With the sunset of Ingress NGINX, more organizations rely on Kubernetes Gateway API for its flexible traffic management, and the gateway is quickly becoming one of the highest-value cybercrime targets in the environment. That’s not surprising as it’s the front door to every service behind it. Additionally, routing also becomes more dynamic and distributed, which makes protecting everything far more critical but also increasingly complex, with web application firewall (WAF) technology that is more traditional and less flexible to deploy and operate.
Platform and security teams need a way to apply WAF protections consistently—across services, clusters, and environments—without relying on one-off changes and manual updates. That is a challenge we see all too often no matter the industry. And this is why we continue to invest in major enhancements that bring our industry-leading WAF technology to the latest Kubernetes-native environments.
Our F5 WAF for NGINX now integrates with F5 NGINX Gateway Fabric in addition to F5 NGINX Ingress Controller to make security manageable and deployable for both Gateway API implementations and on-prem ingress controller requirements.
Security that fits how Kubernetes teams work
In the post-Claude Mythos era, AI is eliminating the time between vulnerability discovery and exploitation. As update cycles become more frequent, operational simplicity becomes essential to any viable security solution.
That is why we designed F5 WAF for NGINX Gateway Fabric to be Kubernetes-native, including policy orchestration, which is often one of the most demanding parts of day-to-day WAF operations.
Whether using NGINX Gateway Fabric or NGINX Ingress Controller, teams get the same intent driven, automated approach to security they rely on across the rest of their platform. Instead of managing security policy “somewhere else,” they can bring it directly into cluster workflows and operate it with greater consistency.
This is critical because deploying enterprise grade WAF protections at the gateway allows common attacks—such as injection, cross site scripting, API abuse, and malicious bots—to be blocked at scale, before they ever reach application workloads. Without this, a single exposed endpoint can quickly become a cluster-wide risk.
With this solution, policy orchestration is Kubernetes-native. Common workflows, such as policy updates and security signature updates, can be managed through Kubernetes manifests.
To further simplify operations, we made the solution GitOps-friendly, allowing users to reference security policies directly from external Git repositories and manage them as part of their existing automation pipelines. We also introduced the ability to detect newer signature packages, enabling pipelines and automation workflows to be triggered automatically when updates are available. And for highly restricted environments, the solution supports fully air-gapped deployments—for example, by referencing policies only from local Git repositories and signature packages only from local artifact repositories.
What this means for everyone on the team
For Platform Ops, they gain one control plane for traffic and security. WAF policy operations fit the same Kubernetes-native model used for Gateway configuration, reducing tool sprawl to help drive operational consistency across clusters. Teams can standardize and replicate policies for shared gateways and multi-cluster platforms without reinventing processes per team (e.g., works with Gateway API adoption paths and OpenShift).
For SecOps, they can now put security policy where exposure is highest—at the gateway—so protections apply consistently across apps and APIs. This delivers several major benefits, like:
- Faster response to emerging threats: Automated signature updates help close the gap between new attack techniques and deployed defenses.
- Policy-driven controls that scale: Manage WAF policies as structured artifacts (JSON/YAML) to support review, validation, and repeatable rollout.
- Better coverage for modern APIs: Helps address common API-facing risks (injection, abuse, bots) without relying on every service team to implement defenses perfectly.
When it comes to DevOps, they can treat WAF policies like declarative artifacts, enabling those policies to move through GitOps/CI-style pipelines (and reuse these policies across services). Ultimately, this creates far less friction between all the teams, enabling easier Gateway API adoption while keeping security controls consistent across environments and deployment models.
Standardized, automated, and orchestrated security for every Kubernetes entry point
This solution within F5 WAF for NGINX enables management, validation, and modification of F5 WAF policies inside Kubernetes environments using formats that work well in modern pipelines, including JSON and YAML (alongside bundled formats). That’s a meaningful shift for teams trying to standardize security controls.
Additionally, security signature updates can be automated, helping reduce exposure windows and keeping protections aligned with evolving attack patterns. And importantly, this isn’t limited to one Kubernetes entry point style—F5 WAF delivers a consistent user experience across both NGINX Gateway Fabric and NGINX Ingress Controller.
With compatibility and prebuilt integration support for platforms like Red Hat OpenShift, you can deploy WAF capabilities in front of mission-critical workloads with the scale and operational structure you require.
Enterprise-grade WAF for both Gateway API and traditional ingress implementations
By integrating F5 WAF for NGINX with F5 NGINX Gateway Fabric, it’s now far easier to reduce manual effort, keep protections current with automated signature updates, and apply consistent policy across Gateway and ingress deployments. To sum it up in a few key principles:
- Bring WAF policy into Kubernetes workflows instead of managing it out of band
- Automate continuous protection through signature update automation
- Support both Gateway API and traditional ingress models for consistent security as architectures evolve
To learn more about how F5 WAF for NGINX can optimize your environment, visit our webpage or reach out to an expert on our team. Also, be sure to read our recent press release.
About the Author
Related Blog Posts
Kubernetes-native WAF for the gateway era: F5 WAF for NGINX now integrates with F5 NGINX Gateway Fabric
F5 extends WAFs to deliver consistent, scalable protection across clusters and environments with F5 NGINX Gateway Fabric and F5 NGINX Ingress Controller.
From dashboard fatigue to operational excellence: Why XOps needs F5 Insight for ADSP
Learn how F5 Insight for ADSP lays the visibility foundation for XOps—turning fragmented signals across applications and infrastructure into actionable intelligence.
The hidden cost of unmanaged AI infrastructure
AI platforms don’t lose value because of models. They lose value because of instability. See how intelligent traffic management improves token throughput while protecting expensive GPU infrastructure.
Govern your AI present and anticipate your AI future
Learn from our field CISO, Chuck Herrin, how to prepare for the new challenge of securing AI models and agents.
F5 recognized as one of the Emerging Visionaries in the Emerging Market Quadrant of the 2025 Gartner® Innovation Guide for Generative AI Engineering
We’re excited to share that F5 has been recognized in 2025 Gartner Emerging Market Quadrant(eMQ) for Generative AI Engineering.
Self-Hosting vs. Models-as-a-Service: The Runtime Security Tradeoff
As GenAI systems continue to move from experimental pilots to enterprise-wide deployments, one architectural choice carries significant weight: how will your organization deploy runtime-based capabilities?