
Ingress-nginx replacement for Kubernetes access: what changes now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 4368
Topic starter  

TL;DR: Ingress-NGINX is still effective at routing and TLS, but it was never designed to enforce identity-based access control for internal Kubernetes services, according to Pomerium. The operational shift is from network trust to policy-driven authorization, where every request is evaluated in context rather than admitted by perimeter assumptions.

NHIMG editorial — based on content published by Pomerium: Replacing ingress-nginx with a modern approach to secure Kubernetes access

Questions worth separating out

Q: How should teams govern internal Kubernetes access without relying on ingress-nginx alone?

A: Teams should keep ingress-nginx focused on traffic routing and move authorization to an identity-aware control point in front of internal services.

Q: Why do internal Kubernetes services need identity-based access control?

A: Internal services are often reached by a mix of employees, contractors, automation, and non-human identities, so network location no longer tells you enough about trust.

Q: What breaks when access policy is scattered across apps and ingress rules?

A: Policy fragmentation creates inconsistent decisions, brittle configuration, and duplicated security logic.

Practitioner guidance

  • Separate routing from authorization: Keep ingress-nginx for public traffic flow and place identity-aware policy enforcement in front of internal services so access decisions are not scattered across annotations, apps, and VPN rules.
  • Restrict internal services to the policy layer only: Ensure internal Kubernetes services are reachable only through the access proxy, so identity, context, and policy are evaluated before a request reaches a backend service.
  • Replace app-by-app auth with centralized policy: Remove duplicated authentication logic from individual services where possible and express access decisions once at the edge using claims, groups, and contextual policy.

What's in the full article

Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:

  • The exact ingress annotation changes shown in the migration example from ingress-nginx to Pomerium.
  • The hybrid deployment pattern that keeps ingress-nginx on public traffic while restricting internal services to the access proxy.
  • The practical policy language considerations for teams replacing VPN-based access with centralized identity-aware enforcement.
  • The product context for Pomerium Zero for teams that want a managed GUI option.

👉 Read Pomerium's analysis of replacing ingress-nginx for secure Kubernetes access →
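As an added illustration of the hybrid pattern in the practitioner guidance above (an editorial example written for this post, not manifests taken from Pomerium's article): first a Kubernetes NetworkPolicy that makes an internal service reachable only from the access proxy's pods, then a route with a group-based allow rule in Pomerium's config-file format. The namespace names, pod labels, hostnames, port and the `finance` group are assumed placeholders; the Pomerium `routes`/`policy` keys follow Pomerium's documented policy language as I understand it and should be checked against the current docs before use.

```yaml
# Added example for this post (not Pomerium's own manifests).
# Assumptions: the internal app runs as pods labelled app=reports in namespace
# "internal" on TCP 8080; the access proxy runs in namespace "pomerium" with
# pods labelled app.kubernetes.io/name=pomerium; the IdP issues a "groups" claim.

# 1) Network layer: the internal service accepts traffic only from the proxy.
#    Everything else in the cluster (other namespaces, stray pods, a
#    misconfigured ingress-nginx path) is denied at the pod boundary.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: reports-only-via-access-proxy
  namespace: internal
spec:
  podSelector:
    matchLabels:
      app: reports
  policyTypes:
    - Ingress            # no "ingress" rule other than the one below may match
  ingress:
    - from:
        # namespaceSelector AND podSelector in the same "from" entry: the peer
        # must be a proxy pod inside the proxy namespace. The
        # kubernetes.io/metadata.name label is set on every namespace
        # automatically (Kubernetes 1.21+), so no manual labelling is needed.
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: pomerium
          podSelector:
            matchLabels:
              app.kubernetes.io/name: pomerium
      ports:
        - protocol: TCP
          port: 8080
---
# 2) Policy layer: the access decision is written once, at the proxy, instead
#    of in each app or in ingress annotations. This is a fragment of the
#    Pomerium configuration file (not a Kubernetes resource); values are
#    placeholders. Per-route policy: every request to this route must carry an
#    identity from the example.com domain AND belong to the "finance" group.
routes:
  - from: https://reports.corp.example.com          # public name users hit
    to: http://reports.internal.svc.cluster.local:8080   # cluster-internal backend
    policy:
      - allow:
          and:
            - domain:
                is: example.com
            - groups:
                has: finance
```

Two checks worth running after applying this: NetworkPolicy objects are only enforced when the cluster's CNI implements them, so confirm from a pod in another namespace that a direct connection to `reports.internal.svc.cluster.local:8080` is refused; and confirm that a user outside the `finance` group receives a deny from the proxy before any request reaches the backend, which is the "evaluated before a request reaches a backend service" property the guidance describes.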

