All Products
Search
Document Center

Container Service for Kubernetes:Use AlbConfigs to configure ALB listeners

Last Updated:Jun 17, 2024

You can set the Listeners parameter of an AlbConfig to configure listeners for an Application Load Balancer (ALB) instance. This topic describes the Listeners parameter and how to use an AlbConfig to create, modify, and update listeners.

Prerequisites

Listeners are created. For ACLs created in the ALB console to take effect, you need to associate the ALCs with listeners.

Description of the Listeners parameter

Terms

  • Object configuration file: a file that defines the configuration of a Kubernetes object.

  • Live object configuration file: an object configuration file that has been applied in a Kubernetes cluster.

  • last-applied-configuration: an annotation of a Kubernetes object. The annotation records the content of the most recent configuration of the object. The annotation is not updated in real-time when the configuration of the object is updated.

Update methods for the Listeners parameter

The Listeners parameter is of the array type. In most cases, you can update the Listeners parameter by replacing the fields in the array. When you update the Listeners parameter, the fields are replaced by the new fields you specify. The following table describes the rules.

No.

Condition

Result

The listener is in the object configuration file

The listener is in the live object configuration file

The listener is in the last-applied-configuration annotation

1

Yes

Yes

- (Irrelevant)

The listener is retained in the live object configuration file.

2

Yes

No

- (Irrelevant)

The listener is added to the live object configuration file.

3

No

- (Irrelevant)

Yes

The listener is deleted from the live object configuration file. However, the fields of the listener may be reset to the default settings.

4

No

Yes

No

The listener is deleted from the live object configuration file.

Examples

The following example shows the content of an object configuration file, a live object configuration file, and a last-applied-configuration annotation:

# The content of the object configuration file. 
  listeners:
  - port: 8001
    protocol: HTTP
  - port: 8003
    protocol: HTTP
  - port: 8005 # Add port 8005.
    protocol: HTTP

# The content of the live object configuration file. 
  listeners:
  - port: 8001
    protocol: HTTP
  - port: 8002  # Delete port 8002.
    protocol: HTTP
  - port: 8003
    protocol: HTTP
  - port: 8004  # Delete port 8004.
    protocol: HTTP
    
# The content of the last-applied-configuration annotation. 
  listeners:
  - port: 8001 
    protocol: HTTP
  - port: 8002  # Delete port 8002.
    protocol: HTTP
  - port: 8003
    protocol: HTTP

The following code block shows the configuration of the Listeners parameter after it is updated:

# The configuration of the Listeners parameter.
  listeners:
  - port: 8001
    protocol: HTTP
  - port: 8003
    protocol: HTTP
  - port: 8005
    protocol: HTTP
  • Port 8001 and port 8003 match Rule 1. Therefore, they are retained.

  • Port 8005 matches Rule 2. Therefore, it is added.

  • Port 8002 matches Rule 3. Therefore, it is deleted.

  • Port 8004 matches Rule 4. Therefore, it is deleted.

Create listeners

ALB instances use listeners to receive and forward external requests based on the application-layer information of the requests.

Run the kubectl edit albconfig <Albconfig_Name> command to modify an AlbConfig. You can configure the port and protocol parameters to create a listener. The port and protocol parameters are the only identifiers of a listener. If you modify the port or protocol parameter, the system deletes the original listener and creates a listener based on the new configuration.

Note

HTTP is compatible with WebSocket. No additional configuration is required.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-demo
spec:
  config:
  ...
  listeners:
    - port: 80
      protocol: HTTP # Valid values: HTTP, HTTPS, and QUIC. 
  ...

Specify certificates

If you want to enable encryption and authentication for an HTTPS listener when you create an ALB instance, run the kubectl edit albconfig <Albconfig_Name> command to modify the AlbConfig that is used to configure the ALB instance. Then, specify a certificate ID in the certificates parameter of the AlbConfig.

If you do not specify a certificate in the parameter, no HTTPS listener is created when the system creates the ALB instance. The system waits until an Ingress is associated with the listener and the Ingress automatically discovers a certificate based on the domain name specified in the Ingress configuration.

For more information about how to configure certificates, see Use an ALB Ingress to configure certificates for an HTTPS listener.

Important

ALB uses the first certificate that you specify as the default certificate. ALB uses the default certificate to encrypt requests until the certificate expires or no longer meets the requirements. In this case, ALB uses other certificates to encrypt requests.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-demo
spec:
  config:
  ...
  listeners:
  - caEnabled: false
    certificates:
    - CertificateId: 756****-cn-hangzhou # The certificate ID. 
      IsDefault: true
    port: 443
    protocol: HTTPS
  ...

Parameter

Description

CertificateId

The certificate ID. In this example, 756****-cn-hangzhou is specified. Specify the value of CertificateId based on the following description:

  • If the certificate is created in a region in China, set the value to 756****-cn-hangzhou. -cn-hangzhou is fixed content. You need to only replace 756****.

  • If the certificate is created in a region outside China, set the value to 756****-ap-southeast-1. -ap-southeast-1 is fixed content. You need to only replace 756****.

IsDefault

Specifies whether to set the certificate as the default certificate. In this example, true is specified. The certificate is set as the default certificate.

protocol

The protocol used by listeners. In this example, HTTPS is specified. The HTTPS protocol is used by listeners.

Configure a custom TLS security policy

If you want to configure a custom TLS security policy, run the kubectl edit albconfig <Albconfig_Name> command to modify an AlbConfig. Then, configure the securityPolicyId parameter to specify a security policy ID. You can specify a TLS security policy when you configure an HTTPS listener in an AlbConfig. Custom and default TLS security policies are supported. For more information, see TLS security policies.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-demo
spec:
  config:
  ...
  listeners:
  - port: 443
    protocol: HTTPS
    securityPolicyId: tls_cipher_policy_1_1 # The security policy ID. 
  ...

Set the connection timeout period for listeners

If you want to set the connection timeout period for listeners, run the kubectl edit albconfig <Albconfig_Name> command to modify an AlbConfig. Then, configure the requestTimeout parameter.

If the backend server does not respond within the timeout period after a client sends a request to the server, ALB returns an HTTP 504 error code to the client.

  • Valid values for requestTimeout: 1 to 180. Unit: seconds.

  • Default value for requestTimeout: 60.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    requestTimeout: 60 # The connection timeout period for the listener. Valid values: 1 to 180. If you leave the parameter empty, the default value is used. 
  ...

Configure data compression

Data compression can reduce the size of files to improve transmission efficiency and network performance. If you want to configure data compression, run the kubectl edit albconfig <Albconfig_Name> command to modify an AlbConfig. Then, configure the gzipEnabled parameter to enable data compression for a listener. Brotli and Gzip are two commonly used compression algorithms.

  • Brotli supports all types of files.

  • Gzip supports the following types of files: text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json.

The following code block provides a sample AlbConfig configuration that disables data compression:

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    gzipEnabled: false # A value of true enables data compression for specific types of files. A value of false disables data compression. 
  ...

Preserve client IP addresses

To preserve client IP addresses, run the kubectl edit albconfig <Albconfig_Name> command to modify an AlbConfig. Then, configure the X-Forwarded-For parameter to enable client IP preservation.

Important

Only HTTP listeners and HTTPS listeners support this parameter.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
  ...
  listeners:
  - port: 80
    protocol: HTTP
    xForwardedForConfig:
      XForwardedForEnabled: true # A value of true enables client IP preservation. A value of false disables client IP preservation. 
  ...

Retrieve the listening protocol used by an ALB instance

If you want to retrieve the listening protocol used by an ALB instance, run the kubectl edit albconfig <Albconfig_Name> command to modify the AlbConfig used to configure the ALB instance. Then, configure the X-Forwarded-For parameter to retrieve the listening protocol used by the ALB instance.

Important

Only HTTP listeners and HTTPS listeners support this parameter.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    xForwardedForConfig:
      XForwardedForProtoEnabled: true # A value of true retrieves the listening protocol used by the ALB instance. A value of true does not retrieve the listening protocol used by the ALB instance. 
  ...

Retrieve the ID of an ALB instance

If you want to retrieve the ID of an ALB instance, run the kubectl edit albconfig <Albconfig_Name> command to modify the AlbConfig used to configure the ALB instance. Then, configure the XForwardedForSLBIdEnabled parameter to retrieve the ID of the ALB instance.

Important

Only HTTP listeners and HTTPS listeners support this parameter.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    xForwardedForConfig:
      XForwardedForSLBIdEnabled: true # A value of true retrieves the ID of the ALB instance. A value of true does not retrieve the ID of the ALB instance. 
  ...

Retrieve the listening ports of an ALB instance

If you want to retrieve the listening ports of an ALB instance, run the kubectl edit albconfig <Albconfig_Name> command to modify the AlbConfig used to configure the ALB instance. Then, configure the XForwardedForSLBPortEnabled parameter to retrieve the listening ports of the ALB instance.

Important

Only HTTP listeners and HTTPS listeners support this parameter.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    xForwardedForConfig:
      XForwardedForSLBPortEnabled: true # A value of true retrieves the listening ports of the ALB instance. A value of false does not retrieve the listening ports of the ALB instance. 
  ...

Specify a trusted proxy IP address

If you want to specify a trusted proxy IP address for an ALB instance, run the kubectl edit albconfig <Albconfig_Name> command to modify the AlbConfig used to configure the ALB instance. Configure the XForwardedForClientSourceIpsEnabled parameter to allow the ALB instance to retrieve client IP addresses from the X-Forwarded-For header. Then, configure the XForwardedForClientSourceIpsTrusted parameter to specify a list of trusted proxy IP addresses. This way, the ALB instance traverses the IP addresses in the X-Forwarded-For header from the rightmost IP address to the leftmost IP address. The first IP address that is not on the trusted IP address list is considered the client IP address. Requests from the client IP address are throttled.

Important

Only HTTP listeners and HTTPS listeners support this parameter.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    xForwardedForConfig:
      XForwardedForClientSourceIpsEnabled: true # A value of true allows the ALB instance to retrieve client IP addresses from the X-Forwarded-For header. If you set the value to true, you must configure the XForwardedForClientSourceIpsTrusted parameter in a valid format. A value of false forbids the ALB instance from retrieving client IP addresses from the X-Forwarded-For header. 
      XForwardedForClientSourceIpsTrusted: 192.168.x.x;192.168.x.x/16  # Enter a valid IP address or CIDR block. This parameter takes effect only when XForwardedForClientSourceIpsEnabled is set to true. 
  ...

Configure network ACLs

If you want to configure network access control lists (ACLs) for the listeners of an ALB instance, run the kubectl edit albconfig <Albconfig_Name> command to modify the AlbConfig used to configure the ALB instance. Then, configure the aclConfig parameter to enable network ACLs. This allows you to implement fine-grained access control on client requests. You can configure network ACLs to allow or deny access from specified IP addresses or CIDR blocks. For more information, see Use AlbConfigs to add and modify ACL rules.

apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
  ...
  listeners:
  - port: 80
    protocol: HTTP
    aclConfig: # Enable network ACLs for the listener. 
      aclEntries:
      - 127.0.0.1/32 # The CIDR block that you want to add to the ACL rule for access control.
      aclType: White # The type of network ACL. Valid values: Black (blacklist) and White (whitelist). 
  ...

Delete a listener

An ALB instance may have multiple listeners. To delete a listener of an ALB instance, run the kubectl edit albconfig <Albconfig_Name> command to modify the AlbConfig used to configure the ALB instance. Then, delete the listener from the albconfig.spec.listeners parameter.

Important

Before you delete the listener, you must disassociate all Ingresses from the listener. Otherwise, you fail to delete the listener and the system prompts errors.

# Before deletion. 
  listeners:
  - port: 8001
    protocol: HTTP
  - port: 8002  # Delete listening port 8002. 
    protocol: HTTP

# After deletion. 
  listeners:
  - port: 8001
    protocol: HTTP