
Upgrading from 2.8.3 to 2.11.0 triggers changes in listener rules. #4064

@kashya2

Description


I am trying to update aws-load-balancer-controller from v2.8.3 to v2.11.0. The upgrade is smooth, but as soon as pods with the new version are deployed, I see all the listener attributes for the ALB change with the messages below. I confirmed that nothing actually changes, but there are entries in CloudTrail as well, mentioning that a ModifyRule event happened.

{"level":"info","ts":"<timestamp>","logger":"controllers.ingress","msg":"modified listener rule","stackID":"stackId","resourceID":"443:28","arn":"<ListenerARN>"}

  • Can someone confirm what these changes are? Are they related to the listenerAttributes support added in v2.10.1, or something else?

Activity

shraddhabang (Collaborator) commented on Feb 19, 2025

I don't think updating the listener attributes should result in modifying the listener rules as long as there are no changes made to the rules on the ingress. I think the reason could be something else. Did you update rules by any chance?

kashya2 (Author) commented on Feb 19, 2025

Actually there were no rule changes. We just upgraded from version v2.8.3 to v2.11.0, and as soon as the new version pod is deployed it triggers rule changes. Again, there are no actual changes in the rules, but somehow the logs show "Modified Listener rule".

kashya2 (Author) commented on Mar 3, 2025

We tried this in another environment and it's the same behaviour there as well. This time we exported the listener rules before the upgrade, did the upgrade (modified listener rules was triggered), and compared with the latest listener rules, and they were the same.
We also thought of configuring AWS Config to confirm the changes, but listener rules are not supported as of now.

s-marinkovic commented on Mar 4, 2025

Hi @shraddhabang,

I have the same issue as @kashya2 described. I updated aws-load-balancer-controller from v2.9.1 to v2.11.0, and in the logs I see the ModifyRule events with the following error:
api error ValidationError: A rule can only have '5' condition values

My questions are:

  • Why is there a ModifyRule event?
  • Why is there an error even though I've checked that all our rules have 5 or fewer condition values?

Can you please check this, because we won't roll out the update to our other environments as long as this issue is present.

Update:

We had an update of conditions in a different configuration, and it did indeed have more than 5 values in total. So there is no issue with 2.11.0.

kashya2 (Author) commented on Mar 10, 2025

Any updates on this? Tested again and got the same results.

usamaahmadkhan (Contributor) commented on May 21, 2025

Faced the same issue upgrading from 2.8.z to 2.13.1.

Looks like it doesn't check whether the resource needs modification or not and prints the modifying listener rule|target group bindings message every time it reconciles. This gives a wrong impression that a resource will actually be modified on AWS.

We need a refactor of the logs to avoid misdirection.

shraddhabang (Collaborator) commented on May 22, 2025

@usamaahmadkhan We do check for any drifts, for example, before we modify any resource in the controller. Would you provide logs to check if there are any drifts?

usamaahmadkhan (Contributor) commented on May 23, 2025

@shraddhabang This is the test I ran. Upgraded the deployment:

  1. First reconcile prints the following log:
{
  "level": "info",
  "ts": "2025-05-15T13:15:17Z",
  "logger": "controllers.ingress",
  "msg": "modifying listener rule",    <--- Prints this although no change occurred. Only reconcile is happening
  "stackID": "kong-ingress",
  "resourceID": "443:1",
  "arn": "arn:aws:elasticloadbalancing:eu-west-1:AAAAAAAAAA:listener-rule/app/k8s-kongingress-<REDACTED>"
}
  2. Updated annotation (shifted weights through annotation) to simulate a change on the LB
  3. Log printed after the change:
{
  "level": "info",
  "ts": "2025-05-15T13:18:38Z",
  "logger": "controllers.ingress",
  "msg": "modifying listener rule",   <--- Prints this correctly as weights were actually modified
  "stackID": "kong-ingress",
  "resourceID": "443:1",
  "arn": "arn:aws:elasticloadbalancing:eu-west-1:AAAAAAAAAA:listener-rule/app/k8s-kongingress-<REDACTED>"
}

Looks like the check doesn't exist for listener rules and targetgroupbindings. Can you verify?

shraddhabang (Collaborator) commented on Jun 11, 2025

Hey @usamaahmadkhan, thank you for your patience.
I have found the problem. It's a small bug in our code but does not really affect anyone. We basically do a drift check before modifying any resource. For rules, we check if the actions are modified or not, but we don't check the order of those actions. It seems you are using weighted TGs on rules. This means you are forwarding to two target groups with weights 0 and 100. When the reconcile happens, we build an object. This object for actions may have these two forward TGs in a different order than the SDK rules object. The code mistakenly assumes that something has changed and calls modify rules. But in reality the order of actions does not matter; it's the same config. Hence you don't see anything changed even after the modification calls. We will fix this bug on our side. But to address your concern, this does not cause any problem to the current configuration.
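
The drift-check behaviour described in the comment above, as an added example that is not part of the thread and not the controller's own code: a positional comparison of a forward action's weighted target groups reports drift on a mere reordering (the source of the spurious ModifyRule entries in CloudTrail), while comparing a canonically sorted copy does not. The type and function names and the sample target group identifiers are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"reflect"
	"sort"
)

// TargetGroupTuple is a hypothetical stand-in for one weighted target group
// inside a forward action (names are assumptions, not the controller's types).
type TargetGroupTuple struct {
	ARN    string
	Weight int32
}

// NaiveDrift is the order-sensitive comparison: it reports drift whenever the
// slices differ positionally, even if they describe the same weighted set.
func NaiveDrift(desired, current []TargetGroupTuple) bool {
	return !reflect.DeepEqual(desired, current)
}

// canonical returns a sorted copy so the caller's slices are never mutated.
func canonical(in []TargetGroupTuple) []TargetGroupTuple {
	out := append([]TargetGroupTuple(nil), in...)
	sort.Slice(out, func(i, j int) bool {
		if out[i].ARN != out[j].ARN {
			return out[i].ARN < out[j].ARN
		}
		return out[i].Weight < out[j].Weight
	})
	return out
}

// OrderInsensitiveDrift reports drift only when the multiset of
// (ARN, weight) pairs differs, so a reordered forward action is a no-op.
func OrderInsensitiveDrift(desired, current []TargetGroupTuple) bool {
	return !reflect.DeepEqual(canonical(desired), canonical(current))
}

func main() {
	// Constructed sample: same two target groups, weights 0 and 100, swapped order.
	desired := []TargetGroupTuple{{"tg-blue", 100}, {"tg-green", 0}}
	current := []TargetGroupTuple{{"tg-green", 0}, {"tg-blue", 100}}
	shifted := []TargetGroupTuple{{"tg-green", 50}, {"tg-blue", 50}}
	fmt.Println(NaiveDrift(desired, current))            // true: spurious modify call
	fmt.Println(OrderInsensitiveDrift(desired, current)) // false: nothing to modify
	fmt.Println(OrderInsensitiveDrift(desired, shifted)) // true: weights really changed
}
```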


Upgrading from 2.8.3 to 2.11.0 triggers changes in listener rules. · Issue #4064 · kubernetes-sigs/aws-load-balancer-controller