Description
What would you like to be added?
Add support for tagging the automatically created backend security group that is attached to EC2 nodes when using:
- `Service.type=LoadBalancer`
- `externalTrafficPolicy=Local`
This could be implemented via a new service annotation like:
```yaml
service.beta.kubernetes.io/aws-load-balancer-backend-security-group-tags: "Environment=prod,Owner=devops"
```
This would allow users to inject tags into the backend security group during creation.
Why is this needed?
In AWS, when externalTrafficPolicy: Local is used with a LoadBalancer-type Service (e.g., ingress-nginx or other controllers), the Cloud Controller Manager (CCM) automatically creates a backend security group to allow ingress from the NLB to EC2 worker nodes.
However, this SG is created without tags.
In organizations where Service Control Policies (SCPs) are enforced (e.g., AWS Organizations with tagging compliance), this causes the NLB provisioning to fail, because untagged resources are denied at creation time.
Currently:
- There is support for tagging the LoadBalancer itself using `service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags`
- There is no support for tagging this backend SG
This feature is critical for:
- Enterprises with strict SCPs
- Environments using automated governance or tagging audits
- Improved security and visibility of all resources created by Kubernetes
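To make the proposal concrete, here is an added example (not code from cloud-provider-aws) of how the proposed annotation value could be parsed and shaped into the create-time `TagSpecifications` that EC2 `CreateSecurityGroup` accepts, plus a check for the tag keys a tagging SCP would require. It assumes the value uses the same `Key1=Value1,Key2=Value2` format as the existing additional-resource-tags annotation; the required-key list is a constructed sample.

```python
from typing import Dict, List


def parse_tag_annotation(value: str) -> Dict[str, str]:
    """Parse a "Key1=Value1,Key2=Value2" annotation value into a tag dict.

    Assumed format (same as the existing additional-resource-tags annotation).
    Raises ValueError on malformed entries, empty keys or duplicate keys.
    """
    tags: Dict[str, str] = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue  # tolerate a trailing comma
        key, sep, val = item.partition("=")  # split at the first '=' only
        key, val = key.strip(), val.strip()
        if not sep or not key:
            raise ValueError(f"malformed tag entry {item!r}: expected Key=Value")
        if key in tags:
            raise ValueError(f"duplicate tag key {key!r}")
        tags[key] = val
    return tags


def to_tag_specifications(tags: Dict[str, str]) -> List[dict]:
    """Shape tags as the TagSpecifications parameter of EC2 CreateSecurityGroup.

    Tagging at creation time matters: an SCP that denies untagged resources is
    evaluated on the create call itself, so tagging the SG afterwards is too late.
    """
    return [{
        "ResourceType": "security-group",
        "Tags": [{"Key": k, "Value": v} for k, v in sorted(tags.items())],
    }]


def missing_required_tags(tags: Dict[str, str], required: List[str]) -> List[str]:
    """Return the required tag keys (e.g. from an org tagging policy) the annotation lacks."""
    return sorted(set(required) - set(tags))


# Constructed sample: the annotation value proposed in this issue.
ANNOTATION_VALUE = "Environment=prod,Owner=devops"

if __name__ == "__main__":
    parsed = parse_tag_annotation(ANNOTATION_VALUE)
    print(to_tag_specifications(parsed))
    # Constructed required-key list; a non-empty result means the SCP would deny creation.
    print(missing_required_tags(parsed, ["Environment", "Owner", "CostCenter"]))
```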
/kind feature