Policy routing is the method to steer traffic matching certain criteria to a certain gateway. .....
RouterOS gives you two options to choose from:
firewall mangle - it gives more control over the criteria to be used to steer traffic, for example, per connection or per packet balancing, etc. For more info on how to use mangle marking see Firewall Marking examples......

• change-dscp - change the Differentiated Services Code Point (DSCP) field value specified by the new-dscp parameter
• change-mss - change the Maximum Segment Size field value of the packet to a value specified by the new-mss parameter
• change-ttl - change the Time to Live field value of the packet to a value specified by the new-ttl parameter
• clear-df - clear 'Do Not Fragment' Flag
• fasttrack-connection - shows fasttrack counters, useful for statistics
• mark-connection - place a mark specified by the new-connection-mark parameter on the entire connection that matches the rule
• mark-packet - place a mark specified by the new-packet-mark parameter on a packet that matches the rule
• mark-routing - place a mark specified by the new-routing-mark parameter on a packet. This kind of mark is used for policy routing purposes only. Do not apply any other routing marks besides "main" for the packets processed by FastTrack, since FastTrack can only work in the main routing table.
  route - forces packets to a specific gateway IP by ignoring normal routing decisions (prerouting chain only)
• set-priority - set priority specified by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface). Read more
• sniff-pc - send a packet to a remote RouterOS CALEA server.
• sniff-tzsp - send a packet to a remote TZSP compatible system (such as Wireshark). Set remote target with sniff-target and sniff-target-port parameters (Wireshark recommends port 37008)
• strip-ipv4-options - strip IPv4 option fields from IP header, the action does not actually remove IPv4 options but rather replaces all option octets with NOP, further matcher with ipv4-options=any will still match the packet.

Basically, yes, but for be more "nice" on the point 2: on foreach cycle at the same time you UPDATE the comment if the rule already exist AND add new rules with :timestamp.

This do not delete what already exist (and must be keeped) and do not (temporarly) duplicate rules.

Tip no. 1:

Use route marking. Make a mangle rule ...

Oh no. In fact, I tried to solve my problem first with address-lists + PBR (policy based routing). There are many examples of PBR for Mikrotik in the internet, using the firewall and multiple routing tables.

It worked but (!) TCP worked SO slowly that kubectl and Lens did not tolerate such response times and produced errors. I was never able to find the reason why packets going via PBR were so slow and had to revert to regular routing which works fast.

Note that not all packets of the connection can be FastTracked, so it is likely to see some packets going through a slow path even though the connection is marked for FastTrack. This is the reason why fasttrack-connection is usually followed by an identical "action=accept" rule.

chain=forward action=fasttrack-connection connection-state=established,related connection-mark=no-mark

Tip no. 2:
The list that you prepare should be timebased so when you add an entry to it then you should set timer for the entry for eg. 6 hours if you refresh that list every 6 hours. When you readd the entry during that period you just refresh/reset that timer, if not the entry just vanishes. No need to worry of any leftovers.

Tip no. 3:

Read that "The International Microtik Obsfucated Code Contest" for updating address lists: viewtopic.php?p=606832#p606832

:local AddressList [/ip firewall address-list find comment~"api\\."];
:foreach entry in=$AddressList do={
 :set ipAddress  ([/ip firewall address-list get $entry]->"address");
 ...
 
 

The main question is where the "api*" list come from?

/ip firewall address-list 

api.mycluster.example

api.mycluster2.example

api.mycluster.example

api.mycluster2.example

Seems that the TTL of the dynamic DNS based names is used to feed the list and when it expires the list is refreshed to the actual apiN.example.com
viewtopic.php?t=177324

You can check it easily: make a list based on any noncrucial DNS name and then set local static DNS name with different IP and set the low test TTL for that. Then watch how and when the address list reacts to changes to static entry or disabling it.

/ip/route/remove [find where (comment~"api\\.") and !(comment~"2025/01/24 14:30")]

# extract addresses in the list
:local AddressList [/ip firewall address-list find comment~"api\\."];
:local ipAddress;
:local timeStamp [:timestamp]

:foreach entry in=$AddressList do={
 :set ipAddress  ([/ip firewall address-list get $entry]->"address");
 :put ($ipAddress."/32");
 /ip/route/add comment=([/ip firewall address-list get $entry]->"comment"."_$timeStamp") disabled=no distance=1 dst-address=($ipAddress."/32")  gateway=10.x.x.x routing-table=main;
};

# delete old API routes
/ip/route/remove [find where (comment~"api\\.") and !(comment~".*_$timeStamp")]