Calico Ingress Gateway
Calico Ingress Gateway provides a streamlined solution for managing cluster ingress traffic by using the Kubernetes Gateway API standard.
About Calico Ingress Gateway
Calico Ingress Gateway is a hardened distribution of the open-source Envoy Gateway project. Tigera rebuilds the Envoy Gateway code using hardened base images for robust security and stable performance.
Calico Ingress Gateway provides seamless, deep integration with the Calico environment. This approach ensures that ingress security and networking configurations are unified within the Calico framework.
About Gateway API
The Kubernetes Gateway API is the modern, standardized interface for governing access to services within a cluster, serving as the successor to the original Ingress resource.
Key features and benefits of the Gateway API include:
- Role-Oriented Design: It clearly separates network infrastructure concerns (managed by network teams via Gateway resources) from application-specific routing (managed by developers via routing resources).
- Enhanced Expressiveness: The API natively supports advanced traffic control patterns, such as weighted traffic splitting for canary deployments, header manipulation, and detailed request matching, functionality that often required vendor-specific annotations in the past.
- Portability: As a standard Kubernetes API, configurations are not tied to a single vendor implementation, providing portability and preventing vendor lock-in.
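The role split and weighted traffic splitting described above, as an added example that is not taken from the Calico documentation. All resource names, namespaces, the hostname and the `gateway-access` label are hypothetical, and the `gatewayClassName` value is an assumption to confirm with `kubectl get gatewayclass`. The `allowedRoutes` selector limits which namespaces can attach routes to the shared Gateway.

```yaml
# Infrastructure team: owns the Gateway in its own namespace (names are illustrative).
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-gateway
  namespace: infra-gateways
spec:
  gatewayClassName: tigera-gateway-class   # assumed class name; confirm with `kubectl get gatewayclass`
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: Selector                   # only labelled namespaces may attach routes
          selector:
            matchLabels:
              gateway-access: "true"       # hypothetical label set by the infrastructure team
---
# Application team: owns routing in its own namespace.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: shop-canary
  namespace: shop                          # must carry the label gateway-access=true
spec:
  parentRefs:
    - name: shared-gateway
      namespace: infra-gateways
  hostnames:
    - shop.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: shop-stable                # 90% of requests go to the stable Service
          port: 8080
          weight: 90
        - name: shop-canary                # 10% of requests go to the canary Service
          port: 8080
          weight: 10
```

An HTTPRoute created in a namespace without the label is not accepted by the listener, so application teams cannot expose services through the Gateway unless the infrastructure team has opted their namespace in.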
About Envoy Gateway
Gateway API defines the specification, and Envoy Gateway is the primary implementation framework.
Envoy Gateway acts as the control plane that translates Gateway API resources into actionable configuration for its data plane. The data plane utilizes Envoy Proxy, a high-performance, widely adopted proxy used across the cloud-native ecosystem for edge and service mesh functionality. By leveraging Envoy, the Calico Ingress Gateway provides proven reliability, high throughput, and granular observability.
Deployment and management with Calico Ingress Gateway
While the underlying architecture involves multiple layers (Gateway API specification, Envoy Gateway control plane, Envoy Proxy data plane), the Calico Ingress Gateway simplifies deployment and management significantly.
Calico Ingress Gateway is managed entirely by the Tigera Operator. This integration automates the lifecycle of the components—from initial installation to upgrades and scaling—reducing manual configuration overhead. CVEs are addressed as part of the regular Calico patch release cadence. Administrators provision the gateway environment simply by defining a standard Gateway resource.
Images for the gateway resources are
Calico Enterprise and Calico Cloud integration
For commercial deployments, Calico Ingress Gateway extends functionality by integrating directly with the Web Application Firewall (WAF). This feature allows operators to secure their ingress points against the OWASP Top 10 and other common vulnerabilities through simple configuration within the Calico management plane.
Supported Gateway API resources
Calico Ingress Gateway supports the following Gateway API resources.
| Resource | Versions |
|---|---|
| BackendLBPolicy | v1alpha2 |
| BackendTLSPolicy | v1alpha3 |
| GatewayClass | v1, v1beta1 |
| Gateway | v1, v1beta1 |
| GRPCRoute | v1, v1alpha2 |
| HTTPRoute | v1, v1beta1 |
| ReferenceGrant | v1beta1, v1alpha2 |
| TCPRoute | v1alpha2 |
| TLSRoute | v1alpha2 |
| UDPRoute | v1alpha2 |
OpenShift 4.19 introduced restrictions on which Gateway API CRDs can be installed.
- The available Gateway API resources in OpenShift 4.19 are: GatewayClass, Gateway, GRPCRoute, HTTPRoute and ReferenceGrant.
- Other Gateway API resources, namely BackendLBPolicy, BackendTLSPolicy, TCPRoute, TLSRoute and UDPRoute, are not available in OpenShift 4.19.
Next steps
- Learn more about Calico Ingress Gateway with the canary deployment tutorial.