annotation "aws-load-balancer-subnets" not taken into account

[leandro-loos]

According to the documentation (https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/guide/service/annotations.md):

service.beta.kubernetes.io/aws-load-balancer-subnets specifies the Availability Zone the NLB will route traffic to. See Network Load Balancers for more details.

!!!tip Subnets are auto-discovered if this annotation is not specified, see Subnet Discovery for further details.

I have a v1.18.15 and a v1.16.15 kubernetes clusters created with kops on top of EC2 instantes.

Deploying the following service as part of a nginx-controller-deployment:

---
kind: Service
apiVersion: v1
metadata:
  name: ingress-oso
  namespace: ingress-oso
  labels:
    app.kubernetes.io/name: ingress-oso
    app.kubernetes.io/part-of: ingress-oso
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-internal: "true"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-subnets: "subnet-XXXX,subnet-YYYY,subnet-ZZZZ"
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
spec:
  type: LoadBalancer
  loadBalancerSourceRanges:
    - 172.16.0.0/12
  selector:
    app.kubernetes.io/name: ingress-oso
    app.kubernetes.io/part-of: ingress-oso
  ports:
    - name: http
      port: 80
      targetPort: http

Where subnet-XXXX, subnet-YYYY, subnet-ZZZZ are valid subnets on the VPC from different AZs (a, b, and c).

The aws-load-balancer-subnets annotation is being ignored and the NLB is created on the auto discovered subnets.

(note that the whole lot of combinations like using ",', , etc were tested)

[kishorj]

@leandro-loos, did you specify the subnets annotation after creating the service, or modify the annotation? Do you see any errors in the controller logs? The issue could be on the AWS side where it is not allowing modifications to the NLB subnets after creation. You can check if the AWS has a "temporary limitation" when you try to edit the NLB subnets from the AWS console

[trucnguyenlam]

@kishorj I have exactly the same problem that @leandro-loos have

• there is no error in the controller logs, and
• this happens when creating service

Please fix this.

[kishorj]

@leandro-loos, the lb you are trying to create is reconciled by the AWS in-tree controller since the service.beta.kubernetes.io/aws-load-balancer-type is `nlb. The in-tree controller in the k8s versions that you mentioned does not support this annotation.

The fix for the in-tree controller was introduced by the PR kubernetes/kubernetes#97431 and will be available in k8s 1.21 release. In case of EKS, we've backported the fix, so the support is available from EKS 1.19 onwards. I will cherry-pick the changes to k8s 1.19 and 1.20 so kops users also get the fix.

As of now, this controller supports NLB IP targets only, the annotatoni service.beta.kubernetes.io/aws-load-balancer-type with value nlb-ip. The instance mode support from this controller is in progress and will be available in v2.2.0.

[kishorj]

@leandro-loos, I'm closing the issue. If you have further concerns, feel free to reopen or create a new issue.