Fix hairpinning traffic on internal NLB by introducing TG attribute reconciler#1214
Conversation
Hi @mtulio. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test.
/ok-to-test |
Force-pushed 9b21dd2 to 8c18565.
/test all |
timeouts /test pull-cloud-provider-aws-e2e |
Force-pushed 8c18565 to bf23dea.
PR #1215 merged. Rebased. Re-testing. /test pull-cloud-provider-aws-e2e |
Force-pushed 0e5e2d0 to 19ef6f3.
Hi @elmiko and @kmala, PR updated with suggestions to remove disruptions. I also updated the release notes. Would you mind taking a look?
Introduce the target group annotation[1] for all listeners on a Service type-LoadBalancer NLB. [1] Annotation service.beta.kubernetes.io/aws-load-balancer-target-group-attributes. The annotation provides an interface for users to opt into non-default configurations of a target group when creating or updating a Service. This change also provides a fix for a critical hairpin bug impacting NLB default configuration (using target type instance), which disables the 'preserve source ip configuration' attribute, leading to timeouts in such scenario.
Force-pushed 19ef6f3 to 73428cd.
elmiko
left a comment
i think this is looking good for me
/lgtm
/approve |
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: kmala.
…ontroller Added permission to IAM managed policy for control plane controllers affecting a specific case where it is required to reconcile the NLB target group. The behavior is added after the fix on kubernetes/cloud-provider-aws#1214
Added permission to IAM managed policy for control plane controllers affecting a specific case where it is required to reconcile the NLB target group. The behavior is added after the fix on kubernetes/cloud-provider-aws#1214 OCPBUGS-65885: regenerate delegating AWS client for new ELBv2 permissions
Added permission to IAM managed policy for control plane controllers affecting a specific case where it is required to reconcile the NLB target group. The behavior is added after the fix on kubernetes/cloud-provider-aws#1214 OCPBUGS-65885
…stream-release-1.34 Automated cherry pick of #1214: doc/service: describe supported target group attributes
-#1215-#1217-#1214-upstream-release-1.33 Automated cherry pick of #1153: e2e/deps: enhance test scenarios with NLB #1161: e2e/loadbalancer: implement hairpin connection cases #1215: refact: e2e tests documenting hooks and enhance logging/steps #1217: e2e/debug: increase data collection on e2e failures #1214: doc/service: describe supported target group attributes
-#1215-#1217-#1214-upstream-release-1.32 Automated cherry pick of #1153: e2e/deps: enhance test scenarios with NLB #1161: e2e/loadbalancer: implement hairpin connection cases #1215: refact: e2e tests documenting hooks and enhance logging/steps #1217: e2e/debug: increase data collection on e2e failures #1214: doc/service: describe supported target group attributes
-#1215-#1217-#1214-upstream-release-1.31 Automated cherry pick of #1153: e2e/deps: enhance test scenarios with NLB #1161: e2e/loadbalancer: implement hairpin connection cases #1215: refact: e2e tests documenting hooks and enhance logging/steps #1217: e2e/debug: increase data collection on e2e failures #1214: doc/service: describe supported target group attributes
Added permission to read and write/modify Target Group Attributes on clusters of cloud-provider-aws (CCM) project. The modify permission is conditional for target clusters. This permission is required to be able to test the new requirement, modify target group attributes, through e2e CI clusters. More information: kubernetes/cloud-provider-aws#1214 Example of CI job without this permission: https://prow.k8s.io/view/gs/kubernetes-ci-logs/pr-logs/pull/cloud-provider-aws/1214/pull-cloud-provider-aws-e2e/1948477553773645824 Signed-off-by: Arnaud Meukam <ameukam@gmail.com>
What type of PR is this?
/kind bug
/kind documentation
/kind failing-test
/kind feature
What this PR does / why we need it:
This PR introduces the annotation to allow users to configure the target group attributes. This configuration is required to fix the hairpinning traffic affecting internal NLB on the default configurations (target type instance).
The proposal introduces Target Group configuration flexibility only for the following attributes of the annotation service.beta.kubernetes.io/aws-load-balancer-target-group-attributes, as those are required to fix the hairpinning traffic:
preserve_client_ip.enabled
proxy_protocol_v2.enabled
Done checklist:
Which issue(s) this PR fixes:
Fixes #1160
Special notes for your reviewer:
The proposal is not disruptive and will follow the user's explicit configuration, which means it will not change target group attributes from existing services when the new annotation is not added.
Additional discussion in the Slack on kube namespace: https://kubernetes.slack.com/archives/C0LRMHZ1T/p1755530062752269
In conformance with the k8s review policy: this PR has been assisted by: Cursor AI (PR review, documentation strings, and unit tests)
Does this PR introduce a user-facing change?:
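The PR description above makes two points a practitioner wants to see in code: only the two listed attributes are accepted from the annotation, and a Service without the annotation must leave an existing target group untouched. The block below is an added illustration written for this page, not code from the cloud-provider-aws repository or from the PR author. It assumes a "key=value,key=value" syntax for the annotation value (modelled on other comma-separated cloud-provider-aws annotations; the syntax actually shipped is documented in the project's doc/service page), the function names ParseTargetGroupAttributes, DesiredFromAnnotations and Reconcile are hypothetical, and the "current" attribute map in main is a constructed stand-in for what the ELBv2 DescribeTargetGroupAttributes call would return for a fresh instance-type target group.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Annotation key introduced by the PR.
const TargetGroupAttributesAnnotation = "service.beta.kubernetes.io/aws-load-balancer-target-group-attributes"

// The only attributes the PR description allows through the annotation.
// Anything else is rejected instead of being forwarded to ELBv2.
var supportedAttributes = map[string]bool{
	"preserve_client_ip.enabled": true,
	"proxy_protocol_v2.enabled":  true,
}

// Attribute is one target group attribute key/value pair, the shape that
// ELBv2's ModifyTargetGroupAttributes takes.
type Attribute struct {
	Key   string
	Value string
}

// ParseTargetGroupAttributes parses the annotation value. The
// "key=value,key=value" syntax is an assumption of this example.
// Values are restricted to the literal strings ELBv2 expects for these
// boolean attributes ("true"/"false"); "yes", "1" etc. are rejected.
func ParseTargetGroupAttributes(value string) (map[string]string, error) {
	out := map[string]string{}
	if strings.TrimSpace(value) == "" {
		return out, nil // annotation absent or empty: no opinion
	}
	for _, pair := range strings.Split(value, ",") {
		pair = strings.TrimSpace(pair)
		if pair == "" {
			continue
		}
		k, v, ok := strings.Cut(pair, "=")
		if !ok {
			return nil, fmt.Errorf("attribute %q is not key=value", pair)
		}
		k, v = strings.TrimSpace(k), strings.TrimSpace(v)
		if !supportedAttributes[k] {
			return nil, fmt.Errorf("unsupported target group attribute %q", k)
		}
		if v != "true" && v != "false" {
			return nil, fmt.Errorf("attribute %q: value %q must be true or false", k, v)
		}
		if _, dup := out[k]; dup {
			return nil, fmt.Errorf("attribute %q specified more than once", k)
		}
		out[k] = v
	}
	return out, nil
}

// DesiredFromAnnotations reads the annotation off a Service's annotation map.
// A missing annotation yields an empty map, which Reconcile turns into no changes.
func DesiredFromAnnotations(annotations map[string]string) (map[string]string, error) {
	return ParseTargetGroupAttributes(annotations[TargetGroupAttributesAnnotation])
}

// Reconcile returns only the attributes whose desired value differs from what
// the target group currently has. Attributes the user did not mention are never
// touched, so existing Services without the annotation are left as they are.
func Reconcile(current, desired map[string]string) []Attribute {
	var changes []Attribute
	for k, v := range desired {
		if cur, ok := current[k]; !ok || cur != v {
			changes = append(changes, Attribute{Key: k, Value: v})
		}
	}
	sort.Slice(changes, func(i, j int) bool { return changes[i].Key < changes[j].Key })
	return changes
}

func main() {
	// Constructed current state: client IP preservation on, which is the
	// setting the PR associates with the hairpin timeouts on instance targets.
	current := map[string]string{
		"preserve_client_ip.enabled": "true",
		"proxy_protocol_v2.enabled":  "false",
	}
	// Constructed Service annotations opting out of client IP preservation.
	svcAnnotations := map[string]string{
		TargetGroupAttributesAnnotation: "preserve_client_ip.enabled=false",
	}
	desired, err := DesiredFromAnnotations(svcAnnotations)
	if err != nil {
		fmt.Println("invalid annotation:", err)
		return
	}
	for _, a := range Reconcile(current, desired) {
		fmt.Printf("modify %s=%s\n", a.Key, a.Value)
	}
	// A Service with no annotation produces no ModifyTargetGroupAttributes call.
	desired, _ = DesiredFromAnnotations(map[string]string{})
	fmt.Println("changes without annotation:", len(Reconcile(current, desired)))
}
```

Running it prints the single modify for preserve_client_ip.enabled and then zero changes for the un-annotated Service. The rejection of unsupported keys is the security-relevant part: without it, an annotation on a Service object (writable by anyone with update on Services in that namespace) could drive arbitrary ELBv2 attribute changes with the controller's IAM credentials, which is also why the linked IAM policy changes scope the new permission to the specific reconcile case.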