From 2aed7250ee30b20c27493f41357c01224b35059c Mon Sep 17 00:00:00 2001 From: Seth Malaki Date: Fri, 26 Jun 2026 11:17:10 +0100 Subject: [PATCH] docs(gateway): fix default-deny step for namespaced mode Gateway API namespaced mode (https://github.com/tigera/operator/pull/4690) moved the data-plane proxies into each Gateway's own namespace, not tigera-gateway. The default-deny step still told users to exclude the tigera-gateway namespace, which no longer covers the proxies. With https://github.com/tigera/operator/pull/4970 the operator allows the proxy's own traffic through the calico-system tier, so users only need to allow the proxy to reach their backends. --- .../networking/ingress-gateway/create-ingress-gateway.mdx | 7 +++++-- .../networking/ingress-gateway/create-ingress-gateway.mdx | 7 +++++-- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/calico-enterprise/networking/ingress-gateway/create-ingress-gateway.mdx b/calico-enterprise/networking/ingress-gateway/create-ingress-gateway.mdx index f3316997c6..9bd528eb7f 100644 --- a/calico-enterprise/networking/ingress-gateway/create-ingress-gateway.mdx +++ b/calico-enterprise/networking/ingress-gateway/create-ingress-gateway.mdx @@ -30,8 +30,11 @@ You need to do the following: ## Create an ingress gateway 1. If you are using a [global default deny policy](../../network-policy/beginners/kubernetes-default-deny.mdx), - allow traffic through the gateway by adding the `tigera-gateway` namespace to the list of excluded namespaces in the - `namespaceSelector` field. + you do not need to allow the gateway proxy's own traffic. The Tigera Operator allows it through a + policy in the `calico-system` tier. You do need to allow the gateway proxy to reach your backend + workloads. The proxy pods carry the label `gateway.envoyproxy.io/owning-gateway-name`, so you can + select them in an egress rule. Without that rule, the gateway is reachable but returns `503` because + the proxy cannot connect to the backend. 1. To enable Gateway API support, create a `GatewayAPI` resource with the name `tigera-secure`: diff --git a/calico/networking/ingress-gateway/create-ingress-gateway.mdx b/calico/networking/ingress-gateway/create-ingress-gateway.mdx index b0712ec29b..1b4199ba15 100644 --- a/calico/networking/ingress-gateway/create-ingress-gateway.mdx +++ b/calico/networking/ingress-gateway/create-ingress-gateway.mdx @@ -30,8 +30,11 @@ You need to do the following: ## Create an ingress gateway 1. If you are using a [global default deny policy](../../network-policy/get-started/kubernetes-default-deny.mdx), - allow traffic through the gateway by adding the `tigera-gateway` namespace to the list of excluded namespaces in the - `namespaceSelector` field. + you do not need to allow the gateway proxy's own traffic. The Tigera Operator allows it through a + policy in the `calico-system` tier. You do need to allow the gateway proxy to reach your backend + workloads. The proxy pods carry the label `gateway.envoyproxy.io/owning-gateway-name`, so you can + select them in an egress rule. Without that rule, the gateway is reachable but returns `503` because + the proxy cannot connect to the backend. 1. To enable Gateway API support, create a `GatewayAPI` resource with the name `default`: