kubernetes-sigs · hintofbasil · Apr 22, 2021 · Apr 22, 2021 · Apr 22, 2021 · Apr 21, 2022
diff --git a/controllers/ingress/group_controller.go b/controllers/ingress/group_controller.go
@@ -43,6 +43,7 @@ const (
 // NewGroupReconciler constructs new GroupReconciler
 func NewGroupReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorder record.EventRecorder,
 	finalizerManager k8s.FinalizerManager, networkingSGManager networkingpkg.SecurityGroupManager,
+	vpcEndpointServiceManager networkingpkg.VPCEndpointServiceManager,
 	networkingSGReconciler networkingpkg.SecurityGroupReconciler, subnetsResolver networkingpkg.SubnetsResolver,
 	controllerConfig config.ControllerConfig, backendSGProvider networkingpkg.BackendSGProvider, logger logr.Logger) *groupReconciler {
 
@@ -60,7 +61,7 @@ func NewGroupReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorder
 		controllerConfig.DefaultSSLPolicy, backendSGProvider, controllerConfig.EnableBackendSecurityGroup, controllerConfig.DisableRestrictedSGRules, controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType), logger)
 	stackMarshaller := deploy.NewDefaultStackMarshaller()
 	stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingSGManager, networkingSGReconciler,
-		controllerConfig, ingressTagPrefix, logger)
+		vpcEndpointServiceManager, controllerConfig, ingressTagPrefix, logger)
 	classLoader := ingress.NewDefaultClassLoader(k8sClient)
 	classAnnotationMatcher := ingress.NewDefaultClassAnnotationMatcher(controllerConfig.IngressConfig.IngressClass)
 	manageIngressesWithoutIngressClass := controllerConfig.IngressConfig.IngressClass == ""

diff --git a/controllers/service/service_controller.go b/controllers/service/service_controller.go
@@ -35,6 +35,7 @@ const (
 
 func NewServiceReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorder record.EventRecorder,
 	finalizerManager k8s.FinalizerManager, networkingSGManager networking.SecurityGroupManager,
+	vpcEndpointServiceManager networking.VPCEndpointServiceManager,
 	networkingSGReconciler networking.SecurityGroupReconciler, subnetsResolver networking.SubnetsResolver,
 	vpcInfoProvider networking.VPCInfoProvider, controllerConfig config.ControllerConfig, logger logr.Logger) *serviceReconciler {
 
@@ -45,7 +46,7 @@ func NewServiceReconciler(cloud aws.Cloud, k8sClient client.Client, eventRecorde
 	modelBuilder := service.NewDefaultModelBuilder(annotationParser, subnetsResolver, vpcInfoProvider, cloud.VpcID(), trackingProvider,
 		elbv2TaggingManager, controllerConfig.FeatureGates, controllerConfig.ClusterName, controllerConfig.DefaultTags, controllerConfig.ExternalManagedTags, controllerConfig.DefaultSSLPolicy, controllerConfig.FeatureGates.Enabled(config.EnableIPTargetType), serviceUtils)
 	stackMarshaller := deploy.NewDefaultStackMarshaller()
-	stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingSGManager, networkingSGReconciler, controllerConfig, serviceTagPrefix, logger)
+	stackDeployer := deploy.NewDefaultStackDeployer(cloud, k8sClient, networkingSGManager, networkingSGReconciler, vpcEndpointServiceManager, controllerConfig, serviceTagPrefix, logger)
 	return &serviceReconciler{
 		k8sClient:         k8sClient,
 		eventRecorder:     eventRecorder,

diff --git a/docs/guide/ingress/annotations.md b/docs/guide/ingress/annotations.md
@@ -57,6 +57,10 @@ You can add annotations to kubernetes Ingress and Service objects to customize t
 |[alb.ingress.kubernetes.io/actions.${action-name}](#actions)|json|N/A|Ingress|N/A|
 |[alb.ingress.kubernetes.io/conditions.${conditions-name}](#conditions)|json|N/A|Ingress|N/A|
 |[alb.ingress.kubernetes.io/target-node-labels](#target-node-labels)|stringMap|N/A|Ingress,Service|N/A|
+|[alb.ingress.kubernetes.io/aws-load-balancer-endpoint-service-enabled](#endpoint-service-enable)|boolean|false|
+|[alb.ingress.kubernetes.io/aws-load-balancer-endpoint-service-acceptance-required](#endpoint-service-acceptance)|boolean||
+|[alb.ingress.kubernetes.io/aws-load-balancer-endpoint-service-allowed-principals](#endpoint-allowed-principals)|stringList||
+|[alb.ingress.kubernetes.io/aws-load-balancer-endpoint-service-private-dns-name](#endpoint-private-dns)|string||
 
 ## IngressGroup
 IngressGroup feature enables you to group multiple Ingress resources together.
@@ -74,7 +78,7 @@ By default, Ingresses don't belong to any IngressGroup, and we treat it as a "im
 
     !!!warning "Security Risk"
         IngressGroup feature should only be used when all Kubernetes users with RBAC permission to create/modify Ingress resources are within trust boundary.
-
+        
         If you turn your Ingress to belong a "explicit IngressGroup" by adding `group.name` annotation,
         other Kubernetes users may create/modify their Ingresses to belong to the same IngressGroup, and can thus add more rules or overwrite existing rules with higher priority to the ALB for your Ingress.
 
@@ -86,7 +90,7 @@ By default, Ingresses don't belong to any IngressGroup, and we treat it as a "im
         ```
 
 - <a name="group.order">`alb.ingress.kubernetes.io/group.order`</a> specifies the order across all Ingresses within IngressGroup.
-
+    
     !!!note ""
         - You can explicitly denote the order using a number between -1000 and 1000
         - The smaller the order, the rule will be evaluated first. All Ingresses without an explicit order setting get order value as 0
@@ -101,26 +105,26 @@ By default, Ingresses don't belong to any IngressGroup, and we treat it as a "im
 Traffic Listening can be controlled with the following annotations:
 
 - <a name="listen-ports">`alb.ingress.kubernetes.io/listen-ports`</a> specifies the ports that ALB listens on.
-
+    
     !!!note "Merge Behavior"
         `listen-ports` is merged across all Ingresses in IngressGroup.
-
+            
         - You can define different listen-ports per Ingress, Ingress rules will only impact the ports defined for that Ingress.
         - If same listen-port is defined by multiple Ingress within IngressGroup, Ingress rules will be merged with respect to their group order within IngressGroup.
 
     !!!note "Default"
         - defaults to `'[{"HTTP": 80}]'` or `'[{"HTTPS": 443}]'` depending on whether `certificate-arn` is specified.
 
-    !!!warning ""
+    !!!warning "" 
         You may not have duplicate load balancer ports defined.
-
+    
     !!!example
         ```
         alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}, {"HTTP": 8080}, {"HTTPS": 8443}]'
         ```
-
+  
 - <a name="ssl-redirect">`alb.ingress.kubernetes.io/ssl-redirect`</a> enables SSLRedirect and specifies the SSL port that redirects to.
-
+  
     !!!note "Merge Behavior"
         `ssl-redirect` is exclusive across all Ingresses in IngressGroup.
 
@@ -143,7 +147,7 @@ Traffic Listening can be controlled with the following annotations:
         ```
 
 - <a name="customer-owned-ipv4-pool">`alb.ingress.kubernetes.io/customer-owned-ipv4-pool`</a> specifies the customer-owned IPv4 address pool for ALB on Outpost.
-
+    
     !!!warning ""
         This annotation should be treated as immutable. To remove or change coIPv4Pool, you need to recreate Ingress.
 
@@ -203,7 +207,7 @@ Traffic Routing can be controlled with following annotations:
         alb.ingress.kubernetes.io/backend-protocol: HTTPS
         ```
 
-- <a name="backend-protocol-version">`alb.ingress.kubernetes.io/backend-protocol-version`</a> specifies the application protocol used to route traffic to pods. Only valid when HTTP or HTTPS is used as the backend protocol.
+- <a name="backend-protocol-version">`alb.ingress.kubernetes.io/backend-protocol-version`</a> specifies the application protocol used to route traffic to pods. Only valid when HTTP or HTTPS is used as the backend protocol. 
 
     !!!example
         - HTTP2
@@ -236,7 +240,7 @@ Traffic Routing can be controlled with following annotations:
         ARN can be used in forward action(both simplified schema and advanced schema), it must be an targetGroup created outside of k8s, typically an targetGroup for legacy application.
     !!!note "use ServiceName/ServicePort in forward Action"
         ServiceName/ServicePort can be used in forward action(advanced schema only).
-
+    
     !!!warning ""
         [Auth related annotations](#authentication) on Service object will only be respected if a single TargetGroup in is used.
 
@@ -297,24 +301,24 @@ Traffic Routing can be controlled with following annotations:
                           name: use-annotation
         ```
 
-- <a name="conditions">`alb.ingress.kubernetes.io/conditions.${conditions-name}`</a> Provides a method for specifying routing conditions **in addition to original host/path condition on Ingress spec**.
-
-    The `conditions-name` in the annotation must match the serviceName in the Ingress rules.
+- <a name="conditions">`alb.ingress.kubernetes.io/conditions.${conditions-name}`</a> Provides a method for specifying routing conditions **in addition to original host/path condition on Ingress spec**. 
+    
+    The `conditions-name` in the annotation must match the serviceName in the Ingress rules. 
     It can be a either real serviceName or an annotation based action name when servicePort is `use-annotation`.
-
+    
     !!!warning "limitations"
         General ALB limitations applies:
 
         1. Each rule can optionally include up to one of each of the following conditions: host-header, http-request-method, path-pattern, and source-ip. Each rule can also optionally include one or more of each of the following conditions: http-header and query-string.
-
+            
         2. You can specify up to three match evaluations per condition.
-
+            
         3. You can specify up to five match evaluations per rule.
-
+        
         Refer [ALB documentation](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-listeners.html#rule-condition-types) for more details.
 
     !!!example
-        - rule-path1:
+        - rule-path1: 
             - Host is www.example.com OR anno.example.com
             - Path is /path1
         - rule-path2:
@@ -455,7 +459,7 @@ Access control for LoadBalancer can be controlled with following annotations:
         - if same listen-port is defined by multiple Ingress within IngressGroup, inbound-cidrs should only be defined on one of the Ingress.
 
     !!!note "Default"
-
+        
         - `0.0.0.0/0` will be used if the IPAddressType is "ipv4"
         - `0.0.0.0/0` and `::/0` will be used if the IPAddressType is "dualstack"
 
@@ -506,7 +510,7 @@ ALB supports authentication with Cognito or OIDC. See [Authenticate Users Using
         ```
         alb.ingress.kubernetes.io/auth-type: cognito
         ```
-
+        
 - <a name="auth-idp-cognito">`alb.ingress.kubernetes.io/auth-idp-cognito`</a> specifies the cognito idp configuration.
 
     !!!tip ""
@@ -518,7 +522,7 @@ ALB supports authentication with Cognito or OIDC. See [Authenticate Users Using
         ```
 
 - <a name="auth-idp-oidc">`alb.ingress.kubernetes.io/auth-idp-oidc`</a> specifies the oidc idp configuration.
-
+    
     !!!tip ""
         You need to create an [secret](https://kubernetes.io/docs/concepts/configuration/secret/) within the same namespace as Ingress to hold your OIDC clientID and clientSecret. The format of secret is as below:
         ```yaml
@@ -538,12 +542,12 @@ ALB supports authentication with Cognito or OIDC. See [Authenticate Users Using
         ```
 
 - <a name="auth-on-unauthenticated-request">`alb.ingress.kubernetes.io/auth-on-unauthenticated-request`</a> specifies the behavior if the user is not authenticated.
-
+	
 	!!!info "options:"
         * **authenticate**: try authenticate with configured IDP.
         * **deny**: return an HTTP 401 Unauthorized error.
         * **allow**: allow the request to be forwarded to the target.
-
+    
     !!!example
         ```
         alb.ingress.kubernetes.io/auth-on-unauthenticated-request: authenticate
@@ -557,7 +561,7 @@ ALB supports authentication with Cognito or OIDC. See [Authenticate Users Using
 	    * **profile**
 	    * **openid**
 	    * **aws.cognito.signin.user.admin**
-
+	
     !!!example
         ```
         alb.ingress.kubernetes.io/auth-scope: 'email openid'
@@ -569,7 +573,7 @@ ALB supports authentication with Cognito or OIDC. See [Authenticate Users Using
         ```
         alb.ingress.kubernetes.io/auth-session-cookie: custom-cookie
         ```
-
+        
 - <a name="auth-session-timeout">`alb.ingress.kubernetes.io/auth-session-timeout`</a> specifies the maximum duration of the authentication session, in seconds
 
     !!!example
@@ -680,7 +684,7 @@ SSL support can be controlled with following annotations:
     !!!tip ""
         The first certificate in the list will be added as default certificate. And remaining certificate will be added to the optional certificate list.
         See [SSL Certificates](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#https-listener-certificates) for more details.
-
+   
     !!!tip "Certificate Discovery"
         TLS certificates for ALB Listeners can be automatically discovered with hostnames from Ingress resources. See [Certificate Discovery](cert_discovery.md) for instructions.
 
@@ -693,7 +697,7 @@ SSL support can be controlled with following annotations:
             ```
             alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-west-2:xxxxx:certificate/cert1,arn:aws:acm:us-west-2:xxxxx:certificate/cert2,arn:aws:acm:us-west-2:xxxxx:certificate/cert3
             ```
-
+        
 - <a name="ssl-policy">`alb.ingress.kubernetes.io/ssl-policy`</a> specifies the [Security Policy](https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html#describe-ssl-policies) that should be assigned to the ALB, allowing you to control the protocol and ciphers.
 
     !!!example
@@ -712,7 +716,7 @@ Custom attributes to LoadBalancers and TargetGroups can be controlled with follo
     !!!note ""
         - If `deletion_protection.enabled=true` is in annotation, the controller will not be able to delete the ALB during reconciliation. Once the attribute gets edited to `deletion_protection.enabled=false` during reconciliation, the deployer will force delete the resource.
         - Please note, if the deletion protection is not enabled via annotation (e.g. via AWS console), the controller still deletes the underlying resource.
-
+    
     !!!example
         - enable access log to s3
             ```
@@ -766,7 +770,7 @@ The AWS Load Balancer Controller automatically applies following tags to the AWS
 In addition, you can use annotations to specify additional tags
 
 - <a name="tags">`alb.ingress.kubernetes.io/tags`</a> specifies additional tags that will be applied to AWS resources created.
-  In case of target group, the controller will merge the tags from the ingress and the backend service giving precedence
+  In case of target group, the controller will merge the tags from the ingress and the backend service giving precedence 
   to the values specified on the service when there is conflict.
 
     !!!example
@@ -802,3 +806,10 @@ In addition, you can use annotations to specify additional tags
         ```alb.ingress.kubernetes.io/shield-advanced-protection: 'true'
         ```
 
+## VPC Endpoint Service
+A VPC Endpoint Service can be attached to a controlled loadbalancer via the following annotations:
+
+- <a name="endpoint-service-enable">``alb.ingress.kubernetes.io/aws-load-balancer-endpoint-service-enabled`</a> specifies whether to create a VPC Endpoint Service or not.  The `--enable-endpoint-service` flag must also be set.
+- <a name="endpoint-service-acceptance">``alb.ingress.kubernetes.io/aws-load-balancer-endpoint-service-acceptance-required`</a> specifies whether requests to attach an Endpoint to the Endpoint Service require manual acceptance.
+- <a name="endpoint-allowed-principals">``alb.ingress.kubernetes.io/aws-load-balancer-endpoint-service-allowed-principals`</a> is a list of principals from which an Endpoint can be attached to this Endpoint Service.
+- <a name="endpoint-private-dns">``alb.ingress.kubernetes.io/aws-load-balancer-endpoint-service-private-dns-name`</a> is the private DNS name given to the Endpoint Service.  This will need to be verifies through a valid DNS record.
diff --git a/docs/guide/service/annotations.md b/docs/guide/service/annotations.md
@@ -47,6 +47,10 @@
 | [service.beta.kubernetes.io/aws-load-balancer-target-node-labels](#target-node-labels)           | stringMap               |                           |                                                        |
 | [service.beta.kubernetes.io/aws-load-balancer-attributes](#load-balancer-attributes)             | stringMap               |                           |                                                        |
 | [service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules](#manage-backend-sg-rules)  | boolean    | true                      |                                                        |
+| [service.beta.kubernetes.io/aws-load-balancer-endpoint-service-enabled](#endpoint-service-enable)| boolean                 | false                     |                                                        |
+| [service.beta.kubernetes.io/aws-load-balancer-endpoint-service-acceptance-required](#endpoint-service-acceptance)| boolean |                           |                                                        |
+| [service.beta.kubernetes.io/aws-load-balancer-endpoint-service-allowed-principals](#endpoint-allowed-principals)| stringList |                         |                                                        |
+| [service.beta.kubernetes.io/aws-load-balancer-endpoint-service-private-dns-name](#endpoint-private-dns)| string            |                           |                                                        |
 
 ## Traffic Routing
 Traffic Routing can be controlled with following annotations:
@@ -430,6 +434,17 @@ Load balancer access can be controlled via following annotations:
         service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: "false"
         ```
 
+## VPC Endpoint Service
+A VPC Endpoint Service can be attached to a controlled loadbalancer via the following annotations:
+
+- <a name="endpoint-service-enable">`service.beta.kubernetes.io/aws-load-balancer-endpoint-service-enabled`</a> specifies whether to create a VPC Endpoint Service or not.  The `--enable-endpoint-service` flag must also be set.
+
+- <a name="endpoint-service-acceptance">`service.beta.kubernetes.io/aws-load-balancer-endpoint-service-acceptance-required`</a> specifies whether requests to attach an Endpoint to the Endpoint Service require manual acceptance.
+
+- <a name="endpoint-allowed-principals">`service.beta.kubernetes.io/aws-load-balancer-endpoint-service-allowed-principals`</a> is a list of principals from which an Endpoint can be attached to this Endpoint Service.
+
+- <a name="endpoint-private-dns">`service.beta.kubernetes.io/aws-load-balancer-endpoint-service-private-dns-name`</a> is the private DNS name given to the Endpoint Service.  This will need to be verified through a valid DNS record.
+
 ## Legacy Cloud Provider
 The AWS Load Balancer Controller manages Kubernetes Services in a compatible way with the legacy aws cloud provider. The annotation `service.beta.kubernetes.io/aws-load-balancer-type` is used to determine which controller reconciles the service. If the annotation value is `nlb-ip` or `external`, legacy cloud provider ignores the service resource (provided it has the correct patch) so that the AWS Load Balancer controller can take over. For all other values of the annotation, the legacy cloud provider will handle the service. Note that this annotation should be specified during service creation and not edited later.