Description
Bug Description
The AWS Load Balancer Controller v2.13.3 is failing to create ALB Target Groups, reporting a ValidationError: Value '0' at 'port' failed to satisfy constraint: Member must have value greater than or equal to 1. This occurs even though the associated Kubernetes Ingress and Service resources explicitly define a valid backend port (e.g., 8080).
The LBC's own internal "model" (as logged) shows that it is attempting to create the AWS Target Group with port: 0, and also setting ports[{"protocol":"TCP","port":0}] in the networking.ingress section of the TargetGroupBinding model, despite correctly identifying serviceRef.port: 8080.
Steps to Reproduce
- We are using EKS cluster with version 1.33
- Installed AWS Load Balancer Controller v2.13.3.
- Tried to deploy an application with helm using below command -
helm upgrade -i my-app ./ -f envs/stg-values.yaml -n my-app
where
service.yaml:
```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-app
  namespace: my-app
  labels:
    app.kubernetes.io/name: my-app
    app.kubernetes.io/instance: my-app
spec:
  type: ClusterIP
  ports:
    - port: 8080
      targetPort: 8080
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: my-app
    app.kubernetes.io/instance: my-app
```
ingress.yaml:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  namespace: my-app
  labels:
    helm.sh/chart: my-app-0.1.0
    app.kubernetes.io/name: my-app
    app.kubernetes.io/instance: my-app
    app.kubernetes.io/version: "1.16.0"
    app.kubernetes.io/managed-by: Helm
  annotations:
    cert-manager.io/cluster-issuer: xxxxx-xxx
    # meta.helm.sh/release-name: my-app # These are generated, not typically in source
    # meta.helm.sh/release-namespace: my-app
spec:
  ingressClassName: alb
  tls:
    - hosts:
        - "abc.xxxxxx.com"
      secretName: icon-tls
  rules:
    - host: "abc.xxxxxx.com"
      http:
        paths:
          - path: /
            pathType: ImplementationSpecific
            backend:
              service:
                name: my-app
                port:
                  number: 8080
```
Expected Behavior
The AWS Load Balancer Controller should successfully create an ALB Target Group with `Port: 8080` (or the corresponding `targetPort` of the service if `alb.ingress.kubernetes.io/target-type: ip` was used, but given `targetType: instance`, it should use the `Service.port`).
Actual Behavior
The AWS Load Balancer Controller logs show an attempt to create the Target Group with `port: 0`, leading to a `ValidationError` from the AWS API.
Error Output (from LBC logs):
> {"level":"info","ts":"2025-06-18T05:57:59Z","logger":"controllers.ingress","msg":"successfully built model","model":"{\"id\":\"my-app/my-app\",\"resources\":{\"AWS::EC2::SecurityGroup\":{\"ManagedLBSecurityGroup\":{\"spec\":{\"groupName\":\"k8s-xxxxxxic-xxxxxxic-9dbf8cb661\",\"description\":\"[k8s] Managed SecurityGroup for LoadBalancer\",\"ingress\":[{\"ipProtocol\":\"tcp\",\"fromPort\":80,\"toPort\":80,\"ipRanges\":[{\"cidrIP\":\"0.0.0.0/0\"}]}]}}},\"AWS::ElasticLoadBalancingV2::Listener\":{\"80\":{\"spec\":{\"loadBalancerARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::LoadBalancer/LoadBalancer/status/loadBalancerARN\"},\"port\":80,\"protocol\":\"HTTP\",\"defaultActions\":[{\"type\":\"fixed-response\",\"fixedResponseConfig\":{\"contentType\":\"text/plain\",\"statusCode\":\"404\"}}]}}},\"AWS::ElasticLoadBalancingV2::ListenerRule\":{\"80:1\":{\"spec\":{\"listenerARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::Listener/80/status/listenerARN\"},\"priority\":1,\"actions\":[{\"type\":\"forward\",\"forwardConfig\":{\"targetGroups\":[{\"targetGroupARN\":{\"$ref\":\"#/resources::ElasticLoadBalancingV2::TargetGroup/my-app/my-app-my-app:8080/status/targetGroupARN\"}}]}}],\"conditions\":[{\"field\":\"host-header\",\"hostHeaderConfig\":{\"values\":[\"abc.xxxxxx.com\"]}},{\"field\":\"path-pattern\",\"pathPatternConfig\":{\"values\":[\"/\"]}}]}}},\"AWS::ElasticLoadBalancingV2::LoadBalancer\":{\"LoadBalancer\":{\"spec\":{\"name\":\"k8s-xxxxxxic-xxxxxxic-197ad4dfda\",\"type\":\"application\",\"scheme\":\"internal\",\"ipAddressType\":\"ipv4\",\"subnetMapping\":[{\"subnetID\":\"subnet-03xxxxxxa24f0xxx6\"},{\"subnetID\":\"subnet-05b01a3c1f0c301f6\"}],\"securityGroups\":[{\"$ref\":\"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID\"},\"sg-0c2xxxxxx771xxx4b\"]}}},\"AWS::ElasticLoadBalancingV2::TargetGroup\":{\"my-app/my-app-my-app:8080\":{\"spec\":{\"name\":\"k8s-xxxxxxic-xxxxxxic-5390b5336d\",\"targetType\":\"instance\",\"port\":0,\"protocol\":\"HTTP\",\"protocolVersion\":\"HTTP1\",\"ipAddressType\":\"ipv4\",\"healthCheckConfig\":{\"port\":\"traffic-port\",\"protocol\":\"HTTP\",\"path\":\"/\",\"matcher\":{\"httpCode\":\"200\"},\"intervalSeconds\":15,\"timeoutSeconds\":5,\"healthyThresholdCount\":2,\"unhealthyThresholdCount\":2}}}},\"K8S::ElasticLoadBalancingV2::TargetGroupBinding\":{\"my-app/my-app-my-app:8080\":{\"spec\":{\"template\":{\"metadata\":{\"name\":\"k8s-xxxxxxic-xxxxxxic-5390b5336d\",\"namespace\":\"my-app\",\"creationTimestamp\":null},\"spec\":{\"targetGroupARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/my-app/my-app-my-app:8080/status/targetGroupARN\"},\"targetType\":\"instance\",\"serviceRef\":{\"name\":\"my-app\",\"port\":8080},\"networking\":{\"ingress\":[{\"from\":[{\"securityGroup\":{\"groupID\":\"sg-0c2xxxxxx771xxx4b\"}}],\"ports\":[{\"protocol\":\"TCP\",\"port\":0}]}]},\"ipAddressType\":\"ipv4\",\"vpcID\":\"vpc-xxxxxxxx4963xx\"}}}}}}}"}
> {"level":"info","ts":"2025-06-18T05:58:00Z","logger":"controllers.ingress","msg":"creating targetGroup","stackID":"my-app/my-app","resourceID":"my-app/my-app-my-app:8080"}
> {"level":"error","ts":"2025-06-18T05:58:00Z","msg":"Reconciler error","controller":"ingress","object":{"name":"my-app","namespace":"my-app"},"namespace":"my-app","name":"my-app","reconcileID":"818b11e3-efcc-467c-b74a-4146902dea95","error":"operation error Elastic Load Balancing v2: CreateTargetGroup, https response error StatusCode: 400, RequestID: c757faa0-0e96-485c-aa3e-f0d720087ff9, api error ValidationError: 1 validation error detected: Value '0' at 'port' failed to satisfy constraint: Member must have value greater than or equal to 1"}
Regression
Was the functionality working correctly in a previous version ? [Yes / No]
If yes, specify the last version where it worked as expected
Current Workarounds
Environment
- AWS Load Balancer controller version:
v2.13.3
- Kubernetes version:
v1.33
- Using EKS (yes/no), if so version?:
yes
v1.33
- Using Service or Ingress:
both
- AWS region:
us-east-2
- How was the aws-load-balancer-controller installed:
one for now
- If helm was used then please show output of
helm ls -A | grep -i aws-load-balancer-controller
alb-controller alb-controller 2 2025-06-18 00:30:41.906182 +0530 IST deployed aws-load-balancer-controller-1.13.3 v2.13.3
- If helm was used then please show output of
helm get values -n alb-controller alb-controller
USER-SUPPLIED VALUES:
clusterName: xxxx-us-xxx-eks
region: us-east-2
serviceAccount:
create: false
name: aws-load-balancer-controller
vpcId: vpc-xxxxxxxx4963xx
- If helm was not used, then copy/paste the exact command used to install the controller, including flags and options.
- Current state of the Controller configuration:
kubectl -n <controllernamespace> describe deployment aws-load-balancer-controller
k describe deployment -n alb-controller alb-controller-aws-load-balancer-controller
Name: alb-controller-aws-load-balancer-controller
Namespace: alb-controller
CreationTimestamp: Mon, 16 Jun 2025 17:23:42 +0530
Labels: app.kubernetes.io/instance=alb-controller
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=aws-load-balancer-controller
app.kubernetes.io/version=v2.13.3
helm.sh/chart=aws-load-balancer-controller-1.13.3
Annotations: deployment.kubernetes.io/revision: 2
meta.helm.sh/release-name: alb-controller
meta.helm.sh/release-namespace: alb-controller
Selector: app.kubernetes.io/instance=alb-controller,app.kubernetes.io/name=aws-load-balancer-controller
Replicas: 2 desired | 2 updated | 2 total | 2 available | 0 unavailable
StrategyType: RollingUpdate
MinReadySeconds: 0
RollingUpdateStrategy: 25% max unavailable, 25% max surge
Pod Template:
Labels: app.kubernetes.io/instance=alb-controller
app.kubernetes.io/name=aws-load-balancer-controller
Annotations: prometheus.io/port: 8080
prometheus.io/scrape: true
Service Account: aws-load-balancer-controller
Containers:
aws-load-balancer-controller:
Image: public.ecr.aws/eks/aws-load-balancer-controller:v2.13.3
Ports: 9443/TCP, 8080/TCP
Host Ports: 0/TCP, 0/TCP
Args:
--cluster-name=xxxx-us-xxx-eks
--ingress-class=alb
--aws-region=us-east-2
--aws-vpc-id=vpc-xxxxxxxx4963xx
Liveness: http-get http://:61779/healthz delay=30s timeout=10s period=10s #success=1 #failure=2
Readiness: http-get http://:61779/readyz delay=10s timeout=10s period=10s #success=1 #failure=2
Environment:
Mounts:
/tmp/k8s-webhook-server/serving-certs from cert (ro)
Volumes:
cert:
Type: Secret (a volume populated by a Secret)
SecretName: aws-load-balancer-tls
Optional: false
Priority Class Name: system-cluster-critical
Node-Selectors:
Tolerations:
Conditions:
Type Status Reason
Available True MinimumReplicasAvailable
Progressing True NewReplicaSetAvailable
OldReplicaSets: alb-controller-aws-load-balancer-controller-5f6b449996 (0/0 replicas created)
NewReplicaSet: alb-controller-aws-load-balancer-controller-c855585d5 (2/2 replicas created)
Events:
- Current state of the Ingress/Service configuration:
kubectl describe ingressclasses
Name: alb
Labels: app.kubernetes.io/instance=alb-controller
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=aws-load-balancer-controller
app.kubernetes.io/version=v2.13.3
helm.sh/chart=aws-load-balancer-controller-1.13.3
Annotations: meta.helm.sh/release-name: alb-controller
meta.helm.sh/release-namespace: alb-controller
Controller: ingress.k8s.aws/alb
Events:
kubectl describe ing -n my-app my-app
Name: my-app
Labels: app.kubernetes.io/instance=my-app
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=my-app
app.kubernetes.io/version=1.16.0
helm.sh/chart=my-app-0.1.0
Namespace: my-app
Address:
Ingress Class: alb
Default backend:
TLS:
icon-tls terminates abc.xxxxxx.com
Rules:
Host Path Backends
abc.xxxxxx.com
/ my-app:8080 (10.0.152.88:8080)
Annotations: alb.ingress.kubernetes.io/target-group-attributes: port=8080
cert-manager.io/cluster-issuer: xxxxx-xxx
meta.helm.sh/release-name: my-app
meta.helm.sh/release-namespace: my-app
Events:
Type Reason Age From Message
Normal CreateCertificate 43m cert-manager-ingress-shim Successfully created Certificate "icon-tls"
Warning FailedDeployModel 43m ingress Failed deploy model due to operation error Elastic Load Balancing v2: CreateTargetGroup, https response error StatusCode: 400, RequestID: 1a5780b4-e2b0-4ee2-8e58-68242d09e778, api error ValidationError: 1 validation error detected: Value '0' at 'port' failed to satisfy constraint: Member must have value greater than or equal to 1
Warning FailedDeployModel 43m ingress Failed deploy model due to operation error Elastic Load Balancing v2: CreateTargetGroup, https response error StatusCode: 400, RequestID: c96414e6-984a-4d66-a375-f0283ce77b32, api error ValidationError: 1 validation error detected: Value '0' at 'port' failed to satisfy constraint: Member must have value greater than or equal to 1
Warning FailedDeployModel 43m ingress Failed deploy model due to operation error Elastic Load Balancing v2: CreateTargetGroup, https response error StatusCode: 400, RequestID: 7f0c86fc-0516-4c8a-94cd-7d23a3557ce5, api error ValidationError: 1 validation error detected: Value '0' at 'port' failed to satisfy constraint: Member must have value greater than or equal to 1
Warning FailedDeployModel 43m ingress Failed deploy model due to operation error Elastic Load Balancing v2: CreateTargetGroup, https response error StatusCode: 400, RequestID: 5afcf5b4-1c38-4caf-9046-0f76c23537fd, api error ValidationError: 1 validation error detected: Value '0' at 'port' failed to satisfy constraint: Member must have value greater than or equal to 1
Warning FailedDeployModel 43m ingress Failed deploy model due to operation error Elastic Load Balancing v2: CreateTargetGroup, https response error StatusCode: 400, RequestID: a9209e18-2af9-403f-a6f5-a06faebb3d4e, api error ValidationError: 1 validation error detected: Value '0' at 'port' failed to satisfy constraint: Member must have value greater than or equal to 1
Warning FailedDeployModel 43m ingress Failed deploy model due to operation error Elastic Load Balancing v2: CreateTargetGroup, https response error StatusCode: 400, RequestID: d109b076-a8b6-4999-88a2-4576b19aa26c, api error ValidationError: 1 validation error detected: Value '0' at 'port' failed to satisfy constraint: Member must have value greater than or equal to 1
Warning FailedDeployModel 43m ingress Failed deploy model due to operation error Elastic Load Balancing v2: CreateTargetGroup, https response error StatusCode: 400, RequestID: 29470bad-1881-444d-8c7a-c1bd4c3aaaab, api error ValidationError: 1 validation error detected: Value '0' at 'port' failed to satisfy constraint: Member must have value greater than or equal to 1
Warning FailedDeployModel 43m ingress Failed deploy model due to operation error Elastic Load Balancing v2: CreateTargetGroup, https response error StatusCode: 400, RequestID: c40345b2-5052-4f4e-a3c2-4b007819ce11, api error ValidationError: 1 validation error detected: Value '0' at 'port' failed to satisfy constraint: Member must have value greater than or equal to 1
Warning FailedDeployModel 43m ingress Failed deploy model due to operation error Elastic Load Balancing v2: CreateTargetGroup, https response error StatusCode: 400, RequestID: a27fdfef-5254-4d8d-a006-5ff14afb9f2b, api error ValidationError: 1 validation error detected: Value '0' at 'port' failed to satisfy constraint: Member must have value greater than or equal to 1
Warning FailedDeployModel 31m (x9 over 42m) ingress (combined from similar events): Failed deploy model due to operation error Elastic Load Balancing v2: CreateTargetGroup, https response error StatusCode: 400, RequestID: b5f0a683-b442-4181-b859-6f9d657bd696, api error ValidationError: 1 validation error detected: Value '0' at 'port' failed to satisfy constraint: Member must have value greater than or equal to 1
Warning FailedDeployModel 21m ingress Failed deploy model due to operation error Elastic Load Balancing v2: CreateTargetGroup, https response error StatusCode: 400, RequestID: 5688dedb-7e69-4fb3-80cb-346f828d9a92, api error ValidationError: 1 validation error detected: Value '0' at 'port' failed to satisfy constraint: Member must have value greater than or equal to 1
Warning FailedDeployModel 4m22s ingress Failed deploy model due to operation error Elastic Load Balancing v2: CreateTargetGroup, https response error StatusCode: 400, RequestID: 9e8a4201-8a08-49bb-bde2-46608d721f3c, api error ValidationError: 1 validation error detected: Value '0' at 'port' failed to satisfy constraint: Member must have value greater than or equal to 1
kubectl describe svc -n my-app my-app
Name: my-app
Namespace: my-app
Labels: app.kubernetes.io/instance=my-app
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=my-app
app.kubernetes.io/version=1.16.0
helm.sh/chart=my-app-0.1.0
Annotations: meta.helm.sh/release-name: my-app
meta.helm.sh/release-namespace: my-app
Selector: app.kubernetes.io/instance=my-app,app.kubernetes.io/name=my-app
Type: ClusterIP
IP Family Policy: SingleStack
IP Families: IPv4
IP: 172.20.76.31
IPs: 172.20.76.31
Port: http 8080/TCP
TargetPort: 8080/TCP
Endpoints: 10.0.152.88:8080
Session Affinity: None
Internal Traffic Policy: Cluster
Events:
Possible Solution (Optional)
Contribution Intention (Optional)
- Yes, I'm willing to submit a PR to fix this issue
- No, I cannot work on a PR at this time
Additional Context
`kubectl get ingress my-apss -n my-apss -o yaml` confirms `port: number: 8080` is present in the deployed Ingress resource.
`helm template my-apss ./ -f envs/prod-values.yaml -n my-apss` also shows `port: number: 8080` in the templated Ingress.
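
A way to spot this condition from the controller's log before the `CreateTargetGroup` call fails, as an added example that is not part of the original report or the controller's code: it decodes the nested `model` JSON from a `successfully built model` line and reports any target group whose port falls outside 1-65535, next to the `serviceRef.port` and security-group rule ports from the matching TargetGroupBinding. The sample line is constructed from the shape of the log above; `audit_model_line` and the finding keys are hypothetical names.

```python
import json

TG = "AWS::ElasticLoadBalancingV2::TargetGroup"
TGB = "K8S::ElasticLoadBalancingV2::TargetGroupBinding"

# Constructed sample: one "successfully built model" line, trimmed to the fields
# the check reads (names and IDs are placeholders, not values from a real cluster).
SAMPLE_LOG = json.dumps({
    "level": "info", "logger": "controllers.ingress", "msg": "successfully built model",
    "model": json.dumps({"id": "my-app/my-app", "resources": {
        TG: {"my-app/my-app-my-app:8080": {"spec": {
            "name": "k8s-example-tg", "targetType": "instance", "port": 0, "protocol": "HTTP"}}},
        TGB: {"my-app/my-app-my-app:8080": {"spec": {"template": {"spec": {
            "targetType": "instance",
            "serviceRef": {"name": "my-app", "port": 8080},
            "networking": {"ingress": [{"ports": [{"protocol": "TCP", "port": 0}]}]}}}}}},
    }}),
})

def valid_port(p):
    # bool is a subclass of int in Python, so exclude it explicitly
    return isinstance(p, int) and not isinstance(p, bool) and 1 <= p <= 65535

def audit_model_line(line):
    """Return one finding per modelled target group whose port the ELBv2 API would reject."""
    entry = json.loads(line)
    if entry.get("msg") != "successfully built model":
        return []
    model = json.loads(entry["model"])  # the model is JSON serialized inside a JSON string
    resources = model.get("resources", {})
    findings = []
    for res_id, tg in resources.get(TG, {}).items():
        spec = tg.get("spec", {})
        if valid_port(spec.get("port")):
            continue
        # The binding shares the target group's resource ID in the model
        tgb = resources.get(TGB, {}).get(res_id, {})
        tgb_spec = tgb.get("spec", {}).get("template", {}).get("spec", {})
        rules = tgb_spec.get("networking", {}).get("ingress", [])
        findings.append({
            "stack": model.get("id"), "resource": res_id,
            "targetType": spec.get("targetType"), "targetGroupPort": spec.get("port"),
            "serviceRefPort": tgb_spec.get("serviceRef", {}).get("port"),
            "sgRulePorts": [p.get("port") for r in rules for p in r.get("ports", [])],
        })
    return findings

if __name__ == "__main__":
    for finding in audit_model_line(SAMPLE_LOG):
        print(json.dumps(finding))
```

For `targetType: instance` the controller's annotation documentation requires a Service of type NodePort or LoadBalancer, so a finding with `targetGroupPort` 0 is worth comparing against the Service type.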