Nginx attributes for connecting with AWS NLB not being applied to NLB instance #3991

Open
Timotej979 opened this issue Dec 20, 2024 · 2 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. triage/needs-information Indicates an issue needs more information in order to work on it.

Comments

@Timotej979

Hello 😄

Currently I'm facing an issue regarding applying the Helm chart values of an ingress-nginx controller connected to the AWS NLB using service annotations in EKS. My current values.yaml file for the nginx-ingress looks like this:

```yaml
controller:
  service:
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-type: "nlb"
      service.beta.kubernetes.io/aws-load-balancer-attributes: |
        load_balancing.cross_zone.enabled=true,
        deletion_protection.enabled=true

  resources:
    limits:
      cpu: "500m"
      memory: "512Mi"
    requests:
      cpu: "500m"
      memory: "512Mi"
  admissionWebhooks:
    createSecretJob:
      resources:
        limits:
          cpu: "100m"
          memory: "64Mi"
        requests:
          cpu: "100m"
          memory: "64Mi"
    patchWebhookJob:
      resources:
        limits:
          cpu: "100m"
          memory: "64Mi"
        requests:
          cpu: "100m"
          memory: "64Mi"
```

They look correct to me from outside; however, on the terraform apply command of a Helm release with these values, the load balancer fails to enable cross-zone load balancing. I managed to overcome this using an alternative annotation which apparently still works, even though in the latest docs it is said to be deprecated. Link to the annotation: service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled

The issue I am specifically having is the deletion protection argument/annotation, which I would really like to have on the infrastructure.

I'm using an EKS cluster version 1.30.
Latest ingress nginx helm chart version from: https://kubernetes.github.io/ingress-nginx.

Any help would be much appreciated, even though it seems like a really simple issue 😅

@shraddhabang
Collaborator

shraddhabang commented Dec 30, 2024

@Timotej979 Will you be able to share which version of aws-lb-controller you have installed? Also, if possible, will you be able to share the logs for the LB controller? I tried this with the latest version of the LB controller. It seems to be working for me. Logs would be helpful to see if there are any errors.

@shraddhabang shraddhabang added kind/bug Categorizes issue or PR as related to a bug. triage/needs-information Indicates an issue needs more information in order to work on it. labels Dec 30, 2024
@Timotej979
Author

Hello,

Sorry for the late reply (I was sick in between and had some other higher-priority work to do, so the ticket was pushed back a bit 😅).

Anyway, as I explored our cluster setup further, I figured out that we did not even install the aws-lb-controller and as such some attributes could not be applied, so false alarm on my part, sorry.

However, with this in mind, I have a question regarding security: in case we do install the aws-lb-controller, is the controller compatible/how many more errors would need fixing when running the HardenEKS benchmark? (Is there any admin access and such, was this checked in any other instance, and could I get a link to that if it exists? 😄) The requirements (as always) specify deletion protection and some other settings, which aws-lb-controller does enable access to, so I would really want to use it; however, if with it we generate a medium/big footprint of security vulnerabilities, it would maybe be better to do this manually?

Kind regards and thanks for your patience and answer 😄
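
The failure mode in this thread (annotations accepted by the Service but never reflected on the NLB) can be caught by comparing the desired attributes against what the load balancer reports. The following is an added example, not part of the original thread or of the controller's code: the attribute parsing is this example's own, and the JSON is a constructed sample in the shape returned by `aws elbv2 describe-load-balancer-attributes`.

```python
import json

# Annotation value as the block scalar in the values.yaml above renders it
# (note the embedded newlines).
ANNOTATION_VALUE = (
    "load_balancing.cross_zone.enabled=true,\n"
    "deletion_protection.enabled=true\n"
)

# Constructed sample of `aws elbv2 describe-load-balancer-attributes` output
# for an NLB on which the annotation had no effect.
SAMPLE_DESCRIBE_OUTPUT = """
{"Attributes": [
  {"Key": "deletion_protection.enabled", "Value": "false"},
  {"Key": "load_balancing.cross_zone.enabled", "Value": "false"},
  {"Key": "access_logs.s3.enabled", "Value": "false"}
]}
"""

def parse_desired(annotation):
    """Split 'k=v,k=v' into a dict, tolerating whitespace and newlines.
    This is the example's own parsing, not the controller's."""
    desired = {}
    for pair in annotation.split(","):
        pair = pair.strip()
        if not pair:
            continue  # trailing comma or blank line
        key, sep, value = pair.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed attribute: {pair!r}")
        desired[key.strip()] = value.strip()
    return desired

def find_drift(annotation, describe_json):
    """Return {key: (desired, actual)} for attributes that differ.
    actual is None when the load balancer does not report the key."""
    actual = {a["Key"]: a["Value"] for a in json.loads(describe_json)["Attributes"]}
    drift = {}
    for key, want in parse_desired(annotation).items():
        have = actual.get(key)
        if have is None or have.lower() != want.lower():
            drift[key] = (want, have)
    return drift

if __name__ == "__main__":
    for key, (want, have) in sorted(find_drift(ANNOTATION_VALUE, SAMPLE_DESCRIBE_OUTPUT).items()):
        print(f"DRIFT {key}: desired={want} actual={have}")
```

Running a check like this after `terraform apply` surfaces a missing deletion-protection setting immediately instead of at audit time.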
