security group CIDRs are not updated when the `alb.ingress.kubernetes.io/inbound-cidrs` annotation is changed

ataxdr commented 1 year ago

Describe the bug

I have updated my ingress alb.ingress.kubernetes.io/inbound-cidrs annotation to add a new CIDR but the underlying security group does not get updated

Steps to reproduce

Create a new ingress with alb.ingress.kubernetes.io/inbound-cidrs set to something other than 0.0.0.0/0
kubectl edit ingress and add a new CIDR to the annotation.

Expected outcome

The LB managed security group will reconcile and the new CIDR will be added to the SG

Environment

AWS Load Balancer controller version v2.4.4
Kubernetes version
Using EKS (yes/no), if so version?
EKS 1.23

Additional Context:

M00nF1sh commented 1 year ago

@ataxdr do you have controller logs about this? the security group rules shall be updated when you make changes.

ataxdr commented 1 year ago

it seems to be working now, we run with a direct connect VPC and it does not have access to shield, so it might be timing out getting to shield and not actually doing the reconcile.

I do have another issue regarding: InvalidInstanceID.NotFound so I will open another issue. for now it can be closed

kubernetes-sigs / aws-load-balancer-controller

security group CIDRs are not updated when the `alb.ingress.kubernetes.io/inbound-cidrs` annotation is changed #3169