LoadBalancerConfig
LoadBalancerConfiguration¶
Top Level Fields¶
MergingMode¶
mergingMode
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
mergingMode: prefer-gateway-class
Defines the merge behavior when both the Gateway and GatewayClass have a defined LoadBalancerConfiguration. This field is only honored for the configuration attached to the GatewayClass.
Options: - prefer-gateway-class - When merging configuration from both Gateway and GatewayClass, value conflicts are resolved by using the GatewayClass configuration. - prefer-gateway - When merging configuration from both Gateway and GatewayClass, value conflicts are resolved by using the Gateway configuration.
Default prefer-gateway-class
LoadBalancerName¶
loadBalancerName
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
loadBalancerName: foo
Defines the name of the LB to provision. If unspecified, it will be automatically generated.
Default Autogenerate Name
Scheme¶
scheme
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
scheme: internal
Defines the LoadBalancer Scheme.
- internal
- the LB is only accessible within the VPC.
- internet-facing
- the LB is accessible via the public internet.
Default internal
IpAddressType¶
ipAddressType
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
ipAddressType: dualstack
Define what IP Address Type to use.
- ipv4
- Only publish IPv4 address(es)
- dualstack
- Publish both IPv4 and IPv6 address(es)
- dualstack-without-public-ipv4
- Publish private IPv4 address(es) and public IPv6 address(es)
- Only applicable to ALB Gateways
Default ipv4
EnforceSecurityGroupInboundRulesOnPrivateLinkTraffic¶
enforceSecurityGroupInboundRulesOnPrivateLinkTraffic
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
enforceSecurityGroupInboundRulesOnPrivateLinkTraffic: on
Indicates whether to evaluate inbound security group rules for traffic sent to a Network Load Balancer through Amazon Web Services PrivateLink.
Valid options are on
and off
Only applicable to NLB Gateways.
Default on
CustomerOwnedIpv4Pool¶
customerOwnedIpv4Pool
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
customerOwnedIpv4Pool: coip-1234
The ID of the customer-owned address for Application Load Balancers on Outposts pool.
Only applicable to ALB Gateways.
Default no value
IPv4IPAMPoolId¶
ipv4IPAMPoolId
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
ipv4IPAMPoolId: ipam-1234
The IPAM pool ID used for IPv4 Addresses on the ALB.
Only applicable to ALB Gateways.
Default no value
LoadBalancerSubnets¶
loadBalancerSubnets
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
loadBalancerSubnets:
- identifier: subnet-1234
An optional list of subnet configurations to be used in the LB. This value takes precedence over subnet loadBalancerSubnetsSelector
if both are selected.
See SubnetConfiguration for more more details
Default Use Subnet Discovery
LoadBalancerSubnetsSelector¶
loadBalancerSubnetsSelector
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
loadBalancerSubnetsSelector:
key1:
- k1
- k2
- k3
The subnets in the load balancer's VPC where each tag specified in the map key contains one of the values in the corresponding value list.
Default Use Subnet Discovery
ListenerConfigurations¶
listenerConfigurations
A list of Listener Configurations. See the ListenerConfiguration
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
listenerConfigurations:
- protocolPort: TCP:80
defaultCertificate: my-cert
- protocolPort: TCP:81
defaultCertificate: my-cert1
Default Empty list
SecurityGroups¶
securityGroups
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
securityGroups:
- "sg1"
- "sg2"
If you specify this annotation, you need to configure the security groups on your Node/Pod to allow inbound traffic from the load balancer.
You could also set the manage-backend-security-group-rules
if you want the controller to manage the access rules.
Both name or ID of securityGroups are supported. Name matches a Name
tag, not the groupName
attribute.
Default
The controller will automatically create one security group, the security group will be attached to the LoadBalancer and allow access from SourceRanges
and SecurityGroupPrefixes
to each Listener port.
Also, the securityGroups for Node/Pod will be modified to allow inbound traffic from this securityGroup.
SecurityGroupPrefixes¶
securityGroupPrefixes
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
securityGroupPrefixes:
- "pl1"
- "pl2"
An optional list of prefixes that are allowed to access the LB.
Default Empty list
SourceRanges¶
sourceRanges
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
sourceRanges:
- "2001:db8::/32"
- "127.0.0.1/24"
An optional list of CIDRs that are allowed to access the LB.
Default Empty list
VpcId¶
vpcId
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
vpcId: vpc-1234
The VPC ID of LoadBalancer
Default Autodetect VPC from Cluster VPC
LoadBalancerAttributes¶
loadBalancerAttributes
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
loadBalancerAttributes:
- key: k1
value: v1
- key: k2
value: v2
The attributes to apply to an LB. See the ELB documentation for a full list of attributes
Default Empty list
Tags¶
tags
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
tags:
tag-k1: v1
tag-k2: v2
The tags to apply to an LB.
Default No tags
EnableICMP¶
enableICMP
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
enableICMP: true
Enables the creation of security group rules to the managed security group to allow explicit ICMP traffic for Path MTU discovery for IPv4 and dual-stack VPCs
Only applies to Network LoadBalancers.
Default false
ManageBackendSecurityGroupRules¶
manageBackendSecurityGroupRules
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
manageBackendSecurityGroupRules: true
Specify whether you want the controller to configure security group rules on the Node/Pod for traffic access when you specify securityGroups
Default false
MinimumLoadBalancerCapacity¶
minimumLoadBalancerCapacity
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
minimumLoadBalancerCapacity:
capacityUnits: 100000
Define the capacity reservation for LoadBalancers
Default No capacity reservation
ListenerConfiguration¶
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
listenerConfigurations:
- protocolPort: TCP:80
defaultCertificate: my-cert
certificates: [arn-1, arn2, arn3]
sslPolicy: ELBSecurityPolicy-2016-08
alpnPolicy: HTTP1Only
ProtocolPort¶
protocolPort
The identifier for the listener on load balancer. It should be of the form PROTOCOL:PORT
Default No default, not an optional field.
DefaultCertificate¶
defaultCertificate
The default cert ARN.
Default No cert
Certificates¶
certificates
A list of cert ARNs to accept on this listener.
Default Empty list
SslPolicy¶
sslPolicy
The security policy that defines which protocols and ciphers are supported for secure listeners [HTTPS or TLS listener].
See the documentation for more information ALB NLB
Default ELBSecurityPolicy-2016-08
ALPNPolicy¶
alpnPolicy
An optional string that allows you to configure ALPN policies on your Load Balancer.
See the documentation for more details: ALPN
Possible values: - HTTP1Only - Negotiate only HTTP/1.. The ALPN preference list is http/1.1, http/1.0. - HTTP2Only - Negotiate only HTTP/2. The ALPN preference list is h2. - HTTP2Optional - Prefer HTTP/1. over HTTP/2 (which can be useful for HTTP/2 testing). The ALPN preference list is http/1.1, http/1.0, h2. - HTTP2Preferred - Prefer HTTP/2 over HTTP/1.*. The ALPN preference list is h2, http/1.1, http/1.0. - None - Do not negotiate ALPN.
Only applies to Network LoadBalancer Gateways.
Default None
MutualAuthentication¶
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
listenerConfigurations:
- protocolPort: TCP:80
defaultCertificate: my-cert
certificates: [arn-1, arn2, arn3]
mutualAuthentication:
advertiseTrustStoreCaNames: "off"
ignoreClientCertificateExpiry: true
mode: verify
trustStore: ts-1234
mutualAuthentication
Define the mutual authentication configuration information. Using MutualAuthenticationAttributes
See the documentation for more information mTLS
Only applies to Application LoadBalancer Gateways.
Default No MTLS
ListenerAttributes¶
listenerAttributes
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
listenerConfigurations:
- protocolPort: TCP:80
defaultCertificate: my-cert
certificates: [arn-1, arn2, arn3]
listenerAttributes:
- key: k1
value: v1
- key: k2
value: v2
Define the attributes for the listener.
See ListenerAttributes for a complete list.
Default Empty list
MutualAuthenticationAttributes¶
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
listenerConfigurations:
- protocolPort: TCP:80
defaultCertificate: my-cert
certificates: [arn-1, arn2, arn3]
mutualAuthentication:
advertiseTrustStoreCaNames: "off"
ignoreClientCertificateExpiry: true
mode: verify
trustStore: ts-1234
AdvertiseTrustStoreCaNames¶
advertiseTrustStoreCaNames
Whether trust store CA certificate names are advertised. Supported values are "on" and "off"
Default "off"
IgnoreClientCertificateExpiry¶
ignoreClientCertificateExpiry
Whether expired client certificates are ignored.
Default False
MutualAuthenticationMode¶
mode
The client certificate handling method
Possible values: - verify - When you use mutual TLS verify mode, Application Load Balancer performs X.509 client certificate authentication for clients when a load balancer negotiates TLS connections - passthrough - When you use mutual TLS passthrough mode, Application Load Balancer sends the whole client certificate chain to the target using HTTP headers. Then, by using the client certificate chain, you can implement corresponding load balancer authentication and target authorization logic in your application. - off - mTLS is not enabled.
Default Off
TrustStore¶
trustStore
The Name or ARN of the trust store.
Default Empty string
SubnetConfiguration¶
apiVersion: gateway.k8s.aws/v1beta1
kind: LoadBalancerConfiguration
metadata:
name: example-config
namespace: echoserver
spec:
loadBalancerSubnets:
- identifier: "my-subnet"
eipAllocation: "eip-1234"
privateIPv4Allocation: "127.0.0.1"
ipv6Allocation: "69e1:9570:c975:1af1:8073:384c:5aae:53c6"
sourceNatIPv6Prefix: "2001:db8::/32"
Identifier¶
identifier
The name or ID of the subnet
Default Empty string
EIPAllocation¶
eipAllocation
The EIP name for this subnet.
Only applies to Network LoadBalancer Gateways.
Default Empty string
PrivateIPv4Allocation¶
privateIPv4Allocation
The private ipv4 address to assign to this subnet.
Only applies to Network LoadBalancer Gateways.
Default Empty string
IPv6Allocation¶
ipv6Allocation
The ipv6 address to assign to this subnet.
Only applies to Network LoadBalancer Gateways.
Default Empty string
SourceNatIPv6Prefix¶
sourceNatIPv6Prefix
The IPv6 prefix to use for source NAT. Specify an IPv6 prefix (/80 netmask) from the subnet CIDR block or auto_assigned to use an IPv6 prefix selected at random from the subnet CIDR block.
Only applies to Network LoadBalancer Gateways.
Default Empty string