- Published on
2026 Ingress Controller Comparison — Benchmarking 8 Options and a Selection Guide
- Authors
- Name
- Youngju Kim
- @fjvbn20031
- Introduction
- Basic Architecture of an Ingress Controller
- Comprehensive Comparison of 8 Options
- Per-Controller Detail
- Selection Criteria
- Recommendations by Workload
- Migration Difficulty
- Total Cost of Ownership (TCO) Perspective
- 2026 Trend: Ingress Frozen → Gateway API
- Decision Flow
- Conclusion
- References
Introduction
One of the first decisions you face when operating a Kubernetes cluster is "which Ingress Controller should we use?" This component, which routes external traffic to internal cluster services, is core infrastructure that you live with for years once chosen. Yet when you actually sit down to compare options, there are too many candidates. ingress-nginx, Traefik, HAProxy, Contour, Envoy Gateway, Kong, APISIX, and Emissary each carry a different data plane and philosophy.
In 2026 this choice is no longer simply "which one is fastest." The Ingress API itself has become frozen — no new features will be added — and the Gateway API has taken hold as the successor standard. As a result, "how mature is this controller's Gateway API support?" has become a key variable that determines future cost. On top of that, ingress-nginx, the most widely used option, has moved into maintenance mode and reported several security issues (CVEs), prompting many organizations to seriously evaluate alternatives.
In this article we compare eight controllers across configuration model, CRD design, TLS automation, performance, observability, Gateway API support, ecosystem, and licensing. Rather than a flat spec dump, the framing is decision-oriented: "in which situations should you pick what?"
Basic Architecture of an Ingress Controller
An Ingress Controller has two parts. One is the control plane, which watches the Kubernetes API, reads changes to Ingress/CRD resources, and generates configuration. The other is the data plane (proxy engine), which actually processes traffic.
External traffic
│
▼
┌───────────────────┐
│ LoadBalancer/ │ (cloud LB or NodePort)
│ Service │
└─────────┬─────────┘
│
▼
┌───────────────────────────────┐
│ Ingress Controller Pod │
│ ┌──────────┐ ┌───────────┐ │
│ │ Control │──▶│ Data │ │
│ │ Plane │ │ Plane │ │
│ │ (watch) │ │ (proxy) │ │
│ └────┬─────┘ └─────┬─────┘ │
└───────┼───────────────┼────────┘
│ │
watch Ingress/CRD ▼
│ route → backend Service/Pod
▼
Kubernetes API
The character of a controller depends heavily on what its data plane is. We can group them into roughly three families.
- nginx family: ingress-nginx. Battle-tested nginx engine. Reload-based configuration.
- Envoy family: Contour, Envoy Gateway, Emissary. xDS-based dynamic configuration, no hot reload needed.
- Custom/other engines: Traefik (its own Go engine), HAProxy (the haproxy engine), Kong (nginx+Lua / OpenResty based), APISIX (nginx+Lua based).
Engine differences directly affect how fast dynamic configuration is applied, memory usage, and how features are extended. For example, nginx-based controllers require a reload on configuration change, which can cause a momentary burden in connection-heavy environments, whereas Envoy-based ones can apply updates dynamically with zero disruption via xDS.
Comprehensive Comparison of 8 Options
First, a one-glance comparison of the key items.
| Controller | Data plane | Config model | Dedicated CRDs | TLS automation | Gateway API |
|---|---|---|---|---|---|
| ingress-nginx | nginx | Ingress + annotations | Almost none | cert-manager integration | Split into separate project (ingate) |
| Traefik | Traefik (Go) | CRD (IngressRoute) + annotations | Rich (Middleware etc.) | Built-in ACME | Mature |
| HAProxy | HAProxy | Ingress + annotations + ConfigMap | Some CRDs | cert-manager integration | Supported (growing) |
| Contour | Envoy | CRD (HTTPProxy) | HTTPProxy | cert-manager integration | Mature |
| Envoy Gateway | Envoy | Gateway API native | Gateway API centric | cert-manager integration | Native (first class) |
| Kong | nginx/OpenResty | CRD + annotations | KongPlugin etc. | cert-manager integration | Supported |
| APISIX | nginx/OpenResty | CRD (ApisixRoute) | ApisixRoute etc. | cert-manager integration | Supported |
| Emissary | Envoy | CRD (Mapping) | Mapping etc. | Built-in ACME | Supported (partial) |
Now performance and operational items.
| Controller | Dynamic reload | Observability | API gateway features | Ecosystem/maturity | License |
|---|---|---|---|---|---|
| ingress-nginx | Reload needed | Prometheus metrics | Limited | Very large (maintenance mode) | Apache 2.0 |
| Traefik | Zero disruption | Dashboard + metrics + tracing | Medium | Large | MIT |
| HAProxy | Partial zero disruption | Rich stats + metrics | Limited | Large | Apache 2.0 |
| Contour | Zero disruption (xDS) | Envoy metrics/tracing | Low | Medium (CNCF) | Apache 2.0 |
| Envoy Gateway | Zero disruption (xDS) | Envoy metrics/tracing | Medium (policy CRDs) | Growing (CNCF) | Apache 2.0 |
| Kong | Partial | Rich (plugins) | Very high | Large | Apache 2.0 + enterprise |
| APISIX | Zero disruption (etcd) | Rich (plugins) | Very high | Medium (ASF) | Apache 2.0 |
| Emissary | Zero disruption (xDS) | Envoy metrics/tracing | High | Medium | Apache 2.0 |
As the tables show, two axes drive the choice the most: "do you need API gateway features?" and "how much do you value Gateway API?"
Per-Controller Detail
ingress-nginx
The most widely used controller. It uses the proven nginx engine, and most tutorials and operational examples are written against it. Configuration is done with Ingress resources plus annotations.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: web
annotations:
nginx.ingress.kubernetes.io/rewrite-target: /
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "10m"
spec:
ingressClassName: nginx
rules:
- host: app.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: web
port:
number: 80
The key 2026 caveat is that ingress-nginx is moving into maintenance mode. Several security issues (CVEs) were reported in the arbitrary configuration-injection (snippet) feature exposed via annotations, and snippets have been trending toward disabled-by-default. Its successor Gateway API implementation is being carried out as a separate project, so long term it is reasonable to evaluate moving to another controller or a Gateway API native implementation.
Traefik
Traefik uses its own engine written in Go, with dynamic configuration and rich CRDs as its strengths. Automatic ACME (Let's Encrypt) certificate issuance is built in, so TLS automation works even without cert-manager. You build expressive routing with CRDs like IngressRoute and Middleware.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: web
spec:
entryPoints:
- websecure
routes:
- match: Host(`app.example.com`) && PathPrefix(`/api`)
kind: Rule
services:
- name: api
port: 80
middlewares:
- name: rate-limit
The dashboard is intuitive and the middleware-chain model is clean. Note, however, that there are feature differences between the free version and the enterprise offering (Traefik Hub), so check where the features you need fall.
HAProxy
Uses the long-proven HAProxy engine. Stability and fine-grained load-balancing control are its strengths, and it offers a rich stats page and metrics. You configure it with a combination of Ingress + annotations + a global ConfigMap.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: web
annotations:
haproxy.org/load-balance: "roundrobin"
haproxy.org/timeout-client: "30s"
spec:
ingressClassName: haproxy
rules:
- host: app.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: web
port:
number: 80
It offers powerful load-balancing algorithms and health checks at both L4 and L7, making it a good fit for environments that need demanding traffic control.
Contour
A CNCF project that uses Envoy as its data plane. Its distinguishing feature is the HTTPProxy CRD, which elegantly expresses delegation-based multitenancy. Being xDS-based, configuration changes are applied dynamically without a reload.
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
name: web
spec:
virtualhost:
fqdn: app.example.com
tls:
secretName: app-tls
routes:
- conditions:
- prefix: /
services:
- name: web
port: 80
With HTTPProxy's include feature you can build a structure where the platform team manages the root domain and each team manages sub-paths, making it strong for multitenancy.
Envoy Gateway
A project in which the Envoy camp implements the Gateway API as a first-class citizen. Instead of the Ingress-annotation model, it is designed around the Gateway API (GatewayClass, Gateway, HTTPRoute) from the ground up. For a 2026 greenfield design it is one of the most promising choices.
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: web
spec:
parentRefs:
- name: eg
hostnames:
- app.example.com
rules:
- matches:
- path:
type: PathPrefix
value: /
backendRefs:
- name: web
port: 80
Policies (timeouts, retries, rate limits, etc.) are expressed with the Gateway API's extension policy CRDs. It is the model that best fits the trend of Ingress being frozen.
Kong
Based on OpenResty (nginx+Lua), Kong goes beyond simple Ingress to provide full-fledged API gateway features. You can attach numerous plugins — authentication, rate limiting, transformations — via the KongPlugin CRD.
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
name: rate-limit
plugin: rate-limiting
config:
minute: 100
policy: local
If you need to productize APIs (developer portal, key management, usage-based billing), it is a powerful choice. Note, however, that many full features sit in the enterprise tier.
APISIX
An Apache Foundation project, also nginx+Lua based, that manages dynamic configuration with etcd. It is characterized by the ApisixRoute CRD, a rich plugin set, and an Admin API. Dynamic route updates are fast and the plugin ecosystem is active.
apiVersion: apisix.apache.org/v2
kind: ApisixRoute
metadata:
name: web
spec:
http:
- name: rule1
match:
hosts:
- app.example.com
paths:
- /*
backends:
- serviceName: web
servicePort: 80
plugins:
- name: limit-count
enable: true
config:
count: 100
time_window: 60
An advantage is that you can use a broad set of API gateway features with the open-source edition alone.
Emissary (Ambassador)
One of the early Envoy-based API gateways, Emissary expresses routing with the Mapping CRD. It is characterized by a developer-friendly declarative model and built-in ACME.
apiVersion: getambassador.io/v3alpha1
kind: Mapping
metadata:
name: web
spec:
hostname: app.example.com
prefix: /
service: web:80
Because it exposes Envoy's features through relatively simple CRDs, it suits teams that want Envoy capabilities but find raw Envoy configuration burdensome.
Selection Criteria
It is hard to decide on spec comparison alone. The following axes help.
Scale
- Small/simple routing: ingress-nginx (if you already have assets) or Traefik. Low barrier to entry and plenty of material.
- Medium-to-large/multi-team: Contour (HTTPProxy delegation) or Envoy Gateway (Gateway API role separation) are favorable for multitenancy.
- Large/API productization: Kong or APISIX, when you need plugin-based policies and API management.
Team Capability
Envoy-based options (Contour, Envoy Gateway, Emissary) are powerful once you understand Envoy concepts (xDS, listeners, clusters), but they carry a learning curve. By contrast, ingress-nginx and Traefik are easy to get into. If your team is comfortable with nginx, debugging APISIX/Kong is comparatively smoother.
Need for API Management
If the goal is simply to route traffic, Contour/Envoy Gateway/Traefik are sufficient. If API gateway features like authentication, rate limiting, transformation, a developer portal, and usage billing are central, Kong or APISIX are a fit.
On-Premises Environments
In on-prem environments without a cloud LB, compatibility with an LB implementation like MetalLB and integration with self-managed certificates (cert-manager) matter. Most controllers work well, but HAProxy/ingress-nginx have a long track record on-prem, making reference material easy to find.
Recommendations by Workload
| Workload | Recommendation | Why |
|---|---|---|
| Simple web service | Traefik, ingress-nginx | Quick start, plentiful material |
| Multi-tenant platform | Contour, Envoy Gateway | Role separation / delegation model |
| New greenfield (2026) | Envoy Gateway | Gateway API native |
| API product/portal | Kong, APISIX | Plugin-based API management |
| Demanding L4/L7 control | HAProxy | Fine-grained LB / health checks |
| Envoy features + simple CRDs | Emissary | Envoy through easy CRDs |
Migration Difficulty
When moving from an existing controller to another, difficulty is proportional to "how different the configuration models are."
- Ingress annotations → other Ingress annotations (e.g., ingress-nginx → HAProxy): Relatively easy since you only map annotations. You must still verify differences in rewrite and path-matching behavior.
- Ingress → CRD model (e.g., ingress-nginx → Traefik IngressRoute, Contour HTTPProxy): Large conversion effort because you have to author resources anew.
- Ingress → Gateway API (e.g., ingress-nginx → Envoy Gateway): Conversion tools like ingress2gateway exist, but policy parts require manual mapping.
The key, in every case, is to separate IngressClass so the two controllers coexist, then migrate gradually via DNS or traffic weighting.
Total Cost of Ownership (TCO) Perspective
Beyond the visible container cost, consider the following.
- Load balancer cost: In the cloud, if each controller gets its own LoadBalancer service, LB cost multiplies. A shared LB with a single Ingress entry point is more cost-effective.
- Operational staffing cost: A controller with a steep learning curve has a high initial adoption cost. A controller with abundant material shortens troubleshooting time.
- Enterprise licensing: Some features of Kong/Traefik and others may require a commercial license. Clearly confirm the open-source scope.
- Migration cost: Staying on a maintenance-mode controller means switching cost arrives all at once later. This weighs heavily in long-term TCO.
2026 Trend: Ingress Frozen → Gateway API
The most important trend is that the Ingress API is frozen. No new features will be added to the Ingress API; all new features go into the Gateway API. The Gateway API provides three-tier role separation (GatewayClass/Gateway/HTTPRoute), multiple protocols (HTTP, gRPC, TCP, UDP, TLS), and a standardized policy model.
Past (Ingress) Future (Gateway API)
────────────── ─────────────────────
Ingress + annotations GatewayClass (platform/infra)
(vendor-specific) │
Gateway (cluster operator)
│
HTTPRoute/GRPCRoute (app developer)
Therefore, for a 2026 new adoption, evaluating a controller that supports the Gateway API first-class (such as Envoy Gateway) is the path to lower future cost. Even organizations with large existing Ingress assets should plan a gradual migration path using tools like ingress2gateway.
Decision Flow
Finally, the selection process as a flowchart.
Start: choosing an Ingress Controller
│
┌───────────────┴───────────────┐
│ Are API gateway features │
│ (auth/rate-limit/portal) core? │
└───────────────┬───────────────┘
yes │ │ no
▼ ▼
┌──────────────┐ ┌──────────────────────┐
│ Kong / APISIX │ │ Is multitenancy / │
└──────────────┘ │ role separation key? │
└──────────┬───────────┘
yes │ │ no
▼ ▼
┌────────────────┐ ┌────────────────────┐
│ Want Gateway │ │ Are quick start / │
│ API native? │ │ rich material key? │
└───────┬────────┘ └─────────┬──────────┘
yes│ │no yes │
▼ ▼ ▼
┌──────────┐ ┌─────────┐ ┌───────────────────┐
│ Envoy │ │ Contour │ │ Traefik / │
│ Gateway │ │ │ │ ingress-nginx │
└──────────┘ └─────────┘ └───────────────────┘
Conclusion
There is no single right answer for choosing an Ingress Controller. But in 2026 you must weigh two big trends. First, the Ingress API is frozen and the Gateway API is the standard future. Second, as ingress-nginx moves into maintenance mode, evaluating alternatives has become necessary from a stability and security standpoint.
If your existing assets are large and you only need simple routing, Traefik or your existing ingress-nginx is enough. But for a new greenfield deployment, I recommend evaluating a Gateway API native implementation such as Envoy Gateway first. If multitenancy matters, Contour; if API productization is central, Kong or APISIX is the answer. Whatever you choose, learning the coexistence strategy via IngressClass separation in advance will be a great help when you migrate later.
References
- Kubernetes Ingress official docs: https://kubernetes.io/docs/concepts/services-networking/ingress/
- Kubernetes Ingress Controllers: https://kubernetes.io/docs/concepts/services-networking/ingress-controllers/
- ingress-nginx official docs: https://kubernetes.github.io/ingress-nginx/
- Traefik official docs: https://doc.traefik.io/traefik/
- HAProxy Kubernetes Ingress docs: https://www.haproxy.com/documentation/kubernetes-ingress/
- Project Contour official docs: https://projectcontour.io/docs/
- Envoy Gateway official docs: https://gateway.envoyproxy.io/docs/
- Kong Ingress Controller docs: https://docs.konghq.com/kubernetes-ingress-controller/
- Apache APISIX Ingress docs: https://apisix.apache.org/docs/ingress-controller/getting-started/
- Gateway API official site: https://gateway-api.sigs.k8s.io/
- cert-manager official docs: https://cert-manager.io/docs/
- Emissary-ingress official docs: https://www.getambassador.io/docs/emissary/