Docs: clarify behavior for manage-backend-security-group-rules

Issue #3660. Signed-off-by: Raul Gutierrez Segales <[email protected]>
kubernetes-sigs · Apr 23, 2024 · 74184a0 · 74184a0
1 parent 102b616
commit 74184a0
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/docs/guide/service/annotations.md b/docs/guide/service/annotations.md
@@ -49,7 +49,7 @@
 | [service.beta.kubernetes.io/aws-load-balancer-target-node-labels](#target-node-labels)           | stringMap               |                           |                                                        |
 | [service.beta.kubernetes.io/aws-load-balancer-attributes](#load-balancer-attributes)             | stringMap               |                           |                                                        |
 | [service.beta.kubernetes.io/aws-load-balancer-security-groups](#security-groups)                 | stringList              |                           |                                                        | 
-| [service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules](#manage-backend-sg-rules)  | boolean    | true                      |                                                        |
+| [service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules](#manage-backend-sg-rules)  | boolean    | true                      | If `service.beta.kubernetes.io/aws-load-balancer-security-groups` is specified, this must also be explicitly specified otherwise it defaults to `false`. |
 | [service.beta.kubernetes.io/aws-load-balancer-inbound-sg-rules-on-private-link-traffic](#update-security-settings)         | string                  |                           |                                                                                   
 
 ## Traffic Routing
@@ -482,7 +482,7 @@ Load balancer access can be controlled via following annotations:
 - <a name="manage-backend-sg-rules">`service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules`</a> specifies whether the controller should automatically add the ingress rules to the instance/ENI security group.
 
     !!!warning ""
-        If you disable the automatic management of security group rules for an NLB, you will need to manually add appropriate ingress rules to your EC2 instance or ENI security groups to allow access to the traffic and health check ports.
+        If you disable the automatic management of security group rules for an NLB (e.g.: by setting `service.beta.kubernetes.io/aws-load-balancer-security-groups`), you will need to manually add appropriate ingress rules to your EC2 instance or ENI security groups to allow access to the traffic and health check ports.
 
     !!!example
         ```