Lua

Lua code embedded in NGINX must be strictly non-blocking to maintain event-driven performance. Using standard Lua libraries or C libraries that perform blocking I/O (e.g., standard `os.time()` or slow file I/O) halts the entire NGINX worker, causing massive performance degradation, high latency, and request timeouts for all concurrent requests.

Lua-based annotation parsers in ingress-nginx (e.g., `auth-url`, `auth-tls-match-cn`, mirror UID parsers) fail to properly sanitize user inputs before incorporating them into NGINX/Lua configurations. Attackers can craft malicious Ingress annotations that inject arbitrary directives into the NGINX configuration template via the admission controller's validation logic.

Frequent dynamic endpoint updates driven by Lua in ingress-nginx cause the NGINX master process to fail to properly reap worker child processes, resulting in zombie processes accumulating on the host OS. These zombies consume system resources and complicate process management.

Lua-based load balancing logic in Kubernetes ingress-nginx, particularly under high pod counts, results in severe traffic imbalance where a small subset of backend pods receives an overwhelming majority of traffic, creating 'hot pods' and 'cold pods' and degrading overall cluster performance.

Variables set in one Lua phase may not be available or may be stale in later phases if timing and scope are misunderstood. Logic relying on variables set in different phases (e.g., `set_by_lua*` vs. `access_by_lua*`) results in NGINX variables being empty or holding stale values, causing incorrect routing, logging, or access decisions.

Errors in third-party Lua modules cause gradual, indefinite memory consumption increases leading to out-of-memory crashes. Without strict control over module versions and dependencies, operators face increased risk of subtle instability that is hard to debug.

Complex Lua scripts that run for long durations or depend on data size block the entire Redis instance while executing. Moving business logic into Lua for atomic operations can cause Redis to block under load, reducing availability.

Incomplete termination of Lua execution phases can lead to inconsistent logging or leaking of internal NGINX headers, causing information disclosure or incorrect log entries.