Missing "aws-load-balancer-extra-security-groups" annotation #3679

Open
dcodix opened this issue May 7, 2024 · 7 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature.

@dcodix
dcodix commented May 7, 2024

Is your feature request related to a problem?
It is. We were trying to migrate from the standard controller to the aws-load-balancer-controller and we are hitting a wall right now.
In the other controller there is this annotation "aws-load-balancer-extra-security-groups" that seems to have been dropped here (or I am failing to make it work).

We are using that annotation to attach to all our LBs a pre-created SG which would open the R53 healthchecks. We are doing it this way because we are using the aws managed prefix list, otherwise we could not list all the IPs needed for the r53 healthchecks to work.

With this controller we don't seem to be able to do so. We still want the "main" SG to be controlled by the controller, but we need to add the extra SG managed outside of k8s.

Describe the solution you'd like
Just add the functionality for the annotation aws-load-balancer-extra-security-groups

Describe alternatives you've considered
If we cannot do this we might need either:

  1. Not use this controller and go back to the standard controller which supports the annotation.
  2. Write some mini controller that runs in parallel to this that will just discover and attach the SG to the LB given some annotation.

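A sketch of the merge step that alternative 2 above would need, added here as an example and not part of the issue or of the controller's code. The ELBv2 `SetSecurityGroups` call overrides the previously associated groups, so the extra group has to be merged into the list already attached rather than sent alone. The annotation key `example.com/extra-security-groups`, the function names and the limit of 5 groups are assumptions.

```python
import re

# Hypothetical annotation key for this sketch; it is not an annotation the
# AWS Load Balancer Controller reads.
EXTRA_SG_ANNOTATION = "example.com/extra-security-groups"
SG_ID = re.compile(r"^sg-(?:[0-9a-f]{8}|[0-9a-f]{17})$")


def parse_extra_groups(annotations):
    """Return the validated, de-duplicated SG ids listed in the annotation."""
    raw = (annotations or {}).get(EXTRA_SG_ANNOTATION, "")
    groups = []
    for item in (part.strip() for part in raw.split(",")):
        if not item:
            continue
        if not SG_ID.match(item):
            # Fail closed: a typo must not silently drop a required group.
            raise ValueError(f"not a security group id: {item!r}")
        if item not in groups:
            groups.append(item)
    return groups


def plan_security_groups(current, annotations, max_groups=5):
    """Return the full list to send to SetSecurityGroups, or None if no change.

    SetSecurityGroups replaces the whole set on the load balancer, so the
    groups already attached (including the controller-managed one) are kept
    and the extra groups are appended.
    """
    desired = list(current)
    for sg in parse_extra_groups(annotations):
        if sg not in desired:
            desired.append(sg)
    if len(desired) > max_groups:  # assumed per-load-balancer quota
        raise ValueError(f"{len(desired)} groups exceeds limit of {max_groups}")
    return None if desired == list(current) else desired


if __name__ == "__main__":
    # Constructed sample values, not taken from the issue.
    managed = "sg-0" + "a" * 16   # stands in for the controller-managed group
    extra = "sg-0" + "b" * 16     # stands in for the pre-created group
    svc = {EXTRA_SG_ANNOTATION: f"{extra}, {managed}"}
    print(plan_security_groups([managed], svc))
```
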
@andreybutenko
Contributor

Hi @dcodix, thanks for the question! At this time, the AWS Load Balancer Controller does not support this type of annotation.

We do have two related annotations to specify the security groups to attach. However, these replace the controller-managed security group, rather than attaching additional security groups.

We are open to a contribution for this annotation :)

/kind feature

@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label May 7, 2024
@omerap12
Contributor

Perhaps I can take this :) @andreybutenko

@omerap12
Contributor

/assign

@andreybutenko
Contributor

@omerap12 Awesome, thanks for working on this :) Post here if you need anything!

@dcodix
Author

dcodix commented May 15, 2024

Thanks to both @omerap12 and @andreybutenko! I was also writing something, but I had to stop because of work...
Just wanted to let you know tho, that once I had something written, and I was doing changes on the docs, I saw there is already an annotation aws-load-balancer-security-group-prefix-lists which might be exactly what I need!
I did not try to use that one, so I am not sure, but the reason I was attaching an extra SG is just because I had one SG pre-created with a prefix-list.

I will test this soon, and let you know if it solves my particular problem, but even if it works, it may still be a good idea to be able to add the extra SG for other use cases?

@dcodix
Author

dcodix commented May 15, 2024

Sorry I clicked to create the PR by accident.

@omerap12
Contributor

Hey @dcodix @andreybutenko ,
I think too that to be able to add an extra SG is a good idea.

4 participants