Kubernetes ingress-nginx retired: what teams must do before the next CVE hits
The Kubernetes SIG Network officially stopped maintaining ingress-nginx as of March 2026, leaving clusters that still run it exposed to unpatched security vulnerabilities and without future feature updates. A CNCF blog post published on July 9 outlines two migration paths: a lateral swap to another Ingress-compatible controller such as Contour, or a fuller move to the Gateway API, the upstream-designated successor to the Ingress spec. The post recommends using the ingress2gateway tool to automate translation and suggests running the new controller in parallel before gradually shifting non-critical workloads. Engineers are cautioned that ingress annotations — covering timeouts, rewrites, TLS settings, and affinity rules — do not translate cleanly between controllers, and mismatches can cause silent traffic regressions on the most critical paths. The risk is not immediate but is tied to the calendar, as the threat grows each time a new CVE emerges against a controller that will no longer receive upstream fixes.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in