v2.7.0
v2.7.0 (requires Kubernetes 1.22+)
Documentation
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.7.0
Thanks to all our contributors! 😊
Action required
We've updated the reference IAM policies to explicitly add the elasticloadbalancing:DescribeTrustStores permission, which the controller needs to describe trust store resources when configuring the new mTLS feature for Ingresses on the load balancer and listener resources it manages. We recommend updating the controller IAM policies of your existing installations with the new permission as well.
What's new
- Introducing support for mTLS (Mutual Transport Layer Security) on Ingress through the AWS LB Controller. It delivers mTLS by integrating trust stores into listener management. Customers can set the desired mTLS mode and provide the Name/ARN of an existing trust store (created through the CLI/Console) through new Ingress annotations. To use this feature, you need to update the IAM policy to add the elasticloadbalancing:DescribeTrustStores permission.
- Add a controller flag --service-target-eni-security-group-tags to allow users to specify additional tags that the controller should use when looking for the security group to which it adds ingress rules for NLB targets.
- Add a default readiness probe for the controller. Please note that installing older image tags against the latest Helm chart version (1.7.0 or later) will fail because of this new readiness probe.
Enhancements and Fixes
- Support for EKS pod identities
- Helm chart enhancements: add webhook readiness check; add revisionHistoryLimit
- Helm chart field to enable HPA. The main purpose of enabling HPA is to survive load-induced failures caused by calls to the aws-load-balancer-webhook-service
- Documentation enhancements
Changelog since v2.6.2
- Adding the support for Unhealthy.draining state (#3548, @shraddhabang)
- Doc updates for mTLS feature and minor documentation bugs (#3547, @shraddhabang)
- fix: Add revisionHistoryLimit override (#3486, @bodgit)
- Improvement for the error log while Subnet Discovery failed (#3545, @guessi)
- Implement mutual TLS authentication support for Ingress (#3532, @shraddhabang)
- Add Blue/Green use case to the side menu (#3520, @henriquesantanati)
- chore: add webhook readiness check (#3375, @davidkl97)
- add oliviassss as approver (#3534, @oliviassss)
- improve the enable primary ipv6 address and TEST_ID in prow script (#3524, @oliviassss)
- update prow script to enable primary ipv6 address (#3510, @oliviassss)
- Disable WAF to run tests against YYC. (#3515, @orsenthil)
- bump aws-sdk-go to v1.47.13 (#3489, @oliviassss)
- Add johngmyers as approver (#3356, @johngmyers)
- Improve documentations for tolerate-non-existent-backend-{service,action} (#3442, @guessi)
- Drop the Security disclosures that point to AWS security (#3467, @dims)
- Doc: remove unnecessary uppercase letters (#3472, @Nezz7)
- Add dims to SECURITY_CONTACTS (#3483, @dims)
- Set the flag to fail if the test fails or times out (#3481, @jaydeokar)
- doc update for automated target weights (#3496, @oliviassss)
- update go from 1.21.3 to 1.21.4 (#3484, @oliviassss)
- enable ingress instance e2e test for ipv6 (#3416, @oliviassss)
- update prow script (#3406, @oliviassss)
- update file paths in prow script for adc regions (#3398, @oliviassss)
- remove unnecessary cleanup in prow script (#3387, @oliviassss)
- update prow script to install lbc via manifest for ADC (#3355, @oliviassss)
- Add deprecated apiGroups detection on workflow. (#3351, @jerryhe1999)
- Add doc updates (#3347, @oliviassss)
- Enables providing multiple tags for worker node security group discovery (#3147, @carflo)