
Migrating from Ingress NGINX to Pomerium Ingress Controller

Make the switch from ingress-nginx to pomerium

The Kubernetes community announced that Ingress NGINX will be retired in March 2026. After that, there won't be any more updates, bug fixes, or security patches. Your existing deployments will keep working, but running without security updates is risky, and there will be no further feature development.

Many Kubernetes operators are now evaluating alternatives to the community Ingress NGINX controller. The Pomerium ingress controller offers a compelling migration path that provides the same reverse proxy functionality you're used to, with optional zero trust capabilities (what we do best) that you can adopt incrementally without requiring an immediate overhaul of your existing setup.

Why Consider Pomerium?

While there are several good ingress controller alternatives available, the Pomerium ingress controller provides the same reverse proxy functionality you're used to with Ingress NGINX, but with built-in zero trust features that you can adopt incrementally. Since both Pomerium Core and the ingress controller are open source, you can evaluate and implement without vendor lock-in concerns.

Before You Start

This guide assumes you have:

What's Different?

Unlike NGINX, Pomerium has two key requirements:

  1. HTTPS is mandatory - all routes must use TLS

  2. Policies are required - you must specify an access policy (even if it's permissive)

These requirements ensure security by default, but you can configure permissive policies that function exactly like traditional reverse proxies.

A Simple Migration Example

Let's look at a typical Ingress NGINX configuration and its Pomerium equivalent:

Ingress NGINX:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
spec:
  ingressClassName: nginx
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app-service
            port:
              number: 80
  tls:
  - hosts:
    - app.example.com
    secretName: app-tls-cert

Pomerium Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  annotations:
    ingress.pomerium.io/policy: |
      - allow:
          any: true
spec:
  ingressClassName: pomerium
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app-service
            port:
              number: 80
  tls:
  - hosts:
    - app.example.com
    secretName: app-tls-cert

The configuration is nearly identical—just change the ingress class from nginx to pomerium and add a basic policy. The any: true policy tells Pomerium to allow all requests through without applying access restrictions—essentially functioning as a traditional reverse proxy with no additional authentication or authorization layers. Your existing network security, firewall rules, and application-level authentication remain unchanged.
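Before applying that change across a cluster, it helps to check each Ingress against the two requirements above and to list what the class swap leaves behind. The following is an added example, not code from Pomerium or from the original post. It takes Ingress objects as Python dicts (the shape `kubectl get ingress -o json` returns), converts the nginx ones, and reports hosts with no spec.tls entry and ingress-nginx annotations that are dropped. The names migrate and tls_covers, the ACCESS_CONTROL selection, and the sample object are assumptions made for illustration.

```python
import copy

NGINX_PREFIX = "nginx.ingress.kubernetes.io/"
# ingress-nginx annotations that enforce access control at the proxy itself
# (a selection, not an exhaustive list).
ACCESS_CONTROL = {"whitelist-source-range", "auth-url", "auth-type",
                  "auth-secret", "auth-tls-verify-client"}
PERMISSIVE_POLICY = "- allow:\n    any: true\n"  # the policy shown above

def tls_covers(host, tls_hosts):
    """True if host has an exact or single-label wildcard entry in spec.tls."""
    return host in tls_hosts or "*." + host.split(".", 1)[-1] in tls_hosts

def migrate(ingress, policy=PERMISSIVE_POLICY):
    """Return (converted, findings); converted is None for non-nginx Ingresses."""
    spec = ingress.get("spec") or {}
    ann = (ingress.get("metadata") or {}).get("annotations") or {}
    cls = spec.get("ingressClassName") or ann.get("kubernetes.io/ingress.class")
    if cls != "nginx":
        return None, []
    findings = []
    tls_hosts = {h for t in spec.get("tls") or [] for h in t.get("hosts") or []}
    for rule in spec.get("rules") or []:
        host = rule.get("host")
        if host and not tls_covers(host, tls_hosts):
            findings.append(("TLS", f"{host} has no spec.tls entry"))
    kept = {}
    for key, val in ann.items():
        if key.startswith(NGINX_PREFIX):
            name = key[len(NGINX_PREFIX):]
            level = "ACCESS-CONTROL" if name in ACCESS_CONTROL else "REVIEW"
            findings.append((level, f"{key}={val!r} is dropped"))
        elif key != "kubernetes.io/ingress.class":
            kept[key] = val
    kept.setdefault("ingress.pomerium.io/policy", policy)
    converted = copy.deepcopy(ingress)  # never mutate the caller's object
    converted["metadata"] = {**(converted.get("metadata") or {}), "annotations": kept}
    converted["spec"] = {**(converted.get("spec") or {}), "ingressClassName": "pomerium"}
    return converted, findings

# Constructed sample: the my-app Ingress plus an IP allowlist and a host without TLS.
SAMPLE = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "my-app", "annotations": {
        "nginx.ingress.kubernetes.io/whitelist-source-range": "10.0.0.0/8",
        "nginx.ingress.kubernetes.io/proxy-body-size": "8m"}},
    "spec": {"ingressClassName": "nginx",
             "rules": [{"host": "app.example.com"}, {"host": "admin.example.com"}],
             "tls": [{"hosts": ["app.example.com"], "secretName": "app-tls-cert"}]},
}
```

An ACCESS-CONTROL finding means the route was restricted at the proxy under ingress-nginx, so it needs an equivalent Pomerium policy rather than any: true before it is switched over.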

Policy Options for Basic Reverse Proxy Functionality

For straightforward migration that matches Ingress NGINX's default behavior, you have several policy options:

# Option 1: Allow any request (most similar to Ingress NGINX default)
ingress.pomerium.io/policy: |
  - allow:
      any: true

# Option 2: Truly public access (annotation shortcut)
ingress.pomerium.io/allow_public_unauthenticated_access: 'true'

# Option 3: Any authenticated user (if you want a basic login requirement)
ingress.pomerium.io/allow_any_authenticated_user: 'true'

TLS Certificate Management

Since Pomerium requires HTTPS, consider using cert-manager for automatic certificate provisioning. The Pomerium ingress controller integrates seamlessly with cert-manager:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    ingress.pomerium.io/policy: |
      - allow:
          any: true
spec:
  ingressClassName: pomerium
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app-service
            port:
              number: 80
  tls:
  - hosts:
    - app.example.com
    secretName: app-tls-cert # cert-manager will create this

Start Simple, Add Zero Trust When Ready

Migrating to Pomerium gives you immediate reverse proxy functionality identical to Ingress NGINX. If you later decide to explore zero trust, you can replace the permissive policy with fine-grained rules based on user identity, device status, request context, or other factors:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  annotations:
    ingress.pomerium.io/policy: |
      - allow:
          and:
            - domain:
                is: example.com
spec:
  ingressClassName: pomerium
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-app-service
            port:
              number: 80
  tls:
  - hosts:
    - app.example.com
    secretName: app-tls-cert

Getting Started

With the March 2026 retirement deadline, you have time to plan your migration carefully. The Pomerium ingress controller installation is straightforward and well-documented. You can run both controllers side-by-side during migration, gradually moving services over as you validate functionality.

Whether you're looking for a sustainable long-term solution or preparing for a zero trust future, the Pomerium ingress controller offers a natural evolution from traditional reverse proxy patterns. Start with the familiar, add security when you're ready.


Learn more about the Pomerium ingress controller at github.com/pomerium/ingress-controller or check out the deployment documentation.
