v2.3.0 (requires Kubernetes 1.16+)
Documentation
Image: docker.io/amazon/aws-alb-ingress-controller:v2.3.0
Thanks to all our contributors! 😊
Action Required
- New IAM Permissions needed for IPv6 clusters: sample policy, sample policy for cn, sample policy for gov-cloud
- New RBAC permissions needed (included in latest yaml/helm chart)
- CRD/Webhook updates needed (included in latest yaml/helm chart)
- Included yaml manifests use cert-manager apiversion v1. You need to update cert-manager to v1.5.3 or later if you install via yaml manifests or enable cert-manager for helm chart
Additional Note
This release introduces optimized security group rules for ALB. The controller uses a shared security group across multiple ALBs in the cluster to allow access to your application pods. As a result, your existing ALBs get updated on controller upgrade. There is a possible time window during reconfiguration where your client traffic might get impacted. We recommend upgrading the controller during a maintenance window.
If you would rather the controller not create an additional security group, you can either specify a backend security group via the --backend-security-group controller flag, or revert to the previous behavior by setting the controller flag --enable-backend-security-group to false. If you install the helm chart, you can set the desired configuration via the enableBackendSecurityGroup and backendSecurityGroup values.
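The two alternatives above, written out for both install paths. This is an added example, not taken from the project's chart or manifests; the security group ID is a placeholder, and only one option should be active at a time.

```yaml
# --- Helm chart install: values file ---------------------------------------
# Option A: keep the shared backend security group model, but supply your own
# group so the controller does not create one.
# sg-0123456789abcdef0 is a placeholder, not a real security group.
backendSecurityGroup: sg-0123456789abcdef0

# Option B: revert to the pre-v2.3.0 behavior (no shared backend group).
# Uncomment this and remove Option A to use it.
# enableBackendSecurityGroup: false

---
# --- yaml manifest install: fragment of the controller container spec ------
# Only the flags named in these release notes are shown; keep the arguments
# your existing Deployment already passes.
args:
  # Option A: use a backend security group you manage (placeholder ID).
  - --backend-security-group=sg-0123456789abcdef0
  # Option B: revert to the previous behavior instead of Option A.
  # - --enable-backend-security-group=false
```

Whichever option you choose, decide before the upgrade: existing ALBs are reconfigured when the new controller starts.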
What's new
- Improved security groups handling
- ALB IPv6 target groups
- Helm v3 chart
- Support for Endpointslices
- Upgrade controller runtime, k8s dependencies
- Use admission/v1
- Update to use golang v1.16.3
Enhancements
- IngressClassParams support for load balancer attributes
- Specify NLB attributes via annotation, support for NLB deletion protection
- Restrict subnet auto-discovery to new LB creation for ALB/NLB
- Discover subnets based on available IP addresses
- Filter target group and load balancers by VPC ID
- Handling of deletion protection configured via annotation
- Custom AWS endpoints configuration
- Port range restriction for SG rules
- Discover AWS region from environment configuration
- Documentation changes
Helm chart
- Helm v3 chart
- Use pdb/v1 if available
- Reuse existing TLS secrets
- cert-manager apiversion v1
- optional serviceAnnotations
- specifying TLS certs/key for webhook
Changelog since v2.2.4
- Add support for ALB IPv6 target groups (#2284, @kishorj)
- add utilities to help write e2e tests and a few basic e2e tests cases (#2294, @M00nF1sh)
- provide scoped down IAM permissions example (#2283, @kishorj)
- Refactor custom AWS endpoint resolver (#2270, @kishorj)
- fix sdk override script for linux platform (#2280, @kishorj)
- update ssl redirect documentation (#2274, @kishorj)
- Reject custom load balancer name longer than 32 characters (#2295, @kishorj)
- modify .Capabilities.APIVersions.Has for pdb (#2293, @cw-sakamoto)
- fix typo in service annotations (#2290, @neha-viswanathan)
- Update documentation site to show grpc example tutorial (#2277, @brianannis)
- doc: Update configuration notes for working with IMDSv2 metadata server (#2243, @alexku7)
- Enable Helm chart to reuse existing TLS secrets, use v3 charts (#2264, @oliviassss)
- Bump pdb apiVersion to v1 (#2192, @Evalle)
- Add parameter to create IngressClass Resource (#2248, @lazouz)
- Add code for acquiring AWS region from env (#2217, @Shreya027)
- Support optimized security group rules for ALB (#2205, @kishorj)
- cert-manager apiversion to v1 (#2189, @cw-sakamoto)
- Fix documentation edit link to correct repo (#2267, @Yasumoto)
- doc: Fix typo in aws-load-balancer-controller README (#2268, @bhops)
- Clarify helm installation when using IAM roles or not (#2265, @Yasumoto)
- Fix typo in service annotations guide (#2262, @jeremydonahue)
- Add port range restriction for SG (#2236, @oliviassss)
- Add custom AWS endpoints configuration (#2179, @papigers)
- Create optional serviceAnnotations value in helm chart (#2171, @jwenz723)
- Add "--region" parameter of eksctl CLI (#2227, @davidshtian)
- EndpointSlice support for IP target groups (#2169, @harivall)
- Fix typo in README.md (#2223, @PascalBourdier)
- Support specifying TLS certs/key for webhook in helm chart (#2198, @agaffney)
- Set maximum length for custom load-balancer-name (#2195, @bnutt)
- add load balancer attributes support for IngressClassParams (#2190, @oliviassss)
- use minimal base docker image (#2196, @M00nF1sh)
- update docs for deletion_protection (#2181, @oliviassss)
- update docs about multiple controller deployment (#2186, @M00nF1sh)
- Force delete lb when deletion_protection is disabled (#2172, @oliviassss)
- Add code for filtering target group & load balancers by VPC ID (#2157, @Shreya027)
- Fix the regression of IP mode support for fargate pods (#2158, @M00nF1sh)
- Improve contributing documentation (#2155, @akuzni2)
- Discovery subnets by available ip addresses (#2146, @oliviassss)
- Fix typo (#2153, @joedborg)
- alpn-policy: Don't require TLS target groups (#2147, @iAnomaly)
- add support for pods supported by IPv4Prefix on ENI (#2137, @M00nF1sh)
- Update repo name to load-balancer (#2140, @tyron)
- Add deployment update strategy to aws-load-balancer-controller (#2130, @kirrmann)
- Restrict subnet auto-discovery to new LB creation on service side (#2129, @oliviassss)
- Clean up extra spaces (#2121, @jayonlau)
- Clean up extra spaces (#2120, @jayonlau)
- Restrict subnet auto-discovery to new LB creation only (#2125, @oliviassss)
- Docs: Document Reconciliation Behaviour When Deletion Protection is Enabled. (#2119, @korenyoni)
- Add support for AWS SDK override (#2114, @M00nF1sh)
- Update NLB docs (#2111, @kishorj)
- upgrade dependencies including controller-runtime & k8s (#2104, @M00nF1sh)
- add NLB deletion protection annotation (#2057, @JacekDuszenko)
ECR images
- 013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 558608220178.dkr.ecr.me-south-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 590381155156.dkr.ecr.eu-south-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 602401143452.dkr.ecr.ap-northeast-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 602401143452.dkr.ecr.ap-northeast-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 602401143452.dkr.ecr.ap-northeast-3.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 602401143452.dkr.ecr.ap-south-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 602401143452.dkr.ecr.ap-southeast-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 602401143452.dkr.ecr.ap-southeast-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 602401143452.dkr.ecr.ca-central-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 602401143452.dkr.ecr.eu-central-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 602401143452.dkr.ecr.eu-north-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 602401143452.dkr.ecr.eu-west-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 602401143452.dkr.ecr.eu-west-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 602401143452.dkr.ecr.eu-west-3.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 602401143452.dkr.ecr.sa-east-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 602401143452.dkr.ecr.us-east-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 602401143452.dkr.ecr.us-east-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 602401143452.dkr.ecr.us-west-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 800184023465.dkr.ecr.ap-east-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 877085696533.dkr.ecr.af-south-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.3.0
- 918309763551.dkr.ecr.cn-north-1.amazonaws.com.cn/amazon/aws-load-balancer-controller:v2.3.0
- 961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon/aws-load-balancer-controller:v2.3.0