Kubernetes Retires NGINX Ingress Controller by March 2026

Kubernetes SIG Network and the Security Response Committee announced in November 2025 that NGINX Ingress Controller will be fully retired by March 2026. After that deadline, the project will receive no bug fixes, security patches, or new releases, leaving 41% of internet-facing Kubernetes clusters exposed if teams fail to migrate. Critically, NGINX itself, the popular web server is not being retired; only the Kubernetes ingress-nginx controller is affected.

What’s Being Retired

NGINX Ingress Controller is a Kubernetes ingress controller that routes external HTTP/S traffic into cluster services. It couples NGINX as a data plane with a Kubernetes-native control plane to implement the Ingress API specification. The retirement applies exclusively to the community-maintained kubernetes/ingress-nginx project.

Best-effort maintenance continues until March 2026. After that date:

• No further releases
• No bug fixes
• No security vulnerability patches
• GitHub repositories become read-only

Existing deployments will keep running, and installation artifacts remain available, but without security support, continued use introduces critical risk.

Why Kubernetes Pulled the Plug

The project has operated on life support for years, maintained by just 1–2 developers working nights and weekends. The 2025 IngressNightmare vulnerability (CVE-2025-1974) exposed deep security flaws that arose from the controller’s flexible architecture.

SIG Network exhausted efforts to find sustainable maintainers. The combination of mounting technical debt, serious security issues, and insufficient community resources forced the retirement decision.

Major cloud platforms including IBM Cloud, Alibaba ACK, Azure AKS, DigitalOcean, and Rancher RKE2 either ship NGINX Ingress as default or offer managed add-ons. The retirement ripples across hyperscale production environments, developer laptops running Minikube, and EKS clusters where teams install it manually.

The Gateway API Upgrade Path

Gateway API is Kubernetes’ next-generation traffic management standard, designed to replace the aging Ingress API. It reached v1.0 in late 2023 and solved core Ingress limitations.

Key improvements over Ingress API:

• Role separation for infrastructure providers, cluster operators, and app developers
• Protocol-agnostic support (HTTP, TCP, gRPC, not just web traffic)
• Native advanced routing (canary, blue-green deployments) without annotation hacks
• Standardized extensibility through WebAssembly plugins and service mesh integration
• Independent gateway instances for better isolation

Projects like Higress, Traefik, and Envoy Gateway already support Gateway API v1.4 standards. Migration tools such as ingress2gateway automate conversion of existing Ingress YAML to Gateway API resources.

Alternative Ingress Controllers

Teams not ready for Gateway API can migrate to actively maintained Ingress controllers:

NGINX Inc. (F5) offers a separate, commercially supported NGINX Ingress Controller that will continue receiving updates. This is distinct from the retiring community version.

What DevOps Teams Must Do

Check if you’re affected:

textkubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginx

If ingress-nginx pods appear, you’re running the retiring controller.

Migration timeline:

• Now–February 2026: Test alternatives in staging environments
• Before March 2026: Complete production migration
• Post-March 2026: Zero security support; unpatched CVEs become weaponized

Deploy Gateway API by creating Gateway and HTTPRoute resources that replace Ingress objects. Map existing host and path rules from Ingress to HTTPRoute configurations. Test traffic routing and TLS termination before cutover.

Featured Snippet Boxes