
Controller does not support ports in sidecar containers (initContainers with restartPolicy=Always) #4239

@heshamelsherif97

Description

Bug Description

When an Ingress is configured in ip mode, the AWS Load Balancer Controller (aws-lbc) fails to properly consider ports exposed by sidecar containers. This leads to incorrect Security Group (SG) rule configurations.
P.S. The sidecar container feature in Kubernetes has graduated to stable in 1.33.

Steps to Reproduce

  • Set up a Kubernetes pod that uses sidecar containers (defined as initContainers with restartPolicy=Always).
  • Configure these sidecar containers to expose specific containerPorts.
  • Create a Kubernetes Service that targets these sidecar ports.
  • Create an Ingress resource with alb.ingress.kubernetes.io/target-type: ip that points to the service created in the previous step.

Example manifests

apiVersion: v1
kind: Service
metadata:
  name: dummy
  namespace: default
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 9001
  - name: https
    port: 443
    protocol: TCP
    targetPort: 10000
  selector:
    app.kubernetes.io/instance: dummy
  sessionAffinity: None
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: "[{\"HTTP\": 80, \"HTTPS\": 443}]"
    alb.ingress.kubernetes.io/target-group-attributes: >-
      deregistration_delay.timeout_seconds=600,load_balancing.algorithm.type=least_outstanding_requests
  name: dummy
  namespace: default
spec:
  ingressClassName: internal
  rules:
  - host: dummy.com
    http:
      paths:
      - backend:
          service:
            name: dummy
            port:
              name: https
        path: /
        pathType: Prefix
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    app.kubernetes.io/instance: dummy
  name: dummy
  namespace: default
spec:
  containers:
    - command:
        - sleep
        - "3600"
      image: busybox
      name: pods-simple-container
  initContainers:
    - image: envoyproxy/envoy:v1.24.1
      restartPolicy: Always
      name: envoy
      ports:
      - containerPort: 9001
        name: http
        protocol: TCP
      - containerPort: 10000
        name: https
        protocol: TCP
      - containerPort: 9901
        name: envoy-admin
        protocol: TCP

Expected Behavior

  • The controller should correctly identify and use the ports exposed by sidecar containers, especially when creating necessary Security Group rules.

Actual Behavior

The AWS Load Balancer Controller logs errors indicating it cannot find the specified ports on the pod. Consequently, the Node Security Group rules are not updated as required to permit inbound traffic on these ports.

{"level":"error","ts":"2025-06-18T11:53:23Z","msg":"Requesting network requeue due to error from ReconcileForPodEndpoints","tgb":{"name":"k8s-default-default-819a6e156a","namespace":"default"},"error":"unable to find port https on pod default/dummy"}
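The lookup failure above comes down to which container list the port resolver walks. The following Go program is an added illustration, not code from the AWS Load Balancer Controller project: it rebuilds the pod from the manifests above with simplified stand-in types (the real controller uses k8s.io/api/core/v1), and contrasts a resolver that searches only pod.spec.containers with one that also searches initContainers carrying restartPolicy: Always. The function names, the stand-in types and the ordinary (non-restartable) init container added for contrast are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strconv"
)

// Simplified stand-ins for the Kubernetes API types (constructed for this
// example; the controller itself works with k8s.io/api/core/v1 structs).
type ContainerPort struct {
	Name          string
	ContainerPort int32
}

type Container struct {
	Name          string
	RestartPolicy string // "" for app containers; "Always" marks a sidecar init container
	Ports         []ContainerPort
}

type PodSpec struct {
	Containers     []Container
	InitContainers []Container
}

// isSidecar reports whether an init container is a restartable sidecar,
// i.e. it keeps running next to the app containers and can serve traffic.
func isSidecar(c Container) bool { return c.RestartPolicy == "Always" }

// findPort resolves a Service targetPort (a number or a named port) against
// the given containers, mirroring the error text seen in the controller log.
func findPort(containers []Container, targetPort, ns, pod string) (int32, error) {
	if n, err := strconv.Atoi(targetPort); err == nil {
		return int32(n), nil // numeric targetPort needs no lookup
	}
	for _, c := range containers {
		for _, p := range c.Ports {
			if p.Name == targetPort {
				return p.ContainerPort, nil
			}
		}
	}
	return 0, fmt.Errorf("unable to find port %s on pod %s/%s", targetPort, ns, pod)
}

// lookupPortLegacy models the behaviour reported in the issue: only
// pod.spec.containers are searched, so sidecar ports are never found and no
// security group rule can be derived for them.
func lookupPortLegacy(spec PodSpec, targetPort string) (int32, error) {
	return findPort(spec.Containers, targetPort, "default", "dummy")
}

// lookupPortWithSidecars searches app containers plus restartable init
// containers. Ordinary init containers are skipped: they exit before the
// pod serves traffic, so their ports must not be opened in the SG.
func lookupPortWithSidecars(spec PodSpec, targetPort string) (int32, error) {
	candidates := append([]Container{}, spec.Containers...)
	for _, ic := range spec.InitContainers {
		if isSidecar(ic) {
			candidates = append(candidates, ic)
		}
	}
	return findPort(candidates, targetPort, "default", "dummy")
}

// examplePod rebuilds the pod from the manifests above, plus a plain init
// container (assumed for contrast) that exposes a port but is not a sidecar.
func examplePod() PodSpec {
	return PodSpec{
		Containers: []Container{{Name: "pods-simple-container"}},
		InitContainers: []Container{
			{Name: "setup", Ports: []ContainerPort{{Name: "setup-only", ContainerPort: 8080}}},
			{Name: "envoy", RestartPolicy: "Always", Ports: []ContainerPort{
				{Name: "http", ContainerPort: 9001},
				{Name: "https", ContainerPort: 10000},
				{Name: "envoy-admin", ContainerPort: 9901},
			}},
		},
	}
}

func main() {
	spec := examplePod()
	for _, name := range []string{"https", "http", "setup-only"} {
		_, legacyErr := lookupPortLegacy(spec, name)
		port, err := lookupPortWithSidecars(spec, name)
		fmt.Printf("%-10s legacy: %v | sidecar-aware: port=%d err=%v\n", name, legacyErr, port, err)
	}
}
```

Running it shows the legacy resolver failing for every named sidecar port with exactly the message from the log, while the sidecar-aware resolver returns 10000 for https and 9001 for http but still refuses the port of the non-restartable init container, which is the distinction a fix in the controller has to preserve.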

Environment

  • AWS Load Balancer Controller version: 2.13
  • Kubernetes version: 1.32

Labels: kind/bug