How Does Gateway API Compare to Ingress?

advanced|ingressdevopssreplatform engineerCKA
TL;DR

Gateway API is the successor to Ingress, offering a more expressive, role-oriented, and extensible routing model. It separates infrastructure concerns (GatewayClass, Gateway) from application routing (HTTPRoute), supports TCP/UDP/gRPC natively, and eliminates the need for controller-specific annotations.

Detailed Answer

The Gateway API is the next generation of Kubernetes service networking, designed to overcome the limitations of Ingress. It provides a more expressive, portable, and role-oriented way to configure traffic routing.

Why Ingress Needed a Successor

Ingress has served Kubernetes well, but has fundamental limitations:

  1. Annotation sprawl: Advanced features require controller-specific annotations that are not portable
  2. HTTP-only: No native support for TCP, UDP, or gRPC
  3. Flat model: No separation between infrastructure and application concerns
  4. Limited extensibility: Adding new features requires new annotations or CRDs per controller

Gateway API Resource Model

Gateway API introduces three resource layers:

GatewayClass  → Infrastructure provider defines the type (managed by provider)
    └── Gateway  → Cluster operator configures the listener (managed by ops)
          └── HTTPRoute  → Developer defines routing rules (managed by dev)

GatewayClass (Infrastructure Provider)

apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: cloud-lb
spec:
  controllerName: example.com/gateway-controller

Gateway (Cluster Operator)

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: production-gateway
  namespace: infra
spec:
  gatewayClassName: cloud-lb
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate
        certificateRefs:
          - name: wildcard-tls
      allowedRoutes:
        namespaces:
          from: Selector
          selector:
            matchLabels:
              gateway-access: "true"
    - name: http
      protocol: HTTP
      port: 80

HTTPRoute (Application Developer)

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: api-routes
  namespace: app-team
spec:
  parentRefs:
    - name: production-gateway
      namespace: infra
  hostnames:
    - "api.example.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /v1
      backendRefs:
        - name: api-v1
          port: 80
          weight: 90
        - name: api-v2
          port: 80
          weight: 10
    - matches:
        - path:
            type: PathPrefix
            value: /v2
      backendRefs:
        - name: api-v2
          port: 80

Comparison: Ingress vs Gateway API

| Feature | Ingress | Gateway API | |---|---|---| | Protocols | HTTP/HTTPS only | HTTP, HTTPS, TCP, UDP, gRPC, TLS | | Traffic splitting | Via annotations (non-portable) | Native weighted backendRefs | | Header-based routing | Via annotations | Native match rules | | Role separation | None | GatewayClass / Gateway / Route | | Cross-namespace routing | No | Yes, with explicit grants | | Extensibility | Annotations | ExtensionRefs, Policy objects | | Portability | Low (annotation-dependent) | High (standardized API) |

Key Advantages of Gateway API

1. Traffic Splitting (Canary/Blue-Green)

rules:
  - backendRefs:
      - name: app-v1
        port: 80
        weight: 90    # 90% of traffic
      - name: app-v2
        port: 80
        weight: 10    # 10% of traffic

This is a first-class feature — no annotations needed.

2. Header-Based Routing

rules:
  - matches:
      - headers:
          - type: Exact
            name: x-canary
            value: "true"
    backendRefs:
      - name: canary-service
        port: 80

3. Cross-Namespace Routing

Application teams can attach routes to a shared Gateway in a different namespace:

spec:
  parentRefs:
    - name: shared-gateway
      namespace: infra         # Gateway in infra namespace
      sectionName: https       # Specific listener

4. TCP and UDP Routing

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TCPRoute
metadata:
  name: database-route
spec:
  parentRefs:
    - name: tcp-gateway
  rules:
    - backendRefs:
        - name: database-service
          port: 5432

When to Use Which

| Situation | Recommendation | |---|---| | New cluster, greenfield project | Gateway API | | Existing cluster with Ingress working fine | Stay with Ingress, plan migration | | Need TCP/UDP routing | Gateway API | | Need traffic splitting | Gateway API | | Need cross-namespace routing | Gateway API | | Simple HTTP routing only | Either works | | Controller does not support Gateway API | Ingress |

Why Interviewers Ask This

Interviewers ask this to gauge whether you are aware of the evolving Kubernetes networking landscape and can evaluate when to adopt newer APIs over established ones.

Common Follow-Up Questions

Is Gateway API production-ready?
Yes. HTTPRoute, Gateway, and GatewayClass reached GA in Kubernetes 1.28. Many controllers (Nginx, Traefik, Cilium, Istio) support it.
Can Gateway API and Ingress coexist in the same cluster?
Yes. They are separate API groups and can be used alongside each other. Many teams migrate incrementally.
What is the role-oriented model of Gateway API?
Infrastructure providers manage GatewayClass, cluster operators manage Gateway, and application developers manage HTTPRoute. This maps to real organizational structures.

Key Takeaways

  • Gateway API is the official successor to Ingress with broader protocol support and a role-oriented model.
  • It eliminates annotation sprawl by using typed, validated resource fields.
  • Migration from Ingress to Gateway API can be done incrementally since both coexist.

Related Questions

What Is Kubernetes Ingress?How Do Ingress Controllers Compare?

You Might Also Like

How Does a LoadBalancer Service Work in Kubernetes?What Is the Kubernetes Pod Networking Model?
Back to Ingress Interview Questions