v2.12.0 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.12.0
Thanks to all our contributors!
Action required
In v2.12.0, we have changed the default failure policy of the LBC pod webhook from Fail to Ignore in order to improve disaster recovery. See our documentation for how to change the policy back to Fail if you want a stronger guarantee that readiness gates are attached to your pods.
We've added new fields to both IngressClassParams and TargetGroupBinding. Please apply the latest CRD definitions:
kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"
AWS ALB now supports integration with AWS VPC IPAM, which requires the ec2:DescribeIpamPools and elasticloadbalancing:ModifyIpPools permissions. We have also added a new IAM permission (elasticloadbalancing:SetRulePriorities) that the controller needs to manage your ALB listener rules effectively. The reference IAM policies have been updated to explicitly grant these permissions; update the policy attached to your controller before using these features.
What's new
- Support AWS VPC IPAM with Application Load Balancers.
- Application Load Balancer (ALB) now supports BYOIP (Bring your own IP) utilizing AWS VPC IP Manager.
- Application Load Balancer now supports Advertise CA when using mTLS.
- When you enable Advertise CA subject names, the Application Load Balancer will advertise the list of Certificate Authorities (CAs) subject names that it trusts, based on the trust store it's associated with. When a client connects to a target through the Application Load Balancer, the client receives the list of trusted CA subject names.
- NLB now supports Path MTU discovery using ICMP.
- Some environments need Path MTU discovery so that two hosts can negotiate an MTU. If the receiving host has a smaller MTU than the sending host, it sends an ICMP message instructing the sender to split the payload into smaller packets and retransmit them. This release introduces a Service annotation that, when configured, automatically adds a security group rule to the managed security group, chosen according to the IP address type.
- The LBC now supports registering targets in cross account target groups.
- You can now use the iamRoleArnToAssume field in the TargetGroupBinding CRD to allow for registration and deregistration of IP targets into Target Groups outside the account that owns the cluster.
- The LBC now supports multiple references to the same Target Group.
- In previous releases there was an enforced one-to-one mapping of TargetGroupBinding to Target Group. v2.12.0 removes this limitation if the MultiCluster flag is set on each binding.
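As an added example (not from these release notes or the project's own manifests), here is a TargetGroupBinding that uses both of the features just described: it registers IP targets into a target group owned by another AWS account via iamRoleArnToAssume, and sets the multi-cluster flag so that a second cluster can bind the same target group. iamRoleArnToAssume is the field named above; the field name multiClusterTargetGroup, the resource and role names, and the ARNs are assumptions or constructed placeholders, so check them against the CRD you applied.

```yaml
# Added example, not the project's own manifest. Names and ARNs are constructed.
apiVersion: elbv2.k8s.aws/v1beta1
kind: TargetGroupBinding
metadata:
  name: shared-tg-cluster-a        # constructed name
  namespace: default
spec:
  serviceRef:
    name: my-app                   # constructed: Service whose pods become targets
    port: 80
  # Cross-account registration is supported for IP targets.
  targetType: ip
  # Target group that lives in account 111122223333 (placeholder account id),
  # not in the account that owns this cluster.
  targetGroupARN: arn:aws:elasticloadbalancing:us-west-2:111122223333:targetgroup/shared-tg/0123456789abcdef
  # Role in the target group's account that the controller assumes for
  # registration and deregistration. Its trust policy must name the
  # controller's own IAM role/identity as the only allowed principal.
  iamRoleArnToAssume: arn:aws:iam::111122223333:role/lbc-cross-account-target-registration
  # Assumed field name for the MultiCluster flag. Set it on EVERY binding that
  # references this target group (in each cluster); otherwise a controller that
  # does not know about the other cluster treats its targets as stale.
  multiClusterTargetGroup: true
```

From a least-privilege standpoint, the assumed role should grant only the actions the controller needs for this binding (elasticloadbalancing:RegisterTargets, elasticloadbalancing:DeregisterTargets, elasticloadbalancing:DescribeTargetHealth) with the Resource restricted to the specific target group ARN, and its trust policy should allow sts:AssumeRole only from the controller's role. After applying, confirm the controller accepted the binding and registered targets with `kubectl describe targetgroupbinding shared-tg-cluster-a` and by checking target health in the target group's account.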
Enhancements and Fixes
- ListenerRule modifications have been refactored to allow routing rule changes with no downtime.
- Security group ingress and egress rule modifications are now re-ordered (permissions are added before old ones are revoked) to prevent outages caused by misconfigured SG settings.
- Fixed a bug that prevented the controller from setting Dualstack mode.
- Better metric buckets are now used when publishing readiness gate latency.
- Added support for karpenter.sh/disrupted:NoSchedule taint to improve application availability during node patching and scaling.
Changelog since v2.11.0
- Add ALB IPAM Support (#4081, @zac-nixon)
- Update rule management to avoid sporadic 503 errors (#4039, @shraddhabang)
- Fix TGB webhook error message to report changes to immutable field (#4070, @maruina)
- Do not render .spec.replicas if Autoscaling is Enabled (#4059, @sherifabdlnaby)
- add toggle to adjust failurePolicy of pod webhook and documentations (#4063, @M00nF1sh)
- [feat] allow multiple targetgroupbindings to reference same tg arn if using multicluster mode (#4021, @zac-nixon)
- Checking for taint karpenter.sh/disrupted:NoSchedule while checking if node is suitable to handle traffic. (#4022, @kahirokunn)
- Added ISO Policy for iso-e and iso-f in example docs, and updated integration test script based on testing already done (#4032, @orsenthil)
- TargetGroupBindings can now manipulate target groups from different aws accounts (#3691, @marcosdiez)
- bug fix: use reasonable buckets for readiness gate flip metrics (#4001, @zac-nixon)
- Fix CVE-2024-45338 - golang.org/x/net (#4010, @shraddhabang)
- bug fix: try SG permission add prior to revoke (#3952, @zac-nixon)
- fix(helm): change topologySpreadConstraints default value (#3983, @yann-soubeyrand)
- fix: Cannot set the IPv6 addresses in dualstack mode during modification (#3959, @wweiwei-li)
- feat: add advertise ca for mtls listener (#3974, @zac-nixon)
- feat(NLB): Introduce Service annotation to allow ICMP for Path MTU Discovery (#3939, @chriswachira)