Opinion: There were lots of announcements about Kubernetes at KubeCon North America in Atlanta. I should know, I was there from beginning to end. But the biggest Kubernetes story of all didn't get much attention. Kubernetes is retiring its popular Ingress NGINX controller. Ingress NGINX goes to that big bit farm in the sky in March 2026. After that, "there will be no further releases, no bugfixes, and no updates to resolve any security vulnerabilities that may be discovered."
Ingress NGINX, for those who don't know it, is an ingress controller in Kubernetes clusters that manages and routes external HTTP and HTTPS traffic to the cluster's internal services based on configurable Ingress rules. It acts as a reverse proxy, ensuring that requests from clients outside the cluster are forwarded to the correct backend services within the cluster according to path, domain, and TLS configuration. As such, it's vital for network traffic management and load balancing. You know, the important stuff.
Now this longstanding project, once celebrated for its flexibility and breadth of features, will soon be "abandonware." So what? After all, it won't be the first time a once-popular program shuffled off the stage. Off the top of my head, dBase, Lotus 1-2-3, and VisiCalc spring to mind.
What's different is that there are still thousands of Ingress NGINX controllers in use.
Why is it being put down, then, if it's so popular? Well, there is a good reason. As Tabitha Sable, a staff engineer at Datadog who is also co-chair of the Kubernetes special interest group for security, pointed out: "Ingress NGINX has always struggled with insufficient or barely sufficient maintainership. For years, the project has had only one or two people doing development work, on their own time, after work hours, and on weekends. Last year, the Ingress NGINX maintainers announced their plans to wind down Ingress NGINX and develop a replacement controller together with the Gateway API community. Unfortunately, even that announcement failed to generate additional interest in helping maintain Ingress NGINX or develop InGate to replace it."
The final nail in the coffin was when security company Wiz found a killer Ingress NGINX security hole. How bad was it? Wiz declared: "Exploiting this flaw allows an attacker to execute arbitrary code and access all cluster secrets across namespaces, which could lead to complete cluster takeover."
What's upsetting people is, as one Reddit Kubernetes user cried: "Retirement of a service of this magnitude should be at minimum of a year. Hell, it's going to take longer than four months to get all the documentation rewritten." He's not wrong.
However, Kubernetes maintainer Tim Hockin replied: "I understand your feelings here. But I am going to ask you once to please drop the entitlement. The people who currently work on ingress-nginx do so FOR FREE. They have been doing it largely because they feel a sense of duty. They do not need to be berated. In the two years this has been a topic, almost nobody has stepped up to help. There are no new maintainers in the pipeline. Shuttering this project is necessary." He's right too.
You see, the real problem isn't that Ingress NGINX has a major security problem. Heck, hardly a month goes by without another stop-the-presses Windows bug being uncovered. No, the real issue is that here we have yet another example of a mission-critical open source program no one pays to support.
William Morgan, CEO of Buoyant, creators of Linkerd, nailed it in his LinkedIn post: "The CNCF ecosystem does not really allow for volunteer work. This community has a very specific relationship to open source, and it's one of consumption, not contribution."
This is no way for a corporate community to work with open source. Morgan has two proposed solutions: "1. Be funded by a company that is making money by directly selling the project, e.g., Buoyant selling Linkerd. 2. Be funded by a company that is making money by indirectly selling the project, e.g., Google funding Kubernetes to sell GCP." The bottom-line answer is simple: "Pay the maintainers."
This is not a unique problem. Just take the kerfuffle between FFmpeg's volunteer developers and Google. There, the maintainers and programmers are being buried by demands for security fixes that no one is paying for.
Now, some of you may be wondering what the big deal is. Most of you have probably never heard of FFmpeg. That's a pity because every last one of you reading this article has used this program today. It's the video format converter that all of you use to watch videos on all web browsers, all video streaming services, and televisions. It's everywhere, it's vital, and, at the moment, there's no organized support for its maintenance.
This can't continue. We've all seen the xkcd cartoon of the entire internet depending on a single programmer in Nebraska. It's not a joke, it's reality, and that person is getting older, more tired, and, oh yeah, he'd like to make a living too. It's time for open source consumers to get serious about paying open source builders. If we don't, you can kiss the open source free ride goodbye. ®
Source: The Register