Cncf Retires The Ingress Nginx Controller For Kubernetes

Running nan Ingress Nginx controller for your Kubernetes clusters? You person until March to migrate to nan Gateway API, aliases immoderate different option, nan Cloud Native Computing Foundation decreed KubeCon+CloudNativeCon North America past week.

It was news that galore knew was coming but were still amazed by, especially the speedy turnaround asked of them.

“So you’ve sewage a batch of group scrambling astir nan convention coming looking for a replacement, because Ingress is nan default ingress controller for Kubernetes,” said HAProxy’s vice president of engineering and operations, Frank Mancina, successful a booth question and reply pinch TNS astatine nan event.

Kubernetes SIG Network and nan Security Response Committee scheme to put Ingress Nginx to remainder successful March 2026. After that, nan package will not beryllium supported: No further releases, nary bugfixes, and nary updates to resoluteness immoderate information vulnerabilities.

The codification will stay connected GitHub for archival purposes, arsenic good arsenic supporting package specified arsenic nan Helm operator.

Those who proceed to run nan controller aft March do truthful astatine their ain risk.

Wondering if your cluster runs Ingress Nginx? At a bid statement pinch cluster management rights, type this:

Networking for Kubernetes

Networking support came precocious for Kubernetes. The CNCF had worked connected nan Gateway API for 4 years, releasing type 1 past year. The Gateway routes postulation connected and disconnected nan cluster, some Layer 4 (the TCP/IP layer) and Layer 7 postulation (for exertion traffic).

The Ingress itself is simply a group of API rules to nonstop outer web postulation accessing a cluster. The Ingress Nginx controller was calved arsenic a Kubernetes project. It utilized nan unfastened root Nginx reverse proxy, now managed by web institution F5 Inc., arsenic nan base. The Ingress Nginx controller went connected to beryllium 1 of a number of controllers that popped up to instrumentality nan Ingress API.

The Kubernetes networking and information groups successful complaint of nan task recovered it a situation to maintain, however. Finding folks to thief support nan codification guidelines was a challenge, particularly aft nan Gateway API task sewage underway. Plus, nan expertise to adhd arbitrary NGINX configuration directives, known arsenic snippets, became a information issue.

Built connected a group of Kubernetes Custom Resource Definitions (CRDs), nan Gateway API was introduced successful 2023, and it has since go CNCF’s preferred and future-proof measurement of doing ingress (inbound) and egress (outbound traffic) for Kubernetes.

“You person overmuch much specification and power pinch Gateway API spec. That’s why group would astir apt migrate to it. And Kubernetes moves very, very quickly, and this seems to beryllium nan specification that’s gaining nan astir traction,” Mancina further explained.

Companies Respond

Reverse proxy package supplier HAProxy Technologies LLC is 1 institution responding to nan Gateway API initiative. It has agelong offered HAProxy Ingress and has expanded its support for Gateway API pinch nan newly-launched HAProxy Unified Gateway — a free, unfastened root merchandise providing Kubernetes-native exertion routing for some Gateway API and Ingress.

“What we’ve seen is that we person customers who person their workflow which is already established pinch Ingress rules, and they don’t want to alteration it,” HAProxy head of merchandise Baptiste Assmann, successful an question and reply pinch TNS.

The Unified Gateway is designed to supply a measurement to easy modulation into nan Gateway API arsenic clip permits. Or tally some side-by-side.

“Instead of having 1 merchandise for Ingress rules and 1 merchandise for Gateway APIs and having group take 1 aliases nan other, nan strategy is to person nan caller merchandise besides support Ingress rules, truthful group tin commencement utilizing Ingress rules and past move to ghetto API erstwhile they are ready,” Assmann said.

Switching from 1 to different whitethorn return immoderate work, he advised, because of their different architectures.

While Ingress runs connected a cardinal controller model, nan Gateway API runs connected nan Kubernetes usability model. “It’s a wholly different measurement to configure things,” he added.

The Gateway API has superior separation of concerns, further explained Mancina. For instance, it distinguishes betwixt objects that tin beryllium controlled by nan level team, those that are controlled by nan operations team, and those by nan applications team.

HA Proxy is besides working, bringing complete a prime number of Nginx annotations complete to nan unified gateway.

Other platforms offering Gateway API support see nan Nginx Gateway Fabric (read TNS study Janakiram MSV’s heavy dive here) arsenic good arsenic Envoy, Istio, Cilium, and CNCF’s ain KGateway.

Group Created pinch Sketch.