Open wbar opened 4 months ago
Everything works on version 1.5.5
We do not support using existing NLB for service now. But we are have a feature soon, You can track it here : https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/228
TargetGroupBlinding supports Existing ALB/NLB, can you take a look to see if it helps with your case: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/guide/targetgroupbinding/targetgroupbinding/
Thanks for a response.
You have been supporting this till version 1.5.5.
Now, when AWS introduced Security Groups for NLB and you changed you Controller to use this feature, you are totally ignoring:
service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: 'false'
Even adding this:
service.beta.kubernetes.io/aws-load-balancer-security-groups: ''
wont help because AWS Controller is building model with security groups:
// resources["AWS::ElasticLoadBalancingV2::LoadBalancer"]
{
"LoadBalancer": {
"spec": {
"name": "XXXXXXX",
"type": "network",
"scheme": "internet-facing",
"ipAddressType": "ipv4",
"subnetMapping": [
{
"subnetID": "subnet-aaaaaaaaa"
},
{
"subnetID": "subnet-bbbbbbb"
},
{
"subnetID": "subnet-ggggggg"
}
],
"securityGroups": [
{
"$ref": "#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID"
},
"sg-TTTTTTTTTTTT"
]
}
}
}
Can you on given service.beta.kubernetes.io/aws-load-balancer-security-groups: ''
not add this SGs to the model ? Maybe that will not be causing an error:
A load balancer with the same name 'XXXXXXX' exists, but with different settings.
@wbar, by 1.5.5 I suppose you mean helm chart version.
From controller version v2.6.0, we support SGs for NLB and the controller will create front-end and back-end SGs and attach to the NLBs by default. If you want to opt-out, you can specify the feature gate flag --feature-gates=NLBSecurityGroup=false
, or --set controllerConfig.featureGates.NLBSecurityGroup=false
in helm cmd.
see https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/deploy/configurations/#feature-gates
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
lifecycle/stale
is appliedlifecycle/stale
was applied, lifecycle/rotten
is appliedlifecycle/rotten
was applied, the issue is closedYou can:
/remove-lifecycle stale
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
lifecycle/stale
is appliedlifecycle/stale
was applied, lifecycle/rotten
is appliedlifecycle/rotten
was applied, the issue is closedYou can:
/remove-lifecycle rotten
/close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
Description:
I am encountering an issue when trying to integrate a Kubernetes Service with a pre-existing Network Load Balancer (NLB) that was created via Terraform. Despite correctly tagging the NLB and configuring the Service with the necessary annotations, I receive an error indicating a conflict due to the NLB having "the same name but with different settings". This seems related to the management of Security Groups by the AWS Load Balancer Controller, which has been introduced in a recent feature update for Network Load Balancers.
Environment:
Steps to Reproduce:
Expected Result: The Kubernetes Service should successfully associate with the pre-created NLB without any conflicts regarding the load balancer's name or settings.
Actual Result: Received an error message:
This suggests an issue with how the AWS Load Balancer Controller handles existing NLBs, particularly regarding Security Groups settings.
Additional Information:
service.beta.kubernetes.io/aws-load-balancer-security-groups: ""
in an attempt to bypass automatic Security Group management.