Understand Gateway API concepts — GatewayClass, route resources, cross-namespace references, and backend TLS.
0 / 5 completed
1 / 5
In a design review on migrating from Ingress, a colleague asks about the role of GatewayClass. What is correct?
GatewayClass is a cluster-scoped resource — analogous to IngressClass — that identifies the controller implementation (such as Envoy Gateway or Istio) responsible for managing Gateways of that class. Different GatewayClasses can coexist, each served by a different controller binary.
2 / 5
During a PR review, a reviewer asks what the parentRefs field in an HTTPRoute does. What is the correct answer?
parentRefs is how an HTTPRoute attaches itself to a Gateway. Each entry specifies the name and namespace of the target Gateway, and optionally a sectionName to bind to a specific listener (e.g. only the HTTPS listener on port 443). Without a matching parentRef, the route is not active.
3 / 5
At standup, you're asked to explain the purpose of ReferenceGrant. Which answer is correct?
ReferenceGrant solves cross-namespace reference security. If an HTTPRoute in namespace A wants to reference a Service in namespace B, namespace B's owner must create a ReferenceGrant permitting that specific cross-namespace reference. This prevents namespace A from routing to services it doesn't own without explicit consent.
4 / 5
An incident involves migrating gRPC services to Gateway API. A teammate suggests using GRPCRoute instead of HTTPRoute. What is the correct rationale?
GRPCRoute provides native gRPC semantics: you can match on GRPCService (the protobuf service name) and GRPCMethod, and apply header-based routing that understands gRPC's HTTP/2 framing. Using HTTPRoute for gRPC requires awkward path-prefix matching and doesn't model the gRPC service/method structure naturally.
5 / 5
In a code review, the team examines backend TLS configuration in Gateway API. What is the correct approach?
BackendTLSPolicy is a separate Gateway API resource that instructs the Gateway to originate TLS connections to backend Services. It specifies the CA certificate (as a ConfigMap reference) used to verify the backend's certificate and an optional SNI hostname. This is distinct from the frontend TLS termination configured on the Gateway's listeners.