Cilium Gateway API in Managed Kubernetes

Managed Kubernetes is using Cilium currently. I hope it allows us to use Cilium Gateway API.

Note based on here:

One of the biggest differences between Cilium’s Ingress and Gateway API support and other Ingress controllers is how closely tied the implementation is to the CNI. For Cilium, Ingress and Gateway API are part of the networking stack, and so behave in a different way to other Ingress or Gateway API controllers (even other Ingress or Gateway API controllers running in a Cilium cluster).

Other Ingress or Gateway API controllers are generally installed as a Deployment or Daemonset in the cluster, and exposed via a Loadbalancer Service or similar (which Cilium can, of course, enable).

Cilium’s Ingress and Gateway API config is exposed with a Loadbalancer or NodePort service, or optionally can be exposed on the Host network also. But in all of these cases, when traffic arrives at the Service’s port, eBPF code intercepts the traffic and transparently forwards it to Envoy (using the TPROXY kernel facility).

This affects things like client IP visibility, which works differently for Cilium’s Ingress and Gateway API support to other Ingress controllers.

It also allows Cilium’s Network Policy engine to apply CiliumNetworkPolicy to traffic bound for and traffic coming from an Ingress.

Nebius support informed me that customizing add-ons is not currently supported, but they plan to enable it in the future. For now, I can modify the cilium-config ConfigMap as described in https://docs.nebius.com/kubernetes/networking/add-ons#cilium and try enabling the Gateway API, with the understanding that these changes might be reverted during Nebius upgrades.

It would be great to

1. officially support customization of add-ons

2. expose as a parameter at OpenTofu/Terraform https://docs.nebius.com/terraform-provider/reference/resources/mk8s_v1_cluster so we can have choice and also controls in the code

Thanks! 😃