v3.3.0 Release Notes

📚 Quick Links

v3.3.0 (requires Kubernetes 1.22+)

Image: public.ecr.aws/eks/aws-load-balancer-controller:v3.3.0

Documentation

Thanks to all our contributors!💜💜💜

⚠️ Action Required

CRD Updates

Action: Please apply the latest CRD definitions

• kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

IAM Policy Updates

If you enable the EnableCertificateManagement feature gate, attach the additional IAM policy for ACM and Route53 permissions to your controller's IAM role. See the documentation for details.

Gateway API updates

• Installation of LBC Gateway API specific CRDs: kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/heads/main/config/crd/gateway/gateway-crds.yaml
• If using only ALB Gateway
  • Standard Gateway API CRDs: kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.0/standard-install.yaml
• If using NLB Gateway
  • Experimental Gateway API CRDs: kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/experimental-install.yaml [Required: Used for L4 Routes]

🚀 What's New

Ingress Features

• ACM Certificate Management (Feature Gate: EnableCertificateManagement): The controller can now automatically create and manage TLS certificates in ACM using hostnames from Ingress resources. It supports both Amazon-issued certificates with DNS validation via Route53 and private certificates via AWS Private CA. Enable with --feature-gates=EnableCertificateManagement=true and the create-acm-cert: "true" annotation. See the Certificate Management documentation for setup, IAM policy requirements, and ingress group behavior.

🔧 Enhancements and Fixes

• [Bug fix] Fix ENI resolution when pod has an IPv6 address (#4706)
• [Bug fix] Fix frontend NLB listener and target group tagging (#4700)
• [Bug fix] Add externalId into cache key for cross-account TGB (#4714)
• [Bug fix] ACM cert management bug fixes and doc improvements
• [Enhancement] Gateway API auto-detection improvements and LBC-specific CRD handling in Helm

Documentation Updates

• ACM Certificate Management guide with ingress group behavior, security considerations, and IAM policy scoping
• Updated the gateway api installation docs to include the AWS vended CRD as pre-requisites

What's Changed

• fix: tag frontend NLB target groups and listeners by @hakman in #4700
• Retry gateway nlb with tls listener send https request test by @bobert-2 in #4701
• Retry gateway nlb with tls listener and instance target test by @bobert-2 in #4703
• randomize gatewayclass in e2e test by @zac-nixon in #4704
• [feat i2g]support group ingress translate by @shuqz in #4692
• [feat i2g] add documentation for tgb by @shuqz in #4705
• feat(acm): add ACM certificate management feature by @the-technat in #4554
• [feat i2g]support dry-run mode for gateway api controller by @shuqz in #4709
• fix eni resolution when pod has an ipv6 address by @zac-nixon in #4706
• Automate helm ClusterRole RBAC sync from kubebuilder by @shraddhabang in #4686
• Increase timeout for gateway nlb tls listener tests by @bobert-2 in #4713
• add externalId into cache key by @shuqz in #4714
• enhance gateway auto detection logic for CRD by @shuqz in #4721
• [feat acm-certs-mgmt] bug fixes and doc improvements by @shraddhabang in #4711
• cut v3.3.0 release by @shraddhabang in #4723

New Contributors

• @hakman made their first contribution in #4700

Full Changelog: v3.2.2...v3.3.0