Component overview
The ALB Ingress Controller is based on Alibaba Cloud Application Load Balancer (ALB) and provides powerful Ingress traffic management. It is compatible with Nginx Ingress, supports complex business routing and automatic certificate discovery, and handles HTTP, HTTPS, and QUIC protocols. This makes it ideal for cloud-native applications that require high elasticity and large-scale Layer 7 traffic processing.
The ALB Ingress Controller watches the API server for changes to Ingress resources, dynamically generates an AlbConfig, and then creates or updates the required ALB instances, listeners, forwarding rules, and backend server groups. You can deploy this component in your Container Service for Kubernetes (ACK) cluster to manage Ingress traffic by configuring ALB Ingress resources.
Release notes
April 2026
Version | Release date | Changes | Impact |
v2.20.0 | April 16, 2026 | New features: Allows setting accessLogRecordCustomizedHeadersEnabled to false by specifying accessLogRecordCustomizedHeadersAllowDisable: true in the logConfig of ListenerSpec. The webhook now prevents the deletion of Service or Secret resources used by an ALB Ingress. A validation check is added for webhooks: when the path type is Prefix, the path cannot contain the wildcard character *.
Enhancements: Reduces the controller memory footprint. The controller now uses EndpointSlice instead of Endpoint for endpoint discovery by default. Reduces the wait time for asynchronous server group tasks.
Bug fixes: Fixes an issue where a change to the ALB resource group ID in AlbConfig did not take effect. Fixes an issue where an invalid forwarding configuration could cause the controller to panic when using custom forwarding rules.
| This upgrade has no impact on your workloads. |
January 2026
Version | Release date | Changes | Impact |
v2.19.0 | January 7, 2026 | New features Enhancements Improved the error message for listener creation failures caused by an expired certificate. Improved controller reconciliation performance. Enhanced the validation webhook to check for the following: The format of the SourceIP field in custom forwarding conditions. Whether the value of the AclType field is black or white. An ingress backend that specifies service.name but not service.port.
Added a webhook check to verify if an ingress is an ALB ingress.
Bug fixes Fixed a bug that prevented tags on an ALB instance from being removed when the tags field is deleted from the AlbConfig. Fixed a rare bug that could cause the controller to panic when a service is deleted.
| This upgrade does not affect your services. |
July 2025
Version number | Release date | Description | Impact |
v2.18.0-aliyun.1 | July 4, 2025 | Instance managed mode is enabled by default. You cannot manually modify the listeners and forwarding rules in the ALB console for ALB instances that are automatically created by AlbConfig. This restriction applies only to new ALB instances created after you upgrade to this version. Existing and reused instances are unaffected. You can now specify a default certificate in an AlbConfig object by using the defaultCertificate field. Improved the priority sorting logic for forwarding rules and removed the global uniqueness requirement for the order field. Fixed a controller panic caused by flow control during asynchronous task API queries. Fixed an issue where an access control list (ACL) applied to only one listener when an HTTPS listener and a QUIC listener shared the same port. Implemented a fixed waiting interval for readinessGate checks on unready pods. Improved the validation logic in the admission webhook for forwarding actions that do not include a terminating action.
| This upgrade has no impact on your services. |
March 2025
Version | Release date | Changes | Impact |
v2.17.2-aliyun.1 | March 31, 2025 | Fixed a server group reconciliation failure that caused a port-not-found error when Ingress rules in multiple namespaces pointed to Services with the same name but different ports. Fixed an invalid parameter error when querying IPv4 addresses in an IPv6 dual-stack cluster. Increased the maximum number of security groups that can be added or removed in a single batch API call from 4 to 9. Skipped API calls when no additional tags are required.
| This upgrade has no impact on your services. |
v2.17.1-aliyun.1 | March 18, 2025 | | This upgrade has no impact on your services. |
v2.16.0-aliyun.1 | March 4, 2025 |
Important Starting from this version, persistent connection is enabled by default for newly created server groups. Existing server groups are not affected. Before you upgrade, confirm whether this behavior change impacts your services. Enabled persistent connection by default for new server groups. Added support for assigning custom tags to listeners. Added support for disabling the cross-Availability Zone capability for server groups. Improved overall Service reconciliation performance. Optimized the timing of ReadinessGate status updates for Pods. A Pod's status is now updated only after all associated server groups are successfully updated. Added validation to prevent incorrect canary configurations. Adding a canary annotation directly to an Ingress now triggers an error and preserves the original forwarding rules. For canary releases, use either two separate Ingresses or custom forwarding actions.
| This upgrade has no impact on your services. |
January 2025
Version | Release date | Changes | Impact |
v2.15.2-aliyun.1 | January 24, 2025 | In a listener's XForwardedForConfig, you can configure XForwardedForProcessingMode to set the processing mode for the X-Forwarded-For header, and set XForwardedForHostEnabled to enable the X-Forwarded-Host request header. Fixed an issue where the component fails to start when ValidatingWebhookConfiguration does not exist. Fixed an issue where Webhook validation fails when alb.ingress.kubernetes.io/healthcheck-httpcode is configured with multiple values. Added a check for forwarding actions that do not include the FinalType type. Optimized the calculation of clientToken when you create an ALB instance.
| |
v2.15.0-aliyun.1 | January 6, 2025 | The ValidatingWebhook is now enabled by default to precheck AlbConfig and Ingress configurations. Supports AScript programmable scripts. The rate-limiting feature now supports fixed responses. The ssl-redirect and rate-limiting features are now compatible. Session persistence for server groups now supports custom cookies. Supports configuring security groups for new ALB instances. (Effective from 00:00:00 on February 25, 2025, UTC+8) Improved error messages for listener conflicts. The controller now sends event notifications for inconsistencies between TLS certificate configurations and forwarding rule certificates. The controller now validates associated resources, such as bandwidth plans. The gRPC protocol now supports certificate configuration in AlbConfig. Fixed an issue where the tag feature in AlbConfig could not be used after the creator tag feature was enabled. Fixed an issue where Service reconciliation continuously reported errors in some scenarios. Fixed an issue where an incorrect AlbConfig configuration caused the component to crash.
| This upgrade does not affect your services. |
May 2024
Version | Release date | Changes | Impact |
v2.13.1-aliyun.1 | May 10, 2024 | The controller now sends an event when an AlbConfig is not associated with an Ingress. Fixed a server group creation failure caused by a namespace starting with a number or a long namespace or service name.
| This upgrade does not affect your services. |