How to Deploy Kubernetes Gateway API on AWS EKS?

adil
4 min read, Nov 2, 2023

Part 2: How to Establish Connection Between Multiple EKS Clusters Using Gateway API and VPC Lattice?

Gateway API is the Kubernetes standard for describing how traffic enters a cluster and is routed to its services; a provider-specific controller turns those resources into real load-balancing infrastructure.


Ingress or Gateway API?

Each Ingress controller interprets the Ingress resource differently: Ingress only standardises basic host and path routing, so controllers bolt on vendor-specific annotations, and manifests written for one controller rarely port to another. The Gateway API replaces that with a single, role-oriented standard (GatewayClass, Gateway and Route resources) that every implementation shares, so the same manifests work across providers.

AWS provides a controller for EKS: the AWS Gateway API Controller.

It implements the Gateway API on top of VPC Lattice: a Gateway becomes a Lattice service network, and an HTTPRoute becomes a Lattice service with listeners and target groups.

(See: How to use VPC Lattice in AWS?)

The official documentation for the AWS Gateway API Controller and for the Kubernetes Gateway API is worth reading alongside this guide.

How to enable the Gateway API in an EKS Cluster?

Because the controller implements the Gateway API with VPC Lattice, and Lattice forwards requests and health checks to your pods from its own link-local address range, the EKS cluster security group must allow inbound traffic from that range; otherwise Lattice cannot reach the pods.

VPC Lattice’s default IPv4 range is 169.254.171.0/24 and IPv6 is fd00:ec2:80::/64

To confirm this, open the VPC console and click “Managed prefix lists”. Find the VPC Lattice entries (com.amazonaws.<region>.vpc-lattice and com.amazonaws.<region>.ipv6.vpc-lattice) and check their CIDRs; they match the ranges above. Note the prefix list IDs, since a security group rule can reference them directly.

Go to the EKS Cluster’s overview page and click Networking.

Find the cluster’s primary security group and click:

Add an inbound rule for VPC Lattice. Select the managed prefix list as the source instead of typing the CIDR (AWS maintains the list, so the rule survives a range change), and restrict it to the ports your pods serve rather than allowing all traffic:
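Scripted form of the security-group step, as an added example that is not from the article or from the AWS project. It looks up the AWS-managed prefix lists by name rather than hard-coding 169.254.171.0/24, and writes one TCP rule per backend port instead of opening all traffic. The region, cluster name and port 8080 in main() are placeholders; boto3 and configured credentials are assumed only when main() runs, and the helper functions work offline.

```python
"""Added example (not from the original article or the AWS project): allow VPC
Lattice into the EKS cluster security group via the AWS-managed prefix list,
scoped to the container ports that HTTPRoute backends listen on.

Assumptions: boto3 is installed and credentials are configured when main()
runs; region/cluster/ports in main() are placeholders to adjust.
"""
from __future__ import annotations


def lattice_prefix_list_name(region: str, family: str = "ipv4") -> str:
    """Well-known name of the AWS-managed VPC Lattice prefix list in a region."""
    if family == "ipv4":
        return f"com.amazonaws.{region}.vpc-lattice"
    if family == "ipv6":
        return f"com.amazonaws.{region}.ipv6.vpc-lattice"
    raise ValueError(f"unknown address family: {family}")


def lattice_ip_permissions(prefix_list_id: str, ports: list[int]) -> list[dict]:
    """IpPermissions for authorize_security_group_ingress: one TCP rule per
    backend port, each sourced from the Lattice prefix list only. Refuses an
    empty port list so nobody ends up with an all-traffic (IpProtocol=-1) rule."""
    if not ports:
        raise ValueError("pass the backend ports; an all-traffic rule is not built")
    return [
        {
            "IpProtocol": "tcp",
            "FromPort": port,
            "ToPort": port,
            "PrefixListIds": [
                {"PrefixListId": prefix_list_id,
                 "Description": "VPC Lattice data plane to pods"},
            ],
        }
        for port in sorted(set(ports))
    ]


def resolve_prefix_list_id(ec2, region: str, family: str) -> str:
    """Resolve the prefix list ID by name; ec2 is a boto3 EC2 client (or a stub).
    Raises instead of guessing when the list is absent or ambiguous."""
    name = lattice_prefix_list_name(region, family)
    resp = ec2.describe_managed_prefix_lists(
        Filters=[{"Name": "prefix-list-name", "Values": [name]}]
    )
    lists = resp.get("PrefixLists", [])
    if len(lists) != 1:
        raise LookupError(f"expected one prefix list named {name}, found {len(lists)}")
    return lists[0]["PrefixListId"]


def authorize_lattice_ingress(eks, ec2, cluster: str, region: str,
                              ports: list[int]) -> dict:
    """Add the Lattice-sourced rules (IPv4 and IPv6) to the cluster security
    group. Returns {family: API response} so the rule IDs can be recorded."""
    sg_id = eks.describe_cluster(name=cluster)["cluster"]["resourcesVpcConfig"][
        "clusterSecurityGroupId"]
    results = {}
    for family in ("ipv4", "ipv6"):
        pl_id = resolve_prefix_list_id(ec2, region, family)
        results[family] = ec2.authorize_security_group_ingress(
            GroupId=sg_id,
            IpPermissions=lattice_ip_permissions(pl_id, ports),
        )
    return results


def main() -> None:
    import boto3  # imported here so the helpers above stay usable offline
    region, cluster, ports = "us-east-1", "my-cluster", [8080]  # placeholders
    out = authorize_lattice_ingress(
        boto3.client("eks", region_name=region),
        boto3.client("ec2", region_name=region),
        cluster, region, ports,
    )
    for family, resp in out.items():
        ids = [r["SecurityGroupRuleId"] for r in resp.get("SecurityGroupRules", [])]
        print(family, ids)


if __name__ == "__main__":
    main()
```

For an IPv4-only cluster drop "ipv6" from the loop in authorize_lattice_ingress; the lookup raises if a prefix list is missing rather than silently writing an empty rule. Re-running against a group that already has the rules makes EC2 return InvalidPermission.Duplicate, which is a safe place to stop.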

Connection between IAM and EKS

The controller authenticates to AWS with IAM Roles for Service Accounts (IRSA): the cluster's OIDC issuer is registered as an IAM identity provider, an IAM policy grants the controller its permissions, and a role that trusts the controller's service account carries that policy.

You can register the cluster's OIDC issuer as an IAM identity provider either in the web console or with eksctl:

eksctl utils associate-iam-oidc-provider --region=<YOUR-REGION> --cluster=<YOUR-CLUSTER> --approve

Go to the EKS Cluster’s overview page and copy the Cluster’s “OpenID Connect provider URL”:

Go to the IAM Dashboard and click “Identity providers”:

Click “Add Provider” on the next page. Paste the OIDC URL, add “sts.amazonaws.com” to the audience field (this is the audience the role's trust policy will require on the pod's token), and click “Get thumbprint”.

It should look like this:

Click “Add provider”.

Create an IAM Policy

Go to the IAM Dashboard and click Policies. Click “Create policy”:

Click JSON and add this policy. Note how broad it is: vpc-lattice:* on every resource, plus iam:CreateServiceLinkedRole without a condition. The trust policy on the role it is attached to is then the only thing that decides who can use these permissions, so keep that role assumable by the controller's service account alone. iam:CreateServiceLinkedRole can also be narrowed with a condition on iam:AWSServiceName equal to vpc-lattice.amazonaws.com.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "vpc-lattice:*",
        "iam:CreateServiceLinkedRole",
        "ec2:DescribeVpcs",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags"
      ],
      "Resource": "*"
    }
  ]
}

Click “Next”. Name the policy VPCLatticeControllerIAMPolicy; the eksctl command later in this guide attaches it by that name:

Click “Create policy”

Copy the policy’s ARN:

Create the required namespace

The controller runs in a dedicated namespace, aws-application-networking-system, which must exist before the service account and the controller are created.

Here’s the YAML file: https://github.com/aws/aws-application-networking-k8s/blob/v0.0.17/examples/deploy-namesystem.yaml

Apply:

➜  ~ kubectl apply -f deploy-namesystem.yaml
namespace/aws-application-networking-system created

Next, a Kubernetes service account for the controller, bound through IRSA to a role that carries the policy created above. eksctl creates the role, its trust policy and the annotated service account in one step:

(See: Kubernetes Core Concepts: Service Account)

eksctl create iamserviceaccount \
--cluster=<YOUR_CLUSTER_NAME> \
--namespace=aws-application-networking-system \
--name=gateway-api-controller \
--attach-policy-arn=arn:aws:iam::<ACCOUNT_ID>:policy/VPCLatticeControllerIAMPolicy \
--override-existing-serviceaccounts \
--region <YOUR_REGION> \
--approve
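What eksctl create iamserviceaccount produces behind the scenes is an IAM role whose trust policy admits only tokens issued by this cluster's OIDC provider for one service account. The following is an added example, not code from the article or from eksctl: it builds that trust policy and audits an existing one for the two mistakes that most often widen it (a missing :sub condition, or a wildcard subject under StringLike). The account ID and OIDC provider ID in the usage block are placeholders.

```python
"""Added example (not from the article, and not eksctl's own code): build the
IRSA trust policy that pins an IAM role to one Kubernetes service account, and
audit an existing trust policy for the usual ways it gets widened."""
import json

NAMESPACE = "aws-application-networking-system"
SERVICE_ACCOUNT = "gateway-api-controller"
WEB_IDENTITY_ACTIONS = {"sts:AssumeRoleWithWebIdentity", "sts:*"}


def irsa_trust_policy(account_id: str, oidc_issuer_host: str,
                      namespace: str = NAMESPACE,
                      sa_name: str = SERVICE_ACCOUNT) -> dict:
    """oidc_issuer_host is the cluster's OpenID Connect provider URL without
    the https:// scheme, e.g. oidc.eks.us-east-1.amazonaws.com/id/<ID>.

    :sub pins the role to exactly one namespace/service-account pair and :aud
    pins the token audience to sts.amazonaws.com, the audience registered on
    the identity provider. Without :sub, any pod in the cluster whose token
    comes from this provider could assume the role."""
    provider_arn = f"arn:aws:iam::{account_id}:oidc-provider/{oidc_issuer_host}"
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{oidc_issuer_host}:sub": f"system:serviceaccount:{namespace}:{sa_name}",
                f"{oidc_issuer_host}:aud": "sts.amazonaws.com",
            }},
        }],
    }


def _as_list(v):
    """IAM allows a string or a list in most positions; normalise to a list."""
    return [v] if isinstance(v, str) else list(v or [])


def audit_trust_policy(policy: dict) -> list[str]:
    """Findings for Allow statements that grant web-identity assumption
    without pinning the caller to a single service account."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not WEB_IDENTITY_ACTIONS & set(_as_list(stmt.get("Action"))):
            continue
        cond = stmt.get("Condition") or {}
        equals = cond.get("StringEquals") or {}
        like = cond.get("StringLike") or {}
        keys = set(equals) | set(like)
        if not any(k.endswith(":sub") for k in keys):
            findings.append(f"statement {i}: no :sub condition, any service account "
                            "in the cluster can assume the role")
        for k, v in like.items():
            # StringLike with * or ? in the subject matches more than one SA
            if k.endswith(":sub") and any(ch in s for s in _as_list(v) for ch in "*?"):
                findings.append(f"statement {i}: wildcard subject {_as_list(v)} under StringLike")
        if not any(k.endswith(":aud") for k in keys):
            findings.append(f"statement {i}: no :aud condition, tokens minted for "
                            "other audiences are accepted")
    return findings


if __name__ == "__main__":
    # Placeholders: account 111122223333, provider ID EXAMPLED539D4633E53DE1B71EXAMPLE
    policy = irsa_trust_policy(
        "111122223333",
        "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE")
    print(json.dumps(policy, indent=2))
    print("findings:", audit_trust_policy(policy) or "none")
```

To audit the role eksctl actually created, feed audit_trust_policy the AssumeRolePolicyDocument returned by aws iam get-role; a clean result is an empty list.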

Deploy the Gateway API Controller

Go to the official GitHub repository and take the latest deploy.yaml. At the time of writing that was deploy-v0.0.17.yaml. The manifest installs the Gateway API CRDs, the controller's RBAC (ClusterRoles and bindings), its configuration and the controller Deployment itself; it also contains a ServiceAccount manifest for gateway-api-controller, which is why the apply below reports that resource as configured rather than created.

Apply:

➜  ~ kubectl apply -f examples/deploy-v0.0.17.yaml
namespace/aws-application-networking-system unchanged
customresourcedefinition.apiextensions.k8s.io/dnsendpoints.externaldns.k8s.io created
customresourcedefinition.apiextensions.k8s.io/gatewayclasses.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/gateways.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/grpcroutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/httproutes.gateway.networking.k8s.io created
customresourcedefinition.apiextensions.k8s.io/serviceexports.multicluster.x-k8s.io created
customresourcedefinition.apiextensions.k8s.io/serviceimports.multicluster.x-k8s.io created
customresourcedefinition.apiextensions.k8s.io/targetgrouppolicies.application-networking.k8s.aws created
customresourcedefinition.apiextensions.k8s.io/vpcassociationpolicies.application-networking.k8s.aws created
Warning: resource serviceaccounts/gateway-api-controller is missing the kubectl.kubernetes.io/last-applied-configuration annotation which is required by kubectl apply. kubectl apply should only be used on resources created declaratively by either kubectl create --save-config or kubectl apply. The missing annotation will be patched automatically.
serviceaccount/gateway-api-controller configured
clusterrole.rbac.authorization.k8s.io/aws-application-networking-controller created
clusterrole.rbac.authorization.k8s.io/metrics-reader created
clusterrole.rbac.authorization.k8s.io/proxy-role created
clusterrolebinding.rbac.authorization.k8s.io/aws-application-networking-controller created
clusterrolebinding.rbac.authorization.k8s.io/proxy-rolebinding created
configmap/manager-config created
service/gateway-api-controller-metrics-service created
deployment.apps/gateway-api-controller created

The kubectl warning about the missing last-applied-configuration annotation is expected: eksctl created the service account imperatively, and kubectl apply merged the manifest's copy over it. Before continuing, confirm that the eks.amazonaws.com/role-arn annotation eksctl added is still on the service account; without it the controller never receives the role you just created.

Create the required GatewayClass: amazon-vpc-lattice

Here’s the YAML file: https://github.com/aws/aws-application-networking-k8s/blob/v0.0.17/examples/gatewayclass.yaml

➜  ~ kubectl apply -f examples/gatewayclass.yaml
gatewayclass.gateway.networking.k8s.io/amazon-vpc-lattice created

You can validate the installation:
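As an added check that is not part of the original article, the following script reads kubectl -o json output and verifies the three things the steps above should have produced: the service account still carries the eks.amazonaws.com/role-arn annotation, the controller Deployment is ready, and the GatewayClass has been accepted by the controller named in the project's gatewayclass.yaml. The JSON documents embedded at the bottom are constructed by me to mirror kubectl's output shape; validate_live() runs the real commands against the current kubeconfig context.

```python
"""Added example (not from the original article or the AWS project): post-install
checks over `kubectl ... -o json` output. The SAMPLE_* documents are constructed
to mirror the shape kubectl emits; validate_live() fetches real ones."""
import json
import subprocess

NAMESPACE = "aws-application-networking-system"
SERVICE_ACCOUNT = "gateway-api-controller"
CONTROLLER_DEPLOYMENT = "gateway-api-controller"
# controllerName declared in the project's examples/gatewayclass.yaml
CONTROLLER_NAME = "application-networking.k8s.aws/gateway-api-controller"
ROLE_ARN_ANNOTATION = "eks.amazonaws.com/role-arn"


def kubectl_json(*args: str) -> dict:
    """Run kubectl with -o json and parse the result (live cluster only)."""
    proc = subprocess.run(["kubectl", *args, "-o", "json"],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def check_service_account(sa: dict) -> list[str]:
    """The IRSA annotation eksctl wrote must have survived `kubectl apply`
    of deploy.yaml, which carries its own ServiceAccount manifest."""
    annotations = sa.get("metadata", {}).get("annotations") or {}
    arn = annotations.get(ROLE_ARN_ANNOTATION, "")
    if not arn.startswith("arn:aws:iam::"):
        return [f"service account has no valid {ROLE_ARN_ANNOTATION} annotation"]
    return []


def check_controller_deployment(deploy: dict) -> list[str]:
    """All desired controller replicas must be Ready."""
    wanted = deploy.get("spec", {}).get("replicas", 1)
    ready = deploy.get("status", {}).get("readyReplicas", 0)
    if ready < wanted:
        return [f"controller deployment has {ready}/{wanted} ready replicas"]
    return []


def check_gatewayclass(gc: dict) -> list[str]:
    """A GatewayClass no controller claims stays at Accepted=Unknown/Pending;
    the AWS controller sets it to True once it is running and watching."""
    findings = []
    if gc.get("spec", {}).get("controllerName") != CONTROLLER_NAME:
        findings.append("gatewayclass controllerName does not match the AWS controller")
    conds = {c.get("type"): c for c in gc.get("status", {}).get("conditions", [])}
    accepted = conds.get("Accepted")
    if accepted is None:
        findings.append("gatewayclass has no Accepted condition")
    elif accepted.get("status") != "True":
        findings.append(f"gatewayclass not accepted: {accepted.get('reason')} - "
                        f"{accepted.get('message')}")
    return findings


def validate_live() -> list[str]:
    """Run all three checks against the current kubeconfig context."""
    return (
        check_service_account(
            kubectl_json("-n", NAMESPACE, "get", "serviceaccount", SERVICE_ACCOUNT))
        + check_controller_deployment(
            kubectl_json("-n", NAMESPACE, "get", "deployment", CONTROLLER_DEPLOYMENT))
        + check_gatewayclass(kubectl_json("get", "gatewayclass", "amazon-vpc-lattice"))
    )


# Constructed samples (not captured from a real cluster); the role name is a placeholder.
SAMPLE_SA = {"metadata": {"name": SERVICE_ACCOUNT, "namespace": NAMESPACE, "annotations": {
    ROLE_ARN_ANNOTATION: "arn:aws:iam::111122223333:role/eksctl-demo-addon-iamserviceaccount-Role1"}}}
SAMPLE_GATEWAYCLASS_OK = {"spec": {"controllerName": CONTROLLER_NAME}, "status": {"conditions": [
    {"type": "Accepted", "status": "True", "reason": "Accepted", "message": "Accepted"}]}}
SAMPLE_GATEWAYCLASS_PENDING = {"spec": {"controllerName": CONTROLLER_NAME}, "status": {"conditions": [
    {"type": "Accepted", "status": "Unknown", "reason": "Pending", "message": "Waiting for controller"}]}}


if __name__ == "__main__":
    for line in validate_live() or ["installation looks healthy"]:
        print(line)
```

A Pending GatewayClass after the controller pod is Running usually means the pod cannot reach AWS: check its logs for AccessDenied or credential errors, which points back at the service-account annotation and the trust policy.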
