aws-load-balancer-controller: v2.8.0 #1105

Merged

Collaborator

@wweiwei-li wweiwei-li commented May 17, 2024

v2.8.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.8.0
Thanks to all our contributors! 😊

Action required

We have added the certificateArn field and updated the ipAddressType field in IngressClassParams, and added the vpcID field in TargetGroupBinding. If you are upgrading the charts using helm upgrade, you need to update the CRDs manually: kubectl apply -k https://github.com/aws/eks-charts/blob/master/stable/aws-load-balancer-controller/crds/crds.yaml

ALB mTLS is now available in the China partition. We've updated the reference IAM policies to explicitly add the elasticloadbalancing:DescribeTrustStores permission for describing the trust store resources to use the new mTLS feature for ingresses on the controller. If you want to use the ALB mTLS feature in the China region, update your controller IAM policies with the new permissions.

What's new

  • Support setting the certificateArn for Ingress at the IngressClass level. This feature adds a new certificateArn field to the IngressClassParams Spec to configure the ARN of the certificates for all Ingresses that belong to an IngressClass with this IngressClassParams.
  • Support public IPv4 disablement for dualstack customers. This feature adds a new ipAddressType enum value, dualstack-without-public-ipv4, to allow customers to provision load balancers without IPv4s for clients that can connect using just IPv6s. For example, users can choose a dualstack ALB without public IPv4 when setting up a new internet facing ALB, or switch to dualstack without public IPv4 for an existing internet facing ALB by specifying alb.ingress.kubernetes.io/ip-address-type: dualstack-without-public-ipv4. To set the ipAddressType for ingress at the IngressClass level, add ipAddressType: dualstack-without-public-ipv4 to the IngressClassParams Spec. See AWS Launch What's New Post about this feature.
  • Support optionally enforcing NLB security groups on PrivateLink traffic. This feature adds new annotation aws-load-balancer-inbound-sg-rules-on-private-link-traffic to configure whether to apply security group rules to traffic sent to the load balancer through AWS PrivateLink.
  • Support for TargetGroupBinding on targets outside the cluster's VPC. This feature adds vpcID to the TargetGroupBinding Spec to allow registration in target groups that are created within a VPC that is different from the cluster VPC. If the vpcID is unspecified, the controller will fetch the cluster vpcID by default.
  • Support for specifying a Managed Prefix List for access control. This feature adds the new annotations alb.ingress.kubernetes.io/security-group-prefix-lists and service.beta.kubernetes.io/aws-load-balancer-security-group-prefix-lists to ensure the security group attached to the load balancer can allow access from the specified Managed Prefix List. The annotation will be ignored if alb.ingress.kubernetes.io/security-groups or service.beta.kubernetes.io/aws-load-balancer-security-groups is present.

Enhancement and Fixes

  • (Chart): Add additional service monitor functionality
  • (Chart): Allow passing template values for clusterName, region and vpcId
  • (Chart): Add RuntimeClassName
  • (Chart): Support --load-balancer-class in Helm Chart
  • Provide more customization options for the service mutator webhook
  • Preserve loadBalancerClass on Service updates

Changelog since v2.7.2
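
Added example, not part of this pull request or the project's code: the release notes say the prefix-list annotation is ignored when the matching security-groups annotation is present, so a manifest carrying both silently loses its prefix-list access control. This check reports such objects from `kubectl get ingress,svc -A -o json` style output; the function names and the sample objects are constructed for illustration.

```python
import json

# Annotation pairs named in the release notes above. Per kind: the prefix-list
# annotation, then the security-groups annotation whose presence makes the
# controller ignore it.
OVERRIDES = {
    "Ingress": ("alb.ingress.kubernetes.io/security-group-prefix-lists",
                "alb.ingress.kubernetes.io/security-groups"),
    "Service": ("service.beta.kubernetes.io/aws-load-balancer-security-group-prefix-lists",
                "service.beta.kubernetes.io/aws-load-balancer-security-groups"),
}


def load_objects(text):
    """Accept one object or a `kind: List` document (kubectl get ... -o json)."""
    doc = json.loads(text)
    return doc.get("items", []) if doc.get("kind") == "List" else [doc]


def ignored_prefix_lists(objects):
    """Return (kind, namespace, name, prefix_lists) where the prefix list is ignored."""
    findings = []
    for obj in objects:
        pair = OVERRIDES.get(obj.get("kind"))
        if pair is None:
            continue  # only Ingress and Service carry these annotations
        meta = obj.get("metadata") or {}
        annotations = meta.get("annotations") or {}
        prefix_key, sg_key = pair
        if prefix_key in annotations and sg_key in annotations:
            findings.append((obj["kind"], meta.get("namespace", "default"),
                             meta.get("name", ""), annotations[prefix_key]))
    return findings


# Constructed sample input: names and IDs are placeholders, not real resources.
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Ingress", "metadata": {"name": "web", "namespace": "shop", "annotations": {
        OVERRIDES["Ingress"][0]: "pl-00000000",
        OVERRIDES["Ingress"][1]: "sg-00000000"}}},
    {"kind": "Ingress", "metadata": {"name": "api", "namespace": "shop", "annotations": {
        OVERRIDES["Ingress"][0]: "pl-11111111"}}},
    {"kind": "Service", "metadata": {"name": "nlb", "annotations": {
        OVERRIDES["Service"][0]: "pl-22222222",
        OVERRIDES["Service"][1]: "sg-22222222"}}},
    {"kind": "Service", "metadata": {"name": "plain"}},
]})

if __name__ == "__main__":
    for kind, ns, name, lists in ignored_prefix_lists(load_objects(SAMPLE)):
        print(f"{kind} {ns}/{name}: prefix lists {lists} ignored (security groups set)")
```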

@wweiwei-li wweiwei-li requested a review from M00nF1sh as a code owner May 17, 2024 19:43
@wweiwei-li
Collaborator Author

/assign @M00nF1sh

Contributor

@M00nF1sh M00nF1sh left a comment

/lgtm
/approve

@M00nF1sh M00nF1sh merged commit e55a24a into aws:master May 17, 2024
1 check passed