WIP: Add support for dual stack load balancers

[nrb]

What type of PR is this?
/kind feature

What this PR does / why we need it:

Adds basic support for configuring the IP address family on Services.

This functionality overlaps with the ALBC somewhat, but the goal here is to provide much more basic functionality, not the full scope of ALBC.

Which issue(s) this PR fixes:

Fixes #1219

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

Introduce `service.beta.kubernetes.io/aws-load-balancer-ip-address-type` to enable dual stack Services.

[k8s-ci-robot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[k8s-ci-robot]

This issue is currently awaiting triage.

If cloud-provider-aws contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[nrb]

/test pull-cloud-provider-aws-test

[damdo]

Hey @kmala do we know what's happening with the Netlify checks? It looks like they are broken across many open PRs. TY

[damdo]

/retest

[nrb]

/retest

[nrb]

/retest

[nrb]

/test pull-cloud-provider-aws-test

One more run to see if this is a rate limiting issue or some sort of genuine issue with my code.

[tthvo]

I tested with a simple service below:

apiVersion: v1
kind: Service
metadata:
  name: wordpress-mysql
  labels:
    app: wordpress
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-ip-address-type: dualstack
spec:
  ipFamilyPolicy: PreferDualStack
  ports:
    - port: 3306
  selector:
    app: wordpress
  type: LoadBalancer

The CCM does create the dualstack NLB as expected 🚀

$ kubectl -n myns get svc/wordpress-mysql -o yaml | yq .status.loadBalancer.ingress
- hostname: <id>.elb.us-east-1.amazonaws.com

$ nslookup <id>.elb.us-east-1.amazonaws.com
# nslookup shows both public IPv4 EIP and IPv6 GUA addresses

$ aws elbv2 describe-load-balancers --names=<nlb-id> --query='LoadBalancers[0].[Type,IpAddressType,Scheme]'
[
    "network",
    "dualstack",
    "internet-facing"
]

[nrb]

/test pull-cloud-provider-aws-test

[nrb]

/test pull-cloud-provider-aws-test

[nrb]

/test pull-cloud-provider-aws-check

[nrb]

/test pull-cloud-provider-aws-test
/test pull-cloud-provider-aws-check

[nrb]

@kmala I'm going to do some manual testing with this PR starting today before I mark it as ready for review, but would you be able to give it a look by any chance?

[nrb]

I've updated the change to only use the Kubernetes API fields in service.Spec rather than annotations. I think this keeps the implementation straightforward, and there should be nothing in this PR that blocks us from adding support for more granular settings via annotations in the future.

[nrb]

govulncheck notice will be resolved by pulling kubernetes/kubernetes#136820 in during a kube bumpl.

[kmala]

nit: if we are passing the entire service then we can skip passing other params like service name, annotation right?

[tthvo]

I just have a few questions 🙏 But overall, I think we are having great progress!

[tthvo]

We should consider/allow IPv6 CIDRs when updating the instance's security groups (to allow traffic from NLB), right? IIUC, there are 2 types of CIDRs here:

• sourceRangeCidrs: Already defined on line 2396-2405
• subnetCidrs: IPv6 CIDRs can be extracted from subnet info returned by AWS.

[tthvo]

I guess that means we need to update the following functions to set the Ipv6Range field correctly?

cloud-provider-aws/pkg/providers/v1/aws_loadbalancer.go

Line 957 in b6c9d76

func (c *Cloud) updateInstanceSecurityGroupsForNLB(ctx context.Context, lbName string, instances map[InstanceID]*ec2types.Instance, subnetCIDRs []string, clientCIDRs []string, portMappings []nlbPortMapping) error {

cloud-provider-aws/pkg/providers/v1/aws_loadbalancer.go

Line 1049 in b6c9d76

func (c *Cloud) updateInstanceSecurityGroupForNLBTraffic(ctx context.Context, sgID string, sgPerms IPPermissionSet, ruleDesc string, protocol string, ports sets.Set[int32], cidrs []string) error {

[tthvo]

I wonder if we can:

• Place this validation in pkg/providers/v1/aws_validations.go
• Additionally, we should add a validation that only allows dualstack settings (i.e. ipFamilies: [IPv4, IPv6], ipFamilyPolicy: RequireDualStack) when LB type is NLB.

WDYT?

[nrb]

Yep, makes sense.

[tthvo]

Maybe, we should mention what would happen if the secondary family is removed? Like what will be the state of:

• The Load Balancer
• The Security Groups (those for LB and those for instances)
• Target Group
• (Optional) Listeners

[tthvo]

nit: The list indentation is a lot more than usual. Let's format it a bit 😁

[damdo]

/retest

[damdo]

/test pull-cloud-provider-aws-e2e-kubetest2-quick

[damdo]

/test pull-cloud-provider-aws-e2e-kubetest2-quick

[nrb]

/test pull-cloud-provider-aws-test

[nrb]

Current e2e failure is legit - the provisioned cluster is not set up for IPv6.

   STEP: creating LoadBalancer service in Kubernetes @ 03/03/26 17:45:37.338
  I0303 17:45:37.386843 32011 loadbalancer.go:508] Unexpected error: 
      <*errors.errorString | 0xc000321140>: 
      failed to create LoadBalancer Service "lbconfig-test-clb-ds": Service "lbconfig-test-clb-ds" is invalid: spec.ipFamilies[1]: Invalid value: "IPv6": not configured on this cluster
      {
          s: "failed to create LoadBalancer Service \"lbconfig-test-clb-ds\": Service \"lbconfig-test-clb-ds\" is invalid: spec.ipFamilies[1]: Invalid value: \"IPv6\": not configured on this cluster",
      }
  [FAILED] in [It] - /home/prow/go/src/k8s.io/cloud-provider-aws/tests/e2e/loadbalancer.go:508 @ 03/03/26 17:45:37.387
  STEP: Destroying namespace "cloud-provider-aws-593" for this suite. @ 03/03/26 17:45:37.387
  << Timeline 

Will work on getting support for that plumbed in to kubetest-ec2.

[k8s-ci-robot]

@nrb: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-cloud-provider-aws-e2e	2dd0dac	link	true	/test pull-cloud-provider-aws-e2e

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.