v2.6.1

v2.6.1 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.6.1
Thanks to all our contributors! 😊

Fixes

• Fixes a performance related issue when "PodReadinessGate" feature is enabled

Changelog since v2.6.1

• remove unnecessary patch requests (#3373, @M00nF1sh )

v2.6.0

v2.6.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.6.0
Thanks to all our contributors! 😊

Enhancement

• Added support of Security Groups for NLB. With the security group support, it is feasible to forward the NLB traffic to the EC2 instances without having to open up the instances for global access. For backwards compatibility, NLBs created without the security groups or the existing NLBs will continue to provide the legacy behavior. Similar to ALB, there are two sets of SGs for NLB - frontend and backend SGs:
  • The controller will automatically create and attach the frontend SG to the NLB provisioned, and add rules for inbound-cidrs and listen-ports. If the users want to attach existing frontend SG to the NLB, they can explicitly specify via annotation service.beta.kubernetes.io/aws-load-balancer-security-groups
  • The Backend SG controls the traffic between the NLB and the EC2 instances/ENIs, and it gets attached to the NLB similar to the frontend SG. In case of auto-generated frontend SG, the controller automatically adds Node/ENI SG rules to allow egress traffic from the NLB. The rule management is disabled by default if the frontend SG is specified via annotation. We provide an annotation to configure controller’s management on backend SG rules regardless of the frontend SG type service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: true/false
• Improved the ingress cert auto-discovery to discover more cert types from ACM:

     KeyAlgorithmRsa1024,
     KeyAlgorithmRsa2048,
     KeyAlgorithmRsa3072,
     KeyAlgorithmRsa4096,
     KeyAlgorithmEcPrime256v1,
     KeyAlgorithmEcSecp384r1,
     KeyAlgorithmEcSecp521r1,

Fixes

• Fixed the race condition in pod cache and endpoint resolver
• Made the ingress validating webhook ignore ingresses that are not managed by AWS LBC
• Fixed typo in doc

Changelog since v2.5.4

• Add support for NLB security groups (#3329, @kishorj, @oliviassss)
• Allow TLS 1.2 with restricted ciphers for webhooks (#3318, @johngmyers)
• Update the RSA filter for Cert discovery (#3314, @shraddhabang)
• Doc: Add note for rename behavior of IngressGroup (#3283, @yubingjiaocn)
• Make Ingress validating webhook ignore ingresses not managed by AWS LBC (#3272, @johngmyers)
• add oliviassss as reviewer (#3306, @oliviassss)
• fix the race condition in pod cache and endpoint resolver (#3305, @oliviassss)
• Bump github.com/onsi/ginkgo/v2 from 2.6.0 to 2.11.0 (#3300, @dependabot)
• Bump github.com/aws/aws-sdk-go from 1.44.184 to 1.44.294 (#3271, @dependabot)
• Provide better explanation of failure to find a subnet (#3292, @johngmyers)
• test/framework: replace deprecated ioutil.ReadAll (#3256, @komisan19)
• Add warning in doc for ServiceMutatorWebhook (#3180, @punkwalker)
• Add note about keeping OWNERS in sync (#3289, @johngmyers)
• Docs: Fix typo in nlb.md. (#3257, @Gacko)
• fix: typo in PR template (#3267, @nakamume)

v2.5.4

v2.5.4 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.5.4
Thanks to all our contributors! 😊

Fixes

• Fixed a bug in the eventhandler that was ignoring the update event triggered by --sync-period and preventing the auto-reconciliation of the controller. From this version, the controller will reconcile all the resources even if there is no change in manifest, per the default interval of 10hr. For more information, please refer to the doc

Changelog since v2.5.3

• doc enhancement for waf addons and reconciliation (#3281, @oliviassss)
• update protobuf to the latest version (#3274, @oliviassss)
• fix the bug that evenhanlder ignores the update per sync-period (#3280, @oliviassss)

v2.5.3

v2.5.3 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.5.3
Thanks to all our contributors! 😊

Enhancement

• Update go dependencies and base image to address CVEs
• Drop the support for policy/v1beta1 of PodDisruptionBudget, since the k8s 1.22+ supports policy/v1
• Drop the support for cert-manager.io/v1alpha2, and explicitly set to cert-manager.io/v1

Fixes

• Update k8s.io/client-go to v0.26.5 to fix the promethus-adapter issue that causes the client-go to crash in k8s 1.27

Changelog since v2.5.2

• update to go 1.20.5 (#3253, @oliviassss)
• Update dependency and base image (#3239, @oliviassss)
• update aws partition in test script and add iam policy for iso regions (#3246, @oliviassss)
• Remove policy/v1beta1 since the min supported k8s version supports policy/v1 (#3230, @rdrgmnzs)
• chore: Added dependabot (#3228, @ellistarn)
• fix typo in test script (#3226, @oliviassss)
• Fix formatting (#3219, @hsusanoo)
• Explicitly setting CertManager APIVersion to V1 (#3189, @hawkesn)

v2.5.2

v2.5.2 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.5.2

Thanks to all our contributors! 😊

Enhancement

• Added support for the AWS Resource Group API which can be enabled via the feature flag EnableRGTAPI, disabled by default. This feature allows the tagging manager to utilize RGT APIs to filter matching Load Balancers and Target Group resources, and is helpful when there are numerous resources. RGT feature is not available for private clusters. If you intend to enable this feature, you need to do the following:
  • set --feature-gates=EnableRGTAPI=true in controller command line flag or helm value --set controllerConfig.featureGates.EnableRGTAPI=true during chart install/upgrade
  • add additional permission to the IAM policy used by the controller

  { 
   "Effect": "Allow", 
   "Action": [ 
       "tag:GetResources" 
   ], 
   "Resource": "*" 
  }
  

• Refactor backend SG provider, controller deletes backend SG when not required without waiting for all ingresses to be deleted.

Fixes

• Check both sdkLS and resLS sslpolicy for nil when updating extra certs for listeners

Changelog since v2.5.1

• update go.sum (#3206, @oliviassss)
• cut v2.5.2 release (#3205, @oliviassss)
• Fix typo in mkdocs.yml file (#3202, @Dragotic)
• check both sdkLS and resLS sslpolicy for nil (#3196, @oliviassss)
• Support AWS RGT APIs with feature flag (#3186, @oliviassss)
• cherry-pick: Support AWS RGT APIs with feature flag (#3186) (#3193, @oliviassss)
• refactor backend SG provider (#2836, @kishorj)
• add objectSelector to the new controller webhooks (#3165, @kishorj)
• chore(aws-load-balancer-controller): update all controllerConfig.featureGates samples default values (#3161, @kahirokunn)

v2.5.1

v2.5.1 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.5.1

Thanks to all our contributors! 😊

Action Required

• 🚨 🚨 🚨We've updated the controller manifests, so either use helm upgrade or apply the new manifest. The new controller image from the patch release is not compatible with manifests from v2.4.x or earlier releases
• 🚨 🚨 🚨We have made the LBC the default controller for service type LoadBalancer by adding a mutating webhook. You can disable the feature by setting the helm chart value enableServiceMutatorWebhook to false. You will no longer be able to provision new Classic Load Balancer (CLB) from your kubernetes service unless you disable this feature.

Please refer to the v2.5.0 release notes for further details.

Bug fixes

• Fix ingress validator to handle ingress rules without http paths, issue #3158

Changelog since v2.5.0

• cut v2.5.1 release (#3160, @kishorj)
• chore(aws-load-balancer-controller): add all controllerConfig.featureGates samples (#3156, @kahirokunn)
• Fix validator for ingress rules without http paths (#3159, @kishorj)
• update doc for 2.5 (#3154, @oliviassss)

v2.5.0

v2.5.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.5.0

Thanks to all our contributors! 😊

Action Required

🚨 🚨 🚨 The v2.5.0 ingress validator is not able to handle ingress rules without HTTP path due to bug #3158. If your ingress rules don't have the http paths defined, do not upgrade to v2.5.0 release.

• 🚨 🚨 🚨We've updated the controller manifests, so either use helm upgrade or apply the new manifest. The new controller image is not compatible with manifests from earlier releases, so we don't recommend editing existing deployment and updating the image tag.
• 🚨 🚨 🚨We have made the LBC the default controller for service type LoadBalancer by adding a mutating webhook. Therefore, from v2.5.0, it is required to use k8s 1.22 or later to support the spec.loadBalancerClass. This controller creates an internal NLB by default. You need to specify the annotation service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing on your service if you want to create an internet-facing NLB for your service.
• We have added subnets, InboundCIDRs and SSLPolicy fields in IngressClassParams. If you are upgrading the chart via helm upgrade, you need to update the IngressClassParams CRD manually by running kubectl apply -k "http://github.com/aws/eks-charts/stable/aws-load-balancer-controller//crds?ref=master"

Whats new

• The AWS LBC provides a mutating webhook for service resources to set the spec.loadBalancerClass field for service of type LoadBalancer on create. This makes the AWS LBC the default controller for service of type LoadBalancer. You can disable this feature and revert to set CCM as the default by setting the helm chart value enableServiceMutatorWebhook to false. You will no longer be able to provision new Classic Load Balancer (CLB) from your kubernetes service unless you disable this feature. Existing CLB will continue to work fine.
• You can set the default target type for the load balancer target groups. For helm chart, you can specify the defaultTargetType value during chart install/upgrade.
• Fields subnets, InboundCIDRs and SSLPolicy in IngressClassParams

Enhancements

• Update controller runtime
• Add a validation step on service annotation service.beta.kubernetes.io/aws-load-balancer-ssl-ports
• Handle the validation error on ingress annotation alb.ingress.kubernetes.io/conditions.${conditions-name}
• Enable EndpointsFailOpen by default
• Allow multiple TLS certificate for the same host for ALB during certificate discovery
• Migrate to ConfigMap leases for the leader election
• Documentation enhancement

Changelog since v2.4.7

• rename configuration value to enableServiceMutatorWebhook (#3142, @jerryhe1999)
• Add docker-push-w-buildx make target (#3135, @ivyostosh)
• Add the service mutator webhook manifest to make the controller default for service of type LoadBalancer (#3139, @jerryhe1999)
• Subnet discovery documentation edits (#3128, @jimdial-aws)
• NLB documentation edits (#3129, @jimdial-aws)
• documentation enhacement (#3136, @oliviassss)
• fix installation.md rendering (#3127, @oliviassss)
• update iam policy version to 2.4.7 (#3123, @oliviassss)
• update eksctl and default eks versions (#3120, @kishorj)
• Added alternate policies and other edits. (#3121, @jimdial-aws)
• add test coverage for endPointSlices (#3119, @oliviassss)
• Add webhook for claiming load balancers without LoadBalancerClass (#2925, @olemarkus)
• Update ko to v0.13.0 (#3115, @kishorj)
• Update module dependencies (#3114, @kishorj)
• Added ssl-ports validation in case unused ports are introduced in the aws-load-balancer-ssl-ports annotation (#3067, @ahrakos)
• update to discovery.k8s.io/v1 (#3072, @kishorj)
• docs: add a new page about security groups management (#2988, @prasadkatti)
• Add InboundCIDRs field to IngressClassParams (#3089, @johngmyers)
• Add SSLPolicy field to IngressClassParams (#3025, @johngmyers)
• enable EndpointsFailOpen by default (#3078, @kishorj)
• Update the default container base image (#3075, @kishorj)
• update recommended IAM policy template (#3068, @jdn5126)
• update to discovery.k8s.io/v1 (#3072, @kishorj)
• Validate Ingress condition annotations (#2735, @r-erema)
• Fix conciseLogger's incorrect call to variadic func (#3066, @johngmyers)
• Verify CRDs are up to date in merge check (#3022, @johngmyers)
• Refactor model builder test (#3024, @johngmyers)
• Remove constrains of multiple TLS on certificate auto-discovery (#3028, @jerryhe1999)
• fix: check default ingclass when ingclass is nill (#2963, @yasinlachiny)
• Add subnets field to IngressClassParams (#2945, @johngmyers)
• Verify generated files are up to date in merge check (#3007, @johngmyers)
• Update module dependencies (#2998, @johngmyers)
• Add johngmyers as reviewer (#2999, @johngmyers)
• helm: add "defaultTargetType" values setting (#2990, @johngmyers)
• Update module dependencies (#2994, @johngmyers)
• Fix typo in 'Subnet Discovery' (#2996, @KENNYSOFT)
• Build image with ko (#2955, @johngmyers)
• Start migration to leases for leader election (#2993, @johngmyers)
• Upgrade aws-sdk-go to v1.44.184 (#2992, @johngmyers)
• Replace inet.af/netaddr with net/netip (#2987, @jerryhe1999)
• Add —default-target-type flag (#2840, @johngmyers)
• Add GitHub Action for tagging releases and creating release branches (#2881, @johngmyers)

v2.4.7

v2.4.7 (requires Kubernetes 1.19+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.4.7

Thanks to all our contributors! 😊

Action Required

🚨 🚨 🚨 We've updated the reference IAM policies to explicitly add the AddTag permission for creating load balancer and listener resources. We recommend updating your controller IAM policies with the new permissions for existing installations as well.

Whats new

• This patch release updates the controller to use discovery.k8s.io/v1 version of EndpointSlice for compatibility with k8s 1.25 and later releases. Starting this patch release, the controller will be able to support EndpointSlice in k8s 1.21 and later clusters only.
• We have also updated the reference IAM policies to explicitly allow the AddTag permission for the ELBv2 CreateTargetGroup and CreateLoadBalancer. You will have to update the existing controller IAM permissions if you encounter the AccessDenied errors for the elbv2 APIs

Changelog since v2.4.6

• update IAM policy template (#3046, @kishorj, @jdn5126, @Apollorion)
• update to discovery.k8s.io/v1 (#3073, @kishorj)

v2.4.6

v2.4.6 (requires Kubernetes 1.19+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.4.6

Thanks to all our contributors! 😊

Whats new

1. This release introduces new annotation service.beta.kubernetes.io/aws-load-balancer-healthcheck-success-codes to configure the HTTP success codes for NLB target group health check for http/https healthcheck protocol
2. Controller doesn't delete existing NLB target group to reconfigure health check configuration with default configuration. You can revert to the earlier behavior by setting the feature gate NLBHealthCheckAdvancedConfiguration to false
3. Controller configures the NLB target group health check timeout based on the annotation service.beta.kubernetes.io/aws-load-balancer-healthcheck-timeout. You can disable this by setting the feature gate NLBHealthCheckAdvancedConfiguration to false

Changelog since v2.4.5

• add example of blue/green deployment (#2911, @geoffcline)
• Ability to reconfigure NLB target group health check (#2967, @kishorj)
• Replace "SSL" with "TLS" where possible in documentation (#2962, @johngmyers)
• docs: update contibutor docs (#2961, @prasadkatti)
• Update eksctl and eks default versions for e2e tests (#2960, @kishorj)
• Update index.md (#2959, @Kostavro)
• docs: fix gRPCServer example (#2954, @prasadkatti)
• update controller-gen to v0.11.1 (#2953, @kishorj)
• fix typos in doc about self managed lb (#2947, @Kostavro)
• docs: make external-dns optional in echoserver walkthrough (#2950, @prasadkatti)
• fix: typo in synthesizer test (#2941, @yasinlachiny)
• use multi-arch image for service e2e test (#2943, @kishorj)
• Update installation.md (nit) (#2937, @mtulio)
• move test images to ecr public (#2935, @kishorj)
• Use public ECR repository by default (#2907, @kishorj)
• fix: health check timeout for services/NLB (#2899, @project0)
• update external dns manifest and docs (#2895, @kishorj)
• update external dns manifest url (#2892, @kishorj)
• update go packages and dependencies (#2887, @kishorj)
• update filename from the set-version script (#2889, @kishorj)
• Stop restricting branches for unit test action (#2879, @johngmyers)
• Improve echo server example documentation (#2853, @kevin85421)
• Fix consistency of version references in documentation, etc. (#2880, @johngmyers)
• Documentation update to warn of Access Control bypass when conversion from IPv4 to IPv6 on NLBs (#2868, @wilief)
• Fix to use a code block in the guide of ingress annotations (#2877, @hadusam)
• Fix typo of a comment in pkg/networking/subnet_resolver.go (#2876, @hadusam)

v2.4.5

v2.4.5 (requires Kubernetes 1.19+)

Documentation

Image: docker.io/amazon/aws-alb-ingress-controller:v2.4.5

Thanks to all our contributors! 😊

Fixes

• Fix webhookNamespaceSelectors in HelmChart (#2816, @mikutas)

Changelog since v2.4.4

• Infer VPCID from controller's nodeName when running with cloud controller manager (#2824, @olemarkus )
• Query IMDS over IPv6 when controller pod don't have IPv4 addresses (#2453, @johngmyers)
• Upgrade controller-runtime to v0.9.7 (#2833, @jdn5126 )
• Upgrade Golang to v1.19.3 (#2871, @M00nF1sh )
• Maintain helm chart test.yaml file (#2872, @BobDu )
• Install correct ginkgo version and pass no color to script (#2839, @jdn5126 )
• Upgrade ginkgo version; address go fmt(#2835, @jdn5126 )
• Fix misspelling in documentation(#2871, @yiyu0x)
• Fix documentation about alpn-policy (#2831, @BouchaaraAdil)

ECR images

• 013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 558608220178.dkr.ecr.me-south-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 590381155156.dkr.ecr.eu-south-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 602401143452.dkr.ecr.ap-northeast-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 602401143452.dkr.ecr.ap-northeast-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 602401143452.dkr.ecr.ap-northeast-3.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 602401143452.dkr.ecr.ap-south-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 602401143452.dkr.ecr.ap-southeast-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 602401143452.dkr.ecr.ap-southeast-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 602401143452.dkr.ecr.ca-central-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 602401143452.dkr.ecr.eu-central-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 602401143452.dkr.ecr.eu-north-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 602401143452.dkr.ecr.eu-west-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 602401143452.dkr.ecr.eu-west-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 602401143452.dkr.ecr.eu-west-3.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 602401143452.dkr.ecr.sa-east-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 602401143452.dkr.ecr.us-east-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 602401143452.dkr.ecr.us-east-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 602401143452.dkr.ecr.us-west-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 800184023465.dkr.ecr.ap-east-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 877085696533.dkr.ecr.af-south-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.5
• 918309763551.dkr.ecr.cn-north-1.amazonaws.com.cn/amazon/aws-load-balancer-controller:v2.4.5
• 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon/aws-load-balancer-controller:v2.4.5