Gateways and GatewayClasses
Use sync.fromHost.gatewayClasses and sync.fromHost.gateways when platform administrators own Gateway API infrastructure in the Control Plane Cluster. Tenant clusters can then see approved Gateway resources.
Imported Gateway API resources are read-only inside the tenant cluster. Tenants can reference them from Routes, but changes to imported GatewayClass or Gateway resources do not sync back to the Control Plane Cluster.
Configure admin-owned shared gateways​
In a shared Gateway model:
- Platform administrators install the Gateway API CRDs and Gateway controller.
- Platform administrators create the
GatewayClassand one or moreGatewayresources in the Control Plane Cluster. - vCluster imports the approved
GatewayClassandGatewayresources into tenant clusters. - Tenants create
HTTPRouteorTLSRouteresources that attach to the imported Gateway.
This lets platform teams own DNS, certificates, listener policy, and controller lifecycle while tenants own their application routes.
Route attachment policy​
Imported Gateways can expose tenant-facing allowedRoutes policy. Use this to make the allowed route attachment model visible to tenants and enforce which tenant namespaces or hostnames can attach to a shared Gateway.
If tenants need to route to a backend in another namespace, the selected Gateway API topology may also require a ReferenceGrant.
Status and metadata visibility​
Gateway status can be mirrored into the tenant cluster so tenants can see whether a Gateway has addresses or listener status. Metadata controls can expose source Gateway information when that helps tenants understand which Control Plane Cluster Gateway they are using.
Keep this information scoped to what tenants need. Shared Gateway infrastructure often carries operational details that should remain platform-owned.
Config reference​
See the generated sync.fromHost.gatewayClasses and sync.fromHost.gateways config reference for exact YAML fields, including imported Gateways, allowedRoutes, status, metadata, and sanitization options.