Release v2.4.1 · kubernetes-sigs/aws-load-balancer-controller

v2.4.1 (requires Kubernetes 1.19+)

Documentation

Image: docker.io/amazon/aws-alb-ingress-controller:v2.4.1

Thanks to all our contributors! 😊

Action Required

🚨 🚨 🚨 The new HelmChart(version 1.4.1) and installation YAML for v2.4.1+ no longer contain the RBAC permission for controller to access Secret resources by default.

If you don't use the authentication via OIDC IDP feature for any Ingresses in cluster, no action is needed.
If you do use the authentication via OIDC IDP feature for any Ingress in cluster, you must grant the controller RBAC permission to access Secret resources been referenced. For backwards compatibility, the helm chart provides an option to grant controller RBAC permission to access all Secrets by explicitly setting --set clusterSecretsPermissions.allowAllSecrets=true. However, we recommend configuring separate namespaced Role/RoleBinding to grant controller access to your specific secret resources to strengthen security posture.

What's new

Introduce a new featureGate named EndpointsFailOpen: Once enabled, when all eligible nodes get into "ready: unknown" state due to misconfiguration or outage, the controller will ensure fault-tolerance by registering nodes/pods in unknown state as targets to let load balancer still able to handle traffic. This featureGate is not enabled by default in this version and can be enabled via the controller flag --feature-gates=EndpointsFailOpen=true.
The controller will no longer require permissions for all Secret resources. If the authentication via OIDC IDP feature is used, you must grant the controller RBAC permission to access the referenced Secret resources.

Bug fixes

Fix issue with certificates reconcile so the controller can recover from TooManyCertificates error
Fix race condition between pod readiness gate inject and ingress model update
Restrict webhook server to TLS 1.3
Monitor secrets only if necessary
documentation changes

Changelog since v2.4.0

update iam permissions for TGB only configuration (#2554, @kishorj)
Update pods with readinessGate as healthy for deleted TGB (#2524, @oliviassss)
add support to optionally fail-open when all nodes are been isolated (#2546, @M00nF1sh)
monitor secret resources only if necessary (#2550, @kishorj)
Upgrade webhook server minimum version to TLS1.3 (#2547, @oliviassss)
Clarify cluster tag requirement in docs (#2527, @adammw)
remove undesired certificates before adding new ones (#2528, @oliviassss)
typo error (#2518, @nimboya)
Updated test helper script for e2e tests (#2510, @cgchinmay)
Make e2e LB name test work with clusters that have . in the name (#2516, @olemarkus)
update docs-publish target to v2.4 (#2513, @kishorj)

ECR images

013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
558608220178.dkr.ecr.me-south-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
590381155156.dkr.ecr.eu-south-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
602401143452.dkr.ecr.ap-northeast-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
602401143452.dkr.ecr.ap-northeast-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
602401143452.dkr.ecr.ap-northeast-3.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
602401143452.dkr.ecr.ap-south-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
602401143452.dkr.ecr.ap-southeast-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
602401143452.dkr.ecr.ap-southeast-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
602401143452.dkr.ecr.ca-central-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
602401143452.dkr.ecr.eu-central-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
602401143452.dkr.ecr.eu-north-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
602401143452.dkr.ecr.eu-west-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
602401143452.dkr.ecr.eu-west-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
602401143452.dkr.ecr.eu-west-3.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
602401143452.dkr.ecr.sa-east-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
602401143452.dkr.ecr.us-east-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
602401143452.dkr.ecr.us-east-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
602401143452.dkr.ecr.us-west-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
800184023465.dkr.ecr.ap-east-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
877085696533.dkr.ecr.af-south-1.amazonaws.com/amazon/aws-load-balancer-controller:v2.4.1
918309763551.dkr.ecr.cn-north-1.amazonaws.com.cn/amazon/aws-load-balancer-controller:v2.4.1
961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon/aws-load-balancer-controller:v2.4.1

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

v2.4.1