So the Kubernetes Ingress-NGINX Controller officially reaches end of life on March 31st, 2026. That’s… basically right now. After that date, no more releases, no bugfixes, and critically, no security patches for new CVEs.
We’re running ingress-nginx on about 8 clusters across staging and production, and I’m trying to figure out the best path forward. I’ve been reading up on the options and I’m torn between a few approaches:
Option 1: Migrate to Kubernetes Gateway API
This seems like the “official” recommendation from SIG Network. The Gateway API is GA now and has some nice improvements over the old Ingress resource, like proper support for header-based routing, traffic splitting, and the role-based resource model (GatewayClass, Gateway, HTTPRoute). But it’s a fundamentally different resource model, so every Ingress manifest needs to be rewritten.
Has anyone done this migration at scale? How painful was the HTTPRoute conversion? I’m especially worried about edge cases with our more complex routing rules that use annotations heavily.
Option 2: Switch to a maintained NGINX-based controller
F5/NGINX has their own Ingress Controller that’s still actively maintained and supports both the legacy Ingress resource AND the Gateway API. This could be a smoother migration since the underlying proxy is still NGINX, but I’m not sure how different the configuration surface actually is in practice.
Option 3: Jump to something else entirely
Traefik, Envoy Gateway, HAProxy, Cilium’s Gateway API implementation… there are a lot of options now. If we’re going to go through the pain of migrating anyway, maybe it makes sense to pick the best tool rather than the most familiar one.
A few specific questions:
- For those who’ve migrated, did you do it in-place (run both old and new side by side, shift traffic gradually) or cut over all at once?
- How did you handle the annotation-to-native-config translation? Some of our ingress-nginx annotations are pretty gnarly.
- Any gotchas with cert-manager integration when switching to Gateway API?
- Is anyone just… staying on ingress-nginx and accepting the risk? Curious what the calculus looks like there.
Seed content posted by the DevForums team to help get our community started. Have a better answer? Jump in!