The Listeners field in an AlbConfig is used to configure listeners for an Application Load Balancer (ALB). This topic describes the Listeners field and explains how to create, modify, and update listeners using an AlbConfig.
Prerequisites
Create two vSwitches in different zones. Ensure that the vSwitches are in the same VPC as the cluster and are in zones that support ALB. For more information, see Create and manage vSwitches.
The ALB Ingress controller is installed in the cluster. For more information, see Manage the ALB Ingress controller.
Note: To use an ALB Ingress to access Services deployed in an ACK dedicated cluster, you must first grant the cluster the permissions required by the ALB Ingress controller. For more information, see Grant an ACK dedicated cluster access to the ALB Ingress controller.
The AlbConfig resource has been created. For more information, see Create AlbConfig.
Listeners Field Description
Terminology
Object configuration file: A file that defines and describes Kubernetes objects. It contains the specifications and configuration information of the object.
Existing object configuration file: An object configuration file that is already applied to a Kubernetes cluster.
last-applied-configuration field: An annotation field in Kubernetes objects that records the last applied configuration information of the object. This field is not updated in real time when the object's configuration changes.
Listeners Field Update Method
The Listeners field is an array-type configuration that is typically updated by replacement. When you update the Listeners field, the new configuration completely replaces the existing configuration. The following table provides more information.
Ordinal number | Condition: Is the object in the object configuration file? | Condition: Is the object in the existing object configuration file? | Condition: Is the object in the last-applied-configuration field? | Result
① | Yes | Yes | - (Not applicable) | Apply the values from the object configuration file to the existing configuration file to update specific fields of the existing object.
② | Yes | No | - (Not applicable) | Use the values from the object configuration file to create a new object instead of updating the existing object's configuration.
③ | No | - (Not applicable) | Yes | Remove a field from the existing object configuration file. This means the field is deleted from the existing object configuration, and it might be reset to its default value.
④ | No | Yes | No | Indicates removing a field from the existing object configuration file.
Example Description
The following code blocks show example configurations for the Listeners field in the object configuration file, the existing object configuration file, and the last-applied-configuration field:
# The object configuration file provides the following desired configuration values.
listeners:
  - port: 8001
    protocol: HTTP
  - port: 8003
    protocol: HTTP
  - port: 8005 # Add 8005
    protocol: HTTP

# The existing object configuration file shows the configuration of the actual existing object.
listeners:
  - port: 8001
    protocol: HTTP
  - port: 8002 # Delete 8002
    protocol: HTTP
  - port: 8003
    protocol: HTTP
  - port: 8004 # Delete 8004
    protocol: HTTP

# last-applied-configuration records the object's last applied configuration.
listeners:
  - port: 8001
    protocol: HTTP
  - port: 8002 # Delete 8002
    protocol: HTTP
  - port: 8003
    protocol: HTTP

The Listeners field of the AlbConfig is updated as follows:

# Result of the Listeners configuration file
listeners:
  - port: 8001
    protocol: HTTP
  - port: 8003
    protocol: HTTP
  - port: 8005
    protocol: HTTP

8001 and 8003 meet condition ① and are retained.
8005 meets condition ② and is added.
8002 meets condition ③ and is deleted.
8004 meets condition ④ and is deleted.
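The four conditions above can be worked through in code. The following script is an added example, not part of the ALB Ingress controller or of this documentation: it models a listener by its port and protocol (the unique properties named later on this page), applies the replace-style merge the table describes to the three configuration files shown above, and reports which condition each listener hit. The input lists are constructed from the page's example.

```python
"""Work through the four conditions in the Listeners update table.

Added example, not the controller's code. A listener is identified by
(port, protocol). The applied file wins: entries in it are kept or created,
and entries that are only in the existing object are removed whether or not
the last-applied-configuration annotation still records them.
"""
from typing import Dict, List, Tuple

Listener = Dict[str, object]
Key = Tuple[int, str]


def key(listener: Listener) -> Key:
    # Port and protocol together identify a listener; changing either one
    # replaces the listener rather than updating it in place.
    return int(listener["port"]), str(listener["protocol"])


def merge_listeners(
    desired: List[Listener], existing: List[Listener], last_applied: List[Listener]
) -> Tuple[List[Listener], Dict[Key, str]]:
    """Return (resulting listeners, condition number per listener key)."""
    existing_by_key = {key(l): l for l in existing}
    last_applied_keys = {key(l) for l in last_applied}
    result: List[Listener] = []
    conditions: Dict[Key, str] = {}

    # Everything in the desired file is kept: condition ① if it already
    # exists (fields updated in place), condition ② if it must be created.
    for listener in desired:
        k = key(listener)
        if k in existing_by_key:
            merged = dict(existing_by_key[k])
            merged.update(listener)
            result.append(merged)
            conditions[k] = "①"
        else:
            result.append(dict(listener))
            conditions[k] = "②"

    # Anything only in the existing object is removed: condition ③ if the
    # last-applied annotation still records it, condition ④ otherwise.
    desired_keys = {key(l) for l in desired}
    for k in existing_by_key:
        if k not in desired_keys:
            conditions[k] = "③" if k in last_applied_keys else "④"
    return result, conditions


# Constructed sample matching the three configuration files on the page.
DESIRED = [{"port": p, "protocol": "HTTP"} for p in (8001, 8003, 8005)]
EXISTING = [{"port": p, "protocol": "HTTP"} for p in (8001, 8002, 8003, 8004)]
LAST_APPLIED = [{"port": p, "protocol": "HTTP"} for p in (8001, 8002, 8003)]

if __name__ == "__main__":
    result, conditions = merge_listeners(DESIRED, EXISTING, LAST_APPLIED)
    for (port, proto), cond in sorted(conditions.items()):
        print(f"{port}/{proto}: condition {cond}")
    print("resulting ports:", [l["port"] for l in result])
```

The practical consequence of condition ④ is worth noting: a listener that was added to the object outside the applied file (for example by a manual edit) is removed on the next apply just like one the file used to contain, so the applied AlbConfig should be treated as the single source of truth and kept under version control.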
Create Listeners
A listener is the top-level entry point for an ALB instance to process traffic. It enables the ALB instance to intelligently distribute traffic based on application layer information.
Console
You can set the port and protocol parameters in an AlbConfig to create a listener. The port and protocol parameters are the unique properties of a listener. If you modify the port, protocol, or other listener properties, the system deletes the original listener and creates a new one.
The HTTP protocol automatically supports WebSocket. No special configuration is required.
Log on to the Container Service console. In the navigation pane on the left, choose Clusters.
On the Clusters page, click the name of the target cluster. Then, in the left navigation pane, choose .
On the Resource Object Browser tab, enter AlbConfig in the search box and click the AlbConfig result.
In the AlbConfig panel, find the target AlbConfig resource, which is named alb by default. Click Edit YAML in the Actions column.
In the View YAML panel, add the spec.listeners.port and spec.listeners.protocol fields. Then, click OK.
kubectl
You can set the port and protocol parameters in an AlbConfig to create a listener. The port and protocol parameters are the unique properties of a listener. If you modify the port, protocol, or other listener properties, the system deletes the original listener and creates a new one.
Run the kubectl edit albconfig <Albconfig_Name> command.
Note: The HTTP protocol automatically supports WebSocket. No special configuration is required.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-demo
spec:
  config:
    ...
  listeners:
    - port: 80
      protocol: HTTP # Options for protocol are HTTP, HTTPS, and QUIC.
    ...
Specify certificates
To enable encryption and identity verification for the HTTPS protocol, run the kubectl edit albconfig <AlbConfig_Name> command. In the AlbConfig, set the certificates parameter to the ID of a certificate. This assigns the certificate to the listener to encrypt and decrypt HTTPS traffic.
If you do not specify a certificate in the configuration, the listener is not immediately created with the ALB. Instead, the listener is created after an Ingress is associated and a certificate is automatically discovered based on the domain name.
For more information, see Configure HTTPS certificates for encrypted communication.
ALB sets the first certificate as the default certificate. ALB uses other certificates for request encryption only if the default certificate expires or is no longer applicable.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-demo
spec:
  config:
    ...
  listeners:
    - caEnabled: false
      certificates:
        - CertificateId: 756****-cn-hangzhou # Certificate ID.
          IsDefault: true
      port: 443
      protocol: HTTPS
    ...

Specify a TLS security policy
You can run the command kubectl edit albconfig <Albconfig_Name>. In the AlbConfig resource, set the securityPolicyId parameter to a security policy ID. When you configure an HTTPS listener in an AlbConfig, you can specify a TLS security policy. TLS security policies include custom policies and the default policy. For more information, see TLS security policy.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-demo
spec:
  config:
    ...
  listeners:
    - port: 443
      protocol: HTTPS
      securityPolicyId: tls_cipher_policy_1_1 # Security policy ID.
    ...

Set the listener request timeout
Run the kubectl edit albconfig <Albconfig_Name> command. In the AlbConfig, set the requestTimeout parameter to specify the request timeout for the listener. This prevents clients from waiting too long for unresponsive requests.
The request timeout is the maximum time that Server Load Balancer (SLB) waits for a response from a backend server after it receives a client request. If no response is returned within this time, the SLB instance stops waiting and returns an HTTP 504 error to the client.
The timeout value is in seconds. The value must be an integer from 1 to 600. To use a longer timeout, you can request a quota increase in the Quota Center.
If you do not set the request timeout, the default value of 60 seconds is used.
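A pre-apply check for the listener constraints stated so far on this page (port and protocol together identify a listener and must be unique, protocol is HTTP, HTTPS or QUIC, requestTimeout is an integer from 1 to 600 with 60 applying when omitted) can be written as a small linter. This is an added example, not part of the ALB Ingress controller; the `lint_listeners` and `effective_request_timeout` names and the sample listener lists are constructed for illustration.

```python
"""Pre-apply lint for AlbConfig spec.listeners.

Added example; not the controller's own validation. It checks only the
constraints this page states and passes every other listener field through
untouched.
"""
from typing import Any, Dict, List

VALID_PROTOCOLS = {"HTTP", "HTTPS", "QUIC"}
DEFAULT_REQUEST_TIMEOUT = 60  # seconds; applies when requestTimeout is omitted


def lint_listeners(listeners: List[Dict[str, Any]]) -> List[str]:
    """Return human-readable problems; an empty list means the spec passes."""
    problems: List[str] = []
    seen = set()
    for i, listener in enumerate(listeners):
        where = f"listeners[{i}]"
        port, proto = listener.get("port"), listener.get("protocol")
        if not isinstance(port, int):
            problems.append(f"{where}: port must be an integer, got {port!r}")
        if proto not in VALID_PROTOCOLS:
            problems.append(
                f"{where}: protocol must be one of {sorted(VALID_PROTOCOLS)}, got {proto!r}"
            )
        # Port and protocol are the listener's unique properties.
        if (port, proto) in seen:
            problems.append(f"{where}: duplicate listener {port}/{proto}; port and protocol must be unique")
        seen.add((port, proto))
        timeout = listener.get("requestTimeout", DEFAULT_REQUEST_TIMEOUT)
        if not isinstance(timeout, int) or not 1 <= timeout <= 600:
            problems.append(f"{where}: requestTimeout must be an integer from 1 to 600, got {timeout!r}")
    return problems


def effective_request_timeout(listener: Dict[str, Any]) -> int:
    """Timeout the listener will use: the configured value or the 60 s default."""
    return int(listener.get("requestTimeout", DEFAULT_REQUEST_TIMEOUT))


# Constructed samples: one clean spec and one with three distinct mistakes.
GOOD = [{"port": 80, "protocol": "HTTP"}, {"port": 443, "protocol": "HTTPS", "requestTimeout": 30}]
BAD = [
    {"port": 80, "protocol": "HTTP"},
    {"port": 80, "protocol": "HTTP", "requestTimeout": 900},  # duplicate and out of range
    {"port": 81, "protocol": "TCP"},  # unsupported protocol
]

if __name__ == "__main__":
    print("good:", lint_listeners(GOOD) or "no problems")
    for problem in lint_listeners(BAD):
        print("bad:", problem)
```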
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
    - port: 80
      protocol: HTTP
      requestTimeout: 60 # Set the connection request timeout for the listener. Valid values: 1 to 600. If omitted, the default timeout of 60 seconds applies.
    ...

Set listener tags
Run the kubectl edit albconfig <Albconfig_Name> command. Then, in the AlbConfig file, use the tags parameter to add tags to the listener. The following code block shows a configuration example.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default1
spec:
  config:
    name: alb-test1
    addressType: Internet
    zoneMappings:
      - vSwitchId: vsw-rj9qsvwfjcmtbyvt0xxx
      - vSwitchId: vsw-rj99o3wge24iq2ehtxxx
  listeners:
    - port: 80
      protocol: HTTP
      tags:
        - key: "key"
          value: "value1"

Use data compression
Data compression is an optimization technique that reduces the amount of data transferred to improve network transmission efficiency and performance. Run the kubectl edit albconfig <Albconfig_Name> command. In the AlbConfig, set the gzipEnabled parameter to enable or disable data compression for a listener. Brotli and Gzip are two widely used compression algorithms.
Brotli compresses all content types.
Gzip compresses the following content types: text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json.
Data compression is triggered only if the value of Content-Length in the response header exceeds 1024 bytes.
The following YAML example shows how to disable data compression.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
    - port: 80
      protocol: HTTP
      gzipEnabled: false # true compresses specific file types. false disables compression for all file types.
    ...

Get the originating client IP address
When an ALB instance forwards a request to a backend service, it adds the client source IP address to the HTTP request header.
This parameter is supported only by HTTP and HTTPS listeners.
XForwardedForEnabled is enabled by default and cannot be disabled.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
    - port: 80
      protocol: HTTP
      xForwardedForConfig:
        XForwardedForEnabled: true
    ...

Retrieve the listener protocol
If this feature is enabled, ALB adds the listener protocol to the HTTP request header when it forwards a request to a backend service. The valid values for XForwardedForProtoEnabled are as follows:
true: Retrieves the listener protocol.
false: Does not retrieve the listener protocol.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb
spec:
  config:
    ...
  listeners:
    - port: 80
      protocol: HTTP
      xForwardedForConfig:
        XForwardedForProtoEnabled: true
    ...

Get Listener SLB Instance ID
Run the kubectl edit albconfig <Albconfig_Name> command. In the AlbConfig, use the XForwardedForSLBIdEnabled field to have the SLB instance ID added to the request header.
This parameter can be configured only for HTTP and HTTPS listeners.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
    - port: 80
      protocol: HTTP
      xForwardedForConfig:
        XForwardedForSLBIdEnabled: true # true: Get the SLB instance ID. false: Do not get the SLB instance ID.
    ...

Get the listening port
Run the kubectl edit albconfig <Albconfig_Name> command. You can use the XForwardedForSLBPortEnabled field in the AlbConfig to retrieve the listening port of the instance.
This parameter is supported only by HTTP and HTTPS listeners.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
    - port: 80
      protocol: HTTP
      xForwardedForConfig:
        XForwardedForSLBPortEnabled: true # true: Retrieves the listening port of the SLB instance. false: The port is not retrieved.
    ...

Specify Trusted Proxy IP Addresses
Run the kubectl edit albconfig <Albconfig_Name> command. In the AlbConfig, use the XForwardedForClientSourceIpsEnabled configuration item to allow Application Load Balancer (ALB) to retrieve the real client IP address from the X-Forwarded-For header field. Use the XForwardedForClientSourceIpsTrusted configuration item to specify a group of trusted proxy IP addresses. ALB traverses the IP address list in the X-Forwarded-For field from right to left and selects the first IP address that is not in the trusted IP address list as the client source IP address. This IP address is used for scenarios such as source IP-based rate limiting.
This parameter can be configured only for HTTP and HTTPS listeners.
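The right-to-left rule above is the part of this setting that decides whether a client can spoof its own source address, so it is worth seeing in code. The following script is an added example, not the ALB implementation: it parses a semicolon-separated XForwardedForClientSourceIpsTrusted value in the format the page describes, then walks a sample X-Forwarded-For header from right to left and returns the first hop that is not a trusted proxy. That X-Forwarded-For is a comma-separated list is the standard header format and not stated on this page; the sample header and trusted list are constructed.

```python
"""Derive the client source IP from X-Forwarded-For using a trusted proxy list.

Added example for illustration; not the ALB implementation. The trusted-list
format (IPs or CIDR blocks separated by ';', no spaces) and the right-to-left
rule come from the page; everything else is an assumption.
"""
import ipaddress
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_trusted(value: str) -> List[Network]:
    """Parse an XForwardedForClientSourceIpsTrusted value.

    A bare address becomes a single-host network. Malformed input raises
    ValueError so the problem is caught before the AlbConfig is applied.
    """
    networks: List[Network] = []
    for entry in value.split(";"):
        if not entry or entry != entry.strip():
            raise ValueError(f"bad trusted entry {entry!r}: empty entries and spaces are not allowed")
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def is_valid_trusted(value: str) -> bool:
    """Boolean form of parse_trusted for use in a pre-apply check."""
    try:
        parse_trusted(value)
        return True
    except ValueError:
        return False


def client_source_ip(xff_header: str, trusted: List[Network]) -> Optional[str]:
    """Right-to-left scan of X-Forwarded-For.

    The rightmost entries were appended by the proxies in front of the
    backend, so they are the only ones that can be verified; everything to
    the left of the last trusted hop is text the client may have supplied.
    Returns None when every hop is trusted or the candidate hop is not a
    valid IP address, so the caller can fall back to the TCP peer address
    rather than act on an unverifiable value.
    """
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not any(ip in net for net in trusted):
            return hop
    return None


# Constructed sample: two proxy hops on private addresses, one public client,
# and a leading entry the client put in the header itself.
TRUSTED = parse_trusted("192.168.0.0/16;10.10.10.10")
SAMPLE_HEADER = "198.51.100.9, 203.0.113.7, 192.168.1.5, 10.10.10.10"

if __name__ == "__main__":
    # 198.51.100.9 is client-supplied; 203.0.113.7 is the first untrusted hop
    # from the right, i.e. the address the trusted proxies actually saw.
    print(client_source_ip(SAMPLE_HEADER, TRUSTED))
```

The scan is only as good as the trusted list: if it covers ranges the client can send from, the walk continues past the real proxies into client-supplied entries, and anything built on the result (the source IP-based rate limiting mentioned above, access logs, allow lists) sees the spoofed value. Keep the list to the addresses of the proxies that actually sit in front of the ALB.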
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
    - port: 80
      protocol: HTTP
      xForwardedForConfig:
        XForwardedForClientSourceIpsEnabled: true # true indicates that ALB is allowed to find the real client IP address from the X-Forwarded-For header field. In this case, configure XForwardedForClientSourceIpsTrusted with correctly formatted content. false indicates that ALB is not allowed to find the real client IP address from the X-Forwarded-For header field.
        XForwardedForClientSourceIpsTrusted: 192.168.x.x;192.168.x.x/16 # Enter IP addresses or CIDR blocks in the correct format, separated by semicolons. Do not add spaces between IP addresses or CIDR blocks. This parameter takes effect only when XForwardedForClientSourceIpsEnabled is set to true.
    ...

Set access control
Run the kubectl edit albconfig <Albconfig_Name> command. In the AlbConfig, use the aclConfig parameter to enable access control for an ALB listener. This lets you precisely control client requests and manage request forwarding. You can restrict specific IP addresses by setting inbound allow or deny rules. For more information about access control configuration options, see Configure ACLs for access control.
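Two things about aclConfig are easy to get wrong before the object is applied: an entry that is not a complete CIDR block, and the direction of aclType (White is an allow list, Black a deny list). The script below is an added example, not the ALB controller's code: it validates an aclConfig mapping against those two rules and evaluates the allow/deny decision for a given address. Which address the ALB itself matches the ACL against (the TCP peer or a derived client address) is not stated on this page, so the address is simply a parameter. The sample ACLs are constructed.

```python
"""Validate and evaluate an AlbConfig aclConfig block.

Added example; not the ALB controller's own validation. Enforces the two
constraints stated on the page: every aclEntries value is a complete CIDR
block, and aclType is "White" (allow list) or "Black" (deny list).
"""
import ipaddress
from typing import Any, Dict, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def validate_acl(acl_config: Dict[str, Any]) -> List[Network]:
    """Return the parsed entries, or raise ValueError describing the first problem."""
    acl_type = acl_config.get("aclType")
    if acl_type not in ("White", "Black"):
        raise ValueError(f"aclType must be White or Black, got {acl_type!r}")
    networks: List[Network] = []
    for entry in acl_config.get("aclEntries") or []:
        text = str(entry)
        if "/" not in text:
            raise ValueError(f"{text!r}: entries must be complete CIDR blocks, for example 127.0.0.1/32")
        # strict=True rejects entries with host bits set beyond the prefix,
        # such as 10.1.2.3/24, which is not a complete CIDR block.
        networks.append(ipaddress.ip_network(text, strict=True))
    return networks


def is_valid_acl(acl_config: Dict[str, Any]) -> bool:
    """Boolean form of validate_acl for a pre-apply check."""
    try:
        validate_acl(acl_config)
        return True
    except ValueError:
        return False


def acl_allows(acl_config: Dict[str, Any], addr: str) -> bool:
    """Decision for one address: matched entries are allowed under White and
    denied under Black. Note that an empty White list therefore denies everyone."""
    networks = validate_acl(acl_config)
    ip = ipaddress.ip_address(addr)
    matched = any(ip in net for net in networks)
    return matched if acl_config["aclType"] == "White" else not matched


# Constructed samples mirroring the YAML shape of spec.listeners[].aclConfig.
ALLOW_LIST = {"aclType": "White", "aclEntries": ["127.0.0.1/32", "10.0.0.0/8"]}
DENY_LIST = {"aclType": "Black", "aclEntries": ["203.0.113.0/24"]}
BROKEN = {"aclType": "White", "aclEntries": ["10.1.2.3/24"]}  # host bits set

if __name__ == "__main__":
    for acl in (ALLOW_LIST, DENY_LIST):
        for addr in ("10.1.2.3", "203.0.113.7"):
            print(acl["aclType"], addr, "allowed" if acl_allows(acl, addr) else "denied")
    print("BROKEN valid:", is_valid_acl(BROKEN))
```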
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
    - port: 80
      protocol: HTTP
      aclConfig: # Enable access control for the ALB listener.
        aclEntries:
          - 127.0.0.1/32 # Specify the CIDR block for the access control entry. The CIDR block must be complete.
        aclType: White # Set the listener's ACL type to Black or White.
    ...

Delete a listener
An instance can have multiple listeners. To delete a listener, run the kubectl edit albconfig <Albconfig_Name> command and remove the listener from the albconfig.spec.listeners field.
Before you delete a listener, you must remove all associated Ingresses. Otherwise, the deletion fails and an error is reported.
# Configuration before deleting the listener.
listeners:
  - port: 8001
    protocol: HTTP
  - port: 8002 # Delete the listener on port 8002.
    protocol: HTTP

# Configuration after deleting the listener.
listeners:
  - port: 8001
    protocol: HTTP