Gateway API Compatibility
Learn which Gateway API resources NGINX Gateway Fabric supports and to which level.
Summary
Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version |
---|---|---|---|---|
GatewayClass | Supported | Not supported | Supported | v1 |
Gateway | Supported | Partially supported | Not supported | v1 |
HTTPRoute | Supported | Partially supported | Not supported | v1 |
ReferenceGrant | Supported | N/A | Not supported | v1beta1 |
GRPCRoute | Supported | Partially supported | Not supported | v1 |
TLSRoute | Supported | Not supported | Not supported | v1alpha2 |
TCPRoute | Not supported | Not supported | Not supported | N/A |
UDPRoute | Not supported | Not supported | Not supported | N/A |
BackendTLSPolicy | Supported | Supported | Not supported | v1alpha3 |
Custom policies | N/A | N/A | Supported | N/A |
Terminology
Gateway API features has three support levels: Core, Extended and Implementation-specific. We use the following terms to describe the support status for each level and resource field:
- Supported. The resource or field is fully supported.
- Partially supported. The resource or field is supported partially, with limitations. It will become fully supported in future releases.
- Not supported. The resource or field is not yet supported. It will become partially or fully supported in future releases.
Note:
It’s possible that NGINX Gateway Fabric will never support some resources or fields of the Gateway API. They will be documented on a case by case basis. NGINX Gateway Fabric doesn’t support any features from the experimental release channel.
Resources
Each resource below includes the support status of their corresponding fields.
For a description of each field, visit the Gateway API documentation.
GatewayClass
Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version |
---|---|---|---|---|
GatewayClass | Supported | Not supported | Supported | v1 |
NGINX Gateway Fabric supports a single GatewayClass resource configured with the --gatewayclass
flag of the static-mode command.
Fields:
spec
controllerName
- supported.parametersRef
- NginxProxy resource supported.description
- supported.
status
conditions
- supported (Condition/Status/Reason):Accepted/True/Accepted
Accepted/False/InvalidParameters
Accepted/False/UnsupportedVersion
Accepted/False/GatewayClassConflict
: Custom reason for when the GatewayClass references this controller, but a different GatewayClass name is provided to the controller via the command-line argument.SupportedVersion/True/SupportedVersion
SupportedVersion/False/UnsupportedVersion
Gateway
Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version |
---|---|---|---|---|
Gateway | Supported | Partially supported | Not supported | v1 |
NGINX Gateway Fabric supports a single Gateway resource. The Gateway resource must reference NGINX Gateway Fabric’s corresponding GatewayClass.
See the static-mode command for more information.
Fields:
spec
gatewayClassName
: Supported.listeners
name
: Supported.hostname
: Supported.port
: Supported.protocol
: Partially supported. Allowed values:HTTP
,HTTPS
.tls
mode
: Partially supported. Allowed value:Terminate
.certificateRefs
- The TLS certificate and key must be stored in a Secret resource of typekubernetes.io/tls
. Only a single reference is supported.options
: Not supported.
allowedRoutes
: Supported.
addresses
: Not supported.
status
addresses
: Partially supported (LoadBalancer and Pod IP).conditions
: Supported (Condition/Status/Reason):Accepted/True/Accepted
Accepted/True/ListenersNotValid
Accepted/False/ListenersNotValid
Accepted/False/Invalid
Accepted/False/UnsupportedValue
: Custom reason for when a value of a field in a Gateway is invalid or not supported.Accepted/False/GatewayConflict
: Custom reason for when the Gateway is ignored due to a conflicting Gateway. NGINX Gateway Fabric only supports a single Gateway.Programmed/True/Programmed
Programmed/False/Invalid
Programmed/False/GatewayConflict
: Custom reason for when the Gateway is ignored due to a conflicting Gateway. NGINX Gateway Fabric only supports a single Gateway.
listeners
name
: Supported.supportedKinds
: Supported.attachedRoutes
: Supported.conditions
: Supported (Condition/Status/Reason):Accepted/True/Accepted
Accepted/False/UnsupportedProtocol
Accepted/False/InvalidCertificateRef
Accepted/False/ProtocolConflict
Accpeted/False/HostnameConflict
Accepted/False/UnsupportedValue
: Custom reason for when a value of a field in a Listener is invalid or not supported.Accepted/False/GatewayConflict
: Custom reason for when the Gateway is ignored due to a conflicting Gateway. NGINX Gateway Fabric only supports a single Gateway.Programmed/True/Programmed
Programmed/False/Invalid
ResolvedRefs/True/ResolvedRefs
ResolvedRefs/False/InvalidCertificateRef
ResolvedRefs/False/InvalidRouteKinds
Conflicted/True/ProtocolConflict
Conflicted/True/HostnameConflict
Conflicted/False/NoConflicts
HTTPRoute
Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version |
---|---|---|---|---|
HTTPRoute | Supported | Partially supported | Not supported | v1 |
Fields:
spec
parentRefs
: Partially supported. Port not supported.hostnames
: Supported.rules
matches
path
: Partially supported. OnlyPathPrefix
andExact
types.headers
: Partially supported. OnlyExact
type.queryParams
: Partially supported. OnlyExact
type.method
: Supported.
filters
type
: Supported.requestRedirect
: Supported except for the experimentalpath
field. If multiple filters are configured, NGINX Gateway Fabric will choose the first and ignore the rest. Incompatible withurlRewrite
.requestHeaderModifier
: Supported. If multiple filters are configured, NGINX Gateway Fabric will choose the first and ignore the rest.urlRewrite
: Supported. If multiple filters are configured, NGINX Gateway Fabric will choose the first and ignore the rest. Incompatible withrequestRedirect
.responseHeaderModifier
: Supported. If multiple filters are configured, NGINX Gateway Fabric will choose the first and ignore the rest.requestMirror
,extensionRef
: Not supported.
backendRefs
: Partially supported. Backend reffilters
are not supported.
status
parents
parentRef
: Supported.controllerName
: Supported.conditions
: Partially supported. Supported (Condition/Status/Reason):Accepted/True/Accepted
Accepted/False/NoMatchingListenerHostname
Accepted/False/NoMatchingParent
Accepted/False/NotAllowedByListeners
Accepted/False/UnsupportedValue
: Custom reason for when the HTTPRoute includes an invalid or unsupported value.Accepted/False/InvalidListener
: Custom reason for when the HTTPRoute references an invalid listener.Accepted/False/GatewayNotProgrammed
: Custom reason for when the Gateway is not Programmed. HTTPRoute can be valid and configured, but will maintain this status as long as the Gateway is not Programmed.Accepted/False/GatewayIgnored
: Custom reason for when the Gateway is ignored by NGINX Gateway Fabric. NGINX Gateway Fabric only supports one Gateway.ResolvedRefs/True/ResolvedRefs
ResolvedRefs/False/InvalidKind
ResolvedRefs/False/RefNotPermitted
ResolvedRefs/False/BackendNotFound
ResolvedRefs/False/UnsupportedValue
: Custom reason for when one of the HTTPRoute rules has a backendRef with an unsupported value.ResolvedRefs/False/InvalidIPFamily
: Custom reason for when one of the HTTPRoute rules has a backendRef that has an invalid IPFamily.PartiallyInvalid/True/UnsupportedValue
GRPCRoute
Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version |
---|---|---|---|---|
GRPCRoute | Supported | Partially supported | Not supported | v1 |
Fields:
spec
parentRefs
: Partially supported. Port not supported.hostnames
: Supported.rules
matches
method
: Partially supported. OnlyExact
type with bothmethod.service
andmethod.method
specified.headers
: Partially supported. OnlyExact
type.
filters
type
: Supported.requestHeaderModifier
: Supported. If multiple filters are configured, NGINX Gateway Fabric will choose the first and ignore the rest.responseHeaderModifier
: Supported. If multiple filters are configured, NGINX Gateway Fabric will choose the first and ignore the rest.requestMirror
,extensionRef
: Not supported.
backendRefs
: Partially supported. Backend reffilters
are not supported.
status
parents
parentRef
: Supported.controllerName
: Supported.conditions
: Partially supported. Supported (Condition/Status/Reason):Accepted/True/Accepted
Accepted/False/NoMatchingListenerHostname
Accepted/False/NoMatchingParent
Accepted/False/NotAllowedByListeners
Accepted/False/UnsupportedValue
: Custom reason for when the GRPCRoute includes an invalid or unsupported value.Accepted/False/InvalidListener
: Custom reason for when the GRPCRoute references an invalid listener.Accepted/False/GatewayNotProgrammed
: Custom reason for when the Gateway is not Programmed. GRPCRoute can be valid and configured, but will maintain this status as long as the Gateway is not Programmed.ResolvedRefs/True/ResolvedRefs
ResolvedRefs/False/InvalidKind
ResolvedRefs/False/RefNotPermitted
ResolvedRefs/False/BackendNotFound
ResolvedRefs/False/UnsupportedValue
: Custom reason for when one of the GRPCRoute rules has a backendRef with an unsupported value.PartiallyInvalid/True/UnsupportedValue
ReferenceGrant
Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version |
---|---|---|---|---|
ReferenceGrant | Supported | N/A | Not supported | v1beta1 |
Fields:
spec
to
group
- supported.kind
- supportsSecret
andService
.name
- supported.
from
group
- supported.kind
- supportsGateway
andHTTPRoute
.namespace
- supported.
TLSRoute
Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version |
---|---|---|---|---|
TLSRoute | Supported | Not supported | Not supported | v1alpha2 |
Fields:
spec
parentRefs
: Partially supported. Port not supported.hostnames
: Supported.rules
backendRefs
: Partially supported. Only one backend ref allowed.weight
: Not supported.
status
parents
parentRef
: Supported.controllerName
: Supported.conditions
: Supported (Condition/Status/Reason):Accepted/True/Accepted
Accepted/False/NoMatchingListenerHostname
Accepted/False/NoMatchingParent
Accepted/False/NotAllowedByListeners
Accepted/False/UnsupportedValue
: Custom reason for when the TLSRoute includes an invalid or unsupported value.Accepted/False/InvalidListener
: Custom reason for when the TLSRoute references an invalid listener.Accepted/False/GatewayNotProgrammed
: Custom reason for when the Gateway is not Programmed. TLSRoute can be valid and configured, but will maintain this status as long as the Gateway is not Programmed.Accepted/False/HostnameConflict
: Custom reason for when the TLSRoute has a hostname that conflicts with another TLSRoute on the same port.ResolvedRefs/True/ResolvedRefs
ResolvedRefs/False/InvalidKind
ResolvedRefs/False/RefNotPermitted
ResolvedRefs/False/BackendNotFound
ResolvedRefs/False/UnsupportedValue
: Custom reason for when one of the TLSRoute rules has a backendRef with an unsupported value.PartiallyInvalid/True/UnsupportedValue
TCPRoute
Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version |
---|---|---|---|---|
TCPRoute | Not supported | Not supported | Not supported | N/A |
UDPRoute
Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version |
---|---|---|---|---|
UDPRoute | Not supported | Not supported | Not supported | N/A |
BackendTLSPolicy
Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version |
---|---|---|---|---|
BackendTLSPolicy | Supported | Supported | Not supported | v1alpha3 |
Fields:
spec
targetRefs
group
- supported.kind
- supportsService
.name
- supported.
validation
caCertificateRefs
- supports single reference to aConfigMap
, with the CA certificate in a key namedca.crt
.name
- supported.group
- supported.kind
- supportsConfigMap
.
hostname
- supported.wellKnownCertificates
- supportsSystem
. This will set the CA certificate to the Alpine system root CA path/etc/ssl/cert.pem
. NB: This option will only work if the NGINX image used is Alpine based. The NGF NGINX images are Alpine based by default.
status
ancestors
ancestorRef
- supported.controllerName
: supported.conditions
: Partially supported. Supported (Condition/Status/Reason):Accepted/True/PolicyReasonAccepted
Accepted/False/PolicyReasonInvalid
Note:
If multiplebackendRefs
are defined for a HTTPRoute rule, all the referenced Services must have matching BackendTLSPolicy configuration. BackendTLSPolicy configuration is considered to be matching if 1. CACertRefs reference the same ConfigMap, or 2. WellKnownCACerts are the same, and 3. Hostname is the same.
Custom Policies
Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version |
---|---|---|---|---|
Custom policies | N/A | N/A | Supported | N/A |
Custom policies are NGINX Gateway Fabric-specific CRDs (Custom Resource Definitions) that support features such as tracing, and client connection settings. These important data-plane features are not part of the Gateway API specifications. While these CRDs are not part of the Gateway API, the mechanism to attach them to Gateway API resources is part of the Gateway API. See the Policy Attachment documentation.
See the custom policies document for more information.