Documentation not reflecting NLB security group support (2.6) #3333

Closed
robert-heinzmann-logmein opened this issue Aug 11, 2023 · 5 comments

@robert-heinzmann-logmein

Describe the bug

It seems the documentation is not up to date in multiple ways.

Steps to reproduce

Doc: https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/guide/service/nlb.md
Release Notes: https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.6.0

Expected outcome

Documentation for 2.6 should be published
Documentation for 2.6 should reflect the new feature

Environment

  • AWS Load Balancer controller version: 2.6
  • Kubernetes version: does not matter
  • Using EKS (yes/no), if so version? : does not matter
@ilias-at-adarma

Not sure if it will be documented or not but we are observing contradicting behaviour to what the changelog is suggesting

service.beta.kubernetes.io/inbound-cidrs and service.beta.kubernetes.io/listen-ports should manage the front end SG, but instead what we are seeing is
service.beta.kubernetes.io/load-balancer-source-ranges and ports coming from spec.ports{} manage the front end SG

@oliviassss
Collaborator

@ilias-at-adarma, hi sorry for the delay but we have the PR for live doc update for NLB SG #3332.
The service.beta.kubernetes.io/inbound-cidrs and service.beta.kubernetes.io/listen-ports are not valid annotations supported by AWS LBC. The CIDR of NLB is specified by service.beta.kubernetes.io/load-balancer-source-ranges, and also we recommend specifying the CIDRs of NLB via Spec.LoadBalancerSourceRanges over the annotation. You can check more info on our current live docs for the annotations:
https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.5/guide/service/annotations/#access-control

@robert-heinzmann-logmein
Author

robert-heinzmann-logmein commented Aug 15, 2023

It seems 2.6 docs have been pushed and it now lists the new annotations. However the NLB page https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.6/guide/service/nlb/#security-group still mentions

AWS doesn't support attaching security groups to NLBs

which I assume is not correct anymore.

@oliviassss oliviassss mentioned this issue Aug 17, 2023
@kadeguilherme

Hi @oliviassss in the current documentation of the AWS Load Balancer Controller, there is an inconsistency in the annotations in the section:
"When this annotation is not present, the controller will automatically create one security group. The security group will be attached to the LoadBalancer and allow access from inbound-cidrs to the listen-ports. Also, the securityGroups for target instances/ENIs will be modified to allow inbound traffic from this securityGroup."
In this scenario, the correction would be:
"When this annotation is not present, the controller will automatically create one security group. The security group will be attached to the LoadBalancer and Inbound Security Group Rules will be formed using CIDR from service.beta.kubernetes.io/load-balancer-source-ranges and ports from Service in Kubernetes spec.ports[].port. Also, the securityGroups for target instances/ENIs will be modified to allow inbound traffic from this securityGroup."

@oliviassss
Collaborator

@kadeguilherme, thanks for the suggestion, we can have the doc fix here. And you are more than welcome to raise a PR.
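
Added example (not part of the thread and not the controller's own code): a small audit helper that derives the front-end security group inbound rules a Service should produce under the corrected wording proposed above, and flags the two annotations the thread says are not valid. The function name, the sample Services, the precedence of `spec.loadBalancerSourceRanges` over the annotation, and the `0.0.0.0/0` fallback are assumptions made for illustration.

```python
import ipaddress

SOURCE_RANGES = "service.beta.kubernetes.io/load-balancer-source-ranges"
# Named in this thread as not valid AWS LBC annotations.
UNSUPPORTED = ("service.beta.kubernetes.io/inbound-cidrs",
               "service.beta.kubernetes.io/listen-ports")

def expected_frontend_rules(svc, default_cidrs=("0.0.0.0/0",)):
    """Return (rules, findings) for a Service dict (`kubectl get svc -o json` shape).

    Assumptions, not taken from the thread: spec.loadBalancerSourceRanges is
    used before the annotation, and default_cidrs applies when neither is set.
    """
    ann = svc.get("metadata", {}).get("annotations") or {}
    spec = svc.get("spec", {})
    findings = [f"unsupported annotation: {k}" for k in UNSUPPORTED if k in ann]
    cidrs = list(spec.get("loadBalancerSourceRanges") or [])
    if not cidrs:
        cidrs = [c.strip() for c in ann.get(SOURCE_RANGES, "").split(",") if c.strip()]
    if not cidrs:
        cidrs = list(default_cidrs)
        findings.append("no source ranges set, assumed default used")
    # ip_network raises ValueError on a malformed CIDR; strict=False normalizes host bits.
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    findings += [f"open to any address: {n}" for n in nets if n.prefixlen == 0]
    rules = sorted({(str(n), p.get("protocol", "TCP"), p["port"])
                    for n in nets for p in spec.get("ports", [])})
    return rules, findings

# Constructed sample: relies on the two annotations the thread calls invalid.
MISCONFIGURED = {
    "metadata": {"name": "web", "annotations": {
        "service.beta.kubernetes.io/inbound-cidrs": "10.0.0.0/8",
        "service.beta.kubernetes.io/listen-ports": "443"}},
    "spec": {"type": "LoadBalancer",
             "ports": [{"port": 443, "protocol": "TCP"}, {"port": 80}]},
}
# Constructed sample: CIDRs given through the supported annotation.
RESTRICTED = {
    "metadata": {"name": "web", "annotations": {
        SOURCE_RANGES: "10.0.0.0/8, 192.168.1.0/24"}},
    "spec": {"type": "LoadBalancer", "ports": [{"port": 443, "protocol": "TCP"}]},
}

if __name__ == "__main__":
    for svc in (MISCONFIGURED, RESTRICTED):
        print(expected_frontend_rules(svc))
```

Run against the first sample, the helper shows that the intended `10.0.0.0/8` restriction and the single port 443 never reach the rule set, because both values were supplied through annotations the controller does not read.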
