SYSTEM Cited by 1 source
Fabric Gateway (Zalando)¶
Definition¶
Fabric Gateway (zalando-incubator.github.io/fabric-gateway) is Zalando's open-source declarative API gateway for Kubernetes. It composes a Kubernetes Custom Resource Definition for API-gateway configuration with Skipper as the underlying HTTP routing and filter engine. Teams declare their gateway policy (routes, OAuth scopes, rate limits, CORS, request/response transforms) in a single Fabric Gateway custom resource; the operator materialises the corresponding Skipper routes and Route Groups in-cluster.
Role in the Zalando stack¶
- One of three Skipper-backed auth options for Kotlin
backend services — the
Kotlin
adoption post names three ways to handle AuthN/AuthZ at
the ingress: (1) direct Skipper filters like
oauthTokeninfoAnyScope(...), (2) Skipper Route Groups, (3) Fabric Gateway. Fabric Gateway is the highest-abstraction option — teams declare intent, not filter chains. - Declarative > filter-chain — the argument for using Fabric Gateway over hand-written Skipper filters is the same argument Zalando makes for Skipper over per-service auth libraries (Spring Security etc.): "less likely to be misconfigured" at scale because the config surface is smaller and more uniform.
What makes it distinctive¶
- Kubernetes-native API gateway built on Skipper, not Envoy — unlike most K8s API gateways (Kong, Ambassador, Emissary, Contour) which build on Envoy or Nginx, Fabric Gateway leverages Zalando's existing Skipper fleet. This keeps the runtime data plane identical to Zalando's Ingress data plane — the same proxy serves both generic ingress and API-gateway routes.
- One CRD captures the full gateway policy — routes, OAuth scopes per route, rate limiting, header manipulation, CORS — all in a single declarative resource.
- Ships as Zalando-incubator — not a mature open-source project with broad external adoption, but production-used inside Zalando.
Seen in¶
- sources/2021-06-30-zalando-how-we-use-kotlin-for-backend-services — named as the third of three recommended AuthN/AuthZ paths for new Kotlin backend services, alongside direct Skipper filters and Route Groups.
Comparable systems¶
- Kong / Ambassador / Emissary / Contour — more widely adopted K8s API gateways, all Envoy- or Nginx-backed. Fabric Gateway's distinction is Skipper-backed and Zalando-tailored.
- Ambassador Edge Stack (Envoy) — closest analogue for declarative K8s-native gateway with AuthN/AuthZ built in.
- Skipper Route Groups — the lower-abstraction option at Zalando; Fabric Gateway sits one layer above.
Related¶
- systems/skipper-proxy — underlying HTTP routing + filter engine.
- systems/kubernetes
- companies/zalando