diff --git a/master_node_install.sh b/master_node_install.sh
index 4620593..088ee34 100644
--- a/master_node_install.sh
+++ b/master_node_install.sh
@@ -5,7 +5,7 @@ set -Eeuo pipefail
 # Arch Linux Kubernetes Control Plane
 # Fully automated master node installer
 # + Helm
-# + Traefik
+# + ingress-nginx
 # + cert-manager
 # + Rancher
 ########################################
@@ -20,19 +20,21 @@ JOIN_COMMAND_FILE="/root/kubeadm-join-command.sh"
 INSTALL_HELM="${INSTALL_HELM:-true}"
 INSTALL_RANCHER="${INSTALL_RANCHER:-true}"
-# Single-node/lab convenience
+# Single-node/lab convenience:
+# Rancher, ingress-nginx, cert-manager, CoreDNS, etc. need schedulable capacity.
+# On a single control-plane node, removing the control-plane taint is the simplest way.
 ALLOW_WORKLOADS_ON_CONTROL_PLANE="${ALLOW_WORKLOADS_ON_CONTROL_PLANE:-true}"
 # Rancher settings
 RANCHER_REPO_CHANNEL="${RANCHER_REPO_CHANNEL:-stable}" # stable | latest | alpha
 RANCHER_BOOTSTRAP_PASSWORD="${RANCHER_BOOTSTRAP_PASSWORD:-}"
 RANCHER_HOSTNAME="${RANCHER_HOSTNAME:-}" # if empty, auto-generate rancher..sslip.io
-RANCHER_REPLICAS="${RANCHER_REPLICAS:-1}"
+RANCHER_REPLICAS="${RANCHER_REPLICAS:-1}" # 1 for single-node lab installs
 RANCHER_NAMESPACE="${RANCHER_NAMESPACE:-cattle-system}"
-# Traefik settings
-TRAEFIK_NAMESPACE="${TRAEFIK_NAMESPACE:-traefik}"
-TRAEFIK_INGRESS_CLASS_NAME="${TRAEFIK_INGRESS_CLASS_NAME:-traefik}"
+# ingress-nginx settings
+INGRESS_NAMESPACE="${INGRESS_NAMESPACE:-ingress-nginx}"
+INGRESS_CLASS_NAME="${INGRESS_CLASS_NAME:-nginx}"
 # cert-manager settings
 CERT_MANAGER_NAMESPACE="${CERT_MANAGER_NAMESPACE:-cert-manager}"
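Review bot: The comment added above `ALLOW_WORKLOADS_ON_CONTROL_PLANE` calls removing the control-plane taint "the simplest way" but does not say what it costs. With the default `true`, any workload can be scheduled next to etcd and the API server, including the host-networked ingress controller this script installs later. I would add a line such as `# Lab only: set to false once worker nodes exist, so ingress and application pods stay off the control plane.` Separately, `TRAEFIK_NAMESPACE` and `TRAEFIK_INGRESS_CLASS_NAME` are dropped without a fallback, so an environment that still exports them is silently ignored. A warning when either is set, or a note in the header comment, would make the rename visible to operators.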
@@ -294,7 +296,7 @@ chmod 600 /root/rancher-bootstrap-password.txt
 # ---------- Step 21: Install Helm repos ----------
 if [[ "${INSTALL_HELM}" == "true" ]]; then
 log "Configuring Helm repositories"
- helm_repo_add_force traefik https://traefik.github.io/charts
+ helm_repo_add_force ingress-nginx https://kubernetes.github.io/ingress-nginx
 helm_repo_add_force jetstack https://charts.jetstack.io
 case "${RANCHER_REPO_CHANNEL}" in
@@ -318,34 +320,29 @@ if [[ "${INSTALL_HELM}" == "true" ]]; then
 helm repo update
 fi
-# ---------- Step 22: Install Traefik ----------
+# ---------- Step 22: Install ingress-nginx ----------
 if [[ "${INSTALL_RANCHER}" == "true" ]]; then
- log "Installing Traefik"
+ log "Installing ingress-nginx"
- kubectl_ns_apply "${TRAEFIK_NAMESPACE}"
+ kubectl_ns_apply "${INGRESS_NAMESPACE}"
- helm upgrade --install traefik traefik/traefik \
- --namespace "${TRAEFIK_NAMESPACE}" \
+ helm upgrade --install ingress-nginx ingress-nginx/ingress-nginx \
+ --namespace "${INGRESS_NAMESPACE}" \
 --create-namespace \
- --set deployment.kind=DaemonSet \
- --set updateStrategy.type=RollingUpdate \
- --set updateStrategy.rollingUpdate.maxUnavailable=1 \
- --set updateStrategy.rollingUpdate.maxSurge=0 \
- --set hostNetwork=true \
- --set deployment.dnsPolicy=ClusterFirstWithHostNet \
- --set ingressClass.enabled=true \
- --set ingressClass.isDefaultClass=true \
- --set ingressClass.name="${TRAEFIK_INGRESS_CLASS_NAME}" \
- --set providers.kubernetesIngress.enabled=true \
- --set ports.web.port=80 \
- --set ports.websecure.port=443 \
- --set service.enabled=false \
- --set logs.general.level=INFO \
+ --set controller.kind=DaemonSet \
+ --set controller.hostNetwork=true \
+ --set controller.dnsPolicy=ClusterFirstWithHostNet \
+ --set controller.service.type=ClusterIP \
+ --set controller.ingressClass="${INGRESS_CLASS_NAME}" \
+ --set controller.ingressClassResource.name="${INGRESS_CLASS_NAME}" \
+ --set controller.ingressClassResource.default=true \
+ --set controller.watchIngressWithoutClass=true \
+ --set controller.reportNodeInternalIp=true \
 --wait \
 --timeout 15m
- log "Waiting for Traefik rollout"
- kubectl -n "${TRAEFIK_NAMESPACE}" rollout status daemonset/traefik --timeout=15m
+ log "Waiting for ingress-nginx controller"
+ kubectl -n "${INGRESS_NAMESPACE}" rollout status daemonset/ingress-nginx-controller --timeout=15m
 fi
 # ---------- Step 23: Install cert-manager ----------
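Review bot: `controller.hostNetwork=true` puts every listener of the controller pod on the node's own interfaces, not only 80 and 443, and this node is the control plane. With the chart's defaults that most likely includes the admission webhook and the metrics/health endpoints, which is worth confirming against the chart's values. The script's closing notes only tell the operator to allow 80 and 443, so I would add a line there saying that all other controller ports must stay closed to outside networks. `controller.watchIngressWithoutClass=true` combined with `controller.ingressClassResource.default=true` also makes the controller serve any Ingress that names no class; that is fine for a single-tenant lab but deserves a comment above the `helm upgrade` call. The chart is installed without `--version`, so each run pulls whatever the repo currently serves; pinning it, e.g. `--version "${INGRESS_NGINX_CHART_VERSION}"` with a tested default set next to `INGRESS_CLASS_NAME`, keeps installs reproducible and reviewable.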
@@ -379,7 +376,7 @@ if [[ "${INSTALL_RANCHER}" == "true" ]]; then
 --set hostname="${RANCHER_HOSTNAME}" \
 --set bootstrapPassword="${RANCHER_BOOTSTRAP_PASSWORD}" \
 --set replicas="${RANCHER_REPLICAS}" \
- --set ingress.ingressClassName="${TRAEFIK_INGRESS_CLASS_NAME}" \
+ --set ingress.ingressClassName="${INGRESS_CLASS_NAME}" \
 --wait \
 --timeout 20m
@@ -424,7 +421,7 @@ if [[ "${INSTALL_RANCHER}" == "true" ]]; then
 echo
 echo "Notes:"
 echo " - sslip.io is used automatically when RANCHER_HOSTNAME is not set."
- echo " - Because Traefik is using host networking, access Rancher directly on this node's IP over 443."
+ echo " - Because ingress-nginx is using host networking, access Rancher directly on this node's IP over 443."
 echo " - If a local firewall is enabled, ensure ports 80 and 443 are allowed."
 echo
 fi
\ No newline at end of file