This Member Weblog was initially printed on the Isovalent weblog and is republished right here with permission.
For those who’re working Kubernetes, there’s a great probability you depend on ingress-nginx to route exterior visitors to your workloads. For years, ingress-nginx has been the go-to open supply ingress controller, valued for its reliability and broad neighborhood assist. Knowledge collected from a current State of Kubernetes Networking Report exhibits that fifty% of respondents use Ingress-nginx at the moment. However that’s about to alter.
Archival of Ingress-nginx: What Does This Imply for You?
The maintainers of ingress-nginx have introduced that the undertaking is being archived at the beginning of 2026. This implies it’ll not obtain energetic upkeep, safety patches, or bug fixes. The information, unveiled throughout KubeCon, marks a big turning level for hundreds of Kubernetes customers and organizations which have constructed their ingress technique round it.
What Are Your Choices?
With ingress-nginx coming into retirement, platform groups face a alternative: preserve a important control-plane part with out upstream upkeep, or transfer to an actively supported various.
The Kubernetes neighborhood has aligned on the Gateway API because the long-term normal for visitors administration. That path shapes your two major migration paths:
- Transfer to a different ingress controller (similar to Cilium Ingress, Traefik, or HAProxy Ingress).
- Undertake the Kubernetes Gateway API, the next-generation normal for ingress and visitors administration, utilizing a controller like Cilium Gateway API.
Cilium provides each. You can begin with Cilium Ingress for a drop-in substitute and later transition to the Gateway API with out switching distributors, controllers, or datapaths.
Choice 1 – Quickest: Shifting to Cilium Ingress
Cilium Ingress is a drop-in ingress controller that helps normal Kubernetes Ingress sources. It runs on Cilium’s eBPF-powered datapath, which offers glorious efficiency, deep visibility, and seamless integration with Cilium Community Insurance policies.
Why Groups Select This Path
- Minimal adjustments to utility manifests and CI/CD pipelines.
- Continuity in utilizing an actively maintained product and a clear path away from NGINX-specific annotations.
- Constructed-in observability and stronger safety by means of Cilium’s tooling.
What to Watch Out For
- NGINX-only annotations and customized directives is not going to translate immediately.
- For those who depend on complicated rewrites or superior NGINX behaviours, plan a validation part to map these options to Cilium equivalents, or contemplate the Gateway API for richer routing capabilities.
The way to Migrate from ingress-nginx to Cilium Ingress:
1. Stock present Ingress utilization: Document hosts, paths, TLS settings, annotations, rewrite guidelines, and fee limits.
2. Set up or confirm Cilium: Observe the Cilium Getting Began information
3. Allow Cilium Ingress: See Cilium Ingress documentation.
4. Replace manifests to focus on Cilium’s ingress class: Swap ingressClassName to cilium and take away NGINX-specific annotations the place applicable.
apiVersion: networking.k8s.io/v1
type: Ingress
metadata:
identify: my-app
namespace: apps
spec:
ingressClassName: cilium
guidelines:
- host: my-app.instance.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
identify: my-app-svc
port:
quantity: 805. Validate and reduce over: Check TLS, path routing, and community insurance policies in staging earlier than switching manufacturing visitors.
Choice 2 – Advisable: Upgrading to Cilium’s Gateway API Implementation
Whereas switching to Cilium Ingress is the quickest option to transfer off ingress-nginx, the Kubernetes ecosystem is shifting in the direction of the Gateway API.
A subproject of SIG-Community, Gateway API is the successor to Ingress, overlaying not simply north-south visitors but additionally east-west and service-mesh entry factors by means of a constant, extensible mannequin.
Cilium’s implementation helps all Core Gateway API sources and options, along with most Prolonged (or elective) options, and enhances them with eBPF-powered efficiency, observability, and coverage integration.
Why Select Cilium’s Gateway API Implementation?
Cilium’s Gateway API implementation isn’t only a substitute; it’s an improve that brings a number of advantages, from enhanced visitors management to streamlined operations.
- Superior visitors administration: Native assist for header-based routing, visitors splitting, and cross-namespace routes.
- Unified visitors administration (GAMMA): Leverage a single, constant API (Gateway API) to handle each exterior (north-south) ingress visitors and inside (east-west) service mesh visitors, simplifying operations and coverage enforcement.
- Position separation: Decouple infrastructure from utility routing for higher safety and multi-tenancy.
- Wealthy coverage integration: Mix L7 routing with Cilium Community Insurance policies and Hubble observability.
- Future alignment: Gateway API is the endorsed normal by Kubernetes SIG-Community and main cloud suppliers.
What Are the Key Options Over Ingress?
Whereas Ingress has served us properly, its design inherently limits superior visitors administration. The Gateway API, particularly with Cilium’s implementation, unlocks a brand new degree of management and suppleness. This desk highlights some key areas the place Gateway API goes past what conventional Ingress can supply, offering extra strong and granular management over your visitors flows.
| Function | Ingress-nginx | Cilium Ingress | Cilium Gateway API |
| Primary HTTP routing | ✔️ | ✔️ | ✔️ |
| Path-based routing | ✔️ | ✔️ | ✔️ |
| Header-based routing | ❌ | ❌ | ✔️ |
| Site visitors splitting | ❌ | ❌ | ✔️ |
| Cross-namespace assist | ❌ | ❌ | ✔️ |
| East-West Site visitors Administration (GAMMA) | ❌ | ❌ | ✔️ |
| Position/useful resource separation | ❌ | ❌ | ✔️ |
| Enhanced observability | ❌ | ✔️ | ✔️ |
| Superior safety insurance policies | ❌ | ✔️ | ✔️ |
Migrating to Cilium’s Gateway API Implementation:
- Guarantee Cilium is put in and configured for Gateway API: Cilium Gateway API Docs
- Set up Gateway API CRDs: In case your Kubernetes distribution doesn’t ship with Gateway API, set up CRDs as per the Gateway API Set up Information.
- Outline GatewayClass and Gateway sources: It is a easy instance, however you will discover extra detailed examples on this tutorial weblog put up for Gateway API:
apiVersion: gateway.networking.k8s.io/v1beta1
type: GatewayClass
metadata:
identify: cilium
spec:
controllerName: io.cilium/gateway-controller
---
apiVersion: gateway.networking.k8s.io/v1beta1
type: Gateway
metadata:
identify: my-gateway
namespace: default
spec:
gatewayClassName: cilium
listeners:
- identify: http
protocol: HTTP
port: 804. Translate Ingress guidelines into HTTPRoute objects: The brand new mannequin supplied by Gateway API permits Software groups to outline routes and backends, optionally with cross-namespace references. Eradicating this process from the accountability of the platform proprietor.
apiVersion: gateway.networking.k8s.io/v1beta1
type: HTTPRoute
metadata:
identify: my-app
namespace: apps
spec:
parentRefs:
- identify: shared-gw
namespace: infra
guidelines:
- matches:
- path:
sort: PathPrefix
worth: /
headers:
- identify: X-Canary
worth: "true"
backendRefs:
- identify: my-app-svc
port: 805. Check superior options: Strive options similar to header-based routing, visitors splitting, and cross-namespace situations as wanted in staging/improvement, and promote into manufacturing as wanted. These are capabilities not beforehand out there with Kubernetes Ingress.
Use the Ingress-to-Gateway Migration Device
For groups with many Ingress sources, guide translation will be tedious.
In an effort to maintain migration easy, here’s a information, The way to Migrate from Kubernetes Ingress to Gateway API, that introduces a migration utility to automate a lot of the conversion course of.
For giant estates, manually translating each Ingress is sluggish and error-prone. The Kubernetes SIG Community utility ingress2gateway converts present Ingress sources into Gateway API sources, both by studying out of your present kubeconfig or from enter information. This offers you a strong place to begin you can assessment and apply with Cilium Gateway API enabled.
Beneath is an instance of working the software, specifying Cilium because the vacation spot output.
ingress2gateway print
--providers=cilium
Notifications from CILIUM:
+--------------+----------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------+
| MESSAGE TYPE | NOTIFICATION | CALLING OBJECT |
+--------------+----------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------+
| INFO | parsed "ingress.cilium.io/force-https" annotation of ingress and patched httproute.spec.guidelines[].filters fields | HTTPRoute: default/basic-ingress-https-httpbin-cilium-com |
+--------------+----------------------------------------------------------------------------------------------------------------+-----------------------------------------------------------+
apiVersion: gateway.networking.k8s.io/v1
type: Gateway
metadata:
annotations:
gateway.networking.k8s.io/generator: ingress2gateway-0.4.0
creationTimestamp: null
identify: cilium
namespace: default
spec:
gatewayClassName: cilium
listeners:
- hostname: httpbin.cilium.com
identify: httpbin-cilium-com-http
port: 80
protocol: HTTP
- hostname: httpbin.cilium.com
identify: httpbin-cilium-com-https
port: 443
protocol: HTTPS
tls:
certificateRefs:
- group: null
type: null
identify: demo-cert
standing: {}
---
apiVersion: gateway.networking.k8s.io/v1
type: HTTPRoute
metadata:
annotations:
gateway.networking.k8s.io/generator: ingress2gateway-0.4.0
creationTimestamp: null
identify: basic-ingress-https-httpbin-cilium-com
namespace: default
spec:
hostnames:
- httpbin.cilium.com
parentRefs:
- identify: cilium
guidelines:
- filters:
- requestRedirect:
scheme: https
statusCode: 301
sort: RequestRedirect
matches:
- path:
sort: PathPrefix
worth: /
standing:
dad and mom: []The software can even run in opposition to a cluster and print equal Gateways and HTTPRoutes, which you’ll be able to pipe to information for model management.
There are alternatives to check the software with a hands-on Cilium Ingress Controller lab, the place you’ll learn the way you should utilize Cilium to deploy Ingress sources and migrate to Gateway API.
Which Path Ought to You Take First?
Most groups begin with Cilium Ingress to take away the upkeep threat instantly, then transfer to the Gateway API as their routing and organizational wants evolve.
In case your platform already separates infrastructure and utility groups, Gateway API will really feel pure from the beginning. In case your atmosphere is smaller or much less complicated, Cilium Ingress provides the quickest path to exchange ingress-nginx with minimal change.
A sensible migration plan:
- Doc present behaviour: Seize hosts, paths, TLS, well being checks, and any NGINX annotations.
- Choose a goal: Select Cilium Ingress for fast substitute, or Gateway API for long-term flexibility.
- Deploy and take a look at: Set up Cilium, configure DNS and certificates, and allow Hubble for visibility.
- Run side-by-side: Mirror visitors and validate behaviour earlier than chopping over.
- Swap manufacturing: Redirect DNS or load balancer targets, monitor carefully, and preserve a rollback plan.
- Iterate: As soon as secure, determine companies that may profit from Gateway API options and migrate them subsequent.
Why Cilium Is a Smart Default: Making ready for the Future
The deprecation of ingress-nginx is a pivotal second for Kubernetes networking. Slightly than patching collectively level options, that is your alternative to undertake a unified, eBPF-powered platform constructed for efficiency, visibility, and safety.
Cilium provides you:
- A drop-in Ingress substitute: Minimal migration ache, most reliability.
- A best-in-class Gateway API implementation: Unlock highly effective new options and future-proof your stack.
- Unified observability and safety: Deep insights and fine-grained controls out of the field.
- Lively assist and fast innovation: Cilium is trusted by main cloud suppliers and neighborhood leaders.
