F5 NGINX Ingress Controller 5.3.0 arrives at a pivotal moment. With the Kubernetes community announcing at KubeCon North America 2025 that the community-maintained ingress-nginx project will be retired in March 2026, users everywhere are rethinking their ingress strategies. For those looking for a familiar, production-grade open source replacement, F5 NGINX Ingress Controller offers a solution maintained by the NGINX team. This release focuses on improving existing capabilities, delivering key customer-requested features, and making migration from ingress-nginx easier than ever.
Across this release, we’re focused on:
- Migration support with compatibility annotations for users transitioning from ingress-nginx
- Expanded caching capabilities with production-grade CRD support for most caching directives
- Cross-namespace routing for VirtualServer resources that simplifies multi-tenant operations
- OpenID Connect enhancements for token timeouts, front channel logout, and identity provider TLS validation
Together, these updates make it easier for platform teams, security engineers, and developers to build robust, long-term ingress strategies with both NGINX Ingress Controller and NGINX Gateway Fabric, our implementation for the Gateway API using NGINX as the data plane.
Migration Support for ingress-nginx
We’ve added support for several popular ingress-nginx annotations to help users migrate to the official F5 NGINX Ingress Controller, with more compatibility features coming in future releases.
Supported annotations:
- nginx.org/client-body-buffer-size mirrors nginx.ingress.kubernetes.io/client-body-buffer-size (sets the maximum size of the client request body buffer). Also available in VirtualServer and ConfigMap.
- nginx.org/rewrite-target mirrors nginx.ingress.kubernetes.io/rewrite-target (sets a replacement path for URI rewrites)
- nginx.org/ssl-ciphers mirrors nginx.ingress.kubernetes.io/ssl-ciphers (configures enabled TLS cipher suites)
- nginx.org/ssl-prefer-server-cipher mirrors nginx.ingress.kubernetes.io/ssl-prefer-server-ciphers (controls server-side cipher preference during the TLS handshake)
Why it matters: These compatibility annotations reduce migration friction, allowing teams to transition incrementally without rewriting all their Ingress configurations at once.
Who it helps:
- Teams planning migration from ingress-nginx before March 2026
- Organizations evaluating long-term ingress strategies
- Platform engineers maintaining backward compatibility during transitions
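As an added example (not part of the F5 release or its tooling), the script below audits Ingress objects for ingress-nginx annotations: it proposes the `nginx.org/` equivalent for each one in the supported list above and reports the ones with no listed counterpart. The function name, the sample objects, and the assumption that values carry over unchanged are illustrative and are not stated on this page.

```python
import json

SRC = "nginx.ingress.kubernetes.io/"
# Mapping copied from the supported-annotations list above (names as written there).
COMPAT = {
    SRC + "client-body-buffer-size": "nginx.org/client-body-buffer-size",
    SRC + "rewrite-target": "nginx.org/rewrite-target",
    SRC + "ssl-ciphers": "nginx.org/ssl-ciphers",
    SRC + "ssl-prefer-server-ciphers": "nginx.org/ssl-prefer-server-cipher",
}

def plan_migration(ingress_list):
    """Return one report per Ingress that still carries ingress-nginx annotations."""
    reports = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        annotations = meta.get("annotations") or {}
        add, unmapped = {}, []
        for key, value in sorted(annotations.items()):
            if not key.startswith(SRC):
                continue                      # not an ingress-nginx annotation
            target = COMPAT.get(key)
            if target is None:
                unmapped.append(key)          # no equivalent in the list above
            elif target not in annotations:
                add[target] = value           # assumption: value is reused as-is
        if add or unmapped:
            name = f'{meta.get("namespace", "default")}/{meta.get("name")}'
            reports.append({"ingress": name, "add": add, "unmapped": unmapped})
    return reports

# Constructed sample in the shape of `kubectl get ingress -A -o json` output.
SAMPLE = {"items": [
    {"metadata": {"name": "web", "namespace": "shop", "annotations": {
        SRC + "rewrite-target": "/",
        SRC + "ssl-ciphers": "ECDHE-ECDSA-AES128-GCM-SHA256",
        SRC + "auth-url": "https://auth.example.internal/check",
    }}},
    {"metadata": {"name": "api", "namespace": "shop", "annotations": {
        "nginx.org/client-body-buffer-size": "16k",
    }}},
]}

if __name__ == "__main__":
    print(json.dumps(plan_migration(SAMPLE), indent=2))
```

Annotations reported under `unmapped` need a manual decision before cutover, since the controller will not act on them.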
Expanded NGINX Cache CRD
Based on strong feedback from customers and open source users, we’ve extended the cache policy to support more configurable parameters, enabling powerful, production-grade caching with F5 NGINX Ingress Controller. This expansion brings enterprise-level cache control directly into your Kubernetes configurations.
Why it matters: Full caching support reduces backend load, improves response times, and gives teams fine-grained control over cache behavior without managing separate infrastructure or complex ConfigMaps.
Who it helps:
- Platform teams optimizing application performance at scale
- SREs managing high-traffic services with strict latency requirements
- Developers building APIs that benefit from edge caching
Cross-Namespace Support for VirtualServer
You can now reference upstream services in different Kubernetes namespaces directly from a VirtualServer. This simplifies multi-tenant operations and reduces the coupling and maintenance overhead previously required across VirtualServer and VirtualServerRoute resources.
Why it matters: Cross-namespace routing eliminates the need for duplicate route definitions and reduces configuration drift across teams. It makes shared infrastructure patterns practical without sacrificing namespace isolation.
Who it helps:
- Platform engineers managing shared ingress infrastructure
- Teams running multi-tenant Kubernetes clusters
- Organizations consolidating microservices across namespaces
OpenID Connect Improvements
This release adds several OIDC policy enhancements: configurable token timeouts via ConfigMap, front channel logout support, and SSL verification controls for identity provider connections. Additionally, you can now configure SSL verification for JWKS URI endpoints.
Why it matters: These controls give teams the flexibility to tune authentication behavior for their specific identity providers and compliance requirements, while TLS validation ensures secure communication with identity providers.
Who it helps:
- Security teams implementing zero-trust architectures
- Developers integrating with enterprise identity providers
- Operations engineers troubleshooting authentication configurations
Other Notable Enhancements
- Upgraded to NGINX Open Source 1.29.3, NGINX Plus R36, NGINX Agent 3.5, and F5 WAF for NGINX 5.10.0
- Stability improvements: Added startup logic to clean up stale .sock files when they aren’t removed properly, improving recovery after unexpected termination (thank you @sigv in our NGINX community for the suggestion)
Wrapping Up
F5 NGINX Ingress Controller 5.3.0 continues our commitment to making secure, high-performance ingress easier to manage. Whether you’re expanding caching capabilities, simplifying multi-tenant routing, or planning your migration from ingress-nginx, this release adds practical tools that show up in day-to-day operations.
For customers evaluating their path forward, F5 offers excellent options with both NGINX Ingress Controller (NIC) and NGINX Gateway Fabric (NGF) for full Gateway API implementation. We’re excited to help customers build robust, long-term ingress strategies.
You can find more details at:
- GitHub release page: https://github.com/nginx/kubernetes-ingress/releases
- Public release documentation: https://docs.nginx.com/nginx-ingress-controller/

