TL;DR: Ingress-nginx migrations often fail on controller-specific annotations, hidden dependencies, and cutover mechanics, according to Pomerium. The real issue is not missing features but fragile access and routing assumptions that become visible only when identity, policy, and blast radius are translated into a new control plane.
NHIMG editorial — based on content published by Pomerium: Top Ingress NGINX Controller Migration Pain Points
By the numbers:
- Only 5.7% of organisations have full visibility into their service accounts.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
- 79% of organisations have experienced secrets leaks, with 77% of these incidents resulting in tangible damage.
Questions worth separating out
Q: How should teams migrate ingress-nginx without breaking access policies?
A: Treat the migration as a policy translation exercise.
Q: Why do ingress controller changes create security risk in Kubernetes?
A: Because the same manifest can mean different things in different controllers.
Q: What breaks when controller-specific ingress configuration is not inventoried?
A: Teams discover dependencies only during cutover, when DNS, load balancers, and upstream assumptions start to fail together.
Practitioner guidance
- Map controller-specific policy before changing ingress classes. Inventory every annotation, snippet, and custom extension that affects auth, rewrites, timeouts, buffering, or rate limits.
- Validate identity propagation end to end. Test the exact headers, upstream TLS settings, and service trust assumptions that applications use for access decisions.
- Run parallel ingress paths with rollback proven. Keep both controllers active under distinct ingress classes long enough to confirm routing, observability, and failback.
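The inventory step above, as an added Python example that is not from the NHIMG post or from Pomerium: it walks a kubectl-style Ingress list (a constructed sample is embedded) and groups every annotation under the ingress-nginx prefix by the policy area it touches, so nothing controller-specific is first discovered at cutover. The annotation names are real ingress-nginx ones; the keyword-to-category grouping and the sample values are assumptions.

```python
import json
from collections import defaultdict
# Prefix owned by ingress-nginx; other controllers ignore these annotations, so
# each one needs an explicit translation (or a decision to drop it) before cutover.
NGINX_PREFIX = "nginx.ingress.kubernetes.io/"
# Keyword -> policy area; first match wins. The grouping itself is an assumption.
CATEGORIES = {
    "snippet": "custom nginx config (no portable equivalent)",
    "auth": "authentication / identity propagation",
    "rewrite": "path rewrite",
    "timeout": "timeout",
    "buffer": "buffering",
    "limit": "rate limit",
    "ssl": "TLS settings",
}

def classify(annotation):
    """Return the policy area an ingress-nginx annotation name belongs to."""
    key = annotation[len(NGINX_PREFIX):]
    return next((area for kw, area in CATEGORIES.items() if kw in key),
                "other controller-specific")

def inventory(ingress_list):
    """Group controller-specific annotations per Ingress (namespace/name).
    Input is a parsed `kubectl get ingress -A -o json` style List object."""
    report = {}
    for item in ingress_list["items"]:
        meta = item["metadata"]
        found = defaultdict(list)
        for name, value in sorted((meta.get("annotations") or {}).items()):
            if name.startswith(NGINX_PREFIX):
                found[classify(name)].append(name)
            elif name == "kubernetes.io/ingress.class":  # legacy class selector
                found["legacy ingress class annotation"].append(f"{name}={value}")
        if found:
            report[f"{meta['namespace']}/{meta['name']}"] = dict(found)
    return report
# Constructed sample: one Ingress leaning on nginx-specific policy, one portable.
SAMPLE = json.loads("""{"items": [
 {"metadata": {"namespace": "payments", "name": "api", "annotations": {
   "nginx.ingress.kubernetes.io/auth-url": "https://sso.example.internal/verify",
   "nginx.ingress.kubernetes.io/auth-response-headers": "X-User",
   "nginx.ingress.kubernetes.io/configuration-snippet": "more_set_headers 'X-Env: prod';",
   "nginx.ingress.kubernetes.io/proxy-read-timeout": "120",
   "nginx.ingress.kubernetes.io/limit-rps": "50",
   "kubernetes.io/ingress.class": "nginx"}}},
 {"metadata": {"namespace": "web", "name": "static", "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt"}}}]}""")
if __name__ == "__main__":
    print(json.dumps(inventory(SAMPLE), indent=2))
```

Run it against a real `kubectl get ingress -A -o json` dump to get the per-Ingress translation checklist; the snippet category is the one with no portable equivalent and deserves review first.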
What's in the full article
Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:
- Side-by-side examples of ingress-nginx pain points and how they surface in real migrations
- Practical notes on running Pomerium alongside an existing ingress controller during coexistence
- Examples of how first-class policy and identity propagation change the migration model
- Operational guidance on where Pomerium fits when teams need access control more than proxy tuning
👉 Read Pomerium's analysis of ingress-nginx migration pain points →