
Releases: kubernetes-sigs/aws-load-balancer-controller

v2.12.0

10 Mar 17:54
ab69d95

v2.12.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.12.0
Thanks to all our contributors! 😊

Action required

🚨 🚨 🚨

In v2.12.0, we have changed the default failurePolicy of the LBC webhook from Fail to Ignore in order to improve disaster recovery: with Ignore, the API server still admits pods while the webhook is unreachable. The trade-off is that a pod admitted during such an outage is created without its readiness gate. See our documentation for how to change the policy back to Fail if you want a stronger guarantee that readiness gates are attached to your pods.
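The following is an added example, not code from the release or the project, that shows how to audit the two consequences of the policy change described above: whether the webhook currently fails open, and whether any pods were admitted without the readiness gate. It works on plain dicts in the shape of the Kubernetes API objects you would get from `kubectl get mutatingwebhookconfiguration aws-load-balancer-webhook -o json` and `kubectl get pods -o json`; the sample objects are constructed. The webhook configuration name `aws-load-balancer-webhook`, the pod webhook name `mpod.elbv2.k8s.aws` and the condition-type prefix `target-health.elbv2.k8s.aws/` are assumptions about what the Helm chart installs; confirm them against your cluster.

```python
"""Audit LBC webhook failurePolicy and readiness-gate injection.

Added example for these release notes; not project code.
Assumptions: MutatingWebhookConfiguration "aws-load-balancer-webhook",
pod webhook "mpod.elbv2.k8s.aws", readiness gate condition types prefixed
"target-health.elbv2.k8s.aws/".
"""
import json

READINESS_GATE_PREFIX = "target-health.elbv2.k8s.aws/"   # assumption
POD_WEBHOOK_NAME = "mpod.elbv2.k8s.aws"                  # assumption


def webhooks_failing_open(config):
    """Names of webhooks whose failurePolicy is not Fail.

    The API default is Fail, so an absent field counts as failing closed.
    With Ignore, the API server admits the object when the webhook is
    unreachable, so a pod created during a controller outage is scheduled
    without its readiness gate.
    """
    return [w["name"] for w in config.get("webhooks", [])
            if w.get("failurePolicy", "Fail") != "Fail"]


def fail_closed_patch(config, webhook_name=POD_WEBHOOK_NAME):
    """JSON patch that sets failurePolicy=Fail on one webhook, or None.

    "add" is used instead of "replace" so the patch also works when the
    field is absent from the object.
    """
    for idx, w in enumerate(config.get("webhooks", [])):
        if w["name"] == webhook_name and w.get("failurePolicy", "Fail") != "Fail":
            return [{"op": "add",
                     "path": f"/webhooks/{idx}/failurePolicy",
                     "value": "Fail"}]
    return None


def pods_missing_readiness_gate(pods):
    """(namespace, name) of pods without an LBC readiness gate.

    A missing gate on a pod selected by a TargetGroupBinding is the
    concrete symptom of the webhook having failed open.
    """
    missing = []
    for pod in pods:
        gates = pod.get("spec", {}).get("readinessGates") or []
        if not any(g.get("conditionType", "").startswith(READINESS_GATE_PREFIX)
                   for g in gates):
            meta = pod["metadata"]
            missing.append((meta["namespace"], meta["name"]))
    return missing


# Constructed sample objects, trimmed to the fields the checks read.
SAMPLE_WEBHOOK_CONFIG = {
    "metadata": {"name": "aws-load-balancer-webhook"},
    "webhooks": [
        {"name": "mpod.elbv2.k8s.aws", "failurePolicy": "Ignore"},
        {"name": "mservice.elbv2.k8s.aws", "failurePolicy": "Fail"},
        {"name": "mtargetgroupbinding.elbv2.k8s.aws", "failurePolicy": "Fail"},
    ],
}
SAMPLE_PODS = [
    {"metadata": {"namespace": "shop", "name": "api-0"},
     "spec": {"readinessGates": [
         {"conditionType": "target-health.elbv2.k8s.aws/k8s-shop-api-1a2b3c"}]}},
    # Admitted while the webhook was down: no gate was injected.
    {"metadata": {"namespace": "shop", "name": "api-1"}, "spec": {}},
]

if __name__ == "__main__":
    print("failing open:", webhooks_failing_open(SAMPLE_WEBHOOK_CONFIG))
    print("pods without gate:", pods_missing_readiness_gate(SAMPLE_PODS))
    patch = fail_closed_patch(SAMPLE_WEBHOOK_CONFIG)
    if patch:
        # kubectl patch mutatingwebhookconfiguration aws-load-balancer-webhook \
        #   --type=json -p "$(python3 audit_webhook.py)"
        print(json.dumps(patch))
```

Patching the live object is a stopgap: the next `helm upgrade` will reset it, so set the policy through the chart value the documentation names instead. Either way, pods found by `pods_missing_readiness_gate` need to be recreated; the gate is only injected at admission time.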

We’ve added new fields to both the IngressClassParams and
TargetGroupBinding. Please apply the latest CRD definitions: kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

AWS ALB now supports integrating with AWS VPC IPAM, which requires the ec2:DescribeIpamPools and elasticloadbalancing:ModifyIpPools permissions. We have also added elasticloadbalancing:SetRulePriorities so that the controller can reorder your ALB listener rules. The reference IAM policies have been updated to add these permissions explicitly; apply the latest policy before using the new features.

What’s new

  • Support AWS VPC IPAM with Application Load Balancers.
    • Application Load Balancer (ALB) now supports BYOIP (Bring Your Own IP) through AWS VPC IP Address Manager (IPAM).
  • Application Load Balancer now supports advertising trusted CA subject names when using mTLS.
    • When you enable Advertise CA subject names, the Application Load Balancer advertises the subject names of the Certificate Authorities (CAs) it trusts, based on the trust store it is associated with. When a client connects to a target through the Application Load Balancer, the client receives this list of trusted CA subject names during the TLS handshake.
  • NLB now supports Path MTU discovery using ICMP.
    • Some environments need Path MTU discovery to negotiate the MTU between two hosts. If a receiving host has a smaller MTU than the sending host, it sends an ICMP message instructing the sender to split the payload into smaller packets and retransmit them. This release introduces a Service annotation that, when configured, automatically adds the required ICMP rule to the managed security group, depending on the IP address type.
  • The LBC now supports registering targets in cross-account target groups.
    • You can now use the iamRoleArnToAssume field in the TargetGroupBinding CRD to register and deregister IP targets in Target Groups owned by an account other than the one that owns the cluster.
  • The LBC now supports multiple references to the same Target Group.
    • Previous releases enforced a 1-1 mapping of TargetGroupBinding to Target Group. v2.12.0 removes this limitation when the multi-cluster flag (multiClusterTargetGroup) is set on every binding that references the group.

Enhancement and Fixes

  • Listener rule modification has been refactored to allow changes to routing rules without downtime.
  • Security group ingress and egress rule modifications are reordered to prevent an outage when security group settings are misconfigured.
  • Fixed a bug that prevented the controller from setting dualstack mode.
  • Use better histogram buckets when publishing readiness gate latency.
  • Added support for the karpenter.sh/disrupted:NoSchedule taint to improve application availability during node patching and scaling.

Changelog since v2.11.0

v2.11.0

12 Dec 21:56
ba4152c

v2.11.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.11.0
Thanks to all our contributors! 😊

Action required

🚨 🚨 🚨 We’ve added new fields for capacity unit reservation on IngressClassParams. We’ve also added the targetGroupName field to the TargetGroupBinding, which users can set to look up the target group by name instead of by ARN. Make sure to update the CRD definition in your cluster. If you're upgrading the chart using helm upgrade, you need to update the CRDs manually: kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

We've updated the reference IAM policies to explicitly add the elasticloadbalancing:DescribeCapacityReservation and elasticloadbalancing:ModifyCapacityReservation permissions for describing and modifying capacity reservation. Please be sure to apply the latest IAM policy when upgrading.

What’s new

  • Support Load balancer Capacity Unit Reservation for ALB and NLBs.
    • Application Load Balancer (ALB) and Network Load Balancer (NLB) now support Load Balancer Capacity Unit (LCU) Reservation, which allows you to proactively set a minimum capacity for your load balancer, complementing its existing ability to auto-scale based on your traffic pattern. For more information, see the What’s New post.

Enhancement and Fixes

  • Add support to set the default load balancer scheme at the controller level
  • TargetGroupBinding now supports targetGroupName
  • Bug fix: EnablePrefixForIpv6SourceNat is only applicable to NLB

Changelog since v2.10.1

v2.10.1

22 Nov 20:00
2a63f05

v2.10.1 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.10.1
Thanks to all our contributors! 😊

What's new

  • Supports HTTP and HTTPS listener attributes on load balancers.
    • Application Load Balancer (ALB) now supports HTTP request and response header modification, giving you greater control over your application’s traffic and security posture without having to alter your application code. For more information, see the What’s New post and the ALB documentation.

Enhancement and Fixes

  • Use the target pod's namespace when fetching pod info from the repository while resolving endpoints.
  • Remove the sort by ID so that the order of EIP allocations and subnet IDs is respected.
  • [Doc] fixed documentation styling for Support UDP-based services over IPv6.
  • Publish internal controller metrics, such as target register time.
  • Trim control characters from OIDC secret

Changelog since v2.10.0

Full Changelog: v2.10.0...v2.10.1

v2.10.0

01 Nov 00:46
8416a43

v2.10.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.10.0
Thanks to all our contributors!

Action required

🚨 🚨 🚨 We’ve added the multiClusterTargetGroup field to the TargetGroupBinding which users can set in order to share target groups among different Kubernetes clusters. Make sure to update the CRD definition in your cluster. If you're upgrading the charts using helm upgrade, you need to update CRDs manually: kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

ELB has updated their managed policy to include ec2:GetSecurityGroupsForVpc. We have updated the Load Balancer Controller policy to reflect that change. Please be sure to apply the latest IAM policy when upgrading.

What’s new

  • AWS Load Balancer Controller now supports multi-cluster target groups. This mode allows users to share target groups among multiple clusters, enabling a wide variety of use cases. For more information, see the use case documentation.
  • We’ve added support for SageMaker HyperPod clusters. Users can now install the Load Balancer Controller into SageMaker HyperPod clusters to get integration with AWS ELB.
  • We’ve added integration with a new ELB feature that allows configuring source NAT for dualstack NLBs to allow UDP traffic over IPv6.
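The multi-cluster target group feature introduced here and the cross-account (iamRoleArnToAssume) and multiple-reference support in the v2.12.0 notes above share one preflight concern: every TargetGroupBinding that points at a shared or foreign target group has to carry the right fields, or the controller will either refuse the binding or fail with AccessDenied at registration time. The block below is an added example, not project code, that checks a set of TargetGroupBinding manifests (plain dicts as produced by `kubectl get tgb -A -o json` or by parsing your YAML; the samples are constructed) for those conditions. Field names spec.targetGroupARN, spec.targetType, spec.multiClusterTargetGroup and spec.iamRoleArnToAssume are taken from the notes; the cluster's own account ID is assumed to be passed in by the caller.

```python
"""Preflight checks for cross-account and multi-cluster TargetGroupBindings.

Added example for these release notes; not project code.
Assumptions: spec.targetGroupARN, spec.targetType,
spec.multiClusterTargetGroup (v2.10.0) and spec.iamRoleArnToAssume (v2.12.0)
as named in the notes; the cluster account ID is supplied by the caller.
"""
from collections import defaultdict


def account_of(arn):
    """Account ID field of an ARN (arn:partition:service:region:account:resource)."""
    parts = arn.split(":", 5)
    if len(parts) < 6:
        raise ValueError(f"not an ARN: {arn}")
    return parts[4]


def check_bindings(bindings, cluster_account):
    """Return [(namespace/name, problem), ...] for the given TGB manifests."""
    problems = []
    by_tg = defaultdict(list)
    for b in bindings:
        spec = b.get("spec", {})
        key = f"{b['metadata']['namespace']}/{b['metadata']['name']}"
        arn = spec.get("targetGroupARN")
        if not arn:
            continue  # targetGroupName lookups (v2.11.0) are not checked here
        by_tg[arn].append((key, spec))
        tg_account = account_of(arn)
        role = spec.get("iamRoleArnToAssume")
        # Cross-account: the controller's own credentials cannot register
        # targets in another account, so a role to assume is required.
        if tg_account != cluster_account and not role:
            problems.append((key, f"target group in account {tg_account} "
                                  "but no iamRoleArnToAssume"))
        # The notes describe cross-account registration for IP targets.
        if role and spec.get("targetType") == "instance":
            problems.append((key, "iamRoleArnToAssume only applies to ip targets"))
    # Same target group referenced more than once: every reference needs
    # the multi-cluster flag, otherwise one binding's reconcile deregisters
    # the targets the other one registered.
    for arn, refs in by_tg.items():
        if len(refs) < 2:
            continue
        for key, spec in refs:
            if not spec.get("multiClusterTargetGroup"):
                problems.append((key, f"shares {arn} with {len(refs) - 1} other "
                                      "binding(s) but multiClusterTargetGroup is not set"))
    return problems


# Constructed sample manifests, trimmed to the fields the checks read.
CLUSTER_ACCOUNT = "111111111111"
SHARED_TG = ("arn:aws:elasticloadbalancing:us-east-1:222222222222:"
             "targetgroup/shared/fedcba9876543210")
SAMPLE_BINDINGS = [
    {"metadata": {"namespace": "shop", "name": "api-local"},
     "spec": {"targetGroupARN": "arn:aws:elasticloadbalancing:us-east-1:"
                                "111111111111:targetgroup/api/0123456789abcdef",
              "targetType": "ip", "serviceRef": {"name": "api", "port": 80}}},
    {"metadata": {"namespace": "shop", "name": "api-shared"},
     "spec": {"targetGroupARN": SHARED_TG, "targetType": "ip",
              "multiClusterTargetGroup": True,
              "iamRoleArnToAssume": "arn:aws:iam::222222222222:role/lbc-target-registrar",
              "serviceRef": {"name": "api", "port": 80}}},
    {"metadata": {"namespace": "shop", "name": "api-shared-dup"},
     "spec": {"targetGroupARN": SHARED_TG, "targetType": "ip",
              "serviceRef": {"name": "api-canary", "port": 80}}},
]

if __name__ == "__main__":
    for key, problem in check_bindings(SAMPLE_BINDINGS, CLUSTER_ACCOUNT):
        print(f"{key}: {problem}")
```

On the least-privilege side (my recommendation, not something the notes state): the role named in iamRoleArnToAssume lives in the target group's account and should grant only the target registration calls (elasticloadbalancing:RegisterTargets, DeregisterTargets, DescribeTargetHealth and DescribeTargetGroups) scoped to that target group ARN, with a trust policy that names the controller's role rather than the whole cluster account.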

Enhancement and Fixes

  • Update the Shield integration to use the in-region endpoint rather than always using us-east-1.
  • (docs) Fix TLS Ingress annotation documentation for Security policy
  • (docs) Fix configuration documentation typos
  • (docs) Fix external-dns routing policies link
  • Add new ec2:GetSecurityGroupsForVpc permission to LBC policy.

Changelog since v2.9.2

  • UDP Support over IPv6 via Dualstack NLBs using SourceNAT configurations (#3926)
  • Refactor aws cloud service and introduce a client provider (#3895)
  • New Feature: Multi Cluster TargetGroupBinding (#3853)
  • add sagemaker-hyperpod compute type to resolve its pods via VPC ENI (#3886)
  • Fixed documentation typos (#3885)
  • Fix alphabetic order in CRD for verify CRD to run (#3911)
  • chore(docs): fix external-dns routing policies link (#3893)
  • fix(docs): Update the link to the AWS documentation for the TLS Ingress annotation for Security policy (#3876)
  • update the region of shield api (#3920)
  • add ec2:GetSecurityGroupsForVpc to account for ELB API changes (#3921)
  • BUG FIX: fix log message when target group and cluster are in different VPCs (#3924)

v2.9.2

17 Oct 20:57
22fcc22

v2.9.2 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.9.2
Thanks to all our contributors! 😊

Action required

N/A

What’s New

N/A

Enhancement and Fixes

  • Fixes a controller crash when Shield protection is enabled on an Ingress during creation.
  • Skips reconciliation of the newly added listener attributes in isolated regions.

ChangeLog since v2.9.0

  • Skip listener attributes reconcile for Isolated regions (#3884, @wweiwei-li)
  • Fix controller crash due to enabling shield protection after AWSSDKGoV2 upgrade (#3896, @shraddhabang)

v2.9.1

12 Oct 00:52
e0f59c6

v2.9.1 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.9.1
Thanks to all our contributors! 😊

Action required

🚨 🚨 🚨 v2.9.1 contains a bug that crashes the controller in accounts subscribed to AWS Shield Advanced, as described in #3888. If your account is subscribed to Shield Advanced and Shield protection is enabled on the controller, please upgrade to v2.9.2+ for the fix.

What’s New

  • AWS Load Balancer Controller now implements a deferral queue for TargetGroupBindings that change rarely. This means that during leadership failover, the controller will immediately work on target groups that have had their membership change. Previously, the controller would try to reconcile all target groups which could delay potential changes if the cluster had many TargetGroupBindings. This new deferral queue will detect TargetGroupBindings without any change and choose to reconcile them at a slower pace in the future, prioritizing TargetGroupBindings that have changed since the last reconcile cycle.

Enhancement and Fixes

  • Slow-starting containers should be more responsive to pod readiness checks. Previously, the controller could back off for up to 16 minutes between checks of the container readiness state. Now the controller uses a static 15 second delay to continually check that your containers have started.
  • Implement a deferral queue to sideline TargetGroupBindings without a recent change.

ChangeLog since v2.9.0

  • Feature: Deferred queue for no-op TGB (#3861)

v2.9.0

30 Sep 21:56
0700e85

v2.9.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.9.0
Thanks to all our contributors! 😊

Action required

🚨 🚨 🚨 v2.9.0 contains a bug that crashes the controller in accounts subscribed to AWS Shield Advanced, as described in #3888. If your account is subscribed to Shield Advanced and Shield protection is enabled on the controller, please upgrade to v2.9.2+ for the fix.
We've added a listenerAttributes field to IngressClassParams to support listener attributes for load balancers in the future. Note that no listener attributes are supported on Application Load Balancers (ALBs) yet, so this field is currently unused. However, updating the CRDs is necessary for future compatibility. If you're upgrading the chart using helm upgrade, you need to update the CRDs manually: kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

AWS NLB now supports configurable TCP idle timeout. We've updated the reference IAM policies to explicitly add the elasticloadbalancing:DescribeListenerAttributes and elasticloadbalancing:ModifyListenerAttributes permissions for describing and modifying this listener attribute for NLB's TCP listener resources on controller.
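Each of the v2.9.0, v2.10.0, v2.11.0 and v2.12.0 "Action required" notes above adds IAM actions to the reference policy, and a controller running on a stale policy only discovers that when the corresponding API call returns AccessDenied. The block below is an added example, not the project's reference policy or tooling, that checks a policy document (a constructed dict in the shape of the `PolicyVersion.Document` returned by `aws iam get-policy-version`) for the actions those four notes name, honouring IAM's wildcard matching and explicit Deny. It deliberately evaluates Action/NotAction only; Resource and Condition scoping, which the reference policy uses for several actions, is an assumption left to the reader to verify against the reference policy itself.

```python
"""Check a controller IAM policy for the actions added in v2.9.0 to v2.12.0.

Added example for these release notes; not the project's reference policy.
Evaluates Action/NotAction with IAM-style case-insensitive wildcards and
explicit Deny; Resource and Condition are ignored (assumption: you check
scoping separately).
"""
import fnmatch

# Actions the notes on this page say were added, keyed by the version.
REQUIRED_ACTIONS = {
    "v2.9.0": ["elasticloadbalancing:DescribeListenerAttributes",
               "elasticloadbalancing:ModifyListenerAttributes"],
    "v2.10.0": ["ec2:GetSecurityGroupsForVpc"],
    "v2.11.0": ["elasticloadbalancing:DescribeCapacityReservation",
                "elasticloadbalancing:ModifyCapacityReservation"],
    "v2.12.0": ["ec2:DescribeIpamPools",
                "elasticloadbalancing:ModifyIpPools",
                "elasticloadbalancing:SetRulePriorities"],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, action):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def action_allowed(policy, action):
    """Explicit Deny wins; otherwise any matching Allow grants the action."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" in stmt:
            hit = _matches(_as_list(stmt["Action"]), action)
        else:  # NotAction statements apply to everything not listed
            hit = not _matches(_as_list(stmt.get("NotAction", [])), action)
        if not hit:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def missing_actions(policy, target_version):
    """{version: [missing actions]} for every release up to target_version."""
    versions = list(REQUIRED_ACTIONS)
    wanted = versions[: versions.index(target_version) + 1]
    report = {}
    for version in wanted:
        missing = [a for a in REQUIRED_ACTIONS[version] if not action_allowed(policy, a)]
        if missing:
            report[version] = missing
    return report


# Constructed sample: roughly a policy last refreshed for v2.10.x.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "elasticloadbalancing:Describe*",
                    "ec2:GetSecurityGroupsForVpc"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["elasticloadbalancing:ModifyListenerAttributes",
                    "elasticloadbalancing:ModifyLoadBalancerAttributes"]},
    ],
}

if __name__ == "__main__":
    for version, actions in missing_actions(SAMPLE_POLICY, "v2.12.0").items():
        print(f"{version}: missing {', '.join(actions)}")
```

A clean report means none of the listed actions is wholesale absent; it does not prove the actions are scoped the way the reference policy scopes them, so diff your policy against the reference policy (or run it through the IAM policy simulator) before relying on it.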

What's new

  • AWS Load Balancer Controller now uses the new AWS SDK Go v2 version. The v2 SDK is designed to make API calls more efficiently, leading to improved performance in your applications. It comes with built-in retry mechanisms that retry requests less aggressively, and a variety of built-in backoff strategies, such as exponential backoff, which help to avoid overwhelming the AWS service and give it time to recover from temporary errors.
  • Supports listener attributes on load balancers.
    • AWS Network Load Balancer (NLB) now supports configurable TCP idle timeout. This allows you to align the TCP idle timeout value of NLB with clients and target applications. This capability can help reduce TCP connection retries and latency in applications that use long-lived flows, such as telemetry reporting devices, databases, streaming services, and ERP systems.
  • Support for resolving multiple security groups that share the same Name tag for load balancers. The old implementation incorrectly assumed a one-to-one mapping between security group names and security groups. This fix allows every security group matching the name to be resolved and attached to the load balancer, providing flexible configurations and avoiding errors. Because a name match now attaches every group carrying that tag, reference security groups by ID where the attached set must be exact.
  • Support for identifying VPC by tags using a new runtime argument. This is helpful when access to AWS metadata is blocked and the VPC ID is unknown at deploy time.

Enhancement and Fixes

  • (Chart): Allow disabling ingress validation via helm flag
  • Migrate AWS SDK GO V1 to V2.
  • Support the vpc- prefix in TargetGroupBinding vpcID validation
  • Set klog logger to harmonize logging format

Changelog since v2.8.3

Full Changelog: v2.8.3...v2.9.0

v2.8.3

17 Sep 06:17
a1418f9

v2.8.3 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.8.3
Thanks to all our contributors! 😊

What's new

Patch CVE-2024-39689 in ca-certificates, introduced by the base image.

What's Changed

Full Changelog: v2.8.2...v2.8.3

v2.8.2

09 Aug 23:03
f39ae43

v2.8.2 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.8.2
Thanks to all our contributors! 😊

What's new

Enhancements

  • We have changed the behavior of the Application Load Balancer add-on annotations (WAF Classic, WAFv2, Shield Advanced) as follows:
    • alb.ingress.kubernetes.io/waf-acl-id
      • [new behavior] when this annotation is absent, an existing WAF Classic WebACL (if any) on the Application Load Balancer is left unchanged.
      • [new behavior] when this annotation is set to 'none', an existing WAF Classic WebACL (if any) on the Application Load Balancer is disassociated.
      • [unchanged behavior] when this annotation is set to a WebACL ID, the specified WAF Classic WebACL is associated with the Application Load Balancer.
    • alb.ingress.kubernetes.io/wafv2-acl-arn
      • [new behavior] when this annotation is absent, an existing WAFv2 WebACL (if any) on the Application Load Balancer is left unchanged.
      • [new behavior] when this annotation is set to 'none', an existing WAFv2 WebACL (if any) on the Application Load Balancer is disassociated.
      • [unchanged behavior] when this annotation is set to a WebACL ARN, the specified WAFv2 WebACL is associated with the Application Load Balancer.
    • alb.ingress.kubernetes.io/shield-advanced-protection
      • [new behavior] when this annotation is absent, existing Shield Advanced protection (if any) on the Application Load Balancer is left unchanged.
      • [unchanged behavior] when this annotation is set to 'false', existing Shield Advanced protection on the Application Load Balancer is disassociated if its name matches the one managed by aws-load-balancer-controller.
      • [unchanged behavior] when this annotation is set to 'true', a new Shield Advanced protection with the name managed by aws-load-balancer-controller is created and associated with the Application Load Balancer.

Changelog since v2.8.1

What's Changed

Full Changelog: v2.8.1...v2.8.2

v2.8.1

31 May 22:17
e6ce604

v2.8.1 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.8.1
Thanks to all our contributors! 😊

What's new

Dependencies Upgrade:

  • controller-runtime from v0.14.6 to v0.18.2
  • k8s.io deps from v0.26.x to v0.30.0

Bug fixes

  • Fix the incompatibility with sidecar restartPolicy field for k8s 1.29+
  • Fix a bug in the mTLS feature by having the controller return nil for MutualAuthentication unless the customer explicitly enables the feature, since the ELB API does not currently support this object in Outposts and Local Zones.
  • Restrict the resolveViaVPCENIs() to fargate nodes only

Enhancement

  • helm chart enhancement: add envFrom parameter; add creator parameter to disable default helm labels
  • doc enhancement

Changelog since v2.8.0

What's Changed

Full Changelog: v2.8.0...v2.8.1