Gateway API with Traefik
The Gateway API is the successor to Kubernetes Ingress, providing a more expressive, extensible, and role-oriented approach to managing traffic routing. It introduces resources like Gateway and HTTPRoute that offer finer control over how traffic enters and flows through your cluster.
Key Benefits
- Role-oriented: Separates concerns between infrastructure providers, cluster operators, and application developers
- Expressive: Native support for header-based routing, traffic splitting, and request manipulation
- Extensible: Custom resources can extend functionality without modifying core APIs
- Portable: Standard API works across multiple implementations (Traefik, Cilium, Envoy, Istio, Kong, and more)
Prerequisites
- An Exoscale SKS cluster with kubectl access
- Helm installed
- Basic Kubernetes knowledge
If you don’t have access to an SKS cluster, follow the Quick Start Guide.
Install Gateway API CRDs
First, install the Gateway API Custom Resource Definitions (CRDs):
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/standard-install.yamlNote
Check the Gateway API releases for the latest version.
Install Traefik with Gateway API Provider
Add the Traefik Helm repository and install Traefik with the Gateway API provider enabled:
helm repo add traefik https://traefik.github.io/charts
helm repo update
helm install traefik traefik/traefik -n traefik --create-namespace \
--set providers.kubernetesGateway.enabled=true \
--set providers.kubernetesCRD.enabled=false \
--set providers.kubernetesIngress.enabled=falseNote
This configuration enables Gateway API support while disabling traditional Ingress.
If you need both Gateway API and Ingress support, omit the kubernetesCRD and
kubernetesIngress flags, or set them to true.
This installation creates a LoadBalancer service, which automatically provisions an Exoscale Network Load Balancer through the CCM.
Verify the installation:
kubectl get pods -n traefik -l app.kubernetes.io/name=traefik
kubectl get svc -n traefik traefikNote
The commands above assume Traefik is installed in the traefik namespace, as shown in the Helm command.
How Traffic Flows on Exoscale
When you create the Traefik Service of type LoadBalancer, Exoscale provisions a Network Load Balancer (NLB) through the CCM. Traffic then follows this path:
- Client -> Exoscale NLB (Service
LoadBalancer) - NLB -> NodePort on cluster nodes
- NodePort -> Traefik pod
- Traefik ->
Gateway->HTTPRoute-> Service -> Pods
This is why you must allow NodePort traffic in the node security group.
Configure Security Group for NodePort Traffic
The Network Load Balancer routes traffic to NodePorts on your cluster nodes. You need to allow this traffic through a security group.
Create a security group and add a rule for the NodePort range:
exo compute security-group create traefik-nodeports
exo compute security-group rule add traefik-nodeports \
--protocol tcp \
--port 30000-32767 \
--network 0.0.0.0/0Attach the security group to your nodepool. You can do this via the Portal or CLI:
exo compute sks nodepool update <cluster-name> <nodepool-name> \
--security-group traefik-nodeports \
--security-group <existing-security-group>Important
The --security-group flag replaces all security groups on the nodepool. Make sure to include any existing security groups in the command to avoid removing them.
Create Gateway API Resources
Gateway API separates concerns across different roles:
GatewayClass: Defined by the infrastructure provider (e.g., Traefik). Typically set up once per cluster.Gateway: Managed by platform or cluster operators. Defines entry points, ports, and TLS configuration.HTTPRoute: Owned by application developers. Defines routing rules and can be bundled alongside applications in Helm charts.
GatewayClass
The GatewayClass defines which controller handles Gateways. Create a file named gatewayclass.yaml:
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
name: traefik
spec:
controllerName: traefik.io/gateway-controllerApply it:
kubectl apply -f gatewayclass.yamlGateway
The Gateway resource defines the entry point for traffic. Create a file named gateway.yaml:
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: traefik-gateway
spec:
gatewayClassName: traefik
listeners:
- name: http
protocol: HTTP
port: 8000Note
Traefik uses port 8000 for its web entryPoint by default. The external LoadBalancer maps port 80 to this internal port, so the Gateway listener must match the Traefik entryPoint port (8000 unless you override Helm values). If you set ports.web.port=80, update the Gateway listener to port: 80.
Apply it:
kubectl apply -f gateway.yamlExample Application
Deploy a simple application to test the setup. Create a file named app.yaml:
apiVersion: apps/v1
kind: Deployment
metadata:
name: hello
labels:
app: hello
spec:
replicas: 3
selector:
matchLabels:
app: hello
template:
metadata:
labels:
app: hello
spec:
containers:
- name: hello
image: nginxdemos/hello:plain-text
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: hello
spec:
selector:
app: hello
ports:
- port: 80
targetPort: 80Apply it:
kubectl apply -f app.yamlHTTPRoute
The HTTPRoute defines how traffic is routed to your services. It only becomes active when it is attached to a Gateway via parentRefs. Create a file named httproute.yaml:
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: hello-route
spec:
parentRefs:
- name: traefik-gateway
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: hello
port: 80Apply it:
kubectl apply -f httproute.yamlVerify the Setup
Check that the Gateway is ready:
kubectl get gateway traefik-gatewayGet the external IP of the LoadBalancer:
kubectl get svc -n traefik traefik -o jsonpath='{.status.loadBalancer.ingress[0].ip}'Test the route:
curl http://<EXTERNAL-IP>/You should see the nginx hello response.
Gateway API vs Ingress
Gateway API is a good fit when you need advanced routing, multi-team ownership boundaries, or a consistent policy model across teams and clusters. Ingress remains a good choice for simple routing and legacy setups.
Note
Gateway API is still evolving, and feature support varies by controller. Always check your controller’s Gateway API support matrix.
Tip
You can run Ingress and Gateway API side by side in Traefik by enabling both providers. This can help with gradual migration, but increases operational complexity.
Important
Gateway API does not natively support Traefik’s TLSOption CRD. If you need to customize TLS settings (such as minimum TLS version, cipher suites, or mTLS policies), use Ingress with IngressRoute instead, where TLSOption references work as expected.
| Feature | Ingress | Gateway API |
|---|---|---|
| Role separation | Single resource | GatewayClass, Gateway, HTTPRoute |
| Header routing | Annotation-dependent | Native support |
| Traffic splitting | Not supported | Native support |
| Request/response manipulation | Controller-specific | Standardized filters |
| Multi-tenancy | Limited | Built-in support |
| Extensibility | Annotations | Custom resources |
When to use Ingress: Simple routing needs, existing configurations, controller-specific features.
When to use Gateway API: Complex routing, multi-team environments, portability requirements, new deployments.
Cleanup
When deleting resources, follow this order to avoid orphaned cloud resources:
Caution
Always delete the LoadBalancer service before deleting the nodepool or cluster. Otherwise, the NLB may not be automatically cleaned up.
# Delete Gateway API resources
kubectl delete httproute hello-route
kubectl delete gateway traefik-gateway
kubectl delete gatewayclass traefik
# Delete the application
kubectl delete -f app.yaml
# Uninstall Traefik (this deletes the LoadBalancer service)
helm uninstall traefik
# Delete Gateway API CRDs
kubectl delete -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/standard-install.yaml
# Remove security group (after cluster deletion)
exo compute security-group delete traefik-nodeportsOther Gateway API Controllers
While this guide uses Traefik, the Gateway API is supported by many controllers:
- Cilium Gateway API: eBPF-based networking with Gateway API support
- Envoy Gateway: Managed Envoy proxy for Kubernetes
- Istio: Service mesh with Gateway API integration
- Kong: API gateway with Gateway API support
The concepts in this guide apply to other controllers with minor configuration differences.
See Also
- For traditional load balancing and ingress, see SKS Load Balancer and Ingress Controller
- Official Gateway API documentation
- Traefik Gateway API documentation
- Gateway API implementations
- For details on SKS service levels and shared responsibility, see SKS Overview