An AlbConfig is a CustomResourceDefinition (CRD) that Container Service for Kubernetes (ACK) provides for the Application Load Balancer (ALB) Ingress controller. The ALB Ingress controller uses AlbConfigs to configure ALB instances and listeners. This topic describes how to create, modify, and update an AlbConfig, and how to enable Simple Log Service (SLS).
Table of contents
ALB instance configurations | |
Listener configurations |
Prerequisites
The ALB Ingress controller is installed in the cluster. For more information, see Manage the ALB Ingress controller.
NoteTo use an ALB Ingress to access Services deployed in an ACK dedicated cluster, you need to first grant the cluster the permissions required by the Application Load Balancer (ALB) Ingress controller. For more information, see Authorize an ACK dedicated cluster to access the ALB Ingress controller.
Two vSwitches that reside in different zones are created and deployed in the same virtual private cloud (VPC) as the ACK cluster. For more information, see Create and manage a vSwitch.
A kubectl client is connected to the ACK cluster. For more information, see Obtain the kubeconfig file of a cluster and use kubectl to connect to the cluster.
Usage notes
To modify or update resource configurations, we recommend that you use the
kubectl editcommand. If you need to use thekubectl applycommand to modify or update resources, you must first run thekubectl diffcommand to preview the changes and make sure that the changes are as expected before you run thekubectl applycommand. Then, run thekubectl applycommand to apply the changes to the resources in your cluster.The NGINX Ingress controller of earlier versions cannot recognize the
spec:ingressClassNamefield in the Ingress resource. If both NGINX Ingresses and ALB Ingresses are configured in your ACK cluster, the ALB Ingresses may be reconciled by an earlier version of the NGINX Ingress controller. To avoid this problem, update the NGINX Ingress controller at the earliest opportunity or use annotations to specify the IngressClasses of ALB Ingresses. For more information, see Update the NGINX Ingress controller or Advanced ALB Ingress configurations.
Create an AlbConfig
An AlbConfig is used to configure an ALB instance. If you want to configure multiple ALB instances, you must create multiple AlbConfigs. To create an AlbConfig, perform the following steps:
When you install the ALB Ingress controller, if you select Create or Select Existing for the Gateway Source parameter, the controller automatically creates an AlbConfig named alb and an IngressClass named alb.
Create a file named alb.yaml and copy the following content to the file. The file is used to create an AlbConfig.
apiVersion: alibabacloud.com/v1 kind: AlbConfig metadata: name: alb spec: config: name: alb addressType: Internet zoneMappings: - vSwitchId: vsw-uf6ccg2a9g71hx8go**** # Replace the value with the ID of the vSwitch that you want to use. - vSwitchId: vsw-uf6nun9tql5t8nh15**** listeners: - port: 80 protocol: HTTPParameter
Description
spec.config.nameThe name of the ALB instance.
spec.config.addressTypeThe type of IP address that the ALB instance uses to provide services. Valid values:
Internet: The ALB instance uses a public IP address. The domain name of the Ingress is resolved to the public IP address. Therefore, the ALB instance can be accessed over the Internet. This is the default value.Intranet: The ALB instance uses a private IP address. The domain name of the Ingress is resolved to the private IP address. Therefore, the ALB instance is accessible only within the virtual private cloud (VPC) where the ALB instance is deployed.
ImportantThe
addressTypeparameter in an AlbConfig takes effect only when you create the AlbConfig. This parameter does not take effect when you update the AlbConfig.spec.config.zoneMappingsThe IDs of the vSwitches used by the ALB Ingress. If you want to specify vSwitches in a region that contains multiple zones, you must specify at least two vSwitch IDs in different zones. If you want to specify vSwitches in a region that contains only one zone, you can specify only one vSwitch ID. The specified vSwitch must be deployed in a zone supported by the ALB instance and deployed in the same VPC as the cluster. For more information about the regions and zones supported by ALB Ingresses, see Regions and zones in which ALB is available.
ImportantIf you want to specify vSwitches in a region that contains multiple zones, you must specify at least two vSwitch IDs in different zones.
The
zoneMappingsparameter in an AlbConfig takes effect only when you create the AlbConfig. This parameter does not take effect when you update the AlbConfig.
When you install the ALB Ingress controller for a cluster, you can create a default AlbConfig. The parameters of the default AlbConfig use the following settings, except for the
vSwitchIDparameter.Run the following command to create an AlbConfig:
kubectl apply -f alb.yamlExpected output:
AlbConfig.alibabacloud.com/alb createdRun the following command to query the AlbConfig:
kubectl get AlbConfigExpected output:
NAME ALBID DNSNAME PORT&PROTOCOL CERTID AGE alb alb-****** alb-******.<regionID>.alb.aliyuncs.com 28mNoteIf you configure HTTP listeners and certificates, the
PORT&PROTOCOLandCERTIDparameters are not empty. Otherwise, the parameters are empty in the output.
Reuse an existing ALB instance
If you want to reuse an existing ALB instance, specify the ID of the ALB instance in the AlbConfig. You can reuse a standard ALB instance or a Web Application Firewall (WAF)-enabled ALB instance that is created in the ALB console. You cannot reuse a basic ALB instance.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: reuse-alb
spec:
config:
id: **** # The ID of the standard ALB instance or WAF-enabled ALB instance that is created in the SLB console.
forceOverride: false
listenerForceOverride: falseThe following table describes the parameters.
Parameter | Description |
|
Important If an ALB instance is reused, we recommend that you do not modify the listener names. Otherwise, the listeners cannot be managed by ACK. The listeners created or updated by using AlbConfigs are managed by ACK, and their names are in the |
| Specifies whether to forcefully overwrite ALB instance attributes when the ALB instance is reused. Valid values:
|
| Specifies whether to forcefully overwrite listener attributes when the ALB instance is reused. Valid values:
|
Update an AlbConfig
To update an ALB instance created by using an AlbConfig, we recommend that you use the kubectl edit command. To update an AlbConfig, perform the following steps:
Run the following command to query the name of the AlbConfig that you want to update:
kubectl get AlbConfigExpected output:
NAME ALBID DNSNAME PORT&PROTOCOL CERTID AGE alb alb-****** alb-******.<regionID>.alb.aliyuncs.com 28mRun the following command to modify the AlbConfig:
kubectl edit albconfig alb # Replace alb with the name of your AlbConfig.Update the AlbConfig configuration file based on your business requirements. For example, you can update the
spec.config.nameparameter to change the name of the ALB instance tonew_alb.... spec: config: name: new_alb # The new name of the ALB instance. ...
Use an IngressClass to associate an AlbConfig with an Ingress
You can associate an AlbConfig with an ALB Ingress by using an IngressClass. To do this, specify the AlbConfig in the IngressClass configurations.
Create a file named ingress_class.yaml and copy the following content to the file:
Clusters that run Kubernetes 1.19 or later
apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: name: alb spec: controller: ingress.k8s.alibabacloud/alb parameters: apiGroup: alibabacloud.com kind: AlbConfig name: alb # The name of the AlbConfig that you want to associate.Clusters that run Kubernetes versions earlier than 1.19
apiVersion: networking.k8s.io/v1beta1 kind: IngressClass metadata: name: alb spec: controller: ingress.k8s.alibabacloud/alb parameters: apiGroup: alibabacloud.com kind: AlbConfig name: albRun the following command to create an IngressClass:
kubectl apply -f ingress_class.yamlExpected output:
ingressclass.networking.k8s.io/alb createdCreate a file named ingress.yaml and copy the following content to the file: Set the
ingressClassNameparameter to the alb IngressClass.Clusters that run Kubernetes 1.19 or later
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: cafe-ingress spec: ingressClassName: alb # Specify the name of the IngressClass that is used to associate the Ingress. rules: - http: paths: # Configure a context path. - path: /tea pathType: ImplementationSpecific backend: service: name: tea-svc port: number: 80 # Configure a context path. - path: /coffee pathType: ImplementationSpecific backend: service: name: coffee-svc port: number: 80Clusters that run Kubernetes versions earlier than 1.19
apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: cafe-ingress spec: ingressClassName: alb rules: - http: paths: # Configure a context path. - path: /tea backend: serviceName: tea-svc servicePort: 80 # Configure a context path. - path: /coffee backend: serviceName: coffee-svc servicePort: 80Run the following command to create an Ingress:
kubectl apply -f ingress.yamlExpected output:
ingress.networking.k8s.io/cafe-ingress created
After you complete the preceding steps, you can use the IngressClass to associate the AlbConfig with the Ingress.
Create and use multiple ALB instances
If you want to share an Ingress among multiple ALB instances, specify different IngressClasses in the spec.ingressClassName parameter in the Ingress configuration file.
Create a file named alb-2.yaml and copy the following content to the file:
apiVersion: alibabacloud.com/v1 kind: AlbConfig metadata: name: alb-2 spec: config: name: alb-2 # The name of an ALB instance. addressType: Internet # The ALB instance uses a public IP address. zoneMappings: - vSwitchId: vsw-uf6ccg2a9g71hx8go**** # The ID of the vSwitch that you want to use. - vSwitchId: vsw-uf6nun9tql5t8nh15****Run the following command to create an AlbConfig:
kubectl apply -f alb-2.yamlExpected output:
AlbConfig.alibabacloud.com/alb-2 createdCreate a file named ingress_class2.yaml and copy the following content to the file. The file is used to create an IngressClass.
Clusters that run Kubernetes 1.19 or later
apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: name: alb-2 spec: controller: ingress.k8s.alibabacloud/alb parameters: apiGroup: alibabacloud.com kind: AlbConfig name: alb-2 # The name of the AlbConfig that you want to associate.Clusters that run Kubernetes versions earlier than 1.19
apiVersion: networking.k8s.io/v1beta1 kind: IngressClass metadata: name: alb-2 spec: controller: ingress.k8s.alibabacloud/alb parameters: apiGroup: alibabacloud.com kind: AlbConfig name: alb-2 # The name of the AlbConfig that you want to associate.Run the following command to create an IngressClass:
kubectl apply -f ingress_class2.yamlExpected output:
ingressclass.networking.k8s.io/alb-2 createdCreate a file named ingress2.yaml and copy the following content to the file. You can use the
ingressClassNameparameter to specify different ALB instances that you want to associate with the Ingress. In the following example, theingressClassNameparameter is set toalb-2. This associates the Ingress with the alb-2 IngressClass, which is associated with the alb-2 ALB instance.Clusters that run Kubernetes 1.19 or later
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: cafe-ingress2 spec: ingressClassName: alb-2 rules: - http: paths: # Configure a context path. - path: /tea pathType: ImplementationSpecific backend: service: name: tea-svc port: number: 80 # Configure a context path. - path: /coffee pathType: ImplementationSpecific backend: service: name: coffee-svc port: number: 80Clusters that run Kubernetes versions earlier than 1.19
apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: cafe-ingress2 spec: ingressClassName: alb-2 rules: - http: paths: # Configure a context path. - path: /tea backend: serviceName: tea-svc servicePort: 80 # Configure a context path. - path: /coffee backend: serviceName: coffee-svc servicePort: 80Run the following command to create an Ingress:
kubectl apply -f ingress2.yamlExpected output:
ingress.networking.k8s.io/cafe-ingress2 created
Enable IPv6
When you use an AlbConfig to create an ALB instance, you can set the addressIpVersion parameter to DualStack to enable IPv4/IPv6 dual stack.
The addressIpVerison parameter in an AlbConfig takes effect only when you create the AlbConfig. This parameter does not take effect when you update the AlbConfig.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
addressIpVersion: DualStack # Enable IPv4/IPv6 dual stack.
...Specify a custom TLS security policy
When you use an AlbConfig to configure HTTPS listeners, you can specify a TLS security policy. Custom TLS security policies and default TLS security policies are supported. For more information, see TLS security policies.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
#...
listeners:
- port: 443
protocol: HTTPS
securityPolicyId: tls_cipher_policy_1_1 # Specify the ID of the security group.
#...Enable SLS to collect access logs
If you want to collect the access logs of ALB Ingresses, set the logProject and logStore parameters in the AlbConfig configuration.
If you configure a new or existing SLS project for your cluster when you create the cluster, you can perform the following steps to view the project. Log on to the ACK console. In the left-side navigation pane, click Clusters. On the Clusters page, click the name of your cluster. In the left-side navigation pane of the cluster details page, click Cluster Information. On the Cluster Resources tab, you can view the SLS project that is associated with the cluster.
The value of the
logStoreparameter must start withalb_. If the specifiedLogstoredoes not exist, a new Logstore with the specified name is created.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
accessLogConfig:
logProject: "k8s-log-xz92lvykqj1siwvif****"
logStore: "alb_****"
#...On the Cluster Resources tab, you can click the project name on the right side of Log Service Project to view the collected logs in the SLS console.
Delete an ALB instance
An AlbConfig is used to configure an ALB instance. Therefore, you can delete an ALB instance by deleting the corresponding AlbConfig.
Before you can delete an AlbConfig, you must delete all Ingresses that are associated with the AlbConfig.
Run the following command to delete the AlbConfig:
kubectl delete AlbConfig <AlbConfig_NAME> # Replace <AlbConfig_NAME> with the name of the AlbConfig that you want to delete.Delete the AlbConfig of a reused ALB instance
If you delete the AlbConfig of a reused ALB instance, the ALB instance is not deleted. To delete the AlbConfig of a reused ALB instance, perform the following steps:
Run the
kubectl editcommand to modify the AlbConfig to delete all entries of thespec.listenersparameter. This way, all the listeners specified in the AlbConfig are deleted.ImportantIf the version of the ALB Ingress controller installed in your cluster is later than 2.10.0-aliyun.1, skip this step.
Run the following command to delete the AlbConfig:
ImportantBefore you can delete an AlbConfig, you must delete all Ingresses that are associated with the AlbConfig.
kubectl delete AlbConfig <AlbConfig_NAME> # Replace <AlbConfig_NAME> with the name of the AlbConfig that you want to delete.
Create listeners
ALB instances use listeners to receive and forward external requests based on the application-layer information of the requests. An ALB instance listens for requests from clients only after you create a listener for the ALB instance.
To create a listener, set the port and protocol parameters in the AlbConfig. If you modify the port, protocol, or other parameters of a listener, the original listener is deleted and a new listener is created based on the modified parameters.
A listener supports the following protocols at the application layer: HTTP, HTTPS, and Quick UDP Internet Connections (QUIC).
You can configure multiple listeners that use different protocols at the same time. In this case, you must add the required annotations to the Ingress configurations to specify multiple listening ports. For more information, see Configure custom listening ports.
Create an HTTP listener
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
...
listeners:
- port: 80
protocol: HTTP # Valid values: HTTP, HTTPS, and QUIC.
...HTTP is compatible with WebSocket. No additional configuration is required.
Create an HTTPS listener
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
...
listeners:
- port: 443
protocol: HTTPS
...You need to configure certificates for an HTTPS listener. For more information, see Configure certificates to encrypt communication on HTTPS ports.
Create a QUIC listener
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
...
listeners:
- port: 443
protocol: QUIC
...QUIC listeners can receive requests from clients that use the HTTP/3 protocol. For more information, see Use QUIC listeners to support HTTP/3.
Set the connection timeout period for listeners
You can set the connection timeout period for listeners in the configurations of an AlbConfig. Valid values: 1 to 180. Unit: seconds. If no response is received from the backend server within the specified timeout period, ALB returns an HTTP 504 error code to the client. If you do not specify the connection timeout period, the default timeout period (60 seconds) is used. The following YAML file is an example:
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
requestTimeout: 40 # The default timeout period is 60 seconds.
...Configure data compression
After you enable this feature, the ALB instance compresses specific types of files. Valid values of the gzipEnabled parameter:
true: compresses specific types of files.false: does not compress files.
All file types support Brotli compression. The following file types support Gzip compression: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json.
The following YAML file is an example:
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
gzipEnabled: true
...Preserve client IP addresses
After you enable this feature, the ALB instance adds a parameter that specifies the client IP address to the HTTP request header when forwarding the request to the backend application. Valid values of the XForwardedForEnabled parameter:
true: enables client IP address preservation.false: disables client IP address preservation.
This parameter is available for HTTP listeners and HTTPS listeners.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
#...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForEnabled: true
#...Retrieve the port that a client uses to connect to an ALB instance
After you enable this feature, the ALB instance adds a parameter that specifies the client port to the HTTP request header when forwarding the request to the backend application. Valid values of the XForwardedForClientSrcPortEnabled parameter:
true: retrieves the port that a client uses to connect to the ALB instance.false: does not retrieve the port that a client uses to connect to the ALB instance.
This parameter is available for HTTP listeners and HTTPS listeners.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForClientSrcPortEnabled: true
...Retrieve the listener protocols used by an ALB instance
After you enable this feature, the ALB instance adds a parameter that specifies the listener protocols used by the ALB instance to the HTTP request header when forwarding the request to the backend application. Valid values of the XForwardedForProtoEnabled parameter:
true: retrieves the listener protocols used by the ALB instance.false: does not retrieve the listener protocols used by the ALB instance.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForProtoEnabled: true
...Retrieve the ID of an ALB instance
After you enable this feature, the ALB instance adds a parameter that specifies the ID of the ALB instance to the HTTP request header when forwarding the request to the backend application. Valid values of the XForwardedForSLBIdEnabled parameter:
true: retrieves the ID of the ALB instance.false: does not retrieve the ID of the ALB instance.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForSLBIdEnabled: true
...Retrieve the listening ports of an ALB instance
After you enable this feature, the ALB instance adds a parameter that specifies the listening ports of the ALB instance to the HTTP request header when forwarding the request to the backend application. Valid values of the XForwardedForSLBPortEnabled parameter:
true: retrieves the listener ports of the ALB instance.false: does not retrieve the listener ports of the ALB instance.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForSLBPortEnabled: true
...Specify the IP address of a trusted proxy server
You can specify the XForwardedForClientSourceIpsEnabled parameter in the configurations of an AlbConfig to enable the ALB instance to retrieve client IP addresses from the X-Forwarded-For header field. You can use the XForwardedForClientSourceIpsTrusted parameter to specify a list of trusted proxy server IP addresses. This way, the ALB instance traverses the IP addresses in the X-Forwarded-For header field from the rightmost IP address to the leftmost IP address. The first IP address that is not on the trusted IP address list is considered the client IP address.
For example, if the value of X-Forwarded-For is <client IP, proxy server IP-1, proxy server IP-2>, you can specify proxy server IP-1 and proxy server IP-2 in the XForwardedForClientSourceIpsTrusted parameter. This way, the ALB instance can retrieve client IP addresses.
This parameter is available for HTTP listeners and HTTPS listeners.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForClientSourceIpsEnabled: true # A value of true allows the ALB instance to retrieve client IP addresses from the X-Forwarded-For header. If you set the value to true, you must configure the XForwardedForClientSourceIpsTrusted parameter in a valid format. A value of false forbids the ALB instance from retrieving client IP addresses from the X-Forwarded-For header.
XForwardedForClientSourceIpsTrusted: 192.168.x.x;192.168.x.x/16 # Enter a valid IP address or CIDR block. This parameter takes effect only when XForwardedForClientSourceIpsEnabled is set to true.
...Configure network ACLs
You can configure an AlbConfig to enable network access control lists (ACLs) for the listeners of an ALB instance. You can configure network ACLs to allow or deny access from specific IP addresses or CIDR blocks. This allows you to implement fine-grained access control on client requests. For more information, see Configure ACLs.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
#...
listeners:
- port: 80
protocol: HTTP
aclConfig:
aclEntries:
- 127.0.0.1/32
aclType: White
#...Parameters:
aclType: the type of network ACL. Valid values:Black(blacklist) andWhite(whitelist).aclEntries: the CIDR block that you want to add to the ACL rule for access control. Example: 127.0.0.1/32.