Skipper (Zalando HTTP proxy)
Definition
Skipper (github.com/zalando/skipper) is an HTTP router and reverse-proxy written in Go by Zalando, designed to be composable out of small filters and predicates along a routing DSL. At Zalando it is deployed as the default Kubernetes Ingress proxy across 140+ clusters (Source: sources/2020-06-30-zalando-launching-the-engineering-blog), sitting behind AWS ALBs provisioned by the Kubernetes Ingress Controller for AWS and in front of application pods.
What makes it distinctive
- Eskip routing DSL — routes are declarative, composed as `predicate_chain -> filter_chain -> backend`. Filters like `compress()`, `setPath("/...")`, `inlineContent(...)`, `setDynamicBackendUrl(...)` chain with `->` before the final backend token. Example from the Zalando blog-launch post: `* -> compress() -> setDynamicBackendUrl("http://<BUCKET>.s3-website.<REGION>.amazonaws.com") -> <dynamic>;` — this annotation (attached to an `Ingress` as `zalando.org/skipper-routes`) rewrites every request so the ingress proxies to an S3 static-website endpoint with edge `gzip` compression.
- Dynamic backends via `<dynamic>` sentinel — backends can be resolved from request headers or from filters at request time (`setDynamicBackendUrl`), which is how Skipper can front a non-Kubernetes origin (S3 website, a legacy host, etc.) without needing a Service/Endpoints pair.
- Rich filter library for L7 manipulation — `compress()` adds gzip encoding that upstreams don't provide; `ratelimit(...)`, `oauthTokeninfoAnyScope(...)`, `stripQuery()`, header add/remove/set filters, response-body rewriting. Used as the platform-wide policy enforcement point at Zalando.
- Ingress annotation integration — rather than a custom CRD for routes, Skipper reads routes from Kubernetes `Ingress` objects with the `zalando.org/skipper-routes` annotation containing eskip DSL. This keeps the Kubernetes-native API surface intact while exposing Skipper's full filter capability.
Seen in
- sources/2020-06-30-zalando-launching-the-engineering-blog — reused as the edge proxy for `engineering.zalando.com` instead of standing up CloudFront; single ingress-annotation route proxies to S3 website endpoint with `compress()` for gzip.
- sources/2021-03-01-zalando-building-an-end-to-end-load-test-automation-system-on-top-of-kubernetes — Skipper's header-based routing is the substrate that lets a single service instance in Zalando Payments' test cluster dynamically switch between the real external dependency and its Hoverfly mock per request, based on whether the request carries a load-test tag. Canonical instance of patterns/header-routed-mock-vs-real-dependency; the tight integration of predicate-filtered eskip routes with existing Ingress deployments is what makes this a zero-new-infrastructure pattern at Zalando.
- sources/2021-06-30-zalando-how-we-use-kotlin-for-backend-services — Skipper's OAuth token-info filters (`oauthTokeninfoAnyScope(...)`, etc.) named as the first of three default AuthN/AuthZ options for new Kotlin backend services at Zalando (the other two: Route Groups and Fabric Gateway). Rationale given: Skipper "is designed to handle a large number of requests and is less likely to be misconfigured than for example Spring security" — a misconfiguration-at-scale argument for the central choke-point gateway over per-service auth libraries.
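
The central choke-point argument above depends on every route actually carrying the auth filter, so the eskip text in a `zalando.org/skipper-routes` annotation is worth auditing. The following is an added example, not Skipper's or Zalando's code: it lists routes that have no `oauthTokeninfo*` filter, using a simplified tokenizer that respects quoted strings but does not handle eskip regex literals or comments. The route ids, the scope and the `.example` hosts in the sample are constructed.

```python
import re

# Constructed sample of a zalando.org/skipper-routes annotation value.
# Route ids, the scope and the .example hosts are made up; the first
# route is the one quoted on this page, with an id added.
SAMPLE = '''
blog: * -> compress() -> setDynamicBackendUrl("http://<BUCKET>.s3-website.<REGION>.amazonaws.com") -> <dynamic>;
api: Path("/api") -> oauthTokeninfoAnyScope("orders.read") -> "https://orders.example";
odd: Path("/a;b") -> setPath("/x->y") -> "https://legacy.example";
'''

# Quoted strings are single tokens, so ';' or '->' inside them never split a route.
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|->|;|[^";-]+|-')
AUTH_PREFIX = "oauthTokeninfo"  # filter family named on this page


def split_routes(doc):
    """Split eskip text into routes; each route is its '->'-separated segments."""
    routes, segs, cur = [], [], ""
    for tok in TOKEN.findall(doc):
        if tok in ("->", ";"):
            segs.append(cur.strip())
            cur = ""
            if tok == ";":
                routes.append(segs)
                segs = []
        else:
            cur += tok
    if cur.strip() or segs:  # final route without a trailing ';'
        routes.append(segs + [cur.strip()])
    return routes


def audit(doc):
    """Return (route_id, has_auth_filter, backend) for every route in doc."""
    report = []
    for i, segs in enumerate(split_routes(doc)):
        m = re.match(r"(\w+)\s*:", segs[0])
        rid = m.group(1) if m else f"<route {i}>"
        filters, backend = segs[1:-1], segs[-1]  # first segment holds the predicates
        report.append((rid, any(f.startswith(AUTH_PREFIX) for f in filters), backend))
    return report


if __name__ == "__main__":
    for rid, authed, backend in audit(SAMPLE):
        print(f"{'ok     ' if authed else 'NO AUTH'}  {rid:<6} -> {backend}")
```

A route reported without an auth filter is a prompt for review rather than a finding in itself: a public static site such as the blog route is expected to be open.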
Comparable systems
- nginx / Envoy / HAProxy — general-purpose L7 proxies. Envoy is the dominant K8s ingress in service-mesh contexts; Skipper's differentiator is the eskip DSL and the tight integration with Ingress annotations at Zalando scale.
- Pingora (Cloudflare) — Rust, internal to CF.
- Fly Proxy — Go, runs Fly.io's anycast edge.