// the find
kgateway-dev/kgateway
The Cloud-Native API Gateway and AI Gateway
kgateway is a Kubernetes Gateway API-conformant control plane built on top of Envoy, originally shipped as Gloo by Solo.io in 2018. It handles north-south API traffic — auth, rate limiting, routing, TLS termination — and is aimed at teams running Kubernetes who want a production-grade gateway without writing raw Envoy config. CNCF sandbox status and 7+ years of production lineage make it one of the more credible options in a crowded space.
1. Gateway API conformance is first-class, not bolted on — using the upstream Kubernetes Gateway API means you're not locked into proprietary CRDs for core routing logic. 2. The custom Envoy filter layer (under internal/envoy_modules) is written in Rust using the Envoy WASM/module ABI — request/response transformations run in-process without a sidecar round-trip. 3. Route delegation design (documented in design/10943-route-delegation.md) lets platform and app teams own different slices of the config without stepping on each other, which is rare in this category. 4. The test infrastructure is unusually thorough for an OSS gateway — nightly e2e runs across min/max Kubernetes versions, Gateway API conformance suite, and load tests, all as committed GitHub Actions workflows.
1. The AI gateway features that were a key selling point in 2.x have been spun out to a separate repo (agentgateway) as of 2.3.0 — the README buries this in a callout box, and if you installed kgateway for LLM proxy features, you now have two control planes to operate. 2. The Go module layout is being actively refactored (design/10498-deflate-repository-into-idiomatic-go-layout.md) — internal package boundaries are in flux, which makes vendoring or forking risky right now. 3. Policy merging semantics are genuinely complex (there's a whole design doc and a devel/policy_merging directory) — if you attach a TrafficPolicy at both the Gateway and HTTPRoute level, the merge behavior is non-obvious and has historically had bugs. 4. Helm chart customization is broad but the values.yaml surface area is large and underdocumented; there's no schema validation, so misconfigured values fail silently at deploy time rather than at helm install.