This topic describes the annotations that are supported by Application Load Balancer (ALB) Ingresses and the usage of AlbConfig fields. You can use the annotations to configure forwarding rules, session persistence, and health checks.
Annotations supported by ALB Ingresses
You can add annotations to ALB Ingresses to configure ALB-relevant settings.
Create a health check task for an address pool
Annotation | Valid value | Default value | Description |
alb.ingress.kubernetes.io/healthcheck-enabled | | false | Specifies whether to enable health checks for backend server groups. |
alb.ingress.kubernetes.io/healthcheck-path | string | / | The path to which health check requests are sent. |
alb.ingress.kubernetes.io/healthcheck-protocol | | HTTP | The protocol that is used for health checks. |
alb.ingress.kubernetes.io/healthcheck-method | | HEAD | The health check method. |
alb.ingress.kubernetes.io/healthcheck-httpcode | http_2xx, http_3xx, http_4xx, and http_5xx | http_2xx | The status codes used for health checks. You can select one or more of the following status codes: http_2xx, http_3xx, http_4xx, and http_5xx. |
alb.ingress.kubernetes.io/healthcheck-timeout-seconds | 1~300 | 5 | The health check timeout period in seconds. |
alb.ingress.kubernetes.io/healthcheck-interval-seconds | 1~50 | 2 | The health check interval. |
alb.ingress.kubernetes.io/healthy-threshold-count | 2~10 | 3 | The number of times that a server needs to consecutively pass health checks before it is considered healthy. |
alb.ingress.kubernetes.io/unhealthy-threshold-count | 2~10 | 3 | The number of times that a server needs to consecutively fail health checks before it is considered unhealthy. |
alb.ingress.kubernetes.io/healthcheck-connect-port | 0~65535 | 0 | The port used for health checks. If you set the value to 0, the port of a backend server is used for health checks. |
Redirect
Annotation | Valid value | Default value | Description |
alb.ingress.kubernetes.io/ssl-redirect | | false | Specifies whether to redirect HTTP requests (301) to HTTPS requests (443). |
Backend protocol
Annotation | Valid value | Default value | Description |
alb.ingress.kubernetes.io/backend-protocol | | http | |
Rewrite
Annotation | Valid value | Default value | Description |
alb.ingress.kubernetes.io/rewrite-target | string | None | The path that overwrites the path in requests. |
Listeners
Annotation | Valid value | Default value | Description |
alb.ingress.kubernetes.io/listen-ports | | | Associates listener ports with protocols. |
Priorities
Annotation | Valid value | Default value | Description |
alb.ingress.kubernetes.io/order | 1~1000 | 10 | The priorities of forwarding rules. |
Canary
Annotation | Valid value | Default value | Description |
alb.ingress.kubernetes.io/canary | | false | Specifies whether to route requests to the canary. |
alb.ingress.kubernetes.io/canary-by-header | string | None | The header of the requests that are routed to the canary. |
alb.ingress.kubernetes.io/canary-by-header-value | string | None | The value of the header of the requests that are routed to the canary. |
alb.ingress.kubernetes.io/canary-by-cookie | string | None | The cookie of the requests that are routed to the canary. |
alb.ingress.kubernetes.io/canary-weight | string | None | The percentage of requests that are sent to the canary. The value is an integer that ranges from 0 to 100. |
Session persistence
Annotation | Valid value | Default value | Description |
alb.ingress.kubernetes.io/sticky-session | | false | Specifies whether to enable session persistence. |
alb.ingress.kubernetes.io/sticky-session-type | | Insert | The method that is used to handle a cookie. |
alb.ingress.kubernetes.io/cookie-timeout | 1~86400 | 1000 | The session persistence timeout period in seconds. |
Load balancing
Annotation | Valid value | Default value | Description |
alb.ingress.kubernetes.io/backend-scheduler | | wrr | The load balancing algorithm. |
alb.ingress.kubernetes.io/backend-scheduler-uch-value | string | None | This annotation is available when the load balancing algorithm is set to uch. |
Cross-origin resource sharing (CORS)
Annotation | Valid value | Default value | Description |
alb.ingress.kubernetes.io/enable-cors | | false | Specifies whether to enable CORS. |
alb.ingress.kubernetes.io/cors-allow-origin | string | * | The origins from which you want to allow cross-domain requests. |
alb.ingress.kubernetes.io/cors-expose-headers | stringArray | None | The headers that can be exposed. |
alb.ingress.kubernetes.io/cors-allow-methods | Select one or more of the following values: | | The methods of cross-domain requests that are allowed. |
alb.ingress.kubernetes.io/cors-allow-credentials | | true | Specifies whether to allow credentials in requests. |
alb.ingress.kubernetes.io/cors-max-age | -1 to 172800 (seconds) | 172800 | The maximum cache time of preflight requests in the browser. |
alb.ingress.kubernetes.io/cors-allow-headers | stringArray | | The headers of cross-domain requests that are allowed. |
Custom forwarding
Annotation | Valid value | Default value | Description |
alb.ingress.kubernetes.io/actions.{svcName} | json | None | The custom forwarding actions. |
alb.ingress.kubernetes.io/conditions.{svcName} | json | None | The custom forwarding conditions. |
alb.ingress.kubernetes.io/rule-direction.{svcName} | | Request | The custom forwarding direction. |
Others
Annotation | Valid value | Default value | Description |
alb.ingress.kubernetes.io/backend-keepalive | | false | Specifies whether to enable persistent TCP connections. |
alb.ingress.kubernetes.io/traffic-limit-qps | 1~100000 | None | QPS throttling. |
alb.ingress.kubernetes.io/use-regex | | false | Specifies whether regular expressions can be used in the Path field. This annotation is valid only when the path type is Prefix. |
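The integer ranges and defaults in the annotation tables above can be checked mechanically before a manifest is applied. The following Python linter is an added example, not code from the original page or from Alibaba Cloud; the function name `lint`, the finding strings and the two sample annotation sets are assumptions made for illustration. It also flags, for review, the broadest CORS combination that the documented defaults produce once `enable-cors` is turned on.

```python
# Added example: lint ALB Ingress annotations against the documented ranges/defaults.
PREFIX = "alb.ingress.kubernetes.io/"

# Integer ranges copied from the "Valid value" column of the tables above.
INT_RANGES = {
    "healthcheck-timeout-seconds": (1, 300), "healthcheck-interval-seconds": (1, 50),
    "healthy-threshold-count": (2, 10), "unhealthy-threshold-count": (2, 10),
    "healthcheck-connect-port": (0, 65535), "order": (1, 1000),
    "canary-weight": (0, 100), "cookie-timeout": (1, 86400),
    "cors-max-age": (-1, 172800), "traffic-limit-qps": (1, 100000),
}
# Documented defaults, used as the effective value when a key is absent.
DEFAULTS = {"ssl-redirect": "false", "enable-cors": "false",
            "cors-allow-origin": "*", "cors-allow-credentials": "true"}

# Constructed sample annotation sets (hypothetical, not from the original page).
RISKY = {PREFIX + "enable-cors": "true", PREFIX + "canary-weight": "150",
         PREFIX + "healthcheck-interval-seconds": "2"}
HARDENED = {PREFIX + "ssl-redirect": "true", PREFIX + "enable-cors": "true",
            PREFIX + "cors-allow-origin": "https://app.example.com",
            PREFIX + "cors-allow-credentials": "true"}


def lint(annotations):
    """Return a sorted list of findings for one Ingress's annotations dict."""
    ann = {k[len(PREFIX):]: str(v) for k, v in annotations.items()
           if k.startswith(PREFIX)}
    findings = []
    for name, (lo, hi) in INT_RANGES.items():
        if name not in ann:
            continue
        try:
            ok = lo <= int(ann[name]) <= hi
        except ValueError:  # non-numeric value where an integer is documented
            ok = False
        if not ok:
            findings.append(f"{name}: {ann[name]!r} outside {lo}~{hi}")
    eff = {**DEFAULTS, **ann}  # explicit annotation wins over the default
    if eff["ssl-redirect"] != "true":
        findings.append("ssl-redirect: HTTP requests are not redirected to HTTPS")
    if eff["enable-cors"] == "true" and eff["cors-allow-origin"].strip() == "*":
        findings.append("cors-allow-origin: wildcard origin in effect")
        if eff["cors-allow-credentials"] == "true":
            findings.append("cors-allow-credentials: allowed with wildcard origin")
    return sorted(findings)
```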
AlbConfig fields
An AlbConfig is a CustomResourceDefinition (CRD) used to describe an ALB instance and its listeners. The following tables describe the relevant fields.
AlbConfig
Field | Valid value | Default value | Description |
apiVersion | alibabacloud.com/v1 | None | The API version of the object. |
kind | AlbConfig | None | The REST resource corresponding to the object. |
metadata | | None | The metadata of the object. For more information, see metadata. |
spec | | None | A list of parameters used to describe the attributes of the ALB instance and its listeners. |
status | | None | The status of the ALB instance is written to the
AlbConfigSpec
Field | Valid value | Default value | Description |
config | | None | The attributes of the ALB instance. |
listeners | | None | The attributes of the listeners of the ALB instance. |
LoadBalancerSpec
Field | Valid value | Default value | Description |
id | string | "" | The ID of the ALB instance. The ALB instance can be reused if an instance ID is specified. |
name | string | k8s-{namespace}-{name}-{hashCode} | The name of the ALB instance. |
addressAllocatedMode | | Dynamic | The address mode of the ALB instance. |
addressType | | Internet | The network type of the IPv4 CIDR block of the ALB instance. |
ipv6AddressType | | Intranet | The network type of the IPv6 CIDR block of the ALB instance. |
addressIpVersion | | IPv4 | The version of the protocol. |
resourceGroupId | string | Default resource group | The ID of the resource group to which the ALB instance belongs. |
edition | | Standard | The feature version of the ALB instance. |
deletionProtectionEnabled | *bool | null | A reserved field. This field is not adjustable. |
forceOverride | *bool | false | Specifies whether to forcefully overwrite the attributes of the ALB instance in reuse mode. |
listenerForceOverride | *bool | null | Specifies whether to forcefully overwrite the attributes of the listeners in reuse mode. |
zoneMappings | | None | The zone and Elastic IP Address (EIP) configuration. |
accessLogConfig | | None | The log collection configuration. |
billingConfig | | None | The billing method. |
modificationProtectionConfig | | None | The configuration of the configuration read-only mode. |
tags | | None | The tags of the ALB instance. |
ZoneMapping
Field | Valid value | Default value | Description |
vSwitchId | string | "" | Required. The ID of the vSwitch. |
zoneId | string | "" | Automatically specified. The zone of the vSwitch. |
allocationId | string | "" | The ID of the EIP. |
eipType | string | "" | A reserved field. |
AccessLogConfig
Field | Valid value | Default value | Description |
logStore | string | "" | The name of the Simple Log Service Logstore. |
logProject | string | "" | The name of the Simple Log Service project. |
BillingConfig
Field | Valid value | Default value | Description |
internetBandwidth | int | 0 | A reserved field. |
internetChargeType | string | "" | A reserved field. |
payType | PostPay | PostPay | The billing method. |
bandWidthPackageId | string | "" | The ID of the associated Internet Shared Bandwidth instance. You cannot disassociate the Internet Shared Bandwidth instance. |
ModificationProtectionConfig
Field | Valid value | Default value | Description |
reason | string | "" | A reserved field. |
status | string | "" | A reserved field. |
Tag
Field | Valid value | Default value | Description |
key | "" | "" | The key of the label. |
value | "" | "" | The value of the label. |
ListenerSpec
Field | Valid value | Default value | Description |
gzipEnabled | | null | Specifies whether to enable compression. |
http2Enabled | | null | Specifies whether to use HTTP/2. |
port | | 0 | Required. The listening port. |
protocol | | "" | Required. The listener protocol. |
securityPolicyId | string | "" | The ID of the TLS security policy. |
idleTimeout | int | 60 | The idle connection timeout period. Note: A value of 0 indicates that the default value is used. |
loadBalancerId | string | "" | A reserved field. |
description | string | | The name of the listener. |
caEnabled | bool | false | A reserved field. |
requestTimeout | int | 60 | The timeout period of requests. |
quicConfig | | | The QUIC listener configuration. |
defaultActions | Action | null | A reserved field. |
caCertificates | | null | A reserved field. |
certificates | | null | The server certificate of the listener. |
xForwardedForConfig | | None | The configuration of the XForward header. |
logConfig | LogConfig | None | A reserved field. |
aclConfig | | None | The access control configuration. |
QuicConfig
Field | Valid value | Default value | Description |
quicUpgradeEnabled | bool | false | Specifies whether to enable QUIC upgrades. |
quicListenerId | string | "" | The QUIC listener. |
Certificate
Field | Valid value | Default value | Description |
IsDefault | bool | false | Specifies whether the current certificate is the default certificate. Note: Each service or system can have only one default certificate. |
CertificateId | string | "" | The ID of the certificate. |
XForwardedForConfig
Field | Valid value | Default value | Description |
XForwardedForClientCertSubjectDNAlias | string | "" | The name of the custom header. This field is valid only when |
XForwardedForClientCertSubjectDNEnabled | bool | false | Specifies whether to use the |
XForwardedForProtoEnabled | bool | false | Specifies whether to use the |
XForwardedForClientCertIssuerDNEnabled | bool | false | Specifies whether to use the |
XForwardedForSLBIdEnabled | bool | false | Specifies whether to use the |
XForwardedForClientSrcPortEnabled | bool | false | Specifies whether to use the |
XForwardedForClientCertFingerprintEnabled | bool | false | Specifies whether to use the |
XForwardedForEnabled | bool | false | Specifies whether to use the |
XForwardedForSLBPortEnabled | bool | false | Specifies whether to use the |
XForwardedForClientCertClientVerifyAlias | string | "" | The name of the custom header. This field is valid only when |
XForwardedForClientCertIssuerDNAlias | string | "" | The name of the custom header. This field is valid only when |
XForwardedForClientCertFingerprintAlias | string | "" | The name of the custom header. This field is valid only when |
XForwardedForClientCertClientVerifyEnabled | bool | false | Specifies whether to use the |
AclConfig
Field | Valid value | Default value | Description |
aclName | string | None | The name of the network ACL in AclEntry mode. |
aclType | | "" | The type of the network ACL, which can be blacklist or whitelist. |
aclEntries | string | null | The ACL rules. |
aclIds | stringArray | null | The IDs of existing network ACLs. |
AlbConfigStatus
Field | Output | Default value | Description |
loadBalancer | | None | The status of the ALB instance. |
LoadBalancerStatus
Field | Output | Default value | Description |
dnsname | string | None | The DNS address of the ALB instance. |
id | string | None | The ID of the ALB instance. |
listeners | | None | The attributes of the listeners. |
ListenerStatus
Field | Output | Example | Description |
portAndProtocol | string | 80/HTTP | The listener and protocol configuration. |
certificates | | None | The associated certificates. |
AppliedCertificate
Field | Output | Example | Description |
certificateId | string | xxxx-cn-hangzhou | The ID of the certificate. |
isDefault | bool | true | Specifies whether the certificate is the default certificate. |
References
ALB Ingresses meet the requirements of cloud-native applications for high elasticity and large-scale Layer 7 traffic management. For more information, see Access Services by using an ALB Ingress.
For more information about how to use the annotations of ALB Ingresses, see Advanced ALB Ingress configurations.