
Releases: kubernetes-sigs/aws-load-balancer-controller

v2.8.0

17 May 23:43
6afa404

v2.8.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.8.0
Thanks to all our contributors! 😊

Action required

We have added a certificateArn field and updated the ipAddressType field in IngressClassParams, and added a vpcID field to TargetGroupBinding. helm upgrade does not update CRDs, so if you are upgrading the chart with helm upgrade you need to apply the updated CRDs manually: kubectl apply -k https://github.com/aws/eks-charts/blob/master/stable/aws-load-balancer-controller/crds/crds.yaml

ALB mTLS is now available in the China partition. We've updated the reference IAM policies to explicitly add the elasticloadbalancing:DescribeTrustStores permission, which the controller needs in order to describe trust store resources when the mTLS feature is used for ingresses. If you want to use the ALB mTLS feature in a China region, update your controller IAM policy with the new permission.

What's new

  • Support setting certificateArn for Ingresses at the IngressClass level. This feature adds a new certificateArn field to the IngressClassParams spec to configure the ARNs of the certificates used by all Ingresses that belong to an IngressClass with this IngressClassParams.
  • Support disabling public IPv4 for dualstack customers. This feature adds the new ipAddressType enum value dualstack-without-public-ipv4, which lets customers provision load balancers without public IPv4 addresses for clients that can connect over IPv6 only. For example, users can choose a dualstack ALB without public IPv4 when setting up a new internet-facing ALB, or switch an existing internet-facing ALB to dualstack without public IPv4, by specifying alb.ingress.kubernetes.io/ip-address-type: dualstack-without-public-ipv4. To set the ipAddressType for Ingresses at the IngressClass level, add ipAddressType: dualstack-without-public-ipv4 to the IngressClassParams spec. See the AWS What's New post about this feature.
  • Support optionally enforcing NLB security groups on PrivateLink traffic. This feature adds the new annotation aws-load-balancer-inbound-sg-rules-on-private-link-traffic to configure whether security group rules are applied to traffic that reaches the load balancer through AWS PrivateLink.
  • Support TargetGroupBinding for targets outside the cluster's VPC. This feature adds vpcID to the TargetGroupBinding spec to allow registration into target groups created in a VPC different from the cluster VPC. If vpcID is unspecified, the controller falls back to the cluster VPC ID.
  • Support specifying a Managed Prefix List for access control. This feature adds the new annotations alb.ingress.kubernetes.io/security-group-prefix-lists and service.beta.kubernetes.io/aws-load-balancer-security-group-prefix-lists so that the security group attached to the load balancer allows access from the specified Managed Prefix List. The annotation is ignored if alb.ingress.kubernetes.io/security-groups or service.beta.kubernetes.io/aws-load-balancer-security-groups is present, i.e. when you bring your own frontend security group the controller does not manage its inbound rules.
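The v2.8.0 fields and annotations above, combined in one added example (these manifests are not from the project's documentation or release): an IngressClassParams that pins the certificate and address type for every Ingress in the class, an Ingress in that class whose auto-created security group admits only a managed prefix list, a TargetGroupBinding that registers IP targets in a peered VPC, and an NLB Service that restricts inbound traffic to a prefix list and also applies those rules to PrivateLink traffic. ARNs, VPC, prefix-list and security-group IDs, names and namespaces are placeholders. The full annotation key for the PrivateLink setting and its "on" value are assumed from the controller's Service annotation naming convention and are not stated on this page; the listen-ports, nlb-target-type and scheme annotations and the loadBalancerClass value are pre-existing controller settings that this page does not itself list.

```yaml
# Added example; all ARNs, IDs and names below are placeholders.
apiVersion: elbv2.k8s.aws/v1beta1
kind: IngressClassParams
metadata:
  name: ipv6-only-edge
spec:
  scheme: internet-facing
  # v2.8.0: no public IPv4 on the ALB; only IPv6 clients can reach it.
  ipAddressType: dualstack-without-public-ipv4
  # v2.8.0: certificate ARNs applied to every Ingress in the class, so a
  # per-Ingress annotation cannot swap in an arbitrary certificate.
  certificateArn:
    - arn:aws:acm:us-west-2:111122223333:certificate/11111111-2222-3333-4444-555555555555
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: ipv6-only-edge
spec:
  controller: ingress.k8s.aws/alb
  parameters:
    apiGroup: elbv2.k8s.aws
    kind: IngressClassParams
    name: ipv6-only-edge
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  namespace: prod
  annotations:
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]'
    # v2.8.0: inbound rule on the auto-created frontend SG references the
    # prefix list instead of hard-coded CIDRs. Ignored if
    # alb.ingress.kubernetes.io/security-groups is also set.
    alb.ingress.kubernetes.io/security-group-prefix-lists: pl-0123456789abcdef0
spec:
  ingressClassName: ipv6-only-edge
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app
                port:
                  number: 8080
---
apiVersion: elbv2.k8s.aws/v1beta1
kind: TargetGroupBinding
metadata:
  name: app-cross-vpc
  namespace: prod
spec:
  serviceRef:
    name: app
    port: 8080
  targetType: ip
  targetGroupARN: arn:aws:elasticloadbalancing:us-west-2:111122223333:targetgroup/app/0123456789abcdef
  # v2.8.0: the target group lives in a peered VPC, not the cluster VPC.
  # Leave vpcID out and the controller uses the cluster VPC.
  vpcID: vpc-0abc1234def567890
---
apiVersion: v1
kind: Service
metadata:
  name: nlb-app
  namespace: prod
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-scheme: internal
    # v2.8.0: same prefix-list control for the NLB frontend SG.
    service.beta.kubernetes.io/aws-load-balancer-security-group-prefix-lists: pl-0123456789abcdef0
    # v2.8.0: also enforce the SG rules on PrivateLink traffic
    # (full annotation key and "on" value are assumptions, see lead-in).
    service.beta.kubernetes.io/aws-load-balancer-inbound-sg-rules-on-private-link-traffic: "on"
spec:
  type: LoadBalancer
  loadBalancerClass: service.k8s.aws/nlb
  selector:
    app: app
  ports:
    - port: 443
      targetPort: 8443
```

Apply the CRD update from the "Action required" note before these manifests, or the API server will reject the new certificateArn, ipAddressType and vpcID values against the old schema.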

Enhancement and Fixes

  • (Chart): Add additional service monitor functionality
  • (Chart): Allow passing template values for clusterName, region and vpcId
  • (Chart): Add RuntimeClassName
  • (Chart): Support --load-balancer-class in Helm chart
  • Provide more customization options for the service mutator webhook
  • Preserve loadBalancerClass on Service updates

Changelog since v2.7.2

v2.7.2

22 Mar 22:10
fb64603

v2.7.2 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.7.2
Thanks to all our contributors! 😊

Enhancement and Fixes

  • Feat: Allow ACM cert discovery to filter on CA ARNs
  • Enhancement: Add support for Availability Zone Affinity
  • CVE patch for CVE-2024-24786
  • Doc updates

Changelog since v2.7.1

v2.7.1

09 Feb 19:10
f689bbd

v2.7.1 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.7.1
Thanks to all our contributors! 😊

Enhancement and Fixes

  • Introduced caches for ELB resource tags, which should improve Ingress/Service reconcile performance when there is a large number of ALBs/NLBs in the VPC. (Note: if the controller has internet access, enabling the feature flag EnableRGTAPI should provide even better performance.)
  • Added the ability to configure ServiceTargetENISGTags in the Helm chart.

Changelog since v2.7.0

v2.7.0

01 Feb 02:37
ed00c81

v2.7.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.7.0
Thanks to all our contributors! 😊

Action required

We've updated the reference IAM policies to explicitly add the elasticloadbalancing:DescribeTrustStores permission, which the controller needs in order to describe trust store resources when configuring the new mTLS feature on Ingress listeners. We recommend updating the controller IAM policy of existing installations with the new permission as well.

What's new

  • Introducing support for mTLS (Mutual Transport Layer Security) on Ingress through the AWS Load Balancer Controller. It delivers mTLS by integrating trust stores into listener management: users set the desired mTLS mode and provide the name or ARN of an existing trust store (created through the CLI or console) through new Ingress annotations. To use this feature, you need to update the controller IAM policy to add the elasticloadbalancing:DescribeTrustStores permission.
  • Add a controller flag --service-target-eni-security-group-tags that lets users specify additional tags the controller matches when looking up the security group to which it adds ingress rules for NLB targets.
  • Add a default readiness probe for the controller. Note that installing older image tags with the latest Helm chart version (1.7.0 or later) will fail because of this new readiness probe.
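The mTLS feature described above, as an added example that is not from this page or the project: an Ingress whose HTTPS listener verifies client certificates against an existing trust store. The annotation key alb.ingress.kubernetes.io/mutual-authentication, its port/mode/trustStore fields and the mode names verify and passthrough are taken from the controller's documentation rather than from this page, so treat them as an assumption to check against the docs for your version; ARNs and names are placeholders. The controller's IAM role must carry elasticloadbalancing:DescribeTrustStores, as the note above says, or reconciliation of this listener fails.

```yaml
# Added example; ARNs are placeholders. The annotation key and its JSON
# fields are assumed from the controller's Ingress annotation docs.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mtls-api
  namespace: prod
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS": 443}]'
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:111122223333:certificate/11111111-2222-3333-4444-555555555555
    # mode "verify": the ALB validates the client certificate chain against
    # the trust store (a CA bundle registered via CLI/console) and rejects
    # the handshake otherwise. "passthrough" only forwards the certificate
    # to the backend, which must then do its own validation; "off" disables
    # mTLS on the listener. The trust store may be given by name or ARN.
    alb.ingress.kubernetes.io/mutual-authentication: '[{"port": 443, "mode": "verify", "trustStore": "arn:aws:elasticloadbalancing:us-west-2:111122223333:truststore/prod-clients/0123456789abcdef"}]'
spec:
  ingressClassName: alb
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 8443
```

Verify mode is the safe default for an internet-facing listener: with passthrough, an attacker who can reach the backend without going through the ALB can present any certificate header, so the backend has to validate the chain itself.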

Enhancement and Fixes

  • Support for EKS pod identities
  • Helm chart enhancements: add webhook readiness check; add revisionHistoryLimit
  • Helm chart field to enable HPA. The main purpose of enabling HPA is to survive load-induced failures of calls to the aws-load-balancer-webhook-service
  • Documentation enhancements

Changelog since v2.6.2

v2.6.2

27 Oct 21:45
5e07dce

v2.6.2 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.6.2
Thanks to all our contributors! 😊

Enhancement and Fixes

  • Expose ingress configuration options for missing backends
  • Feat: resolve health check port name for NLB
  • Don't block TGB reconciliation loop on failed SG ingress reconciliation
  • CVE patch for CVE-2023-3978, CVE-2023-39325
  • Doc updates

Changelog since v2.6.1

v2.6.1

12 Sep 20:59
5a5885b

v2.6.1 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.6.1
Thanks to all our contributors! 😊

Fixes

Changelog since v2.6.0

v2.6.0

10 Aug 18:35
b805cc2

v2.6.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.6.0
Thanks to all our contributors! 😊

Enhancement

  • Added security group support for NLB. With security groups, NLB traffic can be forwarded to the EC2 instances without opening the instances up for global access. For backwards compatibility, existing NLBs and NLBs created without security groups keep the legacy behavior. As with ALB, there are two sets of SGs for NLB, frontend and backend:
    • The controller automatically creates and attaches the frontend SG to the provisioned NLB and adds rules for inbound-cidrs and listen-ports. Users who want to attach an existing frontend SG to the NLB can specify it explicitly via the annotation service.beta.kubernetes.io/aws-load-balancer-security-groups
    • The backend SG controls the traffic between the NLB and the EC2 instances/ENIs and is attached to the NLB alongside the frontend SG. With an auto-generated frontend SG, the controller automatically adds Node/ENI SG rules to allow traffic from the NLB. Rule management is disabled by default when the frontend SG is specified via annotation. The annotation service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: true/false configures the controller's management of backend SG rules regardless of the frontend SG type
  • Improved ingress cert auto-discovery to discover more key algorithms from ACM:
    • KeyAlgorithmRsa1024
    • KeyAlgorithmRsa2048
    • KeyAlgorithmRsa3072
    • KeyAlgorithmRsa4096
    • KeyAlgorithmEcPrime256v1
    • KeyAlgorithmEcSecp384r1
    • KeyAlgorithmEcSecp521r1
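The two NLB security-group models above, as an added example (these are not the project's own manifests): one Service that relies on the auto-created frontend SG and restricts it with loadBalancerSourceRanges, and one that brings its own frontend SG and explicitly turns backend rule management back on. SG IDs, CIDRs and names are placeholders; the nlb-target-type and scheme annotations and the loadBalancerClass value are standard controller settings not listed on this page.

```yaml
# Added example; SG IDs and CIDRs are placeholders.
# 1) Auto-created frontend SG: the controller creates it, adds inbound rules
#    for the listen ports from loadBalancerSourceRanges, and manages the
#    Node/ENI backend rules that admit traffic from the NLB.
apiVersion: v1
kind: Service
metadata:
  name: payments-auto-sg
  namespace: prod
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-scheme: internal
spec:
  type: LoadBalancer
  loadBalancerClass: service.k8s.aws/nlb
  # Only these CIDRs reach the listener; leave it out and the controller
  # falls back to its default inbound-cidrs, which admit all sources.
  loadBalancerSourceRanges:
    - 10.20.0.0/16
    - 10.30.0.0/16
  selector:
    app: payments
  ports:
    - port: 443
      targetPort: 8443
---
# 2) Bring-your-own frontend SG: the inbound rules on sg-... are yours to
#    manage. Because a frontend SG is specified, the controller stops managing
#    backend SG rules by default, so either re-enable that explicitly (below)
#    or authorise the NLB's SG on the Node/ENI SGs yourself; otherwise health
#    checks and client traffic are dropped at the targets.
apiVersion: v1
kind: Service
metadata:
  name: payments-byo-sg
  namespace: prod
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: ip
    service.beta.kubernetes.io/aws-load-balancer-scheme: internal
    service.beta.kubernetes.io/aws-load-balancer-security-groups: sg-0123456789abcdef0
    service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: "true"
spec:
  type: LoadBalancer
  loadBalancerClass: service.k8s.aws/nlb
  selector:
    app: payments
  ports:
    - port: 443
      targetPort: 8443
```

The practical check after applying either Service: the Node or pod ENI security group should contain an inbound rule on the target port whose source is the NLB's backend SG, and no wider rule. If the rule is missing after a bring-your-own deployment, the manage-backend-security-group-rules annotation was most likely left at its default.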

Fixes

  • Fixed the race condition in pod cache and endpoint resolver
  • Made the ingress validating webhook ignore ingresses that are not managed by AWS LBC
  • Fixed typo in doc

Changelog since v2.5.4

v2.5.4

12 Jul 23:54
fd1bbbb

v2.5.4 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.5.4
Thanks to all our contributors! 😊

Fixes

  • Fixed a bug in the event handler that ignored the update event triggered by --sync-period and prevented auto-reconciliation by the controller. From this version, the controller reconciles all resources at the default interval of 10 hours even when the manifests have not changed. For more information, refer to the docs

Changelog since v2.5.3

v2.5.3

23 Jun 00:25
940efc7

v2.5.3 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.5.3
Thanks to all our contributors! 😊

Enhancement

  • Update go dependencies and base image to address CVEs
  • Drop the support for policy/v1beta1 of PodDisruptionBudget, since the k8s 1.22+ supports policy/v1
  • Drop the support for cert-manager.io/v1alpha2, and explicitly set to cert-manager.io/v1

Fixes

  • Update k8s.io/client-go to v0.26.5 to fix the prometheus-adapter issue that causes client-go to crash on k8s 1.27

Changelog since v2.5.2

v2.5.2

20 May 00:00
ba7df31

v2.5.2 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.5.2

Thanks to all our contributors! 😊

Enhancement

  • Added support for the AWS Resource Groups Tagging (RGT) API, which can be enabled via the feature flag EnableRGTAPI (disabled by default). This lets the tagging manager use the RGT API to find matching load balancer and target group resources, which helps when there are numerous resources. The RGT feature is not available for private clusters. If you intend to enable it, you need to do the following:
    • set --feature-gates=EnableRGTAPI=true on the controller command line, or the Helm value --set controllerConfig.featureGates.EnableRGTAPI=true during chart install/upgrade
    • add the following statement to the IAM policy used by the controller:
      {
        "Effect": "Allow",
        "Action": [
          "tag:GetResources"
        ],
        "Resource": "*"
      }
    
  • Refactor backend SG provider, controller deletes backend SG when not required without waiting for all ingresses to be deleted.

Fixes

  • Check both sdkLS and resLS sslpolicy for nil when updating extra certs for listeners

Changelog since v2.5.1