AWS ELB-related annotations for Kubernetes Services (as of v1.12.0)

AWS Service annotations

  • service.beta.kubernetes.io/aws-load-balancer-access-log-emit-interval (in minutes)
  • service.beta.kubernetes.io/aws-load-balancer-access-log-enabled (true|false)
  • service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name
  • service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-prefix
  • service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags (comma-separated list of key=value)
  • service.beta.kubernetes.io/aws-load-balancer-backend-protocol (http|https|ssl|tcp)
  • service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled (true|false)
  • service.beta.kubernetes.io/aws-load-balancer-connection-draining-timeout (in seconds)
  • service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout (in seconds, default 60)
  • service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled (true|false)
  • service.beta.kubernetes.io/aws-load-balancer-extra-security-groups (comma-separated list)
  • service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold
  • service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval
  • service.beta.kubernetes.io/aws-load-balancer-healthcheck-timeout
  • service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold
  • service.beta.kubernetes.io/aws-load-balancer-internal (true|false)
  • service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
  • service.beta.kubernetes.io/aws-load-balancer-ssl-cert (IAM or ACM ARN)
  • service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy
  • service.beta.kubernetes.io/aws-load-balancer-ssl-ports (default '*')
  • service.beta.kubernetes.io/aws-load-balancer-type: nlb

KIVagant commented May 17, 2017

dod38fr commented May 29, 2017

Thanks for the list.

aws-load-balancer-internal annotation value is only used as a boolean. Why is 0.0.0.0/0 shown as a default value?

tuannvm commented Oct 17, 2017

To add additional tags for ELB, reference:

service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags

srossross-tableau commented Nov 15, 2017

Do you know how I can do ssl termination? I.e. if service.beta.kubernetes.io/aws-load-balancer-backend-protocol is set to https, then the "Load Balancer Protocol" and the "Instance Protocol" are both set to https. I would like the "Instance Protocol" to remain http.

tommyo commented Nov 16, 2017

@srossross-tableau
service.beta.kubernetes.io/aws-load-balancer-backend-protocol is for the Instance protocol. The 2 ssl annotations are for the load balancer settings. What you want looks something like this:

    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:...."
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "*"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"

downneck commented Jan 5, 2018

@srossross-tableau @tommyo

service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "*" will terminate ssl on all ports. If your LB is going to be serving any ports without ssl termination (http, ssh, etc.), you want aws-load-balancer-ssl-ports to list only the ports that will terminate ssl (e.g. 443).

c4m4 commented Feb 16, 2018

Why is there no tag to say what subnet to use?

jryberg commented Feb 28, 2018

@c4m4, did you figure that one out? I'm also looking to select a specific subnet per load balancer.

aprisniak commented Mar 5, 2018

How can I redirect to https?

edify42 commented Mar 7, 2018

@aprisniak You can with an Ingress definition, which can do an HTTP 301/302.

Not sure if there's a nice way to do HTTPS redirects with an ALB type AWS LB.

mt-inside commented Apr 9, 2018

Do you have an updated version of this? It would be useful. E.g. in 1.9+ there's an option to make an NLB.
https://kubernetes.io/docs/concepts/services-networking/service/#network-load-balancer-support-on-aws-alpha

    metadata:
      name: my-service
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-type: "nlb"

claylaut commented May 22, 2018

How can I enable sticky sessions?

dorsegal commented May 24, 2018

Do you know how to add extra security groups?

seh commented May 29, 2018

NB: At present, service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled is not honored for NLBs.

codrinbucur commented Aug 23, 2018

Is there an option to automatically deploy the LB in multiple availability zones? Or could the "aws-load-balancer-cross-zone-load-balancing-enabled=true" create the additional availability zones' instances?

ksemaev commented Aug 29, 2018

@mt-inside have you found any updated info?

cdenneen commented Aug 30, 2018

@mgoodness Agree with @dod38fr: the 0.0.0.0/0 annotation shouldn't be used anymore, as it's very confusing.
Also @dod38fr, while it's a boolean, you can't use a boolean: if you try true it fails... must be 'true'
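
The ssl-ports caveat from downneck's comment and the quoted-'true' point from cdenneen's comment, written as a small manifest lint. This is an added example, not code from the gist, its commenters or Kubernetes; `audit_service`, the finding codes, the two-port sample Service and the placeholder certificate ARN are assumptions made for illustration.

```python
PREFIX = "service.beta.kubernetes.io/aws-load-balancer-"
BACKEND_PROTOCOLS = {"http", "https", "ssl", "tcp"}  # values from the list above

def audit_service(svc):
    """Return (code, detail) findings for one parsed Service manifest (a dict)."""
    ann = (svc.get("metadata") or {}).get("annotations") or {}
    ports = (svc.get("spec") or {}).get("ports") or []
    findings = []
    # Annotation values must be strings; an unquoted YAML true parses as a bool.
    for key, value in ann.items():
        if key.startswith(PREFIX) and not isinstance(value, str):
            findings.append(("non-string-value", f"{key}: quote {value!r}"))
    def get(name):
        value = ann.get(PREFIX + name)
        return value if isinstance(value, str) else None
    cert, ssl_ports, backend = get("ssl-cert"), get("ssl-ports"), get("backend-protocol")
    if backend is not None and backend not in BACKEND_PROTOCOLS:
        findings.append(("bad-backend-protocol", backend))
    if cert is None:
        if ssl_ports is not None:
            findings.append(("ssl-ports-without-cert", ssl_ports))
    elif ssl_ports in (None, "*"):
        # '*' (the default) terminates TLS on every port; heuristic: flag it
        # whenever the Service exposes more than one port.
        if len(ports) > 1:
            findings.append(("tls-on-all-ports", "list only the TLS ports"))
    else:
        known = {str(p.get("port")) for p in ports} | {p.get("name") for p in ports}
        for entry in (e.strip() for e in ssl_ports.split(",")):
            if entry not in known:
                findings.append(("ssl-port-not-exposed", entry))
    return findings

def service(annotations):
    """Build a constructed two-port Service (80 plain, 443 TLS) for the demo."""
    full = {PREFIX + k: v for k, v in annotations.items()}
    return {"metadata": {"name": "my-service", "annotations": full},
            "spec": {"type": "LoadBalancer",
                     "ports": [{"name": "http", "port": 80},
                               {"name": "https", "port": 443}]}}

# Constructed samples; the certificate ARN is a placeholder, not a real one.
CERT = "arn:aws:acm:REGION:ACCOUNT_ID:certificate/PLACEHOLDER"
WEAK = service({"ssl-cert": CERT, "ssl-ports": "*", "backend-protocol": "http",
                "cross-zone-load-balancing-enabled": True})
FIXED = service({"ssl-cert": CERT, "ssl-ports": "443", "backend-protocol": "http",
                 "cross-zone-load-balancing-enabled": "true"})
if __name__ == "__main__":
    for name, svc in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(name, audit_service(svc))
```

`WEAK` yields two findings (the unquoted boolean and TLS on every port); `FIXED` yields none.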
