Traefik Labs

Saying goodbye to ingress-nginx is not easy. For years, the common Kubernetes traffic model was: Service → Ingress → NGINX controller → application It was simple, familiar, and it worked. But now that nginx reached retirement in March 2026, it is worth understanding the model many teams are moving toward: Gateway API. First important point: Gateway API is not the controller. Gateway API is the standard/spec. It gives Kubernetes resource types like GatewayClass, Gateway, HTTPRoute, TCPRoute, and TLSRoute. By itself, it does not route traffic. It is like installing the interface. GatewayClass: The cluster-level “which controller should handle this?” object. It is cluster-scoped and points to an implementation like NGINX Gateway Fabric, Traefik, Envoy Gateway, Istio, Azure ALB for Containers, or another cloud-managed controller. Gateway: The actual frontend created from a GatewayClass. This is where traffic enters the cluster. It references the class through gatewayClassName. Listener: The open door on that Gateway. Think HTTP/80, HTTPS/443, hostname, and TLS settings. HTTPRoute: The application rule that connects traffic from the Gateway to a Kubernetes Service. For TLS, the certificate Secret is usually referenced by the Gateway listener and stored in the same namespace as the Gateway. The HTTPRoute does not normally reference the certificate; it only routes traffic to the backend Service. That separation is the big improvement. With ingress-nginx, many teams depended on one controller-specific model. IngressNightmare showed why that layer matters: the traffic controller is not just routing requests; it is part of the cluster security boundary. With Gateway API, the API becomes more standard and the controller becomes more replaceable. K3s for example works out of the box with Traefik Labs for Ingress, and can also use Traefik as a Gateway API controller when you enable that model. AKS can use NGINX Gateway Fabric, Traefik, Envoy Gateway, Istio, Azure ALB for Containers, or another managed implementation depending on the platform design. Same API model. Different implementations. Simple mental model: ClusterIP = internal service only. LoadBalancer = one external cloud load balancer per service. Useful, but costly/noisy if every app gets one. Ingress = one controller, many HTTP routes. Gateway API = shared gateways, app-owned routes, cleaner delegation. Ingress made Kubernetes traffic practical. Gateway API makes it easier to delegate, standardize, and swap implementations without changing the whole mental model. #kubernetes #k8s #gatewayapi #nginxgatewayfabric #nginx #ingress #k3s

Another memory vulnerability just hit ingress NGINX. The only real option here is to shrink or eliminate your attack surface. Traefik is the only memory-safe (written in Go) and drop-in OSS replacement for ingress NGINX. This recent vulnerability made the switch a no-brainer and a priority. IMHO, every CISO should be prioritizing this AND getting ahead of the next vulnerability that hits.

🚨 CRITICAL: NGINX Rift (CVE-2026-42945) is here, and ingress-nginx users are sitting ducks. Disclosed yesterday: an 18-year-old heap buffer overflow in NGINX's rewrite module. CVSS 9.2. Unauthenticated RCE. Public PoC already on GitHub. Fixed in NGINX 1.31.1 / 1.30.1. And there is a catch for Kubernetes teams 👇 ingress-nginx still bundles NGINX 1.27.1. And as the project was archived on March 24, 2026, no fix is coming. No patch. No security update. Ever. If you're running ingress-nginx in production right now, you have an unauthenticated RCE in front of your cluster and no upstream maintainer to ship a fix. The good news: Traefik Proxy 3.7 "Langres" just shipped, and it's the only drop-in replacement on the market. ✅ 85+ ingress-nginx annotations natively supported (the highest coverage of any alternative) ✅ 90%+ of real-world annotation usage covered, prioritized from anonymized production telemetry ✅ Partial support for configuration-snippet, server-snippet, auth-snippet ✅ Keep your existing Ingress manifests. No YAML rewrite. No annotation conversion. ✅ ModSecurity support to preserve WAF behavior through the migration ✅ Full Gateway API v1.5 support on the same cluster, same instance And as a side note: Traefik is written in Go, so the entire class of memory safety bugs that produced NGINX Rift is simply impossible to express in the language. That's where critical infrastructure components need to go in 2026. ⏱️ The clock is not ticking. It already ran out. CVE: https://lnkd.in/d6jtubze Traefik 3.7 announcement: https://lnkd.in/dGhf2-4u #Kubernetes #DevSecOps #CVE #Traefik #IngressNginx #CloudNative

Most Ingress NGINX migrations don't fail at the cutover. They fail in the two seconds between "we need to migrate" and "let's just start moving things." Teams freeze because the scope feels unknowable. Or they rush to uninstall NGINX, install Traefik, same IngressClass, same LoadBalancer IP, and turn a routing change into an all-hands incident. There's a structural reason this keeps happening: the complexity in a typical cluster isn't visible until you look for it. And most teams don't look until they're already mid-migration. Here's what a disciplined approach actually looks like: **The Audit Comes First Before You Install Anything** The open-source ingress-nginx-migration CLI connects to your live cluster (read-only access only) and classifies every Ingress into four buckets: Vanilla, Supported, Unsupported, and Invalid. Vanilla and Supported resources migrate as-is. Unsupported ones get flagged by annotation name and frequency, so you can tell immediately whether you're dealing with an edge case or a load-bearing pattern. It also surfaces the minimum Traefik version required for each annotation, which is critical for sequencing the install. The ConfigMap is the other surface teams routinely miss. proxy-body-size, ssl-ciphers, hsts-max-age, use-proxy-protocol—none of these appear on Ingress resources. All of them affect production behavior. The audit step covers both: Ingress annotations and ConfigMap translation, before a single route moves. **Then Install Traefik Alongside Ingress NGINX** Once the audit is done, Traefik installs alongside Ingress NGINX in its own namespace, watching a new dedicated IngressClass (traefik-nginx). Existing Ingress resources keep their nginx class. They keep flowing through Ingress NGINX, untouched. ConfigMap-derived settings (e.g., timeouts, body sizes, TLS policy) translate into Traefik's static configuration and CRDs. For example, ssl-protocols and ssl-ciphers move into a TLSOption resource named default, which Traefik applies cluster-wide unless overridden per route. HSTS settings become a Headers middleware attached to an entryPoint. PROXY protocol becomes an entryPoint setting. Each concern goes to the right surface, rather than a single monolithic ConfigMap. Validation happens against duplicated test Ingresses pointed at the new IngressClass — same annotations, test host, curl through kubectl port-forward. If the headers land correctly there, they'll land correctly in production. So when you cutover, the result is a migration that's boring by design. No big-bang. No frozen weekend. The third post (not yet published) covers moving resources one at a time. Each Ingress is its own atomic decision, with rollback as simple as flipping the IngressClass back. Lear more here: - Part 1 (Audit): https://bit.ly/4uOX6Qt - Part 2 (Install): https://bit.ly/49toCe4 - Part 3 (Cutover): Coming soon.

At @apidays NYC? Come over to Booth 19 to see how Traefik can unify routing, security, observability, and more for your VMs, containers, and AI.

Modern enterprise defense is built in functional layers. Here are all seven layers you need to consider: 1️⃣ Identity and Access Fabric Establish and enforce who (or what) is acting, what they are authorized to do, and under what conditions. This is the foundation on which every other layer stands. 2️⃣ Perimeter and Edge Reduce the volume and class of traffic that reaches internal systems. Establish the first boundary of trust in network terms. 3️⃣ Traffic Governance Plane Enforce fine-grained policy on every request, call, and action that traverses the environment. This is the layer at which deterministic prevention produces its greatest leverage. 4️⃣ Application and Supply Chain Integrity Ensure that the code, dependencies, and artifacts running in the environment are trusted by construction, not by hope. 5️⃣ Workload Runtime Protection Detect and contain attacks that have bypassed preventive controls and are operating within the environment. 6️⃣ Data Protection Protect data at rest, in transit, and in use, and prevent its unauthorized egress. 7️⃣ Security Operations and Response Correlate signals across layers, detect what individual layers cannot see in isolation, and respond at machine speed. To explore each of these layers in depth, as well as a blueprint for putting them into action, read our blog post here https://bit.ly/4tYEQE6

While everyone is rushing to build AI, very few teams are thinking about how to 𝗴𝗼𝘃𝗲𝗿𝗻 𝗶𝘁 𝗮𝘁 𝗿𝘂𝗻𝘁𝗶𝗺𝗲. That’s where most teams are going to struggle because moving from prototype → production introduces a lot of unforeseen challenges: • Security risks • Unpredictable behavior • Lack of visibility and control And most existing approaches weren’t designed for this. At Traefik Labs, we’ve been looking closely at what changes when AI systems move into workflows. We put together a report that breaks it down: • The challenges of governing AI (and the risks if you don’t) • The 𝟕 𝗰𝗼𝗿𝗲 𝗽𝗿𝗶𝗻𝗰𝗶𝗽𝗹𝗲𝘀 for controlling and scaling AI applications • How to implement them with Traefik’s AI & MCP gateway • How to transition from AI chatbots to more advanced AI systems • Advanced routing strategies and real-world use cases And more. If you’re working on a demo, this report will give you a considerable head start as you move into production. Comment “𝗔𝗜” and I’ll send you the report.

🎉 Traefik Proxy v3.7 and Traefik Hub v3.20 are GA! 🎉 Links to all the details below: 📣 Press Release: https://bwnews.pr/48FM47G 🔍 Traefik Proxy v3.7 Deep Dive: https://bit.ly/4tXY1hy 🗺️ Ingress NGINX Migration Guide (Part 1 of 3): https://bit.ly/4wkKNx4

🎉 Traefik Proxy 3.7 GA and Traefik Hub 3.20 GA are both out as of this morning, and this is one of the most ambitious and coordinated release we have ever shipped. I could not be prouder of what the team pulled off. Platform teams are being asked to solve three runtime problems in parallel: migrate off retired ingress, govern an exploding API surface across clusters, and put guardrails around LLM and agent traffic. The default path is three different gateways, three different policy engines, three different operational stories. That is not a strategy. That is gateway sprawl. This release is built around the opposite premise. One runtime. Three gates. A few specifics worth calling out: 1️⃣ Ingress NGINX replacement is GA. 85 supported annotations, 90%+ coverage. The annotation set was prioritized using anonymized telemetry from real production migrations, because real estates are not blocked by the happy path. They are blocked by the long tail. ModSecurity support is included so WAF parity is not a post-migration project. 2️⃣ Multi-cluster API federation. APIs are distributed across clusters; portals and governance should not be. Uplink resources and Multi-Cluster API Portals consolidate publishing and governance into a single pane. 3️⃣ FIPS 140-3 support, ahead of the September 2026 CMVP Historical List transition for new federal procurements. 4️⃣ Agent-aware AI controls. When a guardrail blocks a prompt and returns a hard HTTP 403, agents crash. Hub 3.20 returns refusals in the message format the client expects, so blocked requests become normal agent control flow rather than an exception path. The Triple Gate Pattern (API, AI, MCP) on a single runtime is the entire point. Today is what that thesis looks like in production. 👏👏 Huge kudos to the engineering, product, and support teams who shipped Ingress NGINX migration coverage, multi-cluster federation, FIPS validation, and agent-aware AI controls in a single coordinated release. This is what extreme ownership looks like in practice. Thank you. 👏👏 To the Traefik Proxy open source community: the 90%+ annotation coverage in 3.7 exists because operators ran the open source migration tool against their real estates and let the telemetry come back. Maintainers, contributors, issue reporters, and the platform teams running Traefik in production every day are why this release looks the way it does. 3.4 billion downloads is not a number we put up. It is a number you put up. Thank you. 🙏🙏 Press Release: https://lnkd.in/dYt6NH9Q Traefik Proxy 3.7 blog: https://lnkd.in/dUTkidmE Ingress NGNIX Migration Guide (1 of 3): https://lnkd.in/dpM8rJHw CISO's 7-Layer Cake Blog: https://lnkd.in/dSn-_pzS