Ingress and Gateway API Support
This document outlines the Kubernetes Gateway API and Ingress API resources supported by the API7 Ingress Controller. Use this as a reference to understand which resources are currently implemented.
See the configuration examples to learn when and how to use these resources.
Gateway API
Packages
Resource Support Levels
The table below outlines the support levels for Kubernetes Gateway API resources in the current implementation. Each resource is categorized by its level of core, extended, and implementation-specific support, along with the corresponding API version.
| Resource | Core | Extended | Implementation-Specific | API Version |
|---|---|---|---|---|
| GatewayClass | Supported | N/A | Not supported | v1 |
| Gateway | Partially supported | Partially supported | Not supported | v1 |
| HTTPRoute | Supported | Partially supported | Not supported | v1 |
| GRPCRoute | Not supported | Not supported | Not supported | v1 |
| ReferenceGrant | Not supported | Not supported | Not supported | v1beta1 |
| TLSRoute | Not supported | Not supported | Not supported | v1alpha2 |
| TCPRoute | Not supported | Not supported | Not supported | v1alpha2 |
| UDPRoute | Not supported | Not supported | Not supported | v1alpha2 |
| BackendTLSPolicy | Not supported | Not supported | Not supported | v1alpha3 |
For a complete list of configuration options, refer to the Gateway API Reference. Be aware that some fields are not supported, or partially supported.
Unsupported / Partially Supported Fields
The fields below are specified in the Gateway API specification but are either partially implemented or not yet supported in the APISIX Ingress Controller.
HTTPRoute
| Fields | Status | Notes |
|---|---|---|
spec.timeouts | Not supported | The field is unsupported because ADC provides finer-grained timeout configuration (connect, read, write), whereas spec.timeouts only allows a general total timeout and upstream timeout, so it cannot be directly mapped. To configure route timeouts, you can use BackendTrafficPolicy. |
spec.retries | Not supported | The field is unsupported because APISIX does not support the features in retries. To configure route retries, you can use BackendTrafficPolicy. |
spec.sessionPersistence | Not supported | APISIX does not support the configuration of cookie lifetimes. As an alternative, you can use chash load balancer. |
spec.rules[].backendRefs[].filters[] | Not supported | BackendRef-level filters are not implemented as data plane does not support filtering at this level; only rule-level filters (spec.rules[].filters[]) are supported. |
Gateway
| Fields | Status | Notes |
|---|---|---|
spec.listeners[].port | Not supported* | The configuration is required but ignored. This is due to limitations in the data plane: it cannot dynamically open new ports. Since the Ingress Controller does not manage the data plane deployment, it cannot automatically update the configuration or restart the data plane to apply port changes. |
spec.listeners[].allowedRoutes.kinds | Partially supported | Only HTTPRoute (group gateway.networking.k8s.io) is accepted; other kinds are rejected. |
spec.listeners[].tls.certificateRefs[].group | Partially supported | Only "" is supported; other group values cause validation failure. |
spec.listeners[].tls.certificateRefs[].kind | Partially supported | Only Secret is supported. |
spec.listeners[].tls.mode | Partially supported | Terminate is implemented; Passthrough is effectively unsupported for Gateway listeners. |
spec.addresses | Not supported | Controller does not read or act on spec.addresses. |
Ingress
Package
- networking.k8s.io/v1
Supported Resources
The controller supports the standard Kubernetes Ingress API, including:
Basic host- and path-based routing is supported. Advanced annotations or non-standard extensions may not be implemented.
The following Ingress annotations are not supported in the current version but will be supported in a future release:
| Annotation |
|---|
k8s.apisix.apache.org/use-regex |
k8s.apisix.apache.org/enable-websocket |
k8s.apisix.apache.org/plugin-config-name |
k8s.apisix.apache.org/upstream-scheme |
k8s.apisix.apache.org/upstream-retries |
k8s.apisix.apache.org/upstream-connect-timeout |
k8s.apisix.apache.org/upstream-read-timeout |
k8s.apisix.apache.org/upstream-send-timeout |
k8s.apisix.apache.org/enable-cors |
k8s.apisix.apache.org/cors-allow-origin |
k8s.apisix.apache.org/cors-allow-headers |
k8s.apisix.apache.org/cors-allow-methods |
k8s.apisix.apache.org/enable-csrf |
k8s.apisix.apache.org/csrf-key |
k8s.apisix.apache.org/http-to-https |
k8s.apisix.apache.org/http-redirect |
k8s.apisix.apache.org/http-redirect-code |
k8s.apisix.apache.org/rewrite-target |
k8s.apisix.apache.org/rewrite-target-regex |
k8s.apisix.apache.org/rewrite-target-regex-template |
k8s.apisix.apache.org/enable-response-rewrite |
k8s.apisix.apache.org/response-rewrite-status-code |
k8s.apisix.apache.org/response-rewrite-body |
k8s.apisix.apache.org/response-rewrite-body-base64 |
k8s.apisix.apache.org/response-rewrite-add-header |
k8s.apisix.apache.org/response-rewrite-set-header |
k8s.apisix.apache.org/response-rewrite-remove-header |
k8s.apisix.apache.org/auth-uri |
k8s.apisix.apache.org/auth-ssl-verify |
k8s.apisix.apache.org/auth-request-headers |
k8s.apisix.apache.org/auth-upstream-headers |
k8s.apisix.apache.org/auth-client-headers |
k8s.apisix.apache.org/allowlist-source-range |
k8s.apisix.apache.org/blocklist-source-range |
k8s.apisix.apache.org/http-allow-methods |
k8s.apisix.apache.org/http-block-methods |
k8s.apisix.apache.org/auth-type |
k8s.apisix.apache.org/svc-namespace |