
Traefik Labs Makes Ingress NGINX Replacement GA, Adds Multi-Cluster API Federation and Agent-Aware AI Controls

SAN FRANCISCO--(BUSINESS WIRE)--Traefik Labs today shipped Traefik Proxy 3.7 and Traefik Hub 3.20, turning the Ingress NGINX migration forced by the Kubernetes project's retirement into a broader runtime-governance upgrade for platform teams. Proxy 3.7 makes Traefik's Ingress NGINX replacement generally available with 90%+ annotation coverage through 85 supported Ingress NGINX annotations. Hub 3.20 adds multi-cluster API federation, Nutanix Prism Central service discovery, gateway-level OpenAPI schema enforcement, FIPS 140-3 support, ModSecurity support to preserve WAF protections, and agent-aware AI controls for token cost, latency, custom data protection, and structured refusals.

This coordinated release builds on Traefik's March announcements: major platform vendors standardizing on Traefik Proxy as strategic Kubernetes ingress, and Traefik Hub's NVIDIA GTC preview of deeper LLM and MCP runtime governance. Teams migrating ingress traffic are often the same teams tasked with governing APIs, LLM traffic, and agent access without adding more gateway sprawl.

"This release is about operational consolidation. Platform teams should not have to solve ingress migration in one stack, API governance in another, and AI guardrails in a third. Proxy 3.7 and Hub 3.20 bring those responsibilities together, with migration coverage for real Ingress NGINX estates and guardrails that return responses agents can actually use."
- Sudeep Goswami, CEO, Traefik Labs

Traefik Proxy 3.7: Replacement Moves From Claim to GA

Traefik introduced the Ingress NGINX provider as an experimental capability in v3.5. In v3.7, it becomes a supported GA path for organizations responding to the Ingress NGINX retirement. Once enabled, Traefik reads existing Ingress NGINX resources and translates supported annotations into Traefik's routing model, reducing manifest rewrites before migration.

The 90%+ annotation coverage was prioritized using anonymized telemetry from Traefik's open-source migration tool. Real migrations are rarely blocked by the happy path. They are blocked by long-tail production annotations.

Proxy 3.7 also adds partial support for the complex configuration-snippet, server-snippet, and auth-snippet annotations. Rather than templating raw user input into runtime configuration, Traefik parses supported snippet content into structured input through a curated allowlist. The result is coverage for common snippet patterns without recreating the raw templating risk.

The release also targets day-two operations: a certificates view for TLS visibility, middlewares on services, Gateway API v1.5.1 support, and status-code-driven retry and failover for degraded upstream responses.

Traefik Hub 3.20: Less Fragmentation Across Distributed APIs

Hub 3.20 addresses a common platform problem: APIs are spread across clusters, but portals and governance workflows often remain fragmented. New multi-cluster support introduces a parent-child model with Uplink resources and Multi-Cluster API Portals, enabling APIs from multiple clusters to be published through a single portal and governed centrally.

The Nutanix Prism Central Provider extends Hub discovery to VM-based services through Prism Central categories, enabling teams to expose and govern those workloads without first moving them into Kubernetes.

OpenAPI Request Body Schema Validation turns API definitions into runtime enforcement. Hub can reject undocumented paths or schema-mismatched payloads at the gateway, helping teams reduce zombie endpoints and inconsistent validation across services.

FIPS 140-3 support helps federal agencies and regulated organizations qualify Traefik Hub for new API gateway procurements after September 2026, when FIPS 140-2 validated modules move to the CMVP Historical List and are no longer recommended for new federal systems.

For Ingress NGINX migrations, ModSecurity support for the Ingress NGINX provider helps preserve WAF behavior instead of treating security parity as a post-migration project. Hub 3.20 also adds API Portal Custom Content, OIDC trusted issuers, configurable JWT header names, OAuth scopes, and externalized API-key source configuration.

AI Runtime Governance That Fits Agent Workflows

Traefik has already shipped production AI runtime governance through Traefik Hub's Triple Gate architecture. Hub 3.20 makes that governance more operationally useful where cost, latency, custom data rules, and agent control flow matter.

AI Token Rate Limit & Quota Middleware gives teams burst-tolerant token rate limits and hard token quotas. With pre-request estimation and shared state across gateway replicas, Hub can reject oversized or over-budget prompts before they reach the model. Token controls become an active policy, not after-the-fact reporting.

Parallel LLM Guard Middleware runs multiple guardrails concurrently against the same prompt, allowing defense-in-depth without stacking the latency of each guard.

Content Guard Regex Engine lets teams define company-specific deterministic patterns, such as product codenames, customer identifiers, regulated IDs, or proprietary formats.

Guard onDenyResponse, clientRequestFormat, and Responses API support address a failure mode that matters for agents. Instead of returning only a hard HTTP 403, Hub can return refusals in the LLM message format the client expects, including Chat Completions JSON, Responses API refusal, raw text, or custom formats. Agents can handle blocked requests as normal control flow rather than crashing mid-workflow.

Availability

Traefik Proxy 3.7 is available on GitHub and Docker Hub. Traefik Hub 3.20 is available at traefik.io/traefik-hub. Ingress NGINX migration resources are available at ingressnginxmigration.org.

About Traefik Labs

Traefik Labs is the company behind Traefik Proxy, the cloud-native application proxy with 3.4B+ downloads and 63k+ GitHub stars, and Traefik Hub, the API management platform for API, LLM, and MCP governance.

Contacts

Press Contact | Dylan Rodgers | marketing@traefik.io
