Merge pull request #14540 from olemarkus/bump-lbc-245

Bump AWS Load Balancer Controller to 2.4.5

docs/releases/1.26-NOTES.md

@@ -14,6 +14,7 @@ This is a document to gather the release notes prior to the release.
 
 * Instance group images can now be dynamically fetched through an AWS SSM Parameter.
 
+* The AWS Load Balancer, when enabled, will run on worker nodes if IRSA is enabled as of Kubernetes version 1.24.
 
 # Breaking changes
 

tests/integration/update_cluster/aws-lb-controller/data/aws_s3_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content

@@ -890,11 +890,16 @@ spec:
         - --default-tags=KubernetesCluster=minimal.example.com
         - --aws-region=us-test-1
         env:
+        - name: NODENAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
         - name: AWS_ROLE_ARN
           value: arn:aws-test:iam::123456789012:role/aws-load-balancer-controller.kube-system.sa.minimal.example.com
         - name: AWS_WEB_IDENTITY_TOKEN_FILE
           value: /var/run/secrets/amazonaws.com/token
-        image: amazon/aws-alb-ingress-controller:v2.4.3
+        image: amazon/aws-alb-ingress-controller:v2.4.5
         livenessProbe:
           failureThreshold: 2
           httpGet:

tests/integration/update_cluster/aws-lb-controller/data/aws_s3_object_minimal.example.com-addons-bootstrap_content

@@ -47,7 +47,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.19
     manifest: aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml
-    manifestHash: f3e44a9cd8ba1650b8dbebf5507d01e5c833d646d0c34ef099c052f7b379e072
+    manifestHash: 19ea2082a06998052ce085e25c25a2434d0d284a73c8dcb908744727b84c8deb
     name: aws-load-balancer-controller.addons.k8s.io
     needsPKI: true
     selector:

tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content

@@ -890,11 +890,16 @@ spec:
         - --default-tags=KubernetesCluster=minimal.example.com
         - --aws-region=us-test-1
         env:
+        - name: NODENAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
         - name: AWS_ROLE_ARN
           value: arn:aws-test:iam::123456789012:role/aws-load-balancer-controller.kube-system.sa.minimal.example.com
         - name: AWS_WEB_IDENTITY_TOKEN_FILE
           value: /var/run/secrets/amazonaws.com/token
-        image: amazon/aws-alb-ingress-controller:v2.4.3
+        image: amazon/aws-alb-ingress-controller:v2.4.5
         livenessProbe:
           failureThreshold: 2
           httpGet:

tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_s3_object_minimal.example.com-addons-bootstrap_content

@@ -97,7 +97,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.19
     manifest: aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml
-    manifestHash: f3e44a9cd8ba1650b8dbebf5507d01e5c833d646d0c34ef099c052f7b379e072
+    manifestHash: 19ea2082a06998052ce085e25c25a2434d0d284a73c8dcb908744727b84c8deb
     name: aws-load-balancer-controller.addons.k8s.io
     needsPKI: true
     selector:

tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content

@@ -890,11 +890,16 @@ spec:
         - --default-tags=KubernetesCluster=minimal.example.com
         - --aws-region=us-test-1
         env:
+        - name: NODENAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
         - name: AWS_ROLE_ARN
           value: arn:aws-test:iam::123456789012:role/aws-load-balancer-controller.kube-system.sa.minimal.example.com
         - name: AWS_WEB_IDENTITY_TOKEN_FILE
           value: /var/run/secrets/amazonaws.com/token
-        image: amazon/aws-alb-ingress-controller:v2.4.3
+        image: amazon/aws-alb-ingress-controller:v2.4.5
         livenessProbe:
           failureThreshold: 2
           httpGet:

tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_s3_object_minimal.example.com-addons-bootstrap_content

@@ -104,7 +104,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.19
     manifest: aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml
-    manifestHash: 0c048675f400abb6108ed571576574a4f4138a70ee0917dcfc980764172a03d1
+    manifestHash: 615a3bf4083d8d907e99738f5eb1cddafd5fae8c42b5cf02fcd574447bdc846b
     name: aws-load-balancer-controller.addons.k8s.io
     needsPKI: true
     selector:

tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_s3_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content

@@ -857,7 +857,7 @@ metadata:
   name: aws-load-balancer-controller
   namespace: kube-system
 spec:
-  replicas: 1
+  replicas: 2
   selector:
     matchLabels:
       app.kubernetes.io/component: controller
@@ -870,16 +870,6 @@ spec:
         app.kubernetes.io/name: aws-load-balancer-controller
         kops.k8s.io/managed-by: kops
     spec:
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-            - matchExpressions:
-              - key: node-role.kubernetes.io/control-plane
-                operator: Exists
-            - matchExpressions:
-              - key: node-role.kubernetes.io/master
-                operator: Exists
       containers:
       - args:
         - --cluster-name=minimal.example.com
@@ -890,11 +880,16 @@ spec:
         - --default-tags=KubernetesCluster=minimal.example.com
         - --aws-region=us-test-1
         env:
+        - name: NODENAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
         - name: AWS_ROLE_ARN
           value: arn:aws-test:iam::123456789012:role/aws-load-balancer-controller.kube-system.sa.minimal.example.com
         - name: AWS_WEB_IDENTITY_TOKEN_FILE
           value: /var/run/secrets/amazonaws.com/token
-        image: amazon/aws-alb-ingress-controller:v2.4.3
+        image: amazon/aws-alb-ingress-controller:v2.4.5
         livenessProbe:
           failureThreshold: 2
           httpGet:
@@ -928,11 +923,6 @@ spec:
         fsGroup: 1337
       serviceAccountName: aws-load-balancer-controller
       terminationGracePeriodSeconds: 10
-      tolerations:
-      - key: node-role.kubernetes.io/control-plane
-        operator: Exists
-      - key: node-role.kubernetes.io/master
-        operator: Exists
       topologySpreadConstraints:
       - labelSelector:
           matchLabels:

tests/integration/update_cluster/many-addons-ccm-irsa24/data/aws_s3_object_minimal.example.com-addons-bootstrap_content

@@ -104,7 +104,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.19
     manifest: aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml
-    manifestHash: 0c048675f400abb6108ed571576574a4f4138a70ee0917dcfc980764172a03d1
+    manifestHash: da760fddf2cf54757b8715a92146a7ce5f332199b885bd9b308645180ea215e1
     name: aws-load-balancer-controller.addons.k8s.io
     needsPKI: true
     selector:

tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_s3_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content

@@ -857,7 +857,7 @@ metadata:
   name: aws-load-balancer-controller
   namespace: kube-system
 spec:
-  replicas: 1
+  replicas: 2
   selector:
     matchLabels:
       app.kubernetes.io/component: controller
@@ -870,16 +870,6 @@ spec:
         app.kubernetes.io/name: aws-load-balancer-controller
         kops.k8s.io/managed-by: kops
     spec:
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-            - matchExpressions:
-              - key: node-role.kubernetes.io/control-plane
-                operator: Exists
-            - matchExpressions:
-              - key: node-role.kubernetes.io/master
-                operator: Exists
       containers:
       - args:
         - --cluster-name=minimal.example.com
@@ -890,11 +880,16 @@ spec:
         - --default-tags=KubernetesCluster=minimal.example.com
         - --aws-region=us-test-1
         env:
+        - name: NODENAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
         - name: AWS_ROLE_ARN
           value: arn:aws-test:iam::123456789012:role/aws-load-balancer-controller.kube-system.sa.minimal.example.com
         - name: AWS_WEB_IDENTITY_TOKEN_FILE
           value: /var/run/secrets/amazonaws.com/token
-        image: amazon/aws-alb-ingress-controller:v2.4.3
+        image: amazon/aws-alb-ingress-controller:v2.4.5
         livenessProbe:
           failureThreshold: 2
           httpGet:
@@ -928,11 +923,6 @@ spec:
         fsGroup: 1337
       serviceAccountName: aws-load-balancer-controller
       terminationGracePeriodSeconds: 10
-      tolerations:
-      - key: node-role.kubernetes.io/control-plane
-        operator: Exists
-      - key: node-role.kubernetes.io/master
-        operator: Exists
       topologySpreadConstraints:
       - labelSelector:
           matchLabels:

tests/integration/update_cluster/many-addons-ccm-irsa25/data/aws_s3_object_minimal.example.com-addons-bootstrap_content

@@ -104,7 +104,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.19
     manifest: aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml
-    manifestHash: 0c048675f400abb6108ed571576574a4f4138a70ee0917dcfc980764172a03d1
+    manifestHash: da760fddf2cf54757b8715a92146a7ce5f332199b885bd9b308645180ea215e1
     name: aws-load-balancer-controller.addons.k8s.io
     needsPKI: true
     selector:

tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_s3_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content

@@ -857,7 +857,7 @@ metadata:
   name: aws-load-balancer-controller
   namespace: kube-system
 spec:
-  replicas: 1
+  replicas: 2
   selector:
     matchLabels:
       app.kubernetes.io/component: controller
@@ -870,16 +870,6 @@ spec:
         app.kubernetes.io/name: aws-load-balancer-controller
         kops.k8s.io/managed-by: kops
     spec:
-      affinity:
-        nodeAffinity:
-          requiredDuringSchedulingIgnoredDuringExecution:
-            nodeSelectorTerms:
-            - matchExpressions:
-              - key: node-role.kubernetes.io/control-plane
-                operator: Exists
-            - matchExpressions:
-              - key: node-role.kubernetes.io/master
-                operator: Exists
       containers:
       - args:
         - --cluster-name=minimal.example.com
@@ -890,11 +880,16 @@ spec:
         - --default-tags=KubernetesCluster=minimal.example.com
         - --aws-region=us-test-1
         env:
+        - name: NODENAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
         - name: AWS_ROLE_ARN
           value: arn:aws-test:iam::123456789012:role/aws-load-balancer-controller.kube-system.sa.minimal.example.com
         - name: AWS_WEB_IDENTITY_TOKEN_FILE
           value: /var/run/secrets/amazonaws.com/token
-        image: amazon/aws-alb-ingress-controller:v2.4.3
+        image: amazon/aws-alb-ingress-controller:v2.4.5
         livenessProbe:
           failureThreshold: 2
           httpGet:
@@ -928,11 +923,6 @@ spec:
         fsGroup: 1337
       serviceAccountName: aws-load-balancer-controller
       terminationGracePeriodSeconds: 10
-      tolerations:
-      - key: node-role.kubernetes.io/control-plane
-        operator: Exists
-      - key: node-role.kubernetes.io/master
-        operator: Exists
       topologySpreadConstraints:
       - labelSelector:
           matchLabels:

tests/integration/update_cluster/many-addons-ccm-irsa26/data/aws_s3_object_minimal.example.com-addons-bootstrap_content

@@ -97,7 +97,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.19
     manifest: aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml
-    manifestHash: 0c048675f400abb6108ed571576574a4f4138a70ee0917dcfc980764172a03d1
+    manifestHash: da760fddf2cf54757b8715a92146a7ce5f332199b885bd9b308645180ea215e1
     name: aws-load-balancer-controller.addons.k8s.io
     needsPKI: true
     selector:

tests/integration/update_cluster/many-addons-ccm/data/aws_s3_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content

@@ -889,7 +889,13 @@ spec:
         - --ingress-class=alb
         - --default-tags=KubernetesCluster=minimal.example.com
         - --aws-region=us-test-1
-        image: amazon/aws-alb-ingress-controller:v2.4.3
+        env:
+        - name: NODENAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
+        image: amazon/aws-alb-ingress-controller:v2.4.5
         livenessProbe:
           failureThreshold: 2
           httpGet:

tests/integration/update_cluster/many-addons-ccm/data/aws_s3_object_minimal.example.com-addons-bootstrap_content

@@ -97,7 +97,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.19
     manifest: aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml
-    manifestHash: 5b35b6eba1236bd63720efb533b04bad96eba1c7cb9f1289653a9738b3a2f5e1
+    manifestHash: b2689c2b0412fca98856b0a86b757233c89b6fd65e45d3770f6ea2cc1e6bc710
     name: aws-load-balancer-controller.addons.k8s.io
     needsPKI: true
     selector:

tests/integration/update_cluster/many-addons/data/aws_s3_object_minimal.example.com-addons-aws-load-balancer-controller.addons.k8s.io-k8s-1.19_content

@@ -889,7 +889,13 @@ spec:
         - --ingress-class=alb
         - --default-tags=KubernetesCluster=minimal.example.com
         - --aws-region=us-test-1
-        image: amazon/aws-alb-ingress-controller:v2.4.3
+        env:
+        - name: NODENAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
+        image: amazon/aws-alb-ingress-controller:v2.4.5
         livenessProbe:
           failureThreshold: 2
           httpGet:

tests/integration/update_cluster/many-addons/data/aws_s3_object_minimal.example.com-addons-bootstrap_content

@@ -97,7 +97,7 @@ spec:
     version: 9.99.0
   - id: k8s-1.19
     manifest: aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml
-    manifestHash: 5b35b6eba1236bd63720efb533b04bad96eba1c7cb9f1289653a9738b3a2f5e1
+    manifestHash: b2689c2b0412fca98856b0a86b757233c89b6fd65e45d3770f6ea2cc1e6bc710
     name: aws-load-balancer-controller.addons.k8s.io
     needsPKI: true
     selector:

upup/models/cloudup/resources/addons/aws-load-balancer-controller.addons.k8s.io/k8s-1.19.yaml.template

@@ -717,7 +717,7 @@ metadata:
   name: aws-load-balancer-controller
   namespace: kube-system
 spec:
-  replicas: {{ ControlPlaneControllerReplicas false }}
+  replicas: {{ ControlPlaneControllerReplicas (IsKubernetesGTE "1.24") }}
   selector:
     matchLabels:
       app.kubernetes.io/component: controller
@@ -729,6 +729,7 @@ spec:
         app.kubernetes.io/name: aws-load-balancer-controller
     spec:
       nodeSelector: null
+      {{ if not (and UseServiceAccountExternalPermissions (IsKubernetesGTE "1.24")) }}
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
@@ -739,6 +740,7 @@ spec:
             - matchExpressions:
               - key: node-role.kubernetes.io/master
                 operator: Exists
+      {{ end }}
       containers:
       - args:
         - --cluster-name={{ ClusterName }}
@@ -748,7 +750,13 @@ spec:
         - --ingress-class=alb
         - "--default-tags={{ CloudLabels }}"
         - --aws-region={{ Region }}
-        image: amazon/aws-alb-ingress-controller:{{ or .AWSLoadBalancerController.Version "v2.4.3" }}
+        env:
+        - name: NODENAME
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: spec.nodeName
+        image: amazon/aws-alb-ingress-controller:{{ or .AWSLoadBalancerController.Version "v2.4.5" }}
         livenessProbe:
           failureThreshold: 2
           httpGet:
@@ -779,11 +787,13 @@ spec:
         fsGroup: 1337
       serviceAccountName: aws-load-balancer-controller
       terminationGracePeriodSeconds: 10
+      {{ if not (and UseServiceAccountExternalPermissions (IsKubernetesGTE "1.24")) }}
       tolerations:
         - key: node-role.kubernetes.io/control-plane
           operator: Exists
         - key: node-role.kubernetes.io/master
           operator: Exists
+      {{ end }}
       topologySpreadConstraints:
       - maxSkew: 1
         topologyKey: "topology.kubernetes.io/zone"