Tools

Tools: Ingress-NGINX Is Officially Retired — Complete Gateway API Migration Guide With ingress2gateway 1.0

2026-03-31 0 views admin
Tools: Ingress-NGINX Is Officially Retired — Complete Gateway API Migration Guide With ingress2gateway 1.0

Ingress-NGINX Is Officially Retired — A Complete Gateway API Migration Guide (With ingress2gateway 1.0)

1. Ingress-NGINX Retirement — What Happened

The Security Background

What Changes After Retirement

2. Gateway API — The True Successor to Ingress

Ingress vs Gateway API — Key Differences

Gateway API v1.4 Key Features

3. ingress2gateway 1.0 — The Automated Migration Tool

Supported Annotation Categories

Installation and Basic Usage

Emitter Architecture

4. Production Migration Guide — Zero-Downtime Strategy

Step 1: Install Gateway API CRDs

Step 2: Analyze and Convert Existing Ingress

Step 3: Deploy Gateway API Controller

Step 4: Parallel Deploy and Traffic Shift

5. Troubleshooting — Common Migration Issues

Issue 1: CRD Version and Controller Compatibility Conflicts

Issue 2: Unsupported Annotation Conversion

Issue 3: Cross-Namespace Reference Permission Missing

6. Choosing a Gateway API Implementation

7. Conclusion — Act Now On March 24, 2026, kubernetes/ingress-nginx — the most widely used Ingress controller in the Kubernetes ecosystem — officially reached End-of-Life (EOL). The repository is now read-only. There will be no new features, no bug fixes, and critically, no more CVE patches. For any team running production workloads behind ingress-nginx, this demands immediate action. Fortunately, Kubernetes SIG-Network has been maturing the Gateway API as the next-generation networking standard, and on March 20, 2026, they released ingress2gateway 1.0 — a stable migration tool supporting 30+ annotations. This guide covers the security implications, Gateway API fundamentals, and a step-by-step zero-downtime migration strategy. In November 2025, the Kubernetes project announced the retirement plan for ingress-nginx. On January 29, 2026, the Kubernetes Steering Committee and Security Response Committee issued a joint statement emphasizing security concerns. On March 24, 2026, the repository was archived to read-only. Repeated security vulnerabilities drove the retirement decision. CVE-2025-1974 (IngressNightmare) in March 2025 was a critical unauthenticated RCE via exposed admission webhooks. Then on February 2, 2026, four HIGH-severity CVEs (CVE-2026-1580, CVE-2026-24512, CVE-2026-24513, CVE-2026-24514) were disclosed simultaneously. Compliance Impact: EOL software in the L7 data path triggers automatic findings in SOC 2, PCI-DSS, ISO 27001, and HIPAA audits. Some organizations are already seeing production deployments blocked. The Kubernetes Ingress API itself is not removed. The Ingress resource spec remains part of the Kubernetes core. If you're using third-party Ingress controllers (Traefik, HAProxy, Kong), there's no immediate impact. The retirement only affects the kubernetes/ingress-nginx controller project. However, if you're running ingress-nginx, the situation is different. With the repository archived, no patches will be released for newly discovered vulnerabilities. Some managed Kubernetes services like Azure AKS Application Routing have committed to vendor-extended support until November 2026, but this is a temporary measure. Gateway API is the next-generation service networking standard designed by Kubernetes SIG-Network to address Ingress's fundamental limitations. Since reaching v1.0 GA in October 2023, it has matured rapidly to v1.4, with 20+ conformant implementations. Gateway API's most significant design innovation is role-based resource separation. Infrastructure admins, cluster operators, and application developers each work within their own permission scope. Released in October 2025, Gateway API v1.4 adds production-critical capabilities: BackendTLSPolicy (GA) for fine-grained gateway-to-backend TLS management; TLSRoute (GA) for SNI-based TLS passthrough routing; client certificate validation for per-Listener mTLS policies; and SupportedFeatures conformance testing graduated to Standard channel. On March 20, 2026, Kubernetes SIG-Network released ingress2gateway 1.0. The previous version supported only 3 ingress-nginx annotations; v1.0 supports 30+ common annotations and introduces a pluggable emitter architecture for vendor-specific output. The 1.0 release introduces pluggable emitters for generating vendor-specific extension resources beyond standard Gateway API CRDs: For production migrations, the recommended approach is Parallel Run: deploy both Ingress and Gateway API resources simultaneously, then gradually shift DNS weights. The most reported issue in early 2026 is the Istio 1.28/1.29 incompatibility with Gateway API CRD v1.5.x. Installing v1.5.x CRDs causes istiod to crash due to API field mismatches. While ingress2gateway 1.0 supports 30+ annotations, custom or non-standard configurations won't convert automatically. Always check WARNING logs. Gateway API requires explicit ReferenceGrant for cross-namespace references. Without it, routing fails silently with a RefNotPermitted condition. Selection Criteria: If you already run Istio, use Istio Gateway — no additional controller needed. For greenfield environments, Envoy Gateway offers the best conformance and extensibility. For a minimal-change transition from ingress-nginx, NGINX Gateway Fabric is the natural fit. The retirement of Ingress-NGINX formalizes a paradigm shift in Kubernetes networking: from non-standard annotation-based configuration to typed CRDs, from single-role management to a 3-layer separation model, and from HTTP-only to multi-protocol support. The compliance implications cannot be ignored. EOL software in the L7 data path triggers automatic findings in SOC 2, PCI-DSS, and ISO 27001 audits. Delaying migration is not technical debt — it's business risk. With ingress2gateway 1.0, the technical barrier to migration has been significantly lowered. The tools are ready. It's time to execute. Three immediate actions: The future of Kubernetes networking is Gateway API. Start your migration today. Templates let you quickly answer FAQs or store snippets for re-use. Hide child comments as well For further actions, you may consider blocking this person and/or reporting abuse

Command

Copy

# 1. GatewayClass — Defined by infrastructure admin # Determines which controller manages Gateways of this class apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: name: production-gateway spec: controllerName: gateway.envoyproxy.io/gatewayclass-controller description: "Production traffic gateway managed by Envoy Gateway" --- # 2. Gateway — Defined by cluster operator # Provisions the actual load balancer instance apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: main-gateway namespace: gateway-infra spec: gatewayClassName: production-gateway listeners: - name: https protocol: HTTPS port: 443 tls: mode: Terminate certificateRefs: - kind: Secret name: wildcard-tls namespace: cert-manager allowedRoutes: namespaces: from: Selector selector: matchLabels: gateway-access: "true" - name: http protocol: HTTP port: 80 allowedRoutes: namespaces: from: Same # 1. GatewayClass — Defined by infrastructure admin # Determines which controller manages Gateways of this class apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: name: production-gateway spec: controllerName: gateway.envoyproxy.io/gatewayclass-controller description: "Production traffic gateway managed by Envoy Gateway" --- # 2. Gateway — Defined by cluster operator # Provisions the actual load balancer instance apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: main-gateway namespace: gateway-infra spec: gatewayClassName: production-gateway listeners: - name: https protocol: HTTPS port: 443 tls: mode: Terminate certificateRefs: - kind: Secret name: wildcard-tls namespace: cert-manager allowedRoutes: namespaces: from: Selector selector: matchLabels: gateway-access: "true" - name: http protocol: HTTP port: 80 allowedRoutes: namespaces: from: Same # 1. GatewayClass — Defined by infrastructure admin # Determines which controller manages Gateways of this class apiVersion: gateway.networking.k8s.io/v1 kind: GatewayClass metadata: name: production-gateway spec: controllerName: gateway.envoyproxy.io/gatewayclass-controller description: "Production traffic gateway managed by Envoy Gateway" --- # 2. Gateway — Defined by cluster operator # Provisions the actual load balancer instance apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: main-gateway namespace: gateway-infra spec: gatewayClassName: production-gateway listeners: - name: https protocol: HTTPS port: 443 tls: mode: Terminate certificateRefs: - kind: Secret name: wildcard-tls namespace: cert-manager allowedRoutes: namespaces: from: Selector selector: matchLabels: gateway-access: "true" - name: http protocol: HTTP port: 80 allowedRoutes: namespaces: from: Same # 3. HTTPRoute — Defined by application developer # Routing rules to their own services apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: api-routes namespace: app-production spec: parentRefs: - name: main-gateway namespace: gateway-infra sectionName: https hostnames: - "api.example.com" rules: # /api/v1/users -> user--weight: 500;">service - matches: - path: type: PathPrefix value: /api/v1/users backendRefs: - name: user--weight: 500;">service port: 8080 weight: 100 # /api/v1/courses -> course--weight: 500;">service (canary deployment) - matches: - path: type: PathPrefix value: /api/v1/courses backendRefs: - name: course--weight: 500;">service port: 8080 weight: 90 - name: course--weight: 500;">service-canary port: 8080 weight: 10 # Header-based routing - matches: - path: type: PathPrefix value: /api/v1/ headers: - name: X-Environment value: staging backendRefs: - name: staging--weight: 500;">service port: 8080 # 3. HTTPRoute — Defined by application developer # Routing rules to their own services apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: api-routes namespace: app-production spec: parentRefs: - name: main-gateway namespace: gateway-infra sectionName: https hostnames: - "api.example.com" rules: # /api/v1/users -> user--weight: 500;">service - matches: - path: type: PathPrefix value: /api/v1/users backendRefs: - name: user--weight: 500;">service port: 8080 weight: 100 # /api/v1/courses -> course--weight: 500;">service (canary deployment) - matches: - path: type: PathPrefix value: /api/v1/courses backendRefs: - name: course--weight: 500;">service port: 8080 weight: 90 - name: course--weight: 500;">service-canary port: 8080 weight: 10 # Header-based routing - matches: - path: type: PathPrefix value: /api/v1/ headers: - name: X-Environment value: staging backendRefs: - name: staging--weight: 500;">service port: 8080 # 3. HTTPRoute — Defined by application developer # Routing rules to their own services apiVersion: gateway.networking.k8s.io/v1 kind: HTTPRoute metadata: name: api-routes namespace: app-production spec: parentRefs: - name: main-gateway namespace: gateway-infra sectionName: https hostnames: - "api.example.com" rules: # /api/v1/users -> user--weight: 500;">service - matches: - path: type: PathPrefix value: /api/v1/users backendRefs: - name: user--weight: 500;">service port: 8080 weight: 100 # /api/v1/courses -> course--weight: 500;">service (canary deployment) - matches: - path: type: PathPrefix value: /api/v1/courses backendRefs: - name: course--weight: 500;">service port: 8080 weight: 90 - name: course--weight: 500;">service-canary port: 8080 weight: 10 # Header-based routing - matches: - path: type: PathPrefix value: /api/v1/ headers: - name: X-Environment value: staging backendRefs: - name: staging--weight: 500;">service port: 8080 # BackendTLSPolicy — Gateway to backend TLS configuration apiVersion: gateway.networking.k8s.io/v1alpha3 kind: BackendTLSPolicy metadata: name: backend-tls namespace: app-production spec: targetRefs: - group: "" kind: Service name: secure-backend validation: caCertificateRefs: - name: backend-ca-cert group: "" kind: ConfigMap hostname: secure-backend.app-production.svc.cluster.local # BackendTLSPolicy — Gateway to backend TLS configuration apiVersion: gateway.networking.k8s.io/v1alpha3 kind: BackendTLSPolicy metadata: name: backend-tls namespace: app-production spec: targetRefs: - group: "" kind: Service name: secure-backend validation: caCertificateRefs: - name: backend-ca-cert group: "" kind: ConfigMap hostname: secure-backend.app-production.svc.cluster.local # BackendTLSPolicy — Gateway to backend TLS configuration apiVersion: gateway.networking.k8s.io/v1alpha3 kind: BackendTLSPolicy metadata: name: backend-tls namespace: app-production spec: targetRefs: - group: "" kind: Service name: secure-backend validation: caCertificateRefs: - name: backend-ca-cert group: "" kind: ConfigMap hostname: secure-backend.app-production.svc.cluster.local # Install ingress2gateway (Go 1.22+) go -weight: 500;">install github.com/kubernetes-sigs/[email protected] # Or download release binary -weight: 500;">curl -LO https://github.com/kubernetes-sigs/ingress2gateway/releases/download/v1.0.0/ingress2gateway-linux-amd64 chmod +x ingress2gateway-linux-amd64 -weight: 600;">sudo mv ingress2gateway-linux-amd64 /usr/local/bin/ingress2gateway # Convert all Ingress resources to Gateway API (dry-run) ingress2gateway print --providers ingress-nginx # Specific namespace ingress2gateway print --providers ingress-nginx --namespace production # Save to file ingress2gateway print --providers ingress-nginx --namespace production > gateway-resources.yaml # Vendor-specific emitter (Envoy Gateway extensions) ingress2gateway print --providers ingress-nginx --emitter envoy-gateway > envoy-gateway-resources.yaml # Install ingress2gateway (Go 1.22+) go -weight: 500;">install github.com/kubernetes-sigs/[email protected] # Or download release binary -weight: 500;">curl -LO https://github.com/kubernetes-sigs/ingress2gateway/releases/download/v1.0.0/ingress2gateway-linux-amd64 chmod +x ingress2gateway-linux-amd64 -weight: 600;">sudo mv ingress2gateway-linux-amd64 /usr/local/bin/ingress2gateway # Convert all Ingress resources to Gateway API (dry-run) ingress2gateway print --providers ingress-nginx # Specific namespace ingress2gateway print --providers ingress-nginx --namespace production # Save to file ingress2gateway print --providers ingress-nginx --namespace production > gateway-resources.yaml # Vendor-specific emitter (Envoy Gateway extensions) ingress2gateway print --providers ingress-nginx --emitter envoy-gateway > envoy-gateway-resources.yaml # Install ingress2gateway (Go 1.22+) go -weight: 500;">install github.com/kubernetes-sigs/[email protected] # Or download release binary -weight: 500;">curl -LO https://github.com/kubernetes-sigs/ingress2gateway/releases/download/v1.0.0/ingress2gateway-linux-amd64 chmod +x ingress2gateway-linux-amd64 -weight: 600;">sudo mv ingress2gateway-linux-amd64 /usr/local/bin/ingress2gateway # Convert all Ingress resources to Gateway API (dry-run) ingress2gateway print --providers ingress-nginx # Specific namespace ingress2gateway print --providers ingress-nginx --namespace production # Save to file ingress2gateway print --providers ingress-nginx --namespace production > gateway-resources.yaml # Vendor-specific emitter (Envoy Gateway extensions) ingress2gateway print --providers ingress-nginx --emitter envoy-gateway > envoy-gateway-resources.yaml # Install Gateway API CRDs (v1.4.0) # WARNING: v1.5.x causes istiod crash with Istio 1.28/1.29 -weight: 500;">kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard--weight: 500;">install.yaml # Verify CRD installation -weight: 500;">kubectl get crd | grep gateway # For experimental channel (TCPRoute, UDPRoute) -weight: 500;">kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental--weight: 500;">install.yaml # Install Gateway API CRDs (v1.4.0) # WARNING: v1.5.x causes istiod crash with Istio 1.28/1.29 -weight: 500;">kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard--weight: 500;">install.yaml # Verify CRD installation -weight: 500;">kubectl get crd | grep gateway # For experimental channel (TCPRoute, UDPRoute) -weight: 500;">kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental--weight: 500;">install.yaml # Install Gateway API CRDs (v1.4.0) # WARNING: v1.5.x causes istiod crash with Istio 1.28/1.29 -weight: 500;">kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard--weight: 500;">install.yaml # Verify CRD installation -weight: 500;">kubectl get crd | grep gateway # For experimental channel (TCPRoute, UDPRoute) -weight: 500;">kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/experimental--weight: 500;">install.yaml # Inventory all Ingress resources -weight: 500;">kubectl get ingress --all-namespaces -o wide # Analyze annotation usage patterns -weight: 500;">kubectl get ingress --all-namespaces -o json | \ jq -r '.items[].metadata.annotations // {} | keys[]' | \ sort | uniq -c | sort -rn # Preview conversion ingress2gateway print --providers ingress-nginx --all-namespaces 2>&1 | tee migration-preview.yaml # Check for unsupported annotations ingress2gateway print --providers ingress-nginx --all-namespaces 2>&1 | grep "WARNING" # Inventory all Ingress resources -weight: 500;">kubectl get ingress --all-namespaces -o wide # Analyze annotation usage patterns -weight: 500;">kubectl get ingress --all-namespaces -o json | \ jq -r '.items[].metadata.annotations // {} | keys[]' | \ sort | uniq -c | sort -rn # Preview conversion ingress2gateway print --providers ingress-nginx --all-namespaces 2>&1 | tee migration-preview.yaml # Check for unsupported annotations ingress2gateway print --providers ingress-nginx --all-namespaces 2>&1 | grep "WARNING" # Inventory all Ingress resources -weight: 500;">kubectl get ingress --all-namespaces -o wide # Analyze annotation usage patterns -weight: 500;">kubectl get ingress --all-namespaces -o json | \ jq -r '.items[].metadata.annotations // {} | keys[]' | \ sort | uniq -c | sort -rn # Preview conversion ingress2gateway print --providers ingress-nginx --all-namespaces 2>&1 | tee migration-preview.yaml # Check for unsupported annotations ingress2gateway print --providers ingress-nginx --all-namespaces 2>&1 | grep "WARNING" # Install Envoy Gateway (Helm) helm -weight: 500;">install envoy-gateway oci://-weight: 500;">docker.io/envoyproxy/gateway-helm \ --version v1.3.0 \ --namespace envoy-gateway-system \ --create-namespace # Verify GatewayClass -weight: 500;">kubectl get gatewayclass # Install Envoy Gateway (Helm) helm -weight: 500;">install envoy-gateway oci://-weight: 500;">docker.io/envoyproxy/gateway-helm \ --version v1.3.0 \ --namespace envoy-gateway-system \ --create-namespace # Verify GatewayClass -weight: 500;">kubectl get gatewayclass # Install Envoy Gateway (Helm) helm -weight: 500;">install envoy-gateway oci://-weight: 500;">docker.io/envoyproxy/gateway-helm \ --version v1.3.0 \ --namespace envoy-gateway-system \ --create-namespace # Verify GatewayClass -weight: 500;">kubectl get gatewayclass # Gateway + ReferenceGrant for parallel deployment apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: migration-gateway namespace: gateway-infra spec: gatewayClassName: eg listeners: - name: https protocol: HTTPS port: 443 tls: mode: Terminate certificateRefs: - kind: Secret name: api-tls-cert allowedRoutes: namespaces: from: All --- apiVersion: gateway.networking.k8s.io/v1beta1 kind: ReferenceGrant metadata: name: allow-gateway-refs namespace: app-production spec: from: - group: gateway.networking.k8s.io kind: HTTPRoute namespace: app-production to: - group: "" kind: Service # Gateway + ReferenceGrant for parallel deployment apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: migration-gateway namespace: gateway-infra spec: gatewayClassName: eg listeners: - name: https protocol: HTTPS port: 443 tls: mode: Terminate certificateRefs: - kind: Secret name: api-tls-cert allowedRoutes: namespaces: from: All --- apiVersion: gateway.networking.k8s.io/v1beta1 kind: ReferenceGrant metadata: name: allow-gateway-refs namespace: app-production spec: from: - group: gateway.networking.k8s.io kind: HTTPRoute namespace: app-production to: - group: "" kind: Service # Gateway + ReferenceGrant for parallel deployment apiVersion: gateway.networking.k8s.io/v1 kind: Gateway metadata: name: migration-gateway namespace: gateway-infra spec: gatewayClassName: eg listeners: - name: https protocol: HTTPS port: 443 tls: mode: Terminate certificateRefs: - kind: Secret name: api-tls-cert allowedRoutes: namespaces: from: All --- apiVersion: gateway.networking.k8s.io/v1beta1 kind: ReferenceGrant metadata: name: allow-gateway-refs namespace: app-production spec: from: - group: gateway.networking.k8s.io kind: HTTPRoute namespace: app-production to: - group: "" kind: Service # 1. Deploy Gateway API resources (parallel with existing Ingress) -weight: 500;">kubectl apply -f gateway-resources.yaml # 2. Get external IP assigned to Gateway -weight: 500;">kubectl get gateway migration-gateway -n gateway-infra -o jsonpath='{.-weight: 500;">status.addresses[0].value}' # 3. Gradually shift DNS weights # ingress-nginx LB: 90 -> 50 -> 10 -> 0 # gateway API LB: 10 -> 50 -> 90 -> 100 # 4. Verify traffic -weight: 500;">curl -H "Host: api.example.com" https://<GATEWAY_IP>/api/v1/health # 5. Cleanup after full transition -weight: 500;">kubectl delete ingress --all -n app-production helm uninstall ingress-nginx -n ingress-nginx # 1. Deploy Gateway API resources (parallel with existing Ingress) -weight: 500;">kubectl apply -f gateway-resources.yaml # 2. Get external IP assigned to Gateway -weight: 500;">kubectl get gateway migration-gateway -n gateway-infra -o jsonpath='{.-weight: 500;">status.addresses[0].value}' # 3. Gradually shift DNS weights # ingress-nginx LB: 90 -> 50 -> 10 -> 0 # gateway API LB: 10 -> 50 -> 90 -> 100 # 4. Verify traffic -weight: 500;">curl -H "Host: api.example.com" https://<GATEWAY_IP>/api/v1/health # 5. Cleanup after full transition -weight: 500;">kubectl delete ingress --all -n app-production helm uninstall ingress-nginx -n ingress-nginx # 1. Deploy Gateway API resources (parallel with existing Ingress) -weight: 500;">kubectl apply -f gateway-resources.yaml # 2. Get external IP assigned to Gateway -weight: 500;">kubectl get gateway migration-gateway -n gateway-infra -o jsonpath='{.-weight: 500;">status.addresses[0].value}' # 3. Gradually shift DNS weights # ingress-nginx LB: 90 -> 50 -> 10 -> 0 # gateway API LB: 10 -> 50 -> 90 -> 100 # 4. Verify traffic -weight: 500;">curl -H "Host: api.example.com" https://<GATEWAY_IP>/api/v1/health # 5. Cleanup after full transition -weight: 500;">kubectl delete ingress --all -n app-production helm uninstall ingress-nginx -n ingress-nginx # Symptom: istiod CrashLoopBackOff -weight: 500;">kubectl logs -n istio-system deployment/istiod | grep "gateway" # Fix: Downgrade CRDs -weight: 500;">kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard--weight: 500;">install.yaml -weight: 500;">kubectl rollout -weight: 500;">restart deployment/istiod -n istio-system # Symptom: istiod CrashLoopBackOff -weight: 500;">kubectl logs -n istio-system deployment/istiod | grep "gateway" # Fix: Downgrade CRDs -weight: 500;">kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard--weight: 500;">install.yaml -weight: 500;">kubectl rollout -weight: 500;">restart deployment/istiod -n istio-system # Symptom: istiod CrashLoopBackOff -weight: 500;">kubectl logs -n istio-system deployment/istiod | grep "gateway" # Fix: Downgrade CRDs -weight: 500;">kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.4.0/standard--weight: 500;">install.yaml -weight: 500;">kubectl rollout -weight: 500;">restart deployment/istiod -n istio-system # Extract unsupported annotations ingress2gateway print --providers ingress-nginx 2>&1 | \ grep "WARNING.*annotation" | \ sed 's/.*annotation "\(.*\)" is not.*/\1/' | \ sort -u > unsupported-annotations.txt # Common manual mappings: # limit-rps -> Envoy Gateway RateLimitPolicy # auth-url -> Envoy Gateway SecurityPolicy (ExtAuth) # modsecurity-* -> Separate WAF solution required # Extract unsupported annotations ingress2gateway print --providers ingress-nginx 2>&1 | \ grep "WARNING.*annotation" | \ sed 's/.*annotation "\(.*\)" is not.*/\1/' | \ sort -u > unsupported-annotations.txt # Common manual mappings: # limit-rps -> Envoy Gateway RateLimitPolicy # auth-url -> Envoy Gateway SecurityPolicy (ExtAuth) # modsecurity-* -> Separate WAF solution required # Extract unsupported annotations ingress2gateway print --providers ingress-nginx 2>&1 | \ grep "WARNING.*annotation" | \ sed 's/.*annotation "\(.*\)" is not.*/\1/' | \ sort -u > unsupported-annotations.txt # Common manual mappings: # limit-rps -> Envoy Gateway RateLimitPolicy # auth-url -> Envoy Gateway SecurityPolicy (ExtAuth) # modsecurity-* -> Separate WAF solution required # Fix: Create ReferenceGrant in the target namespace apiVersion: gateway.networking.k8s.io/v1beta1 kind: ReferenceGrant metadata: name: allow-from-app-ns namespace: shared-services spec: from: - group: gateway.networking.k8s.io kind: HTTPRoute namespace: app-production to: - group: "" kind: Service # Fix: Create ReferenceGrant in the target namespace apiVersion: gateway.networking.k8s.io/v1beta1 kind: ReferenceGrant metadata: name: allow-from-app-ns namespace: shared-services spec: from: - group: gateway.networking.k8s.io kind: HTTPRoute namespace: app-production to: - group: "" kind: Service # Fix: Create ReferenceGrant in the target namespace apiVersion: gateway.networking.k8s.io/v1beta1 kind: ReferenceGrant metadata: name: allow-from-app-ns namespace: shared-services spec: from: - group: gateway.networking.k8s.io kind: HTTPRoute namespace: app-production to: - group: "" kind: Service - Run -weight: 500;">kubectl get ingress --all-namespaces to inventory your current Ingress resources - Run ingress2gateway print to assess automatic conversion coverage and identify manual mapping needs - Deploy a Gateway API controller in staging and validate converted resources

🏷️ Tags

toolsutilitiessecurity toolsingressnginxofficiallyretiredcompletegatewaymigration

More from Tools

Tools: How to Tweak Linux Kernel Settings for Maximum Throughput on 10G Links (2026)

Tools: How to Tweak Linux Kernel Settings for Maximum Throughput on 10G Links (2026)

2026-03-31 0
Tools: How to Set Up Free Home Network Monitoring (Before Something Breaks) (2026)

Tools: How to Set Up Free Home Network Monitoring (Before Something Breaks) (2026)

2026-03-31 0
Tools: Update: Turn Your Home Server into a NAS — Access Files from Any Device with Samba

Tools: Update: Turn Your Home Server into a NAS — Access Files from Any Device with Samba

2026-03-31 0
Tools: Who killed my service: collecting kernel kill logs with OTEL (2026)

Tools: Who killed my service: collecting kernel kill logs with OTEL (2026)

2026-03-31 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views