For the complete documentation index, see llms.txt. Markdown versions of all docs pages are available by appending .md to any docs URL.
Gateway proxies
Learn more about the gateway proxies that the kgateway control planeControl PlaneComponents that manage and distribute configuration and policies to the data plane. supports.
About gateway proxies
Gateway proxies are the data planeData PlaneProxies (Envoy or agentgateway) that process live network traffic per configuration from the control plane. in your kgateway setup. The data plane handles traffic between clients and servers, or backend applications.
The type of gateway proxy that you want to use depends on your use case, which is often related to the backend applications and the “direction” of the traffic.
Backend applications are commonly accessed by clients through application programming interfaces (APIs). Hence, an “API gateway” is a common use case for a gateway proxy. For more information, see the API gateway overview topic. If the client is outside your cluster, you need an ingress gateway to handle this “north-south” traffic. If the client is within the cluster or service mesh, you need an “east-west” gateway. To control traffic that leaves your environment, you need an egress gateway.
Increasingly, gateway proxies are designed to meet the challenges that are specific to artificial intelligence (AI) networking. In these scenarios, your backend applications might be cloud provider large language models (LLMs), your own LLMs and inferences, model context protocol (MCP) servers, agent-to-agent (A2A) servers, and similar AI use cases. For AI, MCP, LLM, and agent connectivity, use agentgateway, which has its own documentation and installation.
The best gateway proxies offer you ways to configure advanced routing, load balancing, security enforcement, protocol translation, and more. They also generate metrics and logs that you can use to monitor and troubleshoot your traffic.
Architecture
Kgateway is a control plane that manages the lifecycle of gateway proxies that adhere to the Kubernetes Gateway API spec.
When you install kgateway, you automatically get GatewayClasses out of the box. When you create a Gateway resource based on one of these GatewayClasses, kgateway automatically spins up a gateway proxy for you. The gateway proxy controls the data plane that routes traffic to the backend services. Kgateway then configures the data plane based on the Gateway API and kgateway custom resources that you configure, such as HTTPRoutes and TrafficPolicies. This way, you can standardize the configuration of your gateway proxies with the same set of open source resources.
For more information, see the other docs in this About section.
Reserved ports
The following ports are reserved by Kgateway and cannot be used when configuring your gateway proxy.
| Port | Description |
|---|---|
| 19000 | The Envoy admin port. Gateway proxies expose an admin interface on this port that you can use to access important proxy information, such as the config dump, heap dump, healthchecks, and memory allocation. |
| 8082 | The readiness port. This port can be used to determine if the gateway proxy is ready to receive traffic. |
| 9091 | The Prometheus scraping port. Gateway proxies expose all metrics on this port so that Prometheus can scrape them. |
Note that if you configure one of these ports, the gateway proxy still deploys. However, you see error messages, such as the following in the logs.
err="failed to apply object apps/v1, Kind=Deployment example-gateway: failed to create typed patch object
(gwtest/example-gateway; apps/v1, Kind=Deployment): .spec.template.spec.containers[name=\"kgateway-proxy\"].
ports: duplicate entries for key [containerPort=9091,protocol=\"TCP\"]"