Fast-Tracking Your Migration From Ingress to Gateway API

As cloud-native platforms continue to scale, networking must evolve to keep up with increasing complexity. Kubernetes Ingress has long been the standard for managing external traffic, but it is limited in flexibility, multi-protocol support, and portability. This is where Gateway API comes in, a next-generation networking standard that removes reliance on vendor-specific annotations, enables advanced traffic control, and supports both north-south and east-west traffic.

At Isovalent many of us are heavily involved in Gateway API’s upstream project and we are excited to showcase the work that they’ve put into the upstream project. A core pillar of our values is our open source engagement. We do not only contribute widely to projects including Cilium, the Linux Kernel, and more, we are proud that our Isonauts (Isovalent team members) participate directly in various boards, committees, and organizations, showing their dedication to continually advancing open source communities.

In this blog, we’ll explore why Gateway API is the future of Kubernetes networking, its advantages over Ingress, and how the community-written tool ingress2gateway can help you migrating to Gateway API.

Learn more about Gateway API

Learn more about Gateway API and how the Isovalent enterprise solutions can help you in our self-guided hands-on lab.

Start the Gateway API lab

ingress2gateway is a tool written and maintained by the community. If you are looking for Enterprise solutions Isovalent’s experts are ready to support you in your journey migrating business workloads from Ingress to Gateway API with Isovalent Networking for Kubernetes. Isovalent Networking for Kubernetes, powered by Cilium, gives organizations deep observability and seamless scalability for modern cloud-native environments. In addition, native add-ons can further enhance your Cilium environment, such as Hubble for network flows and observability, and Isovalent Runtime Security, powered by Tetragon. Whether you’re looking to improve security, simplify network policies, or future-proof your platform, Isovalent Kubernetes Networking also delivers a fully supported, high-performance Gateway API solution.

Why Kubernetes Ingress Required a Successor

The Kubernetes Ingress API was introduced to standardize how external traffic reaches services inside a cluster. It provided a simple way to define routing rules but quickly ran into limitations as cloud-native applications evolved:

• Limited Protocol Support – Ingress primarily supports HTTP and HTTPS, requiring workarounds for TCP, UDP, and gRPC.
• Vendor-Specific Annotations – Different controllers (NGINX, Traefik, HAProxy, Cilium) use unique annotations, making migrations difficult.
• Basic Traffic Management – Features like traffic splitting, header-based routing, and canary deployments need additional tools.
• Lack of Role Separation – Ingress forces both infrastructure and application teams to work with the same resource, leading to operational complexity.
• North-South Only – Ingress focuses on external traffic but doesn’t handle east-west (service-to-service) communication.

These challenges drove the need for a more flexible and extensible solution, leading to the development of Kubernetes Gateway API. Curious? Take a look at our deep dive into Cilium’s Gateway API!

Gateway API: The Next Generation of Kubernetes Networking

The Gateway API is the successor to Kubernetes Ingress, designed to address its limitations while providing a standardized, extensible framework for modern networking. But choosing the right Gateway API implementation is just as important as the API itself. Cilium, the de facto Kubernetes CNI and the only CNCF-graduated CNI, brings unmatched performance, security, and observability to Gateway API through its eBPF-powered networking stack.

With Cilium’s implementation of Gateway API, you get:

• Multi-Protocol Support – Works natively with HTTP, HTTPS, and gRPC, eliminating the need for complex workarounds.
• eBPF-Powered Performance – Unlike traditional proxies that add latency, Cilium’s eBPF-based data path ensures high-performance, low-overhead packet processing for all Gateway API traffic.
• Advanced Traffic Control – Supports traffic splitting, mirroring, retries, timeouts, and progressive rollouts, enabling fine-grained application networking.
• Seamless Security & Observability – Cilium’s deep network visibility, transparent encryption, and identity-aware policies provide unparalleled security without impacting performance.
• North-South & East-West Networking – Cilium’s Gateway API implementation supports both ingress (north-south) and service-to-service (east-west) traffic thanks to the GAMMA initative, simplifying your networking stack.
• Cloud-Native & Portable – Avoid vendor lock-in with a truly cloud-native networking solution, seamlessly integrated with Kubernetes, service meshes, and cloud providers.

By combining Gateway API’s powerful networking model with Cilium’s eBPF-driven performance, security, and observability, organizations gain a future-proof, scalable networking solution, without the complexity of legacy approaches.

Up next, let’s explore how migrating from Ingress to Gateway API can be simplified with Cilium and the ingress2gateway tool. 

Migrating to Gateway API Made Easy

Luckily, with Cilium’s Gateway API implementation and the community ingress2gateway project, you can easily see how your existing Ingress resources translate into Gateway API configurations, making migration smoother and more predictable.

In this walk-through section, we’ll walk through an example of how ingress2gateway works:

1. Deploy an example workload named httpbin and an associated ingress
2. Run the ingress2gateway tooling against the ingress configuration
3. Observe and apply the generated Gateway API CRDs

One of the standout features that the ingress2gateway tooling can help with is Ingress annotations. For those of you who aren’t familiar with annotations, the Kubernetes ingress uses this form of metadata to configure implementation specific options. The issue arises when different implementations have different annotations – making it extremely difficult to switch between implementations. Gateway API addresses this problem of portability; creating an API for common use cases (for example, percent based routing, header matching).

Let’s say you have an annotation on your Kubernetes Ingress. As we know, Gateway API was designed to be portable – meaning that each implementation’s annotations are put into the Gateway CRD, versus annotations being over-stuffed with them. It could be a nightmare if you wanted to translate your Ingress with annotations (especially if there is more than one) correctly to Gateway API. Here’s where ingress2gateway can also help!

For example, let’s say your Cilium Ingress has the force-https annotation. This annotation enables Cilium to enforce HTTPS redirects for this Ingress.

In this blog, we will walk through an example of having an existing cluster with a Cilium Ingress, then use ingress2gateway to translate that Ingress resource into its respective Gateway and HTTPRoute CRD! 

Prerequisite

• A deployed Kubernetes cluster with Cilium’s ingress enabled. The below commands enable the Ingress Controller in a Cilium deployment. 

$ helm upgrade cilium cilium/cilium \
    --namespace kube-system \
    --reuse-values \
    --set ingressController.enabled=true \
    --set ingressController.loadbalancerMode=dedicated

• If you would like to apply the generated YAML for Gateway API to your Kubernetes cluster, ensure you have the correct Gateway API CRDs installed aligned to your Cilium version and the Gateway API feature enabled in your Cilium installation

$ helm upgrade cilium cilium/cilium \
    --namespace kube-system \
    --reuse-values \
    --set ingressController.enabled=true \
    --set ingressController.loadbalancerMode=dedicated
    --set kubeProxyReplacement=true \
    --set gatewayAPI.enabled=true

Using Ingress2Gateway to Migrate to Gateway API

1. Deploy ingress setup
   1. Have a cluster with Cilium and Ingress enabled, along with a TLS Certificate and private key for your cluster (follow Create TLS Certificate and Private Key step)
   2. Deploy our sample application, the well-known httpbin sample application

apiVersion: v1
kind: ServiceAccount
metadata:
  name: httpbin-v1
---
apiVersion: v1
kind: Service
metadata:
  name: httpbin-v1
  labels:
    app: httpbin-v1
    service: httpbin-v1
spec:
  ports:
  - name: http
    port: 8000
    targetPort: 80
  selector:
    app: httpbin
    version: v1
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: httpbin-v1
spec:
  replicas: 1
  selector:
    matchLabels:
      app: httpbin
  template:
    metadata:
      labels:
        app: httpbin
        version: v1
    spec:
      serviceAccountName: httpbin-v1
      containers:
      - image: docker.io/kennethreitz/httpbin
        imagePullPolicy: IfNotPresent
        name: httpbin
        ports:
        - containerPort: 80

2. Create an Ingress resource for the HTTP Bin application deployment

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: basic-ingress
  namespace: default
  annotations:
    ingress.cilium.io/force-https: "enabled"
spec:
  ingressClassName: cilium
  rules:
  - host: httpbin.cilium.com
    http:
      paths:
      - backend:
          service:
            name: httpbin-v1
            port:
              number: 8000
        path: /
        pathType: Prefix
  tls:
  - hosts:
    - httpbin.cilium.com
    secretName: demo-cert

3. Install and run ingress2gateway. This will install the binary to provide you the ability to translate your resources to Gateway API.

• Follow the installation documentation for Ingress 2 Gateway

4. Inspect or apply generated Gateway API CRDs. The –print flag will output the generated YAML to your terminal, where you can inspect it and see how the Cilium ingress translates to Gateway API

• ./ingress2gateway print –providers cilium
• The output will resemble the following:

Notifications from CILIUM:
+--------------+----------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------+
| MESSAGE TYPE |                                                  NOTIFICATION                                                  |                      CALLING OBJECT                       |
+--------------+----------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------+
| INFO         | parsed "ingress.cilium.io/force-https" annotation of ingress and patched httproute.spec.rules[].filters fields | HTTPRoute: default/basic-ingress-https-httpbin-cilium-com |
+--------------+----------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------+

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  annotations:
    gateway.networking.k8s.io/generator: ingress2gateway-0.4.0
  creationTimestamp: null
  name: cilium
  namespace: default
spec:
  gatewayClassName: cilium
  listeners:
  - hostname: httpbin.cilium.com
    name: httpbin-cilium-com-http
    port: 80
    protocol: HTTP
  - hostname: httpbin.cilium.com
    name: httpbin-cilium-com-https
    port: 443
    protocol: HTTPS
    tls:
      certificateRefs:
      - group: null
        kind: null
        name: demo-cert
status: {}
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  annotations:
    gateway.networking.k8s.io/generator: ingress2gateway-0.4.0
  creationTimestamp: null
  name: basic-ingress-https-httpbin-cilium-com
  namespace: default
spec:
  hostnames:
  - httpbin.cilium.com
  parentRefs:
  - name: cilium
  rules:
  - filters:
    - requestRedirect:
        scheme: https
        statusCode: 301
      type: RequestRedirect
    matches:
    - path:
        type: PathPrefix
        value: /
status:
  parents: []

Ingress2gateway is a great way to get started exploring Gateway API resources. Ensure that you review the generated resources before attempting to apply them in your production environment.

Exploring Cilium’s Gateway API Implementation further

Cilium fully supports Gateway API and GAMMA, enabling both North-South (N-S) and East-West (E-W) traffic management within Kubernetes. This means that Cilium’s Gateway API implementation is not just for external ingress but also provides advanced service-to-service communication, making it a powerful choice for secure, scalable, and observable networking in Kubernetes.

If you’re currently using another Ingress or Gateway API provider, but want to explore what Cilium’s eBPF-powered implementation can offer, the transition is simple:

1. Run ingress2gateway on your existing provider to generate Gateway API configurations.
2. Deploy Cilium in a test cluster with Gateway API enabled.
3. Apply the generated Gateway API CRDs and explore how Cilium enhances observability, security, and performance.

With Gateway API as the next-generation networking standard and Cilium as the de facto Kubernetes CNI, now is the perfect time to experience a more powerful, efficient, and portable networking model.

Want to get hands on? You don’t even need to spin up Cilium in your own environment, you can can dive straight in using the Isovalent free Hands-on-Labs. 

• Cilium Gateway API
• Advanced Gateway API Use Cases

Future-Proof Your Kubernetes Networking With Isovalent and Gateway API

The Gateway API is the next-generation standard for Kubernetes networking, solving many of the limitations of Ingress with multi-protocol support, standardized configuration, and advanced traffic control. But, to fully unlock its potential, choosing the right implementation matters. Cilium, the de facto Kubernetes CNI and the only CNCF-graduated CNI, brings eBPF-powered performance, security, and deep observability to Gateway API—ensuring efficient, scalable, and secure networking for modern cloud-native environments.

If you’re looking to move beyond the constraints of Ingress, now is the time to explore Cilium’s Gateway API implementation. With tools like ingress2gateway developed and maintained by the community, migrating your existing Ingress resources is easier than ever, allowing you to embrace the future of Kubernetes networking with minimal effort.

Outside of the community, if you’re ready to simplify your Kubernetes networking with Cilium’s Gateway API implementation but need enterprise guidance on strategy, deployment, or migration, our experts are here to help. Contact us to explore how we from Isovalent can support your platform transformation and ensure your infrastructure is secure, scalable, and ready for the future!