Gardener

Appearance

April 29, 2026
By

Ingress NGINX Retirement: How Gardener Migrated to Istio ​

The Kubernetes community retired Ingress NGINX in March 2026. Gardener has completed a full migration of its core components away from Ingress NGINX to Istio's native API — using VirtualService and Gateway resources for all incoming traffic routing.

Background ​

Ingress NGINX was a critical component in Gardener's architecture, used to expose observability tools (Plutono, Prometheus, Alertmanager, Vali), the dashboard, and other services across garden, seed, and shoot control plane namespaces. With upstream support ending, continuing to rely on it meant accepting unpatched security vulnerabilities in a component handling authentication and TLS termination.

Migration Strategy ​

Gardener chose to migrate to Istio's native API (VirtualService, Gateway, EnvoyFilter) rather than the Kubernetes Gateway API. The reasoning:

  • Istio-native API is already used for exposing kube-apiserver in shoot control planes — operators can focus on a single API surface.
  • The Kubernetes Gateway API does not yet cover the full feature set required (e.g., external authorization filters still need Istio-native constructs).
  • Migration to Gateway API can be revisited later without time pressure.

What Changed ​

In Gardener v1.141, all core components have been migrated:

  • Garden runtime cluster — Alertmanager, Gardener Dashboard, discovery server, Plutono, Prometheus (garden + longterm), and Vali now use VirtualService resources.
  • Seed cluster — Plutono, Prometheus (aggregate), and Vali have been migrated.
  • Shoot control planes — Alertmanager, logging/Vali, OpenTelemetry collector, Plutono, and Prometheus all use native Istio exposure.

Basic authentication (previously handled by NGINX auth annotations) is now implemented via a dedicated external authorization server that integrates with Envoy's ext_authz filter.

The network policy controller in gardener-resource-manager was also extended: just as it previously auto-generated network policies for Ingress resources, it now does the same for VirtualService resources backed by a Gateway. See the documentation for further details.

What's Next ​

Ingress NGINX is still deployed in Gardener landscapes — some extensions still depend on it. Multiple Feature gates will allow landscape operators to disable Ingress NGINX in the garden runtime, seed or shoot clusters once all dependent components have migrated. The tracking issue (#13448) lists remaining work for extension migration.

For end users, the change is transparent. Observability endpoints are accessible exactly as before, with the same basic authentication flow — only the underlying routing has changed.

EU and German government funding logos

Funded by the European Union – NextGenerationEU.

The views and opinions expressed are solely those of the author(s) and do not necessarily reflect the views of the European Union or the European Commission. Neither the European Union nor the European Commission can be held responsible for them.

Copyright © Linux Foundation Europe.

Ingress NGINX Retirement: How Gardener Migrated to Istio | Gardener is a project of the Open Component Model Community. For applicable policies including privacy policy, terms of use and trademark usage guidelines, please see https://linuxfoundation.eu. Linux is a registered trademark of Linus Torvalds.

Building this site is powered by
Terms of Use|Privacy Statement|Legal Disclosure