Challenge, Medium,  on  KubernetesNetworking

Cross-Namespace Gateway and HTTPRoute Binding with Kubernetes Gateway API

Omkar Shelke
by  Omkar Shelke

Scenario

Your organization runs a railway platform with a strict separation between infrastructure and application teams. The infrastructure team owns the japan-railway-gateway namespace and manages all Gateway resources. The application team owns the japan-railway namespace where services run.

Two backend services are already running in the japan-railway namespace:

  • schedule-service — serves train schedule data on port 3000
  • ticket-service — serves ticket booking data on port 5000

Your goal is to expose both services externally through a single Gateway using path-based routing under the domain japan-railway.io.

Task

Create the required Kubernetes Gateway API resources across two namespaces:

  • A Gateway named railway-gateway in namespace japan-railway-gateway that:
    • Listens on HTTP port 80
    • Uses gatewayClassName: nginx
    • Allows HTTPRoutes from the japan-railway namespace via allowedRoutes
  • An HTTPRoute named railway-routes in namespace japan-railway that:
    • Attaches to railway-gateway in namespace japan-railway-gateway via parentRefs with namespace field set
    • Uses hostname japan-railway.io
    • Routes /scheduleschedule-service on port 3000
    • Routes /ticketsticket-service on port 5000

Once the Gateway gets an external IP, verify that both routes respond correctly using japan-railway.io (/etc/hosts is already pre-configured on cplane-01).

curl http://japan-railway.io/schedule | jq

curl http://japan-railway.io/tickets | jq
Cross-namespace Gateway API routing for Japan Railway platform services

Gateway in japan-railway-gateway namespace routing traffic to services in japan-railway namespace.

⏳ Wait 2 minutes for MetalLB and NGINX Gateway API setup.

🚫 Do not change existing Services or Deployments.

Hint

When the Gateway and HTTPRoute are in different namespaces, two things are required. The Gateway listener must explicitly allow routes from the application namespace:

listeners:
- name: http
  port: 80
  protocol: HTTP
  allowedRoutes:
    namespaces:
      from: Selector
      selector:
        matchLabels:
          kubernetes.io/metadata.name: japan-railway

The HTTPRoute parentRefs must include the Gateway namespace:

parentRefs:
- name: railway-gateway
  namespace: japan-railway-gateway

Test Cases

How to Author Challenges on iximiuz Labs

Instead of providing a subpar online editing experience, iximiuz Labs offers a helper CLI tool called labctl, allowing you to use your favorite text editor (or a full-featured IDE) to write content from the comfort of your local machine.

Install labctl CLI

curl -sf https://labs.iximiuz.com/cli/install.sh | sh

This will download and install the latest version of the labctl CLI. You only need to do this once per workstation.

Authorize labctl

labctl auth login

This will open a browser window asking you to authorize labctl to access your account. You need to do it after a fresh install of labctl and repeat it whenever the auth session expires.

Pull challenge content

labctl content pull challenge cross-namespace-gateway-api-routing-2cfcf387

This will create a local copy of the challenge content in a directory named cross-namespace-gateway-api-routing-2cfcf387. You only need to do this once per challenge.

Stream your changes

labctl content push -fw challenge cross-namespace-gateway-api-routing-2cfcf387

Run this command in a separate terminal to continuously upload your changes to the server while editing the challenge in your favorite text editor or IDE.

You can also use labctl to create, list, and delete your content. Learn more about the available commands: labctl content --help

Start challenge