
fix: lb leak preventing changes in Load Balancer type annotation after creation #1325

Merged
k8s-ci-robot merged 1 commit into kubernetes:master from mtulio:fix-1254-lb-leak
Jan 13, 2026

@mtulio (Contributor) commented Jan 5, 2026

What type of PR is this?

/kind bug

What this PR does / why we need it:

This PR adds validation to prevent users from changing the Load Balancer type annotation (service.beta.kubernetes.io/aws-load-balancer-type) after the load balancer has already been created. This prevents load balancer resource leaks and potential service disruptions that can occur when attempting to change between Classic Load Balancer (CLB) and Network Load Balancer (NLB) after it has been created.

The validation works by:

  1. Detecting if a load balancer already exists by checking the service's LoadBalancer status
  2. Identifying the current load balancer type by analyzing the hostname pattern:
    • Classic Load Balancer: hostname ends with .elb.amazonaws.com
    • Network Load Balancer: hostname ends with .elb.<region>.amazonaws.com
  3. Comparing the annotation value against the detected type
  4. Returning a validation error if a type change is detected

Which issue(s) this PR fixes:

Fixes #1254

Special notes for your reviewer:

  • The validation uses hostname pattern matching to detect load balancer type, which is reliable since AWS uses consistent hostname formats
  • The validation only triggers when a load balancer already exists (non-empty ingress status)
  • Includes comprehensive test coverage with 19 test cases covering:
    • New services (no restrictions)
    • Existing services with same type (allowed)
    • Type change attempts (rejected)
    • Edge cases with different regional hostname formats

Does this PR introduce a user-facing change?:

Prevent Load Balancer type annotation changes after creation to avoid load balancer resource leaks and service disruptions.

Note: This PR was assisted by Claude (AI Assistant). Implementation authored by Marco Braga (@mtulio).

Signed-off-by: Claude (AI Assistant) noreply@anthropic.com
Co-Authored-By: Marco Braga mtulio@mtulio.dev

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. kind/bug Categorizes issue or PR as related to a bug. labels Jan 5, 2026
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Jan 5, 2026
@k8s-ci-robot (Contributor) commented

This issue is currently awaiting triage.

If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.


@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jan 5, 2026
@mtulio mtulio changed the title Prevent Load Balancer type annotation changes after creation fix: prevent Load Balancer type annotation changes after creation Jan 5, 2026
@mtulio mtulio marked this pull request as draft January 5, 2026 21:46
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 5, 2026
@mtulio (Contributor, Author) commented Jan 5, 2026

Converting to draft until e2e is reviewed and healthy

@mtulio (Contributor, Author) commented Jan 6, 2026

/test all

@mtulio (Contributor, Author) commented Jan 8, 2026

/test pull-cloud-provider-aws-e2e-kubetest2

@mtulio mtulio changed the title fix: prevent Load Balancer type annotation changes after creation fix: prevent changes in Load Balancer type annotation after creation Jan 8, 2026
Adds validation to prevent users from changing the Load Balancer type
annotation (service.beta.kubernetes.io/aws-load-balancer-type) after
the load balancer has been created. This prevents undefined behavior
and potential service disruptions.

The validation detects the current load balancer type by analyzing the
hostname pattern in the service's LoadBalancer status:
- Classic Load Balancer: hostname ends with ".elb.amazonaws.com"
- Network Load Balancer: hostname ends with ".elb.<region>.amazonaws.com"

If a mismatch is detected between the annotation and the existing load
balancer type, the controller returns a validation error preventing the
update.

Related to Issue 1254

Signed-off-by: Claude (AI Assistant) <noreply@anthropic.com>
Co-Authored-By: Marco Braga <mrbraga@redhat.com>
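
The hostname-based check described in the PR description and commit message above, as an added Go example; it is not the code merged in this PR. Function names and sample hostnames are constructed, and it assumes the annotation value `nlb` selects an NLB while any other value, or no annotation, selects a Classic Load Balancer.

```go
package main

import (
	"fmt"
	"strings"
)

// Annotation key quoted in the PR description.
const lbTypeAnnotation = "service.beta.kubernetes.io/aws-load-balancer-type"

// classifyHostname applies the two suffix rules from the PR description and
// returns "clb", "nlb", or "" when the hostname matches neither pattern.
func classifyHostname(host string) string {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if strings.HasSuffix(host, ".elb.amazonaws.com") {
		return "clb"
	}
	if strings.HasSuffix(host, ".amazonaws.com") {
		rest := strings.TrimSuffix(host, ".amazonaws.com")
		// NLB: exactly one label (the region) follows ".elb.".
		if i := strings.LastIndex(rest, ".elb."); i > 0 {
			if region := rest[i+len(".elb."):]; region != "" && !strings.Contains(region, ".") {
				return "nlb"
			}
		}
	}
	return ""
}

// validateTypeChange rejects an annotation that disagrees with the type of an
// already-provisioned load balancer (assumption: only "nlb" selects an NLB).
func validateTypeChange(annotations map[string]string, ingressHostnames []string) error {
	desired := "clb"
	if annotations[lbTypeAnnotation] == "nlb" {
		desired = "nlb"
	}
	for _, h := range ingressHostnames { // empty status: nothing provisioned yet
		if existing := classifyHostname(h); existing != "" && existing != desired {
			return fmt.Errorf("cannot set %s to %q: existing load balancer %s is %q",
				lbTypeAnnotation, desired, h, existing)
		}
	}
	return nil
}

func main() {
	nlbHost := "demo-0123456789abcdef.elb.us-east-1.amazonaws.com" // constructed sample
	fmt.Println(validateTypeChange(map[string]string{}, []string{nlbHost}))
	fmt.Println(validateTypeChange(map[string]string{lbTypeAnnotation: "nlb"}, []string{nlbHost}))
}
```

Hostnames that match neither suffix rule are not blocked in this example; a stricter check could reject them instead.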
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/invalid-commit-message Indicates that a PR should not merge because it has an invalid commit message. label Jan 8, 2026
@mtulio (Contributor, Author) commented Jan 8, 2026

  • tests passing as expected
  • removed special keyword referencing the issue
  • tests passing, converting from draft to regular PR

/assign @kmala @elmiko

@mtulio mtulio marked this pull request as ready for review January 8, 2026 13:33
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 8, 2026
@mtulio mtulio changed the title fix: prevent changes in Load Balancer type annotation after creation fix: lb leak preventing changes in Load Balancer type annotation after creation Jan 8, 2026
@elmiko (Contributor) left a comment

thanks Marco

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 8, 2026
@kmala (Member) commented Jan 13, 2026

/approve

@k8s-ci-robot (Contributor) commented

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kmala


@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jan 13, 2026
@k8s-ci-robot k8s-ci-robot merged commit 742c08c into kubernetes:master Jan 13, 2026
14 checks passed
@mtulio mtulio deleted the fix-1254-lb-leak branch January 13, 2026 12:05
@damdo (Member) commented Feb 11, 2026

/cherry-pick release-1.34

Development

Successfully merging this pull request may close these issues.

Controller leaks Load Balancer when Service annotation service.beta.kubernetes.io/aws-load-balancer-type is added/removed