Should I migrate from Ingress to Gateway API in 2026?

If you're starting fresh, absolutely use Gateway API — it's the future and Ingress is in maintenance mode. If you have working Ingress configs, migrate only when you hit a concrete limitation (multi-tenancy, typed routing, or policy attachment). Don't migrate for the sake of it.

Does Gateway API replace all Ingress functionality?

For HTTP/HTTPS routing, yes. Gateway API's HTTPRoute covers everything Ingress does plus header manipulation, traffic splitting, and cross-namespace delegation. For TCP/UDP/TLS, Gateway API actually goes beyond Ingress with dedicated route types. The gap is in controller maturity — not every impleme

Can I run Ingress and Gateway API side by side?

Yes, and this is the recommended migration approach. Deploy a GatewayClass alongside your existing Ingress controller, migrate routes one service at a time, and run both in parallel until you've validated everything. Most controllers (Nginx, Envoy, Istio) support both APIs simultaneously.

What's the difference between Gateway API and a service mesh?

Gateway API handles north-south traffic (external clients to your cluster). Service meshes handle east-west traffic (service-to-service inside the cluster). They complement each other — Gateway API for ingress routing, mesh for mTLS and observability between pods. Some controllers (like Istio) bridg

Kubernetes Gateway API vs Ingress vs LoadBalancer: What to Use in 2026

I’ve watched teams “just add an annotation” and accidentally turn their ingress controller into a production API nobody owns.

If you’re choosing between Service type LoadBalancer, Ingress, and Gateway API in 2026, you’re really choosing who gets to change traffic rules, how safely they can do it, and how ugly rollback feels at 2am.

The blunt 2026 rule: pick the layer first

Here’s the thing. Most debates happen at L7, but plenty of outages start at L4 when someone changes the wrong shared object.

So start with the layer you need, then pick the Kubernetes API that matches it.

Expose raw TCP/UDP: Use Service type LoadBalancer. It gives you boring L4 plumbing, usually with the smallest number of moving parts.
Route HTTP(S) in one team’s cluster: Keep Ingress if your controller and annotations already behave like a stable product in your org.
Share one edge across teams and namespaces: Use Gateway API. It gives you a built-in “platform owns the Gateway, app teams own Routes” split.

Decision tree (the one you can actually use)

This bit me when we tried to “standardize ingress.” We ended up with six different annotation dialects and a week of guess-and-check every time we touched timeouts.

Use these triggers as hard requirements, not vibes.

You need multi-tenant delegation: Choose Gateway API when platform owns listeners and app teams need to attach routes without PR wars on one giant Ingress.
You need reusable policy without annotation soup: Start with Gateway API, but verify your controller’s policy CRDs and conformance. Do not assume portability.
You can tolerate one IP per service: Keep Service type LoadBalancer for “single service, single VIP” setups. It isolates blast radius.
You want basic host/path routing and nothing else: Ingress still works. I do not love it, but pretending it is dead will waste your time.

Requirements checklist (what actually forces the choice)

🔔 Never Miss a Breaking Change

Get weekly release intelligence — breaking changes, security patches, and upgrade guides before they break your build.

✅ You're in! Check your inbox for confirmation.

Some folks migrate because Gateway API feels inevitable. I don’t, and I get skeptical when “future-proof” becomes the whole business case.

Migrate when you hit at least one of these constraints, otherwise you’re signing up for work that won’t pay you back.

Multi-tenant routing and cross-namespace delegation

If platform owns the edge and app teams own their routes, Ingress turns into a constant negotiation. One giant shared Ingress creates merge conflicts and shared blast radius, many Ingresses create ownership chaos unless you build guardrails.

Gateway API bakes in the ownership split: platform owns the Gateway, app teams own HTTPRoute and friends. The listener controls which namespaces can attach routes, and cross-namespace references need explicit grants depending on what you reference.

Policy attachment (and how annotation sprawl comes back)

Ingress started thin, and real behavior moved into controller annotations and side CRDs. That’s how you end up with YAML that looks “Kubernetes-y” but only works on one controller.

Gateway API pushes policy attachment into the model, but you still need governance. Otherwise teams will recreate annotation sprawl using a new set of implementation-specific policy objects with a different name.

TLS/SNI and who owns certificates

I’ve seen cert ownership turn into a political problem. Ingress often forces you into “copy secrets into app namespaces” or “centralize everything and block teams.”

Gateway listeners let platform own cert references and let teams attach routes by hostname, but you must design delegation and secret reference rules up front.

Typed routing (HTTPRoute, GRPCRoute, TCPRoute, TLSRoute, UDPRoute)

If you run gRPC seriously, “Ingress supports gRPC” usually means “your controller has conventions.” That can work, but it gets weird fast during migrations.

Gateway API makes routing intent explicit with typed Routes, but controller support varies. Treat “the spec defines it” and “my controller ships it and my SLO survives it” as two separate checkboxes.

Compatibility reality check (spec vs controller vs cloud)

Ignore the GitHub commit count. It’s a vanity metric.

What matters is whether your chosen controller, your cloud load balancer, and your security rules support the features you plan to depend on.

Service (LoadBalancer) portability: Medium. The API stays stable, but cloud-specific annotations and load balancer behavior differ.
Ingress portability: Low to medium. The core API stays small, and production features often live in controller-specific annotations.
Gateway API portability: Medium to high when you stick to what your controller proves in conformance and production tests. It still matures.

Migration that survives production (Ingress to Gateway API)

Do not “big bang” this. I’ve seen that movie and it ends with a rollback and a postmortem full of screenshots.

The safest path changes the control plane objects first, keeps the data plane stable, then shifts traffic with boring knobs.

Phase 0: inventory what you really use

Start by exporting every Ingress and listing every annotation in use. Group them by controller because each controller turns annotations into different behavior.

Then capture baseline signals. Grab 4xx/5xx rates, p95 latency, TLS handshake errors, and upstream resets before you touch anything.

Phase 1: pick a controller and prove support

Gateway API is a spec. Your controller determines how it behaves, how it fails, and what “supported” even means.

Validate conformance level, the exact features you need (TLS modes, header matches, retries, gRPC), and how it maps to your cloud load balancer model.

Phase 2: run Gateway alongside Ingress

Most clusters can run both at once if you isolate them. Use separate namespaces, separate external addresses, and explicit class selection for both stacks.

Keep rollback simple by keeping the old ingress path alive until dashboards show equivalence under real load.

Phase 3: create one platform Gateway, then migrate one service

I prefer one shared Gateway owned by the platform team, at least at the start. App teams then attach HTTPRoutes from their namespaces with explicit hostname ownership.

Here’s a trimmed example, not a full manifest dump.

Platform-owned Gateway: Listener on 443, hostname wildcard you actually own, and allowedRoutes restricted by namespace selector.
App-owned HTTPRoute: Hostname, path matches, backendRefs with weights for controlled cutover testing.

Phase 4: cut traffic with DNS or weights

DNS cutover stays low drama if you manage TTLs and have a rollback plan. Weighted load balancer cutovers work too, but you need cloud support and clean observability.

Either way, keep the old path ready. Roll back the moment error budgets start burning faster than expected.

I don’t trust “known issues: none” from any project. Build your own checks and pick a rollback trigger before you start.

Phase 5: translate annotations into policies without creating a new mess

This is where migrations fail. Teams copy every annotation into a controller-specific policy CRD and then nobody can reason about behavior anymore.

Decide which policies platform owns (timeouts, max body size, TLS floor, WAF), which policies tenants can tune, and how you enforce that boundary with admission and RBAC.

Service (LoadBalancer) to Gateway API: the trade you can’t dodge

You can reduce cloud load balancer sprawl by consolidating entrypoints behind a Gateway. You also create shared fate.

Move HTTP services first. Leave pure L4 services alone unless your Gateway implementation supports the L4 routes you need and you’ve tested performance. It depends on your controller and your traffic shape, and I haven’t seen one rule that fits every shop.

Controller selection (what bites later)

“Gateway API vs Ingress” is never just about YAML. It’s a controller decision with real failure modes.

Check conformance claims, data plane model (Envoy, NGINX, HAProxy, cloud-managed), policy story, and observability. If the controller can’t give you clean metrics and logs, you’ll fly blind during cutover.

Multi-tenancy controls: Restrict who can attach Routes, who can reference Secrets, and who can point at backends across namespaces.
Operational ergonomics: If upgrades feel scary in staging, you will hate this in production because the edge sits on the request path.

Production pitfalls (the 2am list)

Small mistakes here cause loud incidents. Test this twice if you run customer-facing APIs.

If you’re migrating a dev cluster, just yolo it on Friday and learn fast.

Annotation sprawl returns: Set a small supported policy set and block random escape hatches unless on-call owns a runbook.
Delegation foot-guns: Prevent hostname collisions, lock down certificate secret references, and require explicit cross-namespace grants.
Catch-all behavior surprises: Old Ingress default backends often hide broken hostnames. Define explicit hostnames and test negative paths.
Traffic splitting under load: Retries, HTTP/2 multiplexing, and long-lived gRPC streams can skew “weights.” Validate distribution and error amplification.
Upgrades magnify instability: Fix node churn and kubelet weirdness before you move edge traffic onto a new controller.

What changed since 2022 (why 2026 feels different)

Ingress didn’t get worse. Teams outgrew it.

Multi-tenant edges and policy delegation pushed people toward an API designed for that shape, and more controllers started taking Gateway API seriously. Other stuff too: conformance work, more typed route semantics, the usual, probably a few bugs you’ll only find on a Monday. Anyway.

Bottom line

Use Service type LoadBalancer when you need L4 exposure with minimal abstraction and you can afford one load balancer per service.

Use Ingress when your HTTP routing stays basic and your annotation set already behaves like a governed internal standard. Use Gateway API when you need multi-team delegation, typed routes (including gRPC), and policy attachment that doesn’t turn annotations into your real API.

Keep Reading

Frequently Asked Questions

Should I migrate from Ingress to Gateway API in 2026? If you’re starting fresh, absolutely use Gateway API — it’s the future and Ingress is in maintenance mode. If you have working Ingress configs, migrate only when you hit a concrete limitation (multi-tenancy, typed routing, or policy attachment). Don’t migrate for the sake of it.
Does Gateway API replace all Ingress functionality? For HTTP/HTTPS routing, yes. Gateway API’s HTTPRoute covers everything Ingress does plus header manipulation, traffic splitting, and cross-namespace delegation. For TCP/UDP/TLS, Gateway API actually goes beyond Ingress with dedicated route types. The gap is in controller maturity — not every implementation supports every route type yet.
Can I run Ingress and Gateway API side by side? Yes, and this is the recommended migration approach. Deploy a GatewayClass alongside your existing Ingress controller, migrate routes one service at a time, and run both in parallel until you’ve validated everything. Most controllers (Nginx, Envoy, Istio) support both APIs simultaneously.
What’s the difference between Gateway API and a service mesh? Gateway API handles north-south traffic (external clients to your cluster). Service meshes handle east-west traffic (service-to-service inside the cluster). They complement each other — Gateway API for ingress routing, mesh for mTLS and observability between pods. Some controllers (like Istio) bridge both.