# IngressClass

Ingresses can be implemented by different controllers, often with different configuration. Each Ingress should specify a class, a reference to an IngressClass resource that contains additional configuration including the name of the controller that should implement the class. IngressClass resources contain an optional `parameters` field. This can be used to reference additional implementation-specific configuration for this class.

For the AWS Load Balancer Controller, the implementation-specific configuration is IngressClassParams in the `elbv2.k8s.aws` API group.
## Example

- specify controller as `ingress.k8s.aws/alb` to denote Ingresses should be managed by AWS Load Balancer Controller.

  ```yaml
  apiVersion: networking.k8s.io/v1
  kind: IngressClass
  metadata:
    name: awesome-class
  spec:
    controller: ingress.k8s.aws/alb
  ```

- specify additional configurations by referencing an IngressClassParams resource.

  ```yaml
  apiVersion: networking.k8s.io/v1
  kind: IngressClass
  metadata:
    name: awesome-class
  spec:
    controller: ingress.k8s.aws/alb
    parameters:
      apiGroup: elbv2.k8s.aws
      kind: IngressClassParams
      name: awesome-class-cfg
  ```
You can mark a particular IngressClass as the default for your cluster. Setting the `ingressclass.kubernetes.io/is-default-class` annotation to `true` on an IngressClass resource will ensure that new Ingresses without an `ingressClassName` field specified will be assigned this default IngressClass.
## Deprecated `kubernetes.io/ingress.class` annotation

Before the IngressClass resource and `ingressClassName` field were added in Kubernetes 1.18, Ingress classes were specified with a `kubernetes.io/ingress.class` annotation on the Ingress. This annotation was never formally defined, but was widely supported by Ingress controllers.

The newer `ingressClassName` field on Ingresses is a replacement for that annotation, but is not a direct equivalent. While the annotation was generally used to reference the name of the Ingress controller that should implement the Ingress, the field is a reference to an IngressClass resource that contains additional Ingress configuration, including the name of the Ingress controller.

**Disable the `kubernetes.io/ingress.class` annotation**

In order to maintain backwards compatibility, the `kubernetes.io/ingress.class` annotation is still supported. You can enforce IngressClass resource adoption by disabling the `kubernetes.io/ingress.class` annotation via the `--disable-ingress-class-annotation` controller flag.
# IngressClassParams

**EKS Auto Mode users**

If you are using EKS Auto Mode, please see the EKS Auto Mode documentation for key differences between the load balancing capability of EKS Auto Mode and the open source load balancer controller.

IngressClassParams is a CRD specific to the AWS Load Balancer Controller, which can be used along with the IngressClass's `parameters` field. You can use IngressClassParams to enforce settings for a set of Ingresses.
## Example

- with scheme & ipAddressType & tags

  ```yaml
  apiVersion: elbv2.k8s.aws/v1beta1
  kind: IngressClassParams
  metadata:
    name: awesome-class
  spec:
    scheme: internal
    ipAddressType: dualstack
    tags:
      - key: org
        value: my-org
  ```

- with loadBalancerName

  ```yaml
  apiVersion: elbv2.k8s.aws/v1beta1
  kind: IngressClassParams
  metadata:
    name: awesome-class
  spec:
    loadBalancerName: name-1
  ```

- with namespaceSelector

  ```yaml
  apiVersion: elbv2.k8s.aws/v1beta1
  kind: IngressClassParams
  metadata:
    name: awesome-class
  spec:
    namespaceSelector:
      matchLabels:
        team: team-a
  ```

- with IngressGroup

  ```yaml
  apiVersion: elbv2.k8s.aws/v1beta1
  kind: IngressClassParams
  metadata:
    name: awesome-class
  spec:
    group:
      name: my-group
  ```

- with loadBalancerAttributes

  ```yaml
  apiVersion: elbv2.k8s.aws/v1beta1
  kind: IngressClassParams
  metadata:
    name: awesome-class
  spec:
    loadBalancerAttributes:
      - key: deletion_protection.enabled
        value: "true"
      - key: idle_timeout.timeout_seconds
        value: "120"
  ```

- with subnets.ids

  ```yaml
  apiVersion: elbv2.k8s.aws/v1beta1
  kind: IngressClassParams
  metadata:
    name: awesome-class
  spec:
    subnets:
      ids:
        - subnet-xxx
        - subnet-123
  ```

- with subnets.tags

  ```yaml
  apiVersion: elbv2.k8s.aws/v1beta1
  kind: IngressClassParams
  metadata:
    name: class2048-config
  spec:
    subnets:
      tags:
        kubernetes.io/role/internal-elb:
          - "1"
        myKey:
          - myVal0
          - myVal1
  ```

- with certificateArn

  ```yaml
  apiVersion: elbv2.k8s.aws/v1beta1
  kind: IngressClassParams
  metadata:
    name: class2048-config
  spec:
    certificateArn:
      - 'arn:aws:acm:us-east-1:123456789:certificate/test-arn-1'
      - 'arn:aws:acm:us-east-1:123456789:certificate/test-arn-2'
  ```

- with minimumLoadBalancerCapacity.capacityUnits

  ```yaml
  apiVersion: elbv2.k8s.aws/v1beta1
  kind: IngressClassParams
  metadata:
    name: class2048-config
  spec:
    minimumLoadBalancerCapacity:
      capacityUnits: 1000
  ```

- with targetType

  ```yaml
  apiVersion: elbv2.k8s.aws/v1beta1
  kind: IngressClassParams
  metadata:
    name: class2048-config
  spec:
    targetType: ip
  ```

- with sslRedirectPort

  ```yaml
  apiVersion: elbv2.k8s.aws/v1beta1
  kind: IngressClassParams
  metadata:
    name: class2048-config
  spec:
    sslRedirectPort: '443'
  ```

- with IPv4IPAMPoolId

  ```yaml
  apiVersion: elbv2.k8s.aws/v1beta1
  kind: IngressClassParams
  metadata:
    name: class2048-config
  spec:
    ipamConfiguration:
      ipv4IPAMPoolId: ipam-pool-000000000
  ```

- with PrefixListsIDs (not recommended, use prefixListsIDs instead)

  ```yaml
  apiVersion: elbv2.k8s.aws/v1beta1
  kind: IngressClassParams
  metadata:
    name: class2048-config
  spec:
    PrefixListsIDs:
      - pl-00000000
      - pl-11111111
  ```

- with prefixListsIDs

  ```yaml
  apiVersion: elbv2.k8s.aws/v1beta1
  kind: IngressClassParams
  metadata:
    name: class2048-config
  spec:
    prefixListsIDs:
      - pl-00000000
      - pl-11111111
  ```

- with listeners

  ```yaml
  apiVersion: elbv2.k8s.aws/v1beta1
  kind: IngressClassParams
  metadata:
    name: class2048-config
  spec:
    listeners:
      - protocol: HTTPS
        port: 443
        listenerAttributes:
          - key: routing.http.response.server.enabled
            value: "false"
  ```

- with wafv2AclName

  ```yaml
  apiVersion: elbv2.k8s.aws/v1beta1
  kind: IngressClassParams
  metadata:
    name: class2048-config
  spec:
    wafv2AclName: "web-acl-name-1"
  ```
## IngressClassParams specification

### spec.loadBalancerName

`loadBalancerName` is an optional setting.

Cluster administrators can use the `loadBalancerName` field to specify the name of the load balancer that will be provisioned by the controller.

- If `loadBalancerName` is set, one load balancer per IngressClass will be provisioned. LBC will ignore the `alb.ingress.kubernetes.io/load-balancer-name` annotation.
- If `loadBalancerName` is not set, Ingresses with this IngressClass can continue to use the `alb.ingress.kubernetes.io/load-balancer-name` annotation to specify the name of the load balancer.
### spec.namespaceSelector

`namespaceSelector` is an optional setting that follows general Kubernetes label selector semantics.

Cluster administrators can use the `namespaceSelector` field to restrict the namespaces of Ingresses that are allowed to specify the IngressClass.

- If `namespaceSelector` is specified, only Ingresses in the selected namespaces can use IngressClasses with this parameter. The controller will refuse to reconcile Ingresses that violate the `namespaceSelector`.
- If `namespaceSelector` is unspecified, Ingresses in any namespace can use IngressClasses with this parameter.
### spec.group

`group` is an optional setting. The only available sub-field is `group.name`.

Cluster administrators can use the `group.name` field to denote the groupName for all Ingresses that belong to this IngressClass.

- If `group.name` is specified, all Ingresses with this IngressClass will belong to the same IngressGroup and result in a single ALB.
- If `group.name` is not specified, Ingresses with this IngressClass can use the older / legacy `alb.ingress.kubernetes.io/group.name` annotation to specify their IngressGroup. Ingresses that belong to the same IngressClass can then form different IngressGroups via that annotation.
### spec.scheme

`scheme` is an optional setting. The available options are `internet-facing` or `internal`.

Cluster administrators can use the `scheme` field to restrict the scheme for all Ingresses that belong to this IngressClass.

- If `scheme` is specified, all Ingresses with this IngressClass will have the specified scheme.
- If `scheme` is unspecified, Ingresses with this IngressClass can continue to use the `alb.ingress.kubernetes.io/scheme` annotation to specify the scheme.
### spec.inboundCIDRs

Cluster administrators can use the optional `inboundCIDRs` field to specify the CIDRs that are allowed to access the load balancers that belong to this IngressClass.

If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/inbound-cidrs` annotation.
### spec.certificateArn

Cluster administrators can use the optional `certificateArn` field to specify the ARNs of the certificates for all Ingresses that belong to an IngressClass with this IngressClassParams.

If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/certificate-arn` annotation.
### spec.sslPolicy

Cluster administrators can use the optional `sslPolicy` field to specify the SSL policy for the load balancers that belong to this IngressClass.

If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/ssl-policy` annotation.

### spec.sslRedirectPort

Cluster administrators can use the optional `sslRedirectPort` field to specify the SSL redirect port for the load balancers that belong to this IngressClass.

If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/ssl-redirect` annotation.
### spec.subnets

Cluster administrators can use the optional `subnets` field to specify the subnets for the load balancers that belong to this IngressClass.

They may specify either `ids` or `tags`. If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/subnets` annotation.
#### spec.subnets.ids

If `ids` is specified, it must be a set of at least one resource ID of a subnet in the VPC. No two subnets may be in the same availability zone.

#### spec.subnets.tags

If `tags` is specified, it is a map of tag filters. The filters will match subnets in the VPC for which each listed tag key is present and has one of the corresponding tag values.

Unless the `SubnetsClusterTagCheck` feature gate is disabled, subnets that lack this cluster's tag but carry the cluster tag of another cluster will be excluded.

Within any given availability zone, subnets with a cluster tag will be chosen over subnets without, then the subnet with the lowest-sorting resource ID will be chosen.
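The subnet selection rules above, worked through as an added example that is not the controller's own code: a Go function applies the `spec.subnets.tags` filters, the `SubnetsClusterTagCheck` exclusion and the per-AZ tie-break to constructed subnet records. The `Subnet` type and the sample data are assumptions for this illustration; the `kubernetes.io/cluster/<name>` key is the standard cluster tag convention.

```go
package main

import "strings"

// Subnet is a constructed stand-in for the EC2 subnet fields the rules depend on.
type Subnet struct {
	ID, AZ string
	Tags   map[string]string
}

const clusterTagPrefix = "kubernetes.io/cluster/" // cluster tag key: kubernetes.io/cluster/<name>

// taggedFor reports whether the subnet carries a cluster tag for `cluster`;
// cluster == "" matches a tag for any cluster ("tagged for somebody?").
func taggedFor(s Subnet, cluster string) bool {
	for k := range s.Tags {
		if strings.HasPrefix(k, clusterTagPrefix) && (cluster == "" || k == clusterTagPrefix+cluster) {
			return true
		}
	}
	return false
}

// matchesFilters implements spec.subnets.tags: every filter key must be present with one of its values.
func matchesFilters(s Subnet, filters map[string][]string) bool {
	for key, allowed := range filters {
		val, present := s.Tags[key]
		ok := false
		for _, v := range allowed {
			ok = ok || (present && v == val)
		}
		if !ok {
			return false
		}
	}
	return true
}

// SelectSubnets returns the subnet chosen per availability zone: tag-filtered, minus subnets
// tagged only for another cluster (when tagCheck, i.e. the SubnetsClusterTagCheck gate, is on),
// preferring cluster-tagged subnets and then the lowest-sorting ID within each AZ.
func SelectSubnets(all []Subnet, filters map[string][]string, cluster string, tagCheck bool) map[string]Subnet {
	best := map[string]Subnet{}
	for _, s := range all {
		if !matchesFilters(s, filters) || (tagCheck && !taggedFor(s, cluster) && taggedFor(s, "")) {
			continue
		}
		cur, seen := best[s.AZ]
		ours, curOurs := taggedFor(s, cluster), taggedFor(cur, cluster)
		if !seen || (ours && !curOurs) || (ours == curOurs && s.ID < cur.ID) {
			best[s.AZ] = s
		}
	}
	return best
}
```

Disabling the tag check makes a subnet tagged for a different cluster eligible again, which is exactly the cross-cluster leak the default gate prevents.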
### spec.ipAddressType

`ipAddressType` is an optional setting. The available options are `ipv4`, `dualstack`, or `dualstack-without-public-ipv4`.

Cluster administrators can use the `ipAddressType` field to restrict the ipAddressType for all Ingresses that belong to this IngressClass.

- If `ipAddressType` is specified, all Ingresses with this IngressClass will have the specified ipAddressType.
- If `ipAddressType` is unspecified, Ingresses with this IngressClass can continue to use the `alb.ingress.kubernetes.io/ip-address-type` annotation to specify the ipAddressType.
### spec.tags

`tags` is an optional setting.

Cluster administrators can use the `tags` field to specify the custom tags for AWS resources provisioned for all Ingresses that belong to this IngressClass.

- If `tags` is set, AWS resources provisioned for all Ingresses with this IngressClass will have the specified tags.
- You can also use the controller-level flag `--default-tags` or the `alb.ingress.kubernetes.io/tags` annotation to specify custom tags. These tags will be merged together based on tag key. If the same tag key appears in multiple sources, the priority is as follows:
    - the controller-level flag `--default-tags` has the highest priority.
    - `spec.tags` in IngressClassParams has the middle priority.
    - the `alb.ingress.kubernetes.io/tags` annotation has the lowest priority.
### spec.targetType

`targetType` is an optional setting. The available options are `instance` or `ip`.

This defines the target type of target groups for all Ingresses that belong to an IngressClass with this IngressClassParams.

If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/target-type` annotation.
### spec.loadBalancerAttributes

`loadBalancerAttributes` is an optional setting.

Cluster administrators can use the `loadBalancerAttributes` field to specify the Load Balancer Attributes that should be applied to the load balancers that belong to this IngressClass. You can specify the list of load balancer attribute names and the desired values in the `spec.loadBalancerAttributes` field.

- If `loadBalancerAttributes` is set, the attributes defined will be applied to the load balancers that belong to this IngressClass. If you specify invalid keys or values for the load balancer attributes, the controller will fail to reconcile Ingresses belonging to the particular IngressClass.
- If `loadBalancerAttributes` is unspecified, Ingresses with this IngressClass can continue to use the `alb.ingress.kubernetes.io/load-balancer-attributes` annotation to specify the load balancer attributes.
### spec.minimumLoadBalancerCapacity

Cluster administrators can use the optional `minimumLoadBalancerCapacity` field to specify the capacity reservation for the load balancers that belong to this IngressClass.

They may specify `capacityUnits`. If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/minimum-load-balancer-capacity` annotation.

#### spec.minimumLoadBalancerCapacity.capacityUnits

If `capacityUnits` is specified, it must be a valid positive value greater than 0. If set to 0, the LBC will reset the capacity reservation for the load balancer.
### spec.ipamConfiguration

`ipamConfiguration` is an optional setting.

Cluster administrators can use the `ipamConfiguration` field to specify the IPv4 IPAM Pool ID which will be used by your load balancer to assign IP addresses.

- If `ipamConfiguration` is set, the `ipv4IPAMPoolId` you choose will be the preferred source of public IPv4 addresses. If the pool is depleted, IPv4 addresses will be assigned by AWS. To remove the IPAM pool from your ALB, remove `spec.ipamConfiguration` from the IngressClassParams definition.
- If `ipamConfiguration` is unspecified, Ingresses with this IngressClass can continue to use the `alb.ingress.kubernetes.io/ipam-ipv4-pool-id` annotation to specify the IPv4 IPAM Pool ID.
### spec.PrefixListsIDs

Either `spec.prefixListsIDs` or `spec.PrefixListsIDs` is accepted; specifying both is not allowed. `spec.PrefixListsIDs` is not recommended, use `spec.prefixListsIDs` instead.

`PrefixListsIDs` is an optional setting.

Cluster administrators can use the `PrefixListsIDs` field to specify the managed prefix lists that are allowed to access the load balancers that belong to this IngressClass. You can specify the list of prefix list IDs in the `spec.PrefixListsIDs` field.

- If `PrefixListsIDs` is set, the prefix lists defined will be applied to the load balancers that belong to this IngressClass. If you specify invalid prefix list IDs, the controller will fail to reconcile Ingresses belonging to the particular IngressClass.
- If `PrefixListsIDs` is unspecified, Ingresses with this IngressClass can continue to use the `alb.ingress.kubernetes.io/security-group-prefix-lists` annotation to specify the load balancer prefix lists.

### spec.prefixListsIDs

`prefixListsIDs` is an optional setting.

Cluster administrators can use the `prefixListsIDs` field to specify the managed prefix lists that are allowed to access the load balancers that belong to this IngressClass. You can specify the list of prefix list IDs in the `spec.prefixListsIDs` field.

- If `prefixListsIDs` is set, the prefix lists defined will be applied to the load balancers that belong to this IngressClass. If you specify invalid prefix list IDs, the controller will fail to reconcile Ingresses belonging to the particular IngressClass.
- If `prefixListsIDs` is unspecified, Ingresses with this IngressClass can continue to use the `alb.ingress.kubernetes.io/security-group-prefix-lists` annotation to specify the load balancer prefix lists.
### spec.listeners

`listeners` is an optional setting.

**Note**

Adding listeners in the IngressClassParams specification does not automatically create listeners on your load balancers. To create listeners, you must explicitly define the listen ports in your Ingress configurations. The IngressClassParams `spec.listeners` are only used to set attributes for the listeners that you define in your Ingresses.

Cluster administrators can use the `listeners` field to specify the Listener Attributes for multiple load balancer listeners associated with this IngressClass. For each listener entry in the list, the desired attributes and their values are specified in the `listenerAttributes` field. Each listener is uniquely identified by its `port` and `protocol` fields, which determine which listener the attributes should be applied to.

- If `listeners` is set, the defined attributes will be applied to the corresponding load balancer listeners based on port and protocol matching. Note that using invalid keys or values will cause the controller to fail when reconciling Ingresses in this IngressClass.
- If `listeners` is unspecified, Ingresses with this IngressClass can continue to use the `alb.ingress.kubernetes.io/listener-attributes.${Protocol}-{Port}` annotation to specify the listener attributes.
### spec.wafv2AclArn

Cluster administrators can use the optional `wafv2AclArn` field to specify the ARN of the Amazon WAFv2 web ACL.

Only Regional WAFv2 is supported.

When this param is absent or empty, the controller will keep the load balancer's WAFv2 settings unchanged. To disable WAFv2, explicitly set the annotation value to `'none'`.

### spec.wafv2AclName

Cluster administrators can use the optional `wafv2AclName` field to specify the name of the Amazon WAFv2 web ACL.

Only Regional WAFv2 is supported.

When this param is absent or empty, the controller will keep the load balancer's WAFv2 settings unchanged. To disable WAFv2, explicitly set the param value to `'none'`.

If the field is specified, LBC will ignore the `alb.ingress.kubernetes.io/wafv2-acl-name` annotation.
# Resource Cleanup Order

When cleaning up AWS Load Balancer Controller resources, it's important to follow the correct order of deletion to avoid orphaned resources. The recommended order is:

- Delete the Ingresses first
- Delete the IngressClass and IngressClassParams last

If you delete the IngressClass before the Ingresses that reference it, the Ingresses will become orphaned and cannot be cleaned up until the `ingressClassName` is manually removed from their manifests. This is because the AWS Load Balancer Controller's validating webhook requires a valid IngressClass to be present when processing Ingress resources.

**Warning**

Deleting IngressClass resources before their associated Ingresses can result in orphaned resources that require manual cleanup. Always delete Ingresses first to ensure proper resource cleanup.