Configs · April 18, 2026 · 1 min read

kGateway — Cloud-Native API Gateway Built on Envoy

kGateway (formerly Gloo Gateway) is a Kubernetes-native API gateway built on Envoy Proxy that supports the Gateway API standard with advanced traffic management, security, and AI gateway capabilities.

Introduction

kGateway is a feature-rich, Kubernetes-native API gateway that implements the Kubernetes Gateway API specification on top of Envoy Proxy. It handles ingress traffic routing, TLS termination, rate limiting, and authentication while providing extensibility through custom policies and integrations.

What kGateway Does

  • Routes external and internal traffic to Kubernetes services using Gateway API resources
  • Terminates TLS and manages certificates via integration with cert-manager
  • Applies rate limiting, retries, timeouts, and circuit breaking at the gateway level
  • Supports external authentication and authorization via OIDC, API keys, and OPA
  • Provides AI gateway features for proxying and managing LLM API traffic

Architecture Overview

kGateway deploys a control plane that watches Kubernetes Gateway API resources (Gateway, HTTPRoute, GRPCRoute) and translates them into Envoy xDS configuration. Data-plane Envoy pods handle the actual traffic. Custom policies are expressed as Kubernetes CRDs and merged into the Envoy configuration by the control plane.

Self-Hosting & Configuration

  • Install via Helm chart on any Kubernetes 1.25+ cluster
  • Requires the Gateway API CRDs to be installed in the cluster
  • Configure listeners, routes, and policies through standard Gateway API resources
  • Enable external auth by deploying an ExtAuth server and referencing it in policy CRDs
  • Monitor via Prometheus metrics and Grafana dashboards included in the Helm chart
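
The listener, TLS termination, and per-team route setup described above can be written with standard Gateway API resources. This is an added example, not configuration from the kGateway project: the resource names, namespaces, label, hostname, Secret, and the `kgateway` GatewayClass name are all assumptions. It restricts route attachment to labelled namespaces, so a team can only bind an HTTPRoute to the shared listener once its namespace has been granted access.

```yaml
# Added example: every name, namespace, label and hostname here is constructed.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: edge
  namespace: gateway-system
spec:
  gatewayClassName: kgateway        # assumption: class name created at install time
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "*.example.com"
      tls:
        mode: Terminate             # TLS ends at the gateway
        certificateRefs:
          - kind: Secret
            name: example-com-tls   # e.g. a Secret maintained by cert-manager
      allowedRoutes:
        namespaces:
          from: Selector            # narrower than "All": only labelled namespaces attach
          selector:
            matchLabels:
              gateway-access: edge
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: orders
  namespace: team-orders            # namespace must carry gateway-access=edge
spec:
  parentRefs:
    - name: edge
      namespace: gateway-system
      sectionName: https            # bind to the HTTPS listener only
  hostnames:
    - orders.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api
      backendRefs:
        - name: orders-svc          # Service in the route's own namespace
          port: 8080
```

A route from a namespace without the label is not accepted by the listener, which shows up in the HTTPRoute's `status.parents` conditions.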

Key Features

  • Full Kubernetes Gateway API conformance for portable ingress configuration
  • Built on Envoy Proxy for proven performance and protocol support
  • Extensible policy framework for auth, rate limiting, and transformations
  • AI gateway mode for routing, caching, and rate-limiting LLM API calls
  • Delegated routing that lets teams manage their own HTTPRoutes in separate namespaces

Comparison with Similar Tools

  • NGINX Ingress — Uses the older Ingress API; kGateway implements the newer Gateway API
  • Traefik — General-purpose proxy; kGateway provides deeper Envoy-based policy extensibility
  • Kong — Plugin-based architecture on NGINX/OpenResty; kGateway uses Envoy and Kubernetes CRDs
  • Istio Gateway — Requires a full service mesh; kGateway operates as a standalone gateway

FAQ

Q: Is kGateway the same as Gloo Gateway? A: Yes. The project was renamed from Gloo Gateway to kGateway to reflect its community-driven, Kubernetes-native focus.

Q: Does kGateway require Istio? A: No. kGateway runs independently as a standalone API gateway without a service mesh.

Q: Can kGateway handle gRPC traffic? A: Yes. It supports GRPCRoute resources from the Gateway API specification.

Q: Is kGateway free? A: The open-source version is free under Apache 2.0. Solo.io offers an enterprise edition with additional features.
