Description
Describe the feature you are requesting
Currently you can configure the order of rules on the ALB using alb.ingress.kubernetes.io/group.order.
If you want to introduce a rule that is always evaluated first, it suggests you have to set the group.order on ALL ingresses in that group.
That's not possible to achieve for us (ingresses are created across different teams/apps). We also want to keep the number of groups to a minimum.
Motivation
A fairly common requirement is to introduce a default high priority rule that denies access to /metrics and common health endpoints. This is our main use-case.
Describe the proposed solution you'd like
Either allowing negative group-orders, or duplicate group orders would help us.
Option 1. Negative ordering. This means we could set the deny-rule for metrics to -1. The current default is 0, at which point we don't have to modify any other existing ingress here.
Option 2. Duplicate group-ordering. This means we could set the deny-rule for metrics to 1, and set the existing metrics to 2.
Describe alternatives you've considered
I think we were wrongly relying on the lexical ordering of ingresses. I believe it takes into account the namespace as well, so an ingress named 1-deny-monitoring-endpoints is not enough for us. It wouldn't be ideal for us to introduce a namespace a (for example) just to hold this ingress.
Contribution Intention (Optional)
- [ ] Yes, I am willing to contribute a PR to implement this feature
- [x] No, I cannot work on a PR at this time
Activity
zac-nixon commented on Feb 28, 2025
Hi. While these are interesting suggestions the ELB APIs that back the controller do not allow duplicate or negative priorities.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-update-rules.html.
I have some concerns about this statement:
Why are you exposing these endpoints on your load balancer? Ideally, you would put this kind of internal stuff behind another port that the LB can't route to.
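To illustrate both the /metrics concern in the description and the suggestion above of keeping internal endpoints on a port the load balancer cannot route to, here is an added example (not from the issue or the aws-load-balancer-controller project): the Service the Ingress targets exposes only the application port, so no ALB rule, whatever its group.order, can reach the metrics port. The names, namespace, host and group name are constructed.

```yaml
# Added example, not code from the issue or from the controller project.
# Assumes a Deployment labelled app=web that listens on 8080 (app) and
# 9090 (metrics); names, namespace, host and group name are constructed.
apiVersion: v1
kind: Service
metadata:
  name: web
  namespace: shop
spec:
  selector:
    app: web
  ports:
    - name: http
      port: 80
      targetPort: 8080
    # 9090 is intentionally absent: the ALB can only reach ports this
    # Service exposes, so /metrics is never routable through the LB.
    # Scrape 9090 via a separate ClusterIP Service that no Ingress references.
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: shop
  annotations:
    alb.ingress.kubernetes.io/group.name: shared-alb
    # Ordering still only matters among ingresses in the same group;
    # it does not need to protect /metrics because that port is unreachable.
    alb.ingress.kubernetes.io/group.order: "10"
spec:
  ingressClassName: alb
  rules:
    - host: shop.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  name: http
```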
k8s-triage-robot commented on May 29, 2025
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- lifecycle/stale is applied
- lifecycle/stale was applied, lifecycle/rotten is applied
- lifecycle/rotten was applied, the issue is closed
You can:
- /remove-lifecycle stale
- /close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
k8s-triage-robot commented on Jun 28, 2025
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- lifecycle/stale is applied
- lifecycle/stale was applied, lifecycle/rotten is applied
- lifecycle/rotten was applied, the issue is closed
You can:
- /remove-lifecycle rotten
- /close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten