sina-devel opened a new issue, #12704: URL: https://github.com/apache/apisix/issues/12704
### Current Behavior The controller creates multiple global rules per plugin. The resulting plugin execution order depends on the creation timestamp of each global rule, not the order defined in the APISIX Documentation. The effective execution becomes: ``` ip-restriction -> real-ip ``` which causes `ip-restriction` to evaluate the wrong client IP. ### Expected Behavior According to the [APISIX Documentation](https://apisix.apache.org/docs/apisix/terminology/plugin/#plugins-execution-order) , the plugin order should follow: Plugins in global rules 1. rewrite phase 2. access phase plugins bound to other objects 1. rewrite phase 2. access phase Therefore, the expected execution order in this case is: ``` real-ip -> ip-restriction ``` since `real-ip` (rewrite phase) should run before `ip-restriction` (access phase). ### Error Logs _No response_ ### Steps to Reproduce 1. Create an initial `ApisixGlobalRule`: ``` apiVersion: apisix.apache.org/v2 kind: ApisixGlobalRule metadata: name: global namespace: apisix spec: plugins: - name: ip-restriction enable: true config: whitelist: - ... ``` 2. Apply the manifest. 3. Later, update it to include another plugin: ``` apiVersion: apisix.apache.org/v2 kind: ApisixGlobalRule metadata: name: global namespace: apisix spec: plugins: - name: real-ip enable: true config: source: http_x_real_ip - name: ip-restriction enable: true config: whitelist: - ... ``` 4. Apply the manifest again. ### Environment - APISIX version (run `apisix version`): 3.13 - APISIX Ingress Controller version: 2.0.0-rc3 -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
