Prerequisites

Skew protection requires a Kubernetes Gateway API controller in the cluster. This page covers the setup requirements.

Enable Skew Protection

Skew protection is disabled by default. Enable it via the PLT_FEATURE_SKEW_PROTECTION environment variable or the Helm value services.icc.features.skew_protection.enable:

PLT_FEATURE_SKEW_PROTECTION=true

When disabled, ICC does not interact with the Gateway API at all. No Gateway controller is required and ICC behaves exactly as it does today.

Gateway API CRDs

The Gateway API is not built into Kubernetes. The Custom Resource Definitions (CRDs) must be installed separately:

kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.1/standard-install.yaml

This installs the CRDs only (GatewayClass, Gateway, HTTPRoute) — no controller is deployed.

Gateway API Controller

A Gateway API-compliant controller must be deployed in the cluster to process Gateway and HTTPRoute resources.

The controller must support the following features:

Feature	Conformance Level	Required For
`HTTPRoute` with `backendRefs`	Core	Routing to versioned Services
`headers` match with `Exact` type	Core	`x-deployment-id` header matching
`ResponseHeaderModifier` filter	Core	Setting `Set-Cookie` on responses
`headers` match with `RegularExpression` type	Extended	Cookie-based version pinning

Compatible Controllers

Skew protection has been verified with Envoy Gateway. Any Gateway API controller that supports RegularExpression header matching will work. The following controllers are known to support it:

Controller	License	Regex Header Match	Notes
Envoy Gateway	Apache 2.0	Supported	CNCF project, Envoy-based. Lightweight, purpose-built for Gateway API.
Istio	Apache 2.0	Supported	Full service mesh with Gateway API support.
Contour	Apache 2.0	Supported since v1.25.0	Envoy-based ingress controller.
Cilium	Apache 2.0	Supported	eBPF-based networking with Envoy data plane.
Traefik	MIT	Supported	Cloud-native reverse proxy.
kgateway	Apache 2.0	Supported	Envoy-based, CNCF project (formerly Gloo Gateway OSS).
Kong	Apache 2.0	Supported	Kong-based ingress controller.
NGINX Gateway Fabric	Apache 2.0	Supported since v2.0.0	NGINX-based.

Gateway and GatewayClass Resources

The cluster operator must create a GatewayClass and Gateway resource before ICC can manage HTTPRoute resources. This is standard Gateway API setup:

apiVersion: gateway.networking.k8s.io/v1
kind: GatewayClass
metadata:
  name: platformatic
spec:
  # controllerName varies by controller — this example uses Envoy Gateway
  controllerName: gateway.envoyproxy.io/gatewayclass-controller
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: platform-gateway
  namespace: platformatic
spec:
  gatewayClassName: platformatic
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate
        certificateRefs:
          - name: platform-tls
    - name: http
      protocol: HTTP
      port: 80

ICC references this Gateway in the parentRefs of each managed HTTPRoute. The Gateway resource is auto-discovered — no additional configuration is needed unless your cluster has multiple Gateways.

Machinist RBAC

Machinist’s Kubernetes service account must have permissions to manage HTTPRoute resources. If you are using the Platformatic Helm chart, these permissions are included automatically. For manual installations, add the following to Machinist’s ClusterRole:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: machinist-gateway-api
rules:
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["httproutes"]
    verbs: ["get", "list", "create", "update", "patch", "delete"]
  - apiGroups: ["gateway.networking.k8s.io"]
    resources: ["gateways"]
    verbs: ["get", "list"]

Kubernetes Version

Each Gateway API release supports the 5 most recent Kubernetes minor versions. For the current Gateway API v1.4.1 release, this means Kubernetes 1.27 or later.