[aws-load-balancer-controller] Proposal: distribute managed LB inbound rules across multiple security groups

Lacina ZINA

Jun 26, 2026, 6:13:55 PM
to kubernetes-sig-cloud-provider
Hi all — opening a discussion before I start a PR.

Problem: the controller puts all inbound rules into a single managed frontend security group, so large allow-lists (common in shared-tenant IngressGroups) hit AWS's ~60-rules-per-SG limit and reconciliation fails on RulesPerSecurityGroupLimitExceeded without ever adding capacity.

Proposal: when rules exceed per-SG capacity, distribute them across multiple managed SGs (up to the SGs-per-ENI budget), sized via Service Quotas with a 60/5 fallback. Backward-compatible, opt-in via feature gate + annotation, covers Ingress/Service/Gateway.

This re-raises #3538 (closed, not planned in 2024). Full write-up and design: https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/4800

I'm willing to implement it — looking for a 👍 on direction or any concerns first. Thanks!
— Zina (@zinastack)
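As an added illustration of the sizing logic the proposal describes (not code from the controller, the linked issue or this thread): a Go sketch that applies the 60/5 fallback when no quota value is supplied, chunks a deduplicated allow-list across managed SGs, and refuses the plan up front when more SGs would be needed than the SGs-per-ENI budget allows. InboundRule, PlanSecurityGroups and orDefault are hypothetical names, and the 130-rule allow-list is constructed sample input.

```go
package main

import "fmt"

// Fallback quotas from the proposal, used when Service Quotas cannot be queried.
const (
	DefaultRulesPerSG = 60 // inbound rules per security group
	DefaultSGsPerENI  = 5  // security groups per network interface
)

// InboundRule is a hypothetical, simplified stand-in for an SG ingress permission.
type InboundRule struct{ Proto, CIDR string; Port int }
func orDefault(v, fallback int) int { if v <= 0 { return fallback }; return v }

// PlanSecurityGroups drops duplicate rules (they only burn quota), chunks the rest into
// groups that each fit under rulesPerSG, and fails up front when more SGs would be needed
// than the ENI can carry, instead of letting AWS reject the reconcile part-way through.
func PlanSecurityGroups(rules []InboundRule, rulesPerSG, sgsPerENI int) ([][]InboundRule, error) {
	rulesPerSG, sgsPerENI = orDefault(rulesPerSG, DefaultRulesPerSG), orDefault(sgsPerENI, DefaultSGsPerENI)
	seen := map[InboundRule]bool{}
	var uniq []InboundRule
	for _, r := range rules {
		if !seen[r] {
			seen[r] = true
			uniq = append(uniq, r)
		}
	}
	needed := (len(uniq) + rulesPerSG - 1) / rulesPerSG // ceiling division
	if needed > sgsPerENI {
		return nil, fmt.Errorf("%d rules need %d SGs at %d rules each, but the ENI budget is %d", len(uniq), needed, rulesPerSG, sgsPerENI)
	}
	var groups [][]InboundRule
	for start := 0; start < len(uniq); start += rulesPerSG {
		end := start + rulesPerSG
		if end > len(uniq) {
			end = len(uniq)
		}
		groups = append(groups, uniq[start:end])
	}
	return groups, nil
}

func main() {
	rules := make([]InboundRule, 130) // constructed allow-list: 130 distinct /24s on tcp/443
	for i := range rules {
		rules[i] = InboundRule{Proto: "tcp", CIDR: fmt.Sprintf("10.0.%d.0/24", i), Port: 443}
	}
	groups, err := PlanSecurityGroups(rules, 0, 0)
	fmt.Println(len(groups), err) // 3 <nil>
}
```

With the defaults, 130 rules plan to three SGs (60/60/10); the same list against a budget of two SGs per ENI is rejected before any AWS call is made.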