Inconsistency across docs/code for aws-load-balancer-manage-backend-security-group-rules

[rgs1]

In the annotations docs it says that aws-load-balancer-manage-backend-security-group-rules defaults to true:

https://github.com/kubernetes-sigs/aws-load-balancer-controller/blame/main/docs/guide/service/annotations.md#L52

[service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules](#manage-backend-sg-rules)  | boolean    | true          

However in the security docs the writing implies that it needs to be explicitly set:

https://github.com/kubernetes-sigs/aws-load-balancer-controller/blame/main/docs/deploy/security_groups.md#L64

- To enable managing backend security group rules, apply an additional annotation to Ingress and Service resources.
  - For Ingress resources, set the `alb.ingress.kubernetes.io/manage-backend-security-group-rules` annotation to `true`.
  - For Service resources, set the `service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules` annotation to `true`.

To make things consistent we either need to document that the annotation defaults to false or make the default actually true. Making it true by default is probably the desired path for most setups.

[rgs1]

Ok I see the issue now, it's true by default if aws-load-balancer-security-groups is not set. If aws-load-balancer-security-groups is set, then you must specifically opt in. I'll update the docs to make this more clear.

[oliviassss]

@rgs1, yes your understanding is correct. If the user specifies the self-managed SG through aws-load-balancer-security-groups annotation, the controller by default won't manage the backend sg rules. You can also check here for more details
https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/deploy/security_groups/