Navigating the Ingress NGINX Sunset: Four Migration Strategies and How to Choose
March 2026 marked a turning point for Kubernetes networking. The Ingress NGINX Controller, one of the most widely deployed components in the ecosystem, has officially entered end of life. No new releases, no bug fixes, no security patches. For platform teams running production workloads, the question is no longer whether to migrate, but how.
Over the past months, the community has converged around four distinct migration strategies. Each comes with real trade-offs. Understanding them is critical to making the right choice for your organization.
Strategy 1: Migrate to Another Ingress Controller
The most straightforward option on paper is to pick a different ingress controller and follow its migration guide. Every major vendor has published one.
The challenge is that “migration guide” is often a euphemism for “rewrite everything.” Ingress NGINX annotations are a proprietary configuration contract. No other controller speaks that language natively. Migrating means converting every annotation and every customization to a completely different syntax, whether that’s another vendor’s annotation set, custom CRDs, or an entirely different configuration model.
For clusters with a handful of Ingresses, this is manageable. For organizations running hundreds or thousands of Ingress resources refined over years, it’s a multi-month project with a significant risk of misconfiguration. Under deadline pressure, the risk multiplies.
Strategy 2: Adopt a Fork of Ingress NGINX
Shortly after the retirement announcement, a community fork appeared, promising to maintain the project with ongoing security patches. For teams under time pressure, this is the path of least resistance: just swap the container image.
But the core issue isn’t maintenance staffing. The #IngressNightmare vulnerabilities revealed fundamental architectural weaknesses, including template-based configuration rendering that enables injection attacks and memory safety risks inherent to C/C++ codebases. A fork inherits all of this. It patches symptoms without addressing causes. And if the original maintainers, who understood this codebase better than anyone, concluded that it could not be made safe and chose to walk away, why should we expect a third-party vendor with less context to succeed where they didn’t?
There’s also a strategic concern. Forks of deprecated projects tend to lose momentum over time. Building a long-term infrastructure strategy on a fork means betting that a new, smaller team will sustain the effort indefinitely, while the rest of the ecosystem moves toward Gateway API.
Strategy 3: Migrate Directly to Gateway API
Gateway API is the official successor to Kubernetes Ingress resources. It’s more expressive, more secure, role-oriented, and better designed for multi-tenant environments. It’s unambiguously the future.
The question is whether the future needs to happen this month.
Migrating from Ingress NGINX directly to Gateway API means changing two things simultaneously: the controller and the configuration model. Every Ingress resource must be rewritten as a combination of Gateway, HTTPRoute, and related resources. Teams must learn a new abstraction, new tooling, and new debugging patterns, all while maintaining production stability.
For organizations already investing in Gateway API, accelerating the transition makes sense. For everyone else, coupling an urgent security migration with a major architectural shift introduces unnecessary risk. The two concerns, “decommission Ingress NGINX” and “modernize your networking model,” are better addressed separately.
Strategy 4: Use a Controller that Supports Both Ingress NGINX Annotations and Gateway API Natively
A fourth approach has emerged that decouples the urgency from the architecture decision: Controllers that understand Ingress NGINX annotations natively, translating them into their own internal configuration without templates, without injection risks, and without requiring any changes to existing Ingress manifests.
This approach treats migration as a two-step process rather than a single leap. First, replace the controller while keeping your existing configuration intact. Then, when the pressure is off, progressively adopt Gateway API at your own pace, route by route, with both models running side by side.
The key requirement is that the replacement controller must genuinely support the Ingress NGINX annotation contract as a first-class input, not through a shim or conversion script. It must also be a production-grade Gateway API implementation, so that the second phase of migration doesn’t require yet another controller swap.
Traefik’s Ingress NGINX Provider is currently the only implementation of this approach, supporting 60+ Ingress NGINX annotations natively (covering over 90% of real-world usage patterns) while simultaneously offering full Gateway API support on the same instance.
A Three-Phase Migration
Regardless of which strategy you choose, the healthiest migration follows three phases.
Phase 1: Assess Your Situation
Before changing anything, audit your cluster. Tools like ingress-nginx-migration can inventory your Ingress resources, identify which annotations you’re actually using, and flag compatibility gaps. This turns an abstract problem into a concrete, scoped project.
Phase 2: Decommission Ingress NGINX with Zero Downtime
Deploy the new controller alongside Ingress NGINX. Both serve the same Ingresses simultaneously. Shift traffic progressively, one Ingress at a time, validating behavior at each step. Remove Ingress NGINX only once everything is verified. No big-bang cutover.
Phase 3: Modernize Progressively
With the immediate security risk resolved, adopt Gateway API on your own timeline. Convert routes one by one. Keep both models running in parallel. Roll back if something breaks. This is an architectural evolution, not an emergency.
The Bigger Picture
The Ingress NGINX retirement isn’t just a migration problem. It’s a signal. The Kubernetes ecosystem is moving from loosely-specified Ingress resources toward the richer, more standardized Gateway API model. Every organization will make this transition eventually.
The question is whether you make it under duress or on your own terms. The best migration strategies separate the urgent (replacing unmaintained software) from the important (adopting modern networking patterns), and give teams the space to do both well.
The deadline is here. But with the right approach, it doesn’t have to be a crisis.
