v3.4.0

📚 Quick Links

v3.4.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v3.4.0
Thanks to all our contributors! 😊

🎉 Ingress to Gateway Migration Tool

We are excited to introduce the Ingress to Gateway Migration Tool, the biggest addition in this release! This tooling helps you migrate AWS Load Balancer Controller (LBC) Ingress resources to Gateway API resources, step by step. The migration is designed to be safe and non-disruptive — new ALBs are created alongside your existing ones, so current workloads keep running throughout the entire process.

Two tools are provided to help you migrate with confidence:s

• lbc-migrate CLI: Translates your Ingress manifests (annotations, rules, and IngressGroups) into equivalent Gateway API YAML. Supports cluster scraping (--from-cluster), file input (-f), directory input (--input-dir), single-Ingress and multi-namespace scoping, and per-namespace output splitting.
• Migration Console: A local, in-cluster web UI that compares the AWS resource stack produced by both the Ingress and Gateway controllers, field by field. This lets you verify equivalence before applying your Gateway manifests for real.

To get started, see the Migration Guide for the end-to-end walkthrough.

We encourage you to try it out and welcome any feedback via GitHub Issues.

⚠️ Gateway API Behavior Change

Only one L4 route per listener is eligible for traffic when using an NLB Gateway

• Change: When multiple L4 (TCP/UDP/TLS) routes target the same listener, the controller only forwards traffic to the oldest route. (#4745).
• Impact: If you currently attach more than one TCP/UDP/TLS route to the same listener, only the oldest route will continue serving traffic after upgrading. Review your L4 route configurations and consolidate to a single route per listener to avoid unexpected traffic changes.

🔧 Enhancements and Fixes

• Regex path reconcile loop: Ignore the top-level RegexValues field that AWS mirrors in DescribeRules responses, preventing an unnecessary ModifyRule on every reconcile (#4749)
• Service reconciler nil check: Return early in the service reconciler when the load balancer is nil (#4751)
• TGC health check for ALB target groups: Fixed an error when updating health check settings in TargetGroupConfiguration for Gateway API ALB target groups (#4741)
• NLB weighted target groups: Allow weight 0 for NLB weighted target groups, with a guard requiring at least one non-zero weight (#4738)
• Capacity units validation: Validate CapacityUnits on capacity reservation annotations instead of silently dropping parse errors (which reset the reservation to 0) (#4750)
• Checkpoint early-exit race: Ensure pods with pending readiness gates are always reconciled, fixing a checkpoint early-exit race with same-IP re-registration (#4737)
• Retryable error wrapping: Wrap the last retryable error with a timeout error for clearer failure reporting (#4761)
• Readiness gate efficiency: The TargetGroupBinding controller now watches pod events instead of requeueing on a fixed timer when using readiness gates, responding faster while avoiding unnecessary requeues (#4678)
• Unit-test workflow permissions: Declare contents: read on the unit-test workflow to pin the default GITHUB_TOKEN to read-only (#4736)
• Webhooks upgraded to v1: Admission webhooks were upgraded from v1beta1 to v1. Applied automatically on upgrade — no action needed (#4743)
• Listener rule tag reconcile: Reconcile listener rule tags for all matched rules (#4772)

🌟 Complete Change Log

• [feat i2g]support split by namespace output by @shuqz in #4733
• [feat i2g] Fix user tag propagation to ListenerRuleConfigurations in lbc-migrate by @shuqz in #4735
• [feat i2g] Add IngressPlanAnnotation feature gate for dry-run plan by @shuqz in #4734
• fix checkpoint early-exit by @wweiwei-li in #4737
• [fix]allow weight zero in NLB target group by @shuqz in #4738
• Watch pod events for updating TargetGroupBindings with ReadinessGates by @cezarsa in #4678
• [feat i2g] multi-ingress TGC with RouteConfigurations by @shuqz in #4742
• upgrade webhooks to v1 by @zac-nixon in #4743
• Fix error when updating health check settings in TGC for Gateway API ALB target groups by @shraddhabang in #4741
• reject multiple l4 routes for same listener by @zac-nixon in #4745
• fix: return early in service reconciler when lb is nil by @wweiwei-li in #4751
• Validate load balancer capacity units annotations by @immanuwell in #4750
• [feat i2g] bug fix by @shuqz in #4746
• [feat i2g]setup e2e test for migration tool by @shuqz in #4739
• ci(test): declare contents: read on the unit-test workflow by @arpitjain099 in #4736
• [feat i2g]add in-cluster console for model comparison by @shuqz in #4728
• fix: ignore top-level RegexValues mirrored by AWS in DescribeRules response by @pataraktw in #4749
• [feat i2g] add e2e tests for ingress2gateway migration tool by @shuqz in #4771
• [feat i2g] docs: migration guide, lbc-migrate reference, and in-cluster console by @shuqz in #4759
• Add multiple ingress test that sorts rules based on priority by @jupdec in #4756
• Reconcile listener rule tags for all matched rules by @andreybutenko in #4772
• cut v3.4.0 release by @shuqz in #4776

New Contributors

• @immanuwell made their first contribution in #4750
• @arpitjain099 made their first contribution in #4736
• @pataraktw made their first contribution in #4749

Full Changelog: v3.3.0...v3.4.0

v3.3.0

v3.3.0 Release Notes

📚 Quick Links

v3.3.0 (requires Kubernetes 1.22+)

Image: public.ecr.aws/eks/aws-load-balancer-controller:v3.3.0

Documentation

Thanks to all our contributors!💜💜💜

⚠️ Action Required

CRD Updates

Action: Please apply the latest CRD definitions

• kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

IAM Policy Updates

If you enable the EnableCertificateManagement feature gate, attach the additional IAM policy for ACM and Route53 permissions to your controller's IAM role. See the documentation for details.

Gateway API updates

• Installation of LBC Gateway API specific CRDs: kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/heads/main/config/crd/gateway/gateway-crds.yaml
• If using only ALB Gateway
  • Standard Gateway API CRDs: kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.0/standard-install.yaml
• If using NLB Gateway
  • Experimental Gateway API CRDs: kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/experimental-install.yaml [Required: Used for L4 Routes]

🚀 What's New

Ingress Features

• ACM Certificate Management (Feature Gate: EnableCertificateManagement): The controller can now automatically create and manage TLS certificates in ACM using hostnames from Ingress resources. It supports both Amazon-issued certificates with DNS validation via Route53 and private certificates via AWS Private CA. Enable with --feature-gates=EnableCertificateManagement=true and the create-acm-cert: "true" annotation. See the Certificate Management documentation for setup, IAM policy requirements, and ingress group behavior.

🔧 Enhancements and Fixes

• [Bug fix] Fix ENI resolution when pod has an IPv6 address (#4706)
• [Bug fix] Fix frontend NLB listener and target group tagging (#4700)
• [Bug fix] Add externalId into cache key for cross-account TGB (#4714)
• [Bug fix] ACM cert management bug fixes and doc improvements
• [Enhancement] Gateway API auto-detection improvements and LBC-specific CRD handling in Helm

Documentation Updates

• ACM Certificate Management guide with ingress group behavior, security considerations, and IAM policy scoping
• Updated the gateway api installation docs to include the AWS vended CRD as pre-requisites

What's Changed

• fix: tag frontend NLB target groups and listeners by @hakman in #4700
• Retry gateway nlb with tls listener send https request test by @bobert-2 in #4701
• Retry gateway nlb with tls listener and instance target test by @bobert-2 in #4703
• randomize gatewayclass in e2e test by @zac-nixon in #4704
• [feat i2g]support group ingress translate by @shuqz in #4692
• [feat i2g] add documentation for tgb by @shuqz in #4705
• feat(acm): add ACM certificate management feature by @the-technat in #4554
• [feat i2g]support dry-run mode for gateway api controller by @shuqz in #4709
• fix eni resolution when pod has an ipv6 address by @zac-nixon in #4706
• Automate helm ClusterRole RBAC sync from kubebuilder by @shraddhabang in #4686
• Increase timeout for gateway nlb tls listener tests by @bobert-2 in #4713
• add externalId into cache key by @shuqz in #4714
• enhance gateway auto detection logic for CRD by @shuqz in #4721
• [feat acm-certs-mgmt] bug fixes and doc improvements by @shraddhabang in #4711
• cut v3.3.0 release by @shraddhabang in #4723

New Contributors

• @hakman made their first contribution in #4700

Full Changelog: v3.2.2...v3.3.0

v3.2.2

v3.2.2 Release Notes

📚 Quick Links

v3.2.2 (requires Kubernetes 1.22+)

Image: public.ecr.aws/eks/aws-load-balancer-controller:v3.2.2

Documentation

Thanks to all our contributors!💜💜💜

⚠️ Action Required

CRD Updates

Action : Please apply the latest CRD definitions

• kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

What's Changed

• [feat i2g]support ssl-redirect translate by @shuqz in #4669
• Add dynamic annoucement banner for live docs by @shraddhabang in #4673
• fixed#4680 wrapping last retryable err with timeout err by @viveksb007 in #4681
• [feat i2g]support auth translate by @shuqz in #4679
• [feat i2g]support jwt-validation translate by @shuqz in #4683
• Fix HyperPod pod ENI resolution with VPC CNI prefix delegation by @guessi in #4667
• remove special isolated region check for listener attributes by @zac-nixon in #4690
• pin shas for github workflows by @zac-nixon in #4691
• Override user agent by @wweiwei-li in #4694
• ignore listenerset when CRD is missing by @zac-nixon in #4689
• release v3.2.2 by @zac-nixon in #4696

New Contributors

• @viveksb007 made their first contribution in #4681

Full Changelog: v3.2.1...v3.2.2

v3.2.1

Same release as https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v3.2.0, but fixes ListenerSet permissions for Gateway API users installing via Helm.

v3.2.0

v3.2.0 Release Notes

📚 Quick Links

v3.2.0 (requires Kubernetes 1.22+)

Image: public.ecr.aws/eks/aws-load-balancer-controller:v3.2.0

Documentation

Thanks to all our contributors!💜💜💜

⚠️ Action Required

CRD Updates

Action : Please apply the latest CRD definitions

• kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

Gateway API updates

🚨 This release moves the Gateway API version from 1.3 to 1.5. For NLB Gateway users, this means that TLSRoute has been moved to the v1 API and is no longer served in the Alpha API version. It is recommended to install the experimental version of the TLSRoute to ensure zero downtime upgrades. 🚨

• Installation of LBC Gateway API specific CRDs: kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/heads/main/config/crd/gateway/gateway-crds.yaml
• If using only ALB Gateway
  • Standard Gateway API CRDs: kubectl apply --server-side=true -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.0/standard-install.yaml
• If using NLB Gateway
  • Experimental Gateway API CRDs: kubectl apply --server-side=true -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.5.0/experimental-install.yaml [Required: Used for L4 Routes]

🚨Deprecations

• --aws-vpc-tag-key is now deprecated and ignored. All tags from --aws-vpc-tags are always used for VPC lookup. This flag will be removed in a future release.

🚨Breaking Changes

• If you were passing multiple tags via --aws-vpc-tags but your VPC only matched a subset of them, the controller will now fail to find the VPC since all tags are used as filters. Update your VPC tags or your --aws-vpc-tags value to ensure they match.

🚀 What's New

Gateway API Features

• Update to Gateway API v1.5.0
• Autodetect Gateway resources. No more feature flag flipping! The feature flags are still available to turn off the Gateway API feature.
• Introduce ListenerSet resources

Ingress Features

• Add Frontend NLB attributes annotation

🔧 Enhancements and Fixes

• [Bug fix] Fixed subnet resolution when subnets having conflicting name tags.
• [Bug fix] Fixed multi tag VPC look ups.
• [Bug fix] Normalize ingress DNS name to lower case.
• [Bug fix] Prevent nil pointer when assigning endpoints to WAF / Shield clients.
• [Enhancement] Configurable re-queue time for Target Group Bindings.
• [Enhancement] Automatically skip aws: system tags during tag reconcilation.
• [Enhancement] Backfill concurrency controls in Helm chart.
• [Enhancement] Adding namespace selectors to Service and Ingress webhooks.

Documentation Updates

• Add cert expiry best practices
• Add more AGA examples
• Update label selector documentation

What's Changed

• update golang.org/x/net/ to resolve cves by @zac-nixon in #4608
• add auto detection of gateway api resources by @zac-nixon in #4602
• feat(ingress): add frontend-nlb-attribtues annotation for ingress by @swarner1033 in #4380
• Update documents for TargetGroupBinding and Helm Installation with ArgoCD by @zac-nixon in #4610
• Fix subnet resolution when multiple subnets share the same Name tag by @bjhaid in #4588
• add sorting after describeSubnet and update contribute instruction by @shuqz in #4612
• Upgrade to v1.5 of Gateway API by @zac-nixon in #4613
• [feat gw-api]add gateway and gatewayclass level tgc support by @shuqz in #4611
• fix route status reconciler for gw v1.5 upgrade by @zac-nixon in #4615
• ListenerSet event handler by @zac-nixon in #4616
• Add flag supporting configurable targetgroupbinding requeue duration by @cezarsa in #4617
• add target optimizer field to gateway documentation by @zac-nixon in #4619
• add listenerset, fix bug with route reconciler, add proper unit tests by @zac-nixon in #4620
• add cert expiry best practice by @zac-nixon in #4622
• [feat i2g]setup cli and framework by @shuqz in #4621
• Add missing feature gates to docs and fix search bar by @swibrow in #4618
• [feat aga] Add additional examples for usecases by @shraddhabang in #4623
• [Gateway API] ListenerSet Loader by @zac-nixon in #4625
• add ingress webhook validator selectors to helm chart by @zac-nixon in #4626
• Skip AWS system tags during tag reconciliation by @wweiwei-li in #4628
• [Gateway API] Validate ListenerSet listeners by @zac-nixon in #4629
• [feat i2g]implement annotation translate by @shuqz in #4630
• Expose some missing max-concurrency flags in Helm chart by @cezarsa in #4637
• [Gateway API] Support attaching routes from listeners originating from a ListenerSet by @zac-nixon in #4639
• [feat i2g]add translate for use-annotation by @shuqz in #4642
• [Gateway API] ListenerSet status updater by @zac-nixon in #4645
• fix: Allowing namespace selectors for mservice webhook by @wesbrownfavor in #4646
• add listener set docs by @zac-nixon in #4647
• Change default client-side rate-limiter to correctly match ELBv2 api limits by @cezarsa in #4641
• Fix multi-tag VPC lookup by @shraddhabang in #4638
• Update LabelSelector reference to v1.32 by @saivenkateshi in #4635
• resolve parent ref gateway whenever listener is used by @zac-nixon in #4650
• Fix ingress and service controllers to normalize dns name by @bobert-2 in #4655
• Fix FindLoadBalancerByDNSName to be case-insensitive by @bobert-2 in #4657
• fixes from listenerset conformance testing by @zac-nixon in #4660
• Fix: skip empty ExternalId in AssumeRole for cross-account TGB by @devanshpoplii in #4659
• fix: guard BaseEndpoint assignment for wafregional and shield clients by @kahirokunn in #4658
• Refactor Gateway API tests into modules by @zac-nixon in #4661
• update base image by @zac-nixon in #4664
• implement conditions and transforms translation by @shuqz in #4653
• add calculate attached listenerset unit test by @zac-nixon in #4665

New Contributors

• @bjhaid made their first contribution in #4588
• @cezarsa made their first contribution in #4617
• @swibrow made their first contribution in #4618
• @wesbrownfavor made their first contribution in #4646
• @saivenkateshi made their first contribution in #4635
• @devanshpoplii made their first contribution in #4659

Full Changelog: v3.1.0...v3.2.0

v3.1.0

📚 Quick Links

v3.1.0 (requires Kubernetes 1.22+)

Image: public.ecr.aws/eks/aws-load-balancer-controller:v3.1.0

Documentation

Thanks to all our contributors!💜💜💜

⚠️ Action Required

CRD Updates

Action : Please apply the latest CRD definitions

• kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

If using Gateway API feature

• Installation of LBC Gateway API specific CRDs: kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/heads/main/config/crd/gateway/gateway-crds.yaml
• Standard Gateway API CRDs: kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/standard-install.yaml [REQUIRED]
• Experimental Gateway API CRDs: kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/experimental-install.yaml [OPTIONAL: Used for L4 Routes]

🚀 What's New

Gateway API Enhancements

• [ALB Gateway] Port defaulting for scheme - Fixed redirect port handling to comply with Gateway API spec. When port is not specified in HTTPRequestRedirectFilter, the controller correctly defaults to well-known ports (80 for http, 443 for https) based on the redirect scheme.
• [ALB Gateway] Improved regex handling - Corrected regex value handling in Gateway API route matching
• [Gateway] Status hostname normalization - Gateway status hostnames are now normalized to lowercase for consistency

AWS Global Accelerator Controller

• [AGA] Cross-namespace reference support - AGA resources can now reference resources across namespaces, enabling more flexible multi-tenant architectures

🔧 Enhancements and Fixes

• [NLB Gateway] TLS passthrough listener - Fixed TLS listener construction to respect TLS mode configuration. NLB Gateways now support passthrough, termination, and re-encryption modes as defined in Gateway API spec. Note: SNI-based routing is not supported due to AWS NLB dataplane limitations.
• [Ingress] Rule optimizer - Fixed incorrect removal of regex-based listener rules that could cause routing failures
• [HelmUpgrade] Webhook certificate regeneration - Fixed certificate regeneration issues during Helm upgrades. Reintroduce the keepTLSSecret parameter with improved logic that maintains cert-manager compatibility.
• [Gateway] NPE on invalid parameters - Added null pointer protection and enhanced debugging for invalid parameter references

Documentation Updates

• Updated service.beta.kubernetes.io/aws-load-balancer-type annotation documentation
• Moved QUIC documentation to L4 section for better organization
• Updated Helm chart information

Changelog since v3.0.0

• [feat aga] Add cross-namespace reference support for AGA by @shraddhabang in #4547
• fix TLS passthrough listener by @zac-nixon in #4559
• Fix NPE on invalid parameters ref, add more debugging details to accepted status by @zac-nixon in #4562
• add port defaulting for scheme by @zac-nixon in #4568
• move QUIC documentation to l4 by @zac-nixon in #4570
• Fix rule optimizer incorrectly removing regex-based listener rules by @shraddhabang in #4569
• correct regex value handling in gateway api by @zac-nixon in #4577
• Add k8s event for TGB failures by @vishwas121 in #4571
• Update docs for service.beta.kubernetes.io/aws-load-balancer-type annotation by @kellyyan in #4578
• update helm info by @zac-nixon in #4583
• Fix webhook certificate regeneration on Helm upgrades by @shraddhabang in #4581
• Filter RequeueNeeded errors to skip event triggers on TGB controller by @vishwas121 in #4584
• fix(gateway): normalize status hostname to lowercase by @TOGEP in #4591

New Contributors

• @vishwas121 made their first contribution in #4571
• @TOGEP made their first contribution in #4591

Full Changelog: v3.0.0...v3.1.0

v3.0.0

📚 Quick Links

v3.0.0 (requires Kubernetes 1.22+)

Image: public.ecr.aws/eks/aws-load-balancer-controller:v3.0.0

Documentation

Thanks to all our contributors!💜💜💜

---

🎉 Gateway API is Now GA!

We are excited to announce that Gateway API support is now Generally Available (GA) in AWS Load Balancer Controller v3.0.0! This milestone marks the production-ready status of Gateway API features for managing AWS Application Load Balancers and Network Load Balancers through the Kubernetes Gateway API. We encourage you to try it out and welcome any feedback via GitHub Issues.
For more gateway api details, please refer to our live doc.

⚠️ Action Required

CRD Updates

Action : Please apply the latest CRD definitions

• kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

If using Gateway API feature

• Installation of LBC Gateway API specific CRDs: kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/heads/main/config/crd/gateway/gateway-crds.yaml
• Standard Gateway API CRDs: kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/standard-install.yaml [REQUIRED]
• Experimental Gateway API CRDs: kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/experimental-install.yaml [OPTIONAL: Used for L4 Routes]

Webhook Certificate Issue

• Issue: #4359 attempted to fix a race condition in webhook certificate renewal but introduced a critical bug. The aws-load-balancer-tls Secret persists but the Certificate that owned and renewed it was removed, causing eventual certificate expiration and webhook TLS failures (#4541). This prevents the controller from updating target group bindings and can lead to outages. This bug impacts users deploying with Helm and utilizing the enableCertManager=true flag.
• Action for users staying on older versions: Set keepTLSSecret=false in your helm chart to mitigate the issue
• Action for users upgrading to v3.0.0: No action required - the fix is included in this release

🔧 Enhancements and Fixes

• Helm Chart Version Alignment: Helm chart version now aligns with LBC version. Previously, LBC v2.x used Helm chart v1.x (e.g., LBC v2.17 = Helm v1.17). Starting with v3.0.0, both versions match.
• Gateway Deletion: Removed route count check when deleting gateways, allowing deletion of gateways with attached routes (#4549)
• Subnet Ordering: Fixed subnet order preservation when using aws-load-balancer-subnets annotation - now maintains requested order instead of non-deterministic ordering (#4504)
• AZ Mismatch Fix: Fixed orphaned targets issue caused by AvailabilityZone mismatch in refreshUnhealthyTargets - targets are now properly deregistered regardless of cached AZ (#4544)
• NLB Target Group Limit: Fixed target group association limit error for weighted configs by including base service UID in target group name generation (#4540)
• Listener Error Propagation: Fixed target group tuple error messages not being propagated to end users (#4545)
• Webhook Certificate: Reverted race condition fix in webhook certificate renewal that caused issues (#4542)

📋 Full Changelog

• Revert "fix: Race condition in webhook certificate renewal with cert-… by @zac-nixon in #4542
• Fix NLB target group association limit issue for weighted configs by @shraddhabang in #4540
• Fix AZ mismatch in refreshUnhealthyTargets causing orphaned targets by @MinhNguyen-at in #4544
• Update model_build_listener.go by @zac-nixon in #4545
• Fix: preserve requested order for subnets when using aws-load-balancer-subnets annotation by @nelsen129 in #4504
• Remove KeepTLS parameter in helm chart by @zac-nixon in #4548
• [gateway api] remove route count check for deleting gateway by @zac-nixon in #4549
• [feat gateway-api]update gw api doc by @shuqz in #4550
• cut v3.0.0 release by @shuqz in #4551

New Contributors

• @MinhNguyen-at made their first contribution in #4544
• @nelsen129 made their first contribution in #4504

Full Changelog: v2.17.1...v3.0.0

v2.17.1

v2.17.1 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.17.1
Thanks to all our contributors! 😊

🚀 What's New

QUIC Protocol Support: Added QUIC protocol support for Gateway API and Service API
JWT Validation: Support for JWT validation in Gateway API
Default Load Balancer Scheme: Added support for specifying —default-load-balancer-scheme flag in Helm chart

🔧 Enhancements and Fixes

Bug Fixes

• Helm Chart: Duplicated CRD in helm kustomization

Documentation Updates

• Service Actions: Fixed service.beta.kubernetes.io/actions example in documentation
• Conformance Report: Generated v2.17.0 conformance test report

Changelog since v2.17.0

• Merge Main to release-2.17 (#4533, @wweiwei-li)
• [GW API] Add QUIC support (#4530, @zac-nixon)
• docs: fix service.beta.kubernetes.io/actions example (#4529, @davidxia)
• Add E2E tests for QUIC support in Service API. (#4527, @zac-nixon)
• feat(chart): add support for specifying —default-load-balancer-scheme flag (#4141, @ysam12345)
• fix: duplicated CRD in helm kustomization (#4518, @wweiwei-li)
• generate v2.17.0 conformance test report (#4521, @shuqz)
• [feat gw-api]support jwt validation (#4516, @shuqz)
• fix helm chart version (#4515, @wweiwei-li)

v2.17.0

v2.17.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.17.0
Thanks to all our contributors! 😊

Known Issues

Helm Chart 1.17.0 includes duplicated CRD globalaccelerators, causing kustomize render to fail

⚠️ Actions required to use the new AWS Global Accelerator controller

• CRD Updates - If you're upgrading the charts using helm upgrade, you need to update CRDs manually: kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/heads/main/config/crd/aga/aga.k8s.aws_globalaccelerators.yaml
• IAM Policy Updates - Update the controller's IAM policy with Global Accelerator permissions (see IAM Policy)
• RBAC Updates - Apply the latest RBAC definitions for Global Accelerator controller permissions (see RBAC)
• Feature Flag for Global Accelerator - Enable the feature flag --enable-global-accelerator=true,--feature-gates=EnableRGTAPI to use Accelerator functionality

🚀 What's New

AWS Global Accelerator Support - A new controller that enables declarative management of AWS Global Accelerators directly from Kubernetes using Custom Resource Definitions (CRDs). It allows users to define Global Accelerator resources as Kubernetes manifests, automatically provisioning and managing accelerators, listeners, endpoint groups, and endpoints that reference Kubernetes Ingress, Kubernetes Services, Kubernetes Gateway, and AWS resource ARNs. For more details, check the documentation:

• Introduction of AWS Global Accelerator Controller
• Installation and Prerequisites for AWS Global Accelerator Controller
• Example of using AWS Global Accelerator Controller

Gateway API - GA Release Candidate: The Gateway API implementation in this release is considered a Release Candidate for its General Availability (GA) release planned for next month. We encourage extensive testing in production-like environments and welcome your feedback via GitHub issues to ensure a stable GA release. What's new in this release:

• TCP_UDP Protocol: Complete support for combined TCP_UDP protocol on NLB Gateways with detailed usage guidance
• Per-ParentRef Status: Route status now correctly updates per parentRef instead of per-route
• ReplacePrefixMatch: Enhanced support with documented ALB limitations
• Conformance Report: Generated Gateway API conformance report with detailed test results
• ACM Cert Discovery: Fixed memory leak in ACM certificate discovery
• App Protocol Support: Added support for kubernetes.io/h2c App Protocol

🔧 Enhancements and Fixes

✨ Enhancements

• Cross-Zone Handling: Improved handling for cross-zone disabled ALBs with automatic AZ detection
• Weighted Target Groups: Added support for weighted target groups on NLB listeners

🐛 Bug Fixes

• Helm Template: Fixed objectSelector.matchExpressions indentation in webhook.yaml
• Helm Chart: Added --max-targets-per-target-group flag support

📚 Documentation

• Prometheus Metrics: Corrected metric names to include aws_ prefix in documentation

Changelog since v2.16.0

• cut v2.17.0 release (#4514, @wweiwei-li)
• fix kustomize build error by correcting webhook name (#4513, @wweiwei-li)
• Fix markdown issue for the FR template (#4507, @guessi)
• bundle AGA crds into standard deployment (#4512, @wweiwei-li)
• Fix IPv6 tests (#4511, @wweiwei-li)
• Fix typo in pod readiness gate doc (#4420, @davidxia)
• add trust store e2e test and script for local testing (#4510, @shuqz)
• correct drift check for mtls listeners (#4505, @zac-nixon)
• handle cross zone disabled for alb (#4496, @shuqz)
• Add missing RBAC permissions for GlobalAccelerator CRD (#4508, @wweiwei-li)
• Run CI test in parallel (#4503, @wweiwei-li)
• Add check for duplicate endpoints (#4502, @wweiwei-li)
• Add condition to AGA IAM policy (#4501, @wweiwei-li)
• refactor app protocol, add support for app protocols that kubernetes + elb supports (#4500, @zac-nixon)
• Add basic aga controller e2e tests (#4485, @wweiwei-li)
• docs(prometheus): metric name should include aws_ prefix (#4443, @samuelmasuy)
• feat: add maxTargetsPerTarget group flag to helm chart (#4408, @mmiller-sh)
• use one instance of acm cert discovery in gateway builder (#4493, @zac-nixon)
• [feat gw-api]conformance report (#4489, @shuqz)
• [feat gw-api]add e2e for gateway status update validation (#4488, @shuqz)
• [feat gw-api]modify route status update per parentRef (#4483, @shuqz)
• NLB weighted target groups (#4484, @zac-nixon)
• [feat aga] Move iam policies into its own file for easy setup (#4486, @shraddhabang)
• [feat aga] Implement auto-discovery feature for supported endpoints (#4476, @shraddhabang)
• [feat aga] Add documentation for AGA controller (#4478, @shraddhabang)
• [feat aga] Implement endpoint management for endpoint groups in accelerator (#4471, @shraddhabang)
• [gw api] Add TCP_UDP for gateway api (#4469, @zac-nixon)
• Support BYOIP (#4475, @wweiwei-li)
• [feat aga] Implement endpoint group management with port override conflict resolution (#4470, @shraddhabang)
• [feat aga] Implement AGA endpoint resource references loading and monitoring (#4458, @shraddhabang)
• Merge AGAController branch into main (#4466, @zac-nixon)
• [feat aga] Add AGA listener support without auto-discovery (#4436, @shraddhabang)

v2.16.0

v2.16.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.16.0
Thanks to all our contributors! 😊

Action required

🚨 🚨 🚨 For ALB Target Optimizer Users who want to use auto-injection for ALB target control agent: New CRD ALBTargetControlConfig has been added. Update your CRDs and RBAC. If you're upgrading the charts using helm upgrade, you need to update CRDs manually: kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/heads/main/config/crd/bases/elbv2.k8s.aws_albtargetcontrolconfigs.yaml also update rbac policy by applying the latest changes kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/heads/main/config/rbac/role.yaml

What’s new

We're excited to announce two new features!

• Introduced Target Optimizer for Application Load Balancers (ALB). This feature enables ALB customers to configure capacity-aware load balancing, useful for workloads that have strict limitations on how many concurrent requests each target can process. To get started, you must deploy the Target Optimizer agent sidecar with your application pods.
  • AWS what’s new
  • Drive application performance with Application Load Balancer Target Optimizer
  • How to use it in the controller
• Introduced weighted target groups for Network Load Balancers (NLB). This feature allows users to configure weights among multiple NLB target groups. Weighted target groups enable you to easily perform blue/green and canary deployment strategies, all while using one NLB and with zero downtime.
  • AWS what’s new
  • Network Load Balancers now support Weighted Target Groups
  • How to use it in the controller

Changelog since v2.15.0

• cut v2.16.0 release (#4462, @wweiwei-li)
• Support ALB TargetOptimizer (#4461, @wweiwei-li)
• Add support for service weighted target groups (#4455, @kellyyan)