AWS ELB-related annotations for Kubernetes Services (as of v1.12.0)

AWS Service annotations

  • service.beta.kubernetes.io/aws-load-balancer-access-log-emit-interval (in minutes)
  • service.beta.kubernetes.io/aws-load-balancer-access-log-enabled (true|false)
  • service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name
  • service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-prefix
  • service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags (comma-separated list of key=value)
  • service.beta.kubernetes.io/aws-load-balancer-backend-protocol (http|https|ssl|tcp)
  • service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled (true|false)
  • service.beta.kubernetes.io/aws-load-balancer-connection-draining-timeout (in seconds)
  • service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout (in seconds, default 60)
  • service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled (true|false)
  • service.beta.kubernetes.io/aws-load-balancer-extra-security-groups (comma-separated list)
  • service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold
  • service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval
  • service.beta.kubernetes.io/aws-load-balancer-healthcheck-timeout
  • service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold
  • service.beta.kubernetes.io/aws-load-balancer-internal (true|false)
  • service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
  • service.beta.kubernetes.io/aws-load-balancer-ssl-cert (IAM or ACM ARN)
  • service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy
  • service.beta.kubernetes.io/aws-load-balancer-ssl-ports (default '*')
  • service.beta.kubernetes.io/aws-load-balancer-type: nlb

KIVagant commented May 17, 2017

dod38fr commented May 29, 2017

Thanks for the list.

aws-load-balancer-internal annotation value is only used as a boolean. Why is 0.0.0.0/0 shown as a default value?

tuannvm commented Oct 17, 2017

To add additional tags for ELB, reference:

service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags

srossross-tableau commented Nov 15, 2017

Do you know how I can do ssl termination? I.e., if service.beta.kubernetes.io/aws-load-balancer-backend-protocol is set to https, then the "Load Balancer Protocol" and the "Instance Protocol" are both set to https. I would like the "Instance Protocol" to remain http.

tommyo commented Nov 16, 2017

@srossross-tableau
service.beta.kubernetes.io/aws-load-balancer-backend-protocol is for the Instance protocol. The 2 ssl annotations are for the load balancer settings. What you want looks something like this:

    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:...."
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "*"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"

downneck commented Jan 5, 2018

@srossross-tableau @tommyo

service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "*" will terminate ssl on all ports. If your LB is going to be serving any ports without ssl termination (http, ssh, etc.), you want aws-load-balancer-ssl-ports to list only the ports that will terminate ssl (e.g. 443).

c4m4 commented Feb 16, 2018

Why is there no tag to say what subnet to use?

jryberg commented Feb 28, 2018

@c4m4, did you figure that one out? I'm also looking to select a specific subnet per load balancer.

aprisniak commented Mar 5, 2018

How can I redirect to https?

edify42 commented Mar 7, 2018

@aprisniak You can with an Ingress definition, which can do an HTTP 301/302.

Not sure if there's a nice way to do HTTPS redirects with an ALB type AWS LB.

mt-inside commented Apr 9, 2018

Do you have an updated version of this? It would be useful. E.g. in 1.9+ there's an option to make an NLB.
https://kubernetes.io/docs/concepts/services-networking/service/#network-load-balancer-support-on-aws-alpha

    metadata:
      name: my-service
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: "nlb"

claylaut commented May 22, 2018

How can I enable sticky sessions?

dorsegal commented May 24, 2018

Do you know how to add extra security groups?

seh commented May 29, 2018

NB: At present, service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled is not honored for NLBs.

codrinbucur commented Aug 23, 2018

Is there an option to automatically deploy the LB in multiple availability zones? Or could the "aws-load-balancer-cross-zone-load-balancing-enabled=true" create the additional availability zones' instances?

ksemaev commented Aug 29, 2018

@mt-inside have you found any updated info?

cdenneen commented Aug 30, 2018

@mgoodness Agree with @dod38fr: the 0.0.0.0/0 annotation shouldn't be used anymore as it's very confusing.
Also @dod38fr, while it's a boolean, you can't use a boolean: if you try true it fails... it must be 'true'.
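
A small linter for the pitfalls raised in this thread (non-string annotation values, `ssl-ports` left at `*` on a multi-port Service, misspelt annotation keys), added here as an example and not part of the gist or any commenter's post. `lint_service`, `KNOWN` and `SAMPLE` are hypothetical names; the input is a constructed, already-parsed manifest and the certificate ARN is a placeholder.

```python
PREFIX = "service.beta.kubernetes.io/aws-load-balancer-"
# Suffixes copied from the annotation list at the top of this page (v1.12.0).
KNOWN = {
    "access-log-emit-interval", "access-log-enabled", "access-log-s3-bucket-name",
    "access-log-s3-bucket-prefix", "additional-resource-tags", "backend-protocol",
    "connection-draining-enabled", "connection-draining-timeout",
    "connection-idle-timeout", "cross-zone-load-balancing-enabled",
    "extra-security-groups", "healthcheck-healthy-threshold", "healthcheck-interval",
    "healthcheck-timeout", "healthcheck-unhealthy-threshold", "internal",
    "proxy-protocol", "ssl-cert", "ssl-negotiation-policy", "ssl-ports", "type",
}

def lint_service(service):
    """Return a list of findings for a Service given as a parsed manifest (dict)."""
    findings = []
    annotations = service.get("metadata", {}).get("annotations") or {}
    ports = service.get("spec", {}).get("ports") or []
    for key, value in annotations.items():
        if not key.startswith(PREFIX):
            continue
        if key[len(PREFIX):] not in KNOWN:
            findings.append(f"unknown annotation (typo?): {key}")
        # Annotation values must be strings; a bare YAML true/60 parses as bool/int.
        if not isinstance(value, str):
            findings.append(f"value of {key} must be a quoted string, got {value!r}")
    # ssl-ports defaults to '*': with a certificate set, every listener terminates TLS.
    if PREFIX + "ssl-cert" in annotations and len(ports) > 1:
        if str(annotations.get(PREFIX + "ssl-ports", "*")).strip() == "*":
            names = ", ".join(str(p.get("port")) for p in ports)
            findings.append(f"ssl-ports is '*' but the Service exposes ports {names}; "
                            "list only the TLS ports")
    return findings

# Constructed sample: what a YAML parser yields for a manifest with an unquoted
# boolean, a misspelt key and no ssl-ports restriction. The ARN is a placeholder.
SAMPLE = {
    "metadata": {"name": "my-service", "annotations": {
        PREFIX + "ssl-cert": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER",
        PREFIX + "backend-protocol": "http",
        PREFIX + "internal": True,
        PREFIX + "acces-log-enabled": "true",
    }},
    "spec": {"type": "LoadBalancer", "ports": [{"port": 80}, {"port": 443}]},
}

if __name__ == "__main__":
    for finding in lint_service(SAMPLE):
        print(finding)
```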

tomweston commented Dec 17, 2018

Has anyone had any luck using the following annotations on AWS Classic ELBs:

service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name
service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-prefix

No matter what values I give them, they don’t seem to register, forget the ELB to go into a pending state and never deploy.
Attaching certs works fine though 🙂

service.beta.kubernetes.io/aws-load-balancer-ssl-cert