Kubernetes SIG Network announced the retirement of Ingress NGINX controller. The project has 1-2 maintainers working in their spare time. That's not enough for production-grade security response. Best-effort support continues until March 2026. After that: no releases, no bug fixes, no security patches.
You have about 4 months to migrate. Two paths: Gateway API (the modern replacement) or switch to another Ingress controller. We use HAProxy Ingress in our infrastructure. This guide covers your options.
Retirement Timeline
Here are the key dates you need to know:
November 2025
Kubernetes SIG Network announces retirement. The project has been maintained by 1–2 contributors in their spare time, which is insufficient for security response requirements. An attempt to find additional maintainers and develop a replacement (InGate) was unsuccessful.
March 2026 — End of Life
Best-effort maintenance ends. No further releases, bug fixes, or security patches. Existing installations will continue to function, but running unsupported software in production creates significant security and compliance risks.
Now — March 2026
About 4 months to plan and test. Multiple paths: Gateway API or alternative Ingress controllers.
Your Migration Options
Two paths: Gateway API (the modern replacement) or switch to another Ingress controller. Many teams do both—switch controllers now, migrate to Gateway API later.
Option 1: Gateway API (Recommended for New Projects)
Gateway API is the official successor to Ingress. Version 1.4 is GA and production-ready.
Why Gateway API?
- Official successor with active community support
- Advanced routing: weighted traffic splitting, header-based matching, traffic mirroring
- Role-oriented: infrastructure teams manage Gateways, dev teams manage Routes
- Cloud providers adopting it (DigitalOcean ships it pre-installed, Google pushing it on GKE)
- Supports HTTP, gRPC, TCP, UDP—not just HTTP like Ingress
Starting a new project?
Use Gateway API. No reason to adopt Ingress in 2025.
Option 2: Switch to Another Ingress Controller
Not ready for Gateway API? Several actively-maintained controllers can replace NGINX. Many support both Ingress and Gateway API, so you can migrate later.
HAProxy Ingress — What we use. Zero-downtime config reloads, native HTTP/3. Works with both Ingress and Gateway API. Good for high-traffic production where stability matters.
Traefik — Has nginx annotation compatibility plugin. Switch to Traefik, buy time for Gateway API migration. Good for smaller deployments or if you want a nice dashboard.
Kong — Full API gateway. More features but heavier and more complex to operate. Supports Gateway API. Good if you need API management, rate limiting, auth built-in.
Istio/Envoy — Service mesh with Ingress capability. Powerful but adds significant complexity. Consider for large microservices deployments needing mesh features like mTLS.
Controller Comparison
Performance numbers from HAProxy's benchmark tests (note: conducted by HAProxy Technologies, not independent):
| Feature | HAProxy Ingress | Nginx Ingress (EOL) | Traefik | Kong |
|---|---|---|---|---|
| Status | Active Development | Retiring March 2026 | Active | Active |
| Performance (req/sec) | 42,000 | 11,700 | 28,000 | 18,000 |
| Configuration Reloads | Zero-downtime | Brief outage | Zero-downtime | Zero-downtime |
| HTTP/3 Support | Native | Commercial only | Beta | Enterprise only |
| TLS Performance | Multithreaded | Single-threaded | Multithreaded | Single-threaded |
| Memory Footprint | Low (50-100MB) | Medium (100-200MB) | High (200-400MB) | Very High (500MB+) |
| Learning Curve | Low (similar to nginx) | N/A | Medium | High |
| Production Maturity | 20+ years | 10+ years | 8+ years | 10+ years |
Migration Guide
Basic migration is straightforward. Install the new controller, update ingressClassName in your Ingress resources.
# Install HAProxy Ingress
helm repo add haproxytech https://haproxytech.github.io/helm-charts
helm install haproxy-ingress haproxytech/kubernetes-ingress \
--set controller.ingressClass=haproxy
# Patch Ingress resources
kubectl patch ingress my-app -p \
'{"spec":{"ingressClassName":"haproxy"}}'Annotation compatibility: Standard Ingress spec fields (paths, hosts, TLS) work without changes. Controller-specific annotations (rate limiting, rewrites, auth) need translation. See HAProxy Ingress documentation for mapping.
Need help with complex migrations?
Zero-downtime migrations, large clusters, custom configurations—we can help. Get in touch to discuss your setup.
Frequently Asked Questions
Can I keep using nginx Ingress after March 2026?
Technically yes. But no security patches, no bug fixes, no compatibility updates for new Kubernetes versions. Running unsupported software in production is a security and compliance risk.
How long does migration take?
Basic migration: 3–5 hours including testing. Planning 1–2 hours, deployment 30 minutes, rollout 1–2 hours, validation 30 minutes. Complex setups take longer.
Will my existing Ingress manifests work with HAProxy?
Mostly yes. Standard Ingress rules (host, path, backend) and TLS work without changes. Custom nginx annotations need HAProxy equivalents. Main change: update ingressClassName from "nginx" to "haproxy".
Is HAProxy Ingress FIPS 140-2 compliant?
Yes. HAProxy supports FIPS 140-2 validated cryptographic modules. That's one reason we use it in our RKE2 clusters.
Gateway API or another Ingress controller?
New projects: Gateway API. Existing deployments: switching Ingress controllers is often faster and lower risk. Many controllers support both, so you can migrate to Gateway API later.
Running Kubernetes in Production?
We run managed Kubernetes in our own European datacenters. HAProxy Ingress pre-configured on all clusters. RKE2 (FIPS 140-2 compliant). AS215197 infrastructure. Direct access to senior engineers (8x5).