Releases: kubernetes-sigs/aws-load-balancer-controller
v2.10.1
v2.10.1 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.10.1
Thanks to all our contributors! 😊
What's new
- Supports HTTP and HTTPS listener attributes on load balancers.
- Application Load Balancer (ALB) now supports HTTP request and response header modification giving you greater controls to manage your application’s traffic and security posture without having to alter your application code. For more information checkout what’s new post and the ALB document.
Enhancement and Fixes
- Use pod target namespace to get pod info from repo when resolving endpoint.
- Remove sort by ID so that EIP allocations and subnet ID order is respected.
- [Doc] fixed documentation styling for Support UDP-based services over IPv6.
- Publish internal controller metrics, such as target register time.
- Trim control characters from OIDC secret
Changelog since v2.10.0
- enable http and https listener attributes (#3948, @wweiwei-li)
- FEAT: LBC metric collector (#3941, @zac-nixon)
- fix: use pod target namespace to get pod info from repo when resolving endpoint (#3914, @Revolution1)
- [BUG FIX] trim control characters from secret to prevent newlines in client secret (#3936, @zac-nixon)
- Fix: order must match specified subnets (#3925, @wweiwei-li)
- fixed documentation styling for Support UDP-based services over IPv6 (#3928, @shethyogita83)
Full Changelog: v2.10.0...v2.10.1
v2.10.0
v2.10.0 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.10.0
Thanks to all our contributors!
Action required
🚨 🚨 🚨 We’ve added the multiClusterTargetGroup field to the TargetGroupBinding which users can set in order to share target groups among different Kubernetes clusters. Make sure to update the CRD definition in your cluster. If you're upgrading the charts using helm upgrade, you need to update CRDs manually: kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"
ELB has updated their managed policy to include ec2:GetSecurityGroupsForVpc
. We have updated the Load Balancer Controller policy to reflect that change. Please be sure to apply the latest IAM policy when upgrading.
What’s new
- AWS Load Balancer Controller now supports MultiCluster target groups. This mode allows users to share target groups among multiple clusters, enabling a wide variety of use cases. For more information checkout the use case documentation
- We’ve added support SageMaker HyperPod clusters. Users can now install the Load Balancer Controller into SageMaker HyperPod clusters in order to get integration with AWS ELB.
- We’ve added integration with a new ELB feature that allows configuring sourceNAT for Dualstack NLBs to allow UDP traffic over IPv6.
Enhancement and Fixes
- Update shield integration to use in-region endpoint rather then always using us-east-1.
- (docs) Fix TLS Ingress annotation documentation for Security policy
- (docs) Fix configuration documentation typos
- (docs) Fix external-dns routing policies link
- Add new ec2:GetSecurityGroupsForVpc permission to LBC policy.
Changelog since v2.9.2
- UDP Support over IPv6 via Dualstack NLBs using SourceNAT configurations (#3926)
- Refactor aws cloud service and introduce a client provider (#3895)
- New Feature: Multi Cluster TargetGroupBinding (#3853)
- add sagemaker-hyperpod compute type to resolve its pods via VPC ENI (#3886)
- Fixed documentation typos (#3885)
- Fix alphabetic order in CRD for verify CRD to run (#3911)
- chore(docs): fix external-dns routing policies link (#3893)
- fix(docs): Update the link to the AWS documentation for the TLS Ingress annotation for Security policy (#3876)
- update the region of shield api (#3920)
- add ec2:GetSecurityGroupsForVpc to account for ELB API changes (#3921)
- BUG FIX: fix log message when target group and cluster are in different VPCs (#3924)
v2.9.2
v2.9.2 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.9.2
Thanks to all our contributors! 😊
Action required
N/A
What’s New
N/A
Enhancement and Fixes
- Fixes the controller crash due to enabling shield protection on ingress while creation
- Skips newly added listener attributes reconcile for iso regions.
ChangeLog since v2.9.0
- Skip listener attributes reconcile for Isolated regions (#3884, @wweiwei-li)
- Fix controller crash due enabling shield protection after AWSSDKGoV2 upgrade (#3896, @shraddhabang)
v2.9.1
v2.9.1 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.9.1
Thanks to all our contributors! 😊
Action required
🚨 🚨 🚨 The v2.9.1 contains a bug which will crash controllers with the account subscribed to AWS shield advanced service as described in #3888, please upgrade to v2.9.2+ for the bug fix if your account has subscribed to AWS shield and your controller has shield service enabled.
What’s New
- AWS Load Balancer Controller now implements a deferral queue for TargetGroupBindings that change rarely. This means that during leadership failover, the controller will immediately work on target groups that have had their membership change. Previously, the controller would try to reconcile all target groups which could delay potential changes if the cluster had many TargetGroupBindings. This new deferral queue will detect TargetGroupBindings without any change and choose to reconcile them at a slower pace in the future, prioritizing TargetGroupBindings that have changed since the last reconcile cycle.
Enhancement and Fixes
- Slow start containers should be more responsive to pod readiness checks. Previously, the controller could back-off for up to 16 minutes for checking the container readiness state. Now the controller will use a static 15 second delay to continually ensure your containers have started.
- Implement a deferral queue to sideline TargetGroupBindings without a recent change.
ChangeLog since v2.9.0
- Feature: Deferred queue for no-op TGB (#3861)
v2.9.0
v2.9.0 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.9.0
Thanks to all our contributors! 😊
Action required
🚨 🚨 🚨 The v2.9.0 contains a bug which will crash controllers with the account subscribed to AWS shield advanced service as described in #3888, please upgrade to v2.9.2+ for the bug fix if your account has subscribed to AWS shield and your controller has shield service enabled.
We've added a listenerAttributes
field to IngressClassParams
to support listener attributes for load balancers in the future. Note that there are no listener attributes supported on Application Load Balancers (ALBs) yet. Therefore, this field is currently not used. However, updating CRDs is necessary for future compatibility. If you're upgrading the charts using helm upgrade, you need to update CRDs manually: kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"
AWS NLB now supports configurable TCP idle timeout. We've updated the reference IAM policies to explicitly add the elasticloadbalancing:DescribeListenerAttributes
and elasticloadbalancing:ModifyListenerAttributes
permissions for describing and modifying this listener attribute for NLB's TCP listener resources on controller.
What's new
- AWS Load Balancer Controller now uses the new AWS SDK Go v2 version. The v2 SDK is designed to make API calls more efficiently, leading to improved performance in your applications. It comes with built-in retry mechanisms which will help us retrying the requests less aggressively. It also includes a variety of built-in backoff strategies, such as exponential backoff. These strategies help to avoid overwhelming the AWS service and give it time to recover from temporary errors.
- Supports listener attributes on load balancers.
- AWS Network Load Balancer (NLB) now supports configurable TCP idle timeout. This allows you to align the TCP idle timeout value of NLB with clients and target applications. This capability can help reduce TCP connection retries and latency in applications that use long-lived flows, such as telemetry reporting devices, databases, streaming services, and ERP systems.
- Support for allowing multiple security groups with the same Name tag to be resolved for load balancers. The old implementation incorrectly assumed a one-to-one mapping between security group names. This fix allows multiple security groups with the same name to be resolved and attached to load balancers, providing flexible configurations and avoiding errors.
- Support for identifying VPC by tags using a new runtime argument. This is helpful when access to AWS metadata is blocked and the VPC ID is unknown at deploy time.
Enhancement and Fixes
- (Chart): Allow disabling ingress validation via helm flag
- Migrate AWS SDK GO V1 to V2.
- Support vpc- in target group binding vpc-id validation
- Set klog logger to harmonize logging format
Changelog since v2.8.3
- Use the documented .Capabilities.KubeVersion.Version built-in value in the hpa template (#3766, @prasadkatti)
- Migrate aws sdk go v1 to v2 (#3844, @shraddhabang)
- Support listener attributes (#3843, @, @wweiwei-li)
- feat: support vpc- in target group binding vpc-id validation (#3845, @khizunov)
- Allow disabling ingress validation via helm flag (#3847, @sarevalo2002)
- fix: Set klog logger to harmonize logging format (#3833, @mycrEEpy)
- Doc: Fix markdown table (#3832, @linoleparquet)
- [Doc] Update cert-manager GitHub URL (#3842, @capytan)
- bump up base image version (#3854, @oliviassss)
- update mkdocs dependencies (#3803, @M00nF1sh)
- Allow multiple SGs with the same Name tag(#3775, @alloveras)
- Fetch VPC ID from runtime using VPC tags provided via controller flags (#3656, @jeswinkoshyninan)
Full Changelog: v2.8.3...v2.9.0
v2.8.3
v2.8.3 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.8.3
Thanks to all our contributors! 😊
What's new
Patch CVE CVE-2024-39689
of ca-certificates
introduced by base image.
What's Changed
- cherry-pick: bump up base image version (#3854) by @oliviassss in #3855
- cut v2.8.3 release by @oliviassss in #3856
Full Changelog: v2.8.2...v2.8.3
v2.8.2
v2.8.2 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.8.2
Thanks to all our contributors! 😊
What's new
Enhancements
- We have changed the behavior for Application LoadBalancer Addons related annotations(WAFClassic,WAFv2,Shield Advanced) as follows:
alb.ingress.kubernetes.io/waf-acl-id
- [new behavior] when this annotation is absent, existing WAFClassic WebACL(if any) on Application LoadBalancer won't be changed.
- [new behavior] when this annotation is set to 'none', existing WAFClassic WebACL(if any) on Application LoadBalancer will be disassociated.
- [unchanged behavior] when this annotation is set to any webACL ID, specified WAFClassic WebACL will be associated on Application LoadBalancer.
alb.ingress.kubernetes.io/wafv2-acl-arn
- [new behavior] when this annotation is absent, existing WAFv2 WebACL(if any) on Application LoadBalancer won't be changed.
- [new behavior] when this annotation is set to 'none', existing WAFv2 WebACL(if any) on Application LoadBalancer will be disassociated.
- [unchanged behavior] when this annotation is set to any webACL ID, specified WAFv2 WebACL will be associated on Application LoadBalancer.
alb.ingress.kubernetes.io/shield-advanced-protection
- [new behavior] when this annotation is absent, existing shield advanced protection(if any) on Application LoadBalancer won't be changed.
- [unchanged behavior] when this annotation is set to 'false', existing shield advanced protection(if name matches
managed by aws-load-balancer-controller
) on Application LoadBalancer will be disassociated. - [unchanged behavior] when this annotation is set to 'true', an new shield advanced protection with name(
managed by aws-load-balancer-controller
) will be created and associated with Application LoadBalancer.
Changelog since v2.8.1
What's Changed
- bump up go to 1.22.5 by @oliviassss in #3798
- keep LB addons' settings unchanged unless explicitly specified by @M00nF1sh in #3800
- cut v2.8.2 release by @M00nF1sh in #3802
Full Changelog: v2.8.1...v2.8.2
V2.8.1
v2.8.1 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.8.1
Thanks to all our contributors! 😊
What's new
Dependencies Upgrade:
controller-runtime
from 0.14.6 to v0.18.2k8s.io
deps from v0.26.x to v0.30.0
Bug fixes
- Fix the incompatibility with sidecar
restartPolicy
field for k8s 1.29+ - Fix the bug with mTLS feature, by having the controller return nil for
MutualAuthentication
if the feature is not enabled by cx explicitly. As this object is not supported by ELB API in outposts and local zones currently. - Restrict the
resolveViaVPCENIs()
to fargate nodes only
Enhancement
- helm chart enhancement: add
envFrom
parameter; addcreator
parameter to disable default helm labels - doc enhancement
Changelog since v2.8.0
What's Changed
- cut v2.8.1 release by @oliviassss in #3733
- fixed the mTLS bug (#3717, @shethyogita83)
- update the traffic test for ingress (#3725, @oliviassss)
- prevent controller runtime complaining about SetupLogger() was never called (#3724, @oliviassss)
- Update go to v1.22, controller-runtime dependency to v0.18.2, and kubernetes libs to v0.30.0(#3707, @larntz)
- restrict resolveViaVPCENIs to fargate only (#3709, @oliviassss)
- Added helm envFrom value parameter for cluster-name (#3683, @omerap12)
- feat: disable default helm labels (#3574, @darkweaver87)
- Removed extra slash to fix kubectl apply of crd command (#3638, @hyperbolic2346)
Full Changelog: v2.8.0...v2.8.1
v2.8.0
v2.8.0 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.8.0
Thanks to all our contributors! 😊
Action required
We have added certificateArn
and updated ipAddressType
fields in IngressClassParams, and added vpcID
field in TargetGroupBinding. If you are upgrading the charts using helm upgrade, you need to update CRDs manually kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"
ALB mTLS is now available in the China partition. We've updated the reference IAM policies to explicitly add the elasticloadbalancing:DescribeTrustStores
permission for describing the trust stores resources to use the new mTLS feature for ingresses on controller. If you want to use the ALB mTLS feature in China region, updating your controller IAM policies with the new permissions.
Whats new
- Support set the
certificateArn
for Ingress at the IngressClass level. This feature adds newcertificateArn
to the IngressClassParams Spec to configure the ARN of the certificates for all Ingresses that belong to IngressClass with this IngressClassParams. - Support public IPv4 disablement for dualstack customer. This feature adds new ipAddressType enum
dualstack-without-public-ipv4
to allow customers to provision load balancers without IPv4s for clients that can connect using just IPv6s. For example, users can choose a dualstack ALB without public IPv4 when setting up a new internet facing ALB, or switch to dualstack without public IPv4 for an existing internet facing ALB by specifyingalb.ingress.kubernetes.io/ip-address-type: dualstack-without-public-ipv4
. To set theipAddressType
for ingress at the IngressClass level, addipAddressType: dualstack-without-public-ipv4
to the IngressClassParams Spec. See AWS Launch What’s New Post about this feature. - Support optionally enforcing NLB security groups on PrivateLink traffic. This feature adds new annotation
aws-load-balancer-inbound-sg-rules-on-private-link-traffic
to configure whether to apply security group rules to traffic sent to the load balancer through AWS PrivateLink. - Support for TargetGroupBinding on targets outside the cluster's VPC. This feature adds
vpcID
to the TargetGroupBinding Spec to allow registration in target groups that are created with in a VPC that is different from the cluster VPC. If thevpcID
is unspecified, the controller will fetch the clustervpcID
by default. - Support for Specify Managed Prefix List for access control. This feature adds new annotation
alb.ingress.kubernetes.io/security-group-prefix-lists
andservice.beta.kubernetes.io/aws-load-balancer-security-group-prefix-lists
to ensure the security group attached to the load balancer can allow access from the specified Managed Prefix List. The annotation will be ignored ifalb.ingress.kubernetes.io/security-groups
orservice.beta.kubernetes.io/aws-load-balancer-security-groups
is present.
Enhancement and Fixes
- (Chart): Add additional service monitor functionality
- (Chart): Allow passing template values for clusterName, region and vpcId
- (Chart): Add RuntimeClassName
- (Chart) Support —load-balancer-class in Helm Chart
- Provide more customization options for the service mutator webhook
- Preserve loadBalancerClass on Service updates
Changelog since v2.7.2
- Restrict dual-stack-without-ipv4 e2e test to pdx only (#3700, @oliviassss)
- Add IPAddressTypeWithoutPublicIPV4 (#3693, @wweiwei-li)
- Add dual stack without public IPv4 IP Address type (#3688, @wweiwei-li)
- Add non-alphanumeric input validation test for vpcID and fix typo (#3687, @shraddhabang)
- [DOC] add KAT documentation (#3682, @ChuksGrinage)
- feat(chart): Added additional service monitor functionality (#3645, @stevehipwell)
- [helm chart] Allow passing template values for clusterName, region and vpcId (#3664, @adriananeci)
- Add validation for vpcID in tgb spec (#3663, @shraddhabang)
- feat(chart) : add RuntimeClassName (#3646, @LiuQhahah)
- upgrade x/net to v0.23.0 (#3659, @oliviassss)
- feat: Specify Managed Prefix List for access control (#3584, @yo-ga)
- Provide more customization options for the service mutator webhook (#3653, @diversario)
- Add DescribeTrustStores to IAM policy for China partition (#3662, @andreybutenko)
- Feature Support —load-balancer-class in Helm Chart (#3647, @yoonhyunwoo)
- Preserve loadBalancerClass on Service updates (#3641, @diversario)
- Add support for optionally enforcing NLB security groups on PrivateLi… (#3594, @wweiwei-li)
- Add certificateArn field to IngressClassParam(#3616, @Nezz7)
- feat: Support TargetGroupBinding on targets outside the cluster's VPC (#3479, @ikosenn)
- docs: ingress subnets annotation - clarify locale differences (#3579, @alebedev87)
v2.7.2
v2.7.2 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.7.2
Thanks to all our contributors! 😊
Enhancement and Fixes
- Feat : Allow ACM cert discovery to filter on CA ARNs
- Enhancement : Adding support for Availability Zone Affinity
- CVE patch for CVE-2024-24786
- Doc updates
Changelog since v2.7.1
- Update golang.org/protobuf version to fix CVE-2024-24786 (#3618, @shraddhabang)
- Adding support for Availability Zone Affinity (#3470, @alex-berger)
- update go version to mitigate CVE (#3615, @haouc)
- Repo controlled build go version (#3598, @xdu31)
- fix: new ca-filter causing expontentially more api-calls (#3608, @the-technat)
- Add example for NLB target-group-attributes to enable unhealthy target connection draining (#3577, @jukie)
- feat: allowed ACM cert discovery to filter on CA ARNs (#3565) (#3591, @the-technat)
- bump up controller-tools version to fix ci failure (#3580, @oliviassss)
- fix log level in listener manager and tagging manager (#3573, @oliviassss)