ZenoIngress Logo

Sovereign, Memory-Safe Kubernetes Ingress

Built in 100% safe Rust. Sovereign by design, secure by construction. Ready for regulated production.

ZenoIngress is a Kubernetes Gateway API controller built from the ground up in 100% safe Rust. Keep your front door in your own jurisdiction — an inside-out edge tunnel terminates TLS on infrastructure you control, not a third party's network. Post-quantum TLS, a built-in WAF, zero-trust mTLS + Cedar authorization, and a hybrid edge for air-gapped and sovereign clusters — the security frontier, in a single memory-safe binary.

Free for 1 production cluster — every feature, no card · Enterprise €5,000/year (unlimited clusters, support & SLA)

Tiny Footprint, Safe by Construction

Built with Rust, hyper, and tokio. Zero-cost abstractions, no garbage-collection pauses, and zero unsafe code.

~5 MB
Runtime Memory

resident under load

~17 MB
Container Image

static, multi-stage build

0
unsafe Blocks

workspace-wide #![forbid(unsafe_code)]

X25519MLKEM768
Post-Quantum TLS

hybrid key exchange, by default

Footprint & safety facts from internal measurements — not a competitive benchmark. A head-to-head latency/throughput comparison vs NGINX/Envoy is in progress and will be published when the methodology is sound.

At the Security Frontier

The capabilities competitors bolt on with sidecars and external services — post-quantum crypto, a WAF, zero-trust identity, and policy authorization — built in, in memory-safe Rust.

Post-Quantum TLS

Quantum-safe by default. TLS 1.3 handshakes prefer the hybrid X25519MLKEM768 group (ML-KEM-768 / NIST FIPS 203), defeating "harvest-now-decrypt-later" — downstream and re-originated upstream.

  • ML-KEM-768 + X25519 hybrid
  • aws-lc-rs provider · FIPS-ready
  • Per-listener crypto policy

Built-in WAF

Run Coraza + the OWASP Core Rule Set in a sandboxed proxy-wasm filter — SQLi, XSS, path-traversal and scanner blocking inside the ingress. No external WAF appliance.

  • proxy-wasm host (wasmtime + WASI)
  • Header, URI & request-body inspection
  • Detection-only or enforce

Zero-Trust Identity & Authz

End-to-end mTLS with SPIFFE/SVID workload identity, plus an in-process Cedar authorization engine — fine-grained allow/deny with no external OPA sidecar.

  • SPIFFE mTLS, frontend & backend
  • Cedar PDP (formally verified)
  • Deny-by-default, microsecond eval

Memory-Safe by Construction

100% safe Rust under a workspace-wide #![forbid(unsafe_code)] — whole classes of CVEs that plague C/C++ proxies simply cannot occur. Exactly what CISA/NSA asked vendors to commit to.

  • No buffer overflows / use-after-free
  • No GC pauses, predictable latency
  • Supply-chain hardened

Native Gateway API

Built for the Kubernetes Gateway API from day one—not retrofitted from legacy Ingress. Modern, expressive, and future-proof.

  • GatewayClass, Gateway, HTTPRoute
  • TLS termination with SNI
  • Traffic splitting & canary deployments
  • Request/response header modification
  • URL rewrites and redirects

Observable

Comprehensive observability with Prometheus metrics, structured JSON logging, and OpenTelemetry distributed tracing out of the box.

  • Prometheus metrics endpoint
  • Structured JSON logging
  • OpenTelemetry distributed tracing
  • Real-time health checks

Hybrid Ingress Mode

Run ingress anywhere—even behind NAT or firewalls. Proxies connect outbound to our edge servers, enabling ingress without inbound network access.

  • Outbound tunnel connections (no port forwarding)
  • Yamux multiplexing for efficient streaming
  • Automatic reconnection with backoff
  • Edge server for global distribution
  • Works with restrictive firewalls

External Authentication

Enterprise-grade authentication with OAuth2-Proxy compatible ExtAuth. Secure your APIs with external identity providers.

  • OAuth2-Proxy / Authelia compatible
  • L1/L2 caching (local + Redis)
  • Browser redirect flow support
  • Configurable failure modes (allow/deny)
  • ExtAuthFilter CRD for K8s-native config

Session Affinity

Sticky sessions for stateful applications. Route users to the same backend consistently with cookie, header, or IP-based affinity.

  • Cookie-based affinity (configurable attributes)
  • Header-based affinity (X-Session-ID)
  • Client IP affinity for non-browser clients
  • Distributed storage via Redis
  • BackendLBPolicy CRD for K8s-native config

HTTP/2 & Backend TLS

Modern protocol support for maximum performance. HTTP/2 multiplexing reduces latency. Secure backend connections with TLS.

  • HTTP/2 server with ALPN negotiation
  • HTTP/2 client with multiplexed connections
  • Backend TLS with custom CA support
  • System CA and skip-verify options
  • Per-backend protocol configuration

Clean Architecture

Clear separation between control plane and data plane. Proven pattern used by Envoy, Linkerd, and modern proxies.

Control Plane

The controller watches Gateway API resources and generates configuration for the proxy.

  • GatewayClass reconciler
  • Gateway reconciler
  • HTTPRoute reconciler
  • Config publisher (ConfigMap)
  • Leader election for HA

Data Plane

The proxy handles all traffic, routing requests to backend services with minimal overhead.

  • O(1) hostname matching
  • Prefix-tree path matching
  • Weighted round-robin load balancing
  • Connection pooling (32 conns/endpoint)
  • Circuit breakers & health checks

Edge Server

Global edge infrastructure for hybrid mode deployments. Terminates TLS and routes to origin proxies.

  • Control plane for tunnel registration (port 7844)
  • Data plane for HTTPS traffic (port 443)
  • Yamux multiplexing for efficient streams
  • DashMap session registry (O(1) lookup)
  • Token-based authentication

Tunnel Mode

Proxies behind firewalls connect outbound to edge servers. No inbound ports required.

  • Outbound-only connections (NAT-friendly)
  • Automatic reconnection with exponential backoff
  • Graceful shutdown with connection draining
  • Transport abstraction layer
  • Works through restrictive firewalls

Get Started in Minutes

Three simple steps to a sovereign, memory-safe ingress.

# Step 1: Install Gateway API CRDs kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml # Step 2: Install ZenoIngress — contact [email protected] for registry access helm install zenoingress oci://<your-registry>/zenoingress-ingress # Step 3: Create your first Gateway kubectl apply -f - <<EOF apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: my-gateway spec: gatewayClassName: zenoingress listeners: - name: http port: 80 protocol: HTTP EOF # That's it! You're running a sovereign, memory-safe ingress.
View Pricing Contact Sales

Ready for sovereign, memory-safe ingress?

Deploy ZenoIngress today and run a sovereign, memory-safe data plane in your Kubernetes cluster.

View Pricing Contact Sales