-
Notifications
You must be signed in to change notification settings - Fork 8.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Remove global-rate-limit feature #11851
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rikatz The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
This issue is currently awaiting triage. If Ingress contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
✅ Deploy Preview for kubernetes-ingress-nginx ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
8da8f93
to
62ea0a5
Compare
please do not cherry-pick this change :) |
62ea0a5
to
cfda5f8
Compare
global-rate-limit-memcached-host: "memcached.{{ .Release.Namespace }}.svc.kubernetes.local" | ||
global-rate-limit-memcached-port: 11211 | ||
use-gzip: true | ||
asserts: | ||
- equal: | ||
path: data.global-rate-limit-memcached-host | ||
value: memcached.NAMESPACE.svc.kubernetes.local | ||
- equal: | ||
path: data.global-rate-limit-memcached-port | ||
value: "11211" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This was meant for testing different value types, not the global-rate-limit
feature itself. Gonna re-add other values.
Any recommendation for people who use ingress-nginx as the fronting load balancer? :) |
I think the infra-provider created LoadBalancers support rate-limiting on most cloud providers. |
Sad fact: vSphere works with MetalLB, so there is no such Load Balancer fronting your cluster. The Load Balancer IP is a virtual IP of a node. Just one example... |
True. But also practical aspect is Metallb/On-premise type engineers will make sophisticated choices like rate-limit or DDOS protection etc on their edge router. |
How do you know this feature isn't widely used? There are no easy answers for a global-rate-limit for bare-metal or on-prem setups. Especially when you look at l7-aware rate-limiting, or internal rate limiting. Cilium and MetalLB LoadBalancers do not support the same features, and this removes a pretty significant function from ingress-nginx. I think this is a mistake. What would it take to add this back? A fork or internal (to ingress-nginx) implementation? |
Wait, what evidence do you have that this feature is not widely used? Because I can tell you, in my org, it is. |
The maintainers understand that this is a breaking change. Attempts have been made to communicate the reasons leading up to this and other changes.
|
We have:
Still it seems to not be enough to let people know we have some actions in place to simplify ingress-nginx We have a long term running project to simplify ingress-nginx for a simple reason: today is unsustainable. We got multiple CVEs coming from multiple different features and while we've been asked by the users to add (and keep) more features, we've also been asked by k8s leadership to take actions to fix and simplify these kind of problems. And yes, some hard to swallow pills should be taken to increase project quality, including deprecating features. There is no restriction on this project being forked, or internally maintained, or if your company is willing to support you on being an opensource contributor for us to accept your contributions but, being clear, we are limiting now to bugfixes and security improvements. So if you decide going to the fork/private repo and find some bug/issue on main code, please remember so far this project existed by volunteers contributions. Thanks |
+100 to what the maintainers say, I'm completely sure that people want the features, but that they also want well maintained code without bugs, and foremost without CVEs, because if your company is hacked because the ingress-nginx that you are running has security issues, the project is to blame.
This code is under Apache license, forking is always an option |
I would recommend updating the documentation site on every page with a banner warning about upcoming changes, as well as include warnings in the release notes. It would also be nice to have deprecation warnings in any patch releases to give users time to update their configurations. Similar to how the k8s api deprecates features.
I understand that the code base isn't currently maintainable, and that simplification and feature removal is necessary. I also think that the communication could be improved. Removal of the global-rate-limit isn't the end of the world, but I expect you'll find a lot more people were using features when things break or release notes show that ingress-nginx has been gutted. |
that is a fair point and a good comment Thanks |
What this PR does / why we need it:
This PR removes the global-rate-limit feature. On the goal to make ingress-nginx more slim, we need to deprecate features not widely used.
Specifically this feature should be controlled by the fronting Load Balancer and not by ingress-nginx, and it adds some complexity on the code that we may not be able to maintain in future releases
/kind deprecation