Kubernetes Gateway API Certification Guide 2026

Gateway API graduated to GA in 2024 and replaced Ingress as the de facto Kubernetes traffic standard during 2025-2026. The CKA exam blueprint added Gateway API objectives in early 2026, and CKAD followed mid-year. Engineers who only know Ingress are now studying for an obsolete topic.

Why Gateway API Replaced Ingress

Ingress had three structural problems Gateway API fixes:

1. Vendor extensions everywhere. Annotations differed per controller, breaking portability.
2. Single resource type couldn't model L7 policies, traffic splitting, or cross-namespace routing cleanly.
3. RBAC was awkward — application teams either owned the entire Ingress or nothing.

Gateway API splits the model into three resources owned by different personas: GatewayClass (infra team), Gateway (cluster operator), and HTTPRoute / GRPCRoute / TCPRoute (app team). Clean RBAC, vendor-portable, and extensible without annotations.

The Three Resource Types You Need to Know

Migrating from Ingress

Step 1: Pick a controller

Envoy Gateway, NGINX Gateway Fabric, Cilium, Istio Ambient, or your cloud's managed option (GKE Gateway, AWS Gateway API Controller). All read the same CRDs.

Step 2: Run dual-stack

Keep Ingress and Gateway API objects in parallel during migration. Gateway API supports nearly all Ingress features plus traffic splitting, mirrors, and header rewrites.

Step 3: Convert routes incrementally

ingress2gateway CLI tool (CNCF) generates Gateway API YAML from Ingress YAML for the common cases. Manual cleanup needed for vendor-specific annotations.

Step 4: Cut over and remove Ingress

Update DNS or load balancer to point at the Gateway. Watch metrics for 24-48 hours. Delete Ingress resources.

What the Exams Test

The early-2026 CKA refresh added a Gateway API objective worth ~5-7% of the exam. CKAD followed at ~5%. CKS includes Gateway-level TLS and authentication policies.

• CKA — install/configure a Gateway, attach an HTTPRoute, debug 502s, traffic splitting between two services.
• CKAD — write HTTPRoute YAML for canary deployments and header-based routing. Implement a blue/green using two HTTPRoutes.
• CKS — Gateway listener TLS modes, BackendTLSPolicy for upstream mTLS, and integrating Gateway API with NetworkPolicy.

Controller Comparison

• Envoy Gateway — CNCF, vendor-neutral, the reference implementation most cleanly aligned with the spec.
• NGINX Gateway Fabric — F5/NGINX maintained, familiar to existing NGINX Ingress users.
• Cilium — uses eBPF, integrates Gateway API with NetworkPolicy and service mesh.
• Istio Ambient — Gateway API as the Istio ingress, sidecar-less.
• GKE Gateway / AWS Gateway API Controller / Azure Application Gateway for Containers — cloud-managed.

Frequently Asked Questions

Is Ingress deprecated?

Not officially deprecated, but feature-frozen. New features ship to Gateway API only. Vendors will support Ingress for years, but it's a legacy API path.

Do I have to switch?

No, but new clusters should default to Gateway API. Existing Ingress will keep working. Plan migration on a 12-24 month horizon for production estates.

Is service mesh different from Gateway API?

Gateway API handles north-south (ingress) traffic. Service mesh handles east-west (pod-to-pod). The Gateway API Project's GAMMA initiative extends Gateway API to also model east-west, blurring the line.

Which controller for the CKA exam?

Killer.sh and the official exam use a vanilla in-cluster controller (typically Envoy Gateway or a kindnet-compatible reference). You don't pick — the exam environment does.

ExamCert Team

Certified IT professionals tracking the cloud, AI, and security certification landscape. Content updated as exams and tools evolve.