Ubisoft's Custom Kubernetes Operator for Managing Kong Services
In this talk, one of our sessions from API Summit 2024, Vincent Behar, Senior Engineer at Ubisoft, shares his experience managing Kong services in Kubernetes. A few years ago, they built their own custom Kubernetes Operator to manage Kong services because the existing solutions didn't fit their needs. Looking back on this project, Vincent reviews their choices and explains why they’re still using this operator today. He also covers the challenges and what is still missing from existing solutions.
Standardizing API management across Ubisoft’s internal platform
Ubisoft, the global video game company behind franchises like Assassin’s Creed, Rainbow Six, and Far Cry, operates an internal developer platform designed to support teams building and deploying managed services across the organization. To ensure consistency and a unified developer experience, Ubisoft uses Kong as its API gateway and requires each service to expose a REST API based on the OpenAPI specification.
With services developed by many different teams, the company established a dedicated Gateway Admin team to write and manage gateway configurations manually. These configurations were based on the OpenAPI documents provided by developers, enabling a consistent user experience and unified API hostname structure.
The limits of manual gateway management
While this setup initially worked, it quickly proved difficult to scale. Managing configurations manually introduced human error, delayed onboarding for new services, and made enforcing security and policy standards challenging. Each service team had its own naming conventions, authentication methods, and path structures, making it difficult for the Gateway Admin team to maintain consistency. The lack of automation also led to slow propagation of changes across environments, inefficient collaboration between teams, and a heavy reliance on institutional knowledge to maintain the configuration.
As the number of services grew, Ubisoft needed a scalable, self-service solution that could enforce global policies and security while reducing manual effort and minimizing mistakes.
A custom Kubernetes operator for Kong configuration
To address these issues, Ubisoft built a custom Kubernetes operator that serves as a control plane layered on top of their existing control plane. This operator automatically ingests OpenAPI documents, applies standardized rules—like path prefix rewriting—and generates Kong configuration in a way that aligns with company-wide security and policy requirements.
Service developers now provide their OpenAPI specifications either through a config map or via a URL. The Kubernetes operator parses the documents, applies business logic (like rewriting routes and enforcing authentication), merges them with Gateway Admin-defined policies, and pushes the resulting configuration to Kong. Crucially, policies defined by the Gateway Admins always take precedence, ensuring that enforced configurations cannot be overridden by service teams.
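The generation step described above, reduced to its two rules (path prefix rewriting and admin-over-team precedence), as an added example that is not Ubisoft's operator code. The `Plugin` and `Route` types, the function names, and the sample plugin settings are hypothetical and constructed for illustration; they are not decK's types.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Plugin is a simplified stand-in for a Kong plugin entry (hypothetical type).
type Plugin struct {
	Name, Source string // Source records who defined the entry, for auditing
	Config       map[string]string
}

// Route is a simplified stand-in for a generated Kong route (hypothetical type).
type Route struct {
	Path    string
	Plugins []Plugin
}

// mergePlugins replaces a team plugin wholesale when an admin defines the same name.
func mergePlugins(team, admin map[string]map[string]string) []Plugin {
	merged := map[string]Plugin{}
	for name, cfg := range team {
		merged[name] = Plugin{Name: name, Source: "team", Config: cfg}
	}
	for name, cfg := range admin { // applied last, so admin policy always wins
		merged[name] = Plugin{Name: name, Source: "admin", Config: cfg}
	}
	out := make([]Plugin, 0, len(merged))
	for _, p := range merged {
		out = append(out, p)
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Name < out[j].Name })
	return out
}

// GenerateRoutes prefixes each OpenAPI path with /<service> and attaches the merged plugins.
func GenerateRoutes(service string, paths []string, team, admin map[string]map[string]string) []Route {
	plugins := mergePlugins(team, admin)
	var routes []Route
	for _, p := range paths {
		routes = append(routes, Route{Path: "/" + service + "/" + strings.TrimLeft(p, "/"), Plugins: plugins})
	}
	return routes
}

func main() {
	fmt.Println(GenerateRoutes("inventory", []string{"/items"}, nil, nil)) // constructed input
}
```

Replacing the whole plugin entry, rather than merging key by key, means a setting supplied by a service team cannot survive next to an enforced admin policy of the same name.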
Because the operator is built using Kubernetes-native tools and Golang libraries like decK, it enables self-healing, validation, and automated configuration drift detection. It also allows Ubisoft to support new API specification formats like OpenAPI v3 and protobuf, expanding the flexibility and future-proofing of their platform.
Consistent, secure APIs at scale
With the new operator-based system in place, Ubisoft significantly reduced the operational burden on the Gateway Admin team while improving the developer experience. Service teams can now onboard themselves with minimal support, thanks to self-service configuration and plugin management. The company enforces consistent security and path conventions across services without sacrificing flexibility or control.
By owning their configuration generation logic, Ubisoft can easily adapt to evolving use cases, integrate services using different protocol formats, and ensure robust auditing and observability. The team now manages configuration through a desired-state model, leveraging Kubernetes’ reconciliation loop to maintain accuracy and reliability at scale.
Ubisoft's custom Kubernetes operator turned a complex, error-prone manual process into an automated, scalable, and secure system that supports the company’s internal developer platform and their broader mission to ship games and services efficiently.