Kubernetes Ingress → Gateway API Migration (Production Playbook)

Date: 2026-03-24
Category: knowledge
Scope: Practical migration pattern for teams moving from Ingress to Gateway API with minimal outage risk and predictable rollback.

1) Why migrate now

Kubernetes documents Ingress as stable but frozen and recommends Gateway API for new work. In practice, this means:

• Ingress is still supported and not being removed.
• But new networking capabilities are increasingly designed around Gateway API.

Gateway API gives three big operational wins:

1. Role separation (infra/operator/app responsibilities are explicit).
2. Portable features (less provider annotation lock-in).
3. Richer routing model (header matching, weighting, mirrors, policy attachment patterns).

2) The model shift (mental rewrite from Ingress)

Think in layers:

• GatewayClass = implementation contract (which controller, behavior family).
• Gateway = actual entry points/listeners (ports, hostnames, TLS termination).
• Routes (HTTPRoute/GRPCRoute/TLSRoute...) = app-level routing intent.

This is the key migration mindset:

• Ingress often mixed infra + app config in one object.
• Gateway API intentionally splits them so shared clusters are safer by design.

3) Pre-migration checks (don’t skip)

3.1 Controller conformance reality check

Before any manifest conversion, verify your chosen controller’s supported features/profile. Gateway API has:

• Core (expected broad portability)
• Extended (portable but optional)
• Implementation-specific (vendor-specific behavior)

If your current Ingress depends on controller annotations, map each one to:

• standard Gateway field,
• policy CRD of your implementation,
• or “cannot migrate 1:1”.

3.2 CRD/channel strategy

Use Standard channel CRDs for production default unless you explicitly need experimental features. Read release notes before bumping and avoid downgrading CRDs.

3.3 Inventory risky Ingress patterns

Flag these early:

• heavy annotation usage (timeouts/retries/auth/custom rewrites),
• cross-namespace backend or certificate refs,
• regex/path semantics tightly coupled to one controller,
• canary logic implemented via proprietary annotations.

4) Safe migration plan (waves)

Wave A — Install and prove control plane

1. Install Gateway API CRDs and controller.
2. Create GatewayClass + baseline Gateway listeners.
3. Confirm status conditions become Accepted/Programmed (controller-specific wording may vary).

No production traffic shift yet.

Wave B — Shadow convert manifests

Use ingress2gateway as a starting point, not final truth:

• Convert existing Ingress resources.
• Manually review every generated Route/Gateway.
• Remove obsolete annotation thinking; encode intent in structured fields or policy resources.

Wave C — Canary host/path cutover

• Migrate one low-blast-radius hostname/path first.
• Keep old Ingress path available for instant rollback.
• Compare SLI deltas: 4xx/5xx, p95/p99 latency, TLS handshake errors, backend saturation.

Wave D — Bulk migration by risk tier

Order recommendation:

1. stateless internal tools,
2. low-revenue external endpoints,
3. critical public APIs,
4. last: weird legacy routes with annotation debt.

Wave E — Decommission Ingress objects

Only after steady-state burn-in (e.g., 7+ days, incident-free), delete retired Ingress resources and legacy annotation policies.

5) High-impact pitfalls and fixes

5.1 Cross-namespace references break unexpectedly

Gateway API requires explicit trust for cross-namespace references via ReferenceGrant in the target namespace (for example cert Secret refs or backend refs). Without this, references stay unresolved.

5.2 “It applied” does not mean “it routes”

Always check status conditions (ResolvedRefs, Accepted, implementation conditions). A syntactically valid object can still be non-functional due to unsupported kinds/features.

5.3 TLS assumptions from Ingress carry over incorrectly

Gateway API separates:

• Downstream TLS (client → gateway listener)
• Upstream TLS (gateway → backend, via BackendTLSPolicy)

Treat terminate/re-encrypt explicitly; do not assume old controller defaults still apply.

5.4 Multi-team RBAC not redesigned

If you keep broad write access to Gateway objects, you lose much of the role-oriented safety model. Split ownership:

• platform team owns GatewayClass/Gateway baseline,
• app teams own Routes within bounded namespaces.

5.5 Experimental creep in production

Experimental channel fields can change incompatibly in minor updates. If you must use them, isolate by environment and document upgrade runbooks.

6) Minimal conversion example

Ingress-era intent:

• host: api.example.com
• path /v1 → service api-v1:8080
• path /v2 → service api-v2:8080
• TLS termination with existing cert

Gateway API shape:

1. Gateway listener on HTTPS:443 with hostname: api.example.com and certificateRefs.
2. HTTPRoute with rules matching /v1 and /v2, each backendRef to respective Service.

The important operational difference: listener infra and route logic are independently governable.

7) Observability acceptance checklist

Before declaring migration complete:

• Route attach rate is 100% for target namespaces (no unresolved refs).
• TLS error budget unchanged (or better) vs Ingress baseline.
• p95/p99 latency regression within agreed threshold.
• 4xx/5xx and retry behavior validated against expected route filters/policies.
• Rollback tested in staging and once in prod canary window.
• RBAC boundary validated by attempting forbidden writes from app-team role.

8) Opinionated defaults

• Standard channel CRDs by default.
• Start with HTTPRoute on a single HTTPS listener.
• Keep old Ingress live until canary SLOs pass for multiple days.
• Introduce policy attachments only when needed; avoid re-creating annotation sprawl under new names.

9) Bottom line

Gateway API migration is easiest when treated as a governance + operability upgrade, not a YAML syntax rewrite.

If you only auto-convert manifests, you’ll keep legacy coupling. If you redesign ownership boundaries and reference safety (ReferenceGrant, RBAC, status checks), you get the real payoff: cleaner multi-team traffic ops with fewer controller-specific surprises.

References

• Kubernetes Ingress docs (Ingress is frozen; Gateway recommended): https://kubernetes.io/docs/concepts/services-networking/ingress/
• Gateway API introduction: https://gateway-api.sigs.k8s.io/
• API overview (GatewayClass/Gateway/Route model): https://gateway-api.sigs.k8s.io/concepts/api-overview/
• Migrating from Ingress guide: https://gateway-api.sigs.k8s.io/guides/getting-started/migrating-from-ingress/
• Versioning / release channels: https://gateway-api.sigs.k8s.io/concepts/versioning/
• Conformance / support levels: https://gateway-api.sigs.k8s.io/concepts/conformance/
• TLS guide (downstream/upstream, BackendTLSPolicy): https://gateway-api.sigs.k8s.io/guides/tls/
• CRD management guide: https://gateway-api.sigs.k8s.io/guides/crd-management/
• ingress2gateway project: https://github.com/kubernetes-sigs/ingress2gateway
• Kubernetes blog (ingress2gateway announcement): https://kubernetes.io/blog/2023/10/25/introducing-ingress2gateway/