Kubernetes overlords decide Ingress NGINX isn’t worth saving

(2025/11/14)


Kubernetes maintainers have decided it’s not worth trying to save Ingress NGINX and will instead stop work on the project and retire it in March 2026.

Ingress NGINX is an ingress controller – a class of tool that allows external HTTP/S access to Kubernetes clusters and the applications they run.

Yesterday’s flexibility has become today’s insurmountable technical debt

According to Tabitha Sable, a staff engineer at Datadog who is also co-chair of the Kubernetes special interest group for security, “It became very popular due to its tremendous flexibility, breadth of features, and independence from any particular cloud or infrastructure provider.”

While developers have created alternatives, Sable feels “Ingress NGINX has continued to be one of the most popular, deployed as part of many hosted Kubernetes platforms and within innumerable independent users’ clusters.”

While popular, the tool is also problematic.

In March 2025, researchers at Wiz [2]found Ingress NGINX had serious vulnerabilities that could allow complete takeover of Kubernetes clusters.

The project was already in trouble before that revelation. Researchers had previously found and fixed several major security flaws. Its maintainers last year [5]announced they would stop adding core features and focus their efforts on a project called “InGate” that aimed to create a new ingress controller that also acted as a Gateway API controller – another means of connecting K8s clusters to the world.

[6]Don't want your Kubernetes Windows nodes hijacked? Patch this hole now

[7]Alibaba Cloud claims K8s service meshes can require more resources than the apps they run

[8]Red Hat backs CNCF project, spills TEE support over Kubernetes

[9]OpenInfra has only gone and joined the Linux Foundation

On Wednesday, the Kubernetes Security Response Committee (SRC) decided to pull the plug on Ingress NGINX.

“The breadth and flexibility of Ingress NGINX has caused maintenance challenges,” Sable [10]wrote. “Changing expectations about cloud native software have also added complications. What were once considered helpful options have sometimes come to be considered serious security flaws … Yesterday’s flexibility has become today’s insurmountable technical debt.”

Sable also wrote that Ingress NGINX “has always struggled with insufficient or barely-sufficient maintainership. For years, the project has had only one or two people doing development work, on their own time, after work hours and on weekends.”

When Wiz revealed its findings on Ingress NGINX flaws, it could find around 6,000 implementations of the tool. Come March 2026, any remaining instances will continue to work but developers will not deliver any updates.

So hop to it, K8s admins: You have a short period of time in which to consider if it’s possible to develop compensating controls that allow you to run abandonware, or pick an alternative and plan a migration. ®



[2] https://www.theregister.com/2025/03/25/kubernetes_flaw_rce_risk/

[5] https://kccncna2024.sched.com/event/1hoxW/securing-the-future-of-ingress-nginx-james-strong-isovalent-marco-ebert-giant-swarm

[6] https://www.theregister.com/2025/01/24/kubernetes_windows_nodes_bug/

[7] https://www.theregister.com/2024/08/12/alibaba_microservices_mesh_canal/

[8] https://www.theregister.com/2022/10/10/confidential_containers_encrypted_k8s/

[9] https://www.theregister.com/2025/03/12/openinfra_joins_the_linux_foundation/

[10] https://www.kubernetes.dev/blog/2025/11/12/ingress-nginx-retirement/



Shutdown without a plan or vaccine

man_iii

Nginx ingress controller is used in so many k8s projects this is not even funny.

I'm surprised CNCF would just abandonware such a prevalent piece of the k8s landscape without some kind of transition to another, perhaps an Apache project? Or one of the Istio project ingress controller?
