Version: main 🚧

Gateway API

Supported Configurations
Running the control plane as a container with:

Use sync.toHost.gatewayApi when tenants create Gateway API resources inside a tenant cluster. vCluster syncs those resources to the Control Plane Cluster.

This is different from exposing the tenant cluster API server with controlPlane.tlsRoute. For API server exposure, see Access and expose vCluster.

Resources

Gateway API sync can cover:

  • HTTPRoute resources for HTTP application routing.
  • Gateway resources when tenants are allowed to create Gateway infrastructure objects.
  • TLSRoute resources for TLS passthrough routing.
  • BackendTLSPolicy and ReferenceGrant resources when required by the selected Gateway controller and route topology.

The Control Plane Cluster must have the corresponding Gateway API CRDs installed. The Gateway controller must support the resource kinds and filters that tenants use.

Tenant-created routes

For the common shared-infrastructure model, platform administrators create a Gateway in the Control Plane Cluster. Tenants create HTTPRoute resources that attach to that Gateway.

In that model, use Imported Gateways and GatewayClasses so the approved Gateway is visible inside the tenant cluster as a read-only resource.

If tenants are allowed to create their own Gateway resources, enable Gateway sync for tenant-created Gateways and apply policy through templates, RBAC, admission control, and Gateway controller configuration.

Auto sleep

Gateway-backed auto sleep for HTTP traffic depends on HTTPRoute request mirroring support. A controller can serve HTTPRoute traffic without supporting the request mirror filter that Platform needs for automatic wakeup. For details, see Gateway API HTTPRoute activity detection.
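
One way to check controller support before relying on auto sleep, as an added example that is not part of the vCluster documentation: the script reads output in the shape of `kubectl get gatewayclass -o json` and looks for the Gateway API conformance feature `HTTPRouteRequestMirror` in `status.supportedFeatures`. The GatewayClass and controller names are constructed, and a class that publishes no feature list is reported as unknown rather than unsupported.

```python
import json
from typing import Optional

# Gateway API conformance feature name for the HTTPRoute RequestMirror filter.
MIRROR_FEATURE = "HTTPRouteRequestMirror"

# Constructed sample in the shape of `kubectl get gatewayclass -o json`.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "shared-a"},
   "spec": {"controllerName": "example.com/controller-a"},
   "status": {"supportedFeatures": [{"name": "HTTPRoute"},
                                    {"name": "HTTPRouteRequestMirror"}]}},
  {"metadata": {"name": "shared-b"},
   "spec": {"controllerName": "example.com/controller-b"},
   "status": {"supportedFeatures": ["HTTPRoute", "HTTPRouteQueryParamMatching"]}},
  {"metadata": {"name": "shared-c"},
   "spec": {"controllerName": "example.com/controller-c"},
   "status": {}}
]}
""")


def supported_features(gateway_class: dict) -> Optional[set]:
    """Feature names a GatewayClass advertises, or None if it advertises none."""
    raw = (gateway_class.get("status") or {}).get("supportedFeatures")
    if not raw:
        return None
    names = set()
    for item in raw:
        # Older experimental releases list plain strings; newer ones list {"name": ...}.
        if isinstance(item, str):
            names.add(item)
        elif isinstance(item, dict) and "name" in item:
            names.add(item["name"])
    return names


def mirror_support(gateway_class: dict) -> str:
    """'supported', 'unsupported', or 'unknown' when no feature list is published."""
    features = supported_features(gateway_class)
    if features is None:
        return "unknown"
    return "supported" if MIRROR_FEATURE in features else "unsupported"


def audit(gateway_class_list: dict) -> dict:
    """Map each GatewayClass name to its request-mirror support status."""
    return {gc["metadata"]["name"]: mirror_support(gc)
            for gc in gateway_class_list.get("items", [])}
```

An "unknown" result means the controller's own documentation or conformance report has to answer the question, since serving HTTPRoute traffic alone does not show mirror support.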

Config reference

See the generated sync.toHost.gatewayApi config reference for exact YAML fields, including httpRoutes, gateways, tlsRoutes, backendTlsPolicies, and referenceGrants.