← Back to home

Hardening the Kubernetes Edge

Security belongs at the cluster boundary, not bolted on later.

NGINX Ingress Controller · Kubernetes

With the community ingress-nginx project reaching end of life in 2026, the move to the F5 NGINX Ingress Controller is also a chance to push security to the edge of the cluster. I like terminating mTLS at ingress, validating OIDC or JWT per route, enforcing per-client rate limits, and running NGINX App Protect WAF inline as the ingress data plane. Requests get authenticated and inspected before they ever reach a pod.

Operational wins

Canary and blue-green shifts become annotation changes rather than redeploys. VirtualServer and VirtualServerRoute custom resources give platform teams a clean, reviewable API for routing, so ingress stops being a wall of raw config.

Where AI helps

The forward-looking version generates baseline policy from observed traffic, detects anomalies on east-west flows, and auto-tunes rate limits to the real shape of demand. The engineer sets intent and reviews; the system drafts the config.