add UDPRoute GEP by zac-nixon · Pull Request #4720 · kubernetes-sigs/gateway-api

zac-nixon · 2026-03-31T01:12:43Z

What type of PR is this?

What this PR does / why we need it:

Which issue(s) this PR fixes:

Fixes #

Does this PR introduce a user-facing change?:

k8s-ci-robot · 2026-03-31T01:12:45Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

rikatz · 2026-03-31T16:27:11Z

+
+// UDPRouteSpec defines the desired state of UDPRoute.
+type UDPRouteSpec struct {
+    CommonRouteSpec `json:",inline"`


I can't remember the full discussion of it, and I guess this also happened during Kubecon/EGADS, but I guess we need a different parentRef semantic for TCP and UDP routes, where we enforce it must be attached to a named listener, so you know which port will be routing to it.

@rostislavbobo @youngnick I need some help here, as I don't know what was the conclusion of TCP and UDPRoute

I'd be interesting to hear why. A common use-case for Layer 4 load balancers is to listen on a range of ports and forward to the same backend.

well, you still need a well defined port for it, right? So it means you need each port defined on the listener today, being named and then you need to select one by one which you want to attach to the same backends.

Makes me think that we also do not quite support port ranges on listeners today, but that's another story

The use-case that we're making hard is that suppose I expose my application on a range of ports, 80-100, I would need to parent ref each individual port. What would be the reason to make this use-case harder?

right, true. But I still have the feeling I am missing a reason why we do not do this, so I will defer to @youngnick because he may remember better than me!

Anyway, given this is provisional and eventually experimental, it is not a hard block but probably a "Must decide" situation for me

anyway, should we consider a support for a port range on a listener and attachment to that listener directly? I am still thinking that for the range case you may need:

one listener per port on your range

then one parentRef for each port

even if we lower the second bar, the first one still is necessary and may be problematic, wdyt?

As it stands today, each Listener supports only one port. We have discussed port range semantics in the past, but nothing moved forward.

I think it's probably fine to say, for now:

UDPRoutes will attach to:

a single listener with a matching name if sectionName is supplied in the parentRef

a single listener with a matching port if port is supplied in the parentRef, and the implementation supports the GatewayParentRefPort feature (I think that's the right feature name)

All Listeners on the Gateway with protocol set to UDP if no sectionName or port is specified.

That handles the multiple ports case for now, until we decide if and how we would add port range support to Listener. (I expect there to be more appetite for that once UDPRoute and TCPRoute move forward). That would make port range on Listener semantic sugar for having that many Listener entries, one for each distinct port. I'd also recommend that port ranges must be contiguous.

But again, we should wait and handle the simpler, single-port case first, and then come back and figure out how to handle the more complex case once we have that done.

I like the semantics you laid out, @youngnick as that matches the correct behavior for listener attachment.

rikatz · 2026-03-31T16:31:15Z

+          port: 53
+```
+
+## Conformance


I would like to have the conformance tests added on a more descriptive way. I know this is a draft for now, so leaving it as a comment for once we decide to move on.

As an example: https://github.com/kubernetes-sigs/gateway-api/blob/main/geps/gep-1713/index.md?plain=1#L989

Yeah, I will add more detail on the conformance tests once we're happy with the UDPRoute requirements. For example, you mentioned removing weighted routing which will be important to finalize before writing conformance tests.

Added more detailed conformance tests.

rikatz · 2026-03-31T16:54:29Z

/cc
/assign

youngnick · 2026-04-01T03:10:20Z

/cc

cnvergence · 2026-04-02T12:33:25Z

+#### Basic UDP Service Routing (DNS)
+
+```yaml
+apiVersion: gateway.networking.k8s.io/v1beta1


we might update it to gateway.networking.k8s.io/v1
opened #4722

Is the GEP for the current state or for the desired state?

I would say both, for the factual state

I don't know how to represent both states. Are you suggesting duplicating the YAMLs?

It is really a nit comment, the gateway resource has been GA since the Gateway API v1.0 release and should use gateway.networking.k8s.io/v1. I have found that the examples in the conformance were outdated, so we have updated them.
Thanks 🙂

we must keep the GEP on the current state. We move the APIs versioning to the right state once the API is promoted.

That said:

Any reference to a Gateway/GatewayClass must use apiVersion v1 (the latest GA)

Any reference to a UDPRoute must use the current apiVersion (v1alpha2)

k8s-ci-robot · 2026-04-03T22:45:51Z

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: zac-nixon
Once this PR has been reviewed and has the lgtm label, please ask for approval from rikatz. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

geps/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

rikatz · 2026-04-17T18:12:14Z

+  parentRefs:
+    - name: dns-gateway
+      sectionName: dns-udp
+  rules:


maybe add some example on how you envision the "port range" case mentioned above

This can probably hold until the discussion of how we handle port ranges on the Listener. I should note here that Service does not have port range support that I can see, so we'll need to manage that somehow as well.

Will hold off on port range

I suppose that the user would need to manually specify the ports in the Gateway, but we can save them the headache of duplicating the parent refs :) ideally -- it would be nice to support a range concept in the Gateway.

rikatz · 2026-04-17T18:13:21Z

+
+UDPRoute will be part of the Gateway API conformance suite with the following requirements:
+
+* Implementations MUST support routing UDP traffic to Kubernetes Service backends


not for now, but between experimental and standard, we may need some better descriptive tests. What means an invalid backendRef for a UDPRoute?

What means multiple backends? What means multiple rules?

No worries for now, but please take a look into TLSRoute Gep and ListenerSet for reference

youngnick · 2026-04-20T06:41:57Z

+## Non-Goals
+
+* Define rich UDP-specific matching semantics such as address matching or payload inspection.
+* Require stateful UDP session tracking or connection management semantics. Implementations are expected to document how they implement such semantics.


This caveat is fine for Provisional, but for Standard, I think we'll probably need an Extended Feature for this, along with a separate Extended Feature for Client IP preservation. Folks who don't need those things don't care if they have them or not, but folks that do need them, really need them, and need to be able to be explicit about it.

youngnick · 2026-04-20T06:51:23Z

This LGTM for Provisional, but I think it would benefit from a TODO list for Experimental. From what I can see, that includes:

Declaring the invalid behaviors, conflict resolution, and so on. Effectively, we need to define the Core conformance tests we want to see here.
Declaring optional behaviors, along with conformance tests there. As it stands, I can see at least two Extended features, Client IP preservation, and UDP pseudo-session management support (basically, light sticky sessions based on the traffic's Layer 3 4-tuple of source IP, source port, destination IP, destination port. This usually includes some config of the timeout settings for these pseudo-connections as well.)
Making sure we record that Port Range support for UDPRoute requires Port Range support for Listener, and for us to figure out how to handle that on the backend, given Service also does not have Port Range support.

I think once we record that, this is good to merge.

rikatz · 2026-04-22T20:56:32Z

+
+   - UDP flows are sent to port 7777 is distributed across backends respecting the configured weights (approximately 70% to `game-server-1` and 30% to `game-server-2`).
+
+Conformance Level: **Core**


I "think" this is extended, given you may want to support Gateway but not UDP, but Nick knows those definitions much much better!

rikatz · 2026-04-22T20:57:41Z

+
+## References
+
+- [TCPRoute Specification](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.TCPRoute)


https://gateway-api.sigs.k8s.io/reference/spec/#tcproute is probably the right link

rikatz · 2026-04-22T21:03:41Z

overall this lgtm, thanks @zac-nixon

I will have some sync with Nick on it soon and we will bring back some more feedback.

k8s-ci-robot requested review from arkodg and howardjohn March 31, 2026 01:12

k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Mar 31, 2026