The Evolution to a Modern Ingress

The Gateway API is a paradigm shift from the legacy Ingress API, offering a role-oriented, expressive, and portable framework for modern cloud-native environments.

Legacy Ingress API: The Constraints

  • 🚫 Monolithic Model: Blends infrastructure and application concerns, creating operational bottlenecks.
  • 🚫 Limited Protocols: Primarily designed for HTTP/S, with poor support for TCP, UDP, or gRPC.
  • 🚫 "Annotation Hell": Relies on non-portable, vendor-specific annotations for advanced features.
  • 🚫 Brittle Permissions: Flawed permission model struggles with multi-tenant and multi-team scaling.

Gateway API: The Future

  • Role-Oriented: Separates concerns with `GatewayClass`, `Gateway`, and `HTTPRoute`.
  • Expressive & Portable: Native support for advanced routing and traffic management in a standardized spec.
  • Extensible by Design: Natively supports multiple protocols and has clear extension points.
  • Secure by Default: Explicit, secure cross-namespace routing via `ReferenceGrant`.

Cilium's eBPF-Powered Architecture

Cilium integrates a sidecar-less Envoy proxy with the eBPF datapath for kernel-level performance and identity-aware security. A request passes through these stages:

1. External Request
2. eBPF Intercept
3. Envoy L7 Process
4. Policy Enforcement
5. Forward to Pod

Implementation Guide

Deploying the Cilium Gateway API requires key prerequisites and a straightforward installation process. Follow these steps to get up and running.

Use Case Cookbook

Replicate common Ingress patterns with the Gateway API's native features, configured through `HTTPRoute`.

Zero-Trust Ingress Security

Cilium enables a two-step, identity-based policy model for ingress. Both flows must be explicitly allowed by a `CiliumNetworkPolicy`.

🌐 world → Policy 1 → 🛡️ ingress → Policy 2 → 🚀 backend
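
The two hops of this model (world to ingress, then ingress to backend) written out as a pair of policies. This is an added example, not configuration from the original page; the policy names, the `demo` namespace, the `app: backend` label and port 8080 are assumptions.

```yaml
# Policy 1: world -> ingress.
# Selects Cilium's reserved ingress identity (the Envoy listener) and
# admits traffic that originates outside the cluster.
apiVersion: cilium.io/v2
kind: CiliumClusterwideNetworkPolicy
metadata:
  name: allow-world-to-ingress        # hypothetical name
spec:
  description: Allow external clients to reach the ingress identity
  endpointSelector:
    matchExpressions:
      - key: reserved:ingress
        operator: Exists
  ingress:
    - fromEntities:
        - world
---
# Policy 2: ingress -> backend.
# The backend accepts traffic only from the ingress identity, and only
# on its service port, so other in-cluster pods cannot reach it directly.
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
  name: allow-ingress-to-backend      # hypothetical name
  namespace: demo                      # hypothetical namespace
spec:
  endpointSelector:
    matchLabels:
      app: backend                     # hypothetical label
  ingress:
    - fromEntities:
        - ingress
      toPorts:
        - ports:
            - port: "8080"             # hypothetical port
              protocol: TCP
```

Once a policy selects an endpoint for ingress, anything not listed is dropped for that endpoint, so removing either document breaks the path from world to backend.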

Phased Migration Strategy

A "big bang" cutover is risky. Follow this phased approach for a safe, controlled migration from legacy Ingress to the Cilium Gateway API.

1. Audit & Plan: Use the `ingress2gateway` tool, audit the YAML, and identify manual conversion tasks.
2. Deploy in Parallel: Install the Cilium Gateway API and provision a new `Gateway` with a separate external IP.
3. Migrate & Test: Migrate non-critical services first. Update DNS with a low TTL and test thoroughly.
4. Gradual Cutover: Migrate production services in small, manageable batches. Monitor each batch carefully.
5. Decommission: After a stable monitoring period, remove the legacy Ingress controller and resources.