kubernetes-sigs/aws-load-balancer-controller v2.3.0 on GitHub

v2.3.0 (requires Kubernetes 1.16+)

Documentation

Image: docker.io/amazon/aws-alb-ingress-controller:v2.3.0

Thanks to all our contributors! 😊

Action Required

New IAM Permissions needed for IPv6 clusters: sample policy, sample policy for cn, sample policy for gov-cloud
New RBAC permissions needed (included in latest yaml/helm chart)
CRD/Webhook updates needed (included in latest yaml/helm chart)
Included yaml manifests use cert-manager apiversion v1. You need to update cert-manager to v1.5.3 or later if you install via yaml manifests or enable cert-manager for helm chart

Additional Note

This release introduces optimized security group rules for ALB. The controller uses a shared security group across multiple ALBs in the cluster to allow access to your application pods. As a result, your existing ALBs get updated on controller upgrade. There is a possible time window during reconfiguration where your client traffic might get impacted. We recommend upgrading the controller during a maintenance window.

If you don't prefer the controller create an additional security group, you can either specify a backend security group via the --backend-security-group controller flag, or revert to the previous behavior by setting the controller flag --enable-backend-security-group to false. If you install the helm chart, you can set the desired configuration via enableBackendSecurityGroup and backendSecurityGroup values.

What's new

Improved security groups handling
ALB IPv6 target groups
Helm v3 chart
Support for Endpointslices
Upgrade controller runtime, k8s dependencies
Use admission/v1
Update to use golang v1.16.3

Enhancements

IngressClassParams support for load balancer attributes
Specify NLB attributes via annotation, support for NLB deletion protection
Restrict subnet auto-discovery to new LB creation for ALB/NLB
Discover subnets based on available IP addresses
Filter target group and load balancers by VPC ID
Handling of deletion protection configured via annotation
Custom AWS endpoints configuration
Port range restriction for SG rules
Discover AWS region from environment configuration
Documentation changes

Helm chart

Helm v3 chart
Use pdb/v1 if available
Reuse existing TLS secrets
cert-manager apiversion v1
optional serviceAnnotations
specifying TLS certs/key for webhook

Changelog since v2.2.4

Add support for ALB IPv6 target groups (#2284, @kishorj)
add utilities to help write e2e tests and a few basic e2e tests cases (#2294, @M00nF1sh)
provide scoped down IAM permissions example (#2283, @kishorj)
Refactor custom AWS endpoint resolver (#2270, @kishorj)
fix sdk override script for linux platform (#2280, @kishorj)
update ssl redirect documentation (#2274, @kishorj)
Reject custom load balancer name longer than 32 characters (#2295, @kishorj)
modify .Capabilities.APIVersions.Has for pdb (#2293, @cw-sakamoto)
fix typo in service annotations (#2290, @neha-viswanathan)
Update documentation site to show grpc example tutorial (#2277, @brianannis)
doc: Update configuration notes for working with IMDSv2 metadata server (#2243, @alexku7)
Enable Helm chart to reuse existing TLS secrets, use v3 charts (#2264, @oliviassss)
Bump pdb apiVersion to v1 (#2192, @Evalle)
Add parameter to create IngressClass Resource (#2248,@lazouz)
Add code for acquiring AWS region from env (#2217, @Shreya027)
Support optimized security group rules for ALB (#2205, @kishorj)
cert-manager apiversion to v1 (#2189, @cw-sakamoto)
Fix documentation edit link to correct repo (#2267, @Yasumoto)
doc: Fix typo in aws-load-balancer-controller README (#2268, @bhops)
Clarify helm installation when using IAM roles or not (#2265, @Yasumoto)
Fix typo in service annotations guide (#2262, @jeremydonahue)
Add port range restriction for SG (#2236, @oliviassss)
Add custom AWS endpoints configuration (#2179, @papigers)
Create optional serviceAnnotations value in helm chart (#2171, @jwenz723)
Add "--region" parameter of eksctl CLI (#2227, @davidshtian)
EndpointSlice support for IP target groups (#2169, @harivall)
Fix typo in README.md (#2223, @PascalBourdier)
Support specifying TLS certs/key for webhook in helm chart (#2198, @agaffney)
Set maximum length for custom load-balancer-name (#2195, @bnutt)
add load balancer attributes support for IngressClassParams (#2190, @oliviassss)
use minimal base docker image (#2196, @M00nF1sh)
update docs for deletion_protection (#2181, @oliviassss)
update docs about multiple controller deployment (#2186, @M00nF1sh)
Force delete lb when deletion_protection is disabled (#2172, @oliviassss)
Add code for filtering target group & load balancers by VPC ID (#2157, @Shreya027)
Fix the regression of IP mode support for fargate pods (#2158, @M00nF1sh)
Improve contributing documentation (#2155, @akuzni2)
Discovery subnets by available ip addresses (#2146, @oliviassss)
Fix typo (#2153, @joedborg)
alpn-policy: Don't require TLS target groups (#2147, @iAnomaly)
add support for pods supported by IPv4Prefix on ENI (#2137, @M00nF1sh)
Update repo name to load-balancer (#2140, @tyron)
Add deployment update strategy to aws-load-balancer-controller (#2130, @kirrmann)
Restrict subnet auto-discovery to new LB creation on service side (#2129, @oliviassss)
Clean up extra spaces (#2121,@jayonlau)
Clean up extra spaces (#2120,@jayonlau)
Restrict subnet auto-discovery to new LB creation only (#2125, @oliviassss)
Docs: Document Reconciliation Behaviour When Deletion Protection is Enabled. (#2119, @korenyoni)
Add support for AWS SDK override (#2114, @M00nF1sh)
Update NLB docs (#2111, @kishorj)
upgrade dependencies including controller-runtime & k8s (#2104, @M00nF1sh)
add NLB deletion protection annotation (#2057, @JacekDuszenko)

ECR images

013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
558608220178.dkr.ecr.me-south-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
590381155156.dkr.ecr.eu-south-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
602401143452.dkr.ecr.ap-northeast-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
602401143452.dkr.ecr.ap-northeast-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
602401143452.dkr.ecr.ap-northeast-3.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
602401143452.dkr.ecr.ap-south-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
602401143452.dkr.ecr.ap-southeast-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
602401143452.dkr.ecr.ap-southeast-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
602401143452.dkr.ecr.ca-central-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
602401143452.dkr.ecr.eu-central-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
602401143452.dkr.ecr.eu-north-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
602401143452.dkr.ecr.eu-west-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
602401143452.dkr.ecr.eu-west-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
602401143452.dkr.ecr.eu-west-3.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
602401143452.dkr.ecr.sa-east-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
602401143452.dkr.ecr.us-east-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
602401143452.dkr.ecr.us-east-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
602401143452.dkr.ecr.us-west-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
800184023465.dkr.ecr.ap-east-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
877085696533.dkr.ecr.af-south-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
918309763551.dkr.ecr.cn-north-1.amazonaws.com.cn/amazon/aws-load-balancer-controller:v2.3.0
961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon/aws-load-balancer-controller:v2.3.0