Ingress NGINX Retirement: What You Need to Know

Summary

Kubernetes SIG Network and the Security Response Committee have announced the retirement of the Ingress NGINX controller due to unsustainable maintenance and security challenges. Best-effort maintenance will continue until March 2026, after which the project will no longer receive bugfixes, releases, or security updates.

Key Points

• The final date for all maintenance, bugfixes, and security patches is March 2026.
• Post-retirement, GitHub repositories will be transitioned to read-only status.
• Existing deployments will remain functional, and installation artifacts, including Helm charts and container images, will remain available.
• The "snippets" annotation feature, which allows for the injection of arbitrary NGINX configuration directives, is identified as a significant security risk and source of technical debt.
• The proposed successor, InGate, has also been retired due to insufficient development progress.
• Active Ingress NGINX instances can be identified using the following command: kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx.

Technical Details

The retirement is driven by the difficulty of maintaining the controller's extensive feature set and the security implications of its flexible configuration capabilities. Specifically, the ability to use "snippets" annotations to add arbitrary NGINX configuration has become a primary security concern that is difficult to reconcile with modern cloud-native security standards. This flexibility, while originally a core strength, has evolved into significant technical debt that the current small group of maintainers cannot manage.

The project has historically operated with minimal maintainership, often relying on only one or two developers. Efforts to transition to the Gateway API via the development of a replacement controller, InGate, were unsuccessful and have also been abandoned. Consequently, the community is directing users toward the Gateway API as the modern, standardized replacement for managing network traffic in Kubernetes.

Impact / Why It Matters

Developers and infrastructure engineers must migrate to the Gateway API or an alternative Ingress controller before March 2026 to avoid running unpatched infrastructure. After this deadline, any newly discovered vulnerabilities in Ingress NGINX will remain unaddressed, posing a direct risk to cluster security.