v2.14.0

Beta Release: Gateway API Layer 7 (L7) Routing for AWS Load Balancer Controller

We are excited to announce the Beta release of Layer 7 (L7) routing support for the Kubernetes Gateway API within the AWS Load Balancer Controller (LBC)!🥳🥳🥳 This highly anticipated feature allows you to provision and manage AWS Application Load Balancers (ALBs) for HTTP, HTTPS, and GRPC traffic directly from your Kubernetes clusters using the extensible Gateway API. Please refer to L7 Gateway API Documentation to learn more.

This beta release focuses on Gateway API features with comprehensive status reporting, advanced authentication, and stability improvements. While we encourage you to test these features extensively in your development environments, please be aware that this is a Beta release and is not yet production-ready. We are actively gathering feedback to finalize stability for official production use. This Beta status applies only to the new Gateway API features. All existing controller functionality for standard Ingress, Service and TargetGroupBinding resources remains stable and is safe for production workflows. Please restrict use of the new Gateway API features to testing and development environments.

---

📚 Quick Links

v2.14.0 (requires Kubernetes 1.22+)

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.14.0

Documentation

Thanks to all our contributors!💜💜💜

---

⚠️ Action Required

EndpointSlices Now Default

• Change: EndpointSlices enabled by default (better performance and old endpoint api is on deprecation path: https://kubernetes.io/blog/2025/04/24/endpoints-deprecation/)
• Action: No action needed. Use --enable-endpoint-slices=false if issues occur

CRD Updates

• Change: We’ve added new fields to both the IngressClassParams and TargetGroupBinding.
• Action : Please apply the latest CRD definitions: kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

---

🚀 What's New in Ingress, Services and TargetGroupBinding

Enhanced Defaulting Flag

• New: EnhancedDefaultBehavior flag for better annotation lifecycle management
• Impact: Enable this feature to allow the controller to remove ALPN and mTLS settings by removing the corresponding annotation

CRD Naming Fix

• Fixed: IngressClassParams singular name: ingressclassparams → ingressclassparam
• Impact: No action required. Both name will be supported, existing customers are not impacted. New customers please use correct name. Resolves SingularConflict errors

Configuration Improvements

• IngressClassParams Enhancements:
  • Load balancer name specification
  • SSL redirect port configuration
  • WAFv2 ARN/name support
  • PrefixListsIDs backward compatibility
• Target Group Names: Use names instead of ARNs in forward actions
• Granular NLB SG: Disable NLB Security Groups at the individual Service, instead of at the controller level.
• Frontend NLB Tags: Dedicated tagging for frontend NLBs

---

🚀 What's New in Gateway API

Status Update & Observability

• Gateway Listener Status: Complete status reporting with all condition types (Conflicted, Accepted, ResolvedRefs, Programmed)
• Route Status Management: Fixed infinite reconcile loops, proper lifecycle management
• E2E Status Tests: Comprehensive validation for UDP, TCP, HTTP, gRPC route statuses
• Target Group Metrics: New aws_target_group_info metric for CloudWatch integration

Advanced Authentication

• OIDC Support: Complete OpenID Connect integration via ListenerRuleConfiguration
• Cognito Integration: Complete AWS Cognito integration via ListenerRuleConfiguration

Enhanced Routing

• gRPC Partially Supported: Complete gRPC routing with header/method matching, E2E tests
• Source IP Conditions: Advanced source IP matching in rules
• Multiple Header Values: Support comma-separated header values
• Hostname Uniqueness: Enforced between gRPC and HTTP routes

Traffic Management

• Target Group Stickiness: Session affinity support
• Fixed Response Actions: Custom status codes and response bodies
• Port-Specific Attributes: Different target group attributes per service port
• Weighted Target Group Fixes: Improved comparison logic

Infrastructure

• Gateway API Addons: WAFv2 and Shield support for Gateway API
• IPv6 Support: Complete IPv6 testing and validation
• Elastic IP Support: Frontend NLB Elastic IP allocation

---

🔧 Enhancements and Fixes

Performance & Reliability

• Go 1.24.6: Security fixes and performance improvements
• DNS Timeout: Configurable DNS propagation timeout
• TGB Checkpoints: Fixed check-pointing after accidental service port deletion.
• Error Metrics: Fixed metric pollution from expected errors

Bug Fixes

• Weighted Target Groups: Fixed unnecessary rule modifications causing 4XX errors when using Weighted Target Groups.
• TCP_UDP Security Groups: Proper ingress rule generation for TCP_UDP listeners
• Backend SG Tags: Automatically sync Security Groups tags on backend Security Groups.

Documentation & Testing

• Resource Cleanup Guide: Proper deletion order documentation
• Scaling Documentation: Guidelines for large cluster deployments
• Comprehensive E2E Tests: gRPC, IPv6, status validation, authentication
• Error Message Improvements: Clearer guidance for common issues

🌟 Complete Change Log

• [feat gw-api]implement hostname uniqueness for httproute and grpcrout… by @shuqz in #4288
• [Gateway API] Add Addon Support by @zac-nixon in #4277
• chore: fix prefixlistsids typo in readme by @1ms-ms in #4289
• Add TG protocol into TGB by @zac-nixon in #4282
• feat: allow targetGroupName instead of targetGroupARN in forward action ingress annotations by @pascal-hofmann in #4281
• modify PrefixListsIDs with backward compatibility by @shuqz in #4293
• feature: add load balancer name to IngressClassParams by @1ms-ms in #4290
• upgrade go version by @shuqz in #4299
• [helm-chart] allow setting revisionHistoryLimit for webhook Certificate by @alex-berger in #4228
• [feat:gw api] Add tg stickiness and fixed response by @shuqz in #4298
• add granular NLBSG disable annotation by @zac-nixon in #4295
• fix sg rule generation for TCP_UDP and legacy SG path by @zac-nixon in #4305
• fix/docs: formatting issue in security_groups.md by @mtulio in #4219
• Fix IngressClassParams CRD singular naming to resolve SingularConflict by @laradji in #4201
• Add wafv2AclArn field to IngressClassParams by @mikutas in #3961
• [gw api] Fix overwrite of route status by @zac-nixon in #4309
• feat: add target group info metric by @msvticket in #3581
• add configurable timeout for dns propagation by @zac-nixon in #4311
• [feat gw api] Add auth cognito action for secure listeners on ALBs by @shraddhabang in #4313
• feature: get waf arn from name by @1ms-ms in #4312
• fix http / grpc route rule generation by @zac-nixon in #4316
• re introduce grpc routes by @zac-nixon in #4318
• feature: add ssl redirect port to IngressClassParams by @1ms-ms in #4308
• [feat gw-api]support multiple header value in condition by @shuqz in #4321
• [gw api] add grpc e2e tests by @zac-nixon in #4323
• fix: Resource tags don't propagate to frontend NLB #4279 by @praddy26 in #4328
• doc updates for scaling, IMDS usage by @zac-nixon in #4327
• Add elastic IP annotation to front end NLB by @swarner1033 in #4330
• feat: sync created Backend SG tags by @phuhung273 in #3990
• [feat gw api] Add authenticate oidc action support for L7 gateway by @shraddhabang in ...

v2.13.4

v2.13.4 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.13.4
Thanks to all our contributors! 😊

Action required

🚨 🚨 🚨 For user who is trying out our gateway api features, we’ve created a new CRD ListenerRuleConfiguration. Make sure to update the CRD definition in your cluster. If you're upgrading the charts using helm upgrade, you need to update CRDs manually: kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/heads/main/config/crd/gateway/gateway-crds.yaml also update rbac policy by applying the latest changes from rbac.yaml

What’s new

We’ve been working on ALB support in Gateway API. Some of the main additions are:

• introduced a new ListenerRuleConfiguration CRD that lets you use those AWS ALB features that Gateway API doesn't support yet. Note: we have not complete all development on this new CRD. Therefore, it is not recommended to use it at this time.
• added Reference Grant support
• added mTLS support
• weighted target group is now supported for HTTPRoutes
• TLS listeners now accept TCP routes

Enhancement and Fixes

• Upgraded Go to 1.24.5
• Fixed NLB security groups not working when multiple security groups assigned
• Added Patch permission to loadbalancerconfigurations in helm chart
• Made the error message more clear when someone tries to use ClusterIP services with Instance targets
• CI now runs on K8s 1.32 instead of 1.25
• Increased E2E test coverage

Full Changelog

• feat: Allow usage of namedPorts for sidecar containers by @heshamelsherif97 in #4237
• Feat(performance): Use protobuf as default type instead of json by @RiskyAdventure in #4093
• update ci k8s version by @zac-nixon in #4244
• clear confusion around using ClusterIP service and Instance targets by @zac-nixon in #4243
• [feat gw-api]implement httproute matching and weighted target group by @shuqz in #4241
• Bugfix: Add ability to patch loadbalancerconfigurations to helm RBAC by @timothy-spencer in #4248
• [gw api] add TLS and UDP listener tests. Fix bugs that were found from the tests by @zac-nixon in #4250
• [feat gw-api]support httproute filter type - RequestRedirect by @shuqz in #4255
• [feat: gw api] Add secure HTTPRoute and mutual auth support for L7 Ga… by @shraddhabang in #4259
• fix frontend NLB security group by @wweiwei-li in #4261
• [feat: gw api] Add Rules CRD for customizing Gateway API L7 routes by @shraddhabang in #4265
• Update K8s version support by @realjoshparker in #4266
• [feat gw-api] backfill E2E tests by @shuqz in #4264
• [gw api] Reference Grant support to allow cross namespace service access by @zac-nixon in #4267
• refactor how no backends are modeled in NLB / ALB Gateways by @zac-nixon in #4273
• [feat: gw api] Add event handling for Rules CRD by @shraddhabang in #4274
• [feat gw-api] implement grpcroute match by @shuqz in #4270
• [feat: gw api] Add finalizers for Rules CRD by @shraddhabang in #4275
• upgrade go version to 1.24.5 by @shuqz in #4276
• cut v2.13.4 release by @shuqz in #4278

New Contributors

• @heshamelsherif97 made their first contribution in #4237
• @RiskyAdventure made their first contribution in #4093
• @timothy-spencer made their first contribution in #4248
• @realjoshparker made their first contribution in #4266

Full Changelog: v2.13.3...v2.13.4

v.2.13.3

v2.13.3 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.13.3
Thanks to all our contributors! 😊

Action required

🚨 🚨 🚨 We’ve updated the Gateway API relevant LBC CRDs LoadBalancerConfigurations and TargetGroupConfigurations Make sure to update the CRD definition in your cluster. If you're upgrading the charts using helm upgrade, you need to update CRDs manually: kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/heads/main/config/crd/gateway/gateway-crds.yaml

What’s new

• We are pleased to announce the (Beta) of Layer 4 (L4) routing support for the Kubernetes Gateway API within the AWS Load Balancer Controller (LBC). This significant enhancement allows users to provision and manage AWS Network Load Balancers (NLBs) for TCP, UDP, and TLS traffic directly from their Kubernetes clusters, leveraging the powerful and extensible Gateway API. The LBC now fully supports the GatewayClass ,Gateway, TCPRoute, UDPRoute, and TLSRoute resources from the Gateway API. Please refer L4Routing for more info.

Enhancement and Fixes

• Upgraded Secuirty group deletion to be more responsive.
• Reduced the duplicated DescribeTargetGroups calls to enhance performance.
• Docs updates

Changelog since v2.13.2

• [feat: gw api]Adding docs for L4 routing for gateway api (#4232, @shraddhabang)
• Add ingress class example (#4221, @wweiwei-li)
• tg / lb conf finalizers (#4230, @zac-nixon)
• Update to go 1.24.4 (#4231, @zac-nixon)
• add ip target tests for gateway api(#4227, @zac-nixon)
• [feat: gw api] Fix edge cases for lb config finalizers (#4225, @shraddhabang)
• refactor deferred reconciler to always process tgb on start up (#4224, @zac-nixon)
• [gw api] Add TG config logic to find and create user specified TG config.(4220, @zac-nixon)
• [feat gw-api]implement finalizer (#4217, @shuqz)
• [bug fix] Make SG deletion more responsive(#4216,@zac-nixon)
• [feat: gw api][bug fix] generate sg rules using listener protocols (#4198, @shraddhabang)
• docs: update security_groups.md tabulation (#4193, @mtulio)
• fix: Failing tests in ipv6 cluster(#4211, @wweiwei-li)
• [feat: gw api] Fix the auto cert discovery logic for secure listeners on gateways (#4214, @shraddhabang)
• [feat gw-api]handle resolvedRef for route status update and update ho…(#4210, @shuqz)
• Reduce duplicated DescribeTargetGroups calls(#4208, @wweiwei-li)
• [feat gw-api]bugfix and prevent backward generation route status update(##4206, @shuqz)
• [gw api] Add Gateway API integ framework(#4205, @zac-nixon)
• Add EKS Auto Mode considerations to documentation(#4196, Andrey Butenko)
• docs: Change AWS Cognito Domain tip to warning(#4195, @ragul-engg)
• [feat gw api] add support for infra labels + annotations(#4191, @zac-nixon)
• [feat: gw api] support gw deletion(#4192, @zac-nixon)
• Fix prefixListIDs typos(#4187, @gdlx)

v2.13.2

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.13.2

This release fixes TLS Protocol detection:
#4183
#4181

v2.13.1

v2.13.1 (requires Kubernetes 1.22+)

[PLEASE USE v2.13.2]

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.13.1
Thanks to all our contributors! 😊

This release fixes the v2.13.0 release that contained a bug that erroneously published reconcile error metrics

v2.13.0

v2.13.0 (requires Kubernetes 1.22+)

[PLEASE USE v2.13.2]

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.13.3
Thanks to all our contributors! 😊

Action required

🚨 🚨 🚨

We’ve added new fields to the IngressClassParams CRD. Please apply the latest CRD definitions: kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

What’s new

• Improved Prometheus metrics!
  • Checkout the new Prometheus metrics. Their documentation can be found here. https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.13/guide/metrics/prometheus. We hope this improves the ability to debug issues using the LBC and monitoring general trends. Please submit an issue if you think we missed an important metric to collect.
• Added support for ALB as a target of NLB to Service objects.
  • We are thrilled to add support for this highly requested, popular NLB / ALB feature. https://aws.amazon.com/blogs/networking-and-content-delivery/application-load-balancer-type-target-group-for-network-load-balancer/
  • Check out the new annotations in the https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.13/guide/ingress/annotations/#enable-frontend-nlb to get started.
• LBC now supports RAM shared VPCs
  • In the v2.12.0 release, LBC added support for cross account Target Groups. However, we missed some critical functionality to support Target Groups using RAM shared VPCs.
  • Using https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.13/guide/targetgroupbinding/targetgroupbinding/#assumerole should seamlessly work for peered and RAM shared VPCs.
• LBC now supports TCP_UDP type Listeners and TargetGroups.
  • TCP_UDP is a popular listener type for AWS NLB, which allows serving both TCP and UDP from the same port. We have backfilled this feature into the LBC.
  • You can enable this feature by specifying a service with TCP and UDP protocols on the same port.
  • In order to enable the feature, please enable the LBC feature flag EnableTCPUDPListener or specify individual services to enable the feature by using the annotation service.beta.kubernetes.io/aws-load-balancer-enable-tcp-udp-listener
• The LBC now supports a very basic Gateway API implementation
  • We have implemented a basic Gateway for both ALB and NLB.
  • See the documentation here https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.13/guide/gateway/gateway/

Enhancement and Fixes

• Added more customization options (TargetType, PrefixListsIDs) to the IngressClassParams CRD.
• Allow for setting PPv2 header at per target group level.
• Refactored Subnet discovery to make LB creation easier.
• Updated to Go 1.24.2 and AL2023 base image to resolve security vulnerabilities.
• Lots of documentation and logging fixes!

Changelog since v2.12.0

• Bump version to 2.13, add documentation for Gateway API (4169, @zac-nixon)
• [gw api] gateway class reconciler, config generation (4163, @zac-nixon)
• [feat gw-api] add support for capacity reservation and add simple logic to process lb configuration (4162, @shuqz)
• Add certs discovery (4159, @wweiwei-li)
• Add support for TCP_UDP to NLB TargetGroups and Listeners (4161, @lyda, @amorey, @zac-nixon)
• [feat: gw api] Add common listener config for gateway api (4160, @shraddhabang)
• bug: fix misformated crd url in CRD cleanup (4157, @Issacwww)
• [feat:gw-api] add support for ServiceExternalTrafficPolicyLocal (4156, @shuqz)
• [feat: gw-api] Creating Target Group + TGB from Gateway spec (4150, @zac-nixon)
• [feat: gw api] Add eventhandler for the gateway resource (4149, @shraddhabang)
• Enable frontend NLB (4126, @wweiwei-li)
• [feat: gw api] subnet discovery that works for both ALB / NLB (4137, @zac-nixon)
• support cli flag to enable manage backend SG rules for ALB (4145, @shuqz)
• chore: change tgb field to lowercase everywhere to avoid logs dropped due to conflict in OS/ES (4143, @94DanielBrown)
• Add TargetType field to IngressClassParams (4029, @mikutas)
• Update security_groups.md (4120, @tucktuck9)
• Update configurations.md (4120, @tucktuck9)
• fix bug in subnet resolver (4114, @M00nF1sh)
• Allow the same certificate to be specified for both the default and SNI certificate (4113, @u-kai)
• Allow override of Certificate resource fields for duration of webhook certs (4105, @usamaahmadkhan)
• Merge pull request #4109 from M00nF1sh/subnet-reachability (4109, @M00nF1sh)
• Update Go to version 1.24.1, update base image to AL2023 (4104, @kellyyan)
• docs: fix broken link to targetgroupbinding CRD page (4101, @ariyonaty)
• Add prometheus metrics (4056, @wweiwei-li)
• [bug fix] handle ram shared VPCs for cross account tgb (4095, @zac-nixon)
• Add PrefixListsIDs field to IngressClassParams (3860, @gdlx)
• Added support for setting Proxy protocol per target group based on ServicePort (4079, @pthak94)
• Added example for multiple certificates to Service annotation (4078, @raghu-manne)
• service healthcheck timeout doc (3945, @phuhung273)
• add missing targets field to de/registered targets log (3898, @applike-ss)

v2.12.0

v2.12.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.12.0
Thanks to all our contributors! 😊

Action required

🚨 🚨 🚨

In v2.12.0, we have changed the default policy of the LBC webhook from Fail to Ignore in order to improve disaster recovery. See our documentation for how to change the policy back to Fail if you want better guarantees for having readiness gates getting attached to your pods.

We’ve added new fields to both the IngressClassParams and
TargetGroupBinding. Please apply the latest CRD definitions: kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

AWS ALB now supports integrating with AWS VPC IPAM (ec2:DescribeIpamPools, elasticloadbalancing:ModifyIpPools). We also have added new IAM permissions (elasticloadbalancing:SetRulePriorities) in order to effectively manage your ALB listener rules. We've updated the reference IAM policies to explicitly add new permissions to allow for usage of the features.

What’s new

• Support AWS VPC IPAM with Application Load Balancers.
  • Application Load Balancer (ALB) now supports BYOIP (Bring your own IP) utilizing AWS VPC IP Manager.
• Application Load Balancer now supports Advertise CA when using mTLS.
  • When you enable Advertise CA subject names, the Application Load Balancer will advertise the list of Certificate Authorities (CAs) subject names that it trusts, based on the trust store it's associated with. When a client connects to a target through the Application Load Balancer, the client receives the list of trusted CA subject names.
• NLB now supports path discovery using ICMP.
  • It might be necessary for some environments to allow Path MTU discovery for negotiation of MTU between two hosts. If a receiving host has a smaller MTU than the sending host, the receiving host sends an ICMP message to instruct the sending host to split the payload into multiple smaller packets and retransmit them. This work introduces a Service annotation that when configured, will automatically add a security group rule to the managed security group, depending on the IP address type.
• The LBC now supports registering targets in cross account target groups.
  • You can now use the iamRoleArnToAssume field in the TargetGroupBinding CRD to allow for registration and deregistration of IP targets into Target Groups outside the account that owns the cluster.
• The LBC now supports multiple references to the same Target Group.
  • In previous releases there was an enforced 1-1 mapping of TargetGroupBinding to Target Group. v2.12.0 removes this limitation if the MultiCluster flag is set on each binding.

Enhancement and Fixes

• ListenerRule modification have been refactored to allow for no downtime changes to routing rules.
• SG ingress and egress rule modifications are re-ordered to prevent outage on mis-configured SG setting.
• Fixed a bug that prevented the controller from setting Dualstack mode.
• Used better metric buckets for publishing readiness gate latency.
• Added support for karpenter.sh/disrupted:NoSchedule taint to improve application availability during node patching and scaling.

Changelog since v2.11.0

• Add ALB IPAM Support (#4081, @zac-nixon)
• Update rule management to avoid sporadic 503 errors (#4039, @shraddhabang)
• Fix TGB webhook error message to report changes to immutable field (#4070, @maruina)
• Do not render .spec.replicas if Autoscaling is Enabled (#4059, @sherifabdlnaby)
• add toggle to adjust failurePolicy of pod webhook and documentations (#4063, @M00nF1sh)
• [feat] allow multiple targetgroupbindings to reference same tg arn if using multicluster mode (#4021, @zac-nixon)
• Checking for taint karpenter.sh/disrupted:NoSchedule while checking if node is suitable to handle traffic. (#4022, @kahirokunn)
• Added ISO Policy for iso-e and iso-f in example docs, and updated integration test script based on testing already done (#4032, @orsenthil)
• TargetGroupBindings can now manipulate target groups from different aws accounts (#3691, @marcosdiez)
• bug fix: use reasonable buckets for readiness gate flip metrics (#4001, @zac-nixon)
• Fix CVE-2024-45338 - golang.org/x/net (#4010, @shraddhabang)
• bug fix: try SG permission add prior to revoke (#3952, @zac-nixon)
• fix(helm): change topologySpreadConstraints default value (#3983, @yann-soubeyrand)
• fix: Cannot set the IPv6 addresses in dualstack mode during modification (#3959, @wweiwei-li)
• feat: add advertise ca for mtls listener (#3974, @zac-nixon)
• feat(NLB): Introduce Service annotation to allow ICMP for Path MTU Discovery (#3939, @chriswachira)

v2.11.0

v2.11.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.11.0
Thanks to all our contributors! 😊

Action required

🚨 🚨 🚨 We’ve added new fields for capacity unit reservation on IngressClassParams. We’ve also added the targetGroupName field to the TargetGroupBinding which users can set in order to fetch targetGroup by Name instead or ARN. Make sure to update the CRD definition in your cluster. If you're upgrading the charts using helm upgrade, you need to update CRDs manually: kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

We've updated the reference IAM policies to explicitly add the elasticloadbalancing:DescribeCapacityReservation and elasticloadbalancing:ModifyCapacityReservation permissions for describing and modifying capacity reservation. Please be sure to apply the latest IAM policy when upgrading.

What’s new

• Support Load balancer Capacity Unit Reservation for ALB and NLBs.
  • Application Load Balancer (ALB) and Network Load Balancer (NLB) now support Load Balancer Capacity Unit (LCU) Reservation that allows you to proactively set a minimum capacity for your load balancer, complementing its existing ability to auto-scale based on your traffic pattern. For more info checkout what’s new post.

Enhancement and Fixes

• Add support to set the default load balancer scheme at the controller level
• TargetGroupBinding now support targetGroupName
• Bug fix: EnablePrefixForIpv6SourceNat is only applicable to NLB

Changelog since v2.10.1

• fix failing test (#3976, @zac-nixon)
• Update owners of the project (#3975, @shraddhabang)
• fix: EnablePrefixForIpv6SourceNat is only applicable to NLB (#3958, @wweiwei-li)
• Add support for capacity unit reservation for load balancers (#3950, @shraddhabang)
• Add —default-load-balancer-scheme command line flag (#3908, @phuhung273)
• TargetGroupBinding now support targetGroupName - #2655 refresh (#3903, @fatmcgav)

v2.10.1

v2.10.1 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.10.1
Thanks to all our contributors! 😊

What's new

• Supports HTTP and HTTPS listener attributes on load balancers.
  • Application Load Balancer (ALB) now supports HTTP request and response header modification giving you greater controls to manage your application’s traffic and security posture without having to alter your application code. For more information checkout what’s new post and the ALB document.

Enhancement and Fixes

• Use pod target namespace to get pod info from repo when resolving endpoint.
• Remove sort by ID so that EIP allocations and subnet ID order is respected.
• [Doc] fixed documentation styling for Support UDP-based services over IPv6.
• Publish internal controller metrics, such as target register time.
• Trim control characters from OIDC secret

Changelog since v2.10.0

• enable http and https listener attributes (#3948, @wweiwei-li)
• FEAT: LBC metric collector (#3941, @zac-nixon)
• fix: use pod target namespace to get pod info from repo when resolving endpoint (#3914, @Revolution1)
• [BUG FIX] trim control characters from secret to prevent newlines in client secret (#3936, @zac-nixon)
• Fix: order must match specified subnets (#3925, @wweiwei-li)
• fixed documentation styling for Support UDP-based services over IPv6 (#3928, @shethyogita83)

Full Changelog: v2.10.0...v2.10.1

v2.10.0

v2.10.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.10.0
Thanks to all our contributors!

Action required

🚨 🚨 🚨 We’ve added the multiClusterTargetGroup field to the TargetGroupBinding which users can set in order to share target groups among different Kubernetes clusters. Make sure to update the CRD definition in your cluster. If you're upgrading the charts using helm upgrade, you need to update CRDs manually: kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

ELB has updated their managed policy to include ec2:GetSecurityGroupsForVpc. We have updated the Load Balancer Controller policy to reflect that change. Please be sure to apply the latest IAM policy when upgrading.

What’s new

• AWS Load Balancer Controller now supports MultiCluster target groups. This mode allows users to share target groups among multiple clusters, enabling a wide variety of use cases. For more information checkout the use case documentation
• We’ve added support SageMaker HyperPod clusters. Users can now install the Load Balancer Controller into SageMaker HyperPod clusters in order to get integration with AWS ELB.
• We’ve added integration with a new ELB feature that allows configuring sourceNAT for Dualstack NLBs to allow UDP traffic over IPv6.

Enhancement and Fixes

• Update shield integration to use in-region endpoint rather then always using us-east-1.
• (docs) Fix TLS Ingress annotation documentation for Security policy
• (docs) Fix configuration documentation typos
• (docs) Fix external-dns routing policies link
• Add new ec2:GetSecurityGroupsForVpc permission to LBC policy.

Changelog since v2.9.2

• UDP Support over IPv6 via Dualstack NLBs using SourceNAT configurations (#3926)
• Refactor aws cloud service and introduce a client provider (#3895)
• New Feature: Multi Cluster TargetGroupBinding (#3853)
• add sagemaker-hyperpod compute type to resolve its pods via VPC ENI (#3886)
• Fixed documentation typos (#3885)
• Fix alphabetic order in CRD for verify CRD to run (#3911)
• chore(docs): fix external-dns routing policies link (#3893)
• fix(docs): Update the link to the AWS documentation for the TLS Ingress annotation for Security policy (#3876)
• update the region of shield api (#3920)
• add ec2:GetSecurityGroupsForVpc to account for ELB API changes (#3921)
• BUG FIX: fix log message when target group and cluster are in different VPCs (#3924)