Data Flow: Ingress
Purpose: For platform engineers, explains the ingress data flow from external traffic to application pods.
Flow Summary
Components
| Component | Namespace | Role |
|---|---|---|
| MetalLB | metallb-system | Assigns external IPs via L2/BGP advertisements |
| Gateway API Controller | gateway-system | L7 traffic routing and policy enforcement |
| HTTPRoute | customer-apps | Maps hostnames/paths to backend Services |
| cert-manager | cert-manager | Provisions and renews TLS certificates for Gateway listeners |
Sequence
- Client sends request to an external IP advertised by MetalLB.
- MetalLB forwards the packet to a node running the Gateway API controller (or ).
- The controller terminates TLS using a certificate issued by cert-manager.
- The controller matches the request against HTTPRoute rules (host, path, headers).
- Matched traffic is forwarded to the target Kubernetes Service.
- kube-proxy (or Cilium) load-balances across healthy pods.
Key Configuration
- Gateway resources define listeners (ports, protocols, TLS references).
- HTTPRoute resources define routing rules and attach to a Gateway.
- ClusterIssuer resources configure cert-manager's CA or ACME endpoint.
- MetalLB IPAddressPool and L2Advertisement resources control IP allocation.
Related
- Logical Diagram — full cluster architecture
- Gateway & TLS Configuration