PATTERN Cited by 2 sources

Global configuration push

Antipattern framing. A fleet-wide configuration-delivery channel that propagates every edit to every server in seconds, with no canary, no staged rollout, no per-POP health gating.

Used deliberately for rapid threat response — DDoS mitigations, malicious-IP blacklists, zero-day WAF rules — where a canary rollout measured in hours would defeat the purpose. The trade-off: rapid reach = rapid blast radius. One bad push reaches the entire fleet as fast as one good push.

This wiki labels the shape as an antipattern not because rapid global config delivery is wrong — it isn't — but because an organisation that only has this channel has no defense against a bad push. The pattern is dangerous when it is the only option; safe when it is one of several with appropriate guardrails.

The shape

• Push goes in.
• Seconds later, every POP / every server / every worker has the new value.
• No staged rollout.
• No health-gated pause.
• No automated rollback on regression.
• Human has to notice and manually revert.

Why organisations build it

• Threat response: DDoS / new CVE / malicious bot signature needs to propagate in seconds.
• Feature flag flips: internal-tool enable/disable.
• Emergency overrides: rapid revert of a bad deploy that's worse than the current state.

Canonical Cloudflare instances

• 2025-11-18 — the Bot Management feature-file distribution queue had this shape. A ClickHouse permission migration caused the generator to emit a doubled file; the doubled file propagated fleet-wide; FL2 panicked; ~3 hours core-traffic outage. See sources/2025-11-18-cloudflare-outage-on-november-18-2025.
• 2025-12-05 — the "global configuration system" named explicitly in the post-mortem. A tool-disable flag hit a 7-year-old Lua bug. Same shape, different surface. See sources/2025-12-05-cloudflare-outage-on-december-5-2025. The post notes this system was "under review following the outage we experienced on November 18" — review incomplete, same system delivered the 12-05 trigger.

Compensating patterns

The structural fix is not to remove the channel — threat response needs it — but to compose it with guardrails:

• Progressive configuration rollout — staged + health-gated + auto- rollback. Still fast (minutes not hours), but not instantaneous.
• Global feature killswitch — orthogonal fast-off path so a feature consuming bad config can be disabled without waiting to clean up the config.
• Ingest hardening — downstream consumers treat the config as untrusted input and validate before loading.
• patterns/fast-rollback — the revert path.

Seen in

• sources/2025-11-18-cloudflare-outage-on-november-18-2025
• sources/2025-12-05-cloudflare-outage-on-december-5-2025
• sources/2025-07-16-cloudflare-1111-incident-on-july-14-2025 — sibling-but-distinct surface (addressing / service topology) with the same structural hazard.

Related

• concepts/global-configuration-system
• concepts/blast-radius
• patterns/progressive-configuration-rollout
• patterns/global-feature-killswitch
• patterns/harden-ingestion-of-internal-config
• patterns/fast-rollback