Add annotation to disable patching of loadbalancer services.

axel7born · axel7born · commit 12a1259f3fdf · 2025-08-28T12:50:38.000+02:00
diff --git a/docs/usage/ipv6.md b/docs/usage/ipv6.md
@@ -85,6 +85,7 @@ When creating a load balancer, the corresponding annotations need to be configur
 
 The AWS Load Balancer Controller allows dual-stack ingress so that an IPv6-only shoot cluster can serve IPv4 and IPv6 clients.
 You can find an example [here](dual-stack-ingress.md#creating-an-ipv4ipv6-dual-stack-ingress).
+A mutating webhook will automatically add the required annotations. To disable this automated behavior, use the annotation `extensions.gardener.cloud/ignore-load-balancer: "true"`.
 
 > [!WARNING]
 > When accessing Network Load Balancers (NLB) from within the same IPv6-only cluster, it is crucial to add the annotation `service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=false`.
@@ -176,19 +177,3 @@ You can find more information about the process and the steps required [here](ht
 > [!WARNING]
 > Please note that the dual-stack migration requires the IPv4-only cluster to run in native routing mode, i.e. pod overlay network needs to be disabled.
 > The default quota of routes per route table in AWS is 50. This restricts the cluster size to about 50 nodes. Therefore, please adapt (if necessary) the routes per route table limit in the Amazon Virtual Private Cloud quotas accordingly before switching to native routing. The maximum setting is currently 1000.
-
-### Load Balancer Configuration
-
-The AWS Load Balancer Controller is automatically deployed when using a dual-stack shoot cluster.
-When creating a load balancer, the corresponding annotations need to be configured, see [AWS Load Balancer Documentation - Network Load Balancer](https://kubernetes-sigs.github.io/aws-load-balancer-controller/latest/guide/service/nlb/) for details.
-
-> [!WARNING]
-> Please note that load balancer services without any special annotations will default to IPv4-only regardless how `.spec.ipFamilies` is set.
-
-The AWS Load Balancer Controller allows dual-stack ingress so that a dual-stack shoot cluster can serve IPv4 and IPv6 clients.
-You can find an example [here](dual-stack-ingress.md#creating-an-ipv4ipv6-dual-stack-ingress).
-
-> [!WARNING]
-> When accessing external Network Load Balancers (NLB) from within the same cluster via IPv6 or internal NLBs via IPv4, it is crucial to add the annotation `service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: preserve_client_ip.enabled=false`.
-> Without this annotation, if a request is routed by the NLB to the same target instance from which it originated, the client IP and destination IP will be identical.
-> This situation, known as the hair-pinning effect, will prevent the request from being processed.
diff --git a/pkg/webhook/shootservice/mutator.go b/pkg/webhook/shootservice/mutator.go
@@ -63,7 +63,9 @@ func (m *mutator) Mutate(ctx context.Context, newObj, _ client.Object) error {
 	if metav1.HasAnnotation(service.ObjectMeta, "service.beta.kubernetes.io/aws-load-balancer-scheme") &&
 		service.Annotations["service.beta.kubernetes.io/aws-load-balancer-scheme"] == "internal" ||
 		metav1.HasAnnotation(service.ObjectMeta, "service.beta.kubernetes.io/aws-load-balancer-internal") &&
-			service.Annotations["service.beta.kubernetes.io/aws-load-balancer-internal"] == "true" {
+			service.Annotations["service.beta.kubernetes.io/aws-load-balancer-internal"] == "true" ||
+		metav1.HasAnnotation(service.ObjectMeta, "extensions.gardener.cloud/ignore-load-balancer") &&
+			service.Annotations["extensions.gardener.cloud/ignore-load-balancer"] == "true" {
 		return nil
 	}
 
diff --git a/pkg/webhook/shootservice/mutator_test.go b/pkg/webhook/shootservice/mutator_test.go
@@ -106,6 +106,27 @@ var _ = Describe("Mutator", func() {
 
 		Entry("no data", &corev1.Service{ObjectMeta: loadBalancerServiceMapMeta, Spec: corev1.ServiceSpec{Type: corev1.ServiceTypeLoadBalancer, IPFamilies: []corev1.IPFamily{corev1.IPv4Protocol, corev1.IPv6Protocol}}}),
 	)
+
+	DescribeTable("#Mutate",
+		func(service *corev1.Service) {
+			metav1.SetMetaDataAnnotation(&service.ObjectMeta, "extensions.gardener.cloud/ignore-load-balancer", "true")
+			Expect(fakeShootClient.Patch(context.TODO(), &corev1.Service{
+				ObjectMeta: metav1.ObjectMeta{Name: "kube-dns", Namespace: "kube-system"},
+				Spec: corev1.ServiceSpec{
+					IPFamilies: []corev1.IPFamily{corev1.IPv4Protocol},
+				},
+			}, client.MergeFrom(&corev1.Service{ObjectMeta: metav1.ObjectMeta{Name: "kube-dns", Namespace: "kube-system"}}))).To(Succeed())
+			err := mutator.Mutate(ctxWithClient, service, nil)
+			Expect(err).To(Not(HaveOccurred()))
+			Expect(service.Annotations).ToNot(HaveKeyWithValue("service.beta.kubernetes.io/aws-load-balancer-ip-address-type", "dualstack"))
+			Expect(service.Annotations).ToNot(HaveKeyWithValue("service.beta.kubernetes.io/aws-load-balancer-scheme", "internet-facing"))
+			Expect(service.Annotations).ToNot(HaveKeyWithValue("service.beta.kubernetes.io/aws-load-balancer-nlb-target-type", "instance"))
+			Expect(service.Annotations).ToNot(HaveKeyWithValue("service.beta.kubernetes.io/aws-load-balancer-type", "external"))
+		},
+
+		Entry("no data", &corev1.Service{ObjectMeta: loadBalancerServiceMapMeta, Spec: corev1.ServiceSpec{Type: corev1.ServiceTypeLoadBalancer, IPFamilies: []corev1.IPFamily{corev1.IPv4Protocol, corev1.IPv6Protocol}}}),
+	)
+
 	It("should return error if resource is not a Service", func() {
 		err := mutator.Mutate(ctxWithClient, &corev1.ConfigMap{}, nil)
 		Expect(err).To(HaveOccurred())
