<\/div>\n<\/div>\n
![\"\"](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2026\/04\/image-43.png\")
<\/figure>\n![\"listing](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/07\/image-19.png\")
<\/figure>\n![\"describing](\"https:\/\/storage.ghost.io\/c\/5f\/2f\/5f2f4d20-2abf-4534-8d40-7aa233aedd43\/content\/images\/2025\/07\/image-25.png\")
<\/figure>\n