v2.8.0 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.8.0
Thanks to all our contributors! 😊
Action required
We have added certificateArn and updated ipAddressType fields in IngressClassParams, and added vpcID field in TargetGroupBinding. If you are upgrading the charts using helm upgrade, you need to update CRDs manually kubectl apply -k https://github.com/aws/eks-charts/blob/master/stable/aws-load-balancer-controller/crds/crds.yaml
ALB mTLS is now available in the China partition. We've updated the reference IAM policies to explicitly add the elasticloadbalancing:DescribeTrustStores permission for describing the trust stores resources to use the new mTLS feature for ingresses on controller. If you want to use the ALB mTLS feature in China region, updating your controller IAM policies with the new permissions.
Whats new
- Support set the
certificateArnfor Ingress at the IngressClass level. This feature adds newcertificateArnto the IngressClassParams Spec to configure the ARN of the certificates for all Ingresses that belong to IngressClass with this IngressClassParams. - Support public IPv4 disablement for dualstack customer. This feature adds new ipAddressType enum
dualstack-without-public-ipv4to allow customers to provision load balancers without IPv4s for clients that can connect using just IPv6s. For example, users can choose a dualstack ALB without public IPv4 when setting up a new internet facing ALB, or switch to dualstack without public IPv4 for an existing internet facing ALB by specifyingalb.ingress.kubernetes.io/ip-address-type: dualstack-without-public-ipv4. To set theipAddressTypefor ingress at the IngressClass level, addipAddressType: dualstack-without-public-ipv4to the IngressClassParams Spec. See AWS Launch What’s New Post about this feature. - Support optionally enforcing NLB security groups on PrivateLink traffic. This feature adds new annotation
aws-load-balancer-inbound-sg-rules-on-private-link-trafficto configure whether to apply security group rules to traffic sent to the load balancer through AWS PrivateLink. - Support for TargetGroupBinding on targets outside the cluster's VPC. This feature adds
vpcIDto the TargetGroupBinding Spec to allow registration in target groups that are created with in a VPC that is different from the cluster VPC. If thevpcIDis unspecified, the controller will fetch the clustervpcIDby default. - Support for Specify Managed Prefix List for access control. This feature adds new annotation
alb.ingress.kubernetes.io/security-group-prefix-listsandservice.beta.kubernetes.io/aws-load-balancer-security-group-prefix-liststo ensure the security group attached to the load balancer can allow access from the specified Managed Prefix List. The annotation will be ignored ifalb.ingress.kubernetes.io/security-groupsorservice.beta.kubernetes.io/aws-load-balancer-security-groupsis present.
Enhancement and Fixes
- (Chart): Add additional service monitor functionality
- (Chart): Allow passing template values for clusterName, region and vpcId
- (Chart): Add RuntimeClassName
- (Chart) Support —load-balancer-class in Helm Chart
- Provide more customization options for the service mutator webhook
- Preserve loadBalancerClass on Service updates
Changelog since v2.7.2
- Restrict dual-stack-without-ipv4 e2e test to pdx only (#3700, @oliviassss)
- Add IPAddressTypeWithoutPublicIPV4 (#3693, @wweiwei-li)
- Add dual stack without public IPv4 IP Address type (#3688, @wweiwei-li)
- Add non-alphanumeric input validation test for vpcID and fix typo (#3687, @shraddhabang)
- [DOC] add KAT documentation (#3682, @ChuksGrinage)
- feat(chart): Added additional service monitor functionality (#3645, @stevehipwell)
- [helm chart] Allow passing template values for clusterName, region and vpcId (#3664, @adriananeci)
- Add validation for vpcID in tgb spec (#3663, @shraddhabang)
- feat(chart) : add RuntimeClassName (#3646, @LiuQhahah)
- upgrade x/net to v0.23.0 (#3659, @oliviassss)
- feat: Specify Managed Prefix List for access control (#3584, @yo-ga)
- Provide more customization options for the service mutator webhook (#3653, @diversario)
- Add DescribeTrustStores to IAM policy for China partition (#3662, @andreybutenko)
- Feature Support —load-balancer-class in Helm Chart (#3647, @YoonHyunWoo)
- Preserve loadBalancerClass on Service updates (#3641, @diversario)
- Add support for optionally enforcing NLB security groups on PrivateLi… (#3594, @wweiwei-li)
- Add certificateArn field to IngressClassParam(#3616, @Nezz7)
- feat: Support TargetGroupBinding on targets outside the cluster's VPC (#3479, @ikosenn)
- docs: ingress subnets annotation - clarify locale differences (#3579, @alebedev87)