Deletion of ingresses and ingress classes do not get eventual consistency if the ingress class is deleted first

[james-alford-ln]

Bug Description

Deletion of ingresses and ingress classes do not get eventual consistency if the ingress class is deleted first.

The ingress is orphaned and cannot be cleaned up until the line ingressClassName: test-ingress-class is removed from the ingress manifest.

This differs from behaviour using nginx ingress where the ingresses can be removed post ingress class deletion without issue

Steps to Reproduce

deploy.yaml

apiVersion: v1
kind: Pod
metadata:
  name: test-pod
  namespace: default
  labels:
    app.kubernetes.io/name: test-pod
spec:
  containers:
  - name: nginx
    image: nginx:stable
    ports:
      - containerPort: 80
        name: http-web-svc

---
apiVersion: v1
kind: Service
metadata:
  name: test-service
  namespace: default
spec:
  selector:
    app.kubernetes.io/name: test-pod
  ports:
  - name: http-web-svc
    protocol: TCP
    port: 80
    targetPort: http-web-svc

---
apiVersion: elbv2.k8s.aws/v1beta1
kind: IngressClassParams
metadata:
  name: test-ingress-class-params
spec:
  certificateArn: []
  group:
    name: test-ingress-class-params
  inboundCIDRs:
    - 10.0.0.0/8
  ipAddressType: ipv4
  loadBalancerAttributes: []
  scheme: internal
  subnets:
    ids:
      - subnet-1
      - subnet-2
      - subnet-3
  targetType: ip

---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: test-ingress-class
  namespace: default
spec:
  controller: ingress.k8s.aws/alb
  parameters:
    apiGroup: elbv2.k8s.aws
    kind: IngressClassParams
    name: test-ingress-class-params
    scope: Cluster

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
  namespace: default
  labels:
    app.kubernetes.io/name: ingress
  annotations:
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/ssl-redirect: '443'
spec:
  ingressClassName: test-ingress-class
  rules:
    - host: subdomain.domain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: test-service
                port:
                  number: 80

Steps

$ kubectl apply -f deploy.yaml 

# Check status of objects that were deployed

$ kubectl get ingressclass/test-ingress-class
NAME                 CONTROLLER            PARAMETERS                                                   AGE
test-ingress-class   ingress.k8s.aws/alb   IngressClassParams.elbv2.k8s.aws/test-ingress-class-params   47s

$ kubectl get ingressclassparams/test-ingress-class-params
NAME                        GROUP-NAME                  SCHEME     IP-ADDRESS-TYPE   AGE
test-ingress-class-params   test-ingress-class-params   internal   ipv4              53s

$ kubectl get ingress/test-ingress
NAME           CLASS                HOSTS                  ADDRESS   PORTS   AGE
test-ingress   test-ingress-class   subdomain.domain.com             80      65s

# Delete the ingress class
kubectl delete ingressclass/test-ingress-class

# Check status of objects that were deployed/deleted

$ kubectl get ingressclass/test-ingress-class
Error from server (NotFound): ingressclasses.networking.k8s.io "test-ingress-class" not found

$ kubectl get ingress/test-ingress
NAME           CLASS                HOSTS                  ADDRESS   PORTS   AGE
test-ingress   test-ingress-class   subdomain.domain.com             80      2m15s

$ kubectl get ingressclassparams/test-ingress-class-params
NAME                        GROUP-NAME                  SCHEME     IP-ADDRESS-TYPE   AGE
test-ingress-class-params   test-ingress-class-params   internal   ipv4              2m23s

# Delete the ingress

$ kubectl delete ingress/test-ingress
ingress.networking.k8s.io "test-ingress" deleted

# Check if ingress is deleted (it is still present)

$ kubectl get ingress/test-ingress
NAME           CLASS                HOSTS                  ADDRESS   PORTS   AGE
test-ingress   test-ingress-class   subdomain.domain.com             80      3m39s


# Message on the orphaned ingress

Warning  FailedLoadGroupID  2m4s                    ingress  failed load groupID due to invalid ingress class: IngressClass.networking.k8s.io "test-ingress-class" not found

# Message in aws-load-balancer-controller logs

{"level":"error","ts":"2025-09-17T07:56:22Z","msg":"Reconciler error","controller":"ingress","object":{"name":"test-ingress-class-params"},"namespace":"","name":"test-ingress-class-params","reconcileID":"572594d7-65bd-4e81-9057-2117f8ff9999","error":"admission webhook \"vingress.elbv2.k8s.aws\" denied the request: invalid ingress class: IngressClass.networking.k8s.io \"test-ingress-class\" not found"}

Expected Behavior
Ingress to be removed

Actual Behavior
The ingress is still present after delete request sent, warning seen in the ingress referring to ingress class not found and aws load balancer controller gets an error from admission webhook (invalid ingress class)

Regression
Was the functionality working correctly in a previous version ? [Yes / No]
If yes, specify the last version where it worked as expected

Current Workarounds

Delete line ingressClassName: test-ingress-class from each ingress spec

Environment
Chart - aws-load-balancer-controller-1.13.4
EKS - 1.31

Possible Solution (Optional)

Contribution Intention (Optional)

• Yes, I'm willing to submit a PR to fix this issue
• No, I cannot work on a PR at this time

Additional Context

[shraddhabang]

@james-alford-ln Thank you for bringing this to our attention. Yes we dont have any finalizers implementation done for Ingress ClassParamas. We understand your frustration. We will update our docs to reflect the right order of deletion. We welcome any community contribution to fix this.

[praddy26]

/assign

[stevehipwell]

@zac-nixon I don't think the issue should be closed based on a documentation change. This is a pretty common scenario in K8s and it seems like something that the controller could handle.