Half of Kubernetes Clusters Are About to Lose Security Updates - The Landscape


If you run Kubernetes, there’s a coin-flip chance you’re running a component that will stop receiving security patches in two months. Roughly 50% of cloud native environments use Ingress NGINX.

Ingress NGINX, the most widely deployed ingress controller in the cloud native ecosystem, is being retired at the end of March 2026. I interviewed two members of the Kubernetes Steering and Security Response Committees to understand why. The answer says more about open source sustainability than it does about NGINX.

The Scale of the Problem

How many clusters are affected? “I work at Datadog, and internal research there puts it at approximately half of cloud native environments are using Ingress NGINX to some extent or another,” Tabitha Sable, co-chair of Kubernetes SIG Security, told me.

Half. Of all cloud native environments.

Ingress NGINX ships by default in platforms like RKE2, IBM Cloud Kubernetes Service, and Alibaba ACK. Many teams don’t even know they’re running it.

What Ingress NGINX Does

Kubernetes pods get internal IP addresses that mean nothing to the outside world. An ingress controller is what exposes your applications to external traffic. Ingress NGINX does this by configuring NGINX as a reverse proxy, routing requests to your pods based on rules you define.

Unlike cloud-provider-specific solutions, it has no external dependencies on load balancer appliances or cloud services. It works anywhere, which is exactly why it became so popular. And exactly why its retirement affects so many teams.

The Story Behind the Retirement

Despite massive adoption, Ingress NGINX has always struggled with maintainer burnout. Kat Cosgrove, member of the Kubernetes Steering Committee, put it bluntly:

“The oldest ask for additional contributors or maintainers I could find was from 2022. That’s pushing four years of publicly begging for help and not getting any. So at some point, like, what are we supposed to do?”

The project has been running on fumes: one or two volunteers working nights and weekends. Features that once seemed clever became security liabilities. The Kubernetes team made the responsible choice: acknowledge reality rather than maintain the illusion that this software is well-supported.

https://xkcd.com/2347/

The Migration Challenge

There is no drop-in replacement.

The CNCF recommendation is Gateway API. But switching isn’t a one-liner. “Every option requires some degree of planning and engineering work,” Kat explained. In practice, many teams are taking a different path. “Many companies I have spoken to are switching to Traefik or similar solutions for the time being because it is easier,” shares Artem Lajko, Head of Platform Engineering at iits-consulting.

Some migrations will be quick. Others, depending on how deeply you’ve customized your setup, will be significant projects.

Tabitha’s advice: “You will be much happier in August if you start doing this now rather than waiting until your compliance team comes and says, ‘hey, what are we going to do about this?'”

Are You Running Ingress NGINX?

The simple check: if your cluster has a namespace called ingress-nginx, you’re almost certainly running it.

kubectl get namespace ingress-nginx

The Kubernetes blog post includes a more detailed command that catches customized installations. The ingress-nginx repository has a deprecation notice at the top of the README with migration guidance.

The caveat? Some organizations have done deeply clever integrations that won’t show up with standard checks. As Tabitha noted, “I hope that nobody is doing anything terrifically clever by accident.”
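A broader read-only inventory than the namespace check, as an added example that is not from the article or the Kubernetes project: it looks for controller pods by label in every namespace, then lists the Ingress objects bound to an ingress-nginx IngressClass, which is the migration work list. It assumes the standard app.kubernetes.io/name=ingress-nginx label and the default controller ID k8s.io/ingress-nginx; the function names are made up for illustration.

```shell
#!/usr/bin/env bash
# Added example: read-only inventory of Ingress NGINX usage. Function names are illustrative.

# Controller pods in any namespace, matched by the standard label
# app.kubernetes.io/name=ingress-nginx rather than by namespace name.
controller_pods() {
  kubectl get pods --all-namespaces \
    --selector app.kubernetes.io/name=ingress-nginx --no-headers \
    -o custom-columns=NS:.metadata.namespace,POD:.metadata.name
}

# IngressClass names whose controller is ingress-nginx. Assumes the default
# controller ID k8s.io/ingress-nginx; an install with a customized ID needs
# that value added to the comparison.
nginx_classes() {
  kubectl get ingressclass \
    -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{.spec.controller}{"\n"}{end}' |
    awk -F'\t' '$2 == "k8s.io/ingress-nginx" { print $1 }'
}

# Ingress objects bound to one of the class names in $1 (newline-separated),
# via spec.ingressClassName or the legacy kubernetes.io/ingress.class annotation.
ingresses_for_classes() {
  kubectl get ingress --all-namespaces -o jsonpath='{range .items[*]}{.metadata.namespace}{"\t"}{.metadata.name}{"\t"}{.spec.ingressClassName}{"\t"}{.metadata.annotations.kubernetes\.io/ingress\.class}{"\n"}{end}' |
    CLASSES="$1" awk -F'\t' '
      BEGIN { n = split(ENVIRON["CLASSES"], c, "\n")
              for (i = 1; i <= n; i++) if (c[i] != "") want[c[i]] = 1 }
      ($3 in want) || ($4 in want) { print $1 "/" $2 }'
}

inventory() {
  classes=$(nginx_classes)
  echo "# controller pods";       controller_pods
  echo "# ingress-nginx classes"; echo "$classes"
  echo "# ingresses to migrate";  ingresses_for_classes "$classes"
}

# Run against the current kubectl context only when asked to.
if [ "${1:-}" = "--run" ]; then inventory; fi
```

Ingress objects that name no class at all are not listed; they need a manual look if an ingress-nginx class is the cluster default.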

What This Says About Open Source

Writing this article, I kept coming back to one thing: Ingress NGINX powers roughly half the internet-facing Kubernetes clusters on the planet, yet no company stepped up to sponsor meaningful maintenance. Volunteers asked for help for four years. The community didn’t respond.

We celebrate open source as the foundation of modern infrastructure, but we’ve built that foundation on the assumption that someone else will maintain it. That model works until it doesn’t. And when it fails, it fails at scale. Half of Kubernetes clusters simultaneously discover they’re running unsupported edge software.

If you’re running Ingress NGINX, you have 2 months to get it done. Start today.

This article was sponsored by Rootly – a leading AI-powered on-call and incident response. Trusted by leading companies like NVIDIA, Squarespace, Canva, Figma, and more.