Topic 09

Ingress and the Gateway API

NetworkingRouting

Ingress is HTTP routing into the cluster: one external entry point that sends requests to different Services by hostname and path, terminating TLS along the way. It exists so you do not provision a separate cloud load balancer for every service.

Ingress is also showing its age. The Gateway API is its successor — a richer, role-oriented model that is now the recommended direction for new routing. This topic covers both, and when to use which.

The Ingress Object

Routing an HTTP request in

Clientshop.example.com/api

→

Ingress / Gatewayhost + path, TLS

→

Serviceorders

→

Pods

An Ingress is a set of HTTP routing rules: for this host and this path prefix, send traffic to that Service. One Ingress can front many Services behind a single external IP, which is the whole point — host- and path-based virtual hosting without a load balancer per service.

An Ingress routing by host and path

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: site
spec:
  ingressClassName: nginx
  rules:
    - host: shop.example.com
      http:
        paths:
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: orders
                port:
                  number: 80

Ingress Controllers

The Ingress object is just data; nothing happens until an Ingress controller is running to read it and configure an actual proxy. NGINX, HAProxy, Traefik, and cloud-native controllers are common choices. The ingressClassName field picks which controller handles a given Ingress, so multiple controllers can coexist. Forgetting to install a controller is the classic "my Ingress does nothing" mistake.

TLS termination is configured on the Ingress by referencing a Secret that holds the certificate and key. The controller terminates HTTPS at the edge and forwards plain HTTP to the backend Services — though most setups pair this with cert-manager to issue and renew certificates automatically.

The Limits of Ingress

Ingress was scoped narrowly to HTTP host/path routing, so anything beyond that — header-based routing, traffic splitting for canaries, gRPC, TCP/UDP — was bolted on through controller-specific annotations. Those annotations are not portable: an Ingress tuned for NGINX does not behave the same on another controller. The model also blurs roles, mixing infrastructure concerns and application routing in one object owned by one team.

The Gateway API

The Gateway API replaces annotation-soup with first-class, portable resources and a clean separation of roles. A GatewayClass and Gateway are owned by the platform or infrastructure team (the listeners, IPs, and TLS), while HTTPRoute (and TCPRoute, gRPCRoute) are owned by application teams and attach to a Gateway. Header matching, traffic splitting, and cross-namespace routing are built in, not annotations.

For new clusters the Gateway API is the recommended path; Ingress remains widely deployed and fully supported, so you will meet both for years. The practical guidance: learn Ingress because it is everywhere, and prefer the Gateway API for anything new that needs more than basic host/path routing.

Ingress vs Gateway API

Ingress — simple host/path HTTP routing, one object, advanced features via non-portable annotations. Ubiquitous and supported.

Gateway API — role-separated, portable resources (Gateway + HTTPRoute) with header matching and traffic splitting built in. The recommended direction for new routing.

Common Mistakes

Creating an Ingress with no controller installed and wondering why nothing routes.
Relying on controller-specific annotations and assuming the Ingress is portable to another controller.
Pushing non-HTTP traffic (raw TCP, databases) through Ingress, which is designed for HTTP.
Hand-managing TLS certificates instead of automating issuance and renewal with cert-manager.
Starting a brand-new cluster on Ingress for advanced routing instead of evaluating the Gateway API first.

Best Practices

Install and verify an Ingress controller before creating Ingress objects; set ingressClassName explicitly.
Automate certificates with cert-manager rather than rotating Secrets by hand.
Front many Services with one Ingress (or Gateway) instead of a LoadBalancer per service.
Prefer the Gateway API for new routing that needs header matching, traffic splitting, or clean team boundaries.
Treat annotation-based Ingress features as controller lock-in and document them as such.

RelatedService — the L4 layer Ingress and Gateway route tocert-manager — automatic TLS certificate issuance and renewalCloud API gateways / ALB — managed L7 entry points as analogs

Knowledge Check

You created an Ingress but no traffic is routed. What is the most common reason?

No Ingress controller is installed to read the Ingress and configure a proxy
A separate LoadBalancer Service is required for every single host and path rule
The Ingress object must live in the kube-system namespace to route
Ingress routing only works once the Gateway API is also enabled

What is the main structural improvement of the Gateway API over Ingress?

Role separation and portable resources — Gateway (platform) vs HTTPRoute (app teams) — with features built in, not via annotations
It removes the need for any controller, since the kube-apiserver itself programs the proxies and routes traffic directly to backend Pods
It runs entirely on the control plane with no data-plane proxy at all
It supports only a single backend Service per Gateway object

Why are advanced Ingress features often non-portable across controllers?

They are expressed as controller-specific annotations rather than standard fields
Each Ingress object is pinned to one specific node and cannot move
Every Ingress controller defines its own mutually incompatible apiVersion for the object
TLS Secrets are stored in a controller-specific proprietary format

You got correct