Skip to content

Kubernetes Cluster Traffic Management

We are making use of Cilium Gateway API as default means of managing traffic towards Routes defined in a Kubernetes Service, which offers full API lifecycle management, security, and governance.

If you are migrating your service from an Ingress Controller (Nginx, Traefik or any other) a quick comparison of main advantages of using Gateway API:

Feature Ingress API Gateway
Routing Host/path-based HTTP routing Advanced routing, multi-protocol (HTTP, gRPC, WebSockets)
TLS Termination
Auth (OIDC, JWT, API Keys) ❌ Limited (via annotations/plugins) ✅ Built-in
Rate Limiting / Quotas ❌ Not native ✅ Core feature
Observability Basic (via logs/metrics) Detailed API analytics
Kubernetes-native Sometimes (can be external)
Best for Simple cluster ingress Full API management and security

Networking Details

Workload Clusters are deployed on top of OpenStack infrastructure where we orchestrate/harden traffic as follows:

  • OpenStack Security Groups: provides a Stateful virtual firewall applied to cluster nodes as well granular filtering for API access and service ports as with explicit allowlists for Kubernetes control plane and worker node communication.
  • We make use of Load Balancing - Elastic IP to forward traffic to respective Cluster Nodes based on L4 TCP ports: 80/443/6443/50000. Additional ports can be provided on request.
  • The traffic is picked up by services exposed via Cilium Gateway API at ports 80 and 443.

Examples

Gateway API

In the following example we illustrate how to create a Gateway and corresponding HTTP routes, with HTTP redirecting to HTTPS. We create the Gateway cilium-gateway which makes use of the GatewayClass cilium.

---
# Namespace for our application
apiVersion: v1
kind: Namespace
metadata:
  name: cilium-gateway-demo

---
# Sample application deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: demo-app
  namespace: cilium-gateway-demo
spec:
  replicas: 3
  selector:
    matchLabels:
      app: demo-app
  template:
    metadata:
      labels:
        app: demo-app
        version: v1
    spec:
      containers:
      - name: demo-app
        image: nginx:1.25
        ports:
        - containerPort: 80
        volumeMounts:
        - name: html-content
          mountPath: /usr/share/nginx/html
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 200m
            memory: 256Mi
      volumes:
      - name: html-content
        configMap:
          name: demo-html

---
# ConfigMap with Cilium-themed HTML content
apiVersion: v1
kind: ConfigMap
metadata:
  name: demo-html
  namespace: cilium-gateway-demo
data:
  index.html: |
    <!DOCTYPE html>
    <html>
    <head>
        <title>Cilium Gateway API Demo</title>
        <style>
            body { 
                font-family: Arial, sans-serif; 
                margin: 0; 
                background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
                color: white;
            }
            .container { 
                max-width: 800px; 
                margin: 0 auto; 
                padding: 40px;
                text-align: center;
            }
            .logo { font-size: 3em; margin-bottom: 20px; }
            .feature-box { 
                background: rgba(255,255,255,0.1); 
                padding: 20px; 
                margin: 20px 0; 
                border-radius: 10px; 
                backdrop-filter: blur(10px);
            }
            .success { color: #4CAF50; }
            h1 { margin-bottom: 30px; }
            ul { text-align: left; }
        </style>
    </head>
    <body>
        <div class="container">
            <div class="logo">Safespring</div>
            <h1>Cilium Gateway API with TLS</h1>
            <div class="feature-box">
                <h2 class="success">Successfully Connected!</h2>
                <p>This application is running behind Cilium Gateway with TLS termination.</p>
            </div>
            <div class="feature-box">
                <h3>Cilium Features</h3>
                <ul>
                    <li>eBPF-based networking and security</li>
                    <li>Gateway API implementation</li>
                    <li>Advanced load balancing</li>
                    <li>Network policies and observability</li>
                    <li>High-performance TLS termination</li>
                </ul>
            </div>
        </div>
    </body>
    </html>

---
# Service for the demo application
apiVersion: v1
kind: Service
metadata:
  name: demo-app-service
  namespace: cilium-gateway-demo
  labels:
    app: demo-app
spec:
  selector:
    app: demo-app
  ports:
  - name: http
    port: 80
    targetPort: 80
    protocol: TCP
  type: ClusterIP

ClusterIssuer for Let's Encrypt and Certificate

---
# TLS Certificate using cert-manager
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cilium-demo-tls
  namespace: cilium-gateway-demo
spec:
  secretName: cilium-demo-tls-secret
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
  - cilium-demo.apps.safesdemo.paas.safedc.net

---

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: notvalid@safespring.com
    privateKeySecretRef:
      name: letsencrypt-prod-private-key
    solvers:
    - http01:
        gatewayHTTPRoute:
          parentRefs:
          - name: cilium-gateway
            namespace: cilium-gateway-demo
            kind: Gateway

Cilium Gateway Configuration

---

apiVersion: gateway.networking.k8s.io/v1beta1
kind: Gateway
metadata:
  name: cilium-gateway
  namespace: cilium-gateway-demo
spec:
  gatewayClassName: cilium
  listeners:
  # HTTPS listener
  - name: https
    hostname: "cilium-demo.apps.safesdemo.paas.safedc.net"
    port: 443
    protocol: HTTPS
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: cilium-demo-tls-secret
        namespace: cilium-gateway-demo
    allowedRoutes:
      namespaces:
        from: Same
  # HTTP listener for redirects
  - name: http
    hostname: "cilium-demo.apps.safesdemo.paas.safedc.net"
    port: 80
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: Same

---
# HTTPRoute for HTTPS traffic
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: demo-https-route
  namespace: cilium-gateway-demo
  labels:
    gateway: cilium-gateway
spec:
  parentRefs:
  - name: cilium-gateway
    namespace: cilium-gateway-demo
    sectionName: https
  hostnames:
  - "cilium-demo.apps.safesdemo.paas.safedc.net"
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: "/"
    backendRefs:
    - name: demo-app-service
      namespace: cilium-gateway-demo
      port: 80
      weight: 100
    filters:
    - type: ResponseHeaderModifier
      responseHeaderModifier:
        add:
        - name: X-Served-By
          value: "Cilium-Gateway"
        - name: X-Gateway-Class
          value: "cilium"

---
# HTTPRoute for HTTP to HTTPS redirect
apiVersion: gateway.networking.k8s.io/v1beta1
kind: HTTPRoute
metadata:
  name: demo-http-redirect
  namespace: cilium-gateway-demo
spec:
  parentRefs:
  - name: cilium-gateway
    namespace: cilium-gateway-demo
    sectionName: http
  hostnames:
  - "cilium-demo.apps.safesdemo.paas.safedc.net"
  rules:
  - filters:
    - type: RequestRedirect
      requestRedirect:
        scheme: https
        statusCode: 301