Time out while deleting Security Group

[andreambrosioBS]

Every time we delete an ingress of type alb, if the sg is also being managed by the load balancer controller, we get a couple of errors saying that there as a timeout deleting the SG.

aws-load-balancer-controller-548d884fcf-2qt7s aws-load-balancer-controller {"level":"info","ts":"2025-07-22T12:02:59Z","logger":"controllers.ingress","msg":"deleting securityGroup","securityGroupID":"sg-xxxxxxxxxxxxxxxxxx"}
aws-load-balancer-controller-548d884fcf-2qt7s aws-load-balancer-controller {"level":"error","ts":"2025-07-22T12:03:10Z","msg":"Reconciler error","controller":"ingress","object":{"name":"XXXXXX"},"namespace":"","name":"XXXXXXXX","reconcileID":"b281e993-dfa6-451e-863c-bd7a6f0e7fe2","error":"failed to delete securityGroup: timed out waiting for the condition"}
aws-load-balancer-controller-548d884fcf-2qt7s aws-load-balancer-controller {"level":"error","ts":"2025-07-22T12:03:21Z","msg":"Reconciler error","controller":"ingress","object":{"name":"XXXXX"},"namespace":"","name":"XXXXXXXXX","reconcileID":"e83ee3c8-2e10-42ac-9119-650364208340","error":"failed to delete securityGroup: timed out waiting for the condition"}
aws-load-balancer-controller-548d884fcf-2qt7s aws-load-balancer-controller {"level":"info","ts":"2025-07-22T12:03:23Z","logger":"controllers.ingress","msg":"deleting securityGroup","securityGroupID":"sg-xxxxxxxxxxxxxxxxxx"}
aws-load-balancer-controller-548d884fcf-2qt7s aws-load-balancer-controller {"level":"info","ts":"2025-07-22T12:03:29Z","logger":"controllers.ingress","msg":"deleted securityGroup","securityGroupID":"sg-xxxxxxxxxxxxxxxxxx"}

Looking at the cloudtrail logs, the security groups is not able to be deleted for some time because it still has dependent resources. After a couple of seconds the SG is deleted, I guess AWS is waiting for the LB to be completely deleted.
It usually takes about 30s to delete the SG, and we get a timeout error every 10s.

My question is is this normal behavior?
If it is, why is this an error, an not a warning?
Can we increase the timeout value for resource deletion? I checked the documentation but did not find any way to do this.

We want to create some alerts based on the prometheus metric reconcile error rate, but this will throw a lot of false positives.

[wweiwei-li]

Hey

1. yes, it is expected behavior.
2. Returning an error is necessary. it's the mechanism that triggers the controller to retry the operation later.
3. Right now, we don't have a configurable option to increase the timeout. It has to change the constant value in code.

[andreambrosioBS]

Ok thank you. Need to find a way then to ignore these expected errors

[bennysp]

Having the same issue. Any workaround? In my case, Rancher is creating the ingress as part of it's helm deployment, but when destroying Rancher, the ingress hangs and cannot be deleted for the same reasons reported here.

[zac-nixon]

Hi @bennysp, if you're seeing longer latency than 30 seconds, please update to v2.13.3+.
https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.13.3

In general, 30 seconds or less is the "normal" latency to tear down all the LB and SG.

[bennysp]

@zac-nixon sorry, I should have specified. I am seeing this on 2.13.4 and maybe my issue is slightly different? It deletes it but then reconcile kicks in and continues to try and delete it event though the security group is already deleted in AWS (confirmed). If it would stop after the first delete, then I believe we would not see this "hang".

{"level":"info","ts":"2025-08-11T15:01:05Z","logger":"controllers.ingress","msg":"deleting securityGroup","securityGroupID":"sg-08ae8ccda07b7ad13"}                                                                                            │
│ {"level":"info","ts":"2025-08-11T15:01:09Z","logger":"controllers.ingress","msg":"deleted securityGroup","securityGroupID":"sg-08ae8ccda07b7ad13"}           
│ {"level":"error","ts":"2025-08-11T15:03:10Z","msg":"Reconciler error","controller":"ingress","object":{"name":"rancher","namespace":"cattle-system"},"namespace":"cattle-system","name":"rancher","reconcileID":"90299ff6-8a6d-4f31-90de-03417 │
│ 0d492c3","error":"failed to delete securityGroup: timed out waiting for the condition"}

I will continue to look more on my end.