Kubernetes Podcast from Google: Episode Summary

Title: Kubernetes Ingress & Gateway API Updates, with Lior Lieberman
Hosts: Mofi Rahman, Kazan Fields
Guest: Lior Lieberman, Software Engineer Lead at Google Cloud
Release Date: March 11, 2025

1. Introduction and News Highlights

Hosts: Mofi Rahman and Kazan Fields kick off the episode with a roundup of the latest developments in the Kubernetes ecosystem.

• NFTables Mode for Kube Proxy:

  • Kazan Fields announces the introduction of a new nftables mode for Kube Proxy, which was debuted as an alpha feature in Kubernetes 1.29. Currently in beta, it's slated for general availability (GA) in version 1.33.
  • Quote: "The new mode fixes long-standing performance problems with the iptables mode in Kubernetes. If you're running a newer Linux kernel, you're encouraged to try it out and share feedback." [00:55]

• Cubescape Joins CNCF:

  • Mofi Rahman introduces Cubescape, an incubating project within the Cloud Native Computing Foundation (CNCF) Sandbox launched in November 2022. Cubescape aims to enhance Kubernetes security by offering comprehensive coverage throughout the development and deployment lifecycle, including posture and vulnerability management and automatic hardening policies.

• OpenTelemetry Go Auto Instrumentation:

  • Kazan Fields shares news about the beta release of the OpenTelemetry Go Auto Instrumentation project. This tool allows developers to collect traces from their Go applications without manual code modifications, leveraging eBPF for dynamic instrumentation.
  • Quote: "This project hopes to lower the barrier to adopting observability best practices and provide deep insights into your application's behavior." [01:27]

• CNCF Guidelines for Phippy and Friends Books:

  • Mofi Rahman discusses the CNCF's new guidelines for creating "Phippy and Friends" books, which feature Phippy, the Giraffe PHP app from the Children's Illustrated Guide to Kubernetes. The guidelines categorize books into Project Related Books and Kids Day Books, encouraging maintainers to engage the community through book signings at KubeCon events.

2. In-Depth Interview with Lior Lieberman

Guest Introduction:

• Mofi Rahman welcomes Lior Lieberman, a Software Engineer Lead at Google Cloud specializing in GCE, Kubernetes, and Service Mesh. Lior is a leading contributor to the Gateway API and the maintainer of Ingress to Gateway.

a. Lior's Journey with Kubernetes Networking

• Background and Motivation:

  • Lior Lieberman shares his initial challenges with Kubernetes, citing frustration with its complexity and overcomplication, especially in debugging and knowledge sharing. His experience at a gaming company highlighted the limitations of existing DevOps processes, leading him to appreciate Kubernetes' solutions.
  • Quote: "I remember starting working for a gaming company and I experienced some of these painful challenges which Kubernetes happened to solve." [03:21]

• Deep Dive into Kubernetes:

  • At Riskified, Lior led the migration of 400 services to Kubernetes, gaining intricate knowledge of the system and its powerful community support. His involvement in projects like Argo CD Application Controller underscored the collaborative spirit of the Kubernetes ecosystem.
  • Quote: "We saw so many people eager to just solve it or contribute their view of how they get a workaround or something." [05:00]

b. Navigating Kubernetes Networking SIG

• Complexity of Kubernetes Networking:

  • Lior emphasizes that Kubernetes networking is one of the more complex areas due to its extensive integration with various system components. Understanding where to contribute within the vast Kubernetes codebase can be daunting without prior expertise.
  • Quote: "Networking is probably one of the more complex because it just touches so much surface area of the project." [06:11]

• In-Tree vs. Out-of-Tree Development:

  • Kazan Fields observes that migrating features out of the Kubernetes core (out-of-tree) allows for faster iteration and easier contributions. Lior agrees, noting that projects like Gateway API and Network Policy API benefit from this modular approach.
  • Quote: "Out-of-tree contributions provide more flexibility and allow projects to iterate without the constraints of merging into the Kubernetes core." [07:28]

c. Ingress API: Overview and Limitations

• Functionality of Ingress API:

  • Lior provides an overview of the Ingress API, explaining its role in exposing and controlling external traffic to services within a Kubernetes cluster. Features include host-based routing, path-based routing, and SSL termination.
  • Quote: "Ingress lets you define rules like HTTP and HTTPS traffic. It can handle things like host-based routing, path-based routing, SSL termination." [08:48]

• Limitations Leading to Gateway API:

  • Lior outlines the shortcomings of the Ingress API, such as limited core features, reliance on messy provider-specific annotations, lack of protocol diversity (e.g., no support for TCP or gRPC), and an insufficient permission model.
  • Quote: "Ingress lacked a lot of core features, leading to a lot of provider implementations putting custom extensions everywhere, usually in the form of annotations, which are very messy and not portable." [09:38]

d. Gateway API: Introduction and Design Philosophy

• Evolution from Ingress:

  • Gateway API is presented as the next-generation solution for Kubernetes ingress, load balancing, and service mesh APIs. Its design emphasizes composability and a persona-focused model to address permissions more effectively.
  • Quote: "Gateway API is the newer generation of Kubernetes ingress, load balancing, and service mesh APIs." [11:04]

• Design Philosophy:

  • The API is built to be more extensible and modular, allowing different components to be combined efficiently. This approach facilitates better permission segregation and aligns with the needs of various stakeholders within an organization.
  • Quote: "The composability of different pieces in the API and the persona-focused model address the insufficient permission model that Ingress had." [11:04]

• Community and Development:

  • Lior references previous discussions and talks on Gateway API, highlighting its five to six-year development journey since its initial announcement in 2019.
  • Quote: "Gateway API have been in work actually for a while. In 2019 is one of the first times in one of the KubeCons they announced the whole Gateway API." [12:26]

e. Migrating from Ingress to Gateway API

• Ingress to Gateway Tool:

  • Lior introduces the Ingress to Gateway tool, designed to assist users in migrating their existing Ingress configurations to Gateway API. While not a magic solution, it provides a solid starting point by converting simple Ingress resources to Gateway API equivalents.
  • Quote: "Ingress to Gateway is designed to provide a good starting point to migrate. It's not a comprehensive, magic tool, but it makes the migration less intimidating." [14:01]

• Extensibility and Implementation Support:

  • The tool accommodates custom annotations and CRDs by allowing providers to plug in their conversion logic. Major implementations like Istio, GKE, Cilium, and Kong already support the tool, facilitating broader adoption.
  • Quote: "Providers can just plug their conversion logic into the tool, converting annotations and CRDs to the core Gateway API features we support." [15:00]

• Ingress NGINX and Future Support:

  • Lior mentions that Ingress NGINX is the most adopted Ingress implementation and is developing its own Gateway API implementation, "ingate," to better support its extensive use of annotations.
  • Quote: "Ingress NGINX has announced their intention to start a repository for a new implementation of Gateway API called InGate." [17:48]

f. Gateway API and Service Mesh

• Overlapping Features:

  • Gateway API extends beyond Ingress by supporting Service Mesh APIs, addressing traffic management needs such as canary deployments, request mirroring, and rate limiting without altering application code.
  • Quote: "Gateway is definitely more than an ingress replacement. It also supports Service Mesh APIs." [19:29]

• Integrating with Service Mesh:

  • While Gateway API handles external traffic routing, Service Meshs like Istio manage internal service-to-service communication, providing advanced networking capabilities and observability.
  • Quote: "Service Mesh becomes useful when managing a decent amount of microservices, offering advanced networking capabilities without changing application code." [21:24]

g. Addressing Misconceptions about Gateway API

• Core Kubernetes API:

  • Lior clarifies that Gateway API is indeed a core Kubernetes API, despite not being installed by default. It is managed as a set of CRDs, allowing for faster iteration and easier contributions.
  • Quote: "Gateway API is a core Kubernetes API. It's managed in a CRD way out of tree to allow faster iteration and flexibility." [23:32]

• Complexity Perception:

  • Some users perceive Gateway API as overly complex compared to Ingress. Lior counters this by emphasizing its extensibility and the potential for evolving use cases that Ingress cannot accommodate.
  • Quote: "People think Gateway API is too complicated, but often their needs evolve to require features Ingress cannot support." [23:32]

h. Recommendations and Future Outlook

• Adopting Gateway API for New Applications:

  • Lior strongly recommends adopting Gateway API for new Kubernetes applications, citing its comprehensive feature set and growing support across implementations.
  • Quote: "If you're building any new application in 2025 today, choosing Gateway as the first choice is probably the way to go." [25:23]

• Gateway API’s Readiness:

  • Lior asserts that Gateway API is production-ready, with thousands of users already leveraging it. Ongoing contributions and upcoming features will continue to enhance its capabilities.
  • Quote: "Gateway API is ready for primetime. Many thousands of users already use Gateway in production." [25:58]

• Future Developments:

  • Looking ahead, Lior envisions Gateway API becoming an integral part of Kubernetes networking, potentially replacing the traditional Service API with innovations like Cluster IP Gateways. He anticipates broader adoption and more streamlined installation processes, including CRDs being bundled with Kubernetes distributions.
  • Quote: "Gateway API will fit into future Kubernetes networking iterations, unlocking limitations of the current Service API and becoming the default networking solution." [30:04]

• Gateway API’s Extensibility:

  • Lior highlights ongoing projects like the Gateway API Inference extension, which aims to optimize traffic routing for machine learning workloads, demonstrating Gateway API's adaptability to emerging technologies.
  • Quote: "The Gateway API Inference extension addresses inference needs on Kubernetes, optimizing traffic routing for ML models." [27:09]

3. Conclusion and Key Takeaways

• Migration Tools and Community Support:

  • The hosts emphasize the importance of tools like Ingress to Gateway for easing the transition and encourage listeners to engage with maintainers and contribute feedback.
  • Quote: "The Ingress to Gateway tool is adding features to help migrate any types of ingress configurations, and maintainers like Lior are open to your feedback." [38:35]

• Adoption Encouraged:

  • Listeners are encouraged to adopt Gateway API for new projects and consider it as the primary solution for Kubernetes networking due to its extensibility, comprehensive feature set, and community backing.
  • Quote: "For majority of the people, Gateway is probably the right first call." [40:39]

• Future of Kubernetes Networking:

  • The episode concludes with optimism about Gateway API's role in the evolving landscape of Kubernetes networking, highlighting its potential to unify ingress and service mesh functionalities while maintaining flexibility and scalability.
  • Quote: "I’m excited for the evolution of Gateway and seeing more adoption. Hopefully, in a couple of years, Gateway API will be feature complete and the default choice for networking." [32:11]

Final Thoughts: This episode provides a comprehensive overview of the current state and future trajectory of Kubernetes networking, focusing on the transition from Ingress to Gateway API. With insights from a key contributor like Lior Lieberman, listeners gain valuable perspectives on the advantages of Gateway API, migration strategies, and its critical role in the Kubernetes ecosystem moving forward.