Description
What happened:
After upgrading our EKS cluster to v1.33 (eks.9) we began seeing repeated error messages in CloudTrail logs such as:
Client.InvalidPermission.Duplicate: the specified rule "peer: 0.0.0.0/0, TCP, from port: 443, to port: 443, ALLOW" already exists
Client.InvalidPermission.Duplicate: the specified rule "peer: 0.0.0.0/0, ICMP, type: 3, code: 4, ALLOW" already exists
[...]
The errors indicate the controller is attempting to re-apply security group rules that are already created, leading to duplicate-permission errors.
What you expected to happen:
The controller should detect existing rules and avoid attempting to re-add them to the load balancer's security group.
How to reproduce it (as minimally and precisely as possible):
1. Set up an AWS EKS cluster running v1.32 with pre-existing ELBs and associated security groups.
2. Upgrade the cluster to v1.33 (eks.9).
3. Observe CloudTrail logs for duplicate security group rule errors following the upgrade.
Anything else we need to know?:
Environment:
- Kubernetes version (use kubectl version): v1.33.2-eks-931bdca
- Cloud provider or hardware configuration: AWS EKS
- OS (e.g. from /etc/os-release): Amazon Linux 2
- Kernel (e.g. uname -a): Linux ip-<IP>.eu-west-1.compute.internal 6.12.37 #1 SMP Thu Jul 24 23:20:53 UTC 2025 aarch64 aarch64 aarch64 GNU/Linux
/kind bug
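An added Go example (not the controller's own code or the reporter's) of the reconciliation the expected behaviour describes: key desired and existing rules on the same fields EC2 prints in the quoted errors, send only the missing ones to AuthorizeSecurityGroupIngress, and treat InvalidPermission.Duplicate as already-reconciled rather than an error to log on every loop. Rule, MissingRules and IsDuplicate are hypothetical names; the sample rules are constructed from the two error messages above.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is a simplified SG ingress permission (hypothetical type, not the controller's own).
type Rule struct {
	Peer     string // CIDR, e.g. 0.0.0.0/0
	Protocol string // TCP, UDP or ICMP (case-insensitive)
	From, To int    // port range; for ICMP: type (From) and code (To)
}

// Key renders a rule in the shape of the EC2 error message quoted in the report, so the
// same rule obtained from two sources compares equal regardless of casing or struct identity.
func (r Rule) Key() string {
	p := strings.ToUpper(r.Protocol)
	if p == "ICMP" {
		return fmt.Sprintf("peer: %s, ICMP, type: %d, code: %d, ALLOW", r.Peer, r.From, r.To)
	}
	return fmt.Sprintf("peer: %s, %s, from port: %d, to port: %d, ALLOW", r.Peer, p, r.From, r.To)
}

// MissingRules returns the desired rules not yet on the group: the only set to send to AuthorizeSecurityGroupIngress.
func MissingRules(desired, existing []Rule) []Rule {
	have := make(map[string]bool, len(existing))
	for _, r := range existing {
		have[r.Key()] = true
	}
	var missing []Rule
	for _, r := range desired {
		if !have[r.Key()] {
			missing = append(missing, r)
		}
	}
	return missing
}

// IsDuplicate is true when an authorize call failed only because the rule already exists;
// a reconciler should treat that as success instead of logging it on every loop.
func IsDuplicate(err error) bool {
	return err != nil && strings.Contains(err.Error(), "InvalidPermission.Duplicate")
}

func main() {
	desired := []Rule{{"0.0.0.0/0", "TCP", 443, 443}, {"0.0.0.0/0", "ICMP", 3, 4}, {"10.0.0.0/8", "tcp", 8080, 8080}}
	existing := []Rule{{"0.0.0.0/0", "tcp", 443, 443}, {"0.0.0.0/0", "icmp", 3, 4}} // constructed sample
	fmt.Println("would authorize:", MissingRules(desired, existing))              // only the 10.0.0.0/8 rule
}
```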