Kubernetes users face a huge deadline

Today: Kubernetes installations that use the Ingress NGINX controller have a month to make new arrangements, Salesforce sends Heroku into early retirement, and the latest funding rounds in enterprise tech.




Beware the ides of March

After ten years of enormous growth on its way to becoming a standard for container orchestration, the Kubernetes community is proud of the fact that the project has become "boring," which means most people consider it stable and reliable. But around half of its users face a cliffhanger over the next several weeks that could leave their clusters open to attack if left unaddressed.

As of the end of March 2026 — next month — Kubernetes will no longer support the popular Ingress NGINX controller with bug fixes or security patches, and users will be forced to migrate to an alternative or put their clusters at risk. As of the end of January around 50% of Kubernetes installations were still using that controller, according to Kat Cosgrove, head of developer advocacy at Minimus and a member of the Kubernetes Steering Committee.

  • The controller manages how outside users safely access Kubernetes clusters, and the Ingress NGINX controller has been the default option for administrators for several years.
  • But the discovery of several severe security flaws in late 2024 and early 2025 revealed problems with the initial design of the project that were exposed as Kubernetes evolved.
  • "Ingress NGINX was designed with a ton of flexibility that for a long time was a good thing, but over time has become a pretty significant security problem," Cosgrove said in an interview with Runtime.
  • Last November at KubeCon North America, Kubernetes leaders decided that the security problem was insurmountable; some people wanted to shut down support for Ingress NGINX immediately, while the project's maintainers wanted to give users a year to find alternatives, and according to Cosgrove the committee settled on six months.

The Ingress NGINX problem is just the most recent example of the pressures faced by maintainers of popular open-source projects to keep up with the speed of modern enterprise tech trends while operating largely on their own. According to the Kubernetes Steering Committee, Ingress NGINX "has been maintained solely by one or two people working in their free time," despite its central role in the Kubernetes ecosystem, which generates billions in revenue for enterprise tech companies.

  • Those maintainers put out calls for help several years ago when it might have been possible to alter the direction of Ingress NGINX toward a more secure design, but those calls went unanswered until it was too late, Cosgrove said.
  • "It doesn't matter how many people you throw at it now. … Ingress NGINX fundamentally needed to go eventually because of the way it was built, but the problem was certainly exacerbated by maintainer burnout, which I think is going to increasingly become a security problem," she said.
  • Open source maintainers and users have been talking about the burnout problem for a very long time, introducing several proposals to pay maintainers directly for their efforts, but nothing seems to have fundamentally changed.
  • "There are a ton of really, really, really small projects with just one or two maintainers that are also propping up a significant portion of the world's digital infrastructure, and if one of them raised a red flag and said, 'hey, I need help,' it might be that nobody listens because they aren't the second largest open-source project in the world," Cosgrove said.

In the short term, however, Kubernetes users still need to put in the work to migrate off Ingress NGINX, which for the record has no affiliation with F5's NGINX ("naming things is hard," Cosgrove joked, invoking an age-old truth about computer science).

  • The Kubernetes project recommends Gateway API, which is an official part of the larger project, and there are several other alternatives.
  • The amount of work involved in making the switch depends greatly on the size and complexity of a company's Kubernetes cluster, Cosgrove said, but anyone starting from scratch at this point will be under the gun to make the switch before the last release comes out around KubeCon Europe in late March.
  • "The last release of Ingress NGINX is going to be as secure as we can make it," Cosgrove said, but "any vulnerability that's found in it after the shutdown is going to be actively exploitable [at] anybody who has not moved off of it."



When PaaS becomes passé

It's generally safe to assume that when multibillion-dollar corporations decide to make announcements on a Friday, they're not exactly trying to maximize impact. Salesforce executed a classic news dump as the weekend began by revealing that it would no longer develop new features for Heroku, the pioneering platform-as-a-service product it acquired 15 years ago.

"Today, Heroku is transitioning to a sustaining engineering model focused on stability, security, reliability, and support," chief product officer Nitin Bhat wrote in a terse blog post. Salesforce will continue to operate the platform and existing customers will see no immediate changes, but it will not sell enterprise contracts to new customers.

“The combination of declining innovation, rising relative cost, and growing opportunity cost of engineering resources likely informed Salesforce’s decision to shift investment toward higher-growth priorities, including AI-centric services and broader cloud integrations,” Avasant's Chandrika Dutt told InfoWorld. In its heyday Heroku was a very popular tool for building applications without having to think about infrastructure, but modern developers prefer newer alternatives like Vercel and Fly.io.


Enterprise funding

Databricks added another $5 billion in new funding to the Series L round it raised in December, which valued the company at $134 billion.

Cerebras Systems raised $1 billion in Series H funding, which values the AI chip company at $23 billion.

Positron landed $230 million in Series B funding for its chip technology, which like Cerebras is trying to win AI inference business away from Nvidia.

Oxide scored $200 million in Series C funding for its server designs, which bring the tricks that the cloud hyperscalers use to tune their servers to companies that want to manage their own hardware.

Vega raised $120 million in Series B funding for its security technology, which uses data analytics to improve threat detection.

Entire launched with $60 million in seed funding as it builds out a new agent-friendly developer platform led by former GitHub CEO Thomas Dohmke.


The Runtime roundup

GitHub users were hit with several incidents Monday affecting fundamental parts of the service like pull requests and issues, in what appears to be just the latest example of its fight to stay up and running during the last few months.

Cloudflare beat Wall Street's expectations for revenue and profit and raised its guidance for the current quarter, sending its stock up more than 13% in after-hours trading Tuesday.

Kyndryl's stock was cut in half Monday after it reported accounting irregularities and the departure of both its chief financial officer and its general counsel.

Salesforce CEO Marc Benioff seems profoundly incapable of reading the room these days, kicking off a company-wide meeting Tuesday with jokes about ICE agents tracking employees.




Thanks for reading — see you Thursday!
