On March 24, 2026, Kubernetes SIG Network retired ingress-nginx: repositories frozen, no further releases, no security patches, ever. (Ingress NGINX: Statement from the Kubernetes Steering and Security Response Committees) The final patches for CVE-2026-4342 — v1.13.9, v1.14.5, and v1.15.1 — shipped March 19, the same day the CVE was disclosed and five days before retirement. (ingress-nginx GitHub releases) As of April 22, 2026 — the day Kubernetes 1.36 shipped — any cluster still running ingress-nginx is one zero-day away from an unpatched CVSS 8.8 remote code execution vector. (Kubernetes 1.36: The Release That Said Goodbye to Ingress NGINX) The question is no longer whether to migrate. It’s which migration is survivable on your timeline.
What “Retired” Actually Means
“Deprecated” implies a successor and a grace period. “Retired” means the project is over. As of March 24, 2026, the ingress-nginx GitHub repositories are read-only. (Ingress NGINX: Statement from the Kubernetes Steering and Security Response Committees) There will be no new releases or CVE patches. If a critical vulnerability is discovered — and one effectively was — the project will not respond.
The project reached this state after years of structural fragility. Despite routing what the Kubernetes Steering and Security Response Committees described as “billions of requests,” ingress-nginx was maintained by only 1–2 people in their spare time. (Ingress NGINX Retirement: What You Need to Know) Repeated calls for additional maintainers went unanswered. The maintainers retired the project rather than abandon it.
On April 22, 2026, Kubernetes 1.36 shipped — the first release since retirement, leaving ingress-nginx behind the supported curve with no path forward. (Kubernetes 1.36: The Release That Said Goodbye to Ingress NGINX)
The CVE Clock Is Already Running
Three CVSS 8.8-rated vulnerabilities surfaced in the months before retirement. All three involve configuration injection that can result in RCE and Kubernetes Secret disclosure.
CVE-2026-24512 — Fixed in February 2026, this vulnerability exploited the rules.http.paths.path field to inject arbitrary nginx configuration. (Detecting CVE-2026-3288 & CVE-2026-24512: Ingress-nginx configuration injection vulnerabilities for Kubernetes)
CVE-2026-3288 — Fixed March 9, 2026, fifteen days before retirement, in v1.13.8, v1.14.4, and v1.15.0. The root cause was an incomplete fix for CVE-2026-24512: sanitizeQuotedRegex() was applied to buildLocation() but not buildProxyPass(), leaving rewrite-target exploitable. (Detecting CVE-2026-3288 & CVE-2026-24512: Ingress-nginx configuration injection vulnerabilities for Kubernetes)
CVE-2026-4342 — Disclosed March 19, 2026, five days before retirement. It uses comment-based nginx configuration injection to achieve the same RCE and Secret disclosure primitives. (CVE-2026-4342: ingress-nginx comment-based nginx configuration injection (GitHub issue #137893)) The patched versions — v1.13.9, v1.14.5, and v1.15.1 — were released the same day. (ingress-nginx GitHub releases) These are the last patches that will ever ship for ingress-nginx.
The pattern: each fix in the CVE-2026-24512 / CVE-2026-3288 lineage was incomplete, and the third vulnerability arrived five days before the project froze. (ingress-nginx GitHub releases) There is no basis for assuming the annotation injection surface is exhausted.
Who Is Exposed
According to Datadog research cited in the Kubernetes Steering and Security Response Committees’ January 2026 joint statement, approximately 50% of cloud-native environments run ingress-nginx. (Ingress NGINX: Statement from the Kubernetes Steering and Security Response Committees) That figure warrants caution: cloud-managed Kubernetes services often abstract the underlying ingress implementation, and the version distribution within that 50% is unknown. Even a substantially smaller fraction of the Kubernetes installed base represents a large unpatched attack surface.
To check whether your clusters are affected:

```bash
kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx -o wide
```

For version confirmation:

```bash
kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx \
  -o jsonpath='{range .items[*]}{.spec.containers[*].image}{"\n"}{end}'
```

Any version below v1.13.8 / v1.14.4 / v1.15.0 is vulnerable to CVE-2026-3288 and CVE-2026-24512. Versions below v1.13.9 / v1.14.5 / v1.15.1 are vulnerable to CVE-2026-4342. Every version remains exposed to any future CVE — because no additional patches will ever ship.
Migration Path 1: Gateway API
The officially endorsed migration path leads to Gateway API, and it is not a lift-and-shift operation.
Gateway API replaces Ingress’s single-resource model with a hierarchy: GatewayClass (infrastructure provider), Gateway (listener configuration), and HTTPRoute (routing rules). Cross-namespace references require a ReferenceGrant. (Migrating from Ingress NGINX — Kubernetes Gateway API official docs) Teams accustomed to writing a single Ingress manifest must restructure routing expression entirely.
The official migration tool — ingress2gateway 1.0, released March 20, 2026, four days before retirement — translates more than 30 ingress-nginx annotations into Gateway API equivalents. (Announcing Ingress2Gateway 1.0: Your Path to Gateway API) The project itself describes the process as “not a one-click affair.” (Announcing Ingress2Gateway 1.0: Your Path to Gateway API) Critically, ingress2gateway 1.0 only generates output for three implementations: agentgateway, envoy-gateway, and kgateway. If your organization has standardized on a different implementation, the tooling does not apply.
The more fundamental constraint: custom Lua scripts and nginx.ingress.kubernetes.io/configuration-snippet annotations have no automated migration path and require manual rewriting into whatever equivalent your target implementation offers — if one exists. (Migrating from Ingress NGINX — Kubernetes Gateway API official docs)
AWS guidance adds friction for AWS-hosted clusters: migrating to the AWS Load Balancer Controller moves certificate management out of Kubernetes Secrets and into ACM, NGINX regex escaping differs from ALB behavior, and Lua scripting has no direct equivalent. (Navigating the NGINX Ingress retirement: A practical guide to migration on AWS)
Migration Path 2: Drop-In Ingress Controller Replacement
The second path replaces ingress-nginx with a controller that still speaks the networking.k8s.io/v1 Ingress API, deferring or skipping the Gateway API shift entirely. The most commonly cited alternatives include Traefik v3, F5’s NGINX Ingress Controller (the commercial product, distinct from the retired community project), and HAProxy Ingress.
All three preserve Ingress API compatibility, letting existing manifests continue functioning without structural rewriting. The critical caveat: “Ingress-compatible” refers to the API object model, not ingress-nginx’s annotation vocabulary. Annotation compatibility varies significantly and requires per-annotation verification against each target’s documentation.
| | Gateway API migration | Drop-in Ingress controller |
|---|---|---|
| API compatibility | Requires full manifest restructure | Preserves existing Ingress manifests |
| Annotation handling | ingress2gateway translates 30+ annotations; 3 target implementations only | Varies by controller; vendor claims require independent verification |
| Custom Lua / config snippets | No automated migration path | No automated migration path |
| Long-term trajectory | Kubernetes-endorsed direction | Depends on vendor roadmap |
| Complexity ceiling | High for annotation-heavy clusters | Medium; annotation inventory determines actual effort |
How to Triage
Before committing to a migration path, audit what your clusters actually use. Risk clusters around three categories:
1. Annotations — Inventory every annotation in use across namespaces (the `// {}` guard keeps jq from failing on Ingress objects that carry no annotations at all):

```bash
kubectl get ingress -A -o json \
  | jq '[.items[] | (.metadata.annotations // {}) | keys] | flatten | unique | sort'
```

Annotations with native equivalents in your target controller are lower-risk. Those without equivalents are migration blockers requiring manual rewrites or architectural decisions.
2. Lua scripts and configuration snippets — The nginx.ingress.kubernetes.io/configuration-snippet and nginx.ingress.kubernetes.io/server-snippet annotations represent arbitrary nginx configuration. These require manual translation on any migration path.
3. Compliance deadlines — If your organization’s security policy requires patching CVSS 8.8+ vulnerabilities within a defined SLA, that clock started March 19, 2026, when CVE-2026-4342 was disclosed. The patch exists, but it is the last one. Any future CVE in ingress-nginx will arrive with no fix path. The SLA countdown now applies to an unfixable vulnerability class.
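The version thresholds and annotation triage above, as an added Python example that is not part of the original article: it parses the JSON that the `kubectl get pods ... -o json` and `kubectl get ingress -A -o json` commands would return, flags which of the three CVEs each controller image is still exposed to, and separates snippet annotations (no automated migration path) from the rest. The pod names, the `registry.k8s.io/ingress-nginx/controller` image reference and both JSON documents are constructed sample data.

```python
import json, re

# Last patched release per line, from the article; lines not listed never received these fixes.
FIXED_4342 = {13: 9, 14: 5, 15: 1}   # CVE-2026-4342
FIXED_3288 = {13: 8, 14: 4, 15: 0}   # CVE-2026-3288 and CVE-2026-24512

# Annotations carrying raw nginx config: no automated migration path on either route.
BLOCKERS = {"nginx.ingress.kubernetes.io/configuration-snippet",
            "nginx.ingress.kubernetes.io/server-snippet"}

def parse_tag(image):
    """Return (minor, patch) from a controller image tag such as ':v1.14.3', else None."""
    m = re.search(r":v1\.(\d+)\.(\d+)", image)
    return (int(m.group(1)), int(m.group(2))) if m else None

def exposed_cves(image):
    """List which of the article's CVEs this controller image is still exposed to."""
    ver = parse_tag(image)
    if ver is None:
        return ["unknown-version"]          # unparseable tag: needs manual review
    minor, patch = ver
    cves = []
    if patch < FIXED_3288.get(minor, float("inf")):
        cves += ["CVE-2026-24512", "CVE-2026-3288"]
    if patch < FIXED_4342.get(minor, float("inf")):
        cves.append("CVE-2026-4342")
    return cves

def triage_pods(pods_json):
    """Map each pod name to the CVEs its container images are exposed to."""
    return {p["metadata"]["name"]: exposed_cves(c["image"])
            for p in json.loads(pods_json)["items"] for c in p["spec"]["containers"]}

def annotation_inventory(ingress_json):
    """Return (all annotation keys in use, the subset that blocks automated migration)."""
    keys = {k for i in json.loads(ingress_json)["items"]
            for k in (i["metadata"].get("annotations") or {})}
    return sorted(keys), sorted(keys & BLOCKERS)

# Constructed sample of `kubectl get pods -A -l app.kubernetes.io/name=ingress-nginx -o json`.
PODS = json.dumps({"items": [
    {"metadata": {"name": "ctl-a"}, "spec": {"containers": [
        {"image": "registry.k8s.io/ingress-nginx/controller:v1.14.3"}]}},
    {"metadata": {"name": "ctl-b"}, "spec": {"containers": [
        {"image": "registry.k8s.io/ingress-nginx/controller:v1.15.1"}]}}]})
# Constructed sample of `kubectl get ingress -A -o json`, including an Ingress with no annotations.
INGRESSES = json.dumps({"items": [
    {"metadata": {"annotations": {"nginx.ingress.kubernetes.io/rewrite-target": "/",
        "nginx.ingress.kubernetes.io/configuration-snippet": "more_set_headers 'X-Demo: 1';"}}},
    {"metadata": {"annotations": None}}]})
```

Pipe real `kubectl ... -o json` output into `triage_pods` and `annotation_inventory` to get the same two answers for your own clusters: what to patch this week and which annotations will need manual rewriting.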
What Platform Teams Should Do This Week
The retirement means no future CVE will ever receive a patch, removing the option of waiting for upstream. A triage-first sequence:
- Confirm which controller you’re running. Verify it is the community kubernetes/ingress-nginx project, not a vendor variant, before assuming the retirement applies.
- Identify your version. Anything below v1.13.8 / v1.14.4 / v1.15.0 is additionally exposed to CVE-2026-3288 and CVE-2026-24512. Versions below v1.13.9 / v1.14.5 / v1.15.1 are exposed to CVE-2026-4342.
- Apply the available patch. Upgrade to v1.13.9, v1.14.5, or v1.15.1 immediately if you are on an affected version. This closes the known RCE vector, but it is the last patch the project will ever ship. Use it as a short-term bridge while you plan migration.
- Run the annotation inventory. A cluster with minimal annotations and no Lua scripting is a candidate for drop-in replacement on a weeks-long timeline. A cluster with heavy annotation customization or configuration snippets faces a multi-quarter Gateway API migration regardless of tooling.
- Check your managed provider’s position. If you’re on a managed Kubernetes service, check whether your provider has published a response to the retirement and their migration timeline before building a custom plan.
- Do not wait for a future patched ingress-nginx. One is not coming. The repositories are frozen.
Frequently Asked Questions
Is the F5 NGINX Ingress Controller affected by the ingress-nginx retirement?
No. “ingress-nginx” refers specifically to the Kubernetes SIG Network community project, now retired. The NGINX Ingress Controller maintained by F5/NGINX Inc. is a separate product with its own release cycle, support contracts, and annotation syntax. If your cluster runs nginx/nginx-ingress rather than kubernetes/ingress-nginx, the March 24, 2026 retirement does not directly apply. That said, the annotation syntax differences between the two projects mean F5’s product is not a zero-friction migration target — annotation translation still requires review.
What if my managed Kubernetes service bundles ingress-nginx under the hood?
Managed services that bundle ingress-nginx are in the same structural position as self-managed clusters: the upstream project has shipped its final patch and will not patch any future vulnerability. Some providers may maintain internal forks or have announced migration timelines for their managed ingress offerings. If your provider has not published a specific response to the retirement, treat your exposure identically to a self-managed cluster and factor the provider’s migration readiness into your own planning timeline.
Should I patch CVE-2026-4342 before migrating?
Yes. Upgrade to v1.13.9, v1.14.5, or v1.15.1 immediately if you are on an affected version. These patches close the known RCE vector, but they are the final patches the retired project will ever ship. Treat them as a short-term mitigation while you execute your migration to a supported controller.