Hardening the Kubernetes Edge
Security belongs at the cluster boundary, not bolted on later.
With the community ingress-nginx project reaching end of life in 2026, the move to the F5 NGINX Ingress Controller is also a chance to push security to the edge of the cluster. I like terminating mTLS at ingress, validating OIDC or JWT per route, enforcing per-client rate limits, and running NGINX App Protect WAF inline as the ingress data plane. Requests get authenticated and inspected before they ever reach a pod.
Operational wins
Canary and blue-green shifts become annotation changes rather than redeploys. VirtualServer and VirtualServerRoute custom resources give platform teams a clean, reviewable API for routing, so ingress stops being a wall of raw config.
Where AI helps
The forward-looking version generates baseline policy from observed traffic, detects anomalies on east-west flows, and auto-tunes rate limits to the real shape of demand. The engineer sets intent and reviews; the system drafts the config.