Skip to content
Kong Logo | Kong Docs Logo
search
  • We're Hiring!
  • Docs
    • Kong Gateway
    • Kong Konnect
    • Kong Mesh
    • Plugin Hub
    • decK
    • Kubernetes Ingress Controller
    • Insomnia
    • Kuma

    • Docs contribution guidelines
  • Plugin Hub
  • Support
  • Community
  • Kong Academy
Early Access
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Plugin Hub
  • decK
  • Kubernetes Ingress Controller
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • 2.8.x (latest)
  • 2.7.x
  • 2.6.x
  • 2.5.x
  • 2.4.x
  • 2.3.x
  • 2.2.x
  • 2.1.x
  • 2.0.x
  • 1.3.x
  • 1.2.x
  • 1.1.x
  • 1.0.x
    • FAQ
    • Version Support Policy
    • Stages of Software Availability
    • Changelog
    • Architecture
    • Custom Resources
    • Deployment Methods
    • Kong for Kubernetes with Kong Enterprise
    • High-Availability and Scaling
    • Resource Classes
    • Security
    • Ingress Resource API Versions
    • Gateway API
    • Kong Ingress on Minikube
    • Kong for Kubernetes
    • Kong for Kubernetes Enterprise
    • Kong for Kubernetes with Kong Enterprise
    • Kong Ingress on AKS
    • Kong Ingress on EKS
    • Kong Ingress on GKE
    • Admission Controller
    • Installing Gateway APIs
    • Getting Started with KIC
    • Upgrading from previous versions
    • Getting Started using Istio
      • Using the Kong(Cluster)Plugin Resource
      • Using the KongIngress Resource
      • Using KongConsumer and Credential Resources
      • Using the TCPIngress Resource
      • Using the UDPIngress Resource
    • Using the ACL and JWT Plugins
    • Using cert-manager with Kong
    • Configuring a Fallback Service
    • Using an External Service
    • Configuring HTTPS Redirects for Services
    • Using Redis for Rate Limiting
    • Integrate KIC with Prometheus/Grafana
    • Configuring Circuit-Breaker and Health-Checking
    • Setting up a Custom Plugin
    • Using Ingress with gRPC
    • Setting up Upstream mTLS
    • Exposing a TCP-based Service
    • Exposing a UDP-based Service
    • Using the mTLS Auth Plugin
    • Configuring Custom Entities
    • Using the OpenID Connect Plugin
    • Rewriting Hosts and Paths
    • Preserving Client IP Address
    • Using Gateway API
    • Using Kong with Knative
    • KIC Annotations
    • CLI Arguments
    • Custom Resource Definitions
    • Plugin Compatibility
    • Version Compatibility
    • Troubleshooting
    • Prometheus Metrics
    • Feature Gates
    • Gateway API Support

github-edit-pageEdit this page

report-issueReport an issue

enterprise-switcher-iconSwitch to OSS

On this page
  • Supported Gateway API Resources
  • Enable the feature
  • Testing connectivity to Kong
  • Set up an echo service
  • Add a GatewayClass and Gateway
  • Add an HTTPRoute
  • Alpha limitations
Kubernetes Ingress Controller
2.5.x
  • Home
  • Kubernetes Ingress Controller
  • Guides
  • Using Gateway API
You are browsing documentation for an outdated version. See the latest documentation here.

Using Gateway API

This feature is released as a tech preview (alpha-quality) and should not be deployed in a production environment.

Gateway API is a set of resources for configuring networking in Kubernetes. It expands on Ingress to configure additional types of routes (TCP, UDP, and TLS in addition to HTTP/HTTPS), support backends other than Service, and manage the proxies that implement routes.

Gateway API and Kong’s implementation of Gateway API are both in alpha stage and under active development. Features and implementation specifics will change before their initial general availability release.

Supported Gateway API Resources

Currently, the Kubernetes Ingress Controller’s implementation of the Gateway API supports the following resources:

  • Gateway and GatewayClass
  • HTTPRoute
  • TCPRoute
  • UDPRoute
  • TLSRoute

  • ReferencePolicy

Enable the feature

The Gateway API CRDs are not yet available by default in Kubernetes. You must first install them.

The default controller configuration disables Gateway API handling. To enable it, set ingressController.env.feature_gates: Gateway=true in your Helm values.yaml, or set CONTROLLER_FEATURE_GATES=Gateway=true if not using Helm.

Note that you must restart Pods with this flag set after installing the Gateway API CRDs.

If using Helm, you must use chart version 2.7 or higher. Older versions do not include the ServiceAccount permissions necessary for KIC to read Gateway API resources.

Testing connectivity to Kong

This guide assumes that the PROXY_IP environment variable is set to contain the IP address or URL pointing to Kong. Follow one of the deployment guides to configure this environment variable.

If everything is set up correctly, making a request to Kong should return HTTP 404 Not Found.

Note: If you are running the example using Minikube on MacOS, you may need to run minikube tunnel in a separate terminal window. This exposes LoadBalancer services externally, which is not enabled by default.

$ curl -i $PROXY_IP
HTTP/1.1 404 Not Found
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Content-Length: 48
Server: kong/1.2.1

{"message":"no Route matched with those values"}

This is expected, as Kong does not yet know how to proxy the request.

Set up an echo service

Set up an echo service to demonstrate how to use the Kubernetes Ingress Controller:

kubectl apply -f https://docs.konghq.com/assets/kubernetes-ingress-controller/examples/echo-service.yaml

Add a GatewayClass and Gateway

The Gateway resource represents the proxy instance that handles traffic for a set of Gateway API routes, and a GatewayClass describes characteristics shared by all Gateways of a given type.

Add a GatewayClass:

$ echo "apiVersion: gateway.networking.k8s.io/v1alpha2
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: GatewayClass
metadata:
  name: kong
spec:
  controllerName: konghq.com/kic-gateway-controller
" | kubectl apply -f -
gatewayclass.gateway.networking.k8s.io/kong created

Add a Gateway:

$ echo "apiVersion: gateway.networking.k8s.io/v1alpha2
kind: Gateway
metadata:
  annotations:
    konghq.com/gateway-unmanaged: kong/kong-proxy
  name: kong
spec:
  gatewayClassName: kong
  listeners:
  - name: proxy
    port: 80
    hostname: kong.example
    protocol: HTTP
  - name: proxy-ssl
    port: 443
    hostname: kong.example
    protocol: HTTPS
" | kubectl apply -f -
gateway.gateway.networking.k8s.io/kong created

This configuration does not load any certificates, and will use a default self-signed certificate for HTTPS requests. If you have a TLS Secret you wish to use, you can add it with:

kubectl patch --type=json gateway kong -p='[{"op":"add","path":"/spec/listeners/1/tls","value":{"certificateRefs":[{"group":"","kind":"Secret","name":"example-cert-secret"}]}}]'

Change example-cert-secret to the name of your Secret.

Because KIC and Kong instances are installed independent of their Gateway resource, we set the konghq.com/gateway-unmanaged annotation to the <namespace>/<name> of the Kong proxy Service. This instructs KIC to populate that Kong Gateway resource with listener and status information.

You can check to confirm if KIC has updated the bound Gateway by inspecting the list of associated addresses:

kubectl get gateway kong -o=jsonpath='{.status.addresses}' | jq
[
  {
    "type": "IPAddress",
    "value": "10.96.179.122"
  },
  {
    "type": "IPAddress",
    "value": "172.18.0.240"
  }
]

Add an HTTPRoute

HTTPRoute resources are similar to Ingress resources: they contain a set of matching criteria for HTTP requests and upstream Services to route those requests to.

$ echo "apiVersion: gateway.networking.k8s.io/v1alpha2
kind: HTTPRoute
metadata:
  name: echo
  annotations:
    konghq.com/strip-path: "true"
spec:
  parentRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: kong
  hostnames:
  - kong.example
  rules:
  - backendRefs:
    - group: ""
      kind: Service
      name: echo
      port: 80
      weight: 1
    matches:
    - path:
        type: PathPrefix
        value: /echo
" | kubectl apply -f -

After creating an HTTPRoute, accessing /echo/hostname forwards a request to the echo service’s /hostname path, which yields the name of the pod that served the request:

curl -i http://kong.example/echo/hostname --resolve kong.example:80:$PROXY_IP
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 21
Connection: keep-alive
Date: Fri, 28 Oct 2022 08:18:18 GMT
X-Kong-Upstream-Latency: 1
X-Kong-Proxy-Latency: 0
Via: kong/3.1.1

echo-658c5ff5ff-8cvgj%

Alpha limitations

Kubernetes Ingress Controller Gateway API support is a work in progress, and not all features of Gateway APIs are supported. In particular:

  • queryParam matches are not supported.
  • Gateway Listener configuration does not support TLSConfig. You can’t load certificates for HTTP Routes and TLS Routes via Gateway configuration, and must either accept the default Kong certificate or add certificates and SNI resources manually via the admin API in DB-backed mode.

  • Gateways are not provisioned automatically.
  • Kong only supports a single Gateway per GatewayClass.

  • HTTPRoutes cannot be bound to a specific port using a ParentReference. Kong serves all HTTP routes on all HTTP listeners.
Thank you for your feedback.
Was this page useful?
  • Kong
    THE CLOUD CONNECTIVITY COMPANY

    Kong powers reliable digital connections across APIs, hybrid and multi-cloud environments.

    • Company
    • Customers
    • Events
    • Investors
    • Careers Hiring!
    • Partners
    • Press
    • Contact
  • Products
    • Kong Konnect
    • Kong Gateway
    • Kong Mesh
    • Get Started
    • Pricing
  • Resources
    • eBooks
    • Webinars
    • Briefs
    • Blog
    • API Gateway
    • Microservices
  • Open Source
    • Install Kong Gateway
    • Kong Community
    • Kubernetes Ingress
    • Kuma
    • Insomnia
  • Solutions
    • Decentralize
    • Secure & Govern
    • Create a Dev Platform
    • API Gateway
    • Kubernetes
    • Service Mesh
Star
  • Terms•Privacy
© Kong Inc. 2023