Merge branch 'kubernetes-sigs:main' into main

aleksanderaleksic · web-flow · commit 276eff323c60 · 2026-03-03T08:19:51.000+01:00
diff --git a/docs/guide/gateway/gateway.md b/docs/guide/gateway/gateway.md
@@ -24,14 +24,17 @@ The LBC is built for Gateway API version v1.3.0.
 
 ## Configuration
 
-By default, the LBC will _not_ listen to Gateway API CRDs. To enable support, specify the following feature flag(s) in the LBC deployment:
+The Load Balancer Controller (LBC) will attempt to detect Gateway CRDs. 
+If they are present, the respective controller will be enabled. 
+To explicitly disable these controllers, use the following feature gates:
 
-* `NLBGatewayAPI`: For enabling L4 Routing
-* `ALBGatewayAPI`: For enabling L7 Routing
+```--feature-gates=NLBGatewayAPI=false,ALBGatewayAPI=false```
 
-```
-- --feature-gates=NLBGatewayAPI=true,ALBGatewayAPI=true
-```
+For the NLB Gateway controller (Layer 4) to be enabled, ensure the following CRDs are installed:
+`Gateway`, `GatewayClass`, `TCPRoute`, `UDPRoute`, and `TLSRoute`
+
+For the ALB Gateway controller (Layer 7) to be enabled, ensure the following CRDs are installed:
+`Gateway`, `GatewayClass`, `HTTPRoute`, and `GRPCRoute`
 
 ## Subnet tagging requirements
 See [Subnet Discovery](../../deploy/subnet_discovery.md) for details on configuring Elastic Load Balancing for public or private placement.
diff --git a/go.mod b/go.mod
@@ -33,7 +33,7 @@ require (
 	github.com/spf13/pflag v1.0.7
 	github.com/stretchr/testify v1.10.0
 	go.uber.org/zap v1.27.0
-	golang.org/x/net v0.42.0
+	golang.org/x/net v0.51.0
 	golang.org/x/time v0.12.0
 	gomodules.xyz/jsonpatch/v2 v2.4.0
 	google.golang.org/grpc v1.71.1
@@ -163,14 +163,14 @@ require (
 	go.uber.org/multierr v1.11.0 // indirect
 	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	go.yaml.in/yaml/v3 v3.0.3 // indirect
-	golang.org/x/crypto v0.40.0 // indirect
-	golang.org/x/mod v0.26.0 // indirect
+	golang.org/x/crypto v0.48.0 // indirect
+	golang.org/x/mod v0.32.0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sync v0.16.0 // indirect
-	golang.org/x/sys v0.34.0 // indirect
-	golang.org/x/term v0.33.0 // indirect
-	golang.org/x/text v0.27.0 // indirect
-	golang.org/x/tools v0.34.0 // indirect
+	golang.org/x/sync v0.19.0 // indirect
+	golang.org/x/sys v0.41.0 // indirect
+	golang.org/x/term v0.40.0 // indirect
+	golang.org/x/text v0.34.0 // indirect
+	golang.org/x/tools v0.41.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250115164207-1a7da9e5054f // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
diff --git a/go.sum b/go.sum
@@ -485,14 +485,14 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20210513164829-c07d793c2f9a/go.mod h1:P+XmwS30IXTQdn5tA2iutPOUgjI07+tq3H3K9MVA1s8=
 golang.org/x/crypto v0.0.0-20220214200702-86341886e292/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.40.0 h1:r4x+VvoG5Fm+eJcxMaY8CQM7Lb0l1lsmjGBQ6s8BfKM=
-golang.org/x/crypto v0.40.0/go.mod h1:Qr1vMER5WyS2dfPHAlsOj01wgLbsyWtFn/aY+5+ZdxY=
+golang.org/x/crypto v0.48.0 h1:/VRzVqiRSggnhY7gNRxPauEQ5Drw9haKdM0jqfcCFts=
+golang.org/x/crypto v0.48.0/go.mod h1:r0kV5h3qnFPlQnBSrULhlsRfryS2pmewsg+XfMgkVos=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.26.0 h1:EGMPT//Ezu+ylkCijjPc+f4Aih7sZvaAr+O3EHBxvZg=
-golang.org/x/mod v0.26.0/go.mod h1:/j6NAhSk8iQ723BGAUyoAcn7SlD7s15Dp9Nd/SfeaFQ=
+golang.org/x/mod v0.32.0 h1:9F4d3PHLljb6x//jOyokMv3eX+YDeepZSEo3mFJy93c=
+golang.org/x/mod v0.32.0/go.mod h1:SgipZ/3h2Ci89DlEtEXWUk/HteuRin+HHhN+WbNhguU=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
@@ -504,17 +504,17 @@ golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96b
 golang.org/x/net v0.0.0-20210510120150-4163338589ed/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220225172249-27dd8689420f/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk=
-golang.org/x/net v0.42.0 h1:jzkYrhi3YQWD6MLBJcsklgQsoAcw89EcZbJw8Z614hs=
-golang.org/x/net v0.42.0/go.mod h1:FF1RA5d3u7nAYA4z2TkclSCKh68eSXtiFwcWQpPXdt8=
+golang.org/x/net v0.51.0 h1:94R/GTO7mt3/4wIKpcR5gkGmRLOuE/2hNGeWq/GBIFo=
+golang.org/x/net v0.51.0/go.mod h1:aamm+2QF5ogm02fjy5Bb7CQ0WMt1/WVM7FtyaTLlA9Y=
 golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
 golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.16.0 h1:ycBJEhp9p4vXvUZNszeOq0kGTPghopOL8q0fq3vstxw=
-golang.org/x/sync v0.16.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
+golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -536,18 +536,18 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220227234510-4e6760a101f9/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.34.0 h1:H5Y5sJ2L2JRdyv7ROF1he/lPdvFsd0mJHFw2ThKHxLA=
-golang.org/x/sys v0.34.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
+golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.33.0 h1:NuFncQrRcaRvVmgRkvM3j/F00gWIAlcmlB8ACEKmGIg=
-golang.org/x/term v0.33.0/go.mod h1:s18+ql9tYWp1IfpV9DmCtQDDSRBUjKaw9M1eAv5UeF0=
+golang.org/x/term v0.40.0 h1:36e4zGLqU4yhjlmxEaagx2KuYbJq3EwY8K943ZsHcvg=
+golang.org/x/term v0.40.0/go.mod h1:w2P8uVp06p2iyKKuvXIm7N/y0UCRt3UfJTfZ7oOpglM=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.27.0 h1:4fGWRpyh641NLlecmyl4LOe6yDdfaYNrGb2zdfo4JV4=
-golang.org/x/text v0.27.0/go.mod h1:1D28KMCvyooCX9hBiosv5Tz/+YLxj0j7XhWjpSUF7CU=
+golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
+golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
 golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
 golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -557,8 +557,8 @@ golang.org/x/tools v0.0.0-20201211185031-d93e913c1a58/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
-golang.org/x/tools v0.34.0 h1:qIpSLOxeCYGg9TrcJokLBG4KFA6d795g0xkBkiESGlo=
-golang.org/x/tools v0.34.0/go.mod h1:pAP9OwEaY1CAW3HOmg3hLZC5Z0CCmzjAF2UQMSqNARg=
+golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
+golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
diff --git a/main.go b/main.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"fmt"
 	"os"
+
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/aga"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/certs"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/shared_utils"
@@ -33,6 +34,7 @@ import (
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/deploy"
 	gatewaypkg "sigs.k8s.io/aws-load-balancer-controller/pkg/gateway"
 	gateway_constants "sigs.k8s.io/aws-load-balancer-controller/pkg/gateway/constants"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/gateway/crddetect"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/gateway/referencecounter"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/gateway/routeutils"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/inject/pod_readiness"
@@ -180,6 +182,10 @@ func main() {
 		os.Exit(1)
 	}
 
+	// Gateway API CRD auto-detection: check which CRDs are installed and disable
+	// feature flags for missing CRDs before any controller setup reads them.
+	crddetect.ApplyGatewayCRDDetection(clientSet.Discovery(), controllerCFG.FeatureGates, setupLog)
+
 	nlbGatewayEnabled := controllerCFG.FeatureGates.Enabled(config.NLBGatewayAPI)
 	albGatewayEnabled := controllerCFG.FeatureGates.Enabled(config.ALBGatewayAPI)
 	podInfoRepo := k8s.NewDefaultPodInfoRepo(clientSet.CoreV1().RESTClient(), controllerCFG.RuntimeConfig.WatchNamespace, controllerCFG.ServerIDInjectionConfig.EnvironmentVariableName, ctrl.Log)
diff --git a/pkg/config/feature_gates.go b/pkg/config/feature_gates.go
@@ -71,8 +71,8 @@ func NewFeatureGates() FeatureGates {
 			ALBSingleSubnet:               false,
 			SubnetDiscoveryByReachability: true,
 			LBCapacityReservation:         true,
-			NLBGatewayAPI:                 false,
-			ALBGatewayAPI:                 false,
+			NLBGatewayAPI:                 true,
+			ALBGatewayAPI:                 true,
 			GlobalAcceleratorController:   false,
 			EnableTCPUDPListenerType:      false,
 			EnhancedDefaultBehavior:       false,
diff --git a/pkg/gateway/crddetect/gateway_feature_flags.go b/pkg/gateway/crddetect/gateway_feature_flags.go
@@ -0,0 +1,57 @@
+package crddetect
+
+import (
+	"github.com/go-logr/logr"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/config"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/k8s"
+)
+
+const (
+	// GatewayV1GroupVersion is the stable Gateway API group version.
+	GatewayV1GroupVersion = "gateway.networking.k8s.io/v1"
+	// GatewayV1Alpha2GroupVersion is the experimental Gateway API group version.
+	GatewayV1Alpha2GroupVersion = "gateway.networking.k8s.io/v1alpha2"
+)
+
+var (
+	// StandardCRDKinds lists the CRD kinds required for ALB Gateway API support.
+	StandardCRDKinds = []string{"Gateway", "GatewayClass", "HTTPRoute", "GRPCRoute"}
+	// ExperimentalCRDKinds lists the CRD kinds required for NLB Gateway API support.
+	ExperimentalCRDKinds = []string{"TCPRoute", "UDPRoute", "TLSRoute"}
+)
+
+// ApplyGatewayCRDDetection checks for the presence of Gateway API CRDs and
+// disables the corresponding feature flags when required CRDs are missing.
+// It is called from main() after the k8s client is ready and before any
+// controller reads the feature flags.
+func ApplyGatewayCRDDetection(client k8s.DiscoveryClient, featureGates config.FeatureGates, logger logr.Logger) {
+	standardResult := k8s.DetectCRDs(client, GatewayV1GroupVersion, StandardCRDKinds)
+	experimentalResult := k8s.DetectCRDs(client, GatewayV1Alpha2GroupVersion, ExperimentalCRDKinds)
+
+	ApplyGatewayFeatureFlags(standardResult, experimentalResult, featureGates, logger)
+}
+
+// ApplyGatewayFeatureFlags applies the Gateway CRD detection results to the
+// feature gates. Extracted for testability — accepts pre-computed results.
+func ApplyGatewayFeatureFlags(standardResult, experimentalResult k8s.CRDGroupResult, featureGates config.FeatureGates, logger logr.Logger) {
+	if !standardResult.AllPresent {
+		logger.Info("Disabling ALBGatewayAPI: missing standard Gateway API CRDs",
+			"groupVersion", standardResult.GroupVersion,
+			"missing", standardResult.MissingKinds)
+		featureGates.Disable(config.ALBGatewayAPI)
+	} else {
+		logger.Info("All standard Gateway API CRDs detected, ALBGatewayAPI remains enabled",
+			"groupVersion", standardResult.GroupVersion)
+	}
+
+	if !standardResult.AllPresent || !experimentalResult.AllPresent {
+		logger.Info("Disabling NLBGatewayAPI: missing required Gateway API CRDs",
+			"missingStandard", standardResult.MissingKinds,
+			"missingExperimental", experimentalResult.MissingKinds)
+		featureGates.Disable(config.NLBGatewayAPI)
+	} else {
+		logger.Info("All required Gateway API CRDs detected, NLBGatewayAPI remains enabled",
+			"standardGroupVersion", standardResult.GroupVersion,
+			"experimentalGroupVersion", experimentalResult.GroupVersion)
+	}
+}
diff --git a/pkg/gateway/crddetect/gateway_feature_flags_test.go b/pkg/gateway/crddetect/gateway_feature_flags_test.go
@@ -0,0 +1,110 @@
+package crddetect
+
+import (
+	"testing"
+
+	"github.com/go-logr/logr"
+	"github.com/stretchr/testify/assert"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/config"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/k8s"
+)
+
+func TestApplyGatewayFeatureFlags_StandardMissing(t *testing.T) {
+	fg := config.NewFeatureGates()
+	assert.True(t, fg.Enabled(config.ALBGatewayAPI), "precondition: ALBGatewayAPI should default to true")
+	assert.True(t, fg.Enabled(config.NLBGatewayAPI), "precondition: NLBGatewayAPI should default to true")
+
+	standardResult := k8s.CRDGroupResult{
+		GroupVersion: "gateway.networking.k8s.io/v1",
+		AllPresent:   false,
+		MissingKinds: []string{"HTTPRoute"},
+	}
+	experimentalResult := k8s.CRDGroupResult{
+		GroupVersion: "gateway.networking.k8s.io/v1alpha2",
+		AllPresent:   true,
+	}
+
+	ApplyGatewayFeatureFlags(standardResult, experimentalResult, fg, logr.Discard())
+
+	assert.False(t, fg.Enabled(config.ALBGatewayAPI), "ALBGatewayAPI should be disabled when standard CRDs are missing")
+	assert.False(t, fg.Enabled(config.NLBGatewayAPI), "NLBGatewayAPI should be disabled when standard CRDs are missing")
+}
+
+func TestApplyGatewayFeatureFlags_ExperimentalMissing_StandardPresent(t *testing.T) {
+	fg := config.NewFeatureGates()
+
+	standardResult := k8s.CRDGroupResult{
+		GroupVersion: "gateway.networking.k8s.io/v1",
+		AllPresent:   true,
+	}
+	experimentalResult := k8s.CRDGroupResult{
+		GroupVersion: "gateway.networking.k8s.io/v1alpha2",
+		AllPresent:   false,
+		MissingKinds: []string{"TCPRoute"},
+	}
+
+	ApplyGatewayFeatureFlags(standardResult, experimentalResult, fg, logr.Discard())
+
+	assert.True(t, fg.Enabled(config.ALBGatewayAPI), "ALBGatewayAPI should remain enabled when standard CRDs are present")
+	assert.False(t, fg.Enabled(config.NLBGatewayAPI), "NLBGatewayAPI should be disabled when experimental CRDs are missing")
+}
+
+func TestApplyGatewayFeatureFlags_BothPresent(t *testing.T) {
+	fg := config.NewFeatureGates()
+
+	standardResult := k8s.CRDGroupResult{
+		GroupVersion: "gateway.networking.k8s.io/v1",
+		AllPresent:   true,
+	}
+	experimentalResult := k8s.CRDGroupResult{
+		GroupVersion: "gateway.networking.k8s.io/v1alpha2",
+		AllPresent:   true,
+	}
+
+	ApplyGatewayFeatureFlags(standardResult, experimentalResult, fg, logr.Discard())
+
+	assert.True(t, fg.Enabled(config.ALBGatewayAPI), "ALBGatewayAPI should remain enabled")
+	assert.True(t, fg.Enabled(config.NLBGatewayAPI), "NLBGatewayAPI should remain enabled")
+}
+
+func TestApplyGatewayFeatureFlags_BothMissing(t *testing.T) {
+	fg := config.NewFeatureGates()
+
+	standardResult := k8s.CRDGroupResult{
+		GroupVersion: "gateway.networking.k8s.io/v1",
+		AllPresent:   false,
+		MissingKinds: []string{"Gateway", "GatewayClass"},
+	}
+	experimentalResult := k8s.CRDGroupResult{
+		GroupVersion: "gateway.networking.k8s.io/v1alpha2",
+		AllPresent:   false,
+		MissingKinds: []string{"TCPRoute", "UDPRoute"},
+	}
+
+	ApplyGatewayFeatureFlags(standardResult, experimentalResult, fg, logr.Discard())
+
+	assert.False(t, fg.Enabled(config.ALBGatewayAPI), "ALBGatewayAPI should be disabled")
+	assert.False(t, fg.Enabled(config.NLBGatewayAPI), "NLBGatewayAPI should be disabled")
+}
+
+func TestApplyGatewayFeatureFlags_ExplicitlyEnabledStillDisabledWhenCRDsMissing(t *testing.T) {
+	fg := config.NewFeatureGates()
+	// Simulate explicit --feature-gates ALBGatewayAPI=true,NLBGatewayAPI=true
+	fg.Enable(config.ALBGatewayAPI)
+	fg.Enable(config.NLBGatewayAPI)
+
+	standardResult := k8s.CRDGroupResult{
+		GroupVersion: "gateway.networking.k8s.io/v1",
+		AllPresent:   false,
+		MissingKinds: []string{"GRPCRoute"},
+	}
+	experimentalResult := k8s.CRDGroupResult{
+		GroupVersion: "gateway.networking.k8s.io/v1alpha2",
+		AllPresent:   true,
+	}
+
+	ApplyGatewayFeatureFlags(standardResult, experimentalResult, fg, logr.Discard())
+
+	assert.False(t, fg.Enabled(config.ALBGatewayAPI), "ALBGatewayAPI should be force-disabled even when explicitly enabled")
+	assert.False(t, fg.Enabled(config.NLBGatewayAPI), "NLBGatewayAPI should be force-disabled even when explicitly enabled")
+}
diff --git a/pkg/k8s/crd_detector.go b/pkg/k8s/crd_detector.go
@@ -0,0 +1,52 @@
+package k8s
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// DiscoveryClient is the interface for querying available API resources.
+// Satisfied by kubernetes.Clientset (via its Discovery().ServerResourcesForGroupVersion method).
+type DiscoveryClient interface {
+	ServerResourcesForGroupVersion(groupVersion string) (*metav1.APIResourceList, error)
+}
+
+// CRDGroupResult holds the detection result for a single API group version.
+type CRDGroupResult struct {
+	// GroupVersion is the API group version that was queried (e.g. "gateway.networking.k8s.io/v1").
+	GroupVersion string
+	// AllPresent is true when all required kinds were found.
+	AllPresent bool
+	// MissingKinds lists the resource kinds that were expected but not found.
+	MissingKinds []string
+}
+
+// DetectCRDs queries the Kubernetes API server for the specified resource kinds
+// in the given group version and reports which are present and which are missing.
+// On API error, it returns AllPresent: false with all required kinds as missing (fail-closed).
+func DetectCRDs(client DiscoveryClient, groupVersion string, requiredKinds []string) CRDGroupResult {
+	result := CRDGroupResult{
+		GroupVersion: groupVersion,
+	}
+
+	resList, err := client.ServerResourcesForGroupVersion(groupVersion)
+	if err != nil {
+		result.AllPresent = false
+		result.MissingKinds = make([]string, len(requiredKinds))
+		copy(result.MissingKinds, requiredKinds)
+		return result
+	}
+
+	presentKinds := make(map[string]bool, len(resList.APIResources))
+	for _, res := range resList.APIResources {
+		presentKinds[res.Kind] = true
+	}
+
+	for _, kind := range requiredKinds {
+		if !presentKinds[kind] {
+			result.MissingKinds = append(result.MissingKinds, kind)
+		}
+	}
+
+	result.AllPresent = len(result.MissingKinds) == 0
+	return result
+}
diff --git a/pkg/k8s/crd_detector_test.go b/pkg/k8s/crd_detector_test.go
