v3.0.0

📚 Quick Links

v3.0.0 (requires Kubernetes 1.22+)

Image: public.ecr.aws/eks/aws-load-balancer-controller:v3.0.0

Documentation

Thanks to all our contributors!💜💜💜

---

🎉 Gateway API is Now GA!

We are excited to announce that Gateway API support is now Generally Available (GA) in AWS Load Balancer Controller v3.0.0! This milestone marks the production-ready status of Gateway API features for managing AWS Application Load Balancers and Network Load Balancers through the Kubernetes Gateway API. We encourage you to try it out and welcome any feedback via GitHub Issues.
For more gateway api details, please refer to our live doc.

⚠️ Action Required

CRD Updates

Action : Please apply the latest CRD definitions

• kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

If using Gateway API feature

• Installation of LBC Gateway API specific CRDs: kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/heads/main/config/crd/gateway/gateway-crds.yaml
• Standard Gateway API CRDs: kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/standard-install.yaml [REQUIRED]
• Experimental Gateway API CRDs: kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.3.0/experimental-install.yaml [OPTIONAL: Used for L4 Routes]

Webhook Certificate Issue

• Issue: #4359 attempted to fix a race condition in webhook certificate renewal but introduced a critical bug. The aws-load-balancer-tls Secret persists but the Certificate that owned and renewed it was removed, causing eventual certificate expiration and webhook TLS failures (#4541). This prevents the controller from updating target group bindings and can lead to outages. This bug impacts users deploying with Helm and utilizing the enableCertManager=true flag.
• Action for users staying on older versions: Set keepTLSSecret=false in your helm chart to mitigate the issue
• Action for users upgrading to v3.0.0: No action required - the fix is included in this release

🔧 Enhancements and Fixes

• Helm Chart Version Alignment: Helm chart version now aligns with LBC version. Previously, LBC v2.x used Helm chart v1.x (e.g., LBC v2.17 = Helm v1.17). Starting with v3.0.0, both versions match.
• Gateway Deletion: Removed route count check when deleting gateways, allowing deletion of gateways with attached routes (#4549)
• Subnet Ordering: Fixed subnet order preservation when using aws-load-balancer-subnets annotation - now maintains requested order instead of non-deterministic ordering (#4504)
• AZ Mismatch Fix: Fixed orphaned targets issue caused by AvailabilityZone mismatch in refreshUnhealthyTargets - targets are now properly deregistered regardless of cached AZ (#4544)
• NLB Target Group Limit: Fixed target group association limit error for weighted configs by including base service UID in target group name generation (#4540)
• Listener Error Propagation: Fixed target group tuple error messages not being propagated to end users (#4545)
• Webhook Certificate: Reverted race condition fix in webhook certificate renewal that caused issues (#4542)

📋 Full Changelog

• Revert "fix: Race condition in webhook certificate renewal with cert-… by @zac-nixon in #4542
• Fix NLB target group association limit issue for weighted configs by @shraddhabang in #4540
• Fix AZ mismatch in refreshUnhealthyTargets causing orphaned targets by @MinhNguyen-at in #4544
• Update model_build_listener.go by @zac-nixon in #4545
• Fix: preserve requested order for subnets when using aws-load-balancer-subnets annotation by @nelsen129 in #4504
• Remove KeepTLS parameter in helm chart by @zac-nixon in #4548
• [gateway api] remove route count check for deleting gateway by @zac-nixon in #4549
• [feat gateway-api]update gw api doc by @shuqz in #4550
• cut v3.0.0 release by @shuqz in #4551

New Contributors

• @MinhNguyen-at made their first contribution in #4544
• @nelsen129 made their first contribution in #4504

Full Changelog: v2.17.1...v3.0.0

v2.17.1

v2.17.1 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.17.1
Thanks to all our contributors! 😊

🚀 What's New

QUIC Protocol Support: Added QUIC protocol support for Gateway API and Service API
JWT Validation: Support for JWT validation in Gateway API
Default Load Balancer Scheme: Added support for specifying —default-load-balancer-scheme flag in Helm chart

🔧 Enhancements and Fixes

Bug Fixes

• Helm Chart: Duplicated CRD in helm kustomization

Documentation Updates

• Service Actions: Fixed service.beta.kubernetes.io/actions example in documentation
• Conformance Report: Generated v2.17.0 conformance test report

Changelog since v2.17.0

• Merge Main to release-2.17 (#4533, @wweiwei-li)
• [GW API] Add QUIC support (#4530, @zac-nixon)
• docs: fix service.beta.kubernetes.io/actions example (#4529, @davidxia)
• Add E2E tests for QUIC support in Service API. (#4527, @zac-nixon)
• feat(chart): add support for specifying —default-load-balancer-scheme flag (#4141, @ysam12345)
• fix: duplicated CRD in helm kustomization (#4518, @wweiwei-li)
• generate v2.17.0 conformance test report (#4521, @shuqz)
• [feat gw-api]support jwt validation (#4516, @shuqz)
• fix helm chart version (#4515, @wweiwei-li)

v2.17.0

v2.17.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.17.0
Thanks to all our contributors! 😊

Known Issues

Helm Chart 1.17.0 includes duplicated CRD globalaccelerators, causing kustomize render to fail

⚠️ Actions required to use the new AWS Global Accelerator controller

• CRD Updates - If you're upgrading the charts using helm upgrade, you need to update CRDs manually: kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/heads/main/config/crd/aga/aga.k8s.aws_globalaccelerators.yaml
• IAM Policy Updates - Update the controller's IAM policy with Global Accelerator permissions (see IAM Policy)
• RBAC Updates - Apply the latest RBAC definitions for Global Accelerator controller permissions (see RBAC)
• Feature Flag for Global Accelerator - Enable the feature flag --enable-global-accelerator=true,--feature-gates=EnableRGTAPI to use Accelerator functionality

🚀 What's New

AWS Global Accelerator Support - A new controller that enables declarative management of AWS Global Accelerators directly from Kubernetes using Custom Resource Definitions (CRDs). It allows users to define Global Accelerator resources as Kubernetes manifests, automatically provisioning and managing accelerators, listeners, endpoint groups, and endpoints that reference Kubernetes Ingress, Kubernetes Services, Kubernetes Gateway, and AWS resource ARNs. For more details, check the documentation:

• Introduction of AWS Global Accelerator Controller
• Installation and Prerequisites for AWS Global Accelerator Controller
• Example of using AWS Global Accelerator Controller

Gateway API - GA Release Candidate: The Gateway API implementation in this release is considered a Release Candidate for its General Availability (GA) release planned for next month. We encourage extensive testing in production-like environments and welcome your feedback via GitHub issues to ensure a stable GA release. What's new in this release:

• TCP_UDP Protocol: Complete support for combined TCP_UDP protocol on NLB Gateways with detailed usage guidance
• Per-ParentRef Status: Route status now correctly updates per parentRef instead of per-route
• ReplacePrefixMatch: Enhanced support with documented ALB limitations
• Conformance Report: Generated Gateway API conformance report with detailed test results
• ACM Cert Discovery: Fixed memory leak in ACM certificate discovery
• App Protocol Support: Added support for kubernetes.io/h2c App Protocol

🔧 Enhancements and Fixes

✨ Enhancements

• Cross-Zone Handling: Improved handling for cross-zone disabled ALBs with automatic AZ detection
• Weighted Target Groups: Added support for weighted target groups on NLB listeners

🐛 Bug Fixes

• Helm Template: Fixed objectSelector.matchExpressions indentation in webhook.yaml
• Helm Chart: Added --max-targets-per-target-group flag support

📚 Documentation

• Prometheus Metrics: Corrected metric names to include aws_ prefix in documentation

Changelog since v2.16.0

• cut v2.17.0 release (#4514, @wweiwei-li)
• fix kustomize build error by correcting webhook name (#4513, @wweiwei-li)
• Fix markdown issue for the FR template (#4507, @guessi)
• bundle AGA crds into standard deployment (#4512, @wweiwei-li)
• Fix IPv6 tests (#4511, @wweiwei-li)
• Fix typo in pod readiness gate doc (#4420, @davidxia)
• add trust store e2e test and script for local testing (#4510, @shuqz)
• correct drift check for mtls listeners (#4505, @zac-nixon)
• handle cross zone disabled for alb (#4496, @shuqz)
• Add missing RBAC permissions for GlobalAccelerator CRD (#4508, @wweiwei-li)
• Run CI test in parallel (#4503, @wweiwei-li)
• Add check for duplicate endpoints (#4502, @wweiwei-li)
• Add condition to AGA IAM policy (#4501, @wweiwei-li)
• refactor app protocol, add support for app protocols that kubernetes + elb supports (#4500, @zac-nixon)
• Add basic aga controller e2e tests (#4485, @wweiwei-li)
• docs(prometheus): metric name should include aws_ prefix (#4443, @samuelmasuy)
• feat: add maxTargetsPerTarget group flag to helm chart (#4408, @mmiller-sh)
• use one instance of acm cert discovery in gateway builder (#4493, @zac-nixon)
• [feat gw-api]conformance report (#4489, @shuqz)
• [feat gw-api]add e2e for gateway status update validation (#4488, @shuqz)
• [feat gw-api]modify route status update per parentRef (#4483, @shuqz)
• NLB weighted target groups (#4484, @zac-nixon)
• [feat aga] Move iam policies into its own file for easy setup (#4486, @shraddhabang)
• [feat aga] Implement auto-discovery feature for supported endpoints (#4476, @shraddhabang)
• [feat aga] Add documentation for AGA controller (#4478, @shraddhabang)
• [feat aga] Implement endpoint management for endpoint groups in accelerator (#4471, @shraddhabang)
• [gw api] Add TCP_UDP for gateway api (#4469, @zac-nixon)
• Support BYOIP (#4475, @wweiwei-li)
• [feat aga] Implement endpoint group management with port override conflict resolution (#4470, @shraddhabang)
• [feat aga] Implement AGA endpoint resource references loading and monitoring (#4458, @shraddhabang)
• Merge AGAController branch into main (#4466, @zac-nixon)
• [feat aga] Add AGA listener support without auto-discovery (#4436, @shraddhabang)

v2.16.0

v2.16.0 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.16.0
Thanks to all our contributors! 😊

Action required

🚨 🚨 🚨 For ALB Target Optimizer Users who want to use auto-injection for ALB target control agent: New CRD ALBTargetControlConfig has been added. Update your CRDs and RBAC. If you're upgrading the charts using helm upgrade, you need to update CRDs manually: kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/heads/main/config/crd/bases/elbv2.k8s.aws_albtargetcontrolconfigs.yaml also update rbac policy by applying the latest changes kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/heads/main/config/rbac/role.yaml

What’s new

We're excited to announce two new features!

• Introduced Target Optimizer for Application Load Balancers (ALB). This feature enables ALB customers to configure capacity-aware load balancing, useful for workloads that have strict limitations on how many concurrent requests each target can process. To get started, you must deploy the Target Optimizer agent sidecar with your application pods.
  • AWS what’s new
  • Drive application performance with Application Load Balancer Target Optimizer
  • How to use it in the controller
• Introduced weighted target groups for Network Load Balancers (NLB). This feature allows users to configure weights among multiple NLB target groups. Weighted target groups enable you to easily perform blue/green and canary deployment strategies, all while using one NLB and with zero downtime.
  • AWS what’s new
  • Network Load Balancers now support Weighted Target Groups
  • How to use it in the controller

Changelog since v2.15.0

• cut v2.16.0 release (#4462, @wweiwei-li)
• Support ALB TargetOptimizer (#4461, @wweiwei-li)
• Add support for service weighted target groups (#4455, @kellyyan)

v2.15.0

📚 Quick Links

v2.15.0 (requires Kubernetes 1.22+)

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.15.0

Documentation

Thanks to all our contributors!💜💜💜

---

What’s new

We're excited to announce two new features!

• ALB has added the ability to configure JWT validation. See the what's new post for more information. https://aws.amazon.com/about-aws/whats-new/2025/11/application-load-balancer-jwt-verification. For more information, check out the new ingress annotation, alb.ingress.kubernetes.io/jwt-validation.
• NLB has added a new protocol, QUIC pass through. See the what's new post for more information. https://aws.amazon.com/about-aws/whats-new/2025/11/aws-network-load-balancer-quic-passthrough-mode. To see how to get started with QUIC and the load balancer controller, checkout the new use case: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.15/guide/use_cases/quic/

What's Changed

• fix: Race condition in webhook certificate renewal with cert-manager self-signed issuer without a dedicated CA certificate by @praddy26 in #4359
• [feat: aga] add accelerator model builder by @shraddhabang in #4403
• [gw api] add disable security group flag to lb config for gateway users by @zac-nixon in #4404
• [gw api] discover certs for route hostnames by @zac-nixon in #4407
• [gw api] Support literal target group ARNs by @zac-nixon in #4406
• Fix EIP Allocations annotation in docs by @arcdigital in #4409
• [feat gw-api]return multiple types in listener status by @shuqz in #4411
• [gw api] Support SG rule generation for no SG LBs by @zac-nixon in #4413
• Add generic tag processing system for controllers by @shraddhabang in #4415
• update to go 1.24.9 by @zac-nixon in #4421
• [gw api] fix listener config generation when port is duplicated by @zac-nixon in #4419
• [feat gw-api]handle hostname intersection by @shuqz in #4417
• [feat gw-api]add conformance test setup by @shuqz in #4422
• Correct hostname by @wweiwei-li in #4425
• Add eusc iam policy by @wweiwei-li in #4426
• New use case "Legacy App Integration" by @dumlutimuralp in #4424
• Support URLRewrite in HTTPRoutes by @zac-nixon in #4418
• [gw api] Implement ALB target of NLB by @zac-nixon in #4430
• Correct enum for healthCheckProtocol field by @dex4er in #4432
• [feat aga] Disable AGAController as its in ready yet by @shraddhabang in #4435
• add shuqz in owner file by @shuqz in #4441
• update to use controller-gen v0.19.0 by @shuqz in #4444
• Add support for jwt validation action at the ingress level by @sarevalo2002 in #4445
• Add support QUIC Passthrough for NLB by @zac-nixon in #4448
• v2.15.0 release by @zac-nixon in #4449

New Contributors

• @arcdigital made their first contribution in #4409
• @dumlutimuralp made their first contribution in #4424
• @dex4er made their first contribution in #4432

Full Changelog: v2.14.1...v2.15.0

v2.14.1

📚 Quick Links

v2.14.1 (requires Kubernetes 1.22+)

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.14.1

Documentation

Thanks to all our contributors!💜💜💜

---

What’s new

We’re excited to announce support for ALB URL Rewrite! You can use this new feature to transform request URLs using regex patterns (e.g., rewrite /api/v1/users to /users, or ^/api/v1/(.*)$ to /$1). Check out the new use case in our documentation on how to configure your ingress resources to utilize this new capability. For more information about the feature, please see the AWS launch announcement.

Enhancement and Fixes

• Introduced ALB URL Rewrite support! ( Too many feature request issues to link here ;) )
• Fixed ListenerAttribute string parsing to allow for multiple values. (#4363)
• Added ability to configure maximum targets per TargetGroupBinding (#4360)
• Fixed ListenerRule comparison check that incorrectly marks rules as drifted.
• New Gateway Route & Listener Statuses
• Fixed WAF name retrieval (#4388)
• Added support for EKS Hybrid nodes (#4315)
• Added low priority tag additions (#4030)
• Fixed edge case that prevented Listener modifications if rule limit has been exceeded (#4373)
• Updated docs for NLB healthchecks (#3419)

What's Changed

• feat: Add flag to limit the max number of targets added to an ELB by @mmiller-sh in #4361
• support comma in string pars value by @shuqz in #4375
• fix e2e tests by @zac-nixon in #4379
• feat(helm): support templating in service account annotations by @samuelmasuy in #4374
• fix sorting when comparing listener rule differences by @zac-nixon in #4382
• [feat gw-api]update gateway status based on observation generation by @shuqz in #4383
• test: replace AWS SDK v1 imports with v2 by @Juneezee in #4364
• fix waf name resolution by @zac-nixon in #4390
• [feat: aga] add AWS Global Accelerator CRD with comprehensive validation by @shraddhabang in #4389
• [feat: aga] add basic framework for AGA controller by @shraddhabang in #4392
• feat: add EKS Hybrid Nodes support by @sanbyk in #4336
• Implement support for URL and Host Header Rewrite for Application Load Balancer by @andreybutenko in #4396
• feat: add feature toggle to allow controller default tags to be overridden by annotation supplied tags by @mwhittington21 in #4384
• Update annotations documentation to include support for named ports in NLB health check configuration by @igor-kupczynski in #4386
• re-enable tls tests with new certs by @zac-nixon in #4397
• fix bad merge conflict resolution by @zac-nixon in #4401
• [bug fix] handle rules exceeded error in listener rule synthesizer by @zac-nixon in #4393
• cut v2.14.1 release by @zac-nixon in #4402

New Contributors

• @mmiller-sh made their first contribution in #4361
• @samuelmasuy made their first contribution in #4374
• @Juneezee made their first contribution in #4364
• @sanbyk made their first contribution in #4336
• @mwhittington21 made their first contribution in #4384
• @igor-kupczynski made their first contribution in #4386

Full Changelog: v2.14.0...v2.14.1

v2.14.0

Beta Release: Gateway API Layer 7 (L7) Routing for AWS Load Balancer Controller

We are excited to announce the Beta release of Layer 7 (L7) routing support for the Kubernetes Gateway API within the AWS Load Balancer Controller (LBC)!🥳🥳🥳 This highly anticipated feature allows you to provision and manage AWS Application Load Balancers (ALBs) for HTTP, HTTPS, and GRPC traffic directly from your Kubernetes clusters using the extensible Gateway API. Please refer to L7 Gateway API Documentation to learn more.

This beta release focuses on Gateway API features with comprehensive status reporting, advanced authentication, and stability improvements. While we encourage you to test these features extensively in your development environments, please be aware that this is a Beta release and is not yet production-ready. We are actively gathering feedback to finalize stability for official production use. This Beta status applies only to the new Gateway API features. All existing controller functionality for standard Ingress, Service and TargetGroupBinding resources remains stable and is safe for production workflows. Please restrict use of the new Gateway API features to testing and development environments.

---

📚 Quick Links

v2.14.0 (requires Kubernetes 1.22+)

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.14.0

Documentation

Thanks to all our contributors!💜💜💜

---

⚠️ Action Required

EndpointSlices Now Default

• Change: EndpointSlices enabled by default (better performance and old endpoint api is on deprecation path: https://kubernetes.io/blog/2025/04/24/endpoints-deprecation/)
• Action: No action needed. Use --enable-endpoint-slices=false if issues occur

CRD Updates

• Change: We’ve added new fields to both the IngressClassParams and TargetGroupBinding.
• Action : Please apply the latest CRD definitions: kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"

---

🚀 What's New in Ingress, Services and TargetGroupBinding

Enhanced Defaulting Flag

• New: EnhancedDefaultBehavior flag for better annotation lifecycle management
• Impact: Enable this feature to allow the controller to remove ALPN and mTLS settings by removing the corresponding annotation

CRD Naming Fix

• Fixed: IngressClassParams singular name: ingressclassparams → ingressclassparam
• Impact: No action required. Both name will be supported, existing customers are not impacted. New customers please use correct name. Resolves SingularConflict errors

Configuration Improvements

• IngressClassParams Enhancements:
  • Load balancer name specification
  • SSL redirect port configuration
  • WAFv2 ARN/name support
  • PrefixListsIDs backward compatibility
• Target Group Names: Use names instead of ARNs in forward actions
• Granular NLB SG: Disable NLB Security Groups at the individual Service, instead of at the controller level.
• Frontend NLB Tags: Dedicated tagging for frontend NLBs

---

🚀 What's New in Gateway API

Status Update & Observability

• Gateway Listener Status: Complete status reporting with all condition types (Conflicted, Accepted, ResolvedRefs, Programmed)
• Route Status Management: Fixed infinite reconcile loops, proper lifecycle management
• E2E Status Tests: Comprehensive validation for UDP, TCP, HTTP, gRPC route statuses
• Target Group Metrics: New aws_target_group_info metric for CloudWatch integration

Advanced Authentication

• OIDC Support: Complete OpenID Connect integration via ListenerRuleConfiguration
• Cognito Integration: Complete AWS Cognito integration via ListenerRuleConfiguration

Enhanced Routing

• gRPC Partially Supported: Complete gRPC routing with header/method matching, E2E tests
• Source IP Conditions: Advanced source IP matching in rules
• Multiple Header Values: Support comma-separated header values
• Hostname Uniqueness: Enforced between gRPC and HTTP routes

Traffic Management

• Target Group Stickiness: Session affinity support
• Fixed Response Actions: Custom status codes and response bodies
• Port-Specific Attributes: Different target group attributes per service port
• Weighted Target Group Fixes: Improved comparison logic

Infrastructure

• Gateway API Addons: WAFv2 and Shield support for Gateway API
• IPv6 Support: Complete IPv6 testing and validation
• Elastic IP Support: Frontend NLB Elastic IP allocation

---

🔧 Enhancements and Fixes

Performance & Reliability

• Go 1.24.6: Security fixes and performance improvements
• DNS Timeout: Configurable DNS propagation timeout
• TGB Checkpoints: Fixed check-pointing after accidental service port deletion.
• Error Metrics: Fixed metric pollution from expected errors

Bug Fixes

• Weighted Target Groups: Fixed unnecessary rule modifications causing 4XX errors when using Weighted Target Groups.
• TCP_UDP Security Groups: Proper ingress rule generation for TCP_UDP listeners
• Backend SG Tags: Automatically sync Security Groups tags on backend Security Groups.

Documentation & Testing

• Resource Cleanup Guide: Proper deletion order documentation
• Scaling Documentation: Guidelines for large cluster deployments
• Comprehensive E2E Tests: gRPC, IPv6, status validation, authentication
• Error Message Improvements: Clearer guidance for common issues

🌟 Complete Change Log

• [feat gw-api]implement hostname uniqueness for httproute and grpcrout… by @shuqz in #4288
• [Gateway API] Add Addon Support by @zac-nixon in #4277
• chore: fix prefixlistsids typo in readme by @1ms-ms in #4289
• Add TG protocol into TGB by @zac-nixon in #4282
• feat: allow targetGroupName instead of targetGroupARN in forward action ingress annotations by @pascal-hofmann in #4281
• modify PrefixListsIDs with backward compatibility by @shuqz in #4293
• feature: add load balancer name to IngressClassParams by @1ms-ms in #4290
• upgrade go version by @shuqz in #4299
• [helm-chart] allow setting revisionHistoryLimit for webhook Certificate by @alex-berger in #4228
• [feat:gw api] Add tg stickiness and fixed response by @shuqz in #4298
• add granular NLBSG disable annotation by @zac-nixon in #4295
• fix sg rule generation for TCP_UDP and legacy SG path by @zac-nixon in #4305
• fix/docs: formatting issue in security_groups.md by @mtulio in #4219
• Fix IngressClassParams CRD singular naming to resolve SingularConflict by @laradji in #4201
• Add wafv2AclArn field to IngressClassParams by @mikutas in #3961
• [gw api] Fix overwrite of route status by @zac-nixon in #4309
• feat: add target group info metric by @msvticket in #3581
• add configurable timeout for dns propagation by @zac-nixon in #4311
• [feat gw api] Add auth cognito action for secure listeners on ALBs by @shraddhabang in #4313
• feature: get waf arn from name by @1ms-ms in #4312
• fix http / grpc route rule generation by @zac-nixon in #4316
• re introduce grpc routes by @zac-nixon in #4318
• feature: add ssl redirect port to IngressClassParams by @1ms-ms in #4308
• [feat gw-api]support multiple header value in condition by @shuqz in #4321
• [gw api] add grpc e2e tests by @zac-nixon in #4323
• fix: Resource tags don't propagate to frontend NLB #4279 by @praddy26 in #4328
• doc updates for scaling, IMDS usage by @zac-nixon in #4327
• Add elastic IP annotation to front end NLB by @swarner1033 in #4330
• feat: sync created Backend SG tags by @phuhung273 in #3990
• [feat gw api] Add authenticate oidc action support for L7 gateway by @shraddhabang in ...

v2.13.4

v2.13.4 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.13.4
Thanks to all our contributors! 😊

Action required

🚨 🚨 🚨 For user who is trying out our gateway api features, we’ve created a new CRD ListenerRuleConfiguration. Make sure to update the CRD definition in your cluster. If you're upgrading the charts using helm upgrade, you need to update CRDs manually: kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/heads/main/config/crd/gateway/gateway-crds.yaml also update rbac policy by applying the latest changes from rbac.yaml

What’s new

We’ve been working on ALB support in Gateway API. Some of the main additions are:

• introduced a new ListenerRuleConfiguration CRD that lets you use those AWS ALB features that Gateway API doesn't support yet. Note: we have not complete all development on this new CRD. Therefore, it is not recommended to use it at this time.
• added Reference Grant support
• added mTLS support
• weighted target group is now supported for HTTPRoutes
• TLS listeners now accept TCP routes

Enhancement and Fixes

• Upgraded Go to 1.24.5
• Fixed NLB security groups not working when multiple security groups assigned
• Added Patch permission to loadbalancerconfigurations in helm chart
• Made the error message more clear when someone tries to use ClusterIP services with Instance targets
• CI now runs on K8s 1.32 instead of 1.25
• Increased E2E test coverage

Full Changelog

• feat: Allow usage of namedPorts for sidecar containers by @heshamelsherif97 in #4237
• Feat(performance): Use protobuf as default type instead of json by @RiskyAdventure in #4093
• update ci k8s version by @zac-nixon in #4244
• clear confusion around using ClusterIP service and Instance targets by @zac-nixon in #4243
• [feat gw-api]implement httproute matching and weighted target group by @shuqz in #4241
• Bugfix: Add ability to patch loadbalancerconfigurations to helm RBAC by @timothy-spencer in #4248
• [gw api] add TLS and UDP listener tests. Fix bugs that were found from the tests by @zac-nixon in #4250
• [feat gw-api]support httproute filter type - RequestRedirect by @shuqz in #4255
• [feat: gw api] Add secure HTTPRoute and mutual auth support for L7 Ga… by @shraddhabang in #4259
• fix frontend NLB security group by @wweiwei-li in #4261
• [feat: gw api] Add Rules CRD for customizing Gateway API L7 routes by @shraddhabang in #4265
• Update K8s version support by @realjoshparker in #4266
• [feat gw-api] backfill E2E tests by @shuqz in #4264
• [gw api] Reference Grant support to allow cross namespace service access by @zac-nixon in #4267
• refactor how no backends are modeled in NLB / ALB Gateways by @zac-nixon in #4273
• [feat: gw api] Add event handling for Rules CRD by @shraddhabang in #4274
• [feat gw-api] implement grpcroute match by @shuqz in #4270
• [feat: gw api] Add finalizers for Rules CRD by @shraddhabang in #4275
• upgrade go version to 1.24.5 by @shuqz in #4276
• cut v2.13.4 release by @shuqz in #4278

New Contributors

• @heshamelsherif97 made their first contribution in #4237
• @RiskyAdventure made their first contribution in #4093
• @timothy-spencer made their first contribution in #4248
• @realjoshparker made their first contribution in #4266

Full Changelog: v2.13.3...v2.13.4

v.2.13.3

v2.13.3 (requires Kubernetes 1.22+)

Documentation

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.13.3
Thanks to all our contributors! 😊

Action required

🚨 🚨 🚨 We’ve updated the Gateway API relevant LBC CRDs LoadBalancerConfigurations and TargetGroupConfigurations Make sure to update the CRD definition in your cluster. If you're upgrading the charts using helm upgrade, you need to update CRDs manually: kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/refs/heads/main/config/crd/gateway/gateway-crds.yaml

What’s new

• We are pleased to announce the (Beta) of Layer 4 (L4) routing support for the Kubernetes Gateway API within the AWS Load Balancer Controller (LBC). This significant enhancement allows users to provision and manage AWS Network Load Balancers (NLBs) for TCP, UDP, and TLS traffic directly from their Kubernetes clusters, leveraging the powerful and extensible Gateway API. The LBC now fully supports the GatewayClass ,Gateway, TCPRoute, UDPRoute, and TLSRoute resources from the Gateway API. Please refer L4Routing for more info.

Enhancement and Fixes

• Upgraded Secuirty group deletion to be more responsive.
• Reduced the duplicated DescribeTargetGroups calls to enhance performance.
• Docs updates

Changelog since v2.13.2

• [feat: gw api]Adding docs for L4 routing for gateway api (#4232, @shraddhabang)
• Add ingress class example (#4221, @wweiwei-li)
• tg / lb conf finalizers (#4230, @zac-nixon)
• Update to go 1.24.4 (#4231, @zac-nixon)
• add ip target tests for gateway api(#4227, @zac-nixon)
• [feat: gw api] Fix edge cases for lb config finalizers (#4225, @shraddhabang)
• refactor deferred reconciler to always process tgb on start up (#4224, @zac-nixon)
• [gw api] Add TG config logic to find and create user specified TG config.(4220, @zac-nixon)
• [feat gw-api]implement finalizer (#4217, @shuqz)
• [bug fix] Make SG deletion more responsive(#4216,@zac-nixon)
• [feat: gw api][bug fix] generate sg rules using listener protocols (#4198, @shraddhabang)
• docs: update security_groups.md tabulation (#4193, @mtulio)
• fix: Failing tests in ipv6 cluster(#4211, @wweiwei-li)
• [feat: gw api] Fix the auto cert discovery logic for secure listeners on gateways (#4214, @shraddhabang)
• [feat gw-api]handle resolvedRef for route status update and update ho…(#4210, @shuqz)
• Reduce duplicated DescribeTargetGroups calls(#4208, @wweiwei-li)
• [feat gw-api]bugfix and prevent backward generation route status update(##4206, @shuqz)
• [gw api] Add Gateway API integ framework(#4205, @zac-nixon)
• Add EKS Auto Mode considerations to documentation(#4196, Andrey Butenko)
• docs: Change AWS Cognito Domain tip to warning(#4195, @ragul-engg)
• [feat gw api] add support for infra labels + annotations(#4191, @zac-nixon)
• [feat: gw api] support gw deletion(#4192, @zac-nixon)
• Fix prefixListIDs typos(#4187, @gdlx)

v2.13.2

Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.13.2

This release fixes TLS Protocol detection:
#4183
#4181