A Kubernetes controller for Elastic Load Balancers
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.5.2
Thanks to all our contributors!
EnableRGTAPI, disabled by default. This feature allows the tagging manager to utilize RGT APIs to filter matching Load Balancers and Target Group resources, and is helpful when there are numerous resources. The RGT feature is not available for private clusters. If you intend to enable this feature, you need to do the following:
--feature-gates=EnableRGTAPI=true in controller command line flag or helm value --set controllerConfig.featureGates.EnableRGTAPI=true during chart install/upgrade
{
    "Effect": "Allow",
    "Action": [
        "tag:GetResources"
    ],
    "Resource": "*"
}

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.5.1
Thanks to all our contributors!
enableServiceMutatorWebhook to false. You will no longer be able to provision new Classic Load Balancer (CLB) from your Kubernetes service unless you disable this feature.
Please refer to the v2.5.0 release notes for further details.

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.5.0
Thanks to all our contributors!
🚨 🚨 🚨 The v2.5.0 ingress validator is not able to handle ingress rules without an HTTP path due to bug #3158. If your ingress rules don't have HTTP paths defined, do not upgrade to the v2.5.0 release.
spec.loadBalancerClass. This controller creates an internal NLB by default. You need to specify the annotation service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing on your service if you want to create an internet-facing NLB for your service.
subnets, InboundCIDRs and SSLPolicy fields in IngressClassParams. If you are upgrading the chart via helm upgrade, you need to update the IngressClassParams CRD manually by running kubectl apply -k "http://github.com/aws/eks-charts/stable/aws-load-balancer-controller//crds?ref=master"
spec.loadBalancerClass field for service of type LoadBalancer on create. This makes the AWS LBC the default controller for service of type LoadBalancer. You can disable this feature and revert to CCM as the default by setting the helm chart value enableServiceMutatorWebhook to false. You will no longer be able to provision new Classic Load Balancer (CLB) from your Kubernetes service unless you disable this feature. Existing CLB will continue to work fine.
defaultTargetType value during chart install/upgrade.
subnets, InboundCIDRs and SSLPolicy in IngressClassParams
service.beta.kubernetes.io/aws-load-balancer-ssl-ports
alb.ingress.kubernetes.io/conditions.${conditions-name}
EndpointsFailOpen by default

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.4.7
Thanks to all our contributors!
🚨 🚨 🚨 We've updated the reference IAM policies to explicitly add the AddTag permission for creating load balancer and listener resources. We recommend updating your controller IAM policies with the new permissions for existing installations as well.
CreateTargetGroup and CreateLoadBalancer. You will have to update the existing controller IAM permissions if you encounter the AccessDenied errors for the elbv2 APIs

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.4.6
Thanks to all our contributors!
service.beta.kubernetes.io/aws-load-balancer-healthcheck-success-codes to configure the HTTP success codes for NLB target group health check for http/https healthcheck protocol
NLBHealthCheckAdvancedConfiguration to false
service.beta.kubernetes.io/aws-load-balancer-healthcheck-timeout. You can disable this by setting the feature gate NLBHealthCheckAdvancedConfiguration to false

Image: docker.io/amazon/aws-alb-ingress-controller:v2.4.5
Thanks to all our contributors!
webhookNamespaceSelectors in HelmChart (#2816, @mikutas)

Image: docker.io/amazon/aws-alb-ingress-controller:v2.4.4
Thanks to all our contributors!
service.beta.kubernetes.io/aws-load-balancer-ipv6-addresses, which allows customizing the IPv6 addresses on the NLB.
ingressClassConfig.default, which allows setting the provided alb IngressClass as the default IngressClass in the cluster.
cluster.dnsDomain, which allows setting a customized dnsDomain other than the default cluster.local
controllerConfig.featureGates, which allows setting the --feature-gates flag on the controller Deployment.

Image: docker.io/amazon/aws-alb-ingress-controller:v2.4.3
Thanks to all our contributors!
SubnetsClusterTagCheck, if set to false the controller ignores the cluster tag kubernetes.io/cluster/${cluster-name} during subnet auto-discovery. This featureGate is set to true by default; you can disable it via the controller flag --feature-gates=SubnetsClusterTagCheck=false.
EnableIPTargetType, if set to false, disables IP target support.

Image: docker.io/amazon/aws-alb-ingress-controller:v2.4.2
Thanks to all our contributors!

Image: docker.io/amazon/aws-alb-ingress-controller:v2.4.1
Thanks to all our contributors!
🚨 🚨 🚨 The new HelmChart (version 1.4.1) and installation YAML for v2.4.1+ no longer contain the RBAC permission for the controller to access Secret resources by default.
--set clusterSecretsPermissions.allowAllSecrets=true. However, we recommend configuring a separate namespaced Role/RoleBinding to grant the controller access to your specific secret resources to strengthen security posture.
EndpointsFailOpen: Once enabled, when all eligible nodes get into "ready: unknown" state due to misconfiguration or outage, the controller will ensure fault-tolerance by registering nodes/pods in unknown state as targets so that the load balancer is still able to handle traffic. This featureGate is not enabled by default in this version and can be enabled via the controller flag --feature-gates=EndpointsFailOpen=true.
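
The namespaced Role/RoleBinding recommended in the v2.4.1 note above, sketched as an added example that is not taken from the release notes or the project's manifests. The namespace team-a, the Secret name oidc-client-secret and the Role name alb-oidc-secret-reader are hypothetical, and the ServiceAccount aws-load-balancer-controller in kube-system is assumed from a default install.

```yaml
# Added example. team-a, oidc-client-secret and alb-oidc-secret-reader are
# hypothetical names; the ServiceAccount name/namespace assume a default install.
#
# Scoped alternative to clusterSecretsPermissions.allowAllSecrets=true:
# the controller may read one named Secret in one namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: alb-oidc-secret-reader
  namespace: team-a
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    # resourceNames pins the grant to a single object. list/watch are only
    # authorized for requests that select this name with a metadata.name
    # field selector; a namespace-wide list of Secrets does not match the rule.
    resourceNames: ["oidc-client-secret"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alb-oidc-secret-reader
  namespace: team-a
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: alb-oidc-secret-reader
subjects:
  # Bind the controller's identity, not a user or group.
  - kind: ServiceAccount
    name: aws-load-balancer-controller
    namespace: kube-system
# Check the effective permissions after applying:
#   kubectl auth can-i get secret/oidc-client-secret -n team-a \
#     --as=system:serviceaccount:kube-system:aws-load-balancer-controller
#   kubectl auth can-i list secrets -n team-a \
#     --as=system:serviceaccount:kube-system:aws-load-balancer-controller
```

Repeat the pair per namespace that holds a Secret the controller must read, and leave clusterSecretsPermissions.allowAllSecrets unset so no cluster-wide Secret read is granted.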