Merge pull request #3661 from rgs1/fix-default-for-aws-load-balancer-manage-backend-security-group-rules

k8s-ci-robot · web-flow · commit 4ffee8db9946 · 2024-05-01T16:47:22.000-07:00
Docs: clarify behavior for `manage-backend-security-group-rules`
diff --git a/docs/guide/service/annotations.md b/docs/guide/service/annotations.md
@@ -50,7 +50,7 @@
 | [service.beta.kubernetes.io/aws-load-balancer-target-node-labels](#target-node-labels)           | stringMap               |                           |                                                        |
 | [service.beta.kubernetes.io/aws-load-balancer-attributes](#load-balancer-attributes)             | stringMap               |                           |                                                        |
 | [service.beta.kubernetes.io/aws-load-balancer-security-groups](#security-groups)                 | stringList              |                           |                                                        | 
-| [service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules](#manage-backend-sg-rules)  | boolean    | true                      |                                                        |
+| [service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules](#manage-backend-sg-rules)  | boolean    | true                      | If `service.beta.kubernetes.io/aws-load-balancer-security-groups` is specified, this must also be explicitly specified otherwise it defaults to `false`. |
 | [service.beta.kubernetes.io/aws-load-balancer-inbound-sg-rules-on-private-link-traffic](#update-security-settings)         | string                  |                           |                                                                                   
 
 ## Traffic Routing
@@ -499,7 +499,7 @@ Load balancer access can be controlled via following annotations:
 - <a name="manage-backend-sg-rules">`service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules`</a> specifies whether the controller should automatically add the ingress rules to the instance/ENI security group.
 
     !!!warning ""
-        If you disable the automatic management of security group rules for an NLB, you will need to manually add appropriate ingress rules to your EC2 instance or ENI security groups to allow access to the traffic and health check ports.
+        If you disable the automatic management of security group rules for an NLB (e.g.: by setting `service.beta.kubernetes.io/aws-load-balancer-security-groups`), you will need to manually add appropriate ingress rules to your EC2 instance or ENI security groups to allow access to the traffic and health check ports.
 
     !!!example
         ```
