diff --git a/docs/deploy/installation.md b/docs/deploy/installation.md index 5f791597d..9febf4a5c 100644 --- a/docs/deploy/installation.md +++ b/docs/deploy/installation.md @@ -26,6 +26,9 @@ The LBC is supported by AWS. Some clusters may be using the legacy "in-tree" fun * Ensure subnets are tagged appropriately for auto-discovery to work * For IP targets, pods must have IPs from the VPC subnets. You can configure the [`amazon-vpc-cni-k8s`](https://github.com/aws/amazon-vpc-cni-k8s#readme) plugin for this purpose. +### Additional requirements for isolated cluster: +Isolated clusters are clusters without internet access, and instead reply on VPC endpoints for all required connects. +When installing the AWS LBC in isolated clusters, you need to disable shield, waf and wafv2 via controller flags `--enable-shield=false, --enable-waf=false, --enable-wafv2=false` ### Using the Amazon EC2 instance metadata server version 2 (IMDSv2) We recommend blocking the access to instance metadata by requiring the instance to use [IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html) only. For more information, please refer to the AWS guidance [here](https://aws.github.io/aws-eks-best-practices/security/docs/iam/#restrict-access-to-the-instance-profile-assigned-to-the-worker-node). If you are using the IMDSv2, set the hop limit to 2 or higher in order to allow the LBC to perform the metadata introspection. 
@@ -155,6 +158,7 @@ Review the [worker nodes security group](https://docs.aws.amazon.com/eks/latest/ If you use [eksctl](https://eksctl.io/usage/vpc-networking/), this is the default configuration. +If you use custom networking, please refer to the [EKS Best Practices Guides](https://aws.github.io/aws-eks-best-practices/networking/custom-networking/#use-custom-networking-when) for network configuration. ## Add controller to cluster We recommend using the Helm chart to install the controller. The chart supports Fargate and facilitates updating the controller. @@ -174,7 +178,8 @@ We recommend using the Helm chart to install the controller. The chart supports ``` 2. If upgrading the chart via `helm upgrade`, install the `TargetGroupBinding` CRDs. ``` - kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller//crds?ref=master" + wget https://raw.githubusercontent.com/aws/eks-charts/master/stable/aws-load-balancer-controller/crds/crds.yaml + kubectl apply -f crds.yaml ``` !!!tip diff --git a/docs/guide/ingress/ingress_class.md b/docs/guide/ingress/ingress_class.md index 42fd2830d..731d1e0a6 100644 --- a/docs/guide/ingress/ingress_class.md +++ b/docs/guide/ingress/ingress_class.md @@ -104,6 +104,33 @@ You can use IngressClassParams to enforce settings for a set of Ingresses. - key: idle_timeout.timeout_seconds value: "120" ``` + - with subnets.ids + ``` + apiVersion: elbv2.k8s.aws/v1beta1 + kind: IngressClassParams + metadata: + name: awesome-class + spec: + subnets: + ids: + - subnet-xxx + - subnet-123 + ``` + - with subnets.tags + ``` + apiVersion: elbv2.k8s.aws/v1beta1 + kind: IngressClassParams + metadata: + name: class2048-config + spec: + subnets: + tags: + kubernetes.io/role/internal-elb: + - "1" + myKey: + - myVal0 + - myVal1 + ``` ### IngressClassParams specification diff --git a/docs/index.md b/docs/index.md index 09ca5c88a..d21424e6f 100644 --- a/docs/index.md +++ b/docs/index.md 
@@ -52,3 +52,5 @@ This project was formerly known as "AWS ALB Ingress Controller", we rebranded it If you think you’ve found a potential security issue, please do not post it in the Issues. Instead, please follow the instructions [here](https://aws.amazon.com/security/vulnerability-reporting/) or [email AWS security directly](mailto:aws-security@amazon.com). +## Support Policy +Currently, AWS provides security updates and bug fixes to the latest available minor versions of AWS LBC. For other ad-hoc supports on older versions, please reach out through AWS support ticket. diff --git a/pkg/targetgroupbinding/networking_manager.go b/pkg/targetgroupbinding/networking_manager.go index e3ec314b8..9671c34b1 100644 --- a/pkg/targetgroupbinding/networking_manager.go +++ b/pkg/targetgroupbinding/networking_manager.go @@ -7,7 +7,6 @@ import ( "net" "strings" "sync" - libErrors "errors" awssdk "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/awserr"
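Review bot: In the installation.md hunk at `@@ -26,6 +26,9 @@`, the added "Additional requirements for isolated cluster:" paragraph has two wording errors that should be fixed before merge: "reply on VPC endpoints" should be "rely on VPC endpoints", and "all required connects" should be "all required connections". The flag list is also written as one inline code span `--enable-shield=false, --enable-waf=false, --enable-wafv2=false`, which reads as a single comma-separated argument; split it into three separate code spans (or a short fenced block with one flag per line) so readers pass them as three distinct controller flags, and consider stating why they are needed (the controller cannot reach the Shield/WAF service endpoints without internet access) so operators understand the impact of disabling them.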
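Review bot: In the installation.md hunk at `@@ -174,7 +178,8 @@`, the replacement `wget https://raw.githubusercontent.com/aws/eks-charts/master/stable/aws-load-balancer-controller/crds/crds.yaml` followed by `kubectl apply -f crds.yaml` fetches an unpinned file from `master` with no integrity check and leaves `crds.yaml` behind in the working directory. Since this step installs CRDs cluster-wide, the docs should reference a release tag rather than `master` (or at least point out that the URL tracks the moving branch), and either pipe the file straight into `kubectl apply -f -` or tell the reader to remove it afterwards.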
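Review bot: In the ingress_class.md hunk at `@@ -104,6 +104,33 @@`, the two new examples use unrelated object names (`awesome-class` and `class2048-config`), and neither bullet says what the setting does; a one-line description under "with subnets.ids" and "with subnets.tags" (which subnets are selected, and whether an Ingress can still override them via annotation) would match the purpose stated at the top of the section, "enforce settings for a set of Ingresses". Please also confirm that the `### IngressClassParams specification` section that follows documents `spec.subnets.ids` and `spec.subnets.tags`, since this patch only adds examples.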
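Review bot: In the index.md hunk at `@@ -52,3 +52,5 @@`, the added "Support Policy" text has a grammatical error ("other ad-hoc supports" should be "other ad-hoc support") and is vague about scope: "the latest available minor versions" does not say how many minor versions, or whether a patch release of an older minor line can still receive a security fix. Please state the exact policy (for example, the latest minor version only) so users can plan upgrades, and link to the support ticket process rather than just naming it.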
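Review bot: The networking_manager.go hunk at `@@ -7,7 +7,6 @@` only removes the aliased import `libErrors "errors"`; this is fine as long as no remaining call in the file uses `libErrors.`, which the compiler will confirm, but the change is unrelated to the documentation updates and would be easier to track as a separate commit.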