Security & Networking
Ingress-NGINX Retirement:
What the March 2026 Shutdown Means
for Half the World’s Kubernetes Clusters
On March 13 2026, the most widely deployed Kubernetes ingress controller reached end-of-life. No more patches. No more CVE fixes. Learn why the ingress-nginx retirement happened, security implications, and how to migrate.
Ingress-NGINX did not fail. It succeeded so comprehensively that the two unpaid engineers who maintained it in their spare time could no longer bear the weight of the responsibility it had accumulated. On March 13, 2026, after years of managing traffic routing for approximately half of all production Kubernetes deployments globally, the ingress-NGINX retirement was formally executed. No further patches. No further CVE fixes. No further maintenance of any kind. The gatekeeper has left the building — and tens of thousands of clusters are still relying on deprecated ingress-nginx infrastructure.
This is not a deprecation notice with a comfortable multi-year runway. The ingress-nginx retirement represents a hard stop, announced in November 2025 and executed in March 2026 — a window of approximately four months that proved wholly inadequate for organisations whose change management processes, regulatory compliance obligations, or operational complexity placed migration well beyond a quarterly sprint. Moreover, for those organisations, the architecture that manages every byte of inbound HTTP and HTTPS traffic to their production workloads is now running on software that will never receive another security update.
Understanding what the ingress-nginx retirement means — and for whom — requires moving beyond the headline and into the architectural and security realities that the CNCF’s retirement announcement surfaced. The ingress-NGINX story is simultaneously a case study in the structural fragility of open source infrastructure maintenance, a live security incident playing out in slow motion across thousands of production environments, and the most consequential Kubernetes migration event since the container ecosystem reached enterprise maturity.
The Architecture That Made It Indispensable Also Made It Indefensible
The ingress-nginx retirement did not occur because it stopped working. It happened because the architectural decisions that made ingress-NGINX the default choice for Kubernetes ingress over a decade created a security and maintainability burden that its community of contributors — never adequately resourced relative to its deployment footprint — could no longer sustain.
The Snippet Annotation Vulnerability Surface
The fundamental vulnerability in ingress-NGINX lies in what the CNCF called its “inherent vulnerabilities” — specifically, its use of snippet annotations. These are arbitrary NGINX configuration fragments that can be injected into the running controller via Kubernetes Ingress resource annotations. The flexibility this offered was precisely what drove adoption: teams could customise NGINX behaviour without forking the controller or maintaining separate configuration infrastructure. However, that same flexibility created a persistent code injection attack surface that proved impossible to secure comprehensively. The feature that powered billions of requests was structurally incompatible with the security model required for production infrastructure at enterprise scale.
Cluster-Wide Blast Radius From Ingress-NGINX Compromise
Compounding this vulnerability, the ingress-NGINX controller’s default configuration grants access to all Kubernetes secrets across namespaces — a privilege level appropriate for a trusted platform component, but catastrophic if that component is compromised. When vulnerabilities in the annotation processing pipeline were discovered in ingress-NGINX, as they repeatedly were, the blast radius was not confined to the ingress layer. It extended to the entire cluster. This architectural flaw made the ingress-nginx retirement inevitable.
IngressNightmare and the CVE Trail Leading to Ingress-NGINX Retirement
The ingress-nginx retirement did not occur in a security vacuum. The project’s final years were marked by a succession of critical and high-severity vulnerabilities that collectively described a component operating at the outer limits of maintainability. The most significant of these — the IngressNightmare chain disclosed in March 2025 — established beyond reasonable dispute that ingress-NGINX’s admission controller architecture created a cluster-wide attack surface of extraordinary severity.
Ingress-NGINX CVE Record — Key Vulnerabilities 2025–2026
CVE-2025-1974 deserves particular attention. Wiz Research, which discovered and responsibly disclosed the IngressNightmare chain, characterised the attack surface with clinical precision: an unauthenticated attacker with access to the pod network — which in many cloud VPC configurations means any workload in the account, not merely within the cluster — could chain the admission controller vulnerability with annotation injection flaws to achieve remote code execution and full cluster takeover. The ingress-NGINX controller’s default privilege to access all Kubernetes secrets across namespaces meant that a successful exploit was not a partial compromise. It was total.
“This cannot be ignored, brushed off or left until the last minute to address. We cannot overstate the severity of this situation or the importance of beginning migration to alternatives like Gateway API immediately.”
CNCF Kubernetes Steering Committee — January 2026 StatementWhy Regulated Industries Got Left Behind by Ingress-NGINX Retirement Timeline
The CNCF’s four-month window from ingress-nginx retirement announcement to final release was not malicious — it reflected the maintainers’ assessment of what was operationally viable for the majority of the project’s users. For organisations with mature platform engineering practices, the ingress-NGINX retirement decline had been visible for years. Many had already migrated to Gateway API implementations or alternative controllers well before the November 2025 announcement.
However, for organisations operating in regulated environments — US FDA device compliance, EU Medical Device Regulation, financial services infrastructure subject to change management frameworks — the migration timeline for an ingress-nginx retirement operates on a fundamentally different clock. Heinan Cabouly, a DevOps team lead and architect at a medical device company operating under both FDA and EU MDR compliance requirements, estimated his migration would require approximately nine months. The CNCF gave him six from announcement to final ingress-NGINX retirement release — and he did not hear about the retirement until two months after the announcement, having encountered it only when upgrading to Kubernetes 1.35.
The Regulated Industry Problem
For FDA-regulated medical device software, EU MDR-compliant environments, and financial services infrastructure subject to formal change management, a six-month migration window for a component that touches all inbound production traffic is not a timeline — it is a liability. The ingress-NGINX retirement announcement did not reach organisations whose change velocity is institutionally constrained. They will be running unpatched ingress infrastructure in production environments handling clinical data and financial transactions for months or years to come.
The broader pattern resonated beyond regulatory constraints. A Reddit survey conducted after the November 2025 ingress-nginx retirement announcement found that 44% of Ingress-NGINX users had no migration plan in place. The Kubernetes Steering Committee issued a second, more urgent statement in January 2026 specifically because the community was not moving quickly enough. The situation on the day of ingress-NGINX retirement — March 13, 2026 — likely represents the most widespread instance of known-vulnerable, unmaintained infrastructure in active production use in the Kubernetes ecosystem’s history.
The Deeper Failure: Open Source Infrastructure Maintenance
The most important lesson from the ingress-NGINX retirement is not about ingress controllers. It is about the structural model through which the cloud-native ecosystem has allowed critical infrastructure to be maintained — or more precisely, to go under-maintained — by a handful of volunteers whose commitment exceeded any reasonable expectation of what unpaid contribution should bear.
The Structural Failure of Open Source Maintenance
Ingress-NGINX’s final years saw two unpaid maintainers responsible for the security of approximately half of all production Kubernetes clusters globally. Those maintainers — Marco Ebert and James Strong — worked on patches and bug fixes in their personal time, evenings and weekends, while the project’s corporate beneficiaries — the hyperscalers, the ISVs, the platform engineering teams shipping Kubernetes-backed SaaS products — captured the economic value of the ingress-nginx infrastructure without proportionate investment in its sustainability. Furthermore, this is not unique to ingress-NGINX—it is the structural condition of much of the open source infrastructure that underpins the modern cloud.
The Log4Shell Pattern Repeats
The same dynamic that produced the Log4Shell crisis — a ubiquitous library maintained by a small number of volunteers, exploited catastrophically because organisations whose revenue depended on it had not invested in its security — produced the ingress-nginx retirement situation. The difference is that ingress-NGINX’s maintainers had the visibility and authority to call the situation what it was and retire the project before it became a crisis of exploitation rather than a crisis of migration.
“A lot of organizations aren’t going to shift away from it — even though it’s got known vulnerabilities that are being exploited — for the same reason they didn’t shut it off two or three years ago, which is that it worked two or three years ago, and it still works now.”
Nigel Douglas, Head of Developer Relations, Cloudsmith — March 2026What Comes After Ingress-NGINX Retirement: Six Proven Alternatives
Nevertheless, there is no drop-in replacement for ingress-NGINX. The Gateway API — the CNCF’s designated successor to the Kubernetes Ingress API, stable since 2023 — is not a new version of Ingress. It is a fundamentally different resource model with a role-oriented architecture that separates infrastructure concerns (GatewayClass, Gateway) from application routing concerns (HTTPRoute). Post-ingress-nginx retirement, the migration is not a configuration update. It is an architecture change.
| Alternative | Data Plane | Gateway API | Best For | Effort After Ingress-NGINX Retirement |
|---|---|---|---|---|
| Envoy Gateway | Envoy Proxy | Full (v1.4.0) | Standard-compliant ingress, mTLS, JWT, rate limiting without service mesh | Medium |
| Cilium Gateway | eBPF + Envoy | Full (v1.4.0) | Teams already using Cilium CNI — zero additional controller deployment | Medium (requires Cilium CNI) |
| Traefik v3 | Traefik | Supported | Ease of use, small-to-medium clusters, developer-centric platforms, k3s | Low |
| kgateway (formerly Gloo) | Envoy Proxy | Full (v1.4.0) | Migration tooling, AI workloads, microservices; best ingress-nginx to gateway API compatibility | Low–Medium |
| NGINX Gateway Fabric | NGINX (F5) | Full | Teams wanting NGINX familiarity with Gateway API compliance post-ingress-nginx retirement | Low (annotation mapping available) |
| HAProxy Kubernetes Gateway | HAProxy | Supported | Latency-sensitive environments; raw performance as primary requirement | Medium |
| Kong Ingress Controller | Kong / Envoy | Supported | API gateway features needed: auth, rate limiting, OPA, plugin ecosystem | Medium |
| Chainguard Fork | NGINX | No | Temporary bridge — security patches only, no feature development post-retirement | Very Low (drop-in) |
Additionally, for teams who cannot migrate immediately after the ingress-NGINX retirement, Chainguard — a software supply chain security vendor — is maintaining a security-focused open source fork of ingress-NGINX. This is explicitly a bridge, not a destination: Chainguard will patch CVEs but will not add features or fundamental architectural changes. It buys time for organisations whose change management processes make immediate migration infeasible following the ingress-NGINX retirement, but it does not eliminate the underlying risk of running an architecturally compromised ingress controller.
Managed Kubernetes Provider Support After Ingress-NGINX Retirement
For cloud-managed Kubernetes, the picture varies by provider. EKS clusters running manual ingress-NGINX installations are now exposed post-retirement; AWS Load Balancer Controller is the recommended path. GKE clusters face the same calculus, with transition to GKE Gateway API or a supported ingress controller recommended. Some managed Kubernetes providers have extended support commitments for specific CVE patches into late 2026 following the ingress-NGINX retirement, but these cover disclosed vulnerabilities only — not the broader exposure of running unsupported software in perpetuity.
Migration Tool for Ingress-NGINX Retirement
The ingress2gateway project — a CNCF migration utility — automates the translation of Ingress manifests to Gateway API resources. kgateway maintains a fork with expanded support for ingress-NGINX-specific annotations. For teams with large existing ingress-NGINX configurations, this tool substantially reduces the mechanical burden of migration post-retirement, though it cannot automate the architectural decision-making or compliance validation that regulated environments require.
What the Ingress-NGINX Retirement Tells Us About Cloud Infrastructure
Ultimately, the ingress-NGINX retirement is a security event, but it is more consequentially an institutional event. It reveals the gap between the organisations that treat cloud-native infrastructure as a strategic capability — investing in platform engineering, maintaining current versions, tracking CNCF project lifecycles — and those that treat it as a commodity, deploying it once and trusting that the ecosystem will sustain it indefinitely.
The former group had already migrated before the ingress-NGINX retirement in March 2026. The Kubernetes Steering Committee’s January statement confirmed this: teams with strong platform engineering practices were already on Gateway API or evaluated alternatives long before the final ingress-NGINX release. The migration pressure from the ingress-NGINX retirement fell almost entirely on organisations whose platform maturity lagged their operational dependency on the component.
The open source sustainability dimension deserves more than a footnote following the ingress-NGINX retirement. The CNCF has over 170 member organisations — hyperscalers, cloud providers, platform vendors — many of whom built products and services generating hundreds of millions in revenue on the back of infrastructure maintained by two engineers working in their spare time. The ingress-NGINX retirement should be the catalyst for a serious conversation about what adequate investment in critical open source infrastructure actually looks like, because the same structural vulnerability exists in dozens of other projects that are quietly bearing the same weight.
For enterprise technology leaders post-ingress-NGINX retirement, the immediate question is simple: run kubectl get pods –all-namespaces –selector app.kubernetes.io/name=ingress-nginx against every cluster in your inventory. If it returns results, you have a decision to make — and the clock started on March 13, 2026.
Sources & References
- CNCF / Kubernetes Steering Committee — “Ingress NGINX: Statement from the Kubernetes Steering and Security Response Committees”, January 2026: kubernetes.io
- Kubernetes SIG Network — “Ingress NGINX Retirement”, November 2025: kubernetes.io
- Wiz Research — “IngressNightmare: CVE-2025-1974 and related vulnerabilities”, March 2025: wiz.io
- Datadog Security Labs — “The IngressNightmare vulnerabilities: overview, detection and remediation”, March 2025: securitylabs.datadoghq.com
- Datadog Security Labs — “Kubernetes Ingress-NGINX retirement warning”, February 2026: securitylabs.datadoghq.com
- TechTarget / Informa — “CNCF Ingress Nginx retirement could leave some users at risk”, Beth Pariseau, March 25 2026
- Redeploy — “Ingress-NGINX is retired. What your Kubernetes team needs to do”: redeploy.com
- Heinan Cabouly — “Kubernetes just told 50% of its users: your help came too late”, Medium, February 2026
- NETWAYS Web Services — “What comes after ingress-nginx?”, March 2026: nws.netways.de
- Kubernetes Gateway API — Official implementations list: gateway-api.sigs.k8s.io
- CVE-2025-1974, CVE-2026-24512, CVE-2026-4342 — GitHub Kubernetes Security Advisories