Kubernetes Ingress NGINX Goes EOL in March 2026: The Canary in the Coal Mine

General
1

I need to talk about something that’s been keeping me up at night. Last week, the Kubernetes Ingress NGINX team announced they’re going EOL in March 2026 - less than a month from now. No more security patches. No more updates. Just… done.

This is running in production at my Fortune 500 financial services company right now. And at thousands of other companies. We’re talking about critical infrastructure that routes traffic for a massive chunk of the internet, maintained by volunteers who’ve reached their breaking point.

If this doesn’t wake us up to the OSS funding crisis, I don’t know what will.

The Scope of the Problem

Let me put this in perspective from where I sit in financial services:

  • We have 40+ microservices depending on Ingress NGINX
  • Replacing it will take 6-9 months and cost an estimated $3-4M (engineering time, testing, deployment)
  • Our regulators require us to maintain supported, patchable infrastructure
  • We’ve been using this FOR FREE for five years

And we’re not alone. External Secrets Operator, another critical Kubernetes tool, just froze all updates because four maintainers burned out, leaving only one active contributor. These aren’t edge cases. This is systemic collapse.

The Disconnect Is Stunning

Here’s what makes this absurd: My company generates billions in revenue annually. We depend on open source infrastructure that saves us millions in licensing costs. But until this crisis hit, we hadn’t contributed a single dollar to Kubernetes ecosystem projects.

Not one dollar.

We had a line item for Oracle licenses ($2M/year), for Microsoft licenses ($5M/year), for Salesforce ($3M/year). But for the open source tools that actually run our critical infrastructure? Zero.

The math is insane. We’re willing to pay millions to vendors who aggressively license their software, but we treat volunteer maintainers like an infinite free resource.

Why This Matters in Regulated Industries

In financial services, we can’t just YOLO it with unsupported software. We have:

  • SOX compliance requirements
  • PCI-DSS mandates
  • Federal banking regulations
  • Security audit requirements

All of these require that we run supported, patchable software with SLAs. When Ingress NGINX goes EOL, we’re technically non-compliant. We’ll have to either:

  1. Pay for commercial support (if someone offers it)
  2. Fork and maintain it ourselves (expensive and risky)
  3. Migrate to a commercial alternative (months of work)
  4. Accept the compliance risk (not really an option)

Every option is costly. And every option could have been avoided if we’d invested in sustainability from the start.

What Corporate Sponsorship Should Actually Look Like

I’ve spent the last three months pushing leadership on this, and here’s what I’m proposing internally:

Mandatory OSS Budget: 0.5% of our infrastructure spend allocated to OSS sponsorship. For us, that’s about $500K/year. Sounds like a lot? It’s less than we spend on coffee.

Dependency Mapping: Identify our top 50 critical dependencies and their maintainer health. Are they well-funded? Do they have multiple active maintainers? What’s their bus factor?

Tiered Support Model:

  • Tier 1 (Critical): $50K/year + dedicated engineering time
  • Tier 2 (Important): $10K/year + code contributions
  • Tier 3 (Used): $1K/year recognition

Long-term Commitments: Not one-time donations. Multi-year commitments so maintainers can plan.

The Hard Questions

But I’m wrestling with some tough questions:

  1. Who Decides? Do we sponsor based on what we use? What’s most at risk? What’s most critical to the ecosystem?

  2. How Do We Verify Impact? How do we know our money is actually helping vs. just disappearing into a maintainer’s personal finances? (Not that I blame them, but CFOs will ask)

  3. What About Competition? If my company sponsors a project, and our competitors use it for free, are we subsidizing their cost savings?

  4. What’s the Mechanism? Direct sponsorship? Open Collective? Commercial support contracts? Foundation membership?

This Isn’t Just About Money

Here’s what I keep coming back to: Money helps, but it’s not the complete solution. We also need:

  • Engineering Time: Letting our developers contribute back, not just take
  • Expertise Sharing: Providing security reviews, performance testing, compliance guidance
  • Advocacy: Using our voice to encourage other enterprises to invest
  • Patience: Understanding that OSS projects move differently than vendors

The Ingress NGINX situation should be a wake-up call. But I’m worried it won’t be. I’m worried companies will just quietly migrate to commercial alternatives and go back to treating OSS as free and infinite.

My Ask to This Community

For those of you at companies using OSS (which is everyone):

  • Do you have an OSS sponsorship budget? What does it look like?
  • How do you decide which projects to support?
  • Have you convinced leadership that this is worth investing in?

For maintainers:

  • What kind of corporate sponsorship is actually helpful?
  • What would have prevented burnout in projects like Ingress NGINX?

We’re at an inflection point. Billion-dollar companies are built on the unpaid labor of volunteers, and those volunteers are walking away. We can either invest in sustainability now, or we can pay 10x more to rebuild everything commercially later.

Which would you choose?

2

Luis, this is exactly the conversation we need to be having. And I want to share what we’re actually doing at my company because I think it’s proof that this is both feasible and valuable.

We Have a $500K/Year OSS Budget - Here’s How It Works

Six months ago, I pitched our CFO on exactly what you’re describing. The pitch was simple: “We’re running $50M worth of infrastructure on open source tools. If even 5% of them disappeared tomorrow, we’d be looking at millions in emergency replacement costs. Can we invest $500K to protect a $50M asset?”

She said yes in about 10 minutes.

Here’s our actual breakdown:

Direct Project Sponsorships: $240K/year

  • 12 critical dependencies at $20K/year each
  • We pick based on: dependency depth, maintainer health, and strategic importance
  • These are 2-year commitments with annual reviews

Foundation Memberships: $100K/year

  • CNCF, Python Software Foundation, Apache, Linux Foundation
  • Gets us a seat at the table and helps sustain the broader ecosystem

Engineering Time: $120K/year (equivalent cost)

  • 20% time policy for engineers to maintain OSS projects we depend on
  • That’s roughly 3 FTEs worth of time distributed across our 60-person team
  • Includes code contributions, security reviews, and issue triage

Emergency Fund: $40K/year

  • For projects that suddenly need help (like Ingress NGINX)
  • Fast approval process - engineering directors can allocate up to $10K without CFO sign-off

How We Decide What to Sponsor

Your question about “who decides” is critical. Here’s our process:

  1. Dependency Analysis: We ran a tool to map our entire dependency tree. Found we depend on 2,847 open source packages. Most are transitive dependencies we didn’t even know about.

  2. Risk Assessment: For each dependency, we evaluate:

    • How many maintainers? (Bus factor)
    • When was the last commit? (Activity level)
    • Are there known security issues? (Security posture)
    • Is there commercial support available? (Backup options)
    • How deeply embedded is it? (Migration cost)

  3. Strategic Prioritization: We focus on:

    • Infrastructure (Kubernetes ecosystem, databases, build tools)
    • Security tools (auth libraries, encryption, scanning)
    • Languages and runtimes (Node, Python, etc.)

  4. Human Judgment: The final call involves engineering directors who understand our architecture and can make trade-offs.

The ROI Is Real

After six months, here’s what we’re seeing:

Tangible Benefits:

  • Faster bug fixes on critical dependencies (because we have relationships)
  • Better security response (maintainers alert us to issues proactively)
  • Reduced vendor risk (we’re less locked into commercial alternatives)
  • Easier recruiting (engineers love that we support OSS)

Intangible Benefits:

  • Better engineering culture (people feel good about giving back)
  • Stronger relationships with the OSS community
  • More influence over project direction for tools we depend on

The Ingress NGINX situation? We were already sponsoring the CNCF and had relationships with Kubernetes maintainers. When the EOL was announced, we were in the room for discussions about forks and commercial support options. That early warning was worth the entire sponsorship cost.

Answers to Your Hard Questions

Who Decides?

Engineering leadership with input from security and architecture teams. We have a quarterly review process.

How Do We Verify Impact?

We don’t micromanage. If a project is active, shipping releases, and addressing security issues, that’s success. We’re not paying for features - we’re paying for sustainability.

What About Competition?

This used to bother me. Now I see it differently: If our competitors also sponsor, the ecosystem gets stronger and everyone benefits. If they don’t, we have better relationships and early warning systems. Either way, we win.

What’s the Mechanism?

We use multiple approaches:

  • GitHub Sponsors for individual maintainers
  • Open Collective for projects with teams
  • Foundation memberships for ecosystem support
  • Direct contracts for critical infrastructure (where available)

What We’re Still Learning

Not everything is perfect. Challenges we’re facing:

  • Communication: How do we maintain relationships with 12 sponsored projects? We’re experimenting with quarterly check-ins.
  • Measurement: Our CFO wants metrics. We’re tracking maintainer retention and release velocity, but it’s imperfect.
  • Alignment: Some projects don’t want sponsorship without strings. Others want too many strings. Finding the right balance is hard.
  • Scale: $500K sounds like a lot, but spread across the ecosystem, it’s a drop in the bucket. We need more companies doing this.

My Challenge to Other Engineering Leaders

Luis, you’re fighting the good fight at your company. Here’s my challenge to everyone else reading this:

If your company uses open source (and it does), you have three options:

  1. Invest now in sustainability ($500K-1M/year depending on size)
  2. Pay later in emergency migrations when critical tools fail ($5-10M+ per incident)
  3. Freeload forever and hope someone else solves it (not a strategy)

The math is clear. The ethics are clear. The only question is whether we’ll act before the next crisis.

And to Luis’s point about the Ingress NGINX wake-up call: I’m worried too. But every company that steps up makes it easier for the next one. We need to make OSS sponsorship the norm, not the exception.

Our industry has been taking from the commons for decades. It’s time we started giving back.

3

Let me be brutally honest here: This is a supply chain security crisis disguised as a funding problem.

Unmaintained Code = Attack Surface

When Ingress NGINX goes EOL in March, here’s what actually happens from a security perspective:

  1. Day 1-30: Nothing visible. Everything works fine. People relax.
  2. Day 31: Security researcher finds a critical vulnerability. CVE gets published.
  3. Day 32: Exploit code appears on GitHub. Automated scanners start looking for vulnerable versions.
  4. Day 33: Your security team is screaming because you’re running unpatched, exploitable infrastructure in production.

And there’s no patch. There will never be a patch. You’re just… vulnerable.

The Economics Are Insane

Luis, you mentioned your company would pay millions for Oracle licenses but $0 for Kubernetes tools. Let me add another angle: Companies will pay MILLIONS for zero-day exploits, but $0 for the maintenance that prevents them.

The going rate for a Kubernetes privilege escalation exploit on the black market? $100K-500K.
The cost to sponsor Kubernetes ecosystem projects adequately? Probably $10M/year total across all enterprises.

We’re literally choosing to fund the exploit market rather than fund prevention. The math doesn’t just fail - it’s actively harmful.

The Compliance Time Bomb

You mentioned PCI-DSS and SOX compliance, but let me make this even more concrete. I consult with African fintech startups, and they’re in an impossible position:

  • They can’t afford expensive commercial infrastructure
  • They build on free OSS to stay competitive
  • Then the OSS maintainers burn out
  • Now they’re non-compliant with international banking standards
  • They can’t get insurance or partnerships
  • Their business model collapses

This isn’t just a Fortune 500 problem. It’s killing startups in emerging markets who depended on OSS as the great equalizer.

What “Security Sponsorship” Should Look Like

Keisha’s $500K budget is great, but I’d structure it differently from a security perspective:

Critical Infrastructure Audit: $100K/year

  • Pay security researchers to audit the top 50 OSS dependencies
  • Public disclosure of findings
  • Fund the fixes

Security Maintainer Support: $150K/year

  • Many projects need dedicated security maintainers
  • Fund them specifically for security triage, disclosure coordination, patching
  • This is different from feature development

EOL Transition Fund: $150K/year

  • When a project announces EOL, fund a graceful transition
  • Documentation, migration tools, knowledge transfer
  • Don’t let critical infrastructure just disappear

Emergency Response: $100K/year

  • Fast response for critical vulnerabilities
  • Sometimes a maintainer just needs $5K to take a week off work and ship a patch

The Hidden Cost Everyone Ignores

Here’s what drives me crazy: Companies have entire teams dedicated to vendor management, license compliance, and contract negotiation for commercial software. Those teams cost $500K-1M+/year just in salaries.

But for open source? Nothing. No process, no relationships, no contracts, no commitments.

We treat our most critical dependencies like they don’t exist until they break.

A Modest Proposal

Every company should be legally required to maintain a Software Bill of Materials (SBOM) that includes:

  • All OSS dependencies (including transitive)
  • Maintainer health metrics for each
  • Your company’s contribution/sponsorship level
  • Risk assessment for each dependency

Then, during security audits, auditors should ask: “What’s your plan if this maintainer quits tomorrow?”

If the answer is “I don’t know” or “We’ll figure it out,” that’s a failed audit.

Make it a compliance requirement, and suddenly CFOs will find budget for OSS sustainability. Because the alternative is failing audits and losing customers.

The Ingress NGINX Lesson

This situation is entirely predictable and entirely preventable. The warning signs were there:

  • Small maintainer team
  • Increasing complexity
  • Growing user base
  • No commercial support model
  • Burnout indicators

Every security-conscious company should have seen this coming. The fact that we didn’t means our processes are broken.

Luis, your proposal for dependency mapping and maintainer health monitoring? That should be mandatory for every company handling sensitive data. Not a nice-to-have. A requirement.

The Hard Reality

Enterprises will pay millions for:

  • Penetration testing to find vulnerabilities
  • Incident response when breaches happen
  • Insurance to cover breach costs
  • Lawyers to manage disclosure

But won’t pay thousands to:

  • Fund the maintainers who prevent vulnerabilities
  • Support the infrastructure they depend on
  • Build relationships that enable fast fixes

We’re optimizing for crisis response instead of crisis prevention. And that’s not just bad economics - it’s bad security.

If your company is running Ingress NGINX in production right now, you have about three weeks to figure out your plan. After March, you’re just hoping nobody finds the next vulnerability.

Hope is not a security strategy.

4

Reading this thread hits close to home. I maintain a small open source library that has about 8K stars, and honestly, seeing what’s happening with Ingress NGINX is making me question if I want to keep doing this at all.

The Maintainer Perspective Nobody Talks About

Luis, you’re asking great questions about what corporate sponsorship should look like. Let me tell you what it looks like from the other side - from someone who might be the next person to announce they’re walking away.

I spend about 10-15 hours per week maintaining my library. That’s time I could be:

  • Working on paid consulting (worth $150-200/hour)
  • Building side projects that might generate income
  • Spending time with family
  • Literally anything else

The current sponsorship I get? About $300/month total, mostly from individual developers. That’s $20/hour for skilled engineering work. I make more as a barista.

Why Money Alone Isn’t Enough

Keisha’s $500K budget is amazing, and I’m genuinely inspired by it. But here’s what I wish more companies understood:

The Review Burden: I don’t need help writing code. I need help reviewing the 50+ PRs sitting in my queue. Money doesn’t directly solve that unless I can hire someone (I can’t - finding and onboarding someone who understands the project well enough to review takes months).

The Interrupt Cost: Every issue notification, every security report, every “hey quick question” is a context switch. Companies have entire support teams to handle this. I have me, at 11 PM after my day job.

The Responsibility Weight: When 100+ companies depend on my library in production, every change I make carries enormous risk. One bad merge and I could take down production systems. That stress is… heavy.

What Would Actually Help

Since people are asking, here’s what would have kept Ingress NGINX maintainers around (and what would keep me around):

  1. Dedicated Support Contracts: Not just “here’s $20K thanks.” More like “We’ll pay $50K/year and in exchange you get:”

    • Direct Slack/email access for our engineers
    • Priority on issues affecting us
    • Quarterly planning calls
    • We’ll contribute engineering time on features we need

  2. Maintenance Consortiums: What if 10 companies who all depend on a project each put in $50K and collectively hired a full-time maintainer? That’s a $500K salary for someone who can actually sustain the project.

  3. Time, Not Just Money: Your engineers contributing code is great, but what I really need is PR review help, documentation updates, and issue triage. The unglamorous stuff.

  4. Clear Expectations: The worst is when a company sponsors at $10K/year and then treats you like you’re their vendor. I don’t have an SLA. I don’t have a support team. I’m a human doing this in my spare time.

The Decision I’m Facing

Here’s my reality: My library is used by several Fortune 500 companies (I can see the download patterns from corporate networks). They’re saving thousands of engineer-hours by using my work.

But I got a job offer last week that would require me to work more hours. I’d have to either:

  • Give up OSS maintenance
  • Turn down a $40K raise
  • Keep trying to do both and probably burn out

Guess what I’m leaning toward?

And when I announce I’m stepping down, companies will scramble. They’ll look for alternatives, maybe fork the project, possibly even offer me money then. But by then it’s too late - I’ll be gone.

The Question for Companies

Luis asked maintainers: “What would have prevented burnout in projects like Ingress NGINX?”

Here’s my answer: If even ONE of those Fortune 500 companies using it had offered to:

  • Pay $100K/year for dedicated support
  • Contribute a full-time engineer to help with maintenance
  • Fund a security-focused maintainer position
  • Sponsor the project at a level that lets maintainers work on it full-time

…the project wouldn’t be dying.

Instead, they used it free for years, took the value, gave nothing back, and now they’re surprised it’s ending?

I’m Not Trying to Be Bitter

I love open source. I’ve learned so much, met amazing people, built things I’m proud of. But the model is broken.

We’ve built an entire industry on the assumption that volunteers will maintain critical infrastructure forever. That assumption is proving false, one burned-out maintainer at a time.

Sam’s point about this being a security crisis is dead-on. Keisha’s point about needing systemic change is right. But from where I sit, I’m just tired.

And I’m starting to think: Maybe companies SHOULD pay $3-4M to migrate to commercial alternatives. Maybe that’s the only way they’ll learn to value the open source they depend on.

Or maybe next time, they’ll sponsor early enough that the maintainers don’t leave.

I really hope it’s the latter.

5

This thread is hitting on something I’ve been worried about from an identity and security perspective - unmaintained projects become perfect targets for account takeovers and supply chain attacks.

The Attack Vector Nobody’s Discussing

When a maintainer announces they’re stepping down or a project goes EOL, here’s what often happens in the shadows:

  1. Attackers identify abandoned but still-used packages
  2. They approach the burned-out maintainer with offers to “help maintain” or “take over”
  3. Sometimes they just wait for the maintainer to abandon their npm/PyPI account
  4. They push a “security update” that actually includes malware
  5. Thousands of companies auto-update because it’s a “trusted” package

I saw this pattern repeatedly at Auth0. Abandoned OSS packages are goldmines for supply chain attacks because:

  • They still have large user bases
  • Nobody’s watching for malicious updates
  • Companies trust them due to historical use
  • Auto-update pipelines pull them in without review

The Ingress NGINX Scenario

With Ingress NGINX going EOL, here’s what I worry about:

  • Maintainers will abandon their accounts or hand off credentials
  • Someone will eventually publish a “community fork” or “security patch”
  • Companies desperate for updates will trust it
  • By the time anyone notices malicious code, it’s running in production at thousands of companies

This isn’t theoretical. This is the EXACT pattern we saw with event-stream, ua-parser-js, and dozens of other packages.

What Makes This Worse

Alex’s point about maintainer burnout creating this crisis is spot-on. But from an identity perspective, burned-out maintainers are also security risks:

  • They’re exhausted and less vigilant about account security
  • They might hand off access too casually to “helpful” volunteers
  • They’re vulnerable to social engineering (“Let me help you, I have a team ready”)
  • When they quit, their 2FA keys and account access often just… sit there

We need proper sunset processes for OSS projects:

  1. Account Security Audit: Before maintainer leaves, secure all credentials
  2. Transparent Succession: Public announcement of new maintainers with verification
  3. Read-Only Archive: If no successor, make the repo read-only, don’t just abandon it
  4. Namespace Protection: Lock the package name so nobody can typosquat or take over
  5. Sunset Documentation: Clear guidance on migration paths for users

The Enterprise Responsibility Angle

Luis mentioned compliance requirements, and I want to add: Your company needs to be tracking maintainer identity changes for dependencies.

If the maintainer of a critical package changes, that’s a security event that should trigger review, just like a new vendor would require security assessment.

But most companies have no process for this. They don’t even know when maintainer changes happen, let alone review them.

A Practical Suggestion

Companies sponsoring OSS projects should include in their contracts:

  • Succession Planning: Agreement on how maintainer transitions will be handled
  • Identity Verification: Clear process for verifying new maintainers
  • Security Notification: Maintainers agree to notify sponsors before leaving
  • Account Security Requirements: 2FA, hardware keys, secure credential storage

This protects both the maintainers (clear expectations) and the companies (security guarantees).

Why This Matters Now

With 60% of maintainers considering quitting and burnout at 44%, we’re looking at a MASSIVE wave of abandoned packages in the next 1-2 years.

Attackers know this. They’re already positioning themselves as “helpful community members” in struggling projects. The supply chain attack surface is about to explode.

Keisha’s OSS budget should include a line item for “succession and identity security” - helping projects handle transitions safely when maintainers need to step away.

Because the alternative is watching critical infrastructure get compromised one abandoned project at a time.

And Alex, if you do step down from your project, please do it safely. Public announcement, clear succession plan, and if there’s no successor, archive it read-only. Don’t let your exhaustion become someone else’s security breach.

We need better processes for letting maintainers retire gracefully. Right now, we’re making them choose between burnout or creating security risks. That’s not okay.