Docs
HomeGitHubSign Up
Start typing to search…

C-0292 - NGINX Ingress Controller End of Life

Prerequisites

Run Kubescape with host sensor (seehere)

Framework

ArmoBest

Severity

Medium

Description of the the issue

The community Kubernetes NGINX Ingress Controller project is scheduled to reach End of Life (EOL) in March 2026. After this date, the project will no longer receive security patches, bug fixes, or functional updates, increasing the risk of unpatched vulnerabilities and operational incompatibilities for workloads that continue using it.

Ingress controllers are critical components that manage external traffic into Kubernetes clusters. Running a controller that is no longer supported exposes clusters to potential security risks, reduced stability, and compatibility issues with newer Kubernetes releases.

This control identifies workloads using the community NGINX Ingress Controller to allow planning and migration to supported alternatives before the EOL date.

Related resources

Ingress, Service, Deployment, DaemonSet

What does this control test

This control scans Kubernetes clusters to detect the presence of the community Kubernetes NGINX Ingress Controller and flags workloads that use it. The detection focuses on deployments using known NGINX Ingress Controller images or manifests that match community ingress-nginx project patterns.

Remediation

To ensure continued security, support, and compatibility, migrate away from the community NGINX Ingress Controller to a supported ingress solution before March 2026.

Recommended alternatives include:

  • F5 NGINX Ingress Controller – a commercially supported NGINX-based ingress solution with security and support guarantees. https://docs.nginx.com/nginx-ingress-controller/
  • Kubernetes Gateway API – a cloud-native standard offering more flexible and extensible API models.
  • HAProxy Ingress Controller – an open-source, high-performance ingress controller.
  • Traefik – a dynamic ingress controller with built-in routing features.
  • Cloud-native ingress solutions:
    • AWS ALB Ingress Controller
    • GKE Ingress
    • Azure Application Gateway Ingress Controller

Migration Guidance:

  • Assess current ingress configurations, annotations, and routing features.
  • Test alternative controllers in a staging environment prior to production migration.
  • Update manifests and annotations to be compatible with the chosen controller.
  • Validate TLS termination, routing rules, and other advanced features after migration.

Example

A Kubernetes cluster has a deployment annotated for the community NGINX Ingress Controller (k8s.gcr.io/ingress-nginx/*). This control flags the deployment as using the soon-to-be EOL controller and recommends migration planning.

Updated about 3 hours ago