v2.5.0

v2.5.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.5.0

Thanks to all our contributors! 😊

Action Required

🚨 🚨 🚨 The v2.5.0 ingress validator is not able to handle ingress rules without HTTP path due to bug #3158. If your ingress rules don't have the http paths defined, do not upgrade to v2.5.0 release.

• 🚨 🚨 🚨We've updated the controller manifests, so either use helm upgrade or apply the new manifest. The new controller image is not compatible with manifests from earlier releases, so we don't recommend editing existing deployment and updating the image tag.
• 🚨 🚨 🚨We have made the LBC the default controller for service type LoadBalancer by adding a mutating webhook. Therefore, from v2.5.0, it is required to use k8s 1.22 or later to support the spec.loadBalancerClass. This controller creates an internal NLB by default. You need to specify the annotation service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing on your service if you want to create an internet-facing NLB for your service.
• We have added subnets, InboundCIDRs and SSLPolicy fields in IngressClassParams. If you are upgrading the chart via helm upgrade, you need to update the IngressClassParams CRD manually by running kubectl apply -k "http://github.com/aws/eks-charts/stable/aws-load-balancer-controller//crds?ref=master"

Whats new

• The AWS LBC provides a mutating webhook for service resources to set the spec.loadBalancerClass field for service of type LoadBalancer on create. This makes the AWS LBC the default controller for service of type LoadBalancer. You can disable this feature and revert to set CCM as the default by setting the helm chart value enableServiceMutatorWebhook to false. You will no longer be able to provision new Classic Load Balancer (CLB) from your kubernetes service unless you disable this feature. Existing CLB will continue to work fine.
• You can set the default target type for the load balancer target groups. For helm chart, you can specify the defaultTargetType value during chart install/upgrade.
• Fields subnets, InboundCIDRs and SSLPolicy in IngressClassParams

Enhancements

• Update controller runtime
• Add a validation step on service annotation service.beta.kubernetes.io/aws-load-balancer-ssl-ports
• Handle the validation error on ingress annotation alb.ingress.kubernetes.io/conditions.${conditions-name}
• Enable EndpointsFailOpen by default
• Allow multiple TLS certificate for the same host for ALB during certificate discovery
• Migrate to ConfigMap leases for the leader election
• Documentation enhancement

Changelog since v2.4.7

• rename configuration value to enableServiceMutatorWebhook (#3142, @jerryhe1999)
• Add docker-push-w-buildx make target (#3135, @ivyostosh)
• Add the service mutator webhook manifest to make the controller default for service of type LoadBalancer (#3139, @jerryhe1999)
• Subnet discovery documentation edits (#3128, @jimdial-aws)
• NLB documentation edits (#3129, @jimdial-aws)
• documentation enhacement (#3136, @oliviassss)
• fix installation.md rendering (#3127, @oliviassss)
• update iam policy version to 2.4.7 (#3123, @oliviassss)
• update eksctl and default eks versions (#3120, @kishorj)
• Added alternate policies and other edits. (#3121, @jimdial-aws)
• add test coverage for endPointSlices (#3119, @oliviassss)
• Add webhook for claiming load balancers without LoadBalancerClass (#2925, @olemarkus)
• Update ko to v0.13.0 (#3115, @kishorj)
• Update module dependencies (#3114, @kishorj)
• Added ssl-ports validation in case unused ports are introduced in the aws-load-balancer-ssl-ports annotation (#3067, @ahrakos)
• update to discovery.k8s.io/v1 (#3072, @kishorj)
• docs: add a new page about security groups management (#2988, @prasadkatti)
• Add InboundCIDRs field to IngressClassParams (#3089, @johngmyers)
• Add SSLPolicy field to IngressClassParams (#3025, @johngmyers)
• enable EndpointsFailOpen by default (#3078, @kishorj)
• Update the default container base image (#3075, @kishorj)
• update recommended IAM policy template (#3068, @jdn5126)
• update to discovery.k8s.io/v1 (#3072, @kishorj)
• Validate Ingress condition annotations (#2735, @r-erema)
• Fix conciseLogger's incorrect call to variadic func (#3066, @johngmyers)
• Verify CRDs are up to date in merge check (#3022, @johngmyers)
• Refactor model builder test (#3024, @johngmyers)
• Remove constrains of multiple TLS on certificate auto-discovery (#3028, @jerryhe1999)
• fix: check default ingclass when ingclass is nill (#2963, @yasinlachiny)
• Add subnets field to IngressClassParams (#2945, @johngmyers)
• Verify generated files are up to date in merge check (#3007, @johngmyers)
• Update module dependencies (#2998, @johngmyers)
• Add johngmyers as reviewer (#2999, @johngmyers)
• helm: add "defaultTargetType" values setting (#2990, @johngmyers)
• Update module dependencies (#2994, @johngmyers)
• Fix typo in 'Subnet Discovery' (#2996, @KENNYSOFT)
• Build image with ko (#2955, @johngmyers)
• Start migration to leases for leader election (#2993, @johngmyers)
• Upgrade aws-sdk-go to v1.44.184 (#2992, @johngmyers)
• Replace inet.af/netaddr with net/netip (#2987, @jerryhe1999)
• Add —default-target-type flag (#2840, @johngmyers)
• Add GitHub Action for tagging releases and creating release branches (#2881, @johngmyers)