Skip to content

AWS Load Balancer controller configuration options

This document covers configuration of the AWS Load Balancer controller

AWS API Access

To perform operations, the controller must have required IAM role capabilities for accessing and provisioning ALB resources. There are many ways to achieve this, such as loading AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY as environment variables or using kube2iam.

Refer to the installation guide for installing the controller in your kubernetes cluster and for the minimum required IAM permissions.

Setting Ingress Resource Scope

You can limit the ingresses ALB ingress controller controls by combining following two approaches:

Limiting ingress class

Setting the --ingress-class argument constrains the controller's scope to ingresses with matching kubernetes.io/ingress.class annotation. This is especially helpful when running multiple ingress controllers in the same cluster. See Using Multiple Ingress Controllers for more details.

An example of the container spec portion of the controller, only listening for resources with the class "alb", would be as follows.

spec:
  containers:
  - args:
    - --ingress-class=alb

Now, only ingress resources with the appropriate annotation are picked up, as seen below.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: echoserver
  namespace: echoserver
  annotations:
    kubernetes.io/ingress.class: "alb"
spec:
    ...

If the ingress class is not specified, the controller will reconcile Ingress objects without the ingress class specified or ingress class alb.

Limiting Namespaces

Setting the --watch-namespace argument constrains the controller's scope to a single namespace. Ingress events outside of the namespace specified are not be seen by the controller.

An example of the container spec, for a controller watching only the default namespace, is as follows.

spec:
  containers:
  - args:
    - --watch-namespace=default

Currently, you can set only 1 namespace to watch in this flag. See this Kubernetes issue for more details.

Controller command line flags

The --cluster-name flag is mandatory and the value must match the name of the kubernetes cluster. If you specify an incorrect name, the subnet auto-discovery will not work.

Flag Type Default Description
aws-api-throttle AWS Throttle Config default value throttle settings for AWS APIs, format: serviceID1:operationRegex1=rate:burst,serviceID2:operationRegex2=rate:burst
aws-max-retries int 10 Maximum retries for AWS APIs
aws-region string instance metadata AWS Region for the kubernetes cluster
aws-vpc-id string instance metadata AWS VPC ID for the Kubernetes cluster
cluster-name string Kubernetes cluster name
enable-leader-election boolean true Enable leader election for controller manager. Enabling this will ensure there is only one active controller manager.
enable-pod-readiness-gate-inject boolean true If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods.
enable-shield boolean true Enable Shield addon for ALB
enable-waf boolean true Enable WAF addon for ALB
enable-wafv2 boolean true Enable WAF V2 addon for ALB
ingress-class string Name of the ingress class this controller satisfies
ingress-max-concurrent-reconciles int 3 Maximum number of concurrently running reconcile loops for ingress
kubeconfig string in-cluster config Path to the kubeconfig file containing authorization and API server information
leader-election-id string aws-load-balancer-controller-leader Name of the leader election ID to use for this controller
leader-election-namespace string Name of the leader election ID to use for this controller
log-level string info Set the controller log level - info, debug
metrics-bind-addr string :8080 The address the metric endpoint binds to
service-max-concurrent-reconciles int 3 Maximum number of concurrently running reconcile loops for service
sync-period duration 1h0m0s Period at which the controller forces the repopulation of its local object stores
targetgroupbinding-max-concurrent-reconciles int 3 Maximum number of concurrently running reconcile loops for targetGroupBinding
watch-namespace string Namespace the controller watches for updates to Kubernetes objects, If empty, all namespaces are watched.
webhook-bind-port int 9443 The TCP port the Webhook server binds to

Default throttle config

WAF Regional:^AssociateWebACL|DisassociateWebACL=0.5:1,WAF Regional:^GetWebACLForResource|ListResourcesForWebACL=1:1,WAFV2:^AssociateWebACL|DisassociateWebACL=0.5:1,WAFV2:^GetWebACLForResource|ListResourcesForWebACL=1:1

Instance metadata

If running on EC2, the default values are obtained from the instance metadata service.