The Kubernetes ecosystem is undergoing a major transition.
Last November, the Kubernetes community announced the retirement of the Ingress NGINX controller (kubernetes/ingress-nginx). Per the announcement, best-effort maintenance will continue until March 2026. Afterward, there will be no further releases, no bugfixes, and no updates to resolve any security vulnerabilities that may be discovered.
For many organizations running Kubernetes, including Fastly Security customers who deploy agents using the Kubernetes + Ingress Controller + Module, this change introduces important questions about security, maintainability, and long-term architecture.
Ingress NGINX Controller Retirement: What It Means for Kubernetes Users
After the Ingress NGINX maintenance retires, there will no longer be maintenance releases, but existing deployments will continue to function. Bugfixes and, more importantly, newly discovered security vulnerabilities will not be addressed, leaving your deployments increasingly vulnerable to attack.
While the last release from the NGINX community will have some holding power for a period of time, it is important to stay ahead in your protection, whether that means finding new ways to keep the existing Ingress NGINX controller updated or transitioning to alternative solutions.
Let’s review your options and where you can go from here.
What Fastly Security Customers Should Do About the Ingress NGINX Retirement
Fastly understands that this migration may be complex and require interdisciplinary teams working together, and stands ready to help with short-term as well as long-term solutions. Short-term solutions can be implemented while the Ingress NGINX deployment remains in place and longer-term solutions are developed.
Short-Term Mitigation Options Before the March 2026 Deadline
There is at least one and probably more short-term solutions possible for this migration.
Option 1: Deploy a Commercial Kubernetes Ingress Controller
Ingress-NGINX is deprecated, but the Ingress API is not. Several commercial vendors offer supported implementations of the Ingress API. Migrating to a commercial solution allows you to maintain your current Ingress resources while shifting the maintenance and security burden to a paid vendor.
However, even in this case, swapping your ingress controller still requires engineering effort and may encounter, for example, unsupported annotations.
Pros:
Security: Provides a fully supported environment with active CVE mitigation.
API Continuity: Allows you to continue using the familiar Kubernetes Ingress API.
Cons:
Operational Disruption: Requires coordinated effort across teams to migrate traffic and test functionality.
Technical Debt: You will still likely need to execute a second migration to the Gateway API in the future.
Cost: Requires purchasing a commercial license.
Option 2: Use the Chainguard Maintained Fork of ingress-nginx
In response to the retirement notice, supply chain security company Chainguard stepped up to maintain a fork of the latest ingress-nginx release through their EmeritOSS program. This is a maintenance-only fork designed specifically to buy engineering teams time — they are not adding new features, but they are committed to patching CVEs and updating underlying libraries.
Fastly is actively monitoring this fork. As it matures and tags stable releases, our team is validating it as a secure alternative. Once this due diligence is complete, Fastly intends to wrap our Security agent with Chainguard’s solution. Our goal is to provide a seamless, behind-the-scenes drop-in replacement so your current setup can continue as-is without requiring an immediate migration. We will provide updates on our progress and validation efforts here and within our technical documentation.
Pros:
No Disruption: Intended to be a seamless, drop-in replacement requiring no immediate migration effort.
Maintained Security: Benefits from Chainguard’s commitment to patching vulnerabilities and updating libraries.
Cons:
Temporary Fix: This is a stopgap measure; because the fork is feature-frozen, you will still need to plan a future migration to the Gateway API or an alternative proxy.
Pending Validation: Fastly's integration is currently undergoing rigorous testing to ensure it will not negatively impact customer deployments.
Will need eventual migration to long-term supported architecture
Long-Term Strategy: Replacing Ingress NGINX in Kubernetes
When looking past the March 2026 deadline, your long-term replacement strategy will likely fall into one of two paths:
Transitioning to the Gateway API (Envoy/Istio): For most environments, the recommended path involves migrating away from the feature-frozen Ingress API and adopting the Kubernetes Gateway API. This standard aligns with current industry trends and provides a more robust, role-based approach to traffic management. Fastly provides seamless support for leading data planes in this ecosystem, including:
Envoy: A highly performant, modern edge and service proxy.
Istio: The ideal choice if your architecture utilizes a comprehensive service mesh.
Migrating to an Alternative Proxy: If the Gateway API does not fit your current engineering roadmap, you can replace NGINX with an alternative, actively maintained proxy. HAProxy is a proven, high-reliability load balancer. Fastly fully supports HAProxy as a module for our Next-Gen WAF, making it a secure and highly effective long-term replacement.
Regardless of which path you choose, architectural migrations are complex, and achieving operational maturity, validating your new configurations, and executing a safe cutover takes time — especially given the complexities of the Gateway API. It is completely expected that these long-term solutions will land after the March deadline, which is why establishing short-term mitigations in the interim is so crucial.
Preparing for the Future After Ingress NGINX
Fastly is dedicated to keeping your web application working as you intended. Even in the presence of threats, misuse, and in this case, technology shutdowns. As technology enthusiasts ourselves, it is sad to see one of the oldest and most widely deployed ingress controllers for Kubernetes end a ten-plus-year run. We understand the decision and stand next to them and all those who chose to adopt them.
As you choose your next adventure, Fastly is happy to work with you and provide all the support you need. Reach out to our team of experts if you need assistance in choosing where to go from here.