kubernetes-sigs/aws-load-balancer-controller v2.14.0

on GitHub

Beta Release: Gateway API Layer 7 (L7) Routing for AWS Load Balancer Controller

We are excited to announce the Beta release of Layer 7 (L7) routing support for the Kubernetes Gateway API within the AWS Load Balancer Controller (LBC)!🥳🥳🥳 This highly anticipated feature allows you to provision and manage AWS Application Load Balancers (ALBs) for HTTP, HTTPS, and GRPC traffic directly from your Kubernetes clusters using the extensible Gateway API. Please refer to L7 Gateway API Documentation to learn more.

This beta release focuses on Gateway API features with comprehensive status reporting, advanced authentication, and stability improvements. While we encourage you to test these features extensively in your development environments, please be aware that this is a Beta release and is not yet production-ready. We are actively gathering feedback to finalize stability for official production use. This Beta status applies only to the new Gateway API features. All existing controller functionality for standard Ingress, Service and TargetGroupBinding resources remains stable and is safe for production workflows. Please restrict use of the new Gateway API features to testing and development environments.

📚 Quick Links

v2.14.0 (requires Kubernetes 1.22+)

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.14.0

Documentation

Thanks to all our contributors!💜💜💜

⚠️ Action Required

EndpointSlices Now Default

• Change: EndpointSlices enabled by default (better performance and old endpoint api is on deprecation path: https://kubernetes.io/blog/2025/04/24/endpoints-deprecation/)
• Action: No action needed. Use --enable-endpoint-slices=false if issues occur

CRD Updates

• Change: We’ve added new fields to both the IngressClassParams and TargetGroupBinding.
• Action : Please apply the latest CRD definitions: kubectl apply -f github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master

🚀 What's New in Ingress, Services and TargetGroupBinding

Enhanced Defaulting Flag

• New: EnhancedDefaultBehavior flag for better annotation lifecycle management
• Impact: Enable this feature to allow the controller to remove ALPN and mTLS settings by removing the corresponding annotation

CRD Naming Fix

• Fixed: IngressClassParams singular name: ingressclassparams → ingressclassparam
• Impact: No action required. Both name will be supported, existing customers are not impacted. New customers please use correct name. Resolves SingularConflict errors

Configuration Improvements

• IngressClassParams Enhancements:
  • Load balancer name specification
  • SSL redirect port configuration
  • WAFv2 ARN/name support
  • PrefixListsIDs backward compatibility
• Target Group Names: Use names instead of ARNs in forward actions
• Granular NLB SG: Disable NLB Security Groups at the individual Service, instead of at the controller level.
• Frontend NLB Tags: Dedicated tagging for frontend NLBs

🚀 What's New in Gateway API

Status Update & Observability

• Gateway Listener Status: Complete status reporting with all condition types (Conflicted, Accepted, ResolvedRefs, Programmed)
• Route Status Management: Fixed infinite reconcile loops, proper lifecycle management
• E2E Status Tests: Comprehensive validation for UDP, TCP, HTTP, gRPC route statuses
• Target Group Metrics: New aws_target_group_info metric for CloudWatch integration

Advanced Authentication

• OIDC Support: Complete OpenID Connect integration via ListenerRuleConfiguration
• Cognito Integration: Complete AWS Cognito integration via ListenerRuleConfiguration

Enhanced Routing

• gRPC Partially Supported: Complete gRPC routing with header/method matching, E2E tests
• Source IP Conditions: Advanced source IP matching in rules
• Multiple Header Values: Support comma-separated header values
• Hostname Uniqueness: Enforced between gRPC and HTTP routes

Traffic Management

• Target Group Stickiness: Session affinity support
• Fixed Response Actions: Custom status codes and response bodies
• Port-Specific Attributes: Different target group attributes per service port
• Weighted Target Group Fixes: Improved comparison logic

Infrastructure

• Gateway API Addons: WAFv2 and Shield support for Gateway API
• IPv6 Support: Complete IPv6 testing and validation
• Elastic IP Support: Frontend NLB Elastic IP allocation

🔧 Enhancements and Fixes

Performance & Reliability

• Go 1.24.6: Security fixes and performance improvements
• DNS Timeout: Configurable DNS propagation timeout
• TGB Checkpoints: Fixed check-pointing after accidental service port deletion.
• Error Metrics: Fixed metric pollution from expected errors

Bug Fixes

• Weighted Target Groups: Fixed unnecessary rule modifications causing 4XX errors when using Weighted Target Groups.
• TCP_UDP Security Groups: Proper ingress rule generation for TCP_UDP listeners
• Backend SG Tags: Automatically sync Security Groups tags on backend Security Groups.

Documentation & Testing

• Resource Cleanup Guide: Proper deletion order documentation
• Scaling Documentation: Guidelines for large cluster deployments
• Comprehensive E2E Tests: gRPC, IPv6, status validation, authentication
• Error Message Improvements: Clearer guidance for common issues

🌟 Complete Change Log

• [feat gw-api]implement hostname uniqueness for httproute and grpcrout… by @shuqz in #4288
• [Gateway API] Add Addon Support by @zac-nixon in #4277
• chore: fix prefixlistsids typo in readme by @1ms-ms in #4289
• Add TG protocol into TGB by @zac-nixon in #4282
• feat: allow targetGroupName instead of targetGroupARN in forward action ingress annotations by @pascal-hofmann in #4281
• modify PrefixListsIDs with backward compatibility by @shuqz in #4293
• feature: add load balancer name to IngressClassParams by @1ms-ms in #4290
• upgrade go version by @shuqz in #4299
• [helm-chart] allow setting revisionHistoryLimit for webhook Certificate by @alex-berger in #4228
• [feat:gw api] Add tg stickiness and fixed response by @shuqz in #4298
• add granular NLBSG disable annotation by @zac-nixon in #4295
• fix sg rule generation for TCP_UDP and legacy SG path by @zac-nixon in #4305
• fix/docs: formatting issue in security_groups.md by @mtulio in #4219
• Fix IngressClassParams CRD singular naming to resolve SingularConflict by @laradji in #4201
• Add wafv2AclArn field to IngressClassParams by @mikutas in #3961
• [gw api] Fix overwrite of route status by @zac-nixon in #4309
• feat: add target group info metric by @msvticket in #3581
• add configurable timeout for dns propagation by @zac-nixon in #4311
• [feat gw api] Add auth cognito action for secure listeners on ALBs by @shraddhabang in #4313
• feature: get waf arn from name by @1ms-ms in #4312
• fix http / grpc route rule generation by @zac-nixon in #4316
• re introduce grpc routes by @zac-nixon in #4318
• feature: add ssl redirect port to IngressClassParams by @1ms-ms in #4308
• [feat gw-api]support multiple header value in condition by @shuqz in #4321
• [gw api] add grpc e2e tests by @zac-nixon in #4323
• fix: Resource tags don't propagate to frontend NLB #4279 by @praddy26 in #4328
• doc updates for scaling, IMDS usage by @zac-nixon in #4327
• Add elastic IP annotation to front end NLB by @swarner1033 in #4330
• feat: sync created Backend SG tags by @phuhung273 in #3990
• [feat gw api] Add authenticate oidc action support for L7 gateway by @shraddhabang in #4334
• [feat gw-api]support source ip and handle grpc filter by @shuqz in #4335
• add support IPv6 tests for Gateway API by @zac-nixon in #4337
• add ability to configure mTLS on LBC webhook by @zac-nixon in #4342
• feat: Support configure target-group-attributes for different service port #4326 by @praddy26 in #4338
• fix null pointer when using NLB Gateways by @zac-nixon in #4346
• Updated documentation to reflect the correct order of deletion for ingress-related resources by @praddy26 in #4347
• temporaily remove certs from e2e test until certs are re-generated by @zac-nixon in #4358
• update endpointslice to enabled by default by @zac-nixon in #4353
• Have TGB handler reset checkpoint properly on cleanUp(). by @zac-nixon in #4355
• Add EnhancedDefaulting flag to do sensible defaulting when possible by @zac-nixon in #4344
• fix metric population by requeueneeded error by @zac-nixon in #4356
• [feat gateway-api]implement gateway listener status by @shuqz in #4357
• Fix weighted target group comparison for forward action by @shraddhabang in #4350
• Add E2E tests that validate route statuses are properly set by @zac-nixon in #4362
• handle invalid yaml when generating helm crd by @zac-nixon in #4365
• l7 documentation, correct some warnings in other docs by @zac-nixon in #4352
• cut v2.14.0 release by @shuqz in #4370

🥳 New Contributors

• @1ms-ms made their first contribution in #4289
• @pascal-hofmann made their first contribution in #4281
• @laradji made their first contribution in #4201
• @msvticket made their first contribution in #3581
• @praddy26 made their first contribution in #4328
• @swarner1033 made their first contribution in #4330

Full Changelog: v2.13.4...v2.14.0

🎯 Provide Your Feedback!

As this is a beta release, your feedback is invaluable! We encourage you to:

• Try it out in your development or staging environments.
• Share your experience by opening issues on our [GitHub repository] (https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues)
• Report any bugs you encounter.
• Suggest improvements or features you'd like to see.

Your active participation will help us refine this feature for its General Availability release.