ingress-nginx

5 pains, avg 7.2/10
performance 2, security 1, ecosystem 1, dx 1

Lua-Based Annotation Parsers Vulnerable to Injection Attacks

9

Lua-based annotation parsers in ingress-nginx (e.g., `auth-url`, `auth-tls-match-cn`, mirror UID parsers) fail to properly sanitize user inputs before incorporating them into NGINX/Lua configurations. Attackers can craft malicious Ingress annotations that inject arbitrary directives into the NGINX configuration template via the admission controller's validation logic.

security, NGINX, Lua, Kubernetes, +1

Unsustainable maintenance burden on ingress-nginx community project

8

The ingress-nginx project has become too heavy for volunteer-driven community maintenance due to massive operational burden from handling edge cases, feature requests, performance tuning, security hardening, and multi-architecture builds. The project is scheduled to end maintenance by March 2026.

ecosystem, Nginx, Kubernetes, ingress-nginx

Frequent Dynamic Updates Cause Zombie Process Accumulation

7

Frequent dynamic endpoint updates driven by Lua in ingress-nginx cause the NGINX master process to fail to properly reap worker child processes, resulting in zombie processes accumulating on the host OS. These zombies consume system resources and complicate process management.

performance, NGINX, Lua, Kubernetes, +1

Lua-Based Load Balancing Creates Hot Pod/Cold Pod Imbalance

7

Lua-based load balancing logic in Kubernetes ingress-nginx, particularly under high pod counts, results in severe traffic imbalance where a small subset of backend pods receives an overwhelming majority of traffic, creating 'hot pods' and 'cold pods' and degrading overall cluster performance.

performance, NGINX, Lua, Kubernetes, +1

Manual Intervention Required for Configuration Synchronization Issues

5

Configuration synchronization issues in Kubernetes ingress-nginx sometimes require manual intervention to delete and recreate Services and Ingresses, creating operational toil and potential downtime.

dx, NGINX, Kubernetes, ingress-nginx