Allow negative or duplicate group ordering #4067

@nabadger

Description

Describe the feature you are requesting

Currently you can configure the order of rules on the ALB using alb.ingress.kubernetes.io/group.order

If you want to introduce a rule that is always evaluated first, it suggests you have to set the group.order on ALL ingresses
in that group.

That's not possible to achieve for us (ingresses are created across different teams/apps). We also want to keep the number of groups to a minimum.

Motivation

A fairly common requirement is to introduce a default high priority rule that denies access to /metrics and common health endpoints. This is our main use-case.

Describe the proposed solution you'd like

Either allowing negative group-orders, or duplicate group orders would help us.

Option 1. Negative ordering. This means we could set the deny-rule for metrics to -1. The current default is 0, at which point we don't have to modify any other existing ingress here.

Option 2. Duplicate group-ordering. This means we could set the deny-rule for metrics to 1, and set the existing metrics to 2.

Describe alternatives you've considered

I think we were wrongly relying on the lexical ordering of ingresses. I believe it takes into account the namespace as well, so an ingress named 1-deny-monitoring-endpoints is not enough for us. It wouldn't be ideal for us to introduce a namespace a (for example) just to hold this ingress.

Contribution Intention (Optional)

- [ ] Yes, I am willing to contribute a PR to implement this feature
- [x] No, I cannot work on a PR at this time
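An added illustration of the ordering problem described in the issue above (editor's example, not code from the issue author or the controller project). It assumes the controller sorts an IngressGroup ascending by group.order, breaks ties lexically on "namespace/name", and then assigns consecutive ALB rule priorities; the ingress names are constructed sample data.

```python
from dataclasses import dataclass

ORDER_ANNOTATION = "alb.ingress.kubernetes.io/group.order"
DEFAULT_ORDER = 0  # what an ingress without the annotation gets (per the issue)


@dataclass(frozen=True)
class Ingress:
    namespace: str
    name: str
    order: int = DEFAULT_ORDER  # value of the group.order annotation

    @property
    def key(self) -> str:
        return f"{self.namespace}/{self.name}"


def rule_priorities(group: list[Ingress]) -> list[tuple[int, str]]:
    """Map an IngressGroup to (ALB rule priority, namespace/name) pairs.

    Assumed controller behaviour: sort ascending by group.order, break ties
    lexically on "namespace/name", then hand out priorities 1, 2, 3, ...
    ALB rule priorities must be unique positive integers, so only the
    position in this list reaches the listener, never the raw order value.
    """
    ordered = sorted(group, key=lambda i: (i.order, i.key))
    return [(prio, i.key) for prio, i in enumerate(ordered, start=1)]


def first_rule(group: list[Ingress]) -> str:
    """namespace/name of the ingress whose rule is evaluated first."""
    return rule_priorities(group)[0][1]


# Constructed sample group: two team-owned ingresses nobody else controls,
# plus the deny-monitoring-endpoints ingress that should be evaluated first.
TEAM_A = Ingress("app-a", "web")
TEAM_B = Ingress("app-b", "api")
DENY_BY_NAME = Ingress("platform", "1-deny-monitoring-endpoints")
DENY_ORDER_1 = Ingress("platform", "1-deny-monitoring-endpoints", order=1)

if __name__ == "__main__":
    # Name alone loses: "app-a/..." sorts before "platform/1-deny..." at order 0.
    print(rule_priorities([TEAM_A, TEAM_B, DENY_BY_NAME]))
    # order=1 alone also loses, because the unannotated ingresses sit at 0.
    print(rule_priorities([TEAM_A, TEAM_B, DENY_ORDER_1]))
    # Only re-ordering every ingress in the group (option 2) puts deny first.
    print(rule_priorities([Ingress("app-a", "web", 2),
                           Ingress("app-b", "api", 2), DENY_ORDER_1]))
```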

Activity

zac-nixon (Collaborator) commented on Feb 28, 2025

Hi. While these are interesting suggestions the ELB APIs that back the controller do not allow duplicate or negative priorities.

https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-rules.html

I have some concerns about this statement:

A fairly common requirement is to introduce a default high priority rule that denies access to /metrics and common health endpoints. This is our main use-case.

Why are you exposing these endpoints on your load balancer? Ideally, you would put this kind of internal stuff behind another port that the LB can't route to.

k8s-triage-robot commented on May 29, 2025

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

Label lifecycle/stale (denotes an issue or PR that has remained open with no activity and has become stale) added on May 29, 2025
k8s-triage-robot commented on Jun 28, 2025

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle rotten
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten

Label lifecycle/rotten (denotes an issue or PR that has aged beyond stale and will be auto-closed) added, and lifecycle/stale removed, on Jun 28, 2025