v2.7.2

v2.7.2 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.7.2
Thanks to all our contributors! 😊

Enhancement and Fixes

• Feat : Allow ACM cert discovery to filter on CA ARNs
• Enhancement : Adding support for Availability Zone Affinity
• CVE patch for CVE-2024-24786
• Doc updates

Changelog since v2.7.1

• Update golang.org/protobuf version to fix CVE-2024-24786 (#3618, @shraddhabang)
• Adding support for Availability Zone Affinity (#3470, @alex-berger)
• update go version to mitigate CVE (#3615, @haouc)
• Repo controlled build go version (#3598, @xdu31)
• fix: new ca-filter causing expontentially more api-calls (#3608, @the-technat)
• Add example for NLB target-group-attributes to enable unhealthy target connection draining (#3577, @jukie)
• feat: allowed ACM cert discovery to filter on CA ARNs (#3565) (#3591, @the-technat)
• bump up controller-tools version to fix ci failure (#3580, @oliviassss)
• fix log level in listener manager and tagging manager (#3573, @oliviassss)

v2.7.1

v2.7.1 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.7.1
Thanks to all our contributors! 😊

Enhancement and Fixes

• introduced caches for ELB resource tags. Which shall improve Ingress/Service reconcile performance when there are large number of ALB/NLBs in VPC. (Note, if the controller have internet access, enable feature flag EnableRGTAPI shall provide even better performance)
• Added ability to configure ServiceTargetENISGTags in helm charts.

Changelog since v2.7.0

• cut v2.7.1 release (#3566, @M00nF1sh)
• log enhancement for enabling RGT API (#3564, @oliviassss)
• Add a note to recommend to use compatible chart and image versions (#3559, @shraddhabang)
• update helm chart for ServiceTargetENISGTags and README (#3558, @oliviassss)
• cache ELB resource tags to reduce API calls (#3550, @M00nF1sh)

v2.7.0

v2.7.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.7.0
Thanks to all our contributors! 😊

Action required

We've updated the reference IAM policies to explicitly add the elasticloadbalancing:DescribeTrustStores permission for describing the trust stores resources to use the new mTLS feature for ingresses on controller. load balancer and listener resources. We recommend updating your controller IAM policies with the new permissions for your existing installations as well.

Whats new

• Introducing the support for (mTLS) Mutual Transport Layer Security on Ingress through AWS LB Controller. Its delivers mTLS feature by integrating the trust stores into listener management. The customer will be able to set the desired mTLS mode and will be able to provide the existing trust store Name/ARN (they have created through CLI/Console) through new annotations for Ingress. To use this feature, you need to update the IAM policy to add elasticloadbalancing:DescribeTrustStores permission
• Add a controller flag --service-target-eni-security-group-tags to allow users to specify additional tags that should be used when the controller looks for the security group to use when adding ingress rules for NLB targets
• Adding support for default readiness probe for controller. Please note that the installation of older image tags against the latest helm chart version (1.7.0 or later) will fail due to this new addition of readiness probe.

Enhancement and Fixes

• Support for EKS pod identities
• Helm chart enhancements: add webhook readiness check; add revisionHistoryLimit
• Helm chart field to enable HPA. The main purpose of enable HPA is to survive load induced failure by the calls to the aws-load-balancer-webhook-service
• Documentation enhancements

Changelog since v2.6.2

• Adding the support for Unhealthy.draining state (#3548, @shraddhabang)
• Doc updates for mTLS feature and minor documentation bugs (#3547, @shraddhabang)
• fix: Add revisionHistoryLimit override (#3486, @bodgit)
• Improvement for the error log while Subnet Discovery failed (#3545, @guessi)
• Implement mutual TLS authentication support for Ingress (#3532, @shraddhabang)
• Add Blue/Green use case to the side menu (#3520, @henriquesantanati)
• chore: add webhook readiness check (#3375, @davidkl97)
• add oliviassss as approver (#3534, @oliviassss)
• improve the enable primary ipv6 address and TEST_ID in prow script (#3524, @oliviassss)
• update prow script to enable primary ipv6 address (#3510, @oliviassss)
• Disable WAF to run tests against YYC. (#3515, @orsenthil)
• bump aws-sdk-go to v1.47.13 (#3489, @oliviassss)
• Add johngmyers as approver (#3356, @johngmyers)
• Improve documentations for tolerate-non-existent-backend-{service,action} (#3442, @guessi)
• Drop the Security disclosures that point to AWS security (#3467, @dims)
• Doc: remove unnecessary uppercase letters (#3472, @Nezz7)
• Add dims to SECURITY_CONTACTS (#3483, @dims)
• Set the flag to fail if the test fails or times out (#3481, @jaydeokar)
• doc update for automated target weights (#3496, @oliviassss)
• update go from 1.21.3 to 1.21.4 (#3484, @oliviassss)
• enable ingress instance e2e test for ipv6 (#3416, @oliviassss)
• update prow script (#3406, @oliviassss)
• update file paths in prow script for adc regions (#3398, @oliviassss)
• remove unnecessary cleanup in prow script (#3387, @oliviassss)
• udpate prow script to install lbc via manifest for ADC (#3355, @oliviassss)
• Add deprecated apiGroups detection on workflow. (#3351, @jerryhe1999)
• Add doc updates (#3347, @oliviassss)
• Enables providing multiple tags for worker node security group discovery(#3147, @carflo)

v2.6.2

v2.6.2 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.6.2
Thanks to all our contributors! 😊

Enhancement and Fixes

• Expose ingress configuration options for missing backends
• Feat: resolve health check port name for NLB
• Don't block TGB reconciliation loop on failed SG ingress reconciliation
• CVE patch for CVE-2023-3978, CVE-2023-39325
• Doc updates

Changelog since v2.6.1

• update ci e2e script for cert IDs (#3392, @oliviassss)
• doc updates (#3426, @oliviassss)
• Change of text "your-cluster-name" (#3152, @git4example)
• Expose ingress configuration options for missing backends (#3342, @kc9ddi)
• don't block TGB reconciliation loop on failed SG ingress reconciliation (#3296, @michaelsaah)
• Stricter dependency/security review (#3429, @dims)
• feat: resolve health check port name for NLB (#3419, @fad3t)

v2.6.1

v2.6.1 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.6.1
Thanks to all our contributors! 😊

Fixes

• Fixes a performance related issue when "PodReadinessGate" feature is enabled

Changelog since v2.6.1

• remove unnecessary patch requests (#3373, @M00nF1sh )

v2.6.0

v2.6.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.6.0
Thanks to all our contributors! 😊

Enhancement

• Added support of Security Groups for NLB. With the security group support, it is feasible to forward the NLB traffic to the EC2 instances without having to open up the instances for global access. For backwards compatibility, NLBs created without the security groups or the existing NLBs will continue to provide the legacy behavior. Similar to ALB, there are two sets of SGs for NLB - frontend and backend SGs:
  • The controller will automatically create and attach the frontend SG to the NLB provisioned, and add rules for inbound-cidrs and listen-ports. If the users want to attach existing frontend SG to the NLB, they can explicitly specify via annotation service.beta.kubernetes.io/aws-load-balancer-security-groups
  • The Backend SG controls the traffic between the NLB and the EC2 instances/ENIs, and it gets attached to the NLB similar to the frontend SG. In case of auto-generated frontend SG, the controller automatically adds Node/ENI SG rules to allow egress traffic from the NLB. The rule management is disabled by default if the frontend SG is specified via annotation. We provide an annotation to configure controller’s management on backend SG rules regardless of the frontend SG type service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: true/false
• Improved the ingress cert auto-discovery to discover more cert types from ACM:

     KeyAlgorithmRsa1024,
     KeyAlgorithmRsa2048,
     KeyAlgorithmRsa3072,
     KeyAlgorithmRsa4096,
     KeyAlgorithmEcPrime256v1,
     KeyAlgorithmEcSecp384r1,
     KeyAlgorithmEcSecp521r1,

Fixes

• Fixed the race condition in pod cache and endpoint resolver
• Made the ingress validating webhook ignore ingresses that are not managed by AWS LBC
• Fixed typo in doc

Changelog since v2.5.4

• Add support for NLB security groups (#3329, @kishorj, @oliviassss)
• Allow TLS 1.2 with restricted ciphers for webhooks (#3318, @johngmyers)
• Update the RSA filter for Cert discovery (#3314, @shraddhabang)
• Doc: Add note for rename behavior of IngressGroup (#3283, @yubingjiaocn)
• Make Ingress validating webhook ignore ingresses not managed by AWS LBC (#3272, @johngmyers)
• add oliviassss as reviewer (#3306, @oliviassss)
• fix the race condition in pod cache and endpoint resolver (#3305, @oliviassss)
• Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.11.0 (#3300, @dependabot)
• Bump github.com/aws/aws-sdk-go from 1.44.184 to 1.44.294 (#3271, @dependabot)
• Provide better explanation of failure to find a subnet (#3292, @johngmyers)
• test/framework: replace deprecated ioutil.ReadAll (#3256, @komisan19)
• Add warning in doc for ServiceMutatorWebhook (#3180, @punkwalker)
• Add note about keeping OWNERS in sync (#3289, @johngmyers)
• Docs: Fix typo in nlb.md. (#3257, @Gacko)
• fix: typo in PR template (#3267, @nakamume)

v2.5.4

v2.5.4 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.5.4
Thanks to all our contributors! 😊

Fixes

• Fixed a bug in the eventhandler that was ignoring the update event triggered by --sync-period and preventing the auto-reconciliation of the controller. From this version, the controller will reconcile all the resources even if there is no change in manifest, per the default interval of 10hr. For more information, please refer to the doc

Changelog since v2.5.3

• doc enhancement for waf addons and reconciliation (#3281, @oliviassss)
• update protobuf to the latest version (#3274, @oliviassss)
• fix the bug that evenhanlder ignores the update per sync-period (#3280, @oliviassss)

v2.5.3

v2.5.3 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.5.3
Thanks to all our contributors! 😊

Enhancement

• Update go dependencies and base image to address CVEs
• Drop the support for policy/v1beta1 of PodDisruptionBudget, since the k8s 1.22+ supports policy/v1
• Drop the support for cert-manager.io/v1alpha2, and explicitly set to cert-manager.io/v1

Fixes

• Update k8s.io/client-go to v0.26.5 to fix the promethus-adapter issue that causes the client-go to crash in k8s 1.27

Changelog since v2.5.2

• update to go 1.20.5 (#3253, @oliviassss)
• Update dependency and base image (#3239, @oliviassss)
• update aws partition in test script and add iam policy for iso regions (#3246, @oliviassss)
• Remove policy/v1beta1 since the min supported k8s version supports policy/v1 (#3230, @rdrgmnzs)
• chore: Added dependabot (#3228, @ellistarn)
• fix typo in test script (#3226, @oliviassss)
• Fix formatting (#3219, @hsusanoo)
• Explicitly setting CertManager APIVersion to V1 (#3189, @hawkesn)

v2.5.2

v2.5.2 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.5.2

Thanks to all our contributors! 😊

Enhancement

• Added support for the AWS Resource Group API which can be enabled via the feature flag EnableRGTAPI, disabled by default. This feature allows the tagging manager to utilize RGT APIs to filter matching Load Balancers and Target Group resources, and is helpful when there are numerous resources. RGT feature is not available for private clusters. If you intend to enable this feature, you need to do the following:
  • set --feature-gates=EnableRGTAPI=true in controller command line flag or helm value --set controllerConfig.featureGates.EnableRGTAPI=true during chart install/upgrade
  • add additional permission to the IAM policy used by the controller

  { 
   "Effect": "Allow", 
   "Action": [ 
       "tag:GetResources" 
   ], 
   "Resource": "*" 
  }
  

• Refactor backend SG provider, controller deletes backend SG when not required without waiting for all ingresses to be deleted.

Fixes

• Check both sdkLS and resLS sslpolicy for nil when updating extra certs for listeners

Changelog since v2.5.1

• update go.sum (#3206, @oliviassss)
• cut v2.5.2 release (#3205, @oliviassss)
• Fix typo in mkdocs.yml file (#3202, @Dragotic)
• check both sdkLS and resLS sslpolicy for nil (#3196, @oliviassss)
• Support AWS RGT APIs with feature flag (#3186, @oliviassss)
• cherry-pick: Support AWS RGT APIs with feature flag (#3186) (#3193, @oliviassss)
• refactor backend SG provider (#2836, @kishorj)
• add objectSelector to the new controller webhooks (#3165, @kishorj)
• chore(aws-load-balancer-controller): update all controllerConfig.featureGates samples default values (#3161, @kahirokunn)

v2.5.1

v2.5.1 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.5.1

Thanks to all our contributors! 😊

Action Requrired

• 🚨 🚨 🚨We've updated the controller manifests, so either use helm upgrade or apply the new manifest. The new controller image from the patch release is not compatible with manifests from v2.4.x or earlier releases
• 🚨 🚨 🚨We have made the LBC the default controller for service type LoadBalancer by adding a mutating webhook. You can disable the feature by setting the helm chart value enableServiceMutatorWebhook to false. You will no longer be able to provision new Classic Load Balancer (CLB) from your kubernetes service unless you disable this feature.

Please refer to the v2.5.0 release notes for further details.

Bug fixes

• Fix ingress validator to handle ingress rules without http paths, issue #3158

Changelog since v2.5.0

• cut v2.5.1 release (#3160, @kishorj)
• chore(aws-load-balancer-controller): add all controllerConfig.featureGates samples (#3156, @kahirokunn)
• Fix validator for ingress rules without http paths (#3159, @kishorj)
• update doc for 2.5 (#3154, @oliviassss)