docs/guide/service/annotations.md
Lines changed: 24 additions & 12 deletions
Original file line number
Diff line number
Diff line change
@@ -11,7 +11,7 @@
11
11
## Annotations
12
12
!!!warning
13
13
These annotations are specific to the kubernetes [service resources reconciled](#lb-type) by the AWS Load Balancer Controller. Although the list was initially derived from the k8s in-tree `kube-controller-manager`, this
14
-
documentation is not an accurate reference for the services reconciled by the in-tree controller.
14
+
documentation is not an accurate reference for the services reconciled by the in-tree controller.
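Review bot: the `-`/`+` pair at original line 14 shows identical visible text ("documentation is not an accurate reference ..."), so the change is whitespace-only; because this line is the continuation of the `!!!warning` admonition opened two lines earlier, confirm that the new version carries the four-space indent the admonition needs, otherwise the second half of the sentence renders outside the warning box. While touching the block, "kubernetes" should be capitalised as Kubernetes to match the rest of the page.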
|[service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-prefix](#deprecated-attributes)| string || deprecated, in favor of [aws-load-balancer-attributes](#load-balancer-attributes)|
30
30
|[service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled](#deprecated-attributes)| boolean | false | deprecated, in favor of [aws-load-balancer-attributes](#load-balancer-attributes)|
|[service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules](#manage-backend-sg-rules)| boolean | true | If `service.beta.kubernetes.io/aws-load-balancer-security-groups` is specified, this must also be explicitly specified otherwise it defaults to `false`. |
Traffic Routing can be controlled with following annotations:
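Review bot: the table row for `service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules` lists the default as `true` in the default column but then says it defaults to `false` when `aws-load-balancer-security-groups` is specified; a single default cell cannot express that, so make the cell read `true` (`false` if `aws-load-balancer-security-groups` is set) and keep the description focused on the consequence, namely that no ingress rules are added to the instance/ENI security group unless the annotation is explicitly set to `true` in that case.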
@@ -70,7 +71,7 @@ Traffic Routing can be controlled with following annotations:
70
71
71
72
!!!tip
72
73
This annotation specifies the controller used to provision LoadBalancers (as specified in [legacy-cloud-provider](#legacy-cloud-provider)). Refer to [lb-scheme](#lb-scheme) to specify whether the LoadBalancer is internet-facing or internal.
73
-
74
+
74
75
!!!note ""
75
76
- [Deprecated] For type `nlb-ip`, the controller will provision an NLB with targets registered by IP address. This value is supported for backwards compatibility.
76
77
- For type `external`, the NLB target type depends on the [nlb-target-type](#nlb-target-type) annotation.
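Review bot: the only changed line (original 73 / new 74) is blank, so this is a whitespace-only edit between the `!!!tip` body and the following `!!!note ""`; if the blank line is meant to stay inside the tip admonition it needs the same indentation as the text above it, and if not, an empty line with no trailing spaces is enough. Either way, a blank line inside the admonition should be consistent with the other admonitions in this file so the rendered blocks look the same.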
@@ -242,11 +243,11 @@ for proxy protocol v2 configuration.
242
243
!!!warning ""
243
244
Only attributes defined in the annotation will be updated. To unset any AWS defaults(e.g. Disabling access logs after having them enabled once), the values need to be explicitly set to the original values(`access_logs.s3.enabled=false`) and omitting them is not sufficient.
244
245
Custom attributes set in this annotation's config map will be overriden by annotation-specific attributes. For backwards compatibility, existing annotations for the individual load balancer attributes get precedence in case of ties.
245
-
246
+
246
247
!!!note ""
247
248
- If `deletion_protection.enabled=true` is in the annotation, the controller will not be able to delete the NLB during reconciliation. Once the attribute gets edited to `deletion_protection.enabled=false` during reconciliation, the deployer will force delete the resource.
248
249
- Please note, if the deletion protection is not enabled via annotation (e.g. via AWS console), the controller still deletes the underlying resource.
249
-
250
+
250
251
!!!example
251
252
- enable access log to s3
252
253
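Review bot: both changed lines (original 245 and 249) are blank, whitespace-only edits; the surrounding text has a few things worth fixing in the same pass: "overriden" should be "overridden", and "defaults(e.g." and "values(`access_logs.s3.enabled=false`)" are missing a space before the parenthesis. The second deletion-protection bullet is also ambiguous: "if the deletion protection is not enabled via annotation (e.g. via AWS console)" reads as though protection enabled in the console is silently ignored, and "the deployer will force delete the resource" uses a term that appears nowhere else in the section; say plainly which component performs the deletion and what happens when protection was enabled outside the annotation.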
```
@@ -272,7 +273,7 @@ for proxy protocol v2 configuration.
- <aname="ssl-domains">`service.beta.kubernetes.io/aws-load-balancer-ssl-domains`</a> specifies the domain names for the NLB to which you want auto-discover the SSL certs.
390
+
391
+
!!!note ""
392
+
When both the [ssl-cert](#ssl-cert) and [ssl-domains](#ssl-domains) are specified, `service.beta.kubernetes.io/aws-load-balancer-ssl-cert` annotation
393
+
takes precedence over the `service.beta.kubernetes.io/aws-load-balancer-ssl-domains`.
- <aname="ssl-ports">`service.beta.kubernetes.io/aws-load-balancer-ssl-ports`</a> specifies the frontend ports with TLS listeners.
389
401
390
402
!!!note ""
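Review bot: the new `!!!note ""` (new lines 390-393) documents the precedence between the two annotations, but the preceding bullet's wording "the domain names for the NLB to which you want auto-discover the SSL certs" is ungrammatical; suggest "the domain names for which the controller should auto-discover SSL certificates for the NLB". In the note, "both the [ssl-cert] and [ssl-domains] are specified" should drop the stray "the", and it would help to state the consequence of precedence explicitly, i.e. whether `aws-load-balancer-ssl-domains` is ignored entirely when `aws-load-balancer-ssl-cert` is present or still used for domains the explicit certificate does not cover.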
@@ -434,7 +446,7 @@ Load balancer access can be controlled via following annotations:
434
446
This annotation will be ignored in case preserve client IP is not enabled.
435
447
- preserve client IP is disabled by default for `IP` targets
436
448
- preserve client IP is enabled by default for `instance` targets
437
-
449
+
438
450
!!!warning ""
439
451
Preserve client IP has no effect on traffic converted from IPv4 to IPv6 and on traffic converted from IPv6 to IPv4. The source IP of this type of traffic is always the private IP address of the Network Load Balancer.
440
452
- This could cause the clients that have their traffic converted to bypass the specified CIDRs that are allowed to access the NLB.
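Review bot: the changed line (original 437 / new 449) is blank, a whitespace-only edit; the `!!!warning ""` that follows is the security-relevant part of this section and its last bullet understates the effect. "This could cause the clients that have their traffic converted to bypass the specified CIDRs" should say directly that source-CIDR restrictions on the NLB cannot be enforced for IPv4-to-IPv6 or IPv6-to-IPv4 translated traffic, because the source address seen is the NLB's private IP, so those CIDRs must not be relied on as the only control for such traffic. Also "in case preserve client IP is not enabled" reads better as "if preserve client IP is not enabled".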
@@ -495,7 +507,7 @@ Load balancer access can be controlled via following annotations:
- <aname="manage-backend-sg-rules">`service.beta.kubernetes.io/aws-load-balancer-manage-backend-security-group-rules`</a> specifies whether the controller should automatically add the ingress rules to the instance/ENI security group.
500
512
501
513
!!!warning ""
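Review bot: the description of `aws-load-balancer-manage-backend-security-group-rules` here omits the conditional default stated in the annotations table (must be set explicitly, otherwise `false`, when `aws-load-balancer-security-groups` is specified); since readers arrive here via the `#manage-backend-sg-rules` anchor, repeat that condition in this bullet or in the `!!!warning ""` that follows, because a reader who supplies their own security groups and expects the controller to add ingress rules will otherwise get none of the rules it would normally add to the instance/ENI security group.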
@@ -506,7 +518,7 @@ Load balancer access can be controlled via following annotations:
- <aname="update-security-settings">`service.beta.kubernetes.io/aws-load-balancer-inbound-sg-rules-on-private-link-traffic`</a> specifies whether to apply security group rules to traffic sent to the load balancer through AWS PrivateLink.
521
+
- <aname="update-security-settings">`service.beta.kubernetes.io/aws-load-balancer-inbound-sg-rules-on-private-link-traffic`</a> specifies whether to apply security group rules to traffic sent to the load balancer through AWS PrivateLink.
510
522
511
523
!!!example
512
524
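Review bot: the new bullet (new line 521) uses the anchor name `update-security-settings` for `aws-load-balancer-inbound-sg-rules-on-private-link-traffic`, while the other anchors on the page are named after the annotation suffix (`manage-backend-sg-rules`, `ssl-domains`, `ssl-ports`); rename it to match, e.g. `inbound-sg-rules-on-private-link-traffic`, and check that the annotations table links to the same id. The same bullet text appears twice in the rendered diff, so confirm it is not duplicated in the file.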
```
@@ -517,8 +529,8 @@ Load balancer access can be controlled via following annotations:
517
529
## Legacy Cloud Provider
518
530
The AWS Load Balancer Controller manages Kubernetes Services in a compatible way with the AWS cloud provider's legacy service controller.
519
531
520
-
- For users on v2.5.0+, The AWS LBC provides a mutating webhook for service resources to set the `spec.loadBalancerCLass` field for Serive of type LoadBalancer, effectively making the AWS LBC the default controller for Service of type LoadBalancer.
532
+
- For users on v2.5.0+, The AWS LBC provides a mutating webhook for service resources to set the `spec.loadBalancerCLass` field for Serive of type LoadBalancer, effectively making the AWS LBC the default controller for Service of type LoadBalancer.
521
533
Users can disable this feature and revert to using the AWS Cloud Controller Manager as the default service controller by setting the helm chart value `enableServiceMutatorWebhook` to false with `--set enableServiceMutatorWebhook=false` .
522
534
- For users on older versions, the annotation `service.beta.kubernetes.io/aws-load-balancer-type` is used to determine which controller reconciles the service. If the annotation value is `nlb-ip` or `external`,
523
-
recent versions of the legacy cloud provider ignore the Service resource so that the AWS LBC can take over. For all other values of the annotation, the legacy cloud provider will handle the service.
535
+
recent versions of the legacy cloud provider ignore the Service resource so that the AWS LBC can take over. For all other values of the annotation, the legacy cloud provider will handle the service.
524
536
Note that this annotation should be specified during service creation and not edited later. Support for the annotation was added to the legacy cloud provider in Kubernetes v1.20, and is backported to v1.18.18+ and v1.19.10+.
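Review bot: new line 532 is the changed line and carries two typos that should be fixed while it is being touched: `spec.loadBalancerCLass` should be `spec.loadBalancerClass` (the field name is case-sensitive, so the wrong casing cannot be copied into a manifest as written) and "Serive" should be "Service"; "The AWS LBC" mid-sentence should also be lowercase "the". On new line 533 there is a stray space before the final period after `--set enableServiceMutatorWebhook=false`. The closing paragraph says the annotation "should be specified during service creation and not edited later" but not what happens if it is edited; one sentence on the consequence would make the guidance actionable.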