eu.36kr.com
Ingress NGINX to "Retire" in Four Months: Global Users Panic Amid 1
Excerpt
Take a typical example: Ingress NGINX allows users to add arbitrary NGINX configuration (snippets) directly through annotations. This was once considered a flexibility advantage, but it has now become a security black hole. Such features fundamentally undermine the "configuration security boundary," making the NGINX runtime almost uncontrollable. In today's context of increasingly strict cloud-native security standards, this is already an "unacceptable level" of design. And there is more than one such feature. As the user base has grown, these historical burdens have gradually accumulated into technical debt that is difficult to fix. Of course, a complex project with a 20-person team to maintain it can still function. However, Ingress NGINX has only 1-2 maintainers, who can only do the maintenance in their free time.
Related Pain Points
Lua-Based Annotation Parsers Vulnerable to Injection Attacks
Lua-based annotation parsers in ingress-nginx (e.g., `auth-url`, `auth-tls-match-cn`, mirror UID parsers) fail to properly sanitize user inputs before incorporating them into NGINX/Lua configurations. Attackers can craft malicious Ingress annotations that inject arbitrary directives into the NGINX configuration template via the admission controller's validation logic.
Unsustainable maintenance burden on ingress-nginx community project
The ingress-nginx project has become too heavy for volunteer-driven community maintenance due to massive operational burden from handling edge cases, feature requests, performance tuning, security hardening, and multi-architecture builds. The project is scheduled to end maintenance by March 2026.
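As an added example (not code from the article or from the ingress-nginx project), the audit below walks an Ingress list and flags objects that use the snippet annotations described in the excerpt, or whose templated annotations named in the injection pain point carry characters that end or open an NGINX directive. The default annotation prefix, the `mirror-target`/`mirror-host` names, the character heuristic and the sample objects are assumptions made for this example.

```python
import json
import sys

# Assumption: the controller runs with its default annotation prefix.
PREFIX = "nginx.ingress.kubernetes.io/"
# Annotations that accept raw NGINX configuration by design.
SNIPPET_KEYS = {"configuration-snippet", "server-snippet", "auth-snippet",
                "modsecurity-snippet", "stream-snippet"}
# Annotations whose values are interpolated into the generated configuration.
TEMPLATED_KEYS = {"auth-url", "auth-tls-match-cn", "mirror-target", "mirror-host"}
# Heuristic (assumption): characters that terminate or open a directive or block.
# A hit means "review this value", not proof of abuse.
DIRECTIVE_CHARS = set("\n\r;{}")


def audit_ingresses(ingress_list):
    """Return (namespace, name, annotation, reason) tuples for an IngressList dict."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        where = (meta.get("namespace", "default"), meta.get("name", "?"))
        for key, value in (meta.get("annotations") or {}).items():
            if not key.startswith(PREFIX):
                continue
            short = key[len(PREFIX):]
            if short in SNIPPET_KEYS:
                findings.append(where + (short, "raw-snippet"))
            elif short in TEMPLATED_KEYS and DIRECTIVE_CHARS & set(value):
                findings.append(where + (short, "directive-chars"))
    return findings


# Constructed sample data, shaped like `kubectl get ingress -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "web", "annotations": {
        PREFIX + "configuration-snippet": 'more_set_headers "X-Frame-Options: DENY";'}}},
    {"metadata": {"namespace": "shop", "name": "api", "annotations": {
        PREFIX + "auth-url": "https://auth.example.test/check\nCONSTRUCTED-SECOND-LINE"}}},
    {"metadata": {"namespace": "blog", "name": "site", "annotations": {
        PREFIX + "auth-url": "https://auth.example.test/check",
        PREFIX + "rewrite-target": "/"}}},
]}

if __name__ == "__main__":
    # Pass a saved JSON file as the first argument, or run with no argument for the sample.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for namespace, name, annotation, reason in audit_ingresses(data):
        print(f"{namespace}/{name}: {annotation} ({reason})")
```

An inventory like this also shows how many Ingress objects depend on snippet annotations, which matters when planning a move off the controller before maintenance ends.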