kubernetes-sigs · mwhittington21 · Sep 25, 2025
diff --git a/docs/deploy/configurations.md b/docs/deploy/configurations.md
@@ -189,3 +189,4 @@ There are a set of key=value pairs that describe AWS load balancer controller fe
 | LBCapacityReservation                 | string                          | true         | Enable or disable the capacity reservation feature on ALB and NLB                                                                                                                                                                                                 |
 | EnableTCPUDPListenerType              | string                          | false        | Enable or disable creation of TCP_UDP type listeners. This value can be overriden at the Service level by  the annotation `service.beta.kubernetes.io/aws-load-balancer-enable-tcp-udp-listener`                                                                  |
 | EnhancedDefaultBehavior              | string                          | false        | Enable this feature to allow the controller to remove Provisioned Capacity or mTLS settings by removing the corresponding annotation.                                                                                                                             |
+| EnableDefaultTagsLowPriority          | string                          | false        | If enabled, tags supplied via `--default-tags` will be overridden by tags specified in other manners, like via annotations.                            |
diff --git a/helm/aws-load-balancer-controller/values.yaml b/helm/aws-load-balancer-controller/values.yaml
@@ -376,6 +376,7 @@ controllerConfig:
   # ALBSingleSubnet: false
   # LBCapacityReservation: true
   # EnhancedDefaultBehavior: false
+  # EnableDefaultTagsLowPriority: false
 
 certDiscovery:
   allowedCertificateAuthorityARNs: "" # empty means all CAs are in scope

diff --git a/main.go b/main.go
@@ -21,6 +21,7 @@ import (
 	"fmt"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"os"
+
 	elbv2gw "sigs.k8s.io/aws-load-balancer-controller/apis/gateway/v1beta1"
 	"sigs.k8s.io/aws-load-balancer-controller/controllers/gateway"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/aws/services"
@@ -120,6 +121,7 @@ func main() {
 		infoLogger.Error(err, "unable to load controller config")
 		os.Exit(1)
 	}
+
 	appLogger := getLoggerWithLogLevel(controllerCFG.LogLevel)
 	ctrl.SetLogger(appLogger)
 	klog.SetLoggerWithOptions(appLogger, klog.ContextualLogger(true))

diff --git a/pkg/config/feature_gates.go b/pkg/config/feature_gates.go
@@ -28,6 +28,7 @@ const (
 	NLBGatewayAPI                 Feature = "NLBGatewayAPI"
 	ALBGatewayAPI                 Feature = "ALBGatewayAPI"
 	EnhancedDefaultBehavior       Feature = "EnhancedDefaultBehavior"
+	EnableDefaultTagsLowPriority  Feature = "EnableDefaultTagsLowPriority"
 )
 
 type FeatureGates interface {
@@ -72,6 +73,7 @@ func NewFeatureGates() FeatureGates {
 			ALBGatewayAPI:                 false,
 			EnableTCPUDPListenerType:      false,
 			EnhancedDefaultBehavior:       false,
+			EnableDefaultTagsLowPriority:  false,
 		},
 	}
 }

diff --git a/pkg/gateway/model/base_model_builder.go b/pkg/gateway/model/base_model_builder.go
@@ -2,6 +2,7 @@ package model
 
 import (
 	"context"
+
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/addon"
 	config2 "sigs.k8s.io/aws-load-balancer-controller/pkg/gateway"
@@ -42,7 +43,7 @@ func NewModelBuilder(subnetsResolver networking.SubnetsResolver,
 	backendSGProvider networking.BackendSGProvider, sgResolver networking.SecurityGroupResolver, enableBackendSG bool,
 	disableRestrictedSGRules bool, allowedCAARNs []string, supportedAddons []addon.Addon, logger logr.Logger) Builder {
 
-	gwTagHelper := newTagHelper(sets.New(lbcConfig.ExternalManagedTags...), lbcConfig.DefaultTags)
+	gwTagHelper := newTagHelper(sets.New(lbcConfig.ExternalManagedTags...), lbcConfig.DefaultTags, featureGates.Enabled(config.EnableDefaultTagsLowPriority))
 	subnetBuilder := newSubnetModelBuilder(loadBalancerType, trackingProvider, subnetsResolver, elbv2TaggingManager)
 	sgBuilder := newSecurityGroupBuilder(gwTagHelper, clusterName, enableBackendSG, sgResolver, backendSGProvider, logger)
 	lbBuilder := newLoadBalancerBuilder(loadBalancerType, gwTagHelper, clusterName)

diff --git a/pkg/gateway/model/gateway_tag_helper.go b/pkg/gateway/model/gateway_tag_helper.go
@@ -12,14 +12,16 @@ type tagHelper interface {
 }
 
 type tagHelperImpl struct {
-	externalManagedTags sets.Set[string]
-	defaultTags         map[string]string
+	externalManagedTags               sets.Set[string]
+	defaultTags                       map[string]string
+	additionalTagsOverrideDefaultTags bool
 }
 
-func newTagHelper(externalManagedTags sets.Set[string], defaultTags map[string]string) tagHelper {
+func newTagHelper(externalManagedTags sets.Set[string], defaultTags map[string]string, additionalTagsOverrideDefaultTags bool) tagHelper {
 	return &tagHelperImpl{
-		externalManagedTags: externalManagedTags,
-		defaultTags:         defaultTags,
+		externalManagedTags:               externalManagedTags,
+		defaultTags:                       defaultTags,
+		additionalTagsOverrideDefaultTags: additionalTagsOverrideDefaultTags,
 	}
 }
 
@@ -36,6 +38,9 @@ func (t *tagHelperImpl) getGatewayTags(lbConf elbv2gw.LoadBalancerConfiguration)
 		return nil, err
 	}
 
+	if t.additionalTagsOverrideDefaultTags {
+		return algorithm.MergeStringMap(annotationTags, t.defaultTags), nil
+	}
 	return algorithm.MergeStringMap(t.defaultTags, annotationTags), nil
 }
 

diff --git a/pkg/gateway/model/gateway_tag_helper_test.go b/pkg/gateway/model/gateway_tag_helper_test.go
@@ -0,0 +1,134 @@
+package model
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"k8s.io/apimachinery/pkg/util/sets"
+	elbv2gw "sigs.k8s.io/aws-load-balancer-controller/apis/gateway/v1beta1"
+)
+
+func Test_tagHelperImpl_getGatewayTags(t *testing.T) {
+	tests := []struct {
+		name                   string
+		defaultTags            map[string]string
+		specTags               map[string]string
+		defaultTagsLowPriority bool
+		want                   map[string]string
+		wantErr                bool
+	}{
+		{
+			name: "when defaultTagsLowPriority is false, default tags override spec tags",
+			defaultTags: map[string]string{
+				"env":  "prod",
+				"team": "platform",
+			},
+			specTags: map[string]string{
+				"env": "dev",
+				"app": "web",
+			},
+			defaultTagsLowPriority: false,
+			want: map[string]string{
+				"env":  "prod",
+				"team": "platform",
+				"app":  "web",
+			},
+		},
+		{
+			name: "when defaultTagsLowPriority is true, spec tags override default tags",
+			defaultTags: map[string]string{
+				"env":  "prod",
+				"team": "platform",
+			},
+			specTags: map[string]string{
+				"env": "dev",
+				"app": "web",
+			},
+			defaultTagsLowPriority: true,
+			want: map[string]string{
+				"env":  "dev",
+				"team": "platform",
+				"app":  "web",
+			},
+		},
+		{
+			name: "when no overlapping tags, order doesn't matter",
+			defaultTags: map[string]string{
+				"team":        "platform",
+				"cost-center": "123",
+			},
+			specTags: map[string]string{
+				"app": "web",
+				"env": "dev",
+			},
+			defaultTagsLowPriority: false,
+			want: map[string]string{
+				"team":        "platform",
+				"cost-center": "123",
+				"app":         "web",
+				"env":         "dev",
+			},
+		},
+		{
+			name:        "when defaultTags is empty, all spec tags are used",
+			defaultTags: map[string]string{},
+			specTags: map[string]string{
+				"app": "web",
+				"env": "dev",
+			},
+			defaultTagsLowPriority: false,
+			want: map[string]string{
+				"app": "web",
+				"env": "dev",
+			},
+		},
+		{
+			name: "when specTags is empty, all default tags are used",
+			defaultTags: map[string]string{
+				"team":        "platform",
+				"cost-center": "123",
+			},
+			specTags:               map[string]string{},
+			defaultTagsLowPriority: false,
+			want: map[string]string{
+				"team":        "platform",
+				"cost-center": "123",
+			},
+		},
+		{
+			name: "when specTags contains external managed tag, returns error",
+			defaultTags: map[string]string{
+				"team": "platform",
+			},
+			specTags: map[string]string{
+				"external-tag": "value",
+			},
+			defaultTagsLowPriority: false,
+			want:                   nil,
+			wantErr:                true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			h := &tagHelperImpl{
+				externalManagedTags:               sets.New("external-tag"),
+				defaultTags:                       tt.defaultTags,
+				additionalTagsOverrideDefaultTags: tt.defaultTagsLowPriority,
+			}
+
+			lbConf := &elbv2gw.LoadBalancerConfiguration{}
+			if len(tt.specTags) > 0 {
+				lbConf.Spec.Tags = &tt.specTags
+			}
+
+			got, err := h.getGatewayTags(*lbConf)
+			if tt.wantErr {
+				assert.Error(t, err)
+			} else {
+				assert.NoError(t, err)
+				assert.Equal(t, tt.want, got)
+			}
+		})
+	}
+}
diff --git a/pkg/ingress/model_build_frontend_nlb_test.go b/pkg/ingress/model_build_frontend_nlb_test.go
@@ -15,6 +15,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/annotations"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/aws/services"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/config"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
 	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
@@ -987,7 +988,8 @@ func Test_buildFrontendNlbTags(t *testing.T) {
 				ingGroup:         tt.ingGroup,
 				annotationParser: annotations.NewSuffixAnnotationParser("alb.ingress.kubernetes.io"),
 				// Default implementation will return an empty map when no tags are specified
-				defaultTags: tt.defaultTags,
+				defaultTags:  tt.defaultTags,
+				featureGates: config.NewFeatureGates(),
 			}
 
 			got, err := task.buildFrontendNlbTags(context.Background(), nil)

diff --git a/pkg/ingress/model_build_listener.go b/pkg/ingress/model_build_listener.go
@@ -18,6 +18,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/algorithm"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/annotations"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/config"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/k8s"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
 	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
@@ -102,6 +103,9 @@ func (t *defaultModelBuildTask) buildListenerTags(_ context.Context, ingList []C
 	if err != nil {
 		return nil, err
 	}
+	if t.featureGates.Enabled(config.EnableDefaultTagsLowPriority) {
+		return algorithm.MergeStringMap(ingGroupTags, t.defaultTags), nil
+	}
 	return algorithm.MergeStringMap(t.defaultTags, ingGroupTags), nil
 }
 

diff --git a/pkg/ingress/model_build_listener_rules.go b/pkg/ingress/model_build_listener_rules.go
@@ -9,6 +9,7 @@ import (
 	"github.com/pkg/errors"
 	networking "k8s.io/api/networking/v1"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/algorithm"
+	"sigs.k8s.io/aws-load-balancer-controller/pkg/config"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/k8s"
 	"sigs.k8s.io/aws-load-balancer-controller/pkg/model/core"
 	elbv2model "sigs.k8s.io/aws-load-balancer-controller/pkg/model/elbv2"
@@ -313,5 +314,8 @@ func (t *defaultModelBuildTask) buildListenerRuleTags(_ context.Context, ing Cla
 		return nil, err
 	}
 
+	if t.featureGates.Enabled(config.EnableDefaultTagsLowPriority) {
+		return algorithm.MergeStringMap(ingTags, t.defaultTags), nil
+	}
 	return algorithm.MergeStringMap(t.defaultTags, ingTags), nil
 }