TL;DR: Ingress-nginx migrations often fail on controller-specific annotations, hidden dependencies, and cutover mechanics, according to Pomerium. The real issue is not missing features but fragile access and routing assumptions that become visible only when identity, policy, and blast radius are translated into a new control plane.
At a glance
What this is: This is an analysis of why ingress-nginx migrations get messy, with the key finding that controller-specific behavior, hidden dependencies, and cutover complexity create governance and operational risk.
Why it matters: It matters because ingress is now part of identity enforcement for many applications, and IAM, NHI, and platform teams need a repeatable way to preserve access intent during controller changes.
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
👉 Read Pomerium's analysis of ingress-nginx migration pain points
Context
Ingress-nginx migrations are rarely just a platform swap. The practical problem is that access behaviour often lives in annotations, snippets, and controller-specific extensions, so the security model changes even when the manifest still looks familiar. In identity terms, this is a governance translation problem, not only an infrastructure one.
For IAM and platform teams, the risk is that routing, authentication, and authorisation intent become harder to prove during cutover. That is why ingress changes should be treated as policy migrations with blast-radius management, not as a simple controller replacement.
Teams that already struggle to inventory service accounts and secrets tend to see the same pattern here: the control plane may change faster than the organisation can map what depends on it. That makes discovery, rollback, and auditability the real migration work.
Key questions
Q: How should teams migrate ingress-nginx without breaking access policies?
A: Treat the migration as a policy translation exercise. First, inventory every annotation, snippet, and custom extension that affects access, routing, or identity propagation. Then validate those behaviours in parallel with the new controller before cutover. The goal is to preserve access intent, not merely reproduce traffic flow.
Q: Why do ingress controller changes create security risk in Kubernetes?
A: Because the same manifest can mean different things in different controllers. When auth logic, rewrites, or timeouts live in controller-specific fields, behaviour can drift even if the deployment succeeds. That makes access review, audit, and rollback harder unless teams map the hidden policy surface in advance.
Q: What breaks when controller-specific ingress configuration is not inventoried?
A: Teams discover dependencies only during cutover, when DNS, load balancers, and upstream assumptions start to fail together. Without a full inventory, rollback becomes guesswork and route behaviour can change unexpectedly. This is how a routine migration turns into an avoidable incident.
Q: How do you know an ingress migration is actually safe?
A: A migration is safe when the old and new paths behave the same for routing, identity propagation, observability, and rollback. If the team can prove who can reach each endpoint before and after the change, and can fail back without ambiguity, the migration is operationally defensible.
Technical breakdown
Controller-specific annotations create policy drift
Ingress-nginx migrations often fail because the practical behaviour of a route is not captured in the core Ingress object. Teams push timeouts, rewrites, auth logic, buffering, and rate limiting into annotations or snippets, which means the controller becomes part of the security policy. When another controller interprets those same fields differently, the route can still deploy cleanly while behaving differently under load or during authentication. The problem is not feature absence alone. It is semantic drift between controllers, where the same label no longer guarantees the same access outcome.
Practical implication: Audit every annotation and snippet as policy, not configuration, before switching controllers.
Identity propagation must remain consistent across the data path
Ingress controllers do more than forward traffic. They frequently pass identity context to upstream services, and that identity chain is part of the trust model for application access decisions. If the controller change alters which headers are set, when they are injected, or how upstream TLS is handled, downstream services may lose the identity signals they rely on. That can break logging, policy enforcement, and application-level authorisation even if the front door still works. Identity-aware ingress is therefore a trust-chain problem, not just an L7 routing problem.
Practical implication: Verify identity header handling and upstream trust behaviour in the new controller before any cutover.
Cutover mechanics are where hidden dependencies surface
Controller migration is usually where load balancer changes, DNS updates, parallel run, and rollback planning become visible. The risk is not only downtime. It is that dependencies spread across many Ingress objects are not discovered until the old path is already half retired. At that point, rollback is harder because the old and new control planes may not be functionally equivalent. Safer migrations use coexistence and staged service-by-service changes so the organisation can prove behaviour before removing the old path.
Practical implication: Run the old and new controllers in parallel long enough to validate routing, identity flow, and rollback behaviour.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Ingress migrations expose identity governance debt, not just controller complexity. The article describes a common enterprise pattern: control intent scattered across annotations, snippets, and extensions that are easy to forget during change. That is the same governance debt seen in service-account sprawl and secret leakage, where the system still functions while accountability becomes opaque. Practitioners should treat the migration as a governance inventory exercise, not an infrastructure swap.
Controller-specific config creep is a named governance failure mode. Once the security logic lives outside the core spec, the organisation no longer has one portable definition of access. The same route can mean different things across controllers, which undermines reviewability and change assurance. The practical conclusion is that portable policy must be separated from controller quirks before the cutover begins.
Identity-aware ingress is a control-plane boundary, not a convenience layer. When ingress forwards identity context, it becomes part of how downstream services decide trust. That means a migration can change authorisation semantics even when network connectivity looks intact. Teams should regard the ingress path as an access policy surface that needs explicit governance and testing.
Blast-radius visibility is the real prerequisite for safe migration. The article correctly points to distributed usage patterns as the source of surprise during cutover. In NHI terms, this mirrors the difference between knowing a control exists and knowing where it is actually consumed. The practitioner takeaway is that migration readiness depends on full dependency mapping, not on feature parity alone.
Access intent must stay auditable through the migration window. If the organisation cannot answer who can reach what before, during, and after the controller change, the migration is already under-governed. That is why the change record, the route policy, and the runtime path all need to align. Practitioners should insist on that alignment as the definition of a successful cutover.
From our research:
- Only 5.7% of organisations have full visibility into their service accounts, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- When migration work touches access policy and secret handling, the Ultimate Guide to NHIs is the right reference point for lifecycle, visibility, and rotation.
What this signals
Controller migration is becoming an identity programme issue, not only a platform upgrade. As more access decisions move into ingress policy and identity-aware routing, teams will need to map route-level intent with the same discipline they apply to privileged access. The organisations most exposed are the ones that cannot yet see service-account and secret dependencies clearly enough to translate them safely.
Identity blast radius is the concept to watch. Ingress changes are easier to manage when teams can prove which services, headers, and upstream trust relationships are affected by a controller swap. Where that map is missing, the organisation is forced to discover access dependencies during cutover, which is the least forgiving point in any migration.
Teams preparing for controller consolidation should align migration controls to the NIST Cybersecurity Framework 2.0 functions for identify, protect, detect, respond, and recover. That gives the programme a shared language for inventory, validation, and rollback rather than relying on one-off platform knowledge.
For practitioners
- Map controller-specific policy before changing ingress classes Inventory every annotation, snippet, and custom extension that affects auth, rewrites, timeouts, buffering, or rate limits. Treat each one as policy logic that must be translated or retired, not as harmless metadata.
- Validate identity propagation end to end Test the exact headers, upstream TLS settings, and service trust assumptions that applications use for access decisions. Compare old and new controller behaviour in a staging path before production cutover.
- Run parallel ingress paths with rollback proven Keep both controllers active under distinct ingress classes long enough to confirm routing, observability, and failback. Do not retire the original path until the new path has been exercised under normal and failure conditions.
- Build a dependency map around every exposed route Document which services, teams, and external dependencies consume each ingress object so surprises do not appear during DNS or load balancer changes. This is the practical way to reduce cutover blast radius.
Key takeaways
- Ingress-nginx migration pain is usually policy drift disguised as infrastructure change.
- Hidden annotations, identity propagation, and rollback planning determine whether the cutover is safe.
- Teams that cannot inventory dependencies and access intent before the switch are already behind the curve.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-01 | Ingress policies and secrets handling affect NHI visibility and governance. |
| NIST CSF 2.0 | PR.AC-4 | Ingress access decisions and identity propagation sit within access management. |
| NIST Zero Trust (SP 800-207) | AC-4 | Identity-aware ingress aligns with continuous verification at the application edge. |
Treat ingress controllers as enforcement points and test policy continuity across the new path.
Key terms
- Ingress controller: A Kubernetes component that manages how external traffic reaches services inside the cluster. In practice, it often carries policy logic through annotations and extensions, so a controller change can alter both routing and access behaviour, not just network entry points.
- Controller-specific config creep: The accumulation of non-portable behaviour in annotations, snippets, and custom controller features. It matters because the effective policy no longer lives in the portable spec, which makes migration, review, and audit harder when the environment changes.
- Identity propagation: The passing of user or workload identity context from the ingress layer to upstream applications. When done consistently, it supports authorisation and logging. When it drifts, downstream services may make decisions on incomplete or inconsistent trust signals.
- Blast radius: The amount of application behaviour or trust exposure affected by a change. For ingress migrations, blast radius is not only about downtime. It also includes identity loss, routing surprises, and hidden dependencies that emerge during cutover.
Deepen your knowledge
Ingress controller migration, access policy translation, and identity-aware routing are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are trying to govern infrastructure changes that affect access semantics, it is worth exploring.
This post draws on content published by Pomerium: Top Ingress NGINX Controller Migration Pain Points. Read the original.
Published by the NHIMG editorial team on 2026-03-05.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
