You can set the Listeners parameter of an AlbConfig to configure listeners for an Application Load Balancer (ALB) instance. This topic describes the Listeners parameter and how to use an AlbConfig to create, modify, and update listeners.
Prerequisites
Listeners are created. For ACLs created in the ALB console to take effect, you need to associate the ALCs with listeners.
Description of the Listeners parameter
Terms
Object configuration file: a file that defines the configuration of a Kubernetes object.
Live object configuration file: an object configuration file that has been applied in a Kubernetes cluster.
last-applied-configuration: an annotation of a Kubernetes object. The annotation records the content of the most recent configuration of the object. The annotation is not updated in real-time when the configuration of the object is updated.
Update methods for the Listeners parameter
The Listeners parameter is of the array type. In most cases, you can update the Listeners parameter by replacing the fields in the array. When you update the Listeners parameter, the fields are replaced by the new fields you specify. The following table describes the rules.
No. | Condition | Result | ||
The listener is in the object configuration file | The listener is in the live object configuration file | The listener is in the last-applied-configuration annotation | ||
1 | Yes | Yes | - (Irrelevant) | The listener is retained in the live object configuration file. |
2 | Yes | No | - (Irrelevant) | The listener is added to the live object configuration file. |
3 | No | - (Irrelevant) | Yes | The listener is deleted from the live object configuration file. However, the fields of the listener may be reset to the default settings. |
4 | No | Yes | No | The listener is deleted from the live object configuration file. |
Examples
The following example shows the content of an object configuration file, a live object configuration file, and a last-applied-configuration annotation:
# The content of the object configuration file.
listeners:
- port: 8001
protocol: HTTP
- port: 8003
protocol: HTTP
- port: 8005 # Add port 8005.
protocol: HTTP
# The content of the live object configuration file.
listeners:
- port: 8001
protocol: HTTP
- port: 8002 # Delete port 8002.
protocol: HTTP
- port: 8003
protocol: HTTP
- port: 8004 # Delete port 8004.
protocol: HTTP
# The content of the last-applied-configuration annotation.
listeners:
- port: 8001
protocol: HTTP
- port: 8002 # Delete port 8002.
protocol: HTTP
- port: 8003
protocol: HTTPThe following code block shows the configuration of the Listeners parameter after it is updated:
# The configuration of the Listeners parameter.
listeners:
- port: 8001
protocol: HTTP
- port: 8003
protocol: HTTP
- port: 8005
protocol: HTTPPort 8001 and port 8003 match Rule 1. Therefore, they are retained.
Port 8005 matches Rule 2. Therefore, it is added.
Port 8002 matches Rule 3. Therefore, it is deleted.
Port 8004 matches Rule 4. Therefore, it is deleted.
Create listeners
ALB instances use listeners to receive and forward external requests based on the application-layer information of the requests.
Run the kubectl edit albconfig <Albconfig_Name> command to modify an AlbConfig. You can configure the port and protocol parameters to create a listener. The port and protocol parameters are the only identifiers of a listener. If you modify the port or protocol parameter, the system deletes the original listener and creates a listener based on the new configuration.
HTTP is compatible with WebSocket. No additional configuration is required.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb-demo
spec:
config:
...
listeners:
- port: 80
protocol: HTTP # Valid values: HTTP, HTTPS, and QUIC.
...Specify certificates
If you want to enable encryption and authentication for an HTTPS listener when you create an ALB instance, run the kubectl edit albconfig <Albconfig_Name> command to modify the AlbConfig that is used to configure the ALB instance. Then, specify a certificate ID in the certificates parameter of the AlbConfig.
If you do not specify a certificate in the parameter, no HTTPS listener is created when the system creates the ALB instance. The system waits until an Ingress is associated with the listener and the Ingress automatically discovers a certificate based on the domain name specified in the Ingress configuration.
For more information about how to configure certificates, see Use an ALB Ingress to configure certificates for an HTTPS listener.
ALB uses the first certificate that you specify as the default certificate. ALB uses the default certificate to encrypt requests until the certificate expires or no longer meets the requirements. In this case, ALB uses other certificates to encrypt requests.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb-demo
spec:
config:
...
listeners:
- caEnabled: false
certificates:
- CertificateId: 756****-cn-hangzhou # The certificate ID.
IsDefault: true
port: 443
protocol: HTTPS
...Parameter | Description |
CertificateId | The certificate ID. In this example, 756****-cn-hangzhou is specified. Specify the value of CertificateId based on the following description:
|
IsDefault | Specifies whether to set the certificate as the default certificate. In this example, true is specified. The certificate is set as the default certificate. |
protocol | The protocol used by listeners. In this example, HTTPS is specified. The HTTPS protocol is used by listeners. |
Configure a custom TLS security policy
If you want to configure a custom TLS security policy, run the kubectl edit albconfig <Albconfig_Name> command to modify an AlbConfig. Then, configure the securityPolicyId parameter to specify a security policy ID. You can specify a TLS security policy when you configure an HTTPS listener in an AlbConfig. Custom and default TLS security policies are supported. For more information, see TLS security policies.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb-demo
spec:
config:
...
listeners:
- port: 443
protocol: HTTPS
securityPolicyId: tls_cipher_policy_1_1 # The security policy ID.
...Set the connection timeout period for listeners
If you want to set the connection timeout period for listeners, run the kubectl edit albconfig <Albconfig_Name> command to modify an AlbConfig. Then, configure the requestTimeout parameter.
If the backend server does not respond within the timeout period after a client sends a request to the server, ALB returns an HTTP 504 error code to the client.
Valid values for requestTimeout: 1 to 180. Unit: seconds.
Default value for requestTimeout: 60.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: default
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
requestTimeout: 60 # The connection timeout period for the listener. Valid values: 1 to 180. If you leave the parameter empty, the default value is used.
...Configure data compression
Data compression can reduce the size of files to improve transmission efficiency and network performance. If you want to configure data compression, run the kubectl edit albconfig <Albconfig_Name> command to modify an AlbConfig. Then, configure the gzipEnabled parameter to enable data compression for a listener. Brotli and Gzip are two commonly used compression algorithms.
Brotli supports all types of files.
Gzip supports the following types of files: text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json.
The following code block provides a sample AlbConfig configuration that disables data compression:
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: default
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
gzipEnabled: false # A value of true enables data compression for specific types of files. A value of false disables data compression.
...Preserve client IP addresses
To preserve client IP addresses, run the kubectl edit albconfig <Albconfig_Name> command to modify an AlbConfig. Then, configure the X-Forwarded-For parameter to enable client IP preservation.
Only HTTP listeners and HTTPS listeners support this parameter.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: default
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForEnabled: true # A value of true enables client IP preservation. A value of false disables client IP preservation.
...Retrieve the listening protocol used by an ALB instance
If you want to retrieve the listening protocol used by an ALB instance, run the kubectl edit albconfig <Albconfig_Name> command to modify the AlbConfig used to configure the ALB instance. Then, configure the X-Forwarded-For parameter to retrieve the listening protocol used by the ALB instance.
Only HTTP listeners and HTTPS listeners support this parameter.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: default
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForProtoEnabled: true # A value of true retrieves the listening protocol used by the ALB instance. A value of true does not retrieve the listening protocol used by the ALB instance.
...Retrieve the ID of an ALB instance
If you want to retrieve the ID of an ALB instance, run the kubectl edit albconfig <Albconfig_Name> command to modify the AlbConfig used to configure the ALB instance. Then, configure the XForwardedForSLBIdEnabled parameter to retrieve the ID of the ALB instance.
Only HTTP listeners and HTTPS listeners support this parameter.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: default
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForSLBIdEnabled: true # A value of true retrieves the ID of the ALB instance. A value of true does not retrieve the ID of the ALB instance.
...Retrieve the listening ports of an ALB instance
If you want to retrieve the listening ports of an ALB instance, run the kubectl edit albconfig <Albconfig_Name> command to modify the AlbConfig used to configure the ALB instance. Then, configure the XForwardedForSLBPortEnabled parameter to retrieve the listening ports of the ALB instance.
Only HTTP listeners and HTTPS listeners support this parameter.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: default
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForSLBPortEnabled: true # A value of true retrieves the listening ports of the ALB instance. A value of false does not retrieve the listening ports of the ALB instance.
...Specify a trusted proxy IP address
If you want to specify a trusted proxy IP address for an ALB instance, run the kubectl edit albconfig <Albconfig_Name> command to modify the AlbConfig used to configure the ALB instance. Configure the XForwardedForClientSourceIpsEnabled parameter to allow the ALB instance to retrieve client IP addresses from the X-Forwarded-For header. Then, configure the XForwardedForClientSourceIpsTrusted parameter to specify a list of trusted proxy IP addresses. This way, the ALB instance traverses the IP addresses in the X-Forwarded-For header from the rightmost IP address to the leftmost IP address. The first IP address that is not on the trusted IP address list is considered the client IP address. Requests from the client IP address are throttled.
Only HTTP listeners and HTTPS listeners support this parameter.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: default
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForClientSourceIpsEnabled: true # A value of true allows the ALB instance to retrieve client IP addresses from the X-Forwarded-For header. If you set the value to true, you must configure the XForwardedForClientSourceIpsTrusted parameter in a valid format. A value of false forbids the ALB instance from retrieving client IP addresses from the X-Forwarded-For header.
XForwardedForClientSourceIpsTrusted: 192.168.x.x;192.168.x.x/16 # Enter a valid IP address or CIDR block. This parameter takes effect only when XForwardedForClientSourceIpsEnabled is set to true.
...Configure network ACLs
If you want to configure network access control lists (ACLs) for the listeners of an ALB instance, run the kubectl edit albconfig <Albconfig_Name> command to modify the AlbConfig used to configure the ALB instance. Then, configure the aclConfig parameter to enable network ACLs. This allows you to implement fine-grained access control on client requests. You can configure network ACLs to allow or deny access from specified IP addresses or CIDR blocks. For more information, see Use AlbConfigs to add and modify ACL rules.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: default
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
aclConfig: # Enable network ACLs for the listener.
aclEntries:
- 127.0.0.1/32 # The CIDR block that you want to add to the ACL rule for access control.
aclType: White # The type of network ACL. Valid values: Black (blacklist) and White (whitelist).
...Delete a listener
An ALB instance may have multiple listeners. To delete a listener of an ALB instance, run the kubectl edit albconfig <Albconfig_Name> command to modify the AlbConfig used to configure the ALB instance. Then, delete the listener from the albconfig.spec.listeners parameter.
Before you delete the listener, you must disassociate all Ingresses from the listener. Otherwise, you fail to delete the listener and the system prompts errors.
# Before deletion.
listeners:
- port: 8001
protocol: HTTP
- port: 8002 # Delete listening port 8002.
protocol: HTTP
# After deletion.
listeners:
- port: 8001
protocol: HTTP