Learn By Doing: kgateway

This hands-on course introduces you to kgateway, an open-source CNCF Sandbox project that implements the Kubernetes Gateway API using Envoy as its high-performance data plane proxy.

You will learn how to deploy, configure, and manage cloud-native traffic in Kubernetes — moving beyond the limitations of the legacy Ingress API to embrace a layered, role-oriented model for routing, security, and observability.

Through hands-on labs, you will:

• Install kgateway and the Gateway API CRDs
• Create Gateways and HTTPRoutes to expose applications
• Implement advanced routing and progressive delivery (canary releases)
• Secure traffic with TLS termination, rate limiting, and CORS
• Use TrafficPolicy and DirectResponse for fine-grained traffic control
• Diagnose and troubleshoot Gateway and HTTPRoute issues

Course Highlights

Getting Started with kgateway

This module takes you from installing kgateway on a Kubernetes cluster to running a production-grade, observable Gateway with TLS, policies, and advanced routing rules.

You will learn how the Gateway API separates responsibilities across infrastructure providers, cluster operators, and application developers — and how kgateway extends the standard API with powerful CRDs like TrafficPolicy, DirectResponse, and BackendConfigPolicy to enable production-grade traffic management.

Through progressive labs, you will:

• Install kgateway and explore Gateway API CRDs
• Build routing rules for paths, headers, and weighted backends
• Apply security and traffic policies with TrafficPolicy
• Troubleshoot and observe traffic flow through Envoy proxies

1. Gateway API Foundations

What you'll learn:

• Install the official Kubernetes Gateway API CRDs (v1.4.0)
• Install kgateway CRDs and controller (v2.3.0) using Helm and OCI charts
• Verify the GatewayClass and explore the role-based resource hierarchy: GatewayClass → Gateway → HTTPRoute
• Understand how kgateway extends Gateway API with custom policy CRDs (TrafficPolicy, DirectResponse, BackendConfigPolicy)

2. Routing with HTTPRoute

What you'll learn:

• Deploy a backend application and create your first Gateway with an HTTP listener
• Define HTTPRoutes with parentRefs, hostnames, and backendRefs
• Implement path-based routing (Exact, PathPrefix) and header-based matching
• Combine multiple match conditions in a single rule with ordered fallback logic
• Perform canary releases using weighted backendRefs (90/10 → 50/50 → 0/100)

3. Security and Policy with TrafficPolicy

What you'll learn:

• Configure local rate limiting using the token bucket algorithm at Gateway and route level
• Attach policies to specific HTTPRoute rules using ExtensionRef filters
• Override inherited rate limits per route with rateLimit.local: {}
• Generate self-signed TLS certificates and create kubernetes.io/tls Secrets
• Build an HTTPS Gateway with tls.mode: Terminate for TLS termination

4. Advanced Traffic Management and Observability

What you'll learn:

• Modify request and response headers with HTTPRoute filters and TrafficPolicy
• Configure CORS for cross-origin browser access (origins, methods, headers, max-age)
• Serve static responses without a backend using the DirectResponse CRD
• Apply request/response transformations with Inja templates
• Diagnose issues using Gateway Accepted/Programmed and HTTPRoute ResolvedRefs status conditions
• Read controller and Envoy proxy logs to troubleshoot routing problems