Hi all — opening a discussion before I start a PR.
Problem: the controller puts all inbound rules into a single managed frontend security group, so large allow-lists (common in shared-tenant IngressGroups) hit AWS's ~60-rules-per-SG limit and reconciliation fails on RulesPerSecurityGroupLimitExceeded without ever adding capacity.
Proposal: when rules exceed per-SG capacity, distribute them across multiple managed SGs (up to the SGs-per-ENI budget), sized via Service Quotas with a 60/5 fallback. Backward-compatible, opt-in via feature gate + annotation, covers Ingress/Service/Gateway.
This re-raises #3538 (closed, not planned in 2024). Full write-up and design:
https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/4800

I'm willing to implement it — looking for a 👍 on direction or any concerns first. Thanks!
— Zina (@zinastack)
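Added illustration of the sizing step described in the proposal (this is example code written for this page, not the controller's code and not part of the issue or the PR): given the rule count and the two quotas, compute how many managed SGs are needed, refuse up front if that exceeds the free SG slots on the ENI, and otherwise chunk the rules deterministically. Fetching the quota values from the Service Quotas API is left to the caller; `ResolveQuotas`, `PlanSecurityGroups`, `AllowListRules`, the `reservedSGs` parameter and the 150-CIDR allow-list are all constructed for the example and are not names from the project.

```go
package main

import (
	"errors"
	"fmt"
)

// Fallback limits used when the Service Quotas lookup yields nothing usable.
// These are the "60/5" defaults mentioned in the proposal (constructed example).
const (
	defaultRulesPerSG = 60
	defaultSGsPerENI  = 5
)

// Quotas is the per-account capacity the planner works against.
type Quotas struct {
	RulesPerSG int // inbound rules allowed in one security group
	SGsPerENI  int // security groups attachable to one ENI
}

// ResolveQuotas applies the 60/5 fallback to values that could not be
// fetched (zero or negative). Obtaining the raw values from the Service
// Quotas API is the caller's job and is not shown here.
func ResolveQuotas(rulesPerSG, sgsPerENI int) Quotas {
	q := Quotas{RulesPerSG: rulesPerSG, SGsPerENI: sgsPerENI}
	if q.RulesPerSG <= 0 {
		q.RulesPerSG = defaultRulesPerSG
	}
	if q.SGsPerENI <= 0 {
		q.SGsPerENI = defaultSGsPerENI
	}
	return q
}

// Rule is a minimal inbound rule: protocol, port and source CIDR.
type Rule struct {
	Protocol string
	Port     int
	CIDR     string
}

// ErrSGBudgetExceeded is returned when even splitting across every SG the
// ENI can carry would not fit the rule set. Surfacing this during planning
// avoids failing mid-reconcile after some groups were already created.
var ErrSGBudgetExceeded = errors.New("rule set exceeds SGs-per-ENI budget")

// PlanSecurityGroups splits rules into chunks, one per managed SG, each
// holding at most q.RulesPerSG rules. reservedSGs counts SGs already on the
// load balancer ENI (for example a backend SG) that the managed frontend
// groups must share the ENI budget with. Input order is preserved so the
// plan is the same on every reconcile.
func PlanSecurityGroups(rules []Rule, q Quotas, reservedSGs int) ([][]Rule, error) {
	q = ResolveQuotas(q.RulesPerSG, q.SGsPerENI) // guard against zero quotas
	if len(rules) == 0 {
		return nil, nil
	}
	budget := q.SGsPerENI - reservedSGs
	needed := (len(rules) + q.RulesPerSG - 1) / q.RulesPerSG // ceiling division
	if needed > budget {
		return nil, fmt.Errorf("%w: %d rules need %d SGs of %d rules, but only %d of %d ENI slots are free",
			ErrSGBudgetExceeded, len(rules), needed, q.RulesPerSG, budget, q.SGsPerENI)
	}
	plan := make([][]Rule, 0, needed)
	for start := 0; start < len(rules); start += q.RulesPerSG {
		end := start + q.RulesPerSG
		if end > len(rules) {
			end = len(rules)
		}
		plan = append(plan, rules[start:end])
	}
	return plan, nil
}

// AllowListRules expands a list of source CIDRs into one rule per CIDR for a
// given protocol/port, which is the shape a large IngressGroup allow-list takes.
func AllowListRules(protocol string, port int, cidrs []string) []Rule {
	rules := make([]Rule, 0, len(cidrs))
	for _, c := range cidrs {
		rules = append(rules, Rule{Protocol: protocol, Port: port, CIDR: c})
	}
	return rules
}

func main() {
	q := ResolveQuotas(0, 0) // pretend the Service Quotas lookup failed
	// Constructed sample: 150 /32 sources on 443, enough to overflow one SG.
	cidrs := make([]string, 150)
	for i := range cidrs {
		cidrs[i] = fmt.Sprintf("203.0.113.%d/32", i)
	}
	rules := AllowListRules("tcp", 443, cidrs)
	plan, err := PlanSecurityGroups(rules, q, 1) // one slot taken by the backend SG
	if err != nil {
		fmt.Println("plan failed:", err)
		return
	}
	for i, sg := range plan {
		fmt.Printf("managed SG #%d: %d rules (%s .. %s)\n", i+1, len(sg), sg[0].CIDR, sg[len(sg)-1].CIDR)
	}
}
```

With the 60/5 fallback and one reserved slot, 150 rules plan into three groups of 60, 60 and 30; with three reserved slots the same rule set is rejected before any AWS call, which is the behaviour a feature-gated rollout would want instead of a partial reconcile.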