The Kubernetes community announced that Ingress NGINX will be retired in March 2026. After that, there won't be any more updates, bugfixes, or security patches. Your existing deployments will keep working, but running without security updates is risky, and there will be no further feature development.
Many Kubernetes operators are now evaluating alternatives to the community Ingress NGINX controller. The Pomerium ingress controller offers a compelling migration path that provides the same reverse proxy functionality you're used to, with optional zero trust capabilities (what we do best) that you can adopt incrementally without requiring an immediate overhaul of your existing setup.
Why Consider Pomerium?
While there are several good ingress controller alternatives available, the Pomerium ingress controller provides the same reverse proxy functionality you're used to with Ingress NGINX, but with built-in zero trust features that you can adopt incrementally. Since both Pomerium Core and the ingress controller are open source, you can evaluate and implement without vendor lock-in concerns.
Before You Start
This guide assumes you have:
- Pomerium installed
- The Pomerium Ingress Controller installed
- TLS certificates configured (Pomerium requires HTTPS for all routes)
- Basic familiarity with Kubernetes ingress resources
What's Different?
Unlike NGINX, Pomerium has two key requirements:
- HTTPS is mandatory - all routes must use TLS
- Policies are required - you must specify an access policy (even if it's permissive)
These requirements ensure security by default, but you can configure permissive policies that function exactly like traditional reverse proxies.
A Simple Migration Example
Let's look at a typical Ingress NGINX configuration and its Pomerium equivalent:
Ingress NGINX to Pomerium Ingress Controller:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: my-app
+ annotations:
+ ingress.pomerium.io/policy:
+ - allow:
+ any: true
spec:
- ingressClassName: nginx
+ ingressClassName: pomerium
rules:
- host: app.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: my-app-service
port:
number: 80
tls:
- hosts:
- app.example.com
secretName: app-tls-cert
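Review bot: the added `ingress.pomerium.io/policy:` line (second added line of the annotations block) has no `|` block-scalar indicator, so the `- allow:` / `any: true` lines under it parse as a YAML list instead of a string. Kubernetes annotation values must be strings, and the later examples on this page write the same annotation as `ingress.pomerium.io/policy: |`; suggest using that form here too so the manifest applies as shown.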
The configuration is nearly identical—just change the ingress class from nginx to pomerium and add a basic policy. The any: true policy tells Pomerium to allow all requests through without applying access restrictions—essentially functioning as a traditional reverse proxy with no additional authentication or authorization layers. Your existing network security, firewall rules, and application-level authentication remain unchanged.
Policy Options for Basic Reverse Proxy Functionality
For straightforward migration that matches Ingress NGINX's default behavior, you have several policy options:
```yaml
# Option 1: Allow any request (most similar to Ingress NGINX default)
ingress.pomerium.io/policy: |
  - allow:
      any: true
# Option 2: Truly public access (annotation shortcut)
ingress.pomerium.io/allow_public_unauthenticated_access: 'true'
# Option 3: Any authenticated user (if you only want to require a login)
ingress.pomerium.io/allow_any_authenticated_user: 'true'
```
TLS Certificate Management
Since Pomerium requires HTTPS, consider using cert-manager for automatic certificate provisioning. The Pomerium ingress controller integrates seamlessly with cert-manager:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    ingress.pomerium.io/policy: |
      - allow:
          any: true
spec:
  ingressClassName: pomerium
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-app-service
                port:
                  number: 80
  tls:
    - hosts:
        - app.example.com
      secretName: app-tls-cert # cert-manager will create this
```
Start Simple, Add Zero Trust When Ready
If you're moving off Ingress NGINX, Pomerium gives you immediate reverse proxy functionality identical to Ingress NGINX. And if you decide to explore zero trust down the road, you can replace the permissive policy with fine-grained rules based on user identity, device status, request context, or other factors:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  annotations:
    ingress.pomerium.io/policy: |
      - allow:
          and:
            - domain:
                is: example.com
spec:
  ingressClassName: pomerium
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-app-service
                port:
                  number: 80
  tls:
    - hosts:
        - app.example.com
      secretName: app-tls-cert
```
Getting Started
With the March 2026 retirement deadline, you have time to plan your migration carefully. The Pomerium ingress controller installation is straightforward and well-documented. You can run both controllers side-by-side during migration, gradually moving services over as you validate functionality.
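While both controllers run side by side, it helps to audit every Ingress for the two requirements described earlier (TLS on every route, a policy on every route) and to list which migrated routes still carry a permissive policy. The script below is an added example, not code from Pomerium or from this post; the `audit` function, the constructed sample data and the regex heuristic for `any: true` are assumptions made for illustration.

```python
import json
import re

POLICY = "ingress.pomerium.io/policy"
PUBLIC = "ingress.pomerium.io/allow_public_unauthenticated_access"
ANY_USER = "ingress.pomerium.io/allow_any_authenticated_user"
# Heuristic: spots the permissive "any: true" rule in the policy string.
ANY_TRUE = re.compile(r"^\s*-?\s*any:\s*true\s*$", re.MULTILINE)

def audit(ingress_list):
    """Map namespace/name to findings for a parsed `kubectl get ingress -o json` list."""
    report = {}
    for item in ingress_list.get("items", []):
        meta, spec = item.get("metadata", {}), item.get("spec", {})
        ann = meta.get("annotations") or {}
        findings = report.setdefault(f"{meta.get('namespace')}/{meta.get('name')}", [])
        cls = spec.get("ingressClassName")
        if cls != "pomerium":
            findings.append(f"not migrated (class={cls})")
            continue
        # Requirement 1: each rule host needs a tls entry (exact match only).
        tls_hosts = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
        for rule in spec.get("rules") or []:
            if rule.get("host") not in tls_hosts:
                findings.append(f"no TLS entry for host {rule.get('host')}")
        # Requirement 2: an access policy must be present, even a permissive one.
        policy = ann.get(POLICY, "")
        public = ann.get(PUBLIC) == "true"
        if not (policy.strip() or public or ann.get(ANY_USER) == "true"):
            findings.append("no access policy annotation")
        if public or ANY_TRUE.search(policy):
            findings.append("permissive policy: open to all requests")
    return report

# Constructed sample standing in for `kubectl get ingress -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "web", "name": "legacy"},
  "spec": {"ingressClassName": "nginx"}},
 {"metadata": {"namespace": "web", "name": "my-app", "annotations":
    {"ingress.pomerium.io/policy": "- allow:\\n    any: true\\n"}},
  "spec": {"ingressClassName": "pomerium", "rules": [{"host": "app.example.com"}],
           "tls": [{"hosts": ["app.example.com"]}]}},
 {"metadata": {"namespace": "web", "name": "api"},
  "spec": {"ingressClassName": "pomerium", "rules": [{"host": "api.example.com"}]}}
]}""")

if __name__ == "__main__":
    print(json.dumps(audit(SAMPLE), indent=2))
```

An empty findings list means the Ingress is on the `pomerium` class with TLS and a non-permissive policy; the "permissive policy" entries form the backlog of routes to tighten later.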
Whether you're looking for a sustainable long-term solution or preparing for a zero trust future, the Pomerium ingress controller offers a natural evolution from traditional reverse proxy patterns. Start with the familiar, add security when you're ready.
Learn more about the Pomerium ingress controller at github.com/pomerium/ingress-controller or check out the deployment documentation.