Ingress Controllers Compared
| Feature | NGINX Ingress | Traefik | Envoy Gateway |
|---|---|---|---|
| Performance (RPS) | 50K+ | 40K+ | 60K+ |
| Memory (idle) | 100MB | 50MB | 150MB |
| Config reload | nginx reload (brief drop) | Hot reload (zero-drop) | Hot reload |
| Gateway API | β (v1.2+) | β | β (native) |
| Rate limiting | β (annotation) | β (middleware) | β (native) |
| mTLS | β | β | β |
| WASM plugins | β | β | β |
| Dashboard | β | β Built-in | β |
| License | Apache 2.0 | MIT | Apache 2.0 |
| Backing | F5/NGINX | Traefik Labs | Envoy/CNCF |
NGINX Ingress Controller
The most widely deployed (40%+ market share):
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: api
  annotations:
    # Limit each client IP to 100 requests per second
    nginx.ingress.kubernetes.io/limit-rps: "100"
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # cors-allow-origin only takes effect when CORS is enabled
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "https://app.example.com"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [api.example.com]
      secretName: api-tls
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api-service
                port:
                  number: 8080
```

Traefik
Auto-discovers services, built-in dashboard:
```yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: api
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`api.example.com`)
      kind: Rule
      services:
        - name: api-service
          port: 8080
      # Every middleware referenced here must exist as a Middleware resource
      middlewares:
        - name: rate-limit
        - name: compress
  tls:
    certResolver: letsencrypt
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: rate-limit
spec:
  rateLimit:
    average: 100
    burst: 200
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: compress
spec:
  compress: {}
```

Envoy Gateway (Gateway API Native)
The future, built on the Gateway API standard:
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: main
spec:
  gatewayClassName: envoy
  listeners:
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        mode: Terminate
        certificateRefs:
          - name: wildcard-tls
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: api-route
spec:
  parentRefs:
    - name: main
  hostnames:
    - "api.example.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /v1
      backendRefs:
        - name: api-v1
          port: 8080
          weight: 90
        - name: api-v2
          port: 8080
          weight: 10 # Canary!
```

When to Choose Which
| Scenario | Best Choice |
|---|---|
| Simple apps, proven stability | NGINX |
| Auto-discovery, Docker/Swarm migration | Traefik |
| Advanced traffic management, Gateway API | Envoy Gateway |
| Existing NGINX expertise | NGINX |
| Need built-in dashboard | Traefik |
| gRPC-heavy, HTTP/3 | Envoy Gateway |
| Maximum raw performance | Envoy Gateway |
Gateway API: The Future
Gateway API replaces Ingress as the standard. All three controllers now support it:
```yaml
# Same spec works across NGINX, Traefik, and Envoy
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
```

My recommendation for 2026: Start new projects with Gateway API. Migrate existing Ingress resources gradually.
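
During the gradual migration recommended above, controller annotations that carry security behaviour (rate limiting, HTTPS redirect, CORS) are not part of an HTTPRoute and can be lost without any error. The following Python is an added example, not from the original article or from any of the projects it compares; the `migrate` helper, the `<name>-<index>` route naming and the Gateway name `main` are assumptions, and the input is a constructed sample modelled on the NGINX Ingress shown earlier.

```python
# Constructed sample modelled on the page's NGINX Ingress, in the shape
# `kubectl get ingress api -o json` returns.
INGRESS = {
    "metadata": {"name": "api", "annotations": {
        "nginx.ingress.kubernetes.io/limit-rps": "100",
        "nginx.ingress.kubernetes.io/ssl-redirect": "true",
        "nginx.ingress.kubernetes.io/cors-allow-origin": "https://app.example.com"}},
    "spec": {
        "tls": [{"hosts": ["api.example.com"], "secretName": "api-tls"}],
        "rules": [{"host": "api.example.com", "http": {"paths": [
            {"path": "/", "pathType": "Prefix",
             "backend": {"service": {"name": "api-service", "port": {"number": 8080}}}}]}}]},
}
PATH_TYPES = {"Prefix": "PathPrefix", "Exact": "Exact"}  # Ingress pathType -> HTTPRoute match type

def migrate(ingress, gateway="main"):
    """Return (routes, review): one HTTPRoute per Ingress rule, plus manual follow-ups."""
    meta, spec = ingress["metadata"], ingress["spec"]
    # Controller annotations (rate limit, redirect, CORS) have no meaning on an HTTPRoute.
    review = [f"annotation not carried over: {k}={v}"
              for k, v in sorted(meta.get("annotations", {}).items())]
    for tls in spec.get("tls", []):  # certificates live on the Gateway listener
        review.append(f"reference Secret {tls['secretName']} from a listener on Gateway {gateway}")
    routes = []
    for i, rule in enumerate(spec.get("rules", [])):
        out_rules = []
        for p in rule.get("http", {}).get("paths", []):
            kind = PATH_TYPES.get(p["pathType"])
            svc = p["backend"].get("service", {})
            if kind is None or "number" not in svc.get("port", {}):
                review.append(f"path {p.get('path')} ({p['pathType']}) needs manual conversion")
                continue
            out_rules.append({
                "matches": [{"path": {"type": kind, "value": p["path"]}}],
                "backendRefs": [{"name": svc["name"], "port": svc["port"]["number"]}]})
        route = {"apiVersion": "gateway.networking.k8s.io/v1", "kind": "HTTPRoute",
                 "metadata": {"name": f"{meta['name']}-{i}"},
                 "spec": {"parentRefs": [{"name": gateway}], "rules": out_rules}}
        if rule.get("host"):
            route["spec"]["hostnames"] = [rule["host"]]
        routes.append(route)
    return routes, review

if __name__ == "__main__":
    import json
    routes, review = migrate(INGRESS)
    print(json.dumps(routes, indent=2))
    print("\n".join("REVIEW: " + item for item in review))
```

Each review item needs an equivalent on the Gateway side, in whatever filter or policy mechanism the chosen controller provides, before the Ingress is deleted.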