18. gateway

Gateway API

Ingress NGINX Retirement
https://kubernetes.io/blog/2025/11/11/ingress-nginx-retirement/

Kubernetes has officially announced that Ingress NGINX will stop being maintained entirely in March 2026. For that reason this chapter does not cover TLS or canary releases implemented through Ingress annotations; the Gateway API is used instead.

Concepts

The Gateway API is a family of Kubernetes APIs for managing network traffic. It offers:

  • Dynamic infrastructure provisioning (for example, creating a cloud load balancer on demand)
  • Advanced traffic routing (header matching, traffic splitting)
  • Extensibility with a role-oriented design
  • Protocol awareness (HTTP, TLS, TCP, UDP, etc.)

It is not a drop-in replacement for Ingress; it is the next-generation traffic management API, with more expressive routing, better extensibility and a clearer separation of roles.

Design principles

1. Role oriented

The API is designed around organizational roles and split into resources that each role manages separately:

Role                       Responsibility
Infrastructure provider    Manages load balancers and gateway devices (e.g. a cloud vendor)
Cluster operator           Configures policy, security, listeners and access control
Application developer      Creates routing rules (HTTPRoute)

2. Portable

  • Defined as CRDs and supported by many implementations (Istio, Traefik, NGINX, Kong, Contour)
  • Better consistency across platforms.

3. Expressive

Provides richer routing capabilities than traditional Ingress:

  • Header matching
  • Query parameter matching
  • Weighted forwarding
  • Request/response filters (adding headers, etc.)

4. Extensible

Supports extension at several levels:

  • GatewayClass can carry controller-specific parameters
  • Gateway supports extension fields
  • Routes support custom filters and policies

Resource model

The three core stable resources of the Gateway API:

GatewayClass → Gateway → Route(HTTPRoute)

1. GatewayClass

Describes a class of gateways (which controller implements it and how it is configured).

Example:

apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: example-class
spec:
  controllerName: example.com/gateway-controller

2. Gateway

An instance of a traffic entry point of a given class (for example a cloud load balancer or an in-cluster reverse proxy).

Example:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-gateway
spec:
  gatewayClassName: example-class
  listeners:
  - name: http
    protocol: HTTP
    port: 80

  • gatewayClassName says which controller manages this Gateway
  • The controller allocates an entry address (IP/DNS) for it

3. HTTPRoute

Defines the concrete HTTP routing behaviour, directing traffic from a Gateway listener to a backend Service.

Example:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: example-httproute
spec:
  parentRefs:
  - name: example-gateway
  hostnames:
  - "www.example.com"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /login
    backendRefs:
    - name: example-svc
      port: 8080
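The route above matches a single path prefix. The richer matching and filtering listed under "Expressive" (header and query matches, weighted forwarding, request/response header filters) all fit in one HTTPRoute. The manifest below is an added example, not taken from this post or from the Gateway API documentation; it reuses the names example-gateway and example-svc from above and assumes a second Service, example-svc-canary, in the same namespace, which is not defined anywhere on this page.

```yaml
# Added example (not from the original post). Assumes a Gateway named example-gateway
# and two Services, example-svc and example-svc-canary, in the same namespace.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: example-canary-route
spec:
  parentRefs:
    - name: example-gateway
  hostnames:
    - "www.example.com"
  rules:
    # Rule 1: a request carrying the header "x-canary: true" OR the query
    # parameter canary=1 goes only to the canary Service. Entries in `matches`
    # are ORed. A rule with a header/query match is more specific than a bare
    # path prefix, so it takes precedence regardless of rule order.
    - matches:
        - path:
            type: PathPrefix
            value: /
          headers:
            - name: x-canary
              value: "true"      # match type defaults to Exact
        - path:
            type: PathPrefix
            value: /
          queryParams:
            - name: canary
              value: "1"
      filters:
        # Tag the request so the backend and its logs can tell canary traffic apart.
        # `set` overwrites any x-route header a client sent, unlike `add`.
        - type: RequestHeaderModifier
          requestHeaderModifier:
            set:
              - name: x-route
                value: canary
      backendRefs:
        - name: example-svc-canary
          port: 8080
    # Rule 2: everything else is split by weight, 90% stable / 10% canary.
    # Weights are relative (default 1; 0 sends no traffic to that backend).
    - matches:
        - path:
            type: PathPrefix
            value: /
      filters:
        # Strip a response header that reveals the backend implementation
        - type: ResponseHeaderModifier
          responseHeaderModifier:
            remove:
              - Server
      backendRefs:
        - name: example-svc
          port: 8080
          weight: 90
        - name: example-svc-canary
          port: 8080
          weight: 10
```

Promoting the canary is an edit of the two weights in this one object (50/50, then 100/0); no annotation and no second Ingress is involved. After applying, check `status.parents[].conditions` in `kubectl get httproute example-canary-route -o yaml`: the Accepted condition says the Gateway admitted the route, and ResolvedRefs turns False if one of the backend Services does not exist.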

Installation

# Install from the OCI registry with Helm (example version v1.6.0)
ubuntu@ubuntu:~$ helm install eg oci://docker.io/envoyproxy/gateway-helm   --version v1.6.0   -n envoy-gateway-system   --create-namespace
Pulled: docker.io/envoyproxy/gateway-helm:v1.6.0
Digest: sha256:905eced000d4b2acb78f802f5d03af32a08d30478808c20d522ffa735476bc5d
NAME: eg
LAST DEPLOYED: Fri Nov 21 17:36:29 2025
NAMESPACE: envoy-gateway-system
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
**************************************************************************
*** PLEASE BE PATIENT: Envoy Gateway may take a few minutes to install ***
**************************************************************************

Envoy Gateway is an open source project for managing Envoy Proxy as a standalone or Kubernetes-based application gateway.

Thank you for installing Envoy Gateway! 🎉

Your release is named: eg. 🎉

Your release is in namespace: envoy-gateway-system. 🎉

To learn more about the release, try:

  $ helm status eg -n envoy-gateway-system
  $ helm get all eg -n envoy-gateway-system

To have a quickstart of Envoy Gateway, please refer to https://gateway.envoyproxy.io/latest/tasks/quickstart.

To get more details, please visit https://gateway.envoyproxy.io and https://github.com/envoyproxy/gateway.
# Wait for the main Deployment to become available
ubuntu@ubuntu:~$ kubectl wait --for=condition=Available deployment/envoy-gateway -n envoy-gateway-system --timeout=300s
deployment.apps/envoy-gateway condition met
# List the pods
ubuntu@ubuntu:~$ kubectl get pods -n envoy-gateway-system
NAME                             READY   STATUS    RESTARTS   AGE
envoy-gateway-54cd886ccc-glpcp   1/1     Running   0          3m10s

Example 1: deploying a service

Prepare a minimal backend

# app-http-echo.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: demo

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: http-echo
  namespace: demo
spec:
  replicas: 2
  selector:
    matchLabels:
      app: http-echo
  template:
    metadata:
      labels:
        app: http-echo
    spec:
      containers:
        - name: http-echo
          image: hashicorp/http-echo:0.2.3
          args: ["-text=hello from http-echo"]
          ports:
            - containerPort: 5678

---
apiVersion: v1
kind: Service
metadata:
  name: http-echo
  namespace: demo
spec:
  selector:
    app: http-echo
  ports:
    - port: 80
      targetPort: 5678
      protocol: TCP
  type: ClusterIP

Verify:

# Deploy
ubuntu@ubuntu:~/example/gateway$ kubectl apply -f ./app-http-echo.yaml 
namespace/demo created
deployment.apps/http-echo created
service/http-echo created
# Check status
ubuntu@ubuntu:~/example/gateway$ kubectl -n demo get pods,svc
NAME                             READY   STATUS    RESTARTS   AGE
pod/http-echo-5df97c497f-lb25d   1/1     Running   0          14s
pod/http-echo-5df97c497f-qtw56   1/1     Running   0          14s

NAME                TYPE        CLUSTER-IP   EXTERNAL-IP   PORT(S)   AGE
service/http-echo   ClusterIP   10.97.7.76   <none>        80/TCP    14s

Create the GatewayClass / Gateway / HTTPRoute (routing traffic to http-echo)

The Gateway below listens on HTTP/80 and leaves the address unspecified, so the implementation (or the Service it creates) assigns the LoadBalancer IP.

# gateway-demo.yaml

---
# 1) GatewayClass (cluster-wide, bound to the Envoy Gateway controller)
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: envoy-gateway
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass-controller

---
# 2) Gateway (a Gateway listening on port 80, created in the envoy-gateway-system namespace)
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-gateway
  namespace: envoy-gateway-system
spec:
  gatewayClassName: envoy-gateway
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      # Allow HTTPRoutes from all namespaces to attach to this listener
      allowedRoutes:
        namespaces:
          from: All

---
# 3) HTTPRoute (in the demo namespace; the parent reference points at the Gateway created above)
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http-echo-route
  namespace: demo
spec:
  parentRefs:
    - name: example-gateway
      namespace: envoy-gateway-system
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: http-echo
          namespace: demo
          port: 80

Verify:

# Deploy
ubuntu@ubuntu:~/example/gateway$ kubectl apply -f ./gateway-demo.yaml 
gatewayclass.gateway.networking.k8s.io/envoy-gateway created
gateway.gateway.networking.k8s.io/example-gateway created
httproute.gateway.networking.k8s.io/http-echo-route created
# Check status
ubuntu@ubuntu:~/example/gateway$ kubectl -n envoy-gateway-system get pod
NAME                                                              READY   STATUS    RESTARTS      AGE
envoy-envoy-gateway-system-example-gateway-10348818-58fd84kxrtk   2/2     Running   0             2m14s
envoy-gateway-54cd886ccc-glpcp                                    1/1     Running   3 (10m ago)   2d9h
ubuntu@ubuntu:~/example/gateway$ kubectl -n envoy-gateway-system get svc
NAME                                                  TYPE           CLUSTER-IP      EXTERNAL-IP       PORT(S)                                                                          AGE
envoy-envoy-gateway-system-example-gateway-10348818   LoadBalancer   10.97.122.116   192.168.236.202   80:31565/TCP                                                                     2m18s
envoy-gateway                                         LoadBalancer   10.105.179.76   192.168.236.201   18000:31899/TCP,18001:31607/TCP,18002:30833/TCP,19001:30187/TCP,9443:31773/TCP   2d9h
# Open http://192.168.236.202/ in a browser
# It shows: hello from http-echo
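The Gateway above lets an HTTPRoute from any namespace attach to its listener (allowedRoutes.namespaces.from: All) and serves plaintext HTTP only. The manifest below is an added example, not part of the original post, that restricts attachment to labelled namespaces, adds an HTTPS listener that terminates TLS with a certificate Secret, and redirects port 80 to HTTPS. It keeps the names from the demo (envoy-gateway, example-gateway, demo, http-echo); the hostname echo.example.com, the namespace label gateway-access=allowed and the Secret name echo-example-com-tls are assumptions.

```yaml
# Added example (not from the original post). Replaces the demo's Gateway and
# HTTPRoute of the same names; hostname, label and Secret name are assumptions.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: example-gateway
  namespace: envoy-gateway-system
spec:
  gatewayClassName: envoy-gateway
  listeners:
    # Listener 1: plain HTTP, kept only so that it can redirect to HTTPS
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: Selector          # was: All. Only namespaces carrying the label may attach
          selector:
            matchLabels:
              gateway-access: allowed
    # Listener 2: TLS is terminated at the gateway with a certificate from a Secret
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "echo.example.com"
      tls:
        mode: Terminate
        certificateRefs:
          - kind: Secret
            name: echo-example-com-tls   # kubernetes.io/tls Secret in the Gateway's own namespace
      allowedRoutes:
        namespaces:
          from: Selector
          selector:
            matchLabels:
              gateway-access: allowed
---
# The demo namespace must carry the label the selector asks for;
# applying this over the existing namespace adds the label.
apiVersion: v1
kind: Namespace
metadata:
  name: demo
  labels:
    gateway-access: allowed
---
# Redirect HTTP to HTTPS so that no plaintext path to the backend remains.
# With scheme https and no explicit port, the redirect targets port 443.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http-to-https
  namespace: demo
spec:
  parentRefs:
    - name: example-gateway
      namespace: envoy-gateway-system
      sectionName: http            # attach to the HTTP listener only
  hostnames:
    - "echo.example.com"
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
---
# The echo route now attaches only to the HTTPS listener
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http-echo-route
  namespace: demo
spec:
  parentRefs:
    - name: example-gateway
      namespace: envoy-gateway-system
      sectionName: https
  hostnames:
    - "echo.example.com"
  rules:
    - backendRefs:
        - name: http-echo
          port: 80
```

Create the Secret first with `kubectl -n envoy-gateway-system create secret tls echo-example-com-tls --cert=tls.crt --key=tls.key`, then `kubectl apply -f` the file. Because the Secret lives in the Gateway's namespace no ReferenceGrant is needed; a Secret in another namespace would additionally require a ReferenceGrant (gateway.networking.k8s.io/v1beta1) in that namespace. `kubectl -n envoy-gateway-system get gateway example-gateway -o yaml` shows, per listener under status.listeners, the ResolvedRefs and Programmed conditions and the attachedRoutes count; a route from a namespace without the label is rejected with Accepted=False and reason NotAllowedByListeners. A request such as `curl --resolve echo.example.com:443:192.168.236.202 --cacert ca.crt https://echo.example.com/` should return "hello from http-echo", and the same URL over http:// should answer with a 301 to https.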
posted @ 2025-11-24 10:58 beamsoflight