Contour is a high-performance Ingress controller for Kubernetes that serves as the control plane for the Envoy edge and service proxy. Within the VMware Cloud Foundation (VCF) 9.0 and vSphere Kubernetes Service (VKS) architecture, Contour is a critical component used to manage how external traffic reaches services running inside a cluster. It functions specifically at the application layer (Layer 7 of the OSI model), enabling sophisticated routing based on HTTP paths, hostnames, and headers.

By utilizing the Envoy proxy, Contour provides a scalable and maintainable way to handle standard Kubernetes Ingress resources as well as the more advanced HTTPProxy custom resource definitions (CRDs). In a VKS environment, once the Supervisor is configured and a workload cluster is deployed, Contour is typically installed as a managed package to provide ingress services. It handles essential tasks such as SSL/TLS termination, which offloads the encryption overhead from individual application pods, and supports advanced traffic management patterns like canary deployments or blue-green updates. Unlike traditional load balancers that may operate only at Layer 4, Contour’s deep integration with the Kubernetes API allows it to dynamically update routing rules as pods scale or fail, ensuring high availability and fine-grained control for containerized applications. This makes it the standard solution for application-layer ingress management across the VMware Tanzu and VKS ecosystem.