Skip to content

After upgrade ack-ec2-controller caused production impact from SG reconciliation behaviour #2951

Description

@Preranahp

Describe the bug

Hi team,

After upgrading the ACK EC2 controller from v1.3.2 to v1.6.2, we observed that the controller revoked and immediately re-authorized Security Group ingress rules across multiple Security Groups. During this reconciliation, it also logged EC2 retry quota exceeded errors, which impacted application health probes in our production environment.
This pattern is not ideal for production workloads requiring continuous network connectivity, it resulted in approximately 2-3 mins of application downtime.

Errors occued during upgrading ack-ec2-controller:

operation error EC2: RevokeSecurityGroupIngress, failed to get rate limit token, retry quota exceeded, 1 available, 5 requested
AuthorizeSecurityGroupIngress: failed to get rate limit token, retry quota exceeded, 0 available, 5 requested

We couldn't find any release notes mentioning a change in SecurityGroup reconciliation behavior.

AWS Support informed us that the probe failures were caused by the Security Group reconciliation pattern, where ingress rules are deleted and then recreated.

Could you help us understand:

  • Is this revoke-then-authorize reconciliation expected behavior in v1.6.2?
  • Was there any change in the SecurityGroup reconciler or ACK runtime between v1.3.2 and v1.6.2 that would explain this?
  • If so, which release or commit introduced it?
  • Is there a recommended way to avoid this behavior for production workloads where temporary loss of Security Group rules can impact connectivity?

Thanks in advance!

Environment

  • Kubernetes version: 1.33
  • Using EKS (yes/no), if so version? yes,1.33
  • AWS service targeted (S3, RDS, etc.) : EC2 (Security group)

Metadata

Metadata

Labels

kind/bugCategorizes issue or PR as related to a bug.service/ec2Indicates issues or PRs that are related to ec2-controller.

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions