Kubernetes Gateway API Interview Questions
30 questions. Category: Kubernetes.

1 What are the core differences between the Kubernetes Gateway API and Ingress?
Answer:
Gateway API is the next-generation ingress traffic management API for Kubernetes. Compared with Ingress, it fundamentally improves role separation, protocol support and extensibility.

| Dimension | Ingress (v1) | Gateway API |
|---|---|---|
| Role separation | Single resource | Three separate layers: GatewayClass / Gateway / HTTPRoute |
| Protocol support | HTTP/HTTPS | HTTP, HTTPS, TCP, UDP, TLS, gRPC |
| Namespaces | Same namespace only | Cross-namespace routing supported |
| Routing rules | host + path | host + path + header + query param + method |
| Load balancing | Vendor annotations | Weight and Mirror supported natively |
| Extensibility | Custom CRDs | Policy Attachment mechanism |
| Vendor implementations | Not standardized across controllers | Standardized interface, multiple vendor implementations |

Role separation:
- GatewayClass: defined by the cluster administrator (analogous to StorageClass); declares the gateway type and the implementation behind it
- Gateway: defined by the operations/platform team; declares the concrete network entry point (listeners, certificates)
- HTTPRoute: defined by application developers; declares routing rules and forwarding targets

The GatewayClass → Gateway → HTTPRoute permission split lets the platform team and the application teams each own their part of the configuration without touching each other's.
2 What is the three-layer resource model of the Gateway API?
Answer:
Gateway API uses a three-layer model built on separation of concerns; each layer is managed by a different role.

Layer 1: GatewayClass (cluster administrator)
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: eg
spec:
  controllerName: gateway.envoyproxy.io/gatewayclass
  parametersRef:
    group: gateway.envoyproxy.io
    kind: EnvoyProxy
    name: custom-config
    namespace: envoy-gateway-system   # EnvoyProxy is namespaced, so the namespace is required
```

Layer 2: Gateway (platform/operations team)
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: prod-gateway
  namespace: infra
spec:
  gatewayClassName: eg
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:          # controls which namespaces may attach routes
        namespaces:
          from: Selector
          selector:
            matchLabels:
              env: production
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate
        certificateRefs:
          - name: prod-tls
```

Layer 3: HTTPRoute (application developer)
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: api-route
  namespace: production
spec:
  parentRefs:
    - name: prod-gateway
      namespace: infra
      sectionName: https      # attach to the https listener only
  hostnames:
    - api.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /v1
      backendRefs:
        - name: api-svc
          port: 8080
          weight: 90
        - name: api-canary-svc
          port: 8080
          weight: 10
```
3 Which route types does the Gateway API support?
Answer:
Gateway API defines four standard route types covering traffic management from L4 to L7.

| Route type | Protocol | Scope | Core capability |
|---|---|---|---|
| HTTPRoute | HTTP/HTTPS/gRPC | L7 routing | Host/Path/Header/Method/QueryParam matching |
| TLSRoute | TLS (SNI) | L4 SNI routing | SNI-based TLS passthrough routing |
| TCPRoute | TCP | L4 port routing | TCP proxying by destination port |
| UDPRoute | UDP | L4 port routing | UDP proxying by destination port |

HTTPRoute advanced matching:
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: advanced-match
spec:
  parentRefs:
    - name: prod-gateway
  rules:
    - matches:
        # Match 1: all conditions inside one match must hold (AND)
        - path:
            type: Exact
            value: /healthz
          method: GET                   # method match
        # Match 2: separate entries in the list are alternatives (OR)
        - headers:                      # request header match
            - type: Exact
              name: X-Env
              value: canary
          queryParams:                  # query parameter match
            - type: RegularExpression   # valid types are Exact and RegularExpression
              name: version
              value: ^v\d+
      backendRefs:
        - name: api-svc
          port: 8080
```

TLSRoute (SNI passthrough):
```yaml
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: tls-passthrough
spec:
  parentRefs:
    - name: tls-gateway        # its listener must use protocol TLS with tls.mode Passthrough
  hostnames:
    - internal.example.com     # the SNI the route is selected on
  rules:
    - backendRefs:
        - name: internal-svc
          port: 443
```
4 What is the Gateway API Policy Attachment mechanism?
Answer:
Policy Attachment is the Gateway API extension mechanism: it lets a policy object be attached to a Gateway, a route or a backend by reference, instead of through annotations.

Policy targets:
| Policy level | Target | Applies to |
|---|---|---|
| Gateway-level policy | Gateway resource | All traffic passing through that Gateway |
| Route-level policy | HTTPRoute/TLSRoute | Traffic handled by that route |
| Backend-level policy | Service/Backend | Traffic to a specific backend |

Example (rate-limit policy; the API group `networking.example.io` stands in for whatever the chosen implementation provides):
```yaml
apiVersion: networking.example.io/v1alpha1
kind: RateLimitPolicy
metadata:
  name: rate-limit
spec:
  targetRef:                     # the object the policy attaches to
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: api-route
  rules:
    - matches:
        - path: /api/public
      limits:
        requests: 100
        period: 60s
```
Compatibility with existing Kubernetes resources: Policy Attachment can target a Service, a Namespace or even a Pod, giving policy inheritance across resources.
5 How does the Gateway API implement canary releases (weighted routing)?
Answer:
Gateway API natively supports weight-based traffic splitting; no external system is needed.

Weighted split (90% stable, 10% canary):
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: rollout-route
spec:
  parentRefs:
    - name: prod-gateway
  hostnames:
    - app.example.com
  rules:
    - backendRefs:
        - name: app-stable
          port: 80
          weight: 90
        - name: app-canary
          port: 80
          weight: 10
```

Header-based canary (requests carrying `X-Canary: enable` go to the canary; everything else to stable):
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: header-canary
spec:
  parentRefs:
    - name: prod-gateway
  hostnames:
    - app.example.com
  rules:
    - matches:
        - headers:
            - type: Exact
              name: X-Canary
              value: enable
      backendRefs:
        - name: app-canary
          port: 80
    - backendRefs:           # no matches: default rule ("/" prefix)
        - name: app-stable
          port: 80
```
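The matching rules of question 3 and the weighted and header-based splits of question 5 can be worked through in code. The following is an added example, not code from the page or from any Gateway API implementation: it evaluates HTTPRoute rules against a request in the precedence order the Gateway API specification defines (exact path, then longest prefix, then method, then number of header matches, then number of query-parameter matches; ties go to the rule listed first) and then picks a backend by weight. The two routes are constructed Python dicts mirroring the YAML above; request header names are assumed to be given in lowercase.

```python
# Added example: HTTPRoute rule precedence and weighted backend selection.
# Not code from the page or from any controller; manifests are constructed dicts.
import re

# Constructed: the two HTTPRoutes from the answer above.
HEADER_CANARY = {
    "name": "header-canary",
    "rules": [
        {"matches": [{"headers": [{"type": "Exact", "name": "X-Canary", "value": "enable"}]}],
         "backendRefs": [{"name": "app-canary", "port": 80}]},
        {"backendRefs": [{"name": "app-stable", "port": 80}]},   # no matches => "/" prefix
    ],
}
ROLLOUT_ROUTE = {
    "name": "rollout-route",
    "rules": [{"backendRefs": [{"name": "app-stable", "port": 80, "weight": 90},
                               {"name": "app-canary", "port": 80, "weight": 10}]}],
}


def _path_matches(spec, path):
    kind, value = spec.get("type", "PathPrefix"), spec["value"]
    if kind == "Exact":
        return path == value
    if kind == "PathPrefix":   # element-wise: /foo matches /foo/bar but not /foobar
        return path == value or value == "/" or path.startswith(value.rstrip("/") + "/")
    if kind == "RegularExpression":
        return re.search(value, path) is not None
    raise ValueError(f"unknown path match type {kind}")


def _kv_matches(specs, actual, case_insensitive):
    """Every header or query-parameter condition inside one match must hold (AND)."""
    for spec in specs:
        key = spec["name"].lower() if case_insensitive else spec["name"]
        got = actual.get(key)
        if got is None:
            return False
        if spec.get("type", "Exact") == "Exact":
            if got != spec["value"]:
                return False
        elif re.search(spec["value"], got) is None:
            return False
    return True


def match_score(match, request):
    """Precedence tuple (higher wins) if the match applies to the request, else None."""
    path = match.get("path") or {"type": "PathPrefix", "value": "/"}
    if not _path_matches(path, request["path"]):
        return None
    if "method" in match and match["method"] != request["method"]:
        return None
    headers, params = match.get("headers", []), match.get("queryParams", [])
    if not _kv_matches(headers, request.get("headers", {}), True):
        return None
    if not _kv_matches(params, request.get("query", {}), False):
        return None
    ptype = path.get("type", "PathPrefix")
    return (ptype == "Exact", len(path["value"]) if ptype == "PathPrefix" else 0,
            "method" in match, len(headers), len(params))


def select_rule(route, request):
    """Most specific matching rule; ties go to the rule listed first in the route."""
    best = None
    for idx, rule in enumerate(route["rules"]):
        for match in rule.get("matches") or [{}]:   # separate matches are alternatives (OR)
            score = match_score(match, request)
            if score is not None and (best is None or (score, -idx) > best[0]):
                best = ((score, -idx), rule)
    return best[1] if best else None


def pick_backend(rule, roll):
    """Weighted choice; roll is any non-negative integer (e.g. from a PRNG).
    A missing weight means 1, weight 0 gets no traffic, all-zero means no backend (spec: 500)."""
    refs = rule["backendRefs"]
    total = sum(ref.get("weight", 1) for ref in refs)
    if total == 0:
        return None
    roll %= total
    for ref in refs:
        weight = ref.get("weight", 1)
        if roll < weight:
            return ref["name"]
        roll -= weight


def route_request(route, request, roll=0):
    """Backend name chosen for the request, or None when no rule matches (spec: 404)."""
    rule = select_rule(route, request)
    return pick_backend(rule, roll) if rule else None


if __name__ == "__main__":
    print(route_request(HEADER_CANARY, {"path": "/", "method": "GET", "headers": {"x-canary": "enable"}}))
    print([route_request(ROLLOUT_ROUTE, {"path": "/", "method": "GET"}, r) for r in range(0, 100, 10)])
```

The precedence tuple is the point worth remembering when reviewing routes: a more specific match in a later rule beats a broad match in an earlier one, so rule order alone does not tell you which backend a request reaches.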
6 How does the Gateway API handle cross-namespace routing?
Answer:
Gateway API natively supports routing traffic across namespaces, but a reference into another namespace must be explicitly permitted by the target namespace through a ReferenceGrant.

ReferenceGrant CRD (lives in the namespace that owns the referenced Service):
```yaml
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-prod-gateway
  namespace: production       # target namespace grants the permission
spec:
  from:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      namespace: infra        # source namespace being authorized
  to:
    - group: ""
      kind: Service           # any Service in this namespace (add `name:` to narrow it)
```

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: cross-ns-route
  namespace: infra
spec:
  parentRefs:
    - name: prod-gateway
  hostnames:
    - app.example.com
  rules:
    - backendRefs:
        - name: api-svc
          namespace: production   # cross-namespace reference; rejected without the grant
          port: 8080
```
7 How does the Gateway API handle TLS certificates and HTTPS?
Answer:
Gateway API manages TLS certificates centrally at the Gateway layer and supports two modes: Terminate and Passthrough.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: tls-gateway
spec:
  gatewayClassName: eg
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate          # Terminate (HTTPS listener) / Passthrough (TLS listener)
        certificateRefs:
          - name: app-tls        # reference to a TLS Secret
          - name: wildcard-tls
      allowedRoutes:
        namespaces:
          from: All
```

Certificate management:
- Terminate mode: the Gateway terminates TLS and the backend receives plain HTTP (classic SSL offloading)
- Passthrough mode: the Gateway does not decrypt; it forwards the TLS stream to the backend based on SNI
- Certificate rotation: updating the Secret takes effect automatically
8 What does BackendTLSPolicy do?
Answer:
BackendTLSPolicy defines the TLS policy for the connection from the Gateway to a backend Service; it is used when the backend itself serves HTTPS and the Gateway must validate its certificate.

```yaml
apiVersion: gateway.networking.k8s.io/v1alpha2
kind: BackendTLSPolicy
metadata:
  name: backend-tls
spec:
  targetRef:
    group: ""
    kind: Service
    name: secure-svc
  tls:
    caCertRefs:                  # CA bundle used to validate the backend certificate
      - group: ""
        kind: ConfigMap
        name: backend-ca
    hostname: secure-svc.prod.svc.cluster.local   # SNI sent and name verified
```

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: secure-backend
spec:
  parentRefs:
    - name: prod-gateway
  rules:
    - backendRefs:
        - name: secure-svc
          port: 443
```
9 How does the Gateway API implement traffic mirroring?
Answer:
The RequestMirror filter copies requests to an additional backend; the mirrored responses are discarded and never reach the client.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: mirror-route
spec:
  parentRefs:
    - name: prod-gateway
  rules:
    - filters:
        - type: RequestMirror
          requestMirror:
            backendRef:
              name: api-staging
              port: 8080
            percent: 10          # mirror 10% of requests (experimental-channel field; omit to mirror all)
      backendRefs:
        - name: api-prod
          port: 8080
```
10 How does the Gateway API relate to a Service Mesh (e.g. Istio)?
Answer:
Gateway API can serve as the standard ingress gateway of a Service Mesh, and east-west mesh traffic can be described with the same API.

| Dimension | Ingress Gateway (north-south) | Mesh Gateway (east-west) |
|---|---|---|
| Traffic direction | External → inside the cluster | Service → service |
| API | Gateway + HTTPRoute | HTTPRoute (not bound to a Gateway) |
| TLS | Terminated at the Gateway | mTLS (sidecar) |
| Typical implementation | Envoy Gateway / Contour | Istio / Linkerd |

As a replacement for the Istio Ingress Gateway:
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: istio-gateway
spec:
  gatewayClassName: istio
  listeners:
    - name: http
      port: 80
      protocol: HTTP
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: product-route
spec:
  parentRefs:
    - name: istio-gateway
  rules:
    - backendRefs:
        - name: product-svc
          port: 8080
```
11 How does the Gateway API modify request headers?
Answer:
HTTPRoute filters natively support adding, setting and removing request and response headers.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: header-route
spec:
  parentRefs:
    - name: prod-gateway
  rules:
    - filters:
        - type: RequestHeaderModifier
          requestHeaderModifier:
            set:                       # overwrite if present
              - name: X-Forwarded-Proto
                value: https
            add:                       # append, keeping any existing value
              - name: X-Request-ID
                value: uuid
            remove:                    # strip before forwarding to the backend
              - X-Internal-Token
      backendRefs:
        - name: api-svc
          port: 80
```
12 How does the Gateway API implement URL rewriting?
Answer:
The URLRewrite filter rewrites the path (and optionally the Host header) before the request is forwarded to the backend.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: rewrite-route
spec:
  parentRefs:
    - name: prod-gateway
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api/v1
      filters:
        - type: URLRewrite
          urlRewrite:
            path:
              type: ReplacePrefixMatch
              replacePrefixMatch: /v2    # /api/v1/users -> /v2/users
      backendRefs:
        - name: api-svc
          port: 80
```
13 How does the Gateway API implement redirects?
Answer:
The RequestRedirect filter returns a redirect response instead of forwarding; a rule using it needs no backendRefs.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: redirect-route
spec:
  parentRefs:
    - name: prod-gateway
  rules:
    - filters:                          # default rule: upgrade every request to HTTPS
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301
    - matches:                          # more specific rule: /old -> /new
        - path:
            type: PathPrefix
            value: /old
      filters:
        - type: RequestRedirect
          requestRedirect:
            path:
              type: ReplaceFullPath
              replaceFullPath: /new
            statusCode: 302
```
14 How does the Gateway API implement timeouts and retries?
Answer:
Backend timeouts are defined with the `timeouts` field of an HTTPRoute rule. A standard `retry` field exists in the experimental channel; in practice retries are commonly configured through the implementation's policy attachment, shown here with Envoy Gateway.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: resilient-route
spec:
  parentRefs:
    - name: prod-gateway
  rules:
    - timeouts:
        request: 30s           # whole client request, including retries
        backendRequest: 5s     # each individual attempt to the backend
      backendRefs:
        - name: api-svc
          port: 80
```

```yaml
# Retry policy via Policy Attachment (Envoy Gateway BackendTrafficPolicy)
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: retry-policy
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: resilient-route
  retry:
    numRetries: 3
    perRetry:
      timeout: 2s
    retryOn:
      triggers:
        - connect-failure
        - refused-stream
        - unavailable
        - 5xx
```
15 How does GRPCRoute work?
Answer:
GRPCRoute is the route type designed for gRPC traffic; it natively routes at the service/method level.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: GRPCRoute
metadata:
  name: grpc-route
spec:
  parentRefs:
    - name: grpc-gateway
  hostnames:
    - grpc.example.com
  rules:
    - matches:
        - method:
            type: Exact
            service: helloworld.Greeter   # gRPC service name
            method: SayHello              # gRPC method name
      filters:
        - type: RequestHeaderModifier
          requestHeaderModifier:
            set:
              - name: X-GRPC-Source
                value: gateway
      backendRefs:
        - name: grpc-svc
          port: 50051
```
16 How does the Gateway API implement session persistence?
Answer:
Session persistence (sticky sessions) is expressed with the `sessionPersistence` field on an HTTPRoute rule (experimental channel): the gateway issues a cookie or header that pins the client to the backend that served its first request.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: sticky-route
spec:
  parentRefs:
    - name: prod-gateway
  rules:
    - sessionPersistence:          # experimental-channel field
        sessionName: session       # name of the cookie (or header) carrying the session
        type: Cookie               # Cookie or Header
        absoluteTimeout: 1h
      backendRefs:
        - name: api-svc
          port: 8080
```
17 How does the Gateway API integrate with cert-manager?
Answer:
Gateway API does not integrate ACME directly, but cert-manager can issue the certificate for a Gateway TLS listener through a Certificate resource whose Secret the listener references.

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-cert
spec:
  secretName: app-tls             # Secret that cert-manager creates and renews
  dnsNames:
    - app.example.com
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: tls-gateway
spec:
  gatewayClassName: eg
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate
        certificateRefs:
          - name: app-tls         # Secret managed by cert-manager
```
18 Which implementations of the Gateway API exist (Envoy Gateway / Contour / Istio)?
Answer:
| Implementation | Controller | Data plane | Maturity | Notes |
|---|---|---|---|---|
| Envoy Gateway | envoyproxy.io | Envoy | GA | Official Gateway API implementation, most complete feature set |
| Contour | projectcontour.io | Envoy | GA | One of the earliest Envoy-based Ingress implementations |
| Istio | istio.io | Envoy | GA | Service Mesh integration |
| HAProxy | haproxy.com | HAProxy | Beta | HAProxy ecosystem |
| Nginx | nginx.com | NGINX | GA | Nginx ecosystem |

Installing Envoy Gateway:
```bash
helm install eg oci://docker.io/envoyproxy/gateway-helm \
  --version v1.0.0 -n envoy-gateway-system --create-namespace
```
19 How are health checks configured with the Gateway API?
Answer:
Health checks are not part of the core API; they are configured through implementation-specific policy attachments, such as Envoy Gateway's BackendTrafficPolicy.

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: healthcheck
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: api-route
  healthCheck:
    active:                      # probes sent to each backend endpoint on its service port
      type: HTTP
      timeout: 5s
      interval: 30s
      unhealthyThreshold: 3      # consecutive failures before ejection
      healthyThreshold: 2        # consecutive successes before readmission
      http:
        path: /healthz
        expectedStatuses:
          - 200
```
20 Does the Gateway API support WebSocket?
Answer:
Gateway API has no WebSocket-specific configuration; the underlying implementation (Envoy/Contour) handles the WebSocket upgrade natively on a normal HTTPRoute.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: ws-route
spec:
  parentRefs:
    - name: prod-gateway
  rules:
    - backendRefs:
        - name: websocket-svc
          port: 8080
# Some implementations may need WebSocket enabled explicitly (e.g. Contour):
# annotations:
#   projectcontour.io/websocket-routes: /
```
21 How does the Gateway API handle HTTP/2 and HTTP/3?
Answer:
HTTP/2 and HTTP/3 support is decided by the Gateway implementation; the Gateway API itself does not restrict protocol versions. With Envoy Gateway, HTTP/3 is enabled on a Gateway through a ClientTrafficPolicy.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: http3-gateway
spec:
  gatewayClassName: eg
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate
        certificateRefs:
          - name: cert
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: ClientTrafficPolicy
metadata:
  name: http3
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: Gateway
    name: http3-gateway
  http3: {}    # HTTP/3 needs an additional UDP (QUIC) listener on the same port
```
22 How does the Gateway API implement IP allow/deny lists?
Answer:
IP-based access control is implemented with the implementation's SecurityPolicy (Envoy Gateway shown). Rules are evaluated in order and the first match wins, so a narrow deny must be listed before the broader allow that contains it.

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: ip-restriction
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: api-route
  authorization:
    defaultAction: Deny            # anything not matched below is rejected
    rules:
      # Deny list: must come first, otherwise the 10.0.0.0/8 allow would shadow it
      - action: Deny
        principal:
          clientCIDRs:
            - 10.0.1.100/32
      # Allow list: only these CIDRs may reach the route
      - action: Allow
        principal:
          clientCIDRs:
            - 10.0.0.0/8
            - 192.168.0.0/16
```
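The ordering pitfall in the policy above is easy to get wrong in review, so here is an added example (not code from the page or from Envoy Gateway) that evaluates an ordered allow/deny CIDR list with first-match-wins semantics and flags any rule that an earlier rule shadows completely. The rule list is constructed from the manifest above; the evaluation order and the default action are the assumptions being illustrated.

```python
# Added example: first-match-wins CIDR authorization and a shadowed-rule check.
# Not code from the page or from any controller; rules are constructed from the manifest.
import ipaddress

DEFAULT_ACTION = "Deny"
RULES = [  # evaluation order matters: the host-specific deny comes first
    {"action": "Deny", "clientCIDRs": ["10.0.1.100/32"]},
    {"action": "Allow", "clientCIDRs": ["10.0.0.0/8", "192.168.0.0/16"]},
]


def _networks(cidrs):
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def decide(client_ip, rules=RULES, default_action=DEFAULT_ACTION):
    """Action for a client address: the first rule whose CIDRs contain it, else the default."""
    addr = ipaddress.ip_address(client_ip)
    for rule in rules:
        for net in _networks(rule["clientCIDRs"]):
            if addr.version == net.version and addr in net:
                return rule["action"]
    return default_action


def shadowed_rules(rules):
    """Indexes of rules that can never fire because every CIDR they list lies inside
    a CIDR of an earlier rule. A shadowed Deny is the classic misconfiguration."""
    shadowed, earlier = [], []
    for idx, rule in enumerate(rules):
        nets = _networks(rule["clientCIDRs"])
        if nets and all(any(n.version == e.version and n.subnet_of(e) for e in earlier) for n in nets):
            shadowed.append(idx)
        earlier.extend(nets)
    return shadowed


if __name__ == "__main__":
    for ip in ("10.0.1.100", "10.1.2.3", "192.168.5.5", "8.8.8.8"):
        print(ip, decide(ip))
    # Swapping the two rules silently turns the deny into a no-op:
    print("shadowed when reversed:", shadowed_rules(list(reversed(RULES))))
```

The address being tested is whatever the gateway considers the client address; when the gateway sits behind another proxy or load balancer, that address comes from the hop in front of it, and the implementation's trusted-proxy settings decide whether forwarded headers are honored. An allow list that trusts an unverified `X-Forwarded-For` value is not an allow list.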
23 How does the Gateway API implement rate limiting?
Answer:
Rate limiting is configured through the implementation's policy attachment (Envoy Gateway SecurityPolicy shown); global limits share counters across gateway replicas through the external rate-limit service.

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: rate-limit
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: api-route
  rateLimit:
    type: Global                  # counters shared across replicas (requires the rate-limit service)
    global:
      rules:
        # Premium API keys: 5000 requests per second
        - clientSelectors:
            - headers:
                - name: X-Api-Key
                  value: premium
          limit:
            requests: 5000
            unit: Second
        # Default: 1000 requests per second. A rule without selectors matches every
        # request, so premium traffic is counted against this rule as well.
        - limit:
            requests: 1000
            unit: Second
```
24 How does the Gateway API implement CORS?
Answer:
CORS headers are set by the implementation's policy attachment (Envoy Gateway SecurityPolicy shown); list origins explicitly rather than using a wildcard.

```yaml
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: cors-policy
spec:
  targetRef:
    group: gateway.networking.k8s.io
    kind: HTTPRoute
    name: api-route
  cors:
    allowOrigins:
      - "https://app.example.com"
      - "https://admin.example.com"
    allowMethods:
      - GET
      - POST
      - PUT
      - DELETE
    allowHeaders:
      - Authorization
      - Content-Type
    exposeHeaders:
      - X-Request-Id
    maxAge: 24h             # preflight cache lifetime (86400 seconds), expressed as a duration
```
25 How do Gateway API versions relate to Kubernetes versions?
Answer:
| Gateway API version | Minimum K8s version | CRD version | Status |
|---|---|---|---|
| v1.0.0 | 1.26 | v1 | GA |
| v1.1.0 | 1.27 | v1 | GA |
| v1.2.0 | 1.28 | v1 | GA |
| experimental | 1.28+ | v1alpha2/v1alpha3 | Alpha/Beta |

Standard vs Experimental channel:
- Standard: GA resources (Gateway, GatewayClass, HTTPRoute, ReferenceGrant)
- Experimental: Beta/Alpha resources (GRPCRoute, TLSRoute, TCPRoute, BackendTLSPolicy)
26 How are backend weights adjusted dynamically with the Gateway API?
Answer:
Weights live on the HTTPRoute, so shifting traffic is a matter of updating the `weight` values and re-applying the route; the controller reconciles the change without restarting the gateway.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: weighted-route
spec:
  parentRefs:
    - name: prod-gateway
  rules:
    - backendRefs:
        - name: app-stable
          port: 80
          weight: 90          # change these two values and re-apply to shift traffic
        - name: app-canary
          port: 80
          weight: 10
```
27 How are multiple listeners configured on a Gateway?
Answer:
A Gateway can declare several listeners; listeners on the same port must be distinguished by hostname, and each listener carries its own protocol and TLS settings.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: multi-listener
spec:
  gatewayClassName: eg
  listeners:
    - name: http
      port: 80
      protocol: HTTP
      hostname: "*.example.com"
    - name: api-https
      port: 443
      protocol: HTTPS
      hostname: "api.example.com"
      tls:
        mode: Terminate
        certificateRefs:
          - name: api-tls
    - name: admin-https
      port: 443
      protocol: TLS               # Passthrough is only valid on a TLS listener (routed by TLSRoute)
      hostname: "admin.example.com"
      tls:
        mode: Passthrough
```
28 How does the Gateway API handle east-west traffic in a service mesh?
Answer:
Inside a service mesh an HTTPRoute can be attached to a Service instead of a Gateway, which controls east-west traffic between services within the mesh.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: mesh-route
spec:
  parentRefs:
    - group: ""
      kind: Service           # the Service is the parent, not a Gateway
      name: backend-svc
      port: 8080
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /admin
      filters:
        - type: RequestHeaderModifier
          requestHeaderModifier:
            set:
              - name: X-Auth
                value: internal
      backendRefs:
        - name: backend-v2
          port: 8080
          weight: 0           # reserved, receives no traffic (policy placeholder only)
```
29 What is the ReferenceGrant security mechanism?
Answer:
ReferenceGrant is the explicit-permission mechanism for cross-namespace references; it prevents an object in one namespace from pulling in resources from another namespace that never agreed to it.

```yaml
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: grant-all
  namespace: production      # the namespace that owns the referenced objects
spec:
  from:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute        # HTTPRoutes in infra may reference Services here
      namespace: infra
    - group: gateway.networking.k8s.io
      kind: Gateway          # Gateways in infra may reference Secrets here
      namespace: infra
  to:
    - group: ""
      kind: Service
    - group: ""              # Secrets are in the core API group, not gateway.networking.k8s.io
      kind: Secret
```

Security principles:
- Explicit authorization: the target namespace must explicitly authorize the source namespace
- Least privilege: grant only the `from` sources that are needed (and narrow `to` with a `name` where possible)
- Non-inheritable: one ReferenceGrant covers exactly one source-namespace to target-namespace pair
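To make the ReferenceGrant semantics of questions 6 and 29 concrete, the following added example (not code from the page or from any controller) walks a set of Gateway API objects, finds every cross-namespace reference, and reports whether a ReferenceGrant in the target namespace permits it: the grant must live in the target namespace, name the exact source group/kind/namespace in `from`, and name the target group/kind (optionally a specific name) in `to`. Objects and grants are constructed dicts mirroring the manifests above; the second object, a Gateway in `infra` referencing a Secret in `production`, is included to show that a grant for HTTPRoute → Service does not cover it.

```python
# Added example: ReferenceGrant coverage check for cross-namespace references.
# Not code from the page or from any controller; objects and grants are constructed dicts.
GATEWAY_GROUP = "gateway.networking.k8s.io"

OBJECTS = [
    {"kind": "HTTPRoute", "name": "cross-ns-route", "namespace": "infra",
     "rules": [{"backendRefs": [{"name": "api-svc", "namespace": "production", "port": 8080}]}]},
    {"kind": "Gateway", "name": "prod-gateway", "namespace": "infra",
     "listeners": [{"name": "https",
                    "tls": {"certificateRefs": [{"name": "prod-tls", "namespace": "production"}]}}]},
]
GRANTS = [
    {"namespace": "production",
     "from": [{"group": GATEWAY_GROUP, "kind": "HTTPRoute", "namespace": "infra"}],
     "to": [{"group": "", "kind": "Service"}]},   # no name: any Service in the namespace
]


def _collect_refs(obj):
    """(group, kind, namespace, name) for each reference the object makes, with API defaults."""
    ns = obj["namespace"]
    if obj["kind"] == "HTTPRoute":
        return [(b.get("group", ""), b.get("kind", "Service"), b.get("namespace", ns), b["name"])
                for rule in obj["rules"] for b in rule.get("backendRefs", [])]
    if obj["kind"] == "Gateway":
        return [(c.get("group", ""), c.get("kind", "Secret"), c.get("namespace", ns), c["name"])
                for listener in obj["listeners"]
                for c in listener.get("tls", {}).get("certificateRefs", [])]
    return []


def grant_permits(grants, src_kind, src_ns, group, kind, target_ns, name):
    """True if some grant in the target namespace lists the source in `from`
    and the target (group, kind[, name]) in `to`."""
    for grant in grants:
        if grant["namespace"] != target_ns:
            continue   # a grant placed in the source namespace grants nothing
        from_ok = any(f["group"] == GATEWAY_GROUP and f["kind"] == src_kind and f["namespace"] == src_ns
                      for f in grant["from"])
        to_ok = any(t["group"] == group and t["kind"] == kind and t.get("name") in (None, name)
                    for t in grant["to"])
        if from_ok and to_ok:
            return True
    return False


def check_references(objects, grants):
    """[(object name, 'Kind/name in namespace', permitted)] for every cross-namespace reference."""
    findings = []
    for obj in objects:
        for group, kind, target_ns, name in _collect_refs(obj):
            if target_ns == obj["namespace"]:
                continue   # same-namespace references never need a grant
            ok = grant_permits(grants, obj["kind"], obj["namespace"], group, kind, target_ns, name)
            findings.append((obj["name"], f"{kind}/{name} in {target_ns}", ok))
    return findings


if __name__ == "__main__":
    for obj_name, ref, ok in check_references(OBJECTS, GRANTS):
        print(f"{obj_name}: {ref} -> {'permitted' if ok else 'REJECTED (RefNotPermitted)'}")
```

A controller reports the rejected case on the route or listener status with reason `RefNotPermitted`; running a check like this in CI catches the missing grant before the object is applied.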
30 What are the best practices for deploying the Gateway API in production?
Answer:
- Tiered GatewayClasses: create separate GatewayClasses for different scenarios (e.g. internal, public, mesh), each with its own security policies and resource limits
- Automated certificate management: use cert-manager to issue and renew TLS certificates
- Cross-team permission separation: Gateways are managed by the platform team, HTTPRoutes by the application teams
- Configuration consistency: manage Gateway API resources with GitOps (ArgoCD/Flux)
- Monitoring and alerting: scrape the Prometheus metrics exposed by Envoy Gateway
- Canary releases: shift traffic gradually with weighted routing and verify each step with observability data
- Security hardening: enable SecurityPolicy for source-IP restrictions, rate limiting and CORS
- Resource quotas: cap the number of HTTPRoutes per namespace to prevent resource exhaustion