kubernetes-sigs / aws-load-balancer-controller

A Kubernetes controller for Elastic Load Balancers
https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Apache License 2.0
3.91k stars, 1.45k forks

Inconsistency across docs/code for aws-load-balancer-manage-backend-security-group-rules #3660

Open rgs1 opened 5 months ago

rgs1 commented 5 months ago

In the annotations docs it says that aws-load-balancer-manage-backend-security-group-rules defaults to true:

https://github.com/kubernetes-sigs/aws-load-balancer-controller/blame/main/docs/guide/service/annotations.md#L52

[service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules](#manage-backend-sg-rules)  | boolean    | true          

However in the security docs the writing implies that it needs to be explicitly set:

https://github.com/kubernetes-sigs/aws-load-balancer-controller/blame/main/docs/deploy/security_groups.md#L64

- To enable managing backend security group rules, apply an additional annotation to Ingress and Service resources.
  - For Ingress resources, set the `alb.ingress.kubernetes.io/manage-backend-security-group-rules` annotation to `true`.
  - For Service resources, set the `service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules` annotation to `true`.

To make things consistent we either need to document that the annotation defaults to false or make the default actually true. Making it true by default is probably the desired path for most setups.

rgs1 commented 5 months ago

Ok I see the issue now, it's true by default if aws-load-balancer-security-groups is not set. If aws-load-balancer-security-groups is set, then you must specifically opt in. I'll update the docs to make this more clear.

oliviassss commented 4 months ago

@rgs1, yes your understanding is correct. If the user specifies the self-managed SG through aws-load-balancer-security-groups annotation, the controller by default won't manage the backend sg rules. You can also check here for more details https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/deploy/security_groups/
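The rule the two comments above agree on (the annotation defaults to true only when the Service does not name its own security groups; once `aws-load-balancer-security-groups` is set you must opt in explicitly) is small enough to state as code. The block below is an added example written for this page, not code from the aws-load-balancer-controller project. It assumes the full key for the security-groups annotation is `service.beta.kubernetes.io/aws-load-balancer-security-groups` (the thread only uses the short name), that an annotation whose value is empty or whitespace counts as unset, and that the function name `EffectiveManageBackendSGRules` is ours. The two annotation maps in `main` are constructed to mirror a Service with and without self-managed security groups.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Annotation keys. The manage-backend one is quoted in the issue; the
// security-groups one is the full form of the short name used in the thread
// (an assumption of this example).
const (
	annSecurityGroups       = "service.beta.kubernetes.io/aws-load-balancer-security-groups"
	annManageBackendSGRules = "service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules"
)

// isSet treats an annotation as present only when it carries a non-blank value
// (assumption of this example; a bare key with an empty value is ignored).
func isSet(annotations map[string]string, key string) (string, bool) {
	v, ok := annotations[key]
	v = strings.TrimSpace(v)
	return v, ok && v != ""
}

// EffectiveManageBackendSGRules resolves the documented default:
//   - an explicit manage-backend-security-group-rules annotation always wins;
//   - otherwise the default is true when the user has NOT supplied their own
//     security groups, and false when they have (self-managed SGs require opt-in).
// A non-boolean value for the explicit annotation is reported as an error rather
// than silently treated as false, so a typo like "yes" cannot quietly leave the
// backend security group without rules.
func EffectiveManageBackendSGRules(annotations map[string]string) (bool, error) {
	if raw, ok := isSet(annotations, annManageBackendSGRules); ok {
		v, err := strconv.ParseBool(raw)
		if err != nil {
			return false, fmt.Errorf("annotation %s: %q is not a boolean", annManageBackendSGRules, raw)
		}
		return v, nil
	}
	_, selfManaged := isSet(annotations, annSecurityGroups)
	return !selfManaged, nil
}

func main() {
	// Constructed sample: annotations lifted from two hypothetical Service manifests.
	samples := map[string]map[string]string{
		"controller-managed SG, no annotation": {},
		"self-managed SG, no opt-in": {
			annSecurityGroups: "sg-0123456789abcdef0",
		},
		"self-managed SG, explicit opt-in": {
			annSecurityGroups:       "sg-0123456789abcdef0",
			annManageBackendSGRules: "true",
		},
	}
	for name, ann := range samples {
		v, err := EffectiveManageBackendSGRules(ann)
		if err != nil {
			fmt.Printf("%-40s error: %v\n", name, err)
			continue
		}
		fmt.Printf("%-40s manage backend SG rules = %v\n", name, v)
	}
}
```

The "self-managed SG, no opt-in" case is the one that trips people up: the annotations table says the default is true, but with your own security groups attached the controller will not touch backend rules unless the opt-in annotation is present, so traffic from the load balancer to the nodes has to be allowed by hand.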

k8s-triage-robot commented 1 month ago

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot commented 2 weeks ago

The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

You can:

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle rotten