✦ For everyone, free.

Practical knowledge for real and everyday life

Home

20 Kubernetes Ingress and Gateway Routing

Kubernetes Ingress and Gateway Routing enables secure, scalable external access to internal services through defined rules and protocols.

Kubernetes Ingress and Gateway Routing is the set of API mechanisms that manage how external HTTP and HTTPS traffic is routed into a cluster, allowing host- and path-based rules to direct requests to the correct internal Service and centralizing concerns such as TLS termination that would otherwise need to be duplicated across many individually exposed Services.


The Problem Ingress Solves

Limits of Basic Service Exposure

Exposing every Service directly through a NodePort or a dedicated LoadBalancer becomes costly and unwieldy as the number of externally reachable applications grows, since each exposed Service typically consumes its own external IP address or port range.

A Shared Entry Point

Ingress solves this by providing a single, shared entry point that can route incoming traffic to many different backend Services based on the request's hostname or URL path, consolidating external exposure behind one or a small number of load balancers.


The Ingress Resource

Declarative Routing Rules

An Ingress resource declares a set of rules mapping hostnames and paths to backend Services and ports, describing the desired routing behavior without specifying how that behavior should be implemented at the network level.

The Ingress Controller

An Ingress resource by itself does nothing without an Ingress controller running in the cluster, which watches Ingress objects and configures the actual underlying proxy, such as a reverse proxy or a cloud load balancer, to implement the declared rules.

request ( host , path ) Service

TLS Termination

Centralizing Certificate Management

Ingress resources can reference TLS certificates stored as Secrets, allowing a single Ingress controller to terminate HTTPS connections for many different hostnames, removing the need for individual applications to manage their own certificates.

Automated Certificate Provisioning

Many clusters pair Ingress with automated certificate issuance tools that watch Ingress resources and provision or renew TLS certificates automatically, reducing the operational burden of manual certificate management.


Limitations of the Ingress API

A Narrow, HTTP-Focused Model

The original Ingress API was designed narrowly around basic HTTP routing, and different Ingress controllers extended it with inconsistent, vendor-specific annotations to support more advanced features such as traffic splitting or custom load balancing behavior.


The Gateway API

A More Expressive Successor

The Gateway API was introduced as a more expressive, role-oriented alternative to Ingress, separating concerns between infrastructure operators who manage shared Gateway resources and application developers who define Routes attached to those Gateways.

Gateways and Routes

A Gateway resource represents a listener configuration, such as which ports and protocols are exposed, while separate Route resources, such as HTTPRoute, describe how specific traffic matching certain criteria should be forwarded to backend Services, allowing more granular and portable routing configuration than Ingress annotations.

Protocol Flexibility

Unlike Ingress, which is focused primarily on HTTP and HTTPS, the Gateway API is designed to support a broader range of protocols, including TCP, UDP, and gRPC, through a common and extensible resource model.


Routing Architecture Diagram

External Ingress/Gateway Service A Service B Service C