Envoy Gateway
Envoy Gateway brings the Kubernetes Gateway API to kinder clusters. It replaces Ingress with a more expressive routing model and supports HTTP, TLS, and TCP routes with a single controller.
kinder installs Envoy Gateway v1.3.1.
What gets installed
Section titled “What gets installed”| Resource | Namespace | Purpose |
|---|---|---|
| Envoy Gateway controller | envoy-gateway-system | Watches Gateway/HTTPRoute resources |
GatewayClass “eg” | cluster-scoped | Entry point for all Gateway resources |
| Gateway API CRDs | cluster-scoped | Gateway, HTTPRoute, GRPCRoute, etc. |
How to use
Section titled “How to use”Create a Gateway and an HTTPRoute using the eg GatewayClass:
apiVersion: gateway.networking.k8s.io/v1kind: Gatewaymetadata: name: my-gatewayspec: gatewayClassName: eg listeners: - name: http protocol: HTTP port: 80---apiVersion: gateway.networking.k8s.io/v1kind: HTTPRoutemetadata: name: my-routespec: parentRefs: - name: my-gateway rules: - matches: - path: type: PathPrefix value: / backendRefs: - name: my-service port: 80MetalLB assigns the gateway an external IP automatically when both addons are enabled.
How to verify
Section titled “How to verify”Check that the GatewayClass is accepted:
kubectl get gatewayclass egExpected output:
NAME CONTROLLER ACCEPTED AGEeg gateway.envoyproxy.io/gatewayclass True 60sVerify the controller pod is running:
kubectl get pods -n envoy-gateway-systemConfiguration
Section titled “Configuration”Envoy Gateway is controlled by the addons.envoyGateway field:
apiVersion: kind.x-k8s.io/v1alpha4kind: Clusteraddons: envoyGateway: true # defaultSee the Configuration Reference for all available addon fields.
How to disable
Section titled “How to disable”apiVersion: kind.x-k8s.io/v1alpha4kind: Clusteraddons: envoyGateway: falsePractical examples
Section titled “Practical examples”Path-based routing
Section titled “Path-based routing”Route /api requests to one service and /web requests to another using a single HTTPRoute:
apiVersion: gateway.networking.k8s.io/v1kind: HTTPRoutemetadata: name: path-routespec: parentRefs: - name: my-gateway rules: - matches: - path: type: PathPrefix value: /api backendRefs: - name: api-service port: 8080 - matches: - path: type: PathPrefix value: /web backendRefs: - name: web-service port: 80Header-based routing
Section titled “Header-based routing”Route requests to a canary deployment based on a request header:
apiVersion: gateway.networking.k8s.io/v1kind: HTTPRoutemetadata: name: header-routingspec: parentRefs: - name: my-gateway rules: - matches: - headers: - name: X-Environment value: canary backendRefs: - name: canary-service port: 80 - backendRefs: - name: stable-service port: 80Test canary routing with curl:
# Route to canarycurl -H "X-Environment: canary" http://<gateway-ip>/
# Route to stable (no header)curl http://<gateway-ip>/Troubleshooting
Section titled “Troubleshooting”Gateway stuck in Pending
Section titled “Gateway stuck in Pending”Symptom: kubectl get gateway shows the gateway status is not Programmed — it remains Pending or shows no PROGRAMMED column value.
Cause: Either the Envoy Gateway controller is not running, or MetalLB is unavailable to assign an external IP to the gateway’s backing service.
Fix:
Check that the Envoy Gateway controller pod is running:
kubectl get pods -n envoy-gateway-systemIf the pod is not Running, describe it for error details.
Verify that MetalLB is enabled and its pods are healthy:
kubectl get pods -n metallb-systemIf MetalLB is disabled or unhealthy, the gateway’s LoadBalancer service will stay in <pending> and the gateway will not become Programmed.