Kubernetes is moving to Gateway API. F5 NGINX Gateway Fabric gives Red Hat OpenShift teams a certified, conformant, open-source implementation on a proven and trusted data plane. F5 WAF adds enterprise layer 7 security to that foundation.
Gateway API is emerging as the standard for Kubernetes networking—an open, role-oriented model developed by the Kubernetes community. It provides platform, application, and security teams with clearer boundaries and greater flexibility than traditional ingress approaches, and is well-suited for modern workloads, including APIs and AI-driven applications, and is becoming the default for new deployments. For Red Hat OpenShift organizations, Gateway API fits naturally with a platform strategy built on open source and portability.
Default Gateway API implementations handle traffic routing, but they do not include application-layer security. Organizations running business-critical or regulated workloads on OpenShift need protection against web application attacks, API abuse, and injection threats at the gateway level.
On OpenShift, F5 NGINX Gateway Fabric stands out as the most feature-complete Gateway API implementation, based on Kubernetes Gateway API conformance data. As a Red Hat-certified, OpenShift-native option, it aligns cleanly with operator-based installation and platform support. It is especially compelling for teams already using NGINX elsewhere, because it delivers a consistent data plane and policy model, while preserving operational simplicity, NGINX familiarity, and strong OpenShift alignment.
F5 WAF for NGINX extends NGINX Gateway Fabric with advanced layer 7 security, covering OWASP Top 10 vulnerabilities, API attacks, and application-specific threats, without requiring teams to change their traffic management approach, abandon the Gateway API standard, or introduce an unfamiliar proxy into the stack.
Together, the F5 solutions enable teams to securely deliver applications, APIs, and AI workloads through a certified Operator for simplified lifecycle management on Red Hat OpenShift.
Organizations running OpenShift Router or an earlier ingress implementation can migrate to the Gateway API standard without losing application security controls. NGINX Gateway Fabric provides a conformant, AI-ready NGINX-backed gateway; F5 WAF ensures protection travels with the migration.
The default Envoy-based Gateway API implementation does not include a WAF. For teams that need application-layer security, including regulated industries and public-facing apps and APIs, F5 WAF on NGINX Gateway Fabric provides that capability in a Kubernetes-native model.
As inference endpoints and AI-backed APIs proliferate in OpenShift clusters, F5 WAF provides consistent layer 7 protection at the gateway for workloads that handle sensitive data and user-facing requests.
Gateway API's role-based resource model, combined with NGINX Gateway Fabric and attached F5 WAF policies, gives platform, application, and security teams clear ownership without coordination overhead.
Declarative WAF policy enables consistent protection profiles across multiple OpenShift clusters. Security teams define policy once; it deploys everywhere through GitOps, reducing manual configuration drift.
Gateway API adoption is accelerating, and OpenShift teams are evaluating their ingress strategy. NGINX Gateway Fabric plus F5 WAF provide a practical model for teams that want an open, standards-based gateway with enterprise application security—without giving up NGINX familiarity or OpenShift supportability.
Learn more at f5.com/products/nginx/nginx-gateway-fabric or visit f5.com/redhat to see our partnership in action.
Built on the open-source Kubernetes Gateway API with clear separation of platform, app, and security team responsibilities.
No new proxy to learn. Runs on the same open-source NGINX foundation teams already use.
Layer 7 protection against OWASP Top 10 and API attacks delivered at the ingress point.
Available via a certified Operator that fits OpenShift governance and supportability requirements.
Security rules managed as code—version-controlled and deployable through GitOps pipelines.
Supports core Gateway API resources (HTTPRoute, ReferenceGrant, policies), enabling portability across conformant implementations.
Preconfigured signatures protect against injection, XSS, broken authentication, and API abuse at the gateway layer.
Security rules defined as Kubernetes-native policy objects, reviewable and deployable through GitOps pipelines.
Deploy in monitoring mode to tune policy before switching to blocking. Reduces false-positive risk during rollout.
Structured event logs feed existing SIEM and observability stacks without custom integrations.
Inference Extension for Gateway API enables model-aware routing, allowing teams to route requests based on model, cost, and performance.