Why Half of All Kubernetes Clusters Are About to Become Vulnerable | Kat Cosgrove & Tabitha Sable

The Kubernetes Steering Committee announced that the Ingress NGINX controller – a core ingress solution for roughly half of cloud‑native deployments – will be officially retired at the end of March, six weeks from the announcement. After that date the project will receive no further bug fixes or security patches, leaving any remaining installations exposed.

Because Ingress NGINX powers traffic entry for about 50 % of production clusters, the shutdown creates an immediate security emergency. Existing deployments will keep running, but any newly discovered vulnerability will remain unpatched. The controller’s extensive configurability, driven by dozens of annotations, makes migration non‑trivial, especially for large enterprises that have heavily customized setups.

The speakers highlighted recent CVE‑2025‑1974 as a concrete example: a configuration‑injection flaw could grant an attacker namespace‑level secrets or, in poorly hardened clusters, full cluster‑admin rights. They also pointed to the community‑built Ingress2Gateway tool and the maturing Gateway API as practical pathways for migration, while stressing that third‑party ingress controllers are now listed in the official docs.

Businesses must begin migration immediately to avoid a potential breach that could compromise data, disrupt services, or even erase production environments. The episode also underscores a broader lesson: contributing resources to critical open‑source projects is no longer a moral choice but a core component of an organization’s security posture.