Describe the bug
Hi team,
After upgrading the ACK EC2 controller from v1.3.2 to v1.6.2, we observed that the controller revoked and immediately re-authorized Security Group ingress rules across multiple Security Groups. During this reconciliation, it also logged EC2 retry quota exceeded errors, which impacted application health probes in our production environment.
This pattern is not ideal for production workloads requiring continuous network connectivity, it resulted in approximately 2-3 mins of application downtime.
Errors occued during upgrading ack-ec2-controller:
operation error EC2: RevokeSecurityGroupIngress, failed to get rate limit token, retry quota exceeded, 1 available, 5 requested
AuthorizeSecurityGroupIngress: failed to get rate limit token, retry quota exceeded, 0 available, 5 requested
We couldn't find any release notes mentioning a change in SecurityGroup reconciliation behavior.
AWS Support informed us that the probe failures were caused by the Security Group reconciliation pattern, where ingress rules are deleted and then recreated.
Could you help us understand:
- Is this revoke-then-authorize reconciliation expected behavior in v1.6.2?
- Was there any change in the SecurityGroup reconciler or ACK runtime between v1.3.2 and v1.6.2 that would explain this?
- If so, which release or commit introduced it?
- Is there a recommended way to avoid this behavior for production workloads where temporary loss of Security Group rules can impact connectivity?
Thanks in advance!
Environment
- Kubernetes version: 1.33
- Using EKS (yes/no), if so version? yes,1.33
- AWS service targeted (S3, RDS, etc.) : EC2 (Security group)
Describe the bug
Hi team,
After upgrading the ACK EC2 controller from v1.3.2 to v1.6.2, we observed that the controller revoked and immediately re-authorized Security Group ingress rules across multiple Security Groups. During this reconciliation, it also logged EC2 retry quota exceeded errors, which impacted application health probes in our production environment.
This pattern is not ideal for production workloads requiring continuous network connectivity, it resulted in approximately 2-3 mins of application downtime.
Errors occued during upgrading ack-ec2-controller:
operation error EC2: RevokeSecurityGroupIngress, failed to get rate limit token, retry quota exceeded, 1 available, 5 requestedAuthorizeSecurityGroupIngress: failed to get rate limit token, retry quota exceeded, 0 available, 5 requestedWe couldn't find any release notes mentioning a change in SecurityGroup reconciliation behavior.
AWS Support informed us that the probe failures were caused by the Security Group reconciliation pattern, where ingress rules are deleted and then recreated.
Could you help us understand:
Thanks in advance!
Environment