Kubernetes networking is evolving quickly, and with it, the way security integrations are deployed. One change currently affecting many users is the announced deprecation of Ingress-NGINX. Because a large portion of Kubernetes deployments rely on it today, we want to clarify how CrowdSec support will evolve and what users can expect.
Supporting Ingress-NGINX during its final lifecycle
CrowdSec currently integrates with Ingress-NGINX through a dedicated image that embeds CrowdSec remediation capabilities. This integration will remain available for the last supported versions of Ingress-NGINX.
First, we need to underline that CrowdSec requires a dedicated image. CrowdSec remediation in Ingress-NGINX relies on Lua to execute the blocking logic. Lua support was removed from the official Ingress-NGINX image, which means CrowdSec cannot run on the upstream image anymore. As a result, the CrowdSec integration requires an alternate image that restores the Lua capability needed by the remediation engine. This extended support should be viewed as a transitional measure, providing ample time for a smooth migration to more future-proof and robust architectures.
For users evaluating alternatives today, it is also worth noting that CrowdSec already supports Traefik and HAProxy as ingress controllers.
While third parties sometimes provide support for this in an open-source capacity, we remain fully committed to the CrowdSec components and features, ensuring their continued support and the introduction of new functionality over time. We also maintain and develop documentation for the tools used by the community.
The shift from Ingress-NGINX to Gateway API in Kubernetes
The Kubernetes shift toward Gateway API beyond the lifecycle of Ingress-NGINX, Kubernetes itself is signalling a broader shift in how north-south traffic should be handled.
The Kubernetes ecosystem is increasingly converging around the Gateway API specification. This specification introduces the Gateway API as a more flexible and extensible way to manage traffic entering a cluster.
Several implementations of the Gateway API specification already exist, and a number of them are built on technologies that already support CrowdSec remediation mechanisms. Because of this, we see the Gateway API ecosystem as a natural evolution path for CrowdSec users running Kubernetes clusters. Today, solutions such as Traefik, HAProxy, and Envoy can already operate with CrowdSec remediation, meaning that when they are used as Gateway API implementations. They can immediately benefit from CrowdSec to help secure infrastructure.
We are committed to supporting both established and emerging API gateway solutions with meaningful adoption. Traefik and HAProxy are strong examples of this today, and multiple Envoy-based community implementations are also evolving in this space. We closely monitor these projects as they mature toward production readiness, so that CrowdSec users can rely on them with confidence.
Next Steps for Kubernetes: Transitioning to Gateway API with CrowdSec
Our goal is to help users navigate this transition as smoothly as possible.
Several Gateway API integrations already exist, many of them developed by the community. When the underlying technology supports CrowdSec remediation, as is the case with Traefik, integration is straightforward. Our focus is now on validating these solutions and providing the necessary testing and documentation so they can be easily adopted and reliably used by the community.
In parallel, we are committed to producing documentation that will guide users through the transition from traditional ingress controllers to API Gateway-based architectures.
This will include practical migration guidance, configuration examples, and recommendations on which Gateway implementations work well with CrowdSec.
Looking forward
Ingress controllers played a key role in the Kubernetes ecosystem for many years, but the landscape is evolving. As Kubernetes provides a new Gateway API, users can run CrowdSec alongside it.
In the meantime, users relying on Ingress-NGINX can continue using CrowdSec remediation with the latest supported versions. However, teams planning new deployments or long-term architectures are encouraged to start considering alternatives, such as adopting the Gateway API or using another supported ingress controller, since Ingress-NGINX is the only controller being gradually phased out.
We are closely monitoring the Gateway API ecosystem and its evolution. Our goal is to support solutions with a strong, growing user base, ensuring that CrowdSec integrates where it can deliver the most value.
