kubernetes-sigs / aws-load-balancer-controller

A Kubernetes controller for Elastic Load Balancers
https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Apache License 2.0
3.93k stars 1.46k forks

Shared backend security group is not added when `security-groups` annotation is provided #3088

Closed jralph closed 1 year ago

jralph commented 1 year ago

Describe the bug: When the annotation alb.ingress.kubernetes.io/security-groups is used to attach your own security group to the ALB, the shared backend security group is not added, causing all traffic to be blocked by the node/pod security group.

Steps to reproduce: Deploy an ingress with a custom security group using the alb.ingress.kubernetes.io/security-groups annotation, along with nodes that are private.

We're running an EKS cluster with VPC CNI networking, and the alb.ingress.kubernetes.io/target-type annotation set to ip.

Expected outcome: The shared backend security group should always be added, even when the alb.ingress.kubernetes.io/security-groups annotation is used.

Optionally, there could be another annotation to disable this, although I'd guess that use case would be pretty rare. Why would you want an ALB that is unable to talk to the backend pods/nodes?

Environment

Additional Context: When trying to add a custom security group to only allow connections to our ALB from the CloudFront prefix list, we encountered this issue.

kishorj commented 1 year ago

@jralph, the controller doesn't manage the ingress SG rules by default if you manually specify the SGs via the alb.ingress.kubernetes.io/security-groups annotation. If you want the controller to manage backend rules together with the security-groups annotation, you'd need to specify the annotation alb.ingress.kubernetes.io/manage-backend-security-group-rules: "true". For further details, please refer to the live docs: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/guide/ingress/annotations/#manage-backend-security-group-rules
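
The two configurations described in this reply, side by side, with a lint function that flags the one from the report. This is an added example for this thread, not code from the aws-load-balancer-controller project or its docs. The Ingress name, namespace, IngressClass and the security group id are constructed placeholders; only the annotation keys and values come from the thread.

```python
"""Check Ingress manifests for the security-groups / backend-rules mismatch
discussed in this issue.

Added example; not controller code.  Manifests are constructed here for
illustration: name, namespace, ingressClassName and the SG id are assumed.
"""
import copy

PREFIX = "alb.ingress.kubernetes.io/"
SECURITY_GROUPS = PREFIX + "security-groups"
MANAGE_BACKEND_RULES = PREFIX + "manage-backend-security-group-rules"


def make_ingress(annotations):
    """Build a minimal Ingress (constructed sample) carrying the given
    alb.ingress.kubernetes.io annotations."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {
            "name": "web",            # assumed
            "namespace": "default",   # assumed
            "annotations": dict(annotations),
        },
        "spec": {
            "ingressClassName": "alb",  # assumed IngressClass name
            "rules": [{"http": {"paths": [{
                "path": "/", "pathType": "Prefix",
                "backend": {"service": {"name": "web", "port": {"number": 80}}},
            }]}}],
        },
    }


# As reported: custom SG attached, target-type ip, backend rules left at the
# controller default (not managed), so the ALB cannot reach the pod SG.
BROKEN_INGRESS = make_ingress({
    PREFIX + "scheme": "internet-facing",
    PREFIX + "target-type": "ip",
    SECURITY_GROUPS: "sg-0123456789abcdef0",   # placeholder SG id
})

# As suggested in the reply: same custom SG, plus the explicit opt-in.
FIXED_INGRESS = make_ingress({
    PREFIX + "scheme": "internet-facing",
    PREFIX + "target-type": "ip",
    SECURITY_GROUPS: "sg-0123456789abcdef0",   # placeholder SG id
    MANAGE_BACKEND_RULES: "true",
})


def backend_rules_managed(ingress):
    """True when the controller will add the rules that let the ALB reach
    the targets: either no custom SGs at all, or custom SGs together with
    manage-backend-security-group-rules: "true"."""
    ann = ingress.get("metadata", {}).get("annotations") or {}
    if SECURITY_GROUPS not in ann:
        return True
    return str(ann.get(MANAGE_BACKEND_RULES, "")).strip().lower() == "true"


def lint_ingress(ingress):
    """Return a list of findings; an empty list means the check passes."""
    findings = []
    if not backend_rules_managed(ingress):
        meta = ingress.get("metadata", {})
        findings.append(
            f"{meta.get('namespace', '?')}/{meta.get('name', '?')}: "
            f"{SECURITY_GROUPS} is set but {MANAGE_BACKEND_RULES} is not "
            "\"true\"; the controller will not add backend SG rules and the "
            "ALB cannot reach its targets. Add the annotation or drop the "
            "custom SGs."
        )
    return findings


def with_managed_backend_rules(ingress):
    """Return a copy of the manifest with the opt-in annotation added."""
    fixed = copy.deepcopy(ingress)
    ann = fixed.setdefault("metadata", {}).setdefault("annotations", {})
    ann[MANAGE_BACKEND_RULES] = "true"
    return fixed


if __name__ == "__main__":
    for label, ing in (("broken", BROKEN_INGRESS), ("fixed", FIXED_INGRESS)):
        print(label, lint_ingress(ing) or "ok")
```

The check only looks at the two annotations, which is all the reply says matters: a manifest with no custom security groups passes, and a manifest with custom groups passes only when the opt-in annotation is literally "true". Running it against rendered manifests in CI catches the report's configuration before the ALB is created.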

ghost commented 1 year ago

Similar issue, @kishorj's solution worked 😳 😄

k8s-triage-robot commented 1 year ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

oliviassss commented 1 year ago

@jralph, I'm closing this issue for now; please feel free to reach out or reopen if you have any questions. Thanks.