Solo.io

More Than Envoy: A Kubernetes-Native Gateway Platform

Kgateway is built on Envoy, adding the Kubernetes Gateway API, a declarative control plane, and policy CRDs so platform teams get a full gateway platform instead of raw Envoy config to maintain by hand.

What Envoy gives you, and what kgateway adds

Kgateway is built on Envoy, not a replacement for it

“Envoy handles our data plane, but every team is hand-writing its own xDS config and bootstrap.”

Kgateway adds a Kubernetes-native control plane on top of Envoy, so routes, listeners, and policy are declared as Kubernetes Gateway API resources instead of hand-rolled Envoy config.

“We need consistent authentication, rate limiting, and WAF policy across every Envoy deployment, not per-team config.”

Kgateway layers policy CRDs for auth, rate limiting, and WAF on top of Envoy, so every team gets the same enforced defaults instead of reimplementing policy in raw Envoy config.

“Raw Envoy is a great proxy, but we still need someone to support the whole stack in production.”

Kgateway is CNCF-hosted and backed by Solo's enterprise support, so you get production hardening and a support contract for the full gateway, not just the proxy underneath it.

Why Teams Choose Us

“We standardized on Envoy, but every team configures it differently and nobody wants to own the YAML.”

Kgateway gives every team the same Kubernetes Gateway API surface for routes and listeners, so Envoy config stays declarative and consistent instead of a one-off per team.

“Security has to be built into our gateway from day one, not bolted on after launch.”

Get authentication, rate limiting, and WAF policy as Kubernetes-native CRDs on top of Envoy, so every team inherits the same enforced controls by default.

“We rely on Envoy in production and need a support contract for the whole stack, not just the proxy.”

Kgateway is CNCF-hosted and backed by Solo's enterprise support, so you get one accountable vendor for the control plane, policy layer, and the Envoy data plane underneath it.

Customer proof

"In the last two years, I have never woken up to issues related to kgateway. It just works."
"We evaluated multiple vendors... but kgateway was basically a match made in heaven because it had Kubernetes-native support and allowed teams to control their own silos."

Trust & compliance

SOC 2

SOC 2

Certification supports security and procurement review for regulated Kubernetes environments

OSS roots

OSS roots

Build on Envoy, Istio, Cilium, and Gateway API foundations for open source service mesh adoption.

CNCF maintainer status

CNCF maintainer status

keeps Solo.io engineers close to the projects shaping cloud native mesh standards.

FIPS builds

FIPS builds

provide FIPS 140-2 validated options for service mesh security requirements.

Published SLAs

Published SLAs

Define support expectations for enterprise service mesh operations.

Customer references

Customer references

include production outcomes from teams running large-scale Kubernetes networking.

Frequently Asked Questions

What is an API gateway platform, and why do I need one?

An API gateway platform is the single entry point that manages, secures, and routes traffic between API consumers and your backend services. As API and microservice footprints grow, a platform centralizes authentication, rate limiting, and observability instead of leaving each service to handle it independently.

Is there an open source API gateway option?

Yes. Kgateway is open source and CNCF-hosted, free to run on your own, with enterprise support and advanced policy on top when you need them.

Isn’t kgateway just Envoy? What does it actually add?

Envoy is the data plane proxy that moves traffic; kgateway adds the Kubernetes Gateway API, a declarative control plane, and policy CRDs for auth, rate limiting, and WAF on top of it. You get everything Envoy does at the data plane, plus a Kubernetes-native way to configure and support it.

Is it a secure, cloud-native API gateway?

Yes. It’s a cloud-native, Kubernetes-native API gateway with authentication, rate limiting, and WAF policy built in at the Envoy layer, so security travels with the gateway instead of being added per service.

What does an enterprise API gateway cost?

Cost depends on your traffic, cluster count, and support tier. A demo is the fastest way to get a number scoped to your environment rather than a generic estimate.

See What Kgateway Adds on Top of Envoy

Request a demo to see how kgateway's control plane, policy CRDs, and enterprise support extend Envoy for your Kubernetes environment.