Streamline Kubernetes Ingress with Plural

Managing the sprawling ecosystem of third-party controllers within Kubernetes can feel like playing a never-ending game of whack-a-mole. Just when you think everything is stable, a critical vulnerability like the recent one in ingress-nginx pops up, forcing you to scramble for a fix. Upgrading these controllers is often a risky proposition, fraught with compatibility issues between the controller version and your specific Kubernetes version. This post explores how Plural's unique approach to managing ingress plural, using the Observer resource, automates the upgrade process for ingress-nginx and other critical components. We'll demonstrate how Plural checks for compatibility, generates precise pull requests, and triggers your deployment pipeline, ensuring seamless and safe upgrades. We'll also discuss how Plural simplifies the initial setup and ongoing management of edge networking components, including Ingress, DNS, and SSL certificates, through runtime charts and GlobalServices.

Let's face it - securing Kubernetes isn't getting any easier. Just last week, ingress-nginx (one of the most widely deployed Kubernetes ingress controllers) was hit with a series of critical vulnerabilities. The most severe of these (CVE-2025-1974) could potentially allow any workload in your cluster's internal pod network to exploit its admission webhook, ultimately revealing cluster secrets by leveraging flaws in how annotations are configured.

If you're running ingress-nginx in production right now, you're probably frantically trying to upgrade the controller. And you’ve probably encountered the dependency challenges that follow.

Streamlining Third-Party Controller Upgrades

Kubernetes itself is rarely deployed alone - it's usually surrounded by a sprawling ecosystem of third-party components that vary wildly in quality and security posture. Upgrading these components isn't straightforward because they're tightly coupled with specific Kubernetes versions.

So for example, each version of ingress-nginx is designed to work with particular Kubernetes API versions. This means that right now, you might be caught between two bad options:

• Upgrade ingress-nginx to patch the vulnerability, but risk breaking changes if your Kubernetes version is lagging behind
• Force a Kubernetes upgrade first, potentially breaking other critical components in your cluster

Key Takeaways

• Automated upgrade pipelines are crucial for Kubernetes security: The recent ingress-nginx vulnerability demonstrates the risk of relying on manual updates for critical components.
• Plural simplifies Kubernetes dependency management: The Observer resource automatically checks compatibility and creates pull requests for seamless upgrades of third-party controllers.
• Simplify Kubernetes operations with Plural: Features like runtime charts and GlobalServices streamline the setup and management of essential Kubernetes components, reducing manual effort and ensuring consistency.

What is an Ingress?

Definition and Meaning

“Ingress” simply means the act of entering or the right to enter. Think of a doorway—a way to get *in*. It comes from the Latin word “ingressus,” meaning “to go in” or “to enter.” Outside of tech, you might see “ingress” used in astronomy, referring to a celestial body entering a shadow or a particular sign. Merriam-Webster offers more general definitions.

Kubernetes Usage

In Kubernetes, an Ingress is a resource that manages external access to the services within your cluster. It acts as a reverse proxy and load balancer for incoming traffic, routing requests based on rules you define. It's the entry point for outside requests to reach your applications running inside the cluster. For teams using Plural, managing and upgrading Ingress controllers is simplified through our platform.

Other Meanings and Usages

“Ingress” isn’t limited to Kubernetes or astronomy. It appears in various fields, from military operations to literature (often with a more poetic meaning) and even legal discussions of property rights. Wiktionary provides a good overview of these different contexts.

Plural of Ingress: Ingresses

The plural of "ingress" is "ingresses." In Kubernetes, this refers to multiple Ingress resources, each potentially managing traffic for different services or using different routing rules. See Simple English Wiktionary for a simple explanation.

Ingress, Egress, and Regress in Legal Contexts

Property Law and Access Rights

In property law, "ingress" refers specifically to the right to enter a property. It’s often paired with "egress" (the right to exit) and sometimes "regress" (the right to return). These terms are essential for defining access rights and easements, ensuring individuals can legally access and leave properties. Wikipedia offers more detail on these legal concepts.

Historical Context

Historically, "ingress" and "egress" carried significant weight, especially regarding the movement of people and goods. For example, the Ingress into India Ordinance of 1914 controlled the movement of individuals returning to India, demonstrating the historical use of these terms in regulating access. Wikipedia provides further historical context.

Understanding Ingression

Definition and Different Meanings

“Ingression” is the noun form of “ingress,” referring to the *act* of entering. While often used interchangeably with "ingress," "ingression" sometimes appears in specialized fields like metaphysics and biology to describe the process of entering or the start of a process. Wiktionary offers a more nuanced explanation.

Relationship to Ingress

“Ingression” is derived from "ingress." "Ingress" is the doorway; "ingression" is walking through it. Both relate to entering, but "ingression" emphasizes the process or action.

Ingress in Swedish

In Swedish, "ingress" means the introductory paragraph of a newspaper article. This shows how a word can evolve and take on unique meanings in different languages. Wiktionary notes this distinct usage.

Past Tense of Ingress: Ingressed

The past tense of "ingress" is "ingressed." So, if something has already entered, you might say it "ingressed" into a specific area. Your Dictionary confirms this past tense usage.

Effortless Upgrades with Plural: A How-To

Plural cuts this gordian knot. Our Observer resource does the following things:

• Regularly checks our internally maintained compatibility matrices to identify when new versions of components like ingress-nginx are released.
• Only suggests upgrades that are confirmed compatible with your specific Kubernetes versions.

This means that when a critical security patch like the recent ingress-nginx fix becomes available, the Observer automatically:

• Verifies the patch is compatible with your current Kubernetes versions
• Generates a precise pull request with the exact version changes needed
• Triggers your deployment pipeline to apply the changes safely

Here's a concrete example of how you'd configure this for the ingress-nginx vulnerability:

apiVersion: deployments.plural.sh/v1alpha1
kind: Observer
metadata:
  name: ingress-nginx
spec:
  crontab: "*/5 * * * *"
  initial: 4.12.0
  target:
    order: SEMVER
    type: ADDON # selecting our addon compatibility tables to poll
    addon:
      name: ingress-nginx # polling ingress nginx specifically
      kubernetesVersions: # ensures the newest version we'd deploy
      - "1.28"            # is compatible with the given K8s versions in use
      - "1.29"
      - "1.30"
  actions:
  - type: PIPELINE
    configuration:
      pipeline:
        pipelineRef:
          name: ingress-nginx
          namespace: infra
        context:
          name: ingress-nginx
          version: $value

When a new compatible version is detected, the system automatically generates a PR with the necessary changes:

The resulting PR contains everything needed to safely update the component:

What makes this approach particularly powerful is that it's not just for one-off fixes. The Observer pattern can be applied to your entire Kubernetes ecosystem, ensuring that security patches are applied promptly across all components, updates never break compatibility with your existing infrastructure, and you can finally escape the dependency hell that comes with manual Kubernetes ecosystem management

Plural's Runtime Chart for Simplified Setup

Beyond security updates, Plural simplifies the initial setup and day-to-day management of essential Kubernetes components. We use a “runtime chart” to streamline the installation and configuration of common tools like ingress-nginx. This chart acts as a blueprint, defining the necessary resources and their configurations. It’s especially useful for edge networking components, which often require careful coordination between Ingress, DNS, and SSL certificates. This approach reduces the chances of misconfigurations and simplifies ongoing maintenance.

With Plural, you don't need to manually piece together YAML files or wrestle with Helm charts. The runtime chart handles the heavy lifting, ensuring a consistent and reliable setup. It also allows you to easily customize settings like resource allocation and replica counts without delving into complex configuration files. This means less time spent on configuration management and more time focused on building and deploying your applications.

Installing Edge Networking Components

Setting up your edge networking involves Ingress, DNS registration, and SSL certificate management. Plural's plural up command simplifies this entire process. The runtime chart streamlines the installation of components like ingress-nginx, ensuring they’re correctly configured and integrated with your cluster. This includes setting up load balancing, TLS termination, and other essential features. Because plural up is driven by our declarative GitOps engine, your entire edge networking stack is managed as code, making it auditable, reproducible, and easy to roll back if needed. This gives you a clear history of changes and simplifies troubleshooting.

Configuring ExternalDNS as a Global Service

DNS registration is a critical part of edge networking. It automatically updates your DNS records when new services are added, so users can find your application. Plural uses ExternalDNS for this, integrating it seamlessly with the runtime chart. You can configure ExternalDNS as a GlobalService in Plural. This means you define it once, and it’s automatically deployed and managed across your entire fleet of Kubernetes clusters. This simplifies management and ensures consistent DNS configuration across all your environments, reducing the risk of errors and inconsistencies.

Next Steps with Plural

This latest ingress-nginx vulnerability is a reminder that automated, compatibility-aware update pipelines aren’t just convenient - they’re essential for any team serious about production Kubernetes. And with Plural, you get them out-of-the-box.

Want to learn more about how Plural can help automate your Kubernetes security posture? Let us know - we're always looking for ways to make managing Kubernetes less painful and more secure.

Related Articles

• How Plural can Help you Patch the Latest CVE for ingress-nginx
• Kubernetes Ingress and How Plural Makes It Safer
• 7 Benefits of Upgrading to a Cluster
• Best practices for multi-cluster Kubernetes upgrades
• Plural | Edge Kubernetes

Frequently Asked Questions

How does Plural handle upgrades for other Kubernetes components besides ingress-nginx?

Plural's Observer resource isn't limited to ingress-nginx. It works with any Kubernetes component you define, checking for new versions and ensuring compatibility with your cluster's Kubernetes version before suggesting an upgrade. You can configure multiple Observer resources to manage updates for your entire ecosystem.

What if my team uses a custom Ingress controller or a different Ingress solution altogether?

Plural is flexible enough to support custom or alternative Ingress solutions. While the blog post focuses on ingress-nginx as a common example, the underlying principles of version checking, compatibility validation, and automated PR generation apply regardless of the specific Ingress controller you use. You can adapt the Observer configuration to work with your chosen solution.

Is Plural only for managing security updates?

No. While security updates are a critical use case, Plural streamlines all kinds of Kubernetes upgrades and configuration changes. The Observer can track new features, performance improvements, or any other updates relevant to your components. The runtime chart simplifies initial setup and ongoing configuration management, reducing manual effort and ensuring consistency.

How does Plural's runtime chart work with my existing infrastructure as code setup?

Plural's runtime chart complements your existing IaC. It provides a standardized way to define and deploy common Kubernetes components, but you can still customize these deployments through your IaC tools. The runtime chart acts as a template, and you can override settings or add additional configurations as needed.

What are the prerequisites for using Plural's Kubernetes upgrade features?

You'll need a running Kubernetes cluster and a Plural installation. The blog post provides examples of Observer and runtime chart configurations, which you'll need to adapt to your specific environment. Plural's documentation offers detailed instructions on setting up and configuring these features.