The title of the recent Kubernetes blog post "Ingress NGINX: Statement from the Kubernetes Steering and Security Response Committees" might raise alarm bells. After all, Ingress NGINX has had a rough year. In March 2025, the "IngressNightmare" vulnerability (CVE-2025-1974) was disclosed—a CVSS 9.8 critical flaw enabling unauthenticated remote code execution and complete Kubernetes cluster takeover. Then in November, the Kubernetes SIG Network and Security Response Committee announced Ingress NGINX's upcoming retirement, giving affected organizations four months to migrate away from the technology.
So what's the news this time? Well, the post doesn't really contain news per se. It's more of a wake-up call: Start migrating your Ingress controller now. After March 2026, there will be no further Ingress NGINX releases, no bug fixes, and no updates to resolve any security vulnerabilities. And to be clear, this is not a small thing. As the Kubernetes statement warns, "None of the available alternatives are direct drop-in replacements. This will require planning and engineering time." If you're not starting now, you're going to be behind. The next time an Ingress NGINX vulnerability is discovered, there won't be an official patch and you'll be forced to migrate under pressure—not on your own terms.
The Kubernetes statement estimates that about 50% of cloud native environments rely on Ingress NGINX, a figure drawn from Datadog's telemetry data. That's a significant share—half—and for those affected, it's important to take action immediately.
Are you affected?
How do you know whether you're running Ingress NGINX? To find out, run the following command (requires GET permissions for all pods in the cluster):
kubectl get pods --all-namespaces --selector app.kubernetes.io/name=ingress-nginxDatadog customers can also check by using the Containers Explorer and filtering by image_name:registry.k8s.io/ingress-nginx/controller.
Even if you don't think you're affected, check anyway. As the Kubernetes statement warns, "Existing deployments will continue to work, so unless you proactively check, you may not know you are affected until you are compromised."
If you are affected, consider migrating to a controller that is Gateway API conformant. Gateway API is an official Kubernetes specification focused on L4 and L7 routing in Kubernetes. Gateway API defines purpose-built Custom Resources (CRDs) for gateways and routes, making routing capabilities first-class citizens of your clusters. This is more secure than relying on annotations stretched beyond their original design. Then choose from one of many Gateway API conformant controllers.
A clear warning—and new high-severity CVEs to prove it
The Kubernetes statement ends with this warning: "We issue this statement together to reinforce the scale of this change and the potential for serious risk to a significant percentage of Kubernetes users if this issue is ignored. It is imperative that you check your clusters now. If you are reliant on Ingress NGINX, you must begin planning for migration."
If you need any convincing to take this warning seriously, four new HIGH severity vulnerabilities (CVE-2026-1580, CVE-2026-24512, CVE-2026-24513, CVE-2026-24514) were just disclosed on February 2, 2026. While these aren't as critical as IngressNightmare, they underscore the ongoing risk of running unmaintained software.
While you're shoring up your security practices, check out Datadog's State of Cloud Security report for more ways to reduce risk.
