Add scs-0219-v2: recommends Gateway API, dropping any mention of Ingress#1195
Draft
mbuechse wants to merge 1 commit into
Draft
Add scs-0219-v2: recommends Gateway API, dropping any mention of Ingress#1195mbuechse wants to merge 1 commit into
mbuechse wants to merge 1 commit into
Conversation
… Ingress. This is copied from https://github.com/lucasrattz/standards/blob/a9715ea0e07c07cede513fb0420676ca8c2986c6/Standards/scs-0219-v1-kaas-networking.md Thanks @lucasrattz! Signed-off-by: Matthias Büchse <matthias.buechse@alasca.cloud>
Contributor
Author
|
@jklare I'm pretty sure now that this is not quite correct. We do not indeed drop any mention of Ingress as there is a whole section on Ingress. Now I'm confused. Can you spell out the intention of the SIG Std/Cert discussion on May 7? |
jklare
reviewed
Jun 5, 2026
| ## Design Considerations | ||
|
|
||
| The Kubernetes API can be extended arbitrarily. | ||
| Many CNI plugins will define custom resources to enable functionality that is not covered in the official [API specification](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/). |
Contributor
There was a problem hiding this comment.
Suggested change
| Many CNI plugins will define custom resources to enable functionality that is not covered in the official [API specification](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.31/). | |
| Many CNI plugins will define custom resources to enable functionality that is not covered in the official [API specification](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.36/). |
Contributor
There was a problem hiding this comment.
In case there is no specific reason to put 1.31 here, we could as well use 1.36
| Basic network policies are namespaced resources, and can only filter traffic to and from pods in their own namespace. | ||
| In a newly created namespace without policies the default behavior will apply, which is to not restrict traffic at all. | ||
|
|
||
| It can be desirable to automatically create default network policies in new namespaces, using a policy operator such as Kyverno. |
Contributor
There was a problem hiding this comment.
Suggested change
| It can be desirable to automatically create default network policies in new namespaces, using a policy operator such as Kyverno. | |
| It can be desirable to automatically create default network policies in new namespaces, using a policy operator such as [Kyverno](https://kyverno.io/) or [Open Policy Agent](https://www.openpolicyagent.org/). |
| An alternative to automatically created default network policies are API extensions that allow cluster-wide networking rules. | ||
| Some CNI plugins have implemented such extensions, e.g. Calico's `GlobalNetworkPolicy` and Cilium's `CiliumClusterwideNetworkPolicy`. | ||
|
|
||
| The Kubernetes Network Special Interest Group is currently working on an [official API extension](https://network-policy-api.sigs.k8s.io/api-overview/) to cover this functionality. |
Contributor
There was a problem hiding this comment.
Suggested change
| The Kubernetes Network Special Interest Group is currently working on an [official API extension](https://network-policy-api.sigs.k8s.io/api-overview/) to cover this functionality. | |
| The Kubernetes Network Special Interest Group is currently (as of June 2026) working on an [official API extension](https://network-policy-api.sigs.k8s.io/api-overview/) to cover this functionality. |
| This API extension introduces the new `AdminNetworkPolicy` and `BaselineAdminNetworkPolicy` resources, which represent cluster-wide network policies with respectively higher or lower precedence than namespaced network policies. | ||
|
|
||
| This API is also a good candidate for standardization because it consolidates a number of vendor-specific workarounds to limitations of the NetworkPolicy API. | ||
| It has not been stabilized yet, so currently we can at most recommend CNI plugins where there is ongoing work to support these features. |
Contributor
There was a problem hiding this comment.
Suggested change
| It has not been stabilized yet, so currently we can at most recommend CNI plugins where there is ongoing work to support these features. | |
| It has not been stabilized yet (v1alpha2 status as of June 2026), so currently we can at most recommend CNI plugins where there is ongoing work to support these features. |
| This separation allows for safer multi-tenancy and clearer ownership boundaries, which are particularly relevant in managed Kubernetes environments. | ||
|
|
||
| The Gateway API is designed to be implementation-agnostic but requires a controller to reconcile its resources, similar to Ingress. | ||
| Support for the Gateway API is growing across multiple projects, including implementations based on Envoy, HAProxy, and CNI-integrated solutions such as Cilium. |
Contributor
There was a problem hiding this comment.
Suggested change
| Support for the Gateway API is growing across multiple projects, including implementations based on Envoy, HAProxy, and CNI-integrated solutions such as Cilium. | |
| Support for the Gateway API is growing across multiple projects, including implementations based on Envoy, HAProxy, and CNI-integrated solutions such as Cilium. Some Ingress providers like Taefik have also implemented the needed interfaces to fully support Gateway API to enable users to migrate from one to the other. |
Comment on lines
+111
to
+113
| CSPs SHOULD offer the option for a managed, `networking.k8s.io/v1`-compliant Ingress controller and a default `IngressClass` resource for this controller. | ||
|
|
||
| CSPs SHOULD offer support for the Gateway API (`gateway.networking.k8s.io`), including at least the `GatewayClass`, `Gateway`, and `HTTPRoute` resources, either as a managed offering or as an installable option. |
Contributor
There was a problem hiding this comment.
Suggested change
| CSPs SHOULD offer the option for a managed, `networking.k8s.io/v1`-compliant Ingress controller and a default `IngressClass` resource for this controller. | |
| CSPs SHOULD offer support for the Gateway API (`gateway.networking.k8s.io`), including at least the `GatewayClass`, `Gateway`, and `HTTPRoute` resources, either as a managed offering or as an installable option. | |
| CSPs MUST either offer the option for a managed, `networking.k8s.io/v1`-compliant Ingress controller and a default `IngressClass` resource for this controller, or support for the Gateway API (`gateway.networking.k8s.io`), including at least the `GatewayClass`, `Gateway`, and `HTTPRoute` resources, either as a managed offering or as an installable option. They MAY also offer both of them. |
|
|
||
| ### Version history | ||
|
|
||
| This is version 2.0. It adds the recommendation of the Gateway API and drops any mention of Ingress API. |
Contributor
There was a problem hiding this comment.
Suggested change
| This is version 2.0. It adds the recommendation of the Gateway API and drops any mention of Ingress API. | |
| This is version 2.0. It adds the recommendation of the Gateway API in addition to the Ingress API. |
| ### Version history | ||
|
|
||
| This is version 2.0. It adds the recommendation of the Gateway API and drops any mention of Ingress API. | ||
| These APIs address overlapping use cases, they will continue to coexist, and we opted to recommend Gateway only. |
Contributor
There was a problem hiding this comment.
Suggested change
| These APIs address overlapping use cases, they will continue to coexist, and we opted to recommend Gateway only. | |
| These APIs address overlapping use cases. Although they will continue to coexist, we recommend the usage of Gateway API. |
Contributor
|
@mbuechse to move this forward, I added a couple of suggestions to align with what I recall from our previous discussions. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is copied from https://github.com/lucasrattz/standards/blob/a9715ea0e07c07cede513fb0420676ca8c2986c6/Standards/scs-0219-v1-kaas-networking.md
Thanks @lucasrattz!
Supersedes #1166
Resolves #1097