Kubernetes Integration Guide - FluxGate
Open-source API gateway for microservices
kubectl apply -f https://fluxgate.dev/manifests/v1.8.2/fluxgate-controller.yaml
Pin the manifest to a release version as shown, and download and review it before applying it: kubectl apply creates everything the manifest declares (objects such as CRDs, ClusterRoles and admission webhooks) with your own cluster credentials.
Control Plane & Data Plane Topology
FluxGate operates as a lightweight, sidecarless routing engine deployed directly into your cluster. The control plane runs as a Deployment with three replicas, maintaining a hot-warm informer cache that watches the Kubernetes API server (never etcd directly) and reconciles every 500ms. Data plane pods scale independently via HPA, leveraging shared memory rings for zero-copy routing.
When deployed to production namespaces, the FluxGate operator automatically injects NetworkPolicy objects (enforced by the cluster's CNI plugin) that restrict traffic to the gateway pods, and enforces strict mTLS between gateway pods and upstream services. The two controls are complementary rather than interchangeable: NetworkPolicy limits L3/L4 reachability, while mTLS authenticates and encrypts the connections that are permitted. All configuration drift is detected through the built-in audit webhook, which triggers a rolling restart if the running checksums deviate from the declared state.
Custom Resource Definitions
FluxGate extends the Kubernetes API with three primary CRDs: FluxGateRoute, FluxGatePolicy, and FluxGateAuth. Each resource is validated against a JSON Schema hosted in the fluxgate-crd-validator validating admission webhook, ensuring strict type checking before admission. As with any validating webhook, this check only holds if the webhook's failurePolicy is Fail; with failurePolicy Ignore, an unavailable webhook lets unvalidated objects through.
FluxGateRoute objects define path-based matching, weighted canary deployments, and header transformations. FluxGatePolicy attaches cross-cutting concerns such as rate limiting (configured in requests per second per client IP), JWT validation, and request and response body mutation. When the gateway sits behind an external load balancer, the per-client-IP limit is only as good as the client IP derivation: it must come from the nearest trusted proxy hop, not from the client-controlled leftmost X-Forwarded-For entry. FluxGateAuth manages OIDC provider bindings and scopes. All CRDs are versioned under fluxgate.io/v1alpha3 and support server-side apply for declarative GitOps workflows.
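The per-client-IP rate limit above is declared in a FluxGatePolicy; what follows is an added example, not FluxGate's own code, of the two pieces the enforcement point has to get right behind a load balancer: deriving the client IP from the rightmost X-Forwarded-For hop that is not one of our own proxies (the leftmost entry is attacker-controlled, so keying a limiter on it lets a client reset its bucket on every request), and metering that key with a token bucket in requests per second with a bounded burst. The TRUSTED_PROXIES range, the naive and hardened functions, and the sample addresses are assumptions constructed for this example.

```python
"""Per-client-IP rate limiting behind a load balancer (added example, not FluxGate code)."""
import ipaddress
import time
from typing import Callable, Dict, Optional, Tuple

# Assumption for the example: only the cluster's external load balancers,
# which live in this range, are allowed to append hops to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def naive_client_ip(peer_addr: str, xff: Optional[str]) -> str:
    """The common mistake: trust the leftmost X-Forwarded-For entry, which the client wrote."""
    return xff.split(",")[0].strip() if xff else peer_addr


def client_ip(peer_addr: str, xff: Optional[str]) -> str:
    """Walk the hop chain from the socket peer leftwards, skipping trusted proxies.

    The first hop that is not a trusted proxy is the address the nearest trusted
    proxy actually observed, so the client cannot forge it.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    hops.append(peer_addr)
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # A trusted hop wrote something unparseable; key on the socket peer
            # rather than trusting anything further left.
            return peer_addr
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return peer_addr  # every hop was one of our own proxies


class TokenBucket:
    """Per-key token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate: float, burst: int, now: Callable[[], float] = time.monotonic):
        self.rate, self.burst, self.now = rate, burst, now
        self.buckets: Dict[str, Tuple[float, float]] = {}  # key -> (tokens, last_ts)

    def allow(self, key: str) -> bool:
        t = self.now()
        tokens, last = self.buckets.get(key, (float(self.burst), t))
        tokens = min(float(self.burst), tokens + (t - last) * self.rate)
        if tokens < 1.0:
            self.buckets[key] = (tokens, t)
            return False
        self.buckets[key] = (tokens - 1.0, t)
        return True


def admit(limiter: TokenBucket, peer_addr: str, xff: Optional[str]) -> bool:
    """Decide one request: derive the real client IP, then charge its bucket."""
    return limiter.allow(client_ip(peer_addr, xff))


if __name__ == "__main__":
    # Constructed traffic: a client at 203.0.113.7 behind the LB at 10.0.0.5
    # spoofs a fresh leftmost X-Forwarded-For entry on every request.
    limiter = TokenBucket(rate=10, burst=5)
    for i in range(7):
        spoofed = f"198.51.100.{i}, 203.0.113.7"
        print(i, naive_client_ip("10.0.0.5", spoofed), admit(limiter, "10.0.0.5", spoofed))
```

The naive derivation returns a different key for each spoofed request, so the limiter never trips; the hardened one keys every request on 203.0.113.7 and rejects the sixth within the same second. The trusted range must match the real load balancer addresses exactly: listing too wide a range lets an in-range attacker forge the hop to its left.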
Native Ingress & Gateway API Support
The FluxGate controller natively implements the networking.k8s.io/v1 Ingress spec and the gateway.networking.k8s.io/v1beta1 Gateway API. It watches for annotation changes and reconciles upstream endpoints without requiring pod restarts.
TLS termination handles SNI routing and automatic certificate provisioning via cert-manager integration. When paired with Istio or Linkerd, FluxGate exposes a unified control plane that respects service mesh traffic policies while offloading L7 routing decisions to the gateway node. Metrics are exported to Prometheus on port 9090, exposing fluxgate_request_duration_seconds and fluxgate_upstream_connection_errors with 99th percentile latency tracking. Restrict port 9090 to your Prometheus scrapers with a NetworkPolicy; the metrics endpoint reveals route names and upstream error patterns and should not be reachable over the same path as gateway traffic.
Debugging & Observability
When routing behavior deviates from expected outcomes, FluxGate provides structured logging, distributed tracing via OpenTelemetry, and a built-in debug endpoint for live configuration inspection. Treat the debug endpoint as sensitive: it exposes the live routing and auth configuration, so keep it off any externally reachable listener.
Endpoint Reconciliation Latency
If upstream service discovery takes longer than 2 seconds, first verify that the Role or ClusterRole bound to the fluxgate-controller ServiceAccount grants list and watch on endpoints and pods. A missing watch verb is easy to overlook because the initial list still succeeds while the cache then lags behind. Grant exactly those verbs rather than a wildcard. Increase the informer resync period to 15s if cluster size exceeds 500 nodes.
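One way to check the RBAC requirement offline, as an added example that is not FluxGate's own tooling: evaluate the rules of the controller's Role or ClusterRole (as returned by kubectl get clusterrole NAME -o json) the way the API server's RBAC authorizer does, where a rule matches a request if its apiGroups, resources and verbs each list the value or "*". The sample role below is constructed for the example; the REQUIRED triples are the list and watch permissions the step above asks about.

```python
"""RBAC rule check for the list/watch verbs an informer needs (added example, not FluxGate code)."""
import json

# The permissions the troubleshooting step asks about. endpoints and pods are
# core-group resources, so their apiGroup is the empty string.
REQUIRED = [
    ("", "endpoints", "list"), ("", "endpoints", "watch"),
    ("", "pods", "list"), ("", "pods", "watch"),
]


def rule_matches(rule, group, resource, verb):
    """RBAC semantics: each field matches if the rule lists the value or uses '*'."""
    def has(field, value):
        values = rule.get(field, [])
        return "*" in values or value in values
    return has("apiGroups", group) and has("resources", resource) and has("verbs", verb)


def missing_permissions(role, required=REQUIRED):
    """Return the (apiGroup, resource, verb) triples that no rule in the role grants."""
    if isinstance(role, str):
        role = json.loads(role)
    rules = role.get("rules", [])
    return [need for need in required if not any(rule_matches(r, *need) for r in rules)]


# Constructed sample: grants get and list on endpoints and pods but not watch,
# the exact shape in which the initial list succeeds and the cache then goes stale.
SAMPLE_ROLE = json.dumps({
    "kind": "ClusterRole",
    "metadata": {"name": "fluxgate-controller"},
    "rules": [
        {"apiGroups": [""], "resources": ["endpoints", "pods"], "verbs": ["get", "list"]},
        {"apiGroups": ["fluxgate.io"], "resources": ["*"], "verbs": ["*"]},
    ],
})

if __name__ == "__main__":
    for group, resource, verb in missing_permissions(SAMPLE_ROLE):
        print(f"missing: {verb} {resource} (apiGroup {group!r})")
```

Against a live cluster the same question can be asked with impersonation, for example kubectl auth can-i watch endpoints --as=system:serviceaccount:NAMESPACE:SERVICEACCOUNT, substituting the controller's namespace and ServiceAccount name. Fix a gap by adding the specific verb to the existing rule, not by widening the rule to "*".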
JWT Validation Failures
Confirm that the JWKS URL referenced by the FluxGateAuth resource (and the secret it points to) is still current: after a provider key rotation, tokens carry a kid that is absent from the cached key set and fail signature validation until the set is refreshed. Ensure the aud claim contains the registered client ID; OIDC permits aud to be either a single string or an array. To trace individual validation steps, set FLUXGATE_LOG_LEVEL=debug in the deployment environment, but treat that output as sensitive and revert the setting afterwards, since verbose token parsing exposes token contents in the logs.
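The claim checks behind each failure above, as an added example that is not FluxGate's implementation: FluxGateAuth validates provider tokens against the provider's JWKS (asymmetric keys), and to stay dependency-free this example instead signs with HS256 and a shared secret looked up by kid, which changes nothing about the checks that produce the failures described: an unknown kid after rotation, a bad signature, a wrong issuer, an aud (string or array) that does not include the client ID, or an expired exp. The issuer, client ID, key IDs and secret are constructed for the example.

```python
"""JWT claim validation for the FluxGateAuth failure modes (added example, not FluxGate code)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, secret: bytes, kid: str = "k1") -> str:
    """Mint a test token. Stands in for the OIDC provider; real providers sign with JWKS keys."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    parts = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify(token: str, keys: Dict[str, bytes], client_id: str, issuer: str,
           now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (ok, reason). `keys` maps kid -> secret and stands in for the cached JWKS."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
        claims = json.loads(b64url_decode(p_b64))
        signature = b64url_decode(s_b64)
    except ValueError:
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    # Pin the algorithm: the token must never choose it (rejects alg=none and key confusion).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    key = keys.get(header.get("kid"))
    if key is None:
        return False, "unknown kid (rotated JWKS?)"
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    # Only trust claims after the signature is verified.
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]  # OIDC allows a string or an array
    if client_id not in audiences:
        return False, f"aud {aud!r} does not include client ID {client_id!r}"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return False, "expired or missing exp"
    return True, "ok"


if __name__ == "__main__":
    secret = b"example-shared-secret"          # constructed for the example
    keys = {"k1": secret}
    now = time.time()
    for label, claims, kid in [
        ("good", {"iss": "https://idp.example", "aud": "fluxgate-web", "exp": now + 60}, "k1"),
        ("wrong aud", {"iss": "https://idp.example", "aud": "other-client", "exp": now + 60}, "k1"),
        ("rotated key", {"iss": "https://idp.example", "aud": "fluxgate-web", "exp": now + 60}, "k2"),
    ]:
        print(label, verify(sign_hs256(claims, secret, kid), keys, "fluxgate-web", "https://idp.example", now))
```

The order of checks matters: signature before claims, so an attacker cannot steer the reason string by editing an unsigned payload, and the key is selected by kid from a fixed set rather than from anything else in the header.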
TLS Handshake Timeouts
Verify that the ingress class annotation fluxgate.io/tls-acme=true is present. If using external load balancers, confirm that port 443 is not terminated before the traffic reaches the gateway pods: a load balancer that terminates TLS itself forwards plaintext, so the pods never see the ClientHello, SNI routing cannot work, and the handshake timeout is reported at the wrong hop. Either pass 443 through at L4 or, if the load balancer must terminate, configure it to re-encrypt to the gateway deliberately.