Actually, I should clarify – I woke up last Tuesday to a Slack channel that looked like a crime scene. Our staging clusters were throwing 503s, the on-call engineer was hyperventilating, and the logs were screaming about invalid annotations. But let’s be honest: half the production Kubernetes clusters in the world run on duct tape and nginx.ingress.kubernetes.io/configuration-snippet. It was the only way to inject those weird little headers, handle complex redirects, or patch specific CORS issues without writing a full-blown custom controller.
Gone. Poof. Just like that.
I get it. The maintainers aren’t doing this to be mean. They’re tired of CVEs. But when you deploy the update and your custom authentication flow breaks because it relied on a three-line Lua script injected via annotation, “security best practices” is not the first phrase that comes to mind.
Option 1: The Gateway API (The “Adult” Solution)
This is where they want us to go. And it’s verbose. It’s YAML-heavy. But it works, and it’s standard. I tested this on our Kubernetes 1.32 cluster running the latest Gateway API controller, and the latency difference was negligible. Actually, because it’s native config rather than injected Lua, I saw a tiny drop in CPU usage on the controller pods—about 4%.
Option 2: The Plugin System (For the desperate)
If you absolutely cannot move to Gateway API—maybe you have logic so twisted that standard filters can’t touch it—you have to look at Nginx plugins. But the documentation is… sparse. Basically, you can mount a ConfigMap containing Lua code into the controller and reference it. It’s safer because the code is static and reviewed, not injected dynamically via annotations on every Ingress object.
Pro tip: If you go this route, pin your controller image. Do not use latest. I accidentally pulled a nightly build while testing plugins and broke SSL termination for twenty minutes. My heart rate still hasn’t recovered.
The “Wait and See” Trap
But I checked the CVE database this morning. There are already two medium-severity vulnerabilities in the older versions related to HTTP/3 handling. By staying behind, you’re trading one security risk for another. Plus, Kubernetes 1.33 is dropping support for the API versions that the old controller relies on later this year. You’re painting yourself into a corner.
Is It Time to Jump Ship?
But here is the thing: Nginx is still the devil I know. I can debug an nginx.conf in my sleep. Moving to a completely different data plane because of a config format change feels like burning down the house to kill a spider.
If you haven’t audited your ingress annotations yet, do it today. Run this command on your cluster:
kubectl get ingress -A -o json | jq '.items[].metadata.annotations | keys[]' | grep snippetIf that returns anything, you have work to do. Better to fix it now than wake up to a 503 error next Tuesday. And if you need help with that, check out our guide on setting up NFS on Ubuntu – it might come in handy.
