v2.13.2

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.13.2

This release fixes TLS Protocol detection:
#4183
#4181

v2.13.1

v2.13.1 (requires Kubernetes 1.22+)

[PLEASE USE v2.13.2]

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.13.1
Thanks to all our contributors! 😊

This release fixes the v2.13.0 release that contained a bug that erroneously published reconcile error metrics

v2.13.0

v2.13.0 (requires Kubernetes 1.22+)

[PLEASE USE v2.13.2]

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.13.0
Thanks to all our contributors! 😊

Action required

🚨 🚨 🚨

We’ve added new fields to the IngressClassParams CRD. Please apply the latest CRD definitions: kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

What’s new

• Improved Prometheus metrics!
  • Checkout the new Prometheus metrics. Their documentation can be found here. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.13/guide/metrics/prometheus. We hope this improves the ability to debug issues using the LBC and monitoring general trends. Please submit an issue if you think we missed an important metric to collect.
• Added support for ALB as a target of NLB to Service objects.
  • We are thrilled to add support for this highly requested, popular NLB / ALB feature. https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/
  • Check out the new annotations in the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.13/guide/ingress/annotations/#enable-frontend-nlb to get started.
• LBC now supports RAM shared VPCs
  • In the v2.12.0 release, LBC added support for cross account Target Groups. However, we missed some critical functionality to support Target Groups using RAM shared VPCs.
  • Using https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.13/guide/targetgroupbinding/targetgroupbinding/#assumerole should seamlessly work for peered and RAM shared VPCs.
• LBC now supports TCP_UDP type Listeners and TargetGroups.
  • TCP_UDP is a popular listener type for AWS NLB, which allows serving both TCP and UDP from the same port. We have backfilled this feature into the LBC.
  • You can enable this feature by specifying a service with TCP and UDP protocols on the same port.
  • In order to enable the feature, please enable the LBC feature flag EnableTCPUDPListener or specify individual services to enable the feature by using the annotation service.beta.kubernetes.io/aws-load-balancer-enable-tcp-udp-listener
• The LBC now supports a very basic Gateway API implementation
  • We have implemented a basic Gateway for both ALB and NLB.
  • See the documentation here https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.13/guide/gateway/gateway/

Enhancement and Fixes

• Added more customization options (TargetType, PrefixListsIDs) to the IngressClassParams CRD.
• Allow for setting PPv2 header at per target group level.
• Refactored Subnet discovery to make LB creation easier.
• Updated to Go 1.24.2 and AL2023 base image to resolve security vulnerabilities.
• Lots of documentation and logging fixes!

Changelog since v2.12.0

• Bump version to 2.13, add documentation for Gateway API (4169, @zac-nixon)
• [gw api] gateway class reconciler, config generation (4163, @zac-nixon)
• [feat gw-api] add support for capacity reservation and add simple logic to process lb configuration (4162, @shuqz)
• Add certs discovery (4159, @wweiwei-li)
• Add support for TCP_UDP to NLB TargetGroups and Listeners (4161, @lyda, @amorey, @zac-nixon)
• [feat: gw api] Add common listener config for gateway api (4160, @shraddhabang)
• bug: fix misformated crd url in CRD cleanup (4157, @Issacwww)
• [feat:gw-api] add support for ServiceExternalTrafficPolicyLocal (4156, @shuqz)
• [feat: gw-api] Creating Target Group + TGB from Gateway spec (4150, @zac-nixon)
• [feat: gw api] Add eventhandler for the gateway resource (4149, @shraddhabang)
• Enable frontend NLB (4126, @wweiwei-li)
• [feat: gw api] subnet discovery that works for both ALB / NLB (4137, @zac-nixon)
• support cli flag to enable manage backend SG rules for ALB (4145, @shuqz)
• chore: change tgb field to lowercase everywhere to avoid logs dropped due to conflict in OS/ES (4143, @94DanielBrown)
• Add TargetType field to IngressClassParams (4029, @mikutas)
• Update security_groups.md (4120, @tucktuck9)
• Update configurations.md (4120, @tucktuck9)
• fix bug in subnet resolver (4114, @M00nF1sh)
• Allow the same certificate to be specified for both the default and SNI certificate (4113, @u-kai)
• Allow override of Certificate resource fields for duration of webhook certs (4105, @usamaahmadkhan)
• Merge pull request #4109 from M00nF1sh/subnet-reachability (4109, @M00nF1sh)
• Update Go to version 1.24.1, update base image to AL2023 (4104, @kellyyan)
• docs: fix broken link to targetgroupbinding CRD page (4101, @ariyonaty)
• Add prometheus metrics (4056, @wweiwei-li)
• [bug fix] handle ram shared VPCs for cross account tgb (4095, @zac-nixon)
• Add PrefixListsIDs field to IngressClassParams (3860, @gdlx)
• Added support for setting Proxy protocol per target group based on ServicePort (4079, @pthak94)
• Added example for multiple certificates to Service annotation (4078, @raghu-manne)
• service healthcheck timeout doc (3945, @phuhung273)
• add missing targets field to de/registered targets log (3898, @applike-ss)

v2.12.0

v2.12.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.12.0
Thanks to all our contributors! 😊

Action required

🚨 🚨 🚨

In v2.12.0, we have changed the default policy of the LBC webhook from Fail to Ignore in order to improve disaster recovery. See our documentation for how to change the policy back to Fail if you want better guarantees for having readiness gates getting attached to your pods.

We’ve added new fields to both the IngressClassParams and
TargetGroupBinding. Please apply the latest CRD definitions: kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

AWS ALB now supports integrating with AWS VPC IPAM (ec2:DescribeIpamPools, elasticloadbalancing:ModifyIpPools). We also have added new IAM permissions (elasticloadbalancing:SetRulePriorities) in order to effectively manage your ALB listener rules. We've updated the reference IAM policies to explicitly add new permissions to allow for usage of the features.

What’s new

• Support AWS VPC IPAM with Application Load Balancers.
  • Application Load Balancer (ALB) now supports BYOIP (Bring your own IP) utilizing AWS VPC IP Manager.
• Application Load Balancer now supports Advertise CA when using mTLS.
  • When you enable Advertise CA subject names, the Application Load Balancer will advertise the list of Certificate Authorities (CAs) subject names that it trusts, based on the trust store it's associated with. When a client connects to a target through the Application Load Balancer, the client receives the list of trusted CA subject names.
• NLB now supports path discovery using ICMP.
  • It might be necessary for some environments to allow Path MTU discovery for negotiation of MTU between two hosts. If a receiving host has a smaller MTU than the sending host, the receiving host sends an ICMP message to instruct the sending host to split the payload into multiple smaller packets and retransmit them. This work introduces a Service annotation that when configured, will automatically add a security group rule to the managed security group, depending on the IP address type.
• The LBC now supports registering targets in cross account target groups.
  • You can now use the iamRoleArnToAssume field in the TargetGroupBinding CRD to allow for registration and deregistration of IP targets into Target Groups outside the account that owns the cluster.
• The LBC now supports multiple references to the same Target Group.
  • In previous releases there was an enforced 1-1 mapping of TargetGroupBinding to Target Group. v2.12.0 removes this limitation if the MultiCluster flag is set on each binding.

Enhancement and Fixes

• ListenerRule modification have been refactored to allow for no downtime changes to routing rules.
• SG ingress and egress rule modifications are re-ordered to prevent outage on mis-configured SG setting.
• Fixed a bug that prevented the controller from setting Dualstack mode.
• Used better metric buckets for publishing readiness gate latency.
• Added support for karpenter.sh/disrupted:NoSchedule taint to improve application availability during node patching and scaling.

Changelog since v2.11.0

• Add ALB IPAM Support (#4081, @zac-nixon)
• Update rule management to avoid sporadic 503 errors (#4039, @shraddhabang)
• Fix TGB webhook error message to report changes to immutable field (#4070, @maruina)
• Do not render .spec.replicas if Autoscaling is Enabled (#4059, @sherifabdlnaby)
• add toggle to adjust failurePolicy of pod webhook and documentations (#4063, @M00nF1sh)
• [feat] allow multiple targetgroupbindings to reference same tg arn if using multicluster mode (#4021, @zac-nixon)
• Checking for taint karpenter.sh/disrupted:NoSchedule while checking if node is suitable to handle traffic. (#4022, @kahirokunn)
• Added ISO Policy for iso-e and iso-f in example docs, and updated integration test script based on testing already done (#4032, @orsenthil)
• TargetGroupBindings can now manipulate target groups from different aws accounts (#3691, @marcosdiez)
• bug fix: use reasonable buckets for readiness gate flip metrics (#4001, @zac-nixon)
• Fix CVE-2024-45338 - golang.org/x/net (#4010, @shraddhabang)
• bug fix: try SG permission add prior to revoke (#3952, @zac-nixon)
• fix(helm): change topologySpreadConstraints default value (#3983, @yann-soubeyrand)
• fix: Cannot set the IPv6 addresses in dualstack mode during modification (#3959, @wweiwei-li)
• feat: add advertise ca for mtls listener (#3974, @zac-nixon)
• feat(NLB): Introduce Service annotation to allow ICMP for Path MTU Discovery (#3939, @chriswachira)

v2.11.0

v2.11.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.11.0
Thanks to all our contributors! 😊

Action required

🚨 🚨 🚨 We’ve added new fields for capacity unit reservation on IngressClassParams. We’ve also added the targetGroupName field to the TargetGroupBinding which users can set in order to fetch targetGroup by Name instead or ARN. Make sure to update the CRD definition in your cluster. If you're upgrading the charts using helm upgrade, you need to update CRDs manually: kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

We've updated the reference IAM policies to explicitly add the elasticloadbalancing:DescribeCapacityReservation and elasticloadbalancing:ModifyCapacityReservation permissions for describing and modifying capacity reservation. Please be sure to apply the latest IAM policy when upgrading.

What’s new

• Support Load balancer Capacity Unit Reservation for ALB and NLBs.
  • Application Load Balancer (ALB) and Network Load Balancer (NLB) now support Load Balancer Capacity Unit (LCU) Reservation that allows you to proactively set a minimum capacity for your load balancer, complementing its existing ability to auto-scale based on your traffic pattern. For more info checkout what’s new post.

Enhancement and Fixes

• Add support to set the default load balancer scheme at the controller level
• TargetGroupBinding now support targetGroupName
• Bug fix: EnablePrefixForIpv6SourceNat is only applicable to NLB

Changelog since v2.10.1

• fix failing test (#3976, @zac-nixon)
• Update owners of the project (#3975, @shraddhabang)
• fix: EnablePrefixForIpv6SourceNat is only applicable to NLB (#3958, @wweiwei-li)
• Add support for capacity unit reservation for load balancers (#3950, @shraddhabang)
• Add —default-load-balancer-scheme command line flag (#3908, @phuhung273)
• TargetGroupBinding now support targetGroupName - #2655 refresh (#3903, @fatmcgav)

v2.10.1

v2.10.1 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.10.1
Thanks to all our contributors! 😊

What's new

• Supports HTTP and HTTPS listener attributes on load balancers.
  • Application Load Balancer (ALB) now supports HTTP request and response header modification giving you greater controls to manage your application’s traffic and security posture without having to alter your application code. For more information checkout what’s new post and the ALB document.

Enhancement and Fixes

• Use pod target namespace to get pod info from repo when resolving endpoint.
• Remove sort by ID so that EIP allocations and subnet ID order is respected.
• [Doc] fixed documentation styling for Support UDP-based services over IPv6.
• Publish internal controller metrics, such as target register time.
• Trim control characters from OIDC secret

Changelog since v2.10.0

• enable http and https listener attributes (#3948, @wweiwei-li)
• FEAT: LBC metric collector (#3941, @zac-nixon)
• fix: use pod target namespace to get pod info from repo when resolving endpoint (#3914, @Revolution1)
• [BUG FIX] trim control characters from secret to prevent newlines in client secret (#3936, @zac-nixon)
• Fix: order must match specified subnets (#3925, @wweiwei-li)
• fixed documentation styling for Support UDP-based services over IPv6 (#3928, @shethyogita83)

Full Changelog: v2.10.0...v2.10.1

v2.10.0

v2.10.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.10.0
Thanks to all our contributors!

Action required

🚨 🚨 🚨 We’ve added the multiClusterTargetGroup field to the TargetGroupBinding which users can set in order to share target groups among different Kubernetes clusters. Make sure to update the CRD definition in your cluster. If you're upgrading the charts using helm upgrade, you need to update CRDs manually: kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

ELB has updated their managed policy to include ec2:GetSecurityGroupsForVpc. We have updated the Load Balancer Controller policy to reflect that change. Please be sure to apply the latest IAM policy when upgrading.

What’s new

• AWS Load Balancer Controller now supports MultiCluster target groups. This mode allows users to share target groups among multiple clusters, enabling a wide variety of use cases. For more information checkout the use case documentation
• We’ve added support SageMaker HyperPod clusters. Users can now install the Load Balancer Controller into SageMaker HyperPod clusters in order to get integration with AWS ELB.
• We’ve added integration with a new ELB feature that allows configuring sourceNAT for Dualstack NLBs to allow UDP traffic over IPv6.

Enhancement and Fixes

• Update shield integration to use in-region endpoint rather then always using us-east-1.
• (docs) Fix TLS Ingress annotation documentation for Security policy
• (docs) Fix configuration documentation typos
• (docs) Fix external-dns routing policies link
• Add new ec2:GetSecurityGroupsForVpc permission to LBC policy.

Changelog since v2.9.2

• UDP Support over IPv6 via Dualstack NLBs using SourceNAT configurations (#3926)
• Refactor aws cloud service and introduce a client provider (#3895)
• New Feature: Multi Cluster TargetGroupBinding (#3853)
• add sagemaker-hyperpod compute type to resolve its pods via VPC ENI (#3886)
• Fixed documentation typos (#3885)
• Fix alphabetic order in CRD for verify CRD to run (#3911)
• chore(docs): fix external-dns routing policies link (#3893)
• fix(docs): Update the link to the AWS documentation for the TLS Ingress annotation for Security policy (#3876)
• update the region of shield api (#3920)
• add ec2:GetSecurityGroupsForVpc to account for ELB API changes (#3921)
• BUG FIX: fix log message when target group and cluster are in different VPCs (#3924)

v2.9.2

v2.9.2 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.9.2
Thanks to all our contributors! 😊

Action required

N/A

What’s New

N/A

Enhancement and Fixes

• Fixes the controller crash due to enabling shield protection on ingress while creation
• Skips newly added listener attributes reconcile for iso regions.

ChangeLog since v2.9.0

• Skip listener attributes reconcile for Isolated regions (#3884, @wweiwei-li)
• Fix controller crash due enabling shield protection after AWSSDKGoV2 upgrade (#3896, @shraddhabang)

v2.9.1

v2.9.1 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.9.1
Thanks to all our contributors! 😊

Action required

🚨 🚨 🚨 The v2.9.1 contains a bug which will crash controllers with the account subscribed to AWS shield advanced service as described in #3888, please upgrade to v2.9.2+ for the bug fix if your account has subscribed to AWS shield and your controller has shield service enabled.

What’s New

• AWS Load Balancer Controller now implements a deferral queue for TargetGroupBindings that change rarely. This means that during leadership failover, the controller will immediately work on target groups that have had their membership change. Previously, the controller would try to reconcile all target groups which could delay potential changes if the cluster had many TargetGroupBindings. This new deferral queue will detect TargetGroupBindings without any change and choose to reconcile them at a slower pace in the future, prioritizing TargetGroupBindings that have changed since the last reconcile cycle.

Enhancement and Fixes

• Slow start containers should be more responsive to pod readiness checks. Previously, the controller could back-off for up to 16 minutes for checking the container readiness state. Now the controller will use a static 15 second delay to continually ensure your containers have started.
• Implement a deferral queue to sideline TargetGroupBindings without a recent change.

ChangeLog since v2.9.0

• Feature: Deferred queue for no-op TGB (#3861)

v2.9.0

v2.9.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.9.0
Thanks to all our contributors! 😊

Action required

🚨 🚨 🚨 The v2.9.0 contains a bug which will crash controllers with the account subscribed to AWS shield advanced service as described in #3888, please upgrade to v2.9.2+ for the bug fix if your account has subscribed to AWS shield and your controller has shield service enabled.
We've added a listenerAttributes field to IngressClassParams to support listener attributes for load balancers in the future. Note that there are no listener attributes supported on Application Load Balancers (ALBs) yet. Therefore, this field is currently not used. However, updating CRDs is necessary for future compatibility. If you're upgrading the charts using helm upgrade, you need to update CRDs manually: kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

AWS NLB now supports configurable TCP idle timeout. We've updated the reference IAM policies to explicitly add the elasticloadbalancing:DescribeListenerAttributes and elasticloadbalancing:ModifyListenerAttributes permissions for describing and modifying this listener attribute for NLB's TCP listener resources on controller.

What's new

• AWS Load Balancer Controller now uses the new AWS SDK Go v2 version. The v2 SDK is designed to make API calls more efficiently, leading to improved performance in your applications. It comes with built-in retry mechanisms which will help us retrying the requests less aggressively. It also includes a variety of built-in backoff strategies, such as exponential backoff. These strategies help to avoid overwhelming the AWS service and give it time to recover from temporary errors.
• Supports listener attributes on load balancers.
  • AWS Network Load Balancer (NLB) now supports configurable TCP idle timeout. This allows you to align the TCP idle timeout value of NLB with clients and target applications. This capability can help reduce TCP connection retries and latency in applications that use long-lived flows, such as telemetry reporting devices, databases, streaming services, and ERP systems.
• Support for allowing multiple security groups with the same Name tag to be resolved for load balancers. The old implementation incorrectly assumed a one-to-one mapping between security group names. This fix allows multiple security groups with the same name to be resolved and attached to load balancers, providing flexible configurations and avoiding errors.
• Support for identifying VPC by tags using a new runtime argument. This is helpful when access to AWS metadata is blocked and the VPC ID is unknown at deploy time.

Enhancement and Fixes

• (Chart): Allow disabling ingress validation via helm flag
• Migrate AWS SDK GO V1 to V2.
• Support vpc- in target group binding vpc-id validation
• Set klog logger to harmonize logging format

Changelog since v2.8.3

• Use the documented .Capabilities.KubeVersion.Version built-in value in the hpa template (#3766, @prasadkatti)
• Migrate aws sdk go v1 to v2 (#3844, @shraddhabang)
• Support listener attributes (#3843, @, @wweiwei-li)
• feat: support vpc- in target group binding vpc-id validation (#3845, @khizunov)
• Allow disabling ingress validation via helm flag (#3847, @sarevalo2002)
• fix: Set klog logger to harmonize logging format (#3833, @mycrEEpy)
• Doc: Fix markdown table (#3832, @linoleparquet)
• [Doc] Update cert-manager GitHub URL (#3842, @capytan)
• bump up base image version (#3854, @oliviassss)
• update mkdocs dependencies (#3803, @M00nF1sh)
• Allow multiple SGs with the same Name tag(#3775, @alloveras)
• Fetch VPC ID from runtime using VPC tags provided via controller flags (#3656, @jeswinkoshyninan)

Full Changelog: v2.8.3...v2.9.0