| full article | Kubernetes Ingress | NGINX Ingress | Kong Ingress | Traefik | HAproxy | Voyager | Contour | Istio Ingress | Ambassador | Gloo | Skipper |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Protocols | http/https, http2, grpc, tcp/udp (partial) | http/https, http2, grpc, tcp/udp | http/https, http2, grpc, tcp (l4) | http/https, http2 (h2c), grpc, tcp, tcp+tls | http/https, http2, grpc, tcp, tcp+tls | http/https, http2, grpc, tcp, tcp+tls | http/https, http2, grpc, tcp/udp, tcp+tls | http/https, http2, grpc, tcp/udp, tcp+tls, mongo, mysql, redis | http/https, http2, grpc, tcp/udp, tcp+tls | http/https, http2, grpc, tcp, tcp+tls | http/https |
| Based on | nginx | nginx/nginx plus | nginx | traefik | haproxy | haproxy | envoy | envoy | envoy | envoy | — |
| Traffic routing | host, path (with regex) | host, path, header, method, query param (all with regex expect host) | host, path, method, header* | host (regex), path (regex), headers (regex), query, path prefix, method | host, path | host, path | host, path | host, path, method, header (all with regex) | host, path, method, header (all with regex) | host, path, method, header, query param (all with regex) | host, path, method, header (all with regex) |
| Namespace limitations | All cluster or specified namespaces | All cluster or specified namespaces | Specified namespace | All cluster or specified namespaces | All cluster or specified namespaces | All cluster or specified namespaces | All cluster or specified namespaces | All cluster or specified namespaces | All cluster or specified namespaces | All cluster or specified namespaces | All cluster or specified namespaces |
| Traffic distribution | canary, a/b (cookie balancing) | canary, a/b (routing rules), blue-green (service in the upstream) | canary, acl, blue-green, proxy caching* | canary, blue-green, shadowing | blue-green, shadowing | canary, blue-green, acl | canary, blue-green | canary, a/b, shadowing, http headers, acl, whitelist | canary, a/b, shadowing, http headers, acl, whitelist | canary, shadowing | canary, a/b, blue-green, shadowing, whitelist |
| Upstream probes | retry, timeouts | retry, timeouts, active health checks (based on http probe for pod)* | active, circuit breaker | retry, timeouts, active, circuit breaker | check-uri, check-address, check-port | haproxy healthchecks | timeouts, active | retry, timeouts, active checks, circuit breakers | retry, timeouts, active checks, circuit breakers | retry, timeouts, circuit breakers | retry, timeouts, circuit breaker |
| Load balancing | round-robin, sticky sessions, least-conn, ip-hash, ewma | round-robin, least-conn, ip-hash, hash, random, least-time*, sticky sessions* | weighted-round-robin, sticky sessions | weighted-round-robin, dynamic-round-robin, sticky sessions | round-robin, static-rr, leastconn, first, source, uri, url_param, header, sticky sessions | round-robin, static-rr, leastconn, first, source, uri, url_param, header, sticky sessions | round-robin, sticky sessions, weighted-least-request, ring hash, maglev, random | round-robin, sticky sessions, weighted-least-request, ring hash, maglev, random, limit conn, limit req | round-robin, sticky sessions, weighted-least-request, ring hash, maglev, random | round-robin, sticky sessions, least request, random | round-robin, sticky sessions, random |
| Authentication | Basic, Client cert, external Basic, external OAuth | - | Basic, HMAC, Key, LDAP, OAuth 2.0, PASETO, OpenID Connect** | Basic, auth-url, auth-tls, external auth | Basic, OAuth, Auth TLS | Basic, OAuth, auth-tls, OAuth Google, OAuth GitHub | - | Basic, mutual tls, OpenID, custom auth | Basic, external auth, OAuth, OpenID | Basic*, external auth*, OAuth*, OpenID*, LDAP* | Basic, OAuth, OpenID |
| Paid subscription | - | + | + | + | + | + | - | - | + | + | - |
| GUI | - | + * ** | + * ** | + | - | - | - | - | - | + * | - |
| JWT validation | - | + * | + ** | - | + ** | - | - | + | + * | + * | + |
| Basic DDoS protection | rate limit, limit conn, liimt rps, limit rpm, limit-rate-after, limit-whitelist | max-conns, rate limit, rate-limits (with custom annotations) | advanced rate limit*, rate limit, request size limit, request termination, response rate limit | max-conns, rate limit, ip whitelist | limit-rps, limit-connections, limit-whitelist | max-conns, rate limit, whitelist | max-conns, max-request | acl, whitelist, rate limit | rate limit, load shedding | rate limit* | rate limit |
| Requests tracing | + | + | + | + | - | - | - | + | + | + | + |
| Config customization | + | + | + | + | + | + | - | + | - | - | + |
| WAF | lua-resty-waf, ModSecurity | + * | Wallarm | - | ModSecurity | - | - | ModSecurity | - | ModSecurity* | - |
| GitHub:starscommits (contributors)releases | 89005574 (582)110 | 2900871 (57)44 | 1230791 (71)27 | 314003791 (560)316 | 6641131 (39)101 | 12481323 (64)86 | 25172925 (119)55 | 2490013945 (640)170 | 302415069 (162)547 | 26461414 (67)330 | 23001786 (104)668 |
| 对比维度 | HAProxy Unified Gateway | Ingress | Kubernetes Gateway API |
|---|---|---|---|
| 定位与标准 | Kubernetes原生统一网关,同时兼容Ingress和Gateway API标准 | Kubernetes传统入口API,依赖控制器实现 | Kubernetes官方新一代入口API,替代Ingress的标准化方案 |
| 功能特性 | 统一管理Ingress/Gateway API流量,支持TCP/HTTP/HTTPS,内置HAProxy高性能内核 | 基础HTTP路由,依赖厂商注解扩展功能 | 多协议支持(TCP/UDP/TLS/gRPC),细粒度路由(路径/头/查询参数),权重路由、蓝绿/金丝雀发布 |
| 扩展性 | 通过HAProxy配置深度定制,支持企业级扩展 | 依赖控制器实现,不同厂商实现差异大 | 标准化CRD设计,支持ExtensionPolicy扩展,厂商中立 |
| 多租户与角色分离 | 支持跨命名空间路由,通过GatewayClass/Gateway/Route分层管理 | 弱多租户支持,依赖命名空间隔离 | 强角色分离(基础设施提供商/集群运维/应用开发者),支持ReferenceGrant跨空间授权 |
| 性能与可靠性 | 基于HAProxy高性能内核,支持千万级并发,低延迟 | 性能依赖控制器实现,通常支持高并发 | 性能与控制器实现相关,标准设计优化高并发场景 |
| 部署复杂度 | 统一部署,支持Helm/手动部署,兼容现有Ingress | 需单独部署控制器,配置简单 | 需安装CRD及控制器,配置标准化但需适应新资源模型 |
| 适用场景 | 新老项目迁移过渡,统一管理Ingress/Gateway API流量 | 简单HTTP路由场景,快速部署 | 复杂流量管理(多协议/高级路由/多租户),现代化云原生架构 |
| 生态兼容性 | 兼容主流Kubernetes发行版,支持与HAProxy Fusion集成 | 广泛兼容,但实现差异大 | 官方标准,主流网关(Envoy/Istio/Traefik)及云厂商支持 |
| 版本与演进 | 2025年发布Beta版,2026年规划企业版 | Kubernetes原生API,持续更新 | v1.0稳定版已发布,持续迭代新特性(如UDPRoute) |
https://blog.palark.com/comparing-ingress-controllers-for-kubernetes/
https://docs.google.com/spreadsheets/d/1DnsHtdHbxjvHmxvlu7VhzWcWgLAn_Mc5L1WlhLDA__k/edit?gid=0#gid=0