github kubernetes-sigs/aws-load-balancer-controller v3.4.0
on GitHub

4 hours ago

📚 Quick Links

v3.4.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v3.4.0
Thanks to all our contributors! 😊

🎉 Ingress to Gateway Migration Tool

We are excited to introduce the Ingress to Gateway Migration Tool, the biggest addition in this release! This tooling helps you migrate AWS Load Balancer Controller (LBC) Ingress resources to Gateway API resources, step by step. The migration is designed to be safe and non-disruptive — new ALBs are created alongside your existing ones, so current workloads keep running throughout the entire process.

Two tools are provided to help you migrate with confidence:s

  • lbc-migrate CLI: Translates your Ingress manifests (annotations, rules, and IngressGroups) into equivalent Gateway API YAML. Supports cluster scraping (--from-cluster), file input (-f), directory input (--input-dir), single-Ingress and multi-namespace scoping, and per-namespace output splitting.
  • Migration Console: A local, in-cluster web UI that compares the AWS resource stack produced by both the Ingress and Gateway controllers, field by field. This lets you verify equivalence before applying your Gateway manifests for real.

To get started, see the Migration Guide for the end-to-end walkthrough.

We encourage you to try it out and welcome any feedback via GitHub Issues.

⚠️ Gateway API Behavior Change

Only one L4 route per listener is eligible for traffic when using an NLB Gateway

  • Change: When multiple L4 (TCP/UDP/TLS) routes target the same listener, the controller only forwards traffic to the oldest route. (#4745).
  • Impact: If you currently attach more than one TCP/UDP/TLS route to the same listener, only the oldest route will continue serving traffic after upgrading. Review your L4 route configurations and consolidate to a single route per listener to avoid unexpected traffic changes.

🔧 Enhancements and Fixes

  • Regex path reconcile loop: Ignore the top-level RegexValues field that AWS mirrors in DescribeRules responses, preventing an unnecessary ModifyRule on every reconcile (#4749)
  • Service reconciler nil check: Return early in the service reconciler when the load balancer is nil (#4751)
  • TGC health check for ALB target groups: Fixed an error when updating health check settings in TargetGroupConfiguration for Gateway API ALB target groups (#4741)
  • NLB weighted target groups: Allow weight 0 for NLB weighted target groups, with a guard requiring at least one non-zero weight (#4738)
  • Capacity units validation: Validate CapacityUnits on capacity reservation annotations instead of silently dropping parse errors (which reset the reservation to 0) (#4750)
  • Checkpoint early-exit race: Ensure pods with pending readiness gates are always reconciled, fixing a checkpoint early-exit race with same-IP re-registration (#4737)
  • Retryable error wrapping: Wrap the last retryable error with a timeout error for clearer failure reporting (#4761)
  • Readiness gate efficiency: The TargetGroupBinding controller now watches pod events instead of requeueing on a fixed timer when using readiness gates, responding faster while avoiding unnecessary requeues (#4678)
  • Unit-test workflow permissions: Declare contents: read on the unit-test workflow to pin the default GITHUB_TOKEN to read-only (#4736)
  • Webhooks upgraded to v1: Admission webhooks were upgraded from v1beta1 to v1. Applied automatically on upgrade — no action needed (#4743)
  • Listener rule tag reconcile: Reconcile listener rule tags for all matched rules (#4772)

🌟 Complete Change Log

  • [feat i2g]support split by namespace output by @shuqz in #4733
  • [feat i2g] Fix user tag propagation to ListenerRuleConfigurations in lbc-migrate by @shuqz in #4735
  • [feat i2g] Add IngressPlanAnnotation feature gate for dry-run plan by @shuqz in #4734
  • fix checkpoint early-exit by @wweiwei-li in #4737
  • [fix]allow weight zero in NLB target group by @shuqz in #4738
  • Watch pod events for updating TargetGroupBindings with ReadinessGates by @cezarsa in #4678
  • [feat i2g] multi-ingress TGC with RouteConfigurations by @shuqz in #4742
  • upgrade webhooks to v1 by @zac-nixon in #4743
  • Fix error when updating health check settings in TGC for Gateway API ALB target groups by @shraddhabang in #4741
  • reject multiple l4 routes for same listener by @zac-nixon in #4745
  • fix: return early in service reconciler when lb is nil by @wweiwei-li in #4751
  • Validate load balancer capacity units annotations by @immanuwell in #4750
  • [feat i2g] bug fix by @shuqz in #4746
  • [feat i2g]setup e2e test for migration tool by @shuqz in #4739
  • ci(test): declare contents: read on the unit-test workflow by @arpitjain099 in #4736
  • [feat i2g]add in-cluster console for model comparison by @shuqz in #4728
  • fix: ignore top-level RegexValues mirrored by AWS in DescribeRules response by @pataraktw in #4749
  • [feat i2g] add e2e tests for ingress2gateway migration tool by @shuqz in #4771
  • [feat i2g] docs: migration guide, lbc-migrate reference, and in-cluster console by @shuqz in #4759
  • Add multiple ingress test that sorts rules based on priority by @jupdec in #4756
  • Reconcile listener rule tags for all matched rules by @andreybutenko in #4772
  • cut v3.4.0 release by @shuqz in #4776

New Contributors

Full Changelog: v3.3.0...v3.4.0

Check out latest releases or
releases around kubernetes-sigs/aws-load-balancer-controller v3.4.0

Don't miss a new aws-load-balancer-controller release

NewReleases is sending notifications on new releases.

Get notifications