Deprecate and remove snippet annotations #11667
Comments
k8s-ci-robot
added
kind/deprecation
|
This issue is currently awaiting triage. If Ingress contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
The ability to add custom configuration to nginx is a feature for me, and I cannot realistically see it replaced by annotations or even the gateway API. We're making extensive use of maps, custom rate limits and rewrites, for example. The potential for a "security risk" lies entirely with the operator running the controller, with snippet annotations already being turned off by default now. There is no risk to the project itself and I'm not happy to just hand wave a "you have been warned" feature away because someone could potentially misconfigure something. |
Ingress NGINX has 130 annotations, and still some of the required features are not implemented.
The workaround to expose more of the NGINX functionality to users was to allow snippet annotations, which in fact allows users to add their own configuration to nginx.conf.
The problem is that these kind of annotation allow users to add random and dangerous configurations and present a security risk for the project.
This way, I propose that we deprecate and remove snippet annotations and configuration from Ingress NGINX and future features should be analyzed and implemented via proper annotations or only if supported on the Gateway API annotations
/kind deprecation
The text was updated successfully, but these errors were encountered: