envoy gateway api controller

Background

https://www.kubernetes.dev/blog/2025/11/12/ingress-nginx-retirement/

Envoy controller

https://gateway.envoyproxy.io/docs/tasks/quickstart/

Installation

https://gateway.envoyproxy.io/docs/tasks/quickstart/

helm install eg oci://docker.io/envoyproxy/gateway-helm --version v1.6.0 -n envoy-gateway-system --create-namespace

https://gateway.envoyproxy.io/latest/install/install-yaml/

quick start and learn how it works

$ kubectl apply -f https://github.com/envoyproxy/gateway/releases/download/v1.6.0/quickstart.yaml -n default
gatewayclass.gateway.networking.k8s.io/eg created
gateway.gateway.networking.k8s.io/eg created
serviceaccount/backend created
service/backend created
deployment.apps/backend created
httproute.gateway.networking.k8s.io/backend created

following the below service, you can access URL using external-ip

$ kubectl get svc -n envoy-gateway-system -l app.kubernetes.io/instance=eg
NAME            TYPE        CLUSTER-IP    EXTERNAL-IP   PORT(S)                                            AGE
envoy-gateway   ClusterIP   10.0.173.35   <none>        18000/TCP,18001/TCP,18002/TCP,19001/TCP,9443/TCP   76m
$ kubectl get svc -n envoy-gateway-system -l app.kubernetes.io/name=envoy
NAME                        TYPE           CLUSTER-IP    EXTERNAL-IP    PORT(S)        AGE
envoy-default-eg-e41e7b31   LoadBalancer   10.0.42.162   x.x.x.x        80:30436/TCP   72m
$ kubectl get gateway
NAME   CLASS   ADDRESS        PROGRAMMED   AGE
eg     eg      x.x.x.x        True         74m

ingress와의 차이점

	ingress	gateway api
component	ingress	gateway / httproute
additional features	annotation	CRD로 추가 제공

기본 생성시에는 ingress와 비교해보았을때에는 gateway 와 httproute만 제공되면 서비스가 가능하다.

• gateway : listener 역할 수행
• httproute : ingress에서 path 로 ingress내에 선언하였던 부분을 분리하여 설정할수 있다.
• 그외에도 다양한 crd를 활용할 수 있다.

$ kubectl get crd | grep gateway
backends.gateway.envoyproxy.io                        2025-11-21T04:43:10Z
backendtlspolicies.gateway.networking.k8s.io          2025-11-21T04:43:08Z
backendtrafficpolicies.gateway.envoyproxy.io          2025-11-21T04:43:11Z
clienttrafficpolicies.gateway.envoyproxy.io           2025-11-21T04:43:12Z
envoyextensionpolicies.gateway.envoyproxy.io          2025-11-21T04:43:12Z
envoypatchpolicies.gateway.envoyproxy.io              2025-11-21T04:43:13Z
envoyproxies.gateway.envoyproxy.io                    2025-11-21T04:43:14Z
gatewayclasses.gateway.networking.k8s.io              2025-11-21T04:43:08Z
gateways.gateway.networking.k8s.io                    2025-11-21T04:43:08Z
grpcroutes.gateway.networking.k8s.io                  2025-11-21T04:43:08Z
httproutefilters.gateway.envoyproxy.io                2025-11-21T04:43:15Z
httproutes.gateway.networking.k8s.io                  2025-11-21T04:43:09Z
referencegrants.gateway.networking.k8s.io             2025-11-21T04:43:08Z
securitypolicies.gateway.envoyproxy.io                2025-11-21T04:43:16Z
tcproutes.gateway.networking.k8s.io                   2025-11-21T04:43:08Z
tlsroutes.gateway.networking.k8s.io                   2025-11-21T04:43:08Z
udproutes.gateway.networking.k8s.io                   2025-11-21T04:43:08Z
xbackendtrafficpolicies.gateway.networking.x-k8s.io   2025-11-21T04:43:08Z
xlistenersets.gateway.networking.x-k8s.io             2025-11-21T04:43:08Z
xmeshes.gateway.networking.x-k8s.io                   2025-11-21T04:43:07Z

configuration

envoy-gateway.yaml

Usages

whitelist

$ curl -H "Host: www.example.com" xxx.xxx.xxx.xxx
RBAC: access denied

spec:
  authorization:
    defaultAction: Deny
    rules:
    - action: Allow
      principal:
        clientCIDRs:
        - 218.238.135.0/24
        - 4.194.122.0/24