Contour
Contour is an open source Kubernetes ingress controller (ingress and traffic management) that uses Envoy Proxy to provide advanced L7 routing, observability, and configuration for north-south traffic into Kubernetes clusters.
- Kubernetes-native ingress controller and Hypertext Transfer Protocol (HTTP) proxy (ingress and traffic management) built on Envoy.
- Supports Ingress and HTTPProxy custom resources for routing configuration (API and traffic management).
- Enables Transport Layer Security (TLS) termination, SNI-based routing, and certificate integration (security and encryption).
- Provides traffic splitting, path- and header-based routing, and retry policies (service traffic steering).
- Designed for multi-team and multi-tenant ingress configuration with delegation and separation of concerns (platform operations).
More About Contour
Contour is a Kubernetes ingress controller (ingress and traffic management) that configures Envoy Proxy as the data-plane for HTTP and HTTPS traffic into Kubernetes clusters. It targets north-south traffic management, giving platform and application teams a way to define external access to services using Kubernetes-native APIs.
The project centers on two configuration models: the standard Kubernetes Ingress resource (API and traffic management) and a custom HTTPProxy resource (traffic management and policy control). HTTPProxy is designed to express more detailed routing, delegation, and policy behavior than the baseline Ingress specification, while still integrating with Kubernetes declarative configuration workflows and GitOps practices (configuration management).
Contour programs Envoy as an L7 reverse proxy (proxy and load balancing), enabling capabilities such as virtual hosts, TLS termination, Server Name Indication-based routing, and path- or header-based routing (security and traffic steering). It supports features such as traffic splitting across multiple service backends, timeouts, retries, health checking, and upstream connection settings (resilience and reliability). Contour runs as a control-plane component inside the cluster, watching Kubernetes resources and translating them into Envoy configuration through xDS APIs (service proxy configuration).
For enterprises, Contour is deployed as part of the cluster networking stack (cluster networking) to expose HTTP and HTTPS workloads to users, partners, or edge networks. Platform teams commonly install Contour in a dedicated namespace and run Envoy as a DaemonSet or Deployment (cluster operations), integrating it with external load balancers for incoming traffic. Multi-team scenarios use HTTPProxy delegation (multi-tenancy and governance) so that cluster administrators define top-level domains and security policies, while application teams manage application-specific routes within constrained scopes.
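The delegation model described above, as an added example that is not taken from the Contour project's own manifests: a root HTTPProxy owned by the platform team pins the hostname and TLS secret and delegates one path prefix to an application team's namespace, where the team controls traffic splitting and retries. All names, namespaces, the hostname and the weights are constructed placeholders.

```yaml
# Constructed example: every name, namespace and hostname is a placeholder.
# Root HTTPProxy, owned by the platform team. It alone declares the virtual
# host and the TLS secret, so application teams cannot claim the domain.
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: example-root
  namespace: platform-ingress
spec:
  virtualhost:
    fqdn: app.example.com
    tls:
      secretName: app-example-com-tls   # TLS is terminated at Envoy
  includes:
    # Delegate only /shop to the team namespace; other paths stay undelegated.
    - name: shop-routes
      namespace: team-shop
      conditions:
        - prefix: /shop
---
# Child HTTPProxy, owned by the application team. It has no virtualhost
# block, so it only takes effect when a root includes it, and its routes
# are confined to the /shop prefix set by that include.
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: shop-routes
  namespace: team-shop
spec:
  routes:
    - timeoutPolicy:
        response: 5s
      retryPolicy:
        count: 3
        perTryTimeout: 500ms
      services:
        # Traffic splitting: 90% to the current backend, 10% to the new one.
        - name: shop-v1
          port: 80
          weight: 90
        - name: shop-v2
          port: 80
          weight: 10
```

Restricting which namespaces may hold root proxies (Contour's `--root-namespaces` serve flag) keeps a tenant from creating its own root for a hostname it does not own.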
Contour integrates with Kubernetes Service and Endpoint resources (service discovery) and fits into environments that use Git-based workflows, Continuous Integration and Continuous Deployment (CI/CD) pipelines, and policy tooling to manage YAML manifests (platform automation). It aligns with CNCF ecosystem practices as a project under the Cloud Native Computing Foundation, and is categorized as an ingress controller and Envoy-based control-plane within the broader cloud-native networking and service proxy domain (cloud-native networking).