Integrating with kgateway
Istio includes reference implementations of an ingress gateway and waypoint. However, ambient mode was designed to allow the use of alternative Layer 7 implementations. kgateway can be used as both an ingress gateway and a waypoint.
What is kgateway?
kgateway is a feature-rich, fast, and flexible Kubernetes-native ingress controller and next-generation API gateway that is built on top of Envoy and configured with Gateway API.
kgateway was originally launched in 2018 as Gloo. Since then, the project has steadily evolved to become the most trusted and feature-rich API gateway for Kubernetes, processing billions of API requests for many of the world’s biggest companies. The project was renamed and transferred to the CNCF in 2024.
kgateway includes a number of extensions and features beyond the ingress and waypoint gateway implementations in Istio. It offers first-class APIs for rate limiting, header manipulation, request transformations, external auth and processing, without requiring the use of EnvoyFilters. It also has a large set of features for egress management, including AI prompt guarding, API key management, and data loss prevention.
Using kgateway as an ingress gateway
If the kgateway-system namespace and the configured backends are both added to the ambient mesh, traffic between the gateway and the backend is secured with mTLS. Both sides matter: if only the gateway namespace is enrolled, ztunnel has no mesh identity for the backend and forwards the gateway's requests as plaintext, so the mTLS guarantee is lost silently. Enroll the gateway namespace with:
kubectl label ns kgateway-system istio.io/dataplane-mode=ambient
When configuring your HTTPRoutes, ensure that you are targeting your configured kgateway instance using parentRefs:
parentRefs:
- name: https
  namespace: kgateway-system
Refer to the kgateway ingress documentation for more information.
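The following manifest is an added example, not configuration from the Istio or kgateway documentation. It puts the pieces above together: an HTTPS Gateway named https in kgateway-system (matching the parentRefs shown), an application namespace enrolled in the ambient mesh so that gateway-to-backend traffic is mTLS, and an HTTPRoute in that namespace that attaches to the Gateway across namespaces. The GatewayClass name kgateway, the TLS Secret name https-cert, and the bookinfo namespace with its productpage Service on port 9080 are assumptions for illustration. The kgateway-system namespace itself is enrolled with the kubectl label command above.

```yaml
# Added example; assumed names are marked below.
---
apiVersion: v1
kind: Namespace
metadata:
  name: bookinfo                        # assumed application namespace
  labels:
    istio.io/dataplane-mode: ambient    # backends join the mesh, so gateway->backend is mTLS
    shared-gateway-access: "true"       # opts this namespace in to attaching routes (see selector below)
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: https                           # matches the parentRefs name used by the HTTPRoute
  namespace: kgateway-system
spec:
  gatewayClassName: kgateway            # assumed class name of the kgateway ingress controller
  listeners:
  - name: https
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
      certificateRefs:
      - name: https-cert                # assumed kubernetes.io/tls Secret in kgateway-system
    allowedRoutes:
      namespaces:
        from: Selector                  # default is Same, which would reject the cross-namespace route;
        selector:                       # All would let every namespace in the cluster attach
          matchLabels:
            shared-gateway-access: "true"
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: productpage
  namespace: bookinfo
spec:
  parentRefs:
  - name: https
    namespace: kgateway-system
  hostnames:
  - productpage.example.com             # assumed hostname
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /productpage
    backendRefs:
    - name: productpage                 # Service in the same namespace as the route, so no ReferenceGrant is needed
      port: 9080
```

After applying, confirm the route actually attached by reading the HTTPRoute status (kubectl get httproute productpage -n bookinfo -o yaml) and checking that the parent condition Accepted is True; a route rejected by allowedRoutes simply never receives traffic, with no error at request time. The Selector form is used deliberately: with from: All, any tenant that can create an HTTPRoute anywhere in the cluster can attach it to the shared listener and claim hostnames.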
Using kgateway as a waypoint
A waypoint proxy is deployed using the Gateway resource, and the gatewayClassName field determines which proxy to use. The default class in an ambient mesh is istio-waypoint. To use kgateway, change the gatewayClassName to kgateway-waypoint.
Third-party waypoints listen on port 15088 and use the PROXY protocol for transferring identity information from ztunnel.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: kgateway-waypoint
  namespace: default
spec:
  gatewayClassName: kgateway-waypoint
  listeners:
  - name: proxy
    port: 15088
    protocol: istio.io/PROXY
You can then configure your namespace to use the waypoint as usual, for example by labeling it with istio.io/use-waypoint set to the Gateway name. Just like the stock waypoint, kgateway enforces Istio security policies and routes that target services using the waypoint, or the waypoint itself. You can also apply kgateway's own policies to routes that the waypoint processes.
Refer to the kgateway waypoint documentation for more information.
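The following manifest is an added example, not configuration from the Istio or kgateway documentation. It shows the waypoint Gateway above together with the two things the text describes but does not spell out: the namespace label that sends traffic through the waypoint, and an Istio AuthorizationPolicy that the kgateway waypoint enforces at Layer 7. The productpage Service and the curl ServiceAccount in the default namespace are assumptions for illustration.

```yaml
# Added example; assumed names are marked below.
---
apiVersion: v1
kind: Namespace
metadata:
  name: default
  labels:
    istio.io/dataplane-mode: ambient
    istio.io/use-waypoint: kgateway-waypoint   # must match the Gateway name below
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: kgateway-waypoint
  namespace: default
spec:
  gatewayClassName: kgateway-waypoint          # selects kgateway instead of istio-waypoint
  listeners:
  - name: proxy
    port: 15088                                # ztunnel connects here; this is not a client-facing port
    protocol: istio.io/PROXY
---
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: productpage-viewer
  namespace: default
spec:
  targetRefs:
  - kind: Service
    group: ""
    name: productpage                          # assumed Service; policy is enforced by the waypoint serving it
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/default/sa/curl     # assumed client identity, from the workload's mTLS certificate
    to:
    - operation:
        methods: ["GET"]
        paths: ["/productpage", "/api/v1/*"]
```

Once an ALLOW policy targets the Service, any request to it that matches no rule is denied, so a client using a different ServiceAccount, or a POST from the curl account, is rejected with 403 at the waypoint. Two checks are worth making before relying on this: kubectl get gateway kgateway-waypoint -n default should show the Gateway as Programmed, and the namespace must carry the istio.io/use-waypoint label, because a Service-scoped policy is only enforced on traffic that actually traverses the waypoint; a client that is not in the mesh and talks to the pod IP directly never reaches it.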