Microgateway 5.0

Kubernetes security for the time after Ingress NGINX

The new release brings improvements in both security and operability: step-up authentication for OIDC, ICAP integration for inline malware scanning, OpenTelemetry tracing for end-to-end request visibility, and CEL-based CRD validation, which replaces the validating webhook and thus reduces operational overhead.

It also prepares you for what’s next in Kubernetes networking: with Ingress NGINX entering retirement by March 2026 and the ecosystem moving toward Gateway API, Airlock Microgateway is ready for the transition and improves your long-term cryptographic posture against post-quantum “harvest now, decrypt later” risks.

Kubernetes Ingress is frozen and Ingress NGINX is being phased out – Microgateway is ready

The Kubernetes SIG Network and the Security Response Committee have announced the discontinuation of the Ingress NGINX controller by March 2026 (source: Kubernetes blog).

The future is called Kubernetes Gateway API.

Airlock Microgateway has already passed the official conformance tests with version 4.4 and has significantly expanded its feature set since then. We actively contribute to the further development of the standard. Together with vendors such as Google, Microsoft, Red Hat and Isovalent, we contribute our expertise, including on the new BackendTLSPolicy feature in Gateway API 1.4.

Airlock Microgateway is currently the only Kubernetes-native WAAP solution with:

  • Gateway API support
  • native OIDC RP integration
  • strong deny rules
  • Red Hat OpenShift certification

In short: a future-proof platform for API and microservice security.

Post-Quantum Cryptography – Protection against "Harvest Now, Decrypt Later"

Attackers are already collecting encrypted data today with the intention of decrypting it later using quantum computers. Microgateway 5.0 addresses this "harvest now, decrypt later" threat with several important enhancements that make your systems resistant to future quantum attacks:

  • Secure by default: PQC-capable KEM groups (Key Encapsulation Mechanisms) are enabled by default. 
  • Hybrid Key Exchanges: Classical and post-quantum algorithms are combined. This ensures that connections remain secure even if one of the methods is broken in the future.
  • Reporting: The logging clearly shows which clients already use PQC-capable groups. TLS key exchange groups appear in TLS-SESS-START and are also available as ENV cookies and rewrite variables.
  • Performance: PQC introduces no relevant performance degradation on the same hardware.
  • Broad compatibility: Chromium-based browsers such as Chrome and Edge already support PQC. Apple will enable PQC automatically with iOS/macOS 26. Firefox offers PQC support via a configuration switch.

These capabilities have been evaluated in PoCs with customers and partners since early 2024, and the findings have been directly incorporated into Microgateway 5.0.

Further information can be found in our blog article.

OIDC step-up authentication for risk-based access control

Microgateway lets you require a higher authentication level for sensitive paths and actions, such as admin screens, member areas, or high-risk transactions.

  • Enforce strong authentication only where it matters.
  • Configure it directly alongside existing access control policies.
  • Prevent redirect loops if the user cannot satisfy the required authentication level.
  • Use a standards-based setup with acr_values or by ensuring the requested scope is issued.

Step-up authentication can be configured with any OIDC provider supporting this standard.
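
The decision an OIDC relying party makes for step-up, including the redirect-loop guard, sketched as an added example. This is not Airlock code or Microgateway configuration; the endpoint, client values, session layout and function names are assumptions made for illustration.

```python
import secrets
from urllib.parse import urlencode

# Hypothetical RP/IdP values, constructed for this example.
AUTHZ_ENDPOINT = "https://idp.example.test/authorize"
CLIENT_ID = "demo-rp"
REDIRECT_URI = "https://app.example.test/callback"


def satisfied(requirement, session):
    """True if the session's token data meets the path's requirement."""
    if "acr" in requirement:
        # Exact match on the acr claim taken from the validated ID token.
        return session.get("acr") == requirement["acr"]
    # Scope variant: the required scope must be among the granted scopes.
    return requirement["scope"] in session.get("scope", "").split()


def step_up_request(requirement, state):
    """Authorization request asking the IdP for the stronger level."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid", "state": state}
    if "acr" in requirement:
        params["acr_values"] = requirement["acr"]
    else:
        params["scope"] = "openid " + requirement["scope"]
    return AUTHZ_ENDPOINT + "?" + urlencode(params)


def decide(requirement, session):
    """Return (action, detail) for one request to a protected path."""
    if satisfied(requirement, session):
        return ("allow", None)
    key = requirement.get("acr") or requirement["scope"]
    attempted = session.setdefault("attempted", set())
    # Loop guard: a step-up for this requirement was already tried in this
    # session and the IdP still did not grant it. Redirecting again would
    # bounce the user between RP and IdP, so answer with 403 instead.
    if key in attempted:
        return ("deny", 403)
    attempted.add(key)
    session["state"] = secrets.token_urlsafe(16)  # bind the response to us
    return ("redirect", step_up_request(requirement, session["state"]))
```
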

ICAP support blocks malware before it reaches your web application

Microgateway can hand off HTTP requests to an external ICAP server for inspection using the Internet Content Adaptation Protocol (RFC 3507).

  • Block malware by integrating an external antivirus scanner via ICAP.
  • Keep deployments lean and scalable by offloading scanning to a dedicated ICAP service.
  • Enforce security policy inline at Microgateway by connecting ICAP-based security services.
  • Integrate with existing malware scanning ecosystems through a standards-based interface.

Connecting your ICAP scanning service to Microgateway blocks malware before it reaches your workloads.

Tracing support for end-to-end request visibility

Microgateway can send traces so you can follow a single request end-to-end across Pods and Services using OpenTelemetry-compatible backends.

  • Troubleshoot faster by pinpointing which hop failed and where latency was introduced.
  • Gain performance insight through spans that capture timing and dependencies, making bottlenecks and slow components obvious.
  • Fit into your existing observability stack with OpenTelemetry ecosystem compatibility.
  • Avoid vendor lock-in by using a widely adopted industry standard.

With tracing support, you turn “guessing from logs” into actionable trace visualizations for complex Kubernetes request flows.

Common Expression Language (CEL) validation in CRD

Microgateway 5.0 now validates its Kubernetes Custom Resources using CEL validation rules directly in the CRD schema instead of relying on a validating admission webhook.

By replacing the validating admission webhook with CEL rules in the CRD, Microgateway 5.0 reduces operational overhead: there is no webhook component to run and maintain. Since the webhook is gone, cert-manager is no longer a prerequisite for deploying Microgateway.

Switching to CEL-based validation simplifies deployment and alleviates your operational headache.

First on-site trainings now available – News from the Airlock Academy

Over the past months, we have expanded the Airlock Academy with brand-new Microgateway content designed to get teams productive faster. These two additions make it easier to start, learn, and roll out Airlock Microgateway with confidence.

New self-study labs: In 7 hands-on labs, you can explore the features of Airlock Microgateway step by step. Start the labs and get hands-on today!

On-site training 2026: Our first on-site trainings in 2026 are now open for registration! Find the next dates here.

This new release introduces numerous improvements for greater security, flexibility, and seamless integration. We look forward to your suggestions and feedback as we continue to improve Microgateway!

Airlock Microgateway 5.0 release video

Watch our release video to find out about all the new features of Airlock Microgateway 5.0.
