Knative: Operator’s Handbook

Internal and External Ingress Gateways

By default, Knative ships with a single ingress gateway. However, some installations (such as Google Cloud Run on GKE) ship with two separate gateways: one for internal traffic and one for external traffic.

This design separates internal (cluster-local) traffic from public traffic and prevents accidental exposure.

This “cluster-local gateway” isn't installed by default, but you can install it yourself with a custom Istio template.

Internal domains are registered for routing only on the cluster-local gateway, and external domains are registered only on the external gateway. If a request with an unrecognized domain goes to the wrong gateway, the gateway responds with 404 Not Found.
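The 404 rule above can be turned into an exposure check. The following is an added example, not code from this handbook or from the Knative project: it sends each domain to each gateway with an explicit Host header and reports any domain answered by the wrong gateway. The gateway addresses, domain names and the `simulated_probe` helper are constructed for illustration.

```python
import http.client

def probe(gateway_addr, host, timeout=5.0):
    """GET / on the gateway with an explicit Host header; return the HTTP status."""
    conn = http.client.HTTPConnection(gateway_addr, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        return conn.getresponse().status
    finally:
        conn.close()

def audit(gateways, domains, probe_fn=probe):
    """gateways: {kind: address}. domains: {host: kind of gateway it belongs on}.
    Returns (gateway_kind, host, status, problem) for every unexpected answer."""
    findings = []
    for gw_kind, addr in gateways.items():
        for host, home in domains.items():
            status = probe_fn(addr, host)
            if gw_kind != home and status != 404:
                # The rule from the text: the wrong gateway must answer 404 Not Found.
                findings.append((gw_kind, host, status, "served by the wrong gateway"))
            elif gw_kind == home and status == 404:
                # Either the domain is not registered, or the app itself has no "/" route.
                findings.append((gw_kind, host, status, "404 on its own gateway"))
    return findings

# Constructed sample data (hypothetical addresses and domains, not from the page).
GATEWAYS = {"external": "192.0.2.10:80", "internal": "10.0.0.10:80"}
DOMAINS = {
    "hello.default.example.com": "external",
    "billing.default.svc.cluster.local": "internal",
}

def simulated_probe(routes):
    """Offline stand-in for probe(): routes maps gateway address -> set of hosts."""
    return lambda addr, host: 200 if host in routes.get(addr, set()) else 404

if __name__ == "__main__":
    # Constructed misconfiguration: the internal domain is also on the external gateway.
    leaky = {
        "192.0.2.10:80": {"hello.default.example.com", "billing.default.svc.cluster.local"},
        "10.0.0.10:80": {"billing.default.svc.cluster.local"},
    }
    for finding in audit(GATEWAYS, DOMAINS, simulated_probe(leaky)):
        print(finding)
```

Against a real cluster, call `audit(GATEWAYS, DOMAINS)` with your own gateway addresses and domains so that the default `probe` sends the requests.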

In Google Cloud Run on GKE, these gateways are deployed as Kubernetes Services in the gke-system namespace named: