Service annotations
Traffic Routing
Traffic routing can be controlled with the following annotations:
- service.beta.kubernetes.io/aws-load-balancer-name specifies the custom name to use for the load balancer. A name longer than 32 characters is treated as an error.
- service.beta.kubernetes.io/aws-load-balancer-type specifies the load balancer type. This controller reconciles Service resources that have this annotation set to either nlb-ip or external.
- service.beta.kubernetes.io/aws-load-balancer-nlb-target-type specifies the target type to configure for the NLB. You can choose between instance and ip.
  - instance mode routes traffic to all EC2 instances within the cluster on the NodePort opened for your service. The kube-proxy on each worker node forwards traffic from the NodePort to the pods behind the service.
  - ip mode routes traffic directly to the pod IP. In this mode the NLB sends traffic straight to the Kubernetes pods behind the service, eliminating the extra network hop through the worker nodes.
- service.beta.kubernetes.io/aws-load-balancer-subnets specifies the subnets, and therefore the Availability Zones, the NLB will route traffic to. See Network Load Balancers for more details.
- service.beta.kubernetes.io/aws-load-balancer-alpn-policy allows you to configure the ALPN policies on the load balancer.
- service.beta.kubernetes.io/aws-load-balancer-target-node-labels specifies which nodes to include in the target group registration for the instance target type.
- service.beta.kubernetes.io/aws-load-balancer-eip-allocations specifies a list of Elastic IP allocations for an internet-facing NLB.
- service.beta.kubernetes.io/aws-load-balancer-private-ipv4-addresses specifies a list of private IPv4 addresses for an internal NLB.
- service.beta.kubernetes.io/aws-load-balancer-ipv6-addresses specifies a list of IPv6 addresses for a dualstack NLB.
- service.beta.kubernetes.io/aws-load-balancer-enable-icmp-for-path-mtu-discovery enables the creation of rules in the managed security group that explicitly allow ICMP traffic for Path MTU Discovery on IPv4 and dual-stack VPCs. A rule is created for each source range if service.beta.kubernetes.io/load-balancer-source-ranges is present.
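The two target types above differ in where traffic lands and which security group sees it, so it helps to see both side by side. The following manifests are an added example, not from the controller's documentation; the subnet IDs, node label and application names are placeholders.

```yaml
# Added example: the same application exposed with the two NLB target types.
# Subnet IDs, labels and names below are placeholders, not real resources.
apiVersion: v1
kind: Service
metadata:
  name: echo-ip
  namespace: demo
  annotations:
    # Hand this Service to the AWS Load Balancer Controller rather than the legacy cloud provider
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    # Register pod IPs directly: no NodePort hop, no kube-proxy rewrite, NLB talks to the pod ENI
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    # One subnet per Availability Zone the NLB should be placed in (placeholder IDs)
    service.beta.kubernetes.io/aws-load-balancer-subnets: "subnet-0123456789abcdef0,subnet-0fedcba9876543210"
    # Must be 32 characters or fewer, or the controller reports an error
    service.beta.kubernetes.io/aws-load-balancer-name: "demo-echo-ip"
spec:
  type: LoadBalancer
  selector:
    app: echo
  ports:
    - name: tcp
      port: 80
      targetPort: 8080
      protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: echo-instance
  namespace: demo
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    # Register EC2 instances on the NodePort; kube-proxy on each node forwards to the pods
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "instance"
    # Only nodes carrying this label are registered in the target group (placeholder label).
    # Without it every node in the cluster becomes a target, including nodes with no pods for this app.
    service.beta.kubernetes.io/aws-load-balancer-target-node-labels: "role=ingress"
    service.beta.kubernetes.io/aws-load-balancer-name: "demo-echo-instance"
spec:
  type: LoadBalancer
  selector:
    app: echo
  ports:
    - name: tcp
      port: 80
      targetPort: 8080
      protocol: TCP
```

In instance mode the NLB reaches the pods through the node's NodePort, so the backend security group rules the controller manages are opened on the worker nodes; in ip mode they are opened toward the pod ENIs, which is the smaller exposure when pods use their own security groups.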
Traffic Listening
Traffic listening can be controlled with the following annotation:
- service.beta.kubernetes.io/aws-load-balancer-ip-address-type specifies the IP address type of the NLB (ipv4 or dualstack).
Support UDP-based services over IPv6
You can configure a dualstack NLB to support UDP-based services over IPv6 via the following annotations:
- service.beta.kubernetes.io/aws-load-balancer-enable-prefix-for-ipv6-source-nat specifies whether Prefix for IPv6 source NAT is enabled. UDP-based support can be enabled for dualstack NLBs only if Prefix for IPv6 source NAT is enabled.
- service.beta.kubernetes.io/aws-load-balancer-source-nat-ipv6-prefixes specifies a list of IPv6 prefixes that should be used for IPv6 source NATing.
Resource attributes
NLB resource attributes can be controlled via the following annotations:
- service.beta.kubernetes.io/aws-load-balancer-proxy-protocol specifies whether to enable proxy protocol v2 on the target group. Set it to '*' to enable proxy protocol v2. This annotation takes precedence over service.beta.kubernetes.io/aws-load-balancer-target-group-attributes for proxy protocol v2 configuration.
- service.beta.kubernetes.io/aws-load-balancer-target-group-attributes specifies the target group attributes to be configured.
- service.beta.kubernetes.io/aws-load-balancer-attributes specifies load balancer attributes that should be applied to the NLB.
- service.beta.kubernetes.io/aws-load-balancer-listener-attributes.${Protocol}-${Port} specifies listener attributes that should be applied to the listener for that protocol and port.
- service.beta.kubernetes.io/aws-load-balancer-enable-tcp-udp-listener allows creation of a TCP_UDP listener when the service defines a TCP port and a UDP port on the same port number. The default is false. To change the default to true and allow TCP_UDP listeners for all services, run the controller with the flag --feature-gates=EnableTCPUDPListener=true. To allow it for a single service, set service.beta.kubernetes.io/aws-load-balancer-enable-tcp-udp-listener: "true" on that service.
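The attribute annotations take comma-separated key=value pairs, and the dedicated proxy-protocol annotation wins over the same key in the target group attributes. The manifests below are an added example, not from the controller's documentation; the S3 bucket, names and ports are placeholders, and the attribute keys are the ELBv2 attribute names.

```yaml
# Added example: load balancer, target group and listener attributes on one Service.
# Bucket name, service names and ports are placeholders.
apiVersion: v1
kind: Service
metadata:
  name: attrs-demo
  namespace: demo
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    # Load balancer attributes: keep the NLB from being deleted by a stray kubectl delete,
    # spread across AZs, and ship connection logs to S3 (placeholder bucket)
    service.beta.kubernetes.io/aws-load-balancer-attributes: "deletion_protection.enabled=true,load_balancing.cross_zone.enabled=true,access_logs.s3.enabled=true,access_logs.s3.bucket=my-nlb-logs,access_logs.s3.prefix=attrs-demo"
    # Target group attributes: preserve the client IP at the pod and drain quickly on deregistration
    service.beta.kubernetes.io/aws-load-balancer-target-group-attributes: "preserve_client_ip.enabled=true,deregistration_delay.timeout_seconds=30,deregistration_delay.connection_termination.enabled=true"
    # Proxy protocol v2: this annotation overrides any proxy_protocol_v2.enabled value
    # given in target-group-attributes. Every backend must parse the PPv2 header or
    # connections will fail, and only trust the header because it comes from the NLB.
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
    # Listener attribute scoped to the TCP listener on port 443 (the ${Protocol}-${Port} suffix)
    service.beta.kubernetes.io/aws-load-balancer-listener-attributes.TCP-443: "tcp.idle_timeout.seconds=60"
spec:
  type: LoadBalancer
  selector:
    app: attrs-demo
  ports:
    - name: https
      port: 443
      targetPort: 8443
      protocol: TCP
---
# A TCP and a UDP port on the same number: without the annotation the controller
# cannot create the listener; with it, one TCP_UDP listener is created for port 5000.
apiVersion: v1
kind: Service
metadata:
  name: tcp-udp-demo
  namespace: demo
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    service.beta.kubernetes.io/aws-load-balancer-enable-tcp-udp-listener: "true"
spec:
  type: LoadBalancer
  selector:
    app: tcp-udp-demo
  ports:
    - name: app-tcp
      port: 5000
      targetPort: 5000
      protocol: TCP
    - name: app-udp
      port: 5000
      targetPort: 5000
      protocol: UDP
```

Keep the attribute strings on a single line: the controller splits the value on commas, and a folded YAML scalar would introduce spaces into the keys.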
The following annotations were deprecated in the v2.3.0 release in favor of service.beta.kubernetes.io/aws-load-balancer-attributes.

- service.beta.kubernetes.io/aws-load-balancer-multi-cluster-target-group allows you to share the created target group ARN with other Load Balancer Controller managed clusters. This feature does not offer any deletion protection: deleting the service still deletes the target group. If you need target groups shared across multiple clusters, it is recommended to use an out-of-band target group that is not managed by a Load Balancer Controller. It is not recommended to change this value frequently, if ever; the recommended way to set it is at creation of the service, for example service.beta.kubernetes.io/aws-load-balancer-multi-cluster-target-group: "true".
AWS Resource Tags
The AWS Load Balancer Controller automatically applies the following tags to the AWS resources it creates (NLB, target groups, listeners, listener rules):
- elbv2.k8s.aws/cluster: ${clusterName}
- service.k8s.aws/stack: ${stackID}
- service.k8s.aws/resource: ${resourceID}
In addition, you can use an annotation to specify additional tags:
- service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags specifies additional tags to apply to the AWS resources.
Health Check
Health checks on target groups can be configured with the following annotations:
- service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol specifies the target group health check protocol.
- service.beta.kubernetes.io/aws-load-balancer-healthcheck-port specifies the TCP port to use for the target group health check.
- service.beta.kubernetes.io/aws-load-balancer-healthcheck-path specifies the HTTP path for the health check in the case of the http/https protocol.
- service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold specifies the number of consecutive health check successes required before a target is considered healthy.
- service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold specifies the number of consecutive health check failures before a target is marked unhealthy.
- service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval specifies the interval between consecutive health checks.
- service.beta.kubernetes.io/aws-load-balancer-healthcheck-success-codes specifies the HTTP success codes for the health check in the case of the http/https protocol.
- service.beta.kubernetes.io/aws-load-balancer-healthcheck-timeout specifies the target group health check timeout. The target has to respond within the timeout for the health check to succeed.
TLS
You can configure TLS support via the following annotations:
- service.beta.kubernetes.io/aws-load-balancer-ssl-cert specifies the ARN of one or more certificates managed by AWS Certificate Manager.
- service.beta.kubernetes.io/aws-load-balancer-ssl-ports specifies the frontend ports that get TLS listeners.
- service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy specifies the security policy for NLB frontend connections, allowing you to control the protocol versions and ciphers.
- service.beta.kubernetes.io/aws-load-balancer-backend-protocol specifies whether to use TLS for the backend traffic between the load balancer and the Kubernetes pods. Note that a TLS listener on its own only terminates TLS at the NLB; unless this annotation enables TLS to the backend, the hop from the NLB to the pods carries plaintext.
Access control
Load balancer access can be controlled via the following annotations:
- service.beta.kubernetes.io/load-balancer-source-ranges specifies the CIDRs that are allowed to access the NLB. Set this explicitly on internet-facing NLBs rather than relying on the default, which does not restrict sources.
- service.beta.kubernetes.io/aws-load-balancer-security-group-prefix-lists specifies the managed prefix lists that are allowed to access the NLB.
- service.beta.kubernetes.io/aws-load-balancer-scheme specifies whether the NLB will be internet-facing or internal. Valid values are internal and internet-facing. If not specified, the default is internal.
- service.beta.kubernetes.io/aws-load-balancer-internal specifies whether the NLB will be internet-facing or internal.
- service.beta.kubernetes.io/aws-load-balancer-security-groups specifies the frontend security groups you want to attach to the NLB.
- service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules specifies whether the controller should automatically add the ingress rules to the instance/ENI security group.
- service.beta.kubernetes.io/aws-load-balancer-inbound-sg-rules-on-private-link-traffic specifies whether to apply security group rules to traffic sent to the load balancer through AWS PrivateLink.
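The health check, TLS and access control annotations from the three sections above usually travel together on one internet-facing Service. The manifest below is an added example, not from the controller's documentation; the certificate ARN, prefix list ID, source CIDRs and tags are placeholders, and the security policy name is the ELBv2 TLS 1.3/1.2 policy.

```yaml
# Added example: TLS-terminating, re-encrypting, source-restricted internet-facing NLB.
# The ACM ARN, prefix list ID, CIDRs and tag values are placeholders.
apiVersion: v1
kind: Service
metadata:
  name: api
  namespace: demo
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    # Default is internal; say internet-facing explicitly when that is the intent
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internet-facing"

    # TLS: certificate from ACM (placeholder ARN), TLS listener only on 443
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-east-1:123456789012:certificate/00000000-0000-0000-0000-000000000000"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    # Frontend policy: TLS 1.3 and 1.2 only, no legacy ciphers
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-TLS13-1-2-2021-06"
    # Re-encrypt to the pods. With "tcp" the NLB-to-pod hop would be plaintext.
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "ssl"

    # Health check: HTTPS against the pod's own port, success only on 2xx
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-protocol: "https"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "traffic-port"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-path: "/healthz"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-success-codes: "200-299"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval: "10"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-timeout: "6"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold: "2"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold: "2"

    # Access control: only these sources (placeholder CIDRs) and this prefix list
    # (placeholder ID) may reach the NLB; the controller writes the backend SG rules
    service.beta.kubernetes.io/load-balancer-source-ranges: "203.0.113.0/24,198.51.100.0/24"
    service.beta.kubernetes.io/aws-load-balancer-security-group-prefix-lists: "pl-0123456789abcdef0"
    service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules: "true"

    # Tags beyond the elbv2.k8s.aws/cluster, service.k8s.aws/stack and service.k8s.aws/resource
    # tags the controller always applies (placeholder values)
    service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "Environment=prod,Owner=platform"
spec:
  type: LoadBalancer
  selector:
    app: api
  ports:
    - name: https
      port: 443
      targetPort: 8443
      protocol: TCP
```

Because the health check uses https on the traffic port, the pod must serve TLS on 8443 for both real traffic and the check; a pod that only speaks plaintext would never become healthy, which is the intended failure mode once backend-protocol is ssl.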
Capacity Unit Reservation
Load balancer capacity unit reservation can be configured via the following annotation:
- service.beta.kubernetes.io/aws-load-balancer-minimum-load-balancer-capacity specifies the capacity unit reservation to be configured.
Legacy Cloud Provider
The AWS Load Balancer Controller manages Kubernetes Services in a way that is compatible with the AWS cloud provider's legacy service controller.
- For users on v2.5.0+, the AWS LBC provides a mutating webhook for Service resources that sets the spec.loadBalancerClass field for Services of type LoadBalancer, effectively making the AWS LBC the default controller for Services of type LoadBalancer. Users can disable this feature and revert to the AWS Cloud Controller Manager as the default service controller by setting the Helm chart value enableServiceMutatorWebhook to false with --set enableServiceMutatorWebhook=false.
- For users on older versions, the annotation service.beta.kubernetes.io/aws-load-balancer-type is used to determine which controller reconciles the service. If the annotation value is nlb-ip or external, recent versions of the legacy cloud provider ignore the Service resource so that the AWS LBC can take over. For all other values of the annotation, the legacy cloud provider handles the service. Note that this annotation should be specified at service creation and not edited later. Support for the annotation was added to the legacy cloud provider in Kubernetes v1.20 and backported to v1.18.18+ and v1.19.10+.