The CNCF announced the retirement of Ingress-NGINX earlier this year. It’s an open source project that’s used by roughly half of all Kubernetes deployments, but it had one big flaw – it was being maintained by just two unpaid volunteers in their spare time. The announcement sent shockwaves through the entire cloud-native ecosystem, and it has also raised valid questions about the ethics and economics of open source, and what this means for organizations that rely on open source projects to run production systems.

If your organization relies on open source projects, it’s time to take stock of which of these projects are in a similar spot, and consider what actions you could take. The first step is to consider your own options and how reliant your stack is on these projects. Next, think about how you could get involved to keep these projects well supported. While the list of open source projects used at organizations today is long, we’re here to get you started on that path. Here are three projects worth putting on your radar.

External Secrets Operator (ESO)

In August 2025, External Secrets Operator — the widely-used Kubernetes tool for syncing secrets from providers like AWS, GCP, and Azure — officially froze all releases. The core team was burned out, and the project had narrowed down to a single quasi-full-time maintainer. The announcement was stark: “Money doesn’t write code, review pull requests, or manage releases.” The project had sponsorships and funding; however, it lacked what open source projects need most – people.

Since that announcement, the ESO project saw around 300 people hop on board to help maintain the project. This has given them a lifeline, and they’ve resumed releases; however, the project is still worth keeping on your radar. ESO manages secrets for fintech companies and government agencies globally.

Read more about the ESO freeze

FluxCD

In early 2024, Weaveworks — the company that created and employed most of FluxCD’s core maintainers — shut down without warning. Overnight, the GitOps tool used by thousands of Kubernetes teams lost the majority of its active contributors. For weeks, the project faced the real prospect of stagnation, unpatched security vulnerabilities, and growing incompatibility with new Kubernetes releases.

FluxCD was ultimately rescued through emergency intervention: a coalition of companies hired key maintainers and pledged ongoing support. It survived, but it is a case study in how quickly a project can go from healthy to existentially threatened. Since then, ArgoCD has picked up in adoption, and is the preferred option for most organizations looking for a replacement for FluxCD.

Read about the Weaveworks shutdown and what came next

FFmpeg

FFmpeg is the invisible backbone of modern video. It powers your browser’s video playback, your streaming service, your video conferencing tool. You’ve almost certainly used it today without knowing it. Billion-dollar companies depend on it. Most of their engineers have never heard of it.

It remains largely maintained by volunteers. As recently as late 2025, those developers were being buried by demands for security fixes from companies like Google — with no corresponding compensation. It’s sparked demands to “pay the maintainers” – and rightly so. FFmpeg is not a niche project with a niche user base, but foundational infrastructure that powers the modern internet, maintained by people doing it out of principle rather than pay.

Read The New Stack’s article on the FFmpeg problem

What you should do

None of this requires a big response. Start by simply auditing your dependencies. Any project with fewer than three active maintainers, long gaps between releases, or maintainers publicly asking for help is worth flagging. Look at whether the companies behind those projects are still operating. Check when the last security patch was released.
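The audit criteria above can be turned into a repeatable check. The following is an added example, not code from any of the projects mentioned: the project names and data are constructed, the 90-day activity window and 180-day release gap are assumed thresholds, and filtering authors ending in `[bot]` is a heuristic so that automated commits do not inflate the maintainer count.

```python
from datetime import date, timedelta

MIN_MAINTAINERS = 3                    # threshold named in the article
ACTIVE_WINDOW = timedelta(days=90)     # assumption: "active" = commit in last 90 days
MAX_RELEASE_GAP = timedelta(days=180)  # assumption: what counts as a "long gap"

def active_maintainers(commits, today):
    """Distinct human authors with a commit inside the activity window."""
    return {a for a, d in commits
            if today - d <= ACTIVE_WINDOW and not a.endswith("[bot]")}

def longest_release_gap(releases, today):
    """Longest interval between releases, incl. time since the latest; None if none."""
    points = sorted(releases) + [today]
    return max((b - a for a, b in zip(points, points[1:])), default=None)

def audit(project, today):
    """Return the list of risk flags for one dependency."""
    flags = []
    n = len(active_maintainers(project["commits"], today))
    if n < MIN_MAINTAINERS:
        flags.append(f"{n} active maintainer(s)")
    gap = longest_release_gap(project["releases"], today)
    if gap is None:
        flags.append("no releases")
    elif gap > MAX_RELEASE_GAP:
        flags.append(f"release gap of {gap.days} days")
    if project["help_wanted"]:
        flags.append("maintainers asking for help")
    if not project["backer_operating"]:
        flags.append("backing company no longer operating")
    return flags

# Constructed sample data (hypothetical projects, not real measurements).
PROJECTS = {
    "example-gateway": {
        "commits": [("alice", date(2025, 11, 20)), ("bob", date(2025, 10, 2)),
                    ("dependabot[bot]", date(2025, 11, 28)), ("carol", date(2025, 3, 1))],
        "releases": [date(2025, 1, 10), date(2025, 9, 15)],
        "help_wanted": True, "backer_operating": True},
    "example-parser": {
        "commits": [("dan", date(2025, 11, 1)), ("erin", date(2025, 11, 5)),
                    ("frank", date(2025, 10, 30))],
        "releases": [date(2025, 8, 1), date(2025, 11, 10)],
        "help_wanted": False, "backer_operating": True},
}

def report(today=date(2025, 12, 1)):
    return {name: audit(p, today) for name, p in PROJECTS.items()}
```

Calling `report()` returns the flags per dependency; in practice the commit and release lists would come from your own inventory of repository history and release pages.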

The companies extracting the most value from open source are rarely the ones contributing back. That imbalance is increasingly showing up as production risk. Ingress-NGINX made the news. Others may not, but they could leave your systems vulnerable nonetheless.
