TL;DR: Kubernetes ingress controllers increasingly determine whether access is governed by network path alone or by user identity and context, according to Pomerium’s comparison of seven options for 2025. The security choice is no longer just routing performance, but whether ingress becomes part of a zero-trust access model that IAM teams can actually enforce.
NHIMG editorial — based on content published by Pomerium: 7 Best Ingress Controllers for Kubernetes for 2025
By the numbers:
- NHIs outnumber human identities by 25x to 50x in modern enterprises.
- Only 5.7% of organisations have full visibility into their service accounts.
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
Questions worth separating out
Q: How should teams choose a Kubernetes ingress controller for identity-based access?
A: Start with the access model, not the routing feature list.
Q: Why do zero-trust programmes depend on ingress policy in Kubernetes?
A: Because ingress is often the first place a request can be authenticated and authorised before reaching internal services.
Q: What breaks when Kubernetes ingress is treated as a networking-only control?
A: Security teams lose the ability to enforce access by identity and context at the point where external requests enter the cluster.
Practitioner guidance
- Define ingress as an access control boundary: Document which applications require identity-aware admission at the Kubernetes edge, and separate those from services that only need basic routing.
- Map ingress policy to trust boundaries: For regulated or sensitive services, require explicit policy decisions at Layer 7, including authentication, context checks, and encrypted transport.
- Review identity provider dependencies early: If ingress depends on external identity providers, confirm session handling, policy fail-closed behaviour, and operational ownership before rollout.
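The three guidance points above describe one decision sequence at the edge: classify each route as routing-only or identity-aware, require encrypted transport, verify identity and context at Layer 7, and fail closed when the identity provider cannot answer. The following is an added illustration written for this summary, not code from Pomerium or any ingress controller; the route table, session tokens, e-mail domains and the `verify_identity` stand-in are all constructed assumptions standing in for a real identity provider lookup.

```python
"""Toy model of an identity-aware ingress decision point.

Added example for this editorial; not Pomerium's code. Every route, token,
domain and helper name here is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Route:
    host: str
    identity_aware: bool                  # True: the edge must see a verified identity
    allowed_domains: Tuple[str, ...] = ()  # context check: which IdP domains may reach it
    require_tls: bool = True               # encrypted transport is part of the L7 decision


@dataclass
class Request:
    host: str
    tls: bool
    session_token: Optional[str]           # opaque session presented by the client, if any


@dataclass
class Decision:
    allow: bool
    reason: str


class IdentityProviderUnavailable(Exception):
    """Models the external identity provider being unreachable."""


# Constructed stand-in for the identity provider: maps a session token to the
# verified e-mail it represents. A real edge would verify a signed token or
# call the IdP; here an outage is simulated with the idp_up flag.
SESSIONS = {
    "tok-alice": "alice@corp.example",
    "tok-mallory": "mallory@other.example",
}


def verify_identity(token: str, idp_up: bool = True) -> Optional[str]:
    if not idp_up:
        raise IdentityProviderUnavailable("identity provider unreachable")
    return SESSIONS.get(token)


# Constructed route table: one routing-only service, one identity-aware service.
ROUTES = {
    "public.example": Route("public.example", identity_aware=False),
    "payroll.example": Route("payroll.example", identity_aware=True,
                             allowed_domains=("corp.example",)),
}


def decide(req: Request, routes=ROUTES, idp_up: bool = True) -> Decision:
    """Layer-7 admission decision for one request at the cluster edge."""
    route = routes.get(req.host)
    if route is None:
        return Decision(False, "no route for host")            # unknown hosts are denied
    if route.require_tls and not req.tls:
        return Decision(False, "plaintext transport rejected")
    if not route.identity_aware:
        return Decision(True, "routing-only service")           # network path alone suffices
    if req.session_token is None:
        return Decision(False, "unauthenticated")
    try:
        identity = verify_identity(req.session_token, idp_up)
    except IdentityProviderUnavailable as exc:
        # Fail closed: an IdP outage must not widen access to a sensitive service.
        return Decision(False, f"fail closed: {exc}")
    if identity is None:
        return Decision(False, "unknown session")
    domain = identity.rsplit("@", 1)[-1]
    if domain not in route.allowed_domains:
        return Decision(False, f"{domain} not permitted for {route.host}")
    return Decision(True, f"{identity} admitted to {route.host}")


if __name__ == "__main__":
    samples = [
        (Request("public.example", True, None), True),
        (Request("payroll.example", True, None), True),
        (Request("payroll.example", False, "tok-alice"), True),
        (Request("payroll.example", True, "tok-alice"), True),
        (Request("payroll.example", True, "tok-mallory"), True),
        (Request("payroll.example", True, "tok-alice"), False),   # IdP outage
    ]
    for req, idp_up in samples:
        d = decide(req, idp_up=idp_up)
        print(f"{req.host:16} tls={req.tls!s:5} token={req.session_token!s:12} "
              f"-> {'ALLOW' if d.allow else 'DENY '} ({d.reason})")
```

The point of the model is the ordering: transport and route classification are checked before any identity lookup, and the identity lookup denies by default on every failure path (no token, unknown session, wrong domain, provider outage). Whichever controller a team chooses, those are the behaviours to confirm before rollout.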
What's in the full article
Pomerium's full blog post covers the practical comparison details this analysis intentionally leaves at the strategic level:
- The feature-by-feature breakdown of each Kubernetes ingress controller, including routing, SSL handling, and observability trade-offs.
- The article’s commentary on which controllers fit stable, dynamic, high-performance, or service-mesh environments.
- The specific security-oriented rationale behind Pomerium’s identity-aware access model compared with other ingress options.
- The deployment notes and use-case guidance that help teams move from shortlisting to implementation.
👉 Read Pomerium’s comparison of seven Kubernetes ingress controllers →