Controller leaks Load Balancer when Service annotation service.beta.kubernetes.io/aws-load-balancer-type is added/removed #1254
Description
What happened:
The controller is leaking load balancers when the annotation service.beta.kubernetes.io/aws-load-balancer-type is updated (added or removed). This is not something usual, but it's a valid user flow that can lead to unexpected leaked resources.
Scenarios:
-
- Given a Service created without annotation
service.beta.kubernetes.io/aws-load-balancer-type, then updated to the annotationservice.beta.kubernetes.io/aws-load-balancer-type=nlb, a NLB will be created, and CLB will be leaked (and it's SGs)
- Given a Service created without annotation
-
- Given a Service created with annotation
service.beta.kubernetes.io/aws-load-balancer-type=nlb, then the annotation is removed, the controller will create a CLB and leak the NLB
- Given a Service created with annotation
What you expected to happen:
Options to discuss with community:
- Controller should not create a new load balancer when the annotation
service.beta.kubernetes.io/aws-load-balancer-typeis added or removed from existing services which already have load balancers - Controller should "recreate" (e.g. delete CLB and add NLB) when the annotation is
service.beta.kubernetes.io/aws-load-balancer-type
How to reproduce it (as minimally and precisely as possible):
CLB leak:
- Create a Service (without annotation
service.beta.kubernetes.io/aws-load-balancer-type - Add the annotation
service.beta.kubernetes.io/aws-load-balancer-type=nlb - Check in the AWS console that the NLB has been created
- Check in the AWS Console that the CLB has been leaked
Anything else we need to know?:
What is the expected option/behavior in this case considering there is no validation webhook available in CCM?
Environment:
- Kubernetes version (use
kubectl version): - Cloud provider or hardware configuration:
- OS (e.g. from /etc/os-release):
- Kernel (e.g.
uname -a): - Install tools:
- Others:
/kind bug