Labels: kind/bug
Bug Description
When an Ingress is configured in ip mode, the AWS Load Balancer Controller (aws-lbc) fails to properly consider ports exposed by sidecar containers. This leads to incorrect Security Group (SG) rule configurations.
P.S. The sidecar feature in Kubernetes graduated to stable in 1.33.
Steps to Reproduce
- Set up a Kubernetes pod that uses sidecar containers (defined as initContainers with restartPolicy=Always).
- Configure these sidecar containers to expose specific containerPorts.
- Create a Kubernetes Service that targets these sidecar ports.
- Create an Ingress resource with alb.ingress.kubernetes.io/target-type: ip that points to the service created in the previous step.
Example manifests

```yaml
apiVersion: v1
kind: Service
metadata:
  name: dummy
  namespace: default
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 9001
  - name: https
    port: 443
    protocol: TCP
    targetPort: 10000
  selector:
    app.kubernetes.io/instance: dummy
  sessionAffinity: None
  type: ClusterIP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    alb.ingress.kubernetes.io/backend-protocol: HTTPS
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/listen-ports: "[{\"HTTP\": 80, \"HTTPS\": 443}]"
    alb.ingress.kubernetes.io/target-group-attributes: >-
      deregistration_delay.timeout_seconds=600,load_balancing.algorithm.type=least_outstanding_requests
  name: dummy
  namespace: default
spec:
  ingressClassName: internal
  rules:
  - host: dummy.com
    http:
      paths:
      - backend:
          service:
            name: dummy
            port:
              name: https
        path: /
        pathType: Prefix
---
apiVersion: v1
kind: Pod
metadata:
  labels:
    app.kubernetes.io/instance: dummy
  name: dummy
  namespace: default
spec:
  containers:
  - command:
    - sleep
    - "3600"
    image: busybox
    name: pods-simple-container
  initContainers:
  - image: envoyproxy/envoy:v1.24.1
    restartPolicy: Always
    name: envoy
    ports:
    - containerPort: 9001
      name: http
      protocol: TCP
    - containerPort: 10000
      name: https
      protocol: TCP
    - containerPort: 9901
      name: envoy-admin
      protocol: TCP
```
Expected Behavior
- The controller should correctly identify and use the ports exposed by sidecar containers, especially when creating necessary Security Group rules.
Actual Behavior
The AWS Load Balancer Controller logs errors indicating it cannot find the specified ports on the pod. Consequently, the Node Security Group rules are not updated as required to permit inbound traffic on these ports.
```json
{"level":"error","ts":"2025-06-18T11:53:23Z","msg":"Requesting network requeue due to error from ReconcileForPodEndpoints","tgb":{"name":"k8s-default-default-819a6e156a","namespace":"default"},"error":"unable to find port https on pod default/dummy"}
```
Environment
- AWS Load Balancer controller version: 2.13
- Kubernetes version: 1.32
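The lookup the Expected Behavior section asks for, as an added illustration (not the controller's own code): a named-port resolver that consults regular containers and then init containers with restartPolicy: Always, while still ignoring ordinary init containers whose ports are gone once the pod serves traffic. The `Pod`, `Container` and `ContainerPort` types are simplified stand-ins for the corev1 structs, and the sample pod is constructed from the report's manifest plus one hypothetical ordinary init container.

```go
package main

import "fmt"

// Simplified stand-ins for the corev1 types (assumption: not the real API structs).
type ContainerPort struct {
	Name          string
	ContainerPort int32
}
type Container struct {
	Name          string
	RestartPolicy string // set only on initContainers; "Always" marks a sidecar
	Ports         []ContainerPort
}
type Pod struct {
	Name, Namespace string
	Containers      []Container
	InitContainers  []Container
}

// lookupContainerPort resolves a named port the way the report expects: regular
// containers first, then init containers with restartPolicy: Always (native sidecars).
// Ordinary init containers are skipped: they have exited by the time the pod
// serves traffic, so their ports must not drive security group rules.
func lookupContainerPort(pod Pod, portName string) (int32, error) {
	candidates := append([]Container{}, pod.Containers...)
	for _, c := range pod.InitContainers {
		if c.RestartPolicy == "Always" {
			candidates = append(candidates, c)
		}
	}
	for _, c := range candidates {
		for _, p := range c.Ports {
			if p.Name == portName {
				return p.ContainerPort, nil
			}
		}
	}
	return 0, fmt.Errorf("unable to find port %s on pod %s/%s", portName, pod.Namespace, pod.Name)
}

// samplePod is a constructed copy of the report's pod plus a hypothetical ordinary
// init container ("setup") whose port must be ignored.
func samplePod() Pod {
	return Pod{Name: "dummy", Namespace: "default",
		Containers:     []Container{{Name: "pods-simple-container"}},
		InitContainers: []Container{{Name: "setup", Ports: []ContainerPort{{"setup", 8080}}},
			{Name: "envoy", RestartPolicy: "Always", Ports: []ContainerPort{{"http", 9001}, {"https", 10000}, {"envoy-admin", 9901}}}}}
}

func main() { fmt.Println(lookupContainerPort(samplePod(), "https")) } // 10000 <nil>
```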