Releases: kubernetes-sigs/aws-load-balancer-controller
v2.10.0
v2.10.0 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.10.0
Thanks to all our contributors!
Action required
🚨 🚨 🚨 We’ve added the multiClusterTargetGroup field to the TargetGroupBinding which users can set in order to share target groups among different Kubernetes clusters. Make sure to update the CRD definition in your cluster. If you're upgrading the charts using helm upgrade, you need to update CRDs manually: kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"
ELB has updated their managed policy to include ec2:GetSecurityGroupsForVpc. We have updated the Load Balancer Controller policy to reflect that change. Please be sure to apply the latest IAM policy when upgrading.
What’s new
- AWS Load Balancer Controller now supports MultiCluster target groups. This mode allows users to share target groups among multiple clusters, enabling a wide variety of use cases. For more information, check out the use case documentation.
- We've added support for SageMaker HyperPod clusters. Users can now install the Load Balancer Controller into SageMaker HyperPod clusters to get integration with AWS ELB.
- We've added integration with a new ELB feature that configures SourceNAT on dualstack NLBs so that UDP traffic can be served over IPv6.
Enhancement and Fixes
- Update Shield integration to use the in-region endpoint rather than always using us-east-1.
- (docs) Fix TLS Ingress annotation documentation for Security policy
- (docs) Fix configuration documentation typos
- (docs) Fix external-dns routing policies link
- Add new ec2:GetSecurityGroupsForVpc permission to LBC policy.
Changelog since v2.9.2
- UDP Support over IPv6 via Dualstack NLBs using SourceNAT configurations (#3926)
- Refactor aws cloud service and introduce a client provider (#3895)
- New Feature: Multi Cluster TargetGroupBinding (#3853)
- add sagemaker-hyperpod compute type to resolve its pods via VPC ENI (#3886)
- Fixed documentation typos (#3885)
- Fix alphabetic order in CRD for verify CRD to run (#3911)
- chore(docs): fix external-dns routing policies link (#3893)
- fix(docs): Update the link to the AWS documentation for the TLS Ingress annotation for Security policy (#3876)
- update the region of shield api (#3920)
- add ec2:GetSecurityGroupsForVpc to account for ELB API changes (#3921)
- BUG FIX: fix log message when target group and cluster are in different VPCs (#3924)
v2.9.2
v2.9.2 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.9.2
Thanks to all our contributors! 😊
Action required
N/A
What’s New
N/A
Enhancement and Fixes
- Fixes the controller crash caused by enabling Shield protection on an Ingress during creation.
- Skips the newly added listener attributes reconcile for isolated regions.
ChangeLog since v2.9.0
- Skip listener attributes reconcile for Isolated regions (#3884, @wweiwei-li)
- Fix controller crash due to enabling shield protection after AWSSDKGoV2 upgrade (#3896, @shraddhabang)
v2.9.1
v2.9.1 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.9.1
Thanks to all our contributors! 😊
Action required
🚨 🚨 🚨 v2.9.1 contains a bug that crashes the controller in accounts subscribed to AWS Shield Advanced, as described in #3888. If your account is subscribed to AWS Shield and your controller has the Shield feature enabled, upgrade to v2.9.2+ for the fix.
What’s New
- AWS Load Balancer Controller now implements a deferral queue for TargetGroupBindings that change rarely. During leadership failover, the controller immediately works on target groups whose membership has changed. Previously, the controller tried to reconcile all target groups, which could delay the changes that mattered if the cluster had many TargetGroupBindings. The deferral queue detects TargetGroupBindings without any change and reconciles them at a slower pace later, prioritizing TargetGroupBindings that have changed since the last reconcile cycle.
Enhancement and Fixes
- Slow-start containers should now be more responsive to pod readiness checks. Previously, the controller could back off for up to 16 minutes before re-checking container readiness. Now it uses a static 15 second delay, so it continually confirms that your containers have started.
- Implement a deferral queue to sideline TargetGroupBindings without a recent change.
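The following is an added example, not the controller's own code: a small model of the deferral queue described above, written to show the scheduling behaviour rather than the controller's internals. The page does not say how the controller decides that a TargetGroupBinding has not changed; this model assumes the simplest test, that the targets the binding wants already equal the targets registered in the target group. Such a binding is parked on a slow lane, a changed one is worked at once, so a new leader drains changed bindings first. The binding names, target addresses, and the 300 second slow-lane period are constructed assumptions.

```python
# Added example (not the controller's code): a model of the v2.9.1 deferral
# queue. A binding whose desired targets already match the registered targets
# is a no-op and is parked; a binding whose targets differ is worked at once.
import heapq

DEFERRED_PERIOD = 300  # seconds; assumed slow-lane interval, not from the page


def is_noop(desired_targets, registered_targets):
    """A binding needs no work when the registered set equals the desired set."""
    return set(desired_targets) == set(registered_targets)


class DeferralQueue:
    """Priority queue keyed by due time. Changed bindings are due now, unchanged
    ones are due now + DEFERRED_PERIOD, so a new leader never has to walk every
    binding in the cluster before it reaches the ones that matter."""

    def __init__(self):
        self._heap = []
        self._seq = 0  # tie-breaker keeps FIFO order among equal due times

    def enqueue(self, name, desired_targets, registered_targets, now):
        """Queue one binding; returns the delay it was given (0 or the slow lane)."""
        delay = DEFERRED_PERIOD if is_noop(desired_targets, registered_targets) else 0
        heapq.heappush(self._heap, (now + delay, self._seq, name))
        self._seq += 1
        return delay

    def pop_due(self, now):
        """Names whose due time has passed, in priority order."""
        due = []
        while self._heap and self._heap[0][0] <= now:
            due.append(heapq.heappop(self._heap)[2])
        return due

    def __len__(self):
        return len(self._heap)


def failover_order(bindings, now=0):
    """Simulate a new leader enqueuing every binding at once. Returns the names
    worked immediately and the names deferred to the slow lane.

    bindings: list of (name, desired_targets, registered_targets)."""
    queue = DeferralQueue()
    for name, desired, registered in bindings:
        queue.enqueue(name, desired, registered, now)
    immediate = queue.pop_due(now)
    deferred = queue.pop_due(now + DEFERRED_PERIOD)
    return immediate, deferred


# Constructed sample: three bindings; only "api" has a replaced pod.
SAMPLE_BINDINGS = [
    ("web", ["10.0.1.10:8080", "10.0.1.11:8080"], ["10.0.1.10:8080", "10.0.1.11:8080"]),
    ("api", ["10.0.2.20:9000", "10.0.2.22:9000"], ["10.0.2.20:9000", "10.0.2.21:9000"]),
    ("admin", ["10.0.3.30:8443"], ["10.0.3.30:8443"]),
]

if __name__ == "__main__":
    worked_now, worked_later = failover_order(SAMPLE_BINDINGS)
    print("immediate:", worked_now, "deferred:", worked_later)
```

Running the sample works "api" first and parks "web" and "admin" for the slow lane, which is the behaviour the release note describes for a failover on a cluster with many idle bindings.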
ChangeLog since v2.9.0
- Feature: Deferred queue for no-op TGB (#3861)
v2.9.0
v2.9.0 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.9.0
Thanks to all our contributors! 😊
Action required
🚨 🚨 🚨 v2.9.0 contains a bug that crashes the controller in accounts subscribed to AWS Shield Advanced, as described in #3888. If your account is subscribed to AWS Shield and your controller has the Shield feature enabled, upgrade to v2.9.2+ for the fix.
We've added a listenerAttributes field to IngressClassParams to support listener attributes for load balancers in the future. Note that there are no listener attributes supported on Application Load Balancers (ALBs) yet, so this field is currently not used. However, updating CRDs is necessary for future compatibility. If you're upgrading the charts using helm upgrade, you need to update CRDs manually: kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"
AWS NLB now supports a configurable TCP idle timeout. We've updated the reference IAM policies to explicitly add the elasticloadbalancing:DescribeListenerAttributes and elasticloadbalancing:ModifyListenerAttributes permissions, which the controller needs to describe and modify this listener attribute on NLB TCP listeners.
What's new
- AWS Load Balancer Controller now uses AWS SDK for Go v2. The v2 SDK makes API calls more efficiently, leading to improved performance. It comes with built-in retry mechanisms that retry requests less aggressively, and with a variety of built-in backoff strategies such as exponential backoff, which avoid overwhelming the AWS service and give it time to recover from temporary errors.
- Supports listener attributes on load balancers.
- AWS Network Load Balancer (NLB) now supports configurable TCP idle timeout. This allows you to align the TCP idle timeout value of NLB with clients and target applications. This capability can help reduce TCP connection retries and latency in applications that use long-lived flows, such as telemetry reporting devices, databases, streaming services, and ERP systems.
- Support for resolving multiple security groups with the same Name tag for load balancers. The old implementation incorrectly assumed a one-to-one mapping between Name tags and security groups. This fix allows multiple security groups with the same Name to be resolved and attached to load balancers, providing flexible configurations and avoiding errors.
- Support for identifying VPC by tags using a new runtime argument. This is helpful when access to AWS metadata is blocked and the VPC ID is unknown at deploy time.
Enhancement and Fixes
- (Chart): Allow disabling ingress validation via helm flag
- Migrate AWS SDK GO V1 to V2.
- Support vpc- in target group binding vpc-id validation
- Set klog logger to harmonize logging format
Changelog since v2.8.3
- Use the documented .Capabilities.KubeVersion.Version built-in value in the hpa template (#3766, @prasadkatti)
- Migrate aws sdk go v1 to v2 (#3844, @shraddhabang)
- Support listener attributes (#3843, @wweiwei-li)
- feat: support vpc- in target group binding vpc-id validation (#3845, @khizunov)
- Allow disabling ingress validation via helm flag (#3847, @sarevalo2002)
- fix: Set klog logger to harmonize logging format (#3833, @mycrEEpy)
- Doc: Fix markdown table (#3832, @linoleparquet)
- [Doc] Update cert-manager GitHub URL (#3842, @capytan)
- bump up base image version (#3854, @oliviassss)
- update mkdocs dependencies (#3803, @M00nF1sh)
- Allow multiple SGs with the same Name tag (#3775, @alloveras)
- Fetch VPC ID from runtime using VPC tags provided via controller flags (#3656, @jeswinkoshyninan)
Full Changelog: v2.8.3...v2.9.0
v2.8.3
v2.8.3 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.8.3
Thanks to all our contributors! 😊
What's new
Patch CVE-2024-39689 in ca-certificates, introduced by the base image.
What's Changed
- cherry-pick: bump up base image version (#3854) by @oliviassss in #3855
- cut v2.8.3 release by @oliviassss in #3856
Full Changelog: v2.8.2...v2.8.3
v2.8.2
v2.8.2 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.8.2
Thanks to all our contributors! 😊
What's new
Enhancements
- We have changed the behavior of the Application Load Balancer add-on annotations (WAF Classic, WAFv2, Shield Advanced) as follows:
  - alb.ingress.kubernetes.io/waf-acl-id
    - [new behavior] when this annotation is absent, the existing WAF Classic WebACL (if any) on the Application Load Balancer is left unchanged.
    - [new behavior] when this annotation is set to 'none', the existing WAF Classic WebACL (if any) on the Application Load Balancer is disassociated.
    - [unchanged behavior] when this annotation is set to a WebACL ID, that WAF Classic WebACL is associated with the Application Load Balancer.
  - alb.ingress.kubernetes.io/wafv2-acl-arn
    - [new behavior] when this annotation is absent, the existing WAFv2 WebACL (if any) on the Application Load Balancer is left unchanged.
    - [new behavior] when this annotation is set to 'none', the existing WAFv2 WebACL (if any) on the Application Load Balancer is disassociated.
    - [unchanged behavior] when this annotation is set to a WebACL ARN, that WAFv2 WebACL is associated with the Application Load Balancer.
  - alb.ingress.kubernetes.io/shield-advanced-protection
    - [new behavior] when this annotation is absent, the existing Shield Advanced protection (if any) on the Application Load Balancer is left unchanged.
    - [unchanged behavior] when this annotation is set to 'false', the existing Shield Advanced protection on the Application Load Balancer is disassociated if its name matches "managed by aws-load-balancer-controller".
    - [unchanged behavior] when this annotation is set to 'true', a new Shield Advanced protection named "managed by aws-load-balancer-controller" is created and associated with the Application Load Balancer.
Changelog since v2.8.1
What's Changed
- bump up go to 1.22.5 by @oliviassss in #3798
- keep LB addons' settings unchanged unless explicitly specified by @M00nF1sh in #3800
- cut v2.8.2 release by @M00nF1sh in #3802
Full Changelog: v2.8.1...v2.8.2
v2.8.1
v2.8.1 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.8.1
Thanks to all our contributors! 😊
What's new
Dependencies upgrade:
- controller-runtime from v0.14.6 to v0.18.2
- k8s.io deps from v0.26.x to v0.30.0
Bug fixes
- Fix the incompatibility with the sidecar restartPolicy field for k8s 1.29+.
- Fix the bug with the mTLS feature by having the controller return nil for MutualAuthentication unless the feature is explicitly enabled by the customer, since this object is not currently supported by the ELB API in Outposts and Local Zones.
- Restrict resolveViaVPCENIs() to Fargate nodes only.
Enhancement
- helm chart enhancement: add envFrom parameter; add creator parameter to disable default helm labels
- doc enhancement
Changelog since v2.8.0
What's Changed
- cut v2.8.1 release by @oliviassss in #3733
- fixed the mTLS bug (#3717, @shethyogita83)
- update the traffic test for ingress (#3725, @oliviassss)
- prevent controller runtime complaining about SetupLogger() was never called (#3724, @oliviassss)
- Update go to v1.22, controller-runtime dependency to v0.18.2, and kubernetes libs to v0.30.0(#3707, @larntz)
- restrict resolveViaVPCENIs to fargate only (#3709, @oliviassss)
- Added helm envFrom value parameter for cluster-name (#3683, @omerap12)
- feat: disable default helm labels (#3574, @darkweaver87)
- Removed extra slash to fix kubectl apply of crd command (#3638, @hyperbolic2346)
Full Changelog: v2.8.0...v2.8.1
v2.8.0
v2.8.0 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.8.0
Thanks to all our contributors! 😊
Action required
We have added the certificateArn field and updated the ipAddressType field in IngressClassParams, and added the vpcID field in TargetGroupBinding. If you are upgrading the charts using helm upgrade, you need to update CRDs manually: kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"
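The check below is an added example, not code from the aws-load-balancer-controller project. It covers the manual CRD update called out for v2.8.0 (vpcID, certificateArn), for v2.9.0 (listenerAttributes) and for v2.10.0 (multiClusterTargetGroup): it reads a CRD as kubectl get crd <name> -o json returns it and reports which of those spec fields the storage version's schema still lacks, so you can tell before helm upgrade whether the separate CRD apply is outstanding. It checks field presence only; the v2.8.0 enum change to ipAddressType is not detected. The CRD names targetgroupbindings.elbv2.k8s.aws and ingressclassparams.elbv2.k8s.aws, the placement of each field directly under spec, the function names and the sample CRD document are assumptions of this example. One practical note on the apply command: ref=master fetches whatever the eks-charts master branch currently holds, so pinning ref to a tagged release gives a reproducible CRD set.

```python
# Added example (not the project's own tooling): pre-upgrade check that the
# CRDs installed in the cluster already expose the spec fields a release needs.
# helm upgrade does not update CRDs, which is why the release notes ask for a
# separate kubectl apply. Input is `kubectl get crd <name> -o json` output.
# CRD names, field placement under .spec, and the sample CRD are assumptions.
import json

# Spec fields the release notes on this page say each release added.
FIELDS_ADDED_BY_RELEASE = {
    "targetgroupbindings.elbv2.k8s.aws": {
        "v2.8.0": ["vpcID"],
        "v2.10.0": ["multiClusterTargetGroup"],
    },
    "ingressclassparams.elbv2.k8s.aws": {
        "v2.8.0": ["certificateArn"],
        "v2.9.0": ["listenerAttributes"],
    },
}


def version_key(tag):
    """'v2.10.0' -> (2, 10, 0) so releases compare numerically, not as strings."""
    return tuple(int(p) for p in tag.lstrip("v").split("."))


def spec_fields(crd):
    """Property names under .spec in the storage version's OpenAPI schema."""
    versions = crd.get("spec", {}).get("versions", [])
    storage = next((v for v in versions if v.get("storage")), None)
    if storage is None:
        return set()
    schema = storage.get("schema", {}).get("openAPIV3Schema", {})
    spec = schema.get("properties", {}).get("spec", {})
    return set(spec.get("properties", {}).keys())


def missing_fields(crd, target_release):
    """{release: [absent fields]} for every release up to target_release whose
    fields the installed CRD lacks. An empty dict means the CRD is current."""
    name = crd["metadata"]["name"]
    present = spec_fields(crd)
    missing = {}
    for release, fields in FIELDS_ADDED_BY_RELEASE.get(name, {}).items():
        if version_key(release) <= version_key(target_release):
            absent = [f for f in fields if f not in present]
            if absent:
                missing[release] = absent
    return missing


def crds_from_kubectl_output(text):
    """Parse `kubectl get crd ... -o json` output (a single object or a List)."""
    doc = json.loads(text)
    return doc["items"] if doc.get("kind") == "List" else [doc]


# Constructed sample: a TargetGroupBinding CRD from before v2.10.0, trimmed to
# the parts the check reads. It has vpcID but not multiClusterTargetGroup.
SAMPLE_TGB_CRD = {
    "apiVersion": "apiextensions.k8s.io/v1",
    "kind": "CustomResourceDefinition",
    "metadata": {"name": "targetgroupbindings.elbv2.k8s.aws"},
    "spec": {
        "group": "elbv2.k8s.aws",
        "versions": [
            {"name": "v1alpha1", "served": True, "storage": False,
             "schema": {"openAPIV3Schema": {"properties": {"spec": {"properties": {
                 "targetGroupARN": {"type": "string"}}}}}}},
            {"name": "v1beta1", "served": True, "storage": True,
             "schema": {"openAPIV3Schema": {"properties": {"spec": {"properties": {
                 "targetGroupARN": {"type": "string"},
                 "targetType": {"type": "string"},
                 "vpcID": {"type": "string"}}}}}}},
        ],
    },
}

if __name__ == "__main__":
    for crd in crds_from_kubectl_output(json.dumps(SAMPLE_TGB_CRD)):
        gaps = missing_fields(crd, "v2.10.0")
        status = "OK" if not gaps else "apply CRDs first: %s" % gaps
        print(crd["metadata"]["name"], "->", status)
```

Against the sample CRD the check passes for a v2.9.2 target and reports multiClusterTargetGroup missing for v2.10.0, which is exactly the state a cluster is in after helm upgrade without the manual CRD apply. Only the storage version is inspected, because that is the schema the API server validates writes against.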
ALB mTLS is now available in the China partition. We've updated the reference IAM policies to explicitly add the elasticloadbalancing:DescribeTrustStores permission for describing trust store resources, which the controller needs for the ingress mTLS feature. If you want to use the ALB mTLS feature in a China region, update your controller IAM policy with the new permission.
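The audit below is an added example, not the project's own tooling. It serves the IAM changes called out on this page for v2.8.0 (elasticloadbalancing:DescribeTrustStores), v2.9.0 (elasticloadbalancing:DescribeListenerAttributes and ModifyListenerAttributes) and v2.10.0 (ec2:GetSecurityGroupsForVpc): given the controller's policy document, it reports which of those actions no Allow statement grants, honouring the case-insensitive wildcard matching IAM applies to Action strings. It considers Allow statements only; Deny statements, Resource and Condition blocks are not evaluated, so a clean result is necessary for the upgrade but not a proof the policy is sufficient. The function names and the sample policy document are assumptions of this example.

```python
# Added example (not the project's own tooling): audit a controller IAM policy
# for the actions the release notes on this page say were added to the
# reference policy. Input is the policy document JSON, e.g. the Document field
# of `aws iam get-policy-version`. The policy below is a constructed sample.
import fnmatch
import json

ACTIONS_ADDED_BY_RELEASE = {
    "v2.8.0": ["elasticloadbalancing:DescribeTrustStores"],
    "v2.9.0": [
        "elasticloadbalancing:DescribeListenerAttributes",
        "elasticloadbalancing:ModifyListenerAttributes",
    ],
    "v2.10.0": ["ec2:GetSecurityGroupsForVpc"],
}


def version_key(tag):
    """'v2.10.0' -> (2, 10, 0) so releases compare numerically."""
    return tuple(int(p) for p in tag.lstrip("v").split("."))


def as_list(value):
    """IAM lets Statement and Action be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allow_patterns(policy):
    """Action patterns from Allow statements. Statements written with NotAction
    are skipped and reported (by Sid) so they can be reviewed by hand."""
    patterns, needs_review = [], []
    for st in as_list(policy.get("Statement")):
        if st.get("Effect") != "Allow":
            continue
        if "NotAction" in st:
            needs_review.append(st.get("Sid", "<no Sid>"))
            continue
        patterns.extend(as_list(st.get("Action")))
    return patterns, needs_review


def is_granted(action, patterns):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_actions(policy, target_release):
    """{release: [actions not granted]} for releases up to target_release.
    Only Allow statements are considered; Deny, Resource and Condition are
    not evaluated, so an empty result is necessary, not sufficient."""
    patterns, _ = allow_patterns(policy)
    missing = {}
    for release, actions in ACTIONS_ADDED_BY_RELEASE.items():
        if version_key(release) <= version_key(target_release):
            absent = [a for a in actions if not is_granted(a, patterns)]
            if absent:
                missing[release] = absent
    return missing


# Constructed sample: a policy that predates v2.9.0. The Describe* wildcard
# covers both Describe actions, but ModifyListenerAttributes and
# GetSecurityGroupsForVpc are absent.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": [
            "ec2:DescribeSecurityGroups", "ec2:DescribeVpcs",
            "elasticloadbalancing:Describe*",
        ], "Resource": "*"},
        {"Effect": "Allow",
         "Action": "elasticloadbalancing:ModifyLoadBalancerAttributes",
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(missing_actions(SAMPLE_POLICY, "v2.10.0"), indent=2))
```

For the sample policy the audit passes for a v2.8.0 target, because Describe* already covers DescribeTrustStores, and reports ModifyListenerAttributes (v2.9.0) and GetSecurityGroupsForVpc (v2.10.0) for a v2.10.0 target. Wildcard grants are matched the way IAM matches them, so a policy that grants ec2:* is reported as complete even though the reference policy lists actions explicitly.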
What's new
- Support setting the certificateArn for Ingresses at the IngressClass level. This feature adds a new certificateArn field to the IngressClassParams spec to configure the certificate ARNs for all Ingresses that belong to an IngressClass using those IngressClassParams.
- Support disabling public IPv4 for dualstack customers. This feature adds the new ipAddressType enum value dualstack-without-public-ipv4, which provisions load balancers without public IPv4 addresses for clients that can connect over IPv6 alone. For example, users can choose a dualstack ALB without public IPv4 when setting up a new internet-facing ALB, or switch an existing internet-facing ALB to it by specifying alb.ingress.kubernetes.io/ip-address-type: dualstack-without-public-ipv4. To set the ipAddressType for Ingresses at the IngressClass level, add ipAddressType: dualstack-without-public-ipv4 to the IngressClassParams spec. See the AWS What's New post about this feature.
- Support optionally enforcing NLB security groups on PrivateLink traffic. This feature adds the new annotation aws-load-balancer-inbound-sg-rules-on-private-link-traffic to configure whether security group rules are applied to traffic sent to the load balancer through AWS PrivateLink.
- Support for TargetGroupBinding on targets outside the cluster's VPC. This feature adds vpcID to the TargetGroupBinding spec to allow registration in target groups created in a VPC different from the cluster VPC. If vpcID is unspecified, the controller falls back to the cluster VPC ID.
- Support for specifying Managed Prefix Lists for access control. This feature adds the new annotations alb.ingress.kubernetes.io/security-group-prefix-lists and service.beta.kubernetes.io/aws-load-balancer-security-group-prefix-lists so that the security group attached to the load balancer allows access from the specified Managed Prefix Lists. The annotation is ignored if alb.ingress.kubernetes.io/security-groups or service.beta.kubernetes.io/aws-load-balancer-security-groups is present.
Enhancement and Fixes
- (Chart): Add additional service monitor functionality
- (Chart): Allow passing template values for clusterName, region and vpcId
- (Chart): Add RuntimeClassName
- (Chart) Support --load-balancer-class in Helm Chart
- Provide more customization options for the service mutator webhook
- Preserve loadBalancerClass on Service updates
Changelog since v2.7.2
- Restrict dual-stack-without-ipv4 e2e test to pdx only (#3700, @oliviassss)
- Add IPAddressTypeWithoutPublicIPV4 (#3693, @wweiwei-li)
- Add dual stack without public IPv4 IP Address type (#3688, @wweiwei-li)
- Add non-alphanumeric input validation test for vpcID and fix typo (#3687, @shraddhabang)
- [DOC] add KAT documentation (#3682, @ChuksGrinage)
- feat(chart): Added additional service monitor functionality (#3645, @stevehipwell)
- [helm chart] Allow passing template values for clusterName, region and vpcId (#3664, @adriananeci)
- Add validation for vpcID in tgb spec (#3663, @shraddhabang)
- feat(chart) : add RuntimeClassName (#3646, @LiuQhahah)
- upgrade x/net to v0.23.0 (#3659, @oliviassss)
- feat: Specify Managed Prefix List for access control (#3584, @yo-ga)
- Provide more customization options for the service mutator webhook (#3653, @diversario)
- Add DescribeTrustStores to IAM policy for China partition (#3662, @andreybutenko)
- Feature Support --load-balancer-class in Helm Chart (#3647, @yoonhyunwoo)
- Preserve loadBalancerClass on Service updates (#3641, @diversario)
- Add support for optionally enforcing NLB security groups on PrivateLi… (#3594, @wweiwei-li)
- Add certificateArn field to IngressClassParam(#3616, @Nezz7)
- feat: Support TargetGroupBinding on targets outside the cluster's VPC (#3479, @ikosenn)
- docs: ingress subnets annotation - clarify locale differences (#3579, @alebedev87)
v2.7.2
v2.7.2 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.7.2
Thanks to all our contributors! 😊
Enhancement and Fixes
- Feat : Allow ACM cert discovery to filter on CA ARNs
- Enhancement : Adding support for Availability Zone Affinity
- CVE patch for CVE-2024-24786
- Doc updates
Changelog since v2.7.1
- Update golang.org/protobuf version to fix CVE-2024-24786 (#3618, @shraddhabang)
- Adding support for Availability Zone Affinity (#3470, @alex-berger)
- update go version to mitigate CVE (#3615, @haouc)
- Repo controlled build go version (#3598, @xdu31)
- fix: new ca-filter causing exponentially more api-calls (#3608, @the-technat)
- Add example for NLB target-group-attributes to enable unhealthy target connection draining (#3577, @jukie)
- feat: allowed ACM cert discovery to filter on CA ARNs (#3565) (#3591, @the-technat)
- bump up controller-tools version to fix ci failure (#3580, @oliviassss)
- fix log level in listener manager and tagging manager (#3573, @oliviassss)
v2.7.1
v2.7.1 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.7.1
Thanks to all our contributors! 😊
Enhancement and Fixes
- Introduced caches for ELB resource tags, which should improve Ingress/Service reconcile performance when there are a large number of ALBs/NLBs in the VPC. (Note: if the controller has internet access, enabling the EnableRGTAPI feature flag should provide even better performance.)
- Added the ability to configure ServiceTargetENISGTags in the helm chart.
Changelog since v2.7.0
- cut v2.7.1 release (#3566, @M00nF1sh)
- log enhancement for enabling RGT API (#3564, @oliviassss)
- Add a note to recommend to use compatible chart and image versions (#3559, @shraddhabang)
- update helm chart for ServiceTargetENISGTags and README (#3558, @oliviassss)
- cache ELB resource tags to reduce API calls (#3550, @M00nF1sh)