Migrate from Ingress NGINX to Kubernetes Gateway API Now

Ingress NGINX reached end-of-life (EOL) in March 2026. Since then, migrating has become a security imperative, not just a best practice. Vulnerabilities like IngressNightmare and more recent CVEs including CVE-2026-24512 and CVE-2026-3288 have demonstrated that ingress vulnerabilities can have cluster-wide impact. With the controller now EOL, future vulnerabilities will receive no supported fixes.
The Kubernetes project recommends moving to Kubernetes Gateway API, a feature-rich and actively maintained successor supported by multiple controller implementations.
To migrate from Ingress NGINX to Kubernetes Gateway API safely, teams should follow an incremental, structured approach. First, choose a Gateway API controller. Common production options include NGINX Gateway Fabric, Istio, Envoy Gateway, and cloud-managed implementations like GKE Gateway and AWS Load Balancer Controller. Controller choice matters, especially for teams planning to use Gateway API Inference Extension for LLM inference routing, which currently requires Envoy Gateway or Istio.
Before any changes go live, capture a performance baseline. Track metrics like request rate, latency, and error rate from Ingress NGINX. A Datadog Notebook works well here, letting teams compare baseline NGINX telemetry against live Gateway API metrics throughout the migration.
Next, install the Gateway API controller and CRDs alongside Ingress NGINX. Both can coexist during the transition. After installation, translate existing Ingress configuration into Gateway and Route resources. The Kubernetes project’s Ingress2Gateway tool can automate much of this translation and flag configuration that cannot be converted automatically.
Once resources are deployed, verify that Routes have been accepted by the Gateway and that referenced backends resolve correctly. Then validate routing behavior by sending test traffic directly to the Gateway’s assigned address before any DNS changes.
When validation passes, shift production traffic by updating DNS records to point to the new Gateway API endpoint. Lower your DNS TTL ahead of time and monitor closely during the transition window. Use Datadog SLOs, Watchdog, APM, and the Network Map to catch regressions quickly and roll back if needed.
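The verification step above (Routes accepted by the Gateway, backend references resolving) can be checked mechanically before any DNS change. The following is an added example, not part of the original article or of any controller project: it reads the JSON from `kubectl get httproute -A -o json` and reports every route whose standard `Accepted` or `ResolvedRefs` condition is missing, false, or older than the current spec. The sample data and the names in it (`shop`, `edge-gw`) are constructed for illustration.

```python
import json
import sys

REQUIRED = ("Accepted", "ResolvedRefs")  # standard Gateway API route conditions


def route_problems(route_list):
    """Return one message per route/parent pair that is not safe to send traffic to."""
    problems = []
    for route in route_list.get("items", []):
        meta = route["metadata"]
        name = f'{meta.get("namespace", "default")}/{meta["name"]}'
        generation = meta.get("generation", 0)
        parents = route.get("status", {}).get("parents", [])
        if not parents:
            # No controller wrote status: bad parentRef or nothing is watching this route.
            problems.append(f"{name}: no parent status reported")
            continue
        for parent in parents:
            gw = parent.get("parentRef", {}).get("name", "?")
            conds = {c["type"]: c for c in parent.get("conditions", [])}
            for ctype in REQUIRED:
                cond = conds.get(ctype)
                if cond is None:
                    problems.append(f"{name} -> {gw}: {ctype} condition missing")
                elif cond.get("status") != "True":
                    problems.append(f"{name} -> {gw}: {ctype}={cond.get('status')} ({cond.get('reason')})")
                elif cond.get("observedGeneration", generation) < generation:
                    # The condition describes an older spec than the one now applied.
                    problems.append(f"{name} -> {gw}: {ctype} is stale")
    return problems

def _cond(ctype, status, reason, observed):
    return {"type": ctype, "status": status, "reason": reason, "observedGeneration": observed}

# Constructed sample, not real cluster output; names are hypothetical.
SAMPLE = {"items": [
    {"metadata": {"namespace": "shop", "name": "cart", "generation": 2},
     "status": {"parents": [{"parentRef": {"name": "edge-gw"}, "conditions": [
         _cond("Accepted", "True", "Accepted", 2), _cond("ResolvedRefs", "True", "ResolvedRefs", 2)]}]}},
    {"metadata": {"namespace": "shop", "name": "checkout", "generation": 3},
     "status": {"parents": [{"parentRef": {"name": "edge-gw"}, "conditions": [
         _cond("Accepted", "True", "Accepted", 2), _cond("ResolvedRefs", "False", "BackendNotFound", 3)]}]}},
    {"metadata": {"namespace": "shop", "name": "legacy", "generation": 1}, "status": {}},
]}

if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    sys.exit("\n".join(route_problems(data)) or 0)
```

Run it with the path to a saved `kubectl` JSON dump as the only argument; a non-zero exit code means at least one route is not ready, which makes it usable as a gate before the traffic shift.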
Beyond the technical steps, this migration also involves organizational change. Gateway API separates responsibility across roles: infrastructure providers manage GatewayClass, cluster operators manage Gateway, and application developers manage Routes. Teams should plan for RBAC updates and cross-team coordination accordingly.






