An AlbConfig is a CustomResourceDefinition (CRD) that Container Service for Kubernetes (ACK) provides for the Application Load Balancer (ALB) Ingress controller. The ALB Ingress controller uses AlbConfigs to configure ALB instances and listeners. This topic describes how to create, modify, and update an AlbConfig, and how to enable Log Service.
Table of contents
Relationship among Services, Ingresses, and AlbConfigs
The ALB Ingress controller retrieves the changes to Ingresses from the API server and dynamically generates AlbConfig objects when Ingresses changes are detected. Then, the ALB Ingress controller performs the following operations in sequence: create ALB instances, configure listeners, create Ingress rules, and configure backend server groups. The Service, Ingress, and AlbConfig objects interact with each other in the following ways:
- A Service is an abstraction of an application that is deployed in a group of replicated pods.
- An Ingress contains reverse proxy rules. It controls to which Services HTTP or HTTPS requests are routed. For example, an Ingress routes requests to different Services based on the hosts and URLs in the requests.
- An AlbConfig object is a CustomResourceDefinition (CRD) object that the ALB Ingress controller uses to configure ALB instances and listeners. An AlbConfig object corresponds to one ALB instance.
An AlbConfig is used to configure an ALB instance. The ALB instance can be specified in forwarding rules of multiple Ingresses. Therefore, an AlbConfig can be associated with multiple Ingresses.
Create an AlbConfig
An AlbConfig is used to configure an ALB instance. If you want to configure multiple ALB instances, you must create multiple AlbConfigs. To create an AlbConfig, perform the following steps:
Create a file named alb-test.yaml and paste the following content to the file. The file is used to create an AlbConfig.
apiVersion: alibabacloud.com/v1 kind: AlbConfig metadata: name: alb-demo spec: config: name: alb-test addressType: Internet zoneMappings: - vSwitchId: vsw-uf6ccg2a9g71hx8go**** - vSwitchId: vsw-uf6nun9tql5t8nh15****
Parameter
Description
spec.config.name
The name of the ALB instance. This parameter is optional.
spec.config.addressType
The type of IP address that the ALB instance uses to provide services. This parameter is required. Valid values:
Internet: The ALB instance uses a public IP address. The domain name of the Ingress is resolved to the public IP address. Therefore, the ALB instance can be accessed over the Internet.
Intranet: The ALB instance uses a private IP address. The domain name of the Ingress is resolved to the private IP address. Therefore, the ALB instance is accessible only within the virtual private cloud (VPC) where the ALB instance is deployed.
spec.config.zoneMappings
The IDs of the vSwitches that are used by the ALB Ingress. This parameter is required. You must specify at least two vSwitch IDs and the vSwitches must be deployed in different zones of the VPC where your cluster resides. For more information about the regions and zones that are supported by ALB Ingresses, see Supported regions and zones.
Run the following command to create an AlbConfig:
kubectl apply -f alb-test.yaml
Expected output:
AlbConfig.alibabacloud.com/alb-demo created
Run the following command to query the automatically created AlbConfig:
kubectl -n kube-system get AlbConfig
Expected output:
NAME AGE alb-demo 87m
The following content shows the default configurations of an AlbConfig:
apiVersion: alibabacloud.com/v1 kind: AlbConfig metadata: name: alb-demo # The name of the AlbConfig. spec: config: accessLogConfig: logProject: "" logStore: "" addressAllocatedMode: Dynamic addressType: Internet billingConfig: internetBandwidth: 0 internetChargeType: "" payType: PostPay deletionProtectionEnabled: true edition: Standard forceOverride: false zoneMappings: - vSwitchId: vsw-wz92lvykqj1siwvif**** # A vSwitch that is specified for the AlbConfig. You must specify two vSwitches. - vSwitchId: vsw-wz9mnucx78c7i6iog**** # A vSwitch that is specified for the AlbConfig. status: loadBalancer: dnsname: alb-s2em8fr9debkg5****.cn-shenzhen.alb.aliyuncs.com id: alb-s2em8fr9debkg5****
Update an AlbConfig
In Kubernetes, the kubectl apply
command overwrites the configurations of objects but the kubectl edit
command only adds configurations to objects. We recommend that you run the kubectl edit
command to modify ALB instances that are created by using AlbConfigs. To update an AlbConfig, perform the following steps:
Run the following command to query the name of the AlbConfig that you created:
kubectl -n kube-system get AlbConfig
Expected output:
NAME AGE alb-demo 87m
Run the following command to update the AlbConfig.
ImportantThe
kubectl apply
command overwrites the configurations of the AlbConfig. If the YAML file of the AlbConfig does not containlistener
settings, the update does not affect the existing listeners. If the YAML file contains listener settings, the existing listeners are reconciled based on the updated listener settings. Therefore, you need to specify all listeners that are in use, such as commonly used listeners that listen on ports 80 and 443.kubectl -n kube-system edit AlbConfig alb-demo ... spec: config: name: test # The new name that you want to use. ...
Use an IngressClass to associate an AlbConfig with an Ingress
You can associate an AlbConfig with an Ingress by using an IngressClass. To do this, you must first create an IngressClass.
Create a file named alb.yaml and add the following content to the file. The file is used to create an IngressClass.
Clusters that run Kubernetes versions earlier than 1.19
apiVersion: networking.k8s.io/v1beta1 kind: IngressClass metadata: name: alb spec: controller: ingress.k8s.alibabacloud/alb parameters: apiGroup: alibabacloud.com kind: AlbConfig name: alb-demo
Clusters that run Kubernetes 1.19 or later
apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: name: alb spec: controller: ingress.k8s.alibabacloud/alb parameters: apiGroup: alibabacloud.com kind: AlbConfig name: alb-demo
Run the following command to create an IngressClass:
kubectl apply -f alb.yaml
Expected output:
ingressclass.networking.k8s.io/alb created
To associate an AlbConfig with an Ingress, specify the alb IngressClass in the
ingressClassName
field of the Ingress YAML template.Clusters that run Kubernetes versions earlier than 1.19
apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: cafe-ingress spec: ingressClassName: alb rules: - http: paths: # Configure a context path. - path: /tea backend: serviceName: tea-svc servicePort: 80 # Configure a context path. - path: /coffee backend: serviceName: coffee-svc servicePort: 80
Clusters that run Kubernetes 1.19 or later
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: cafe-ingress spec: ingressClassName: alb rules: - http: paths: # Configure a context path. - path: /tea pathType: ImplementationSpecific backend: service: name: tea-svc port: number: 80 # Configure a context path. - path: /coffee pathType: ImplementationSpecific backend: service: name: coffee-svc port: number: 80
Rename an ALB instance
To rename an ALB instance, run the following command. The change is automatically applied after you save the modification.
kubectl -n kube-system edit AlbConfig alb-demo
...
spec:
config:
name: test # The new name that you want to use.
...
Change the vSwitches that are specified in an AlbConfig
To change the vSwitches that are specified in an AlbConfig, run the following command. The change is automatically applied after you save the modification.
kubectl -n kube-system edit AlbConfig alb-demo
...
zoneMappings:
- vSwitchId: vsw-wz92lvykqj1siwvif****
- vSwitchId: vsw-wz9mnucx78c7i6iog****
...
Enable IPv6
When you create an ALB instance, you can set the addressIpVersion
parameter in the AlbConfig to DualStack
to enable IPv6.
The addressIpVerison
parameter is available only when you create an ALB instance. You cannot modify the parameter after the ALB instance is created.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb-demo
spec:
config:
addressIpVersion: DualStack
...
Specify a custom TLS security policy
When you use an AlbConfig to configure HTTPS listeners, you can specify a TLS security policy. Custom TLS security policies and default TLS security policies are supported. For more information, see TLS security policies.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb-demo
spec:
config:
#...
listeners:
- port: 443
protocol: HTTPS
securityPolicyId: tls_cipher_policy_1_1
#...
Enable Log Service to collect access logs
If you want to collect the access log of ALB Ingresses, set the logProject
and logStore
parameters in the AlbConfig.
Log Service projects must be manually created.
For more information about how to createLog Service projects
, see Manage projects.The name of the Logstore that you specify in the
logStore
parameter must start withalb_
. If the specifiedLogstore
does not exist, the system automatically creates one.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb-demo
spec:
config:
accessLogConfig:
logProject: "k8s-log-xz92lvykqj1siwvif****"
logStore: "alb_****"
#...
After you save the modification to the AlbConfig configuration, you can go to the Log Service console and view the collected log in the specified Logstore.
Reuse an existing ALB instance
If you want to reuse an existing ALB instance, specify the ID of the ALB instance in the AlbConfig.
You can configure an AlbConfig to reuse a standard ALB instance. However, you cannot configure an AlbConfig to reuse a basic ALB instance.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: reuse-alb
spec:
config:
id: ****
forceOverride: false # Specify whether to overwrite the existing listeners. If you set the value to true, the existing listeners are overwritten. If you set the value to false, the existing listeners are not overwritten.
Create and use multiple ALB instances
If you want an Ingress to use multiple ALB instances, specify different IngressClasses in the spec.ingressClassName
parameter of the Ingress YAML file.
Create a file named alb-demo2.yaml and copy the following content to the file:
apiVersion: alibabacloud.com/v1 kind: AlbConfig metadata: name: demo spec: config: name: alb-demo2 # The name of an ALB instance. addressType: Internet # The ALB instance has a public IP address. zoneMappings: - vSwitchId: vsw-uf6ccg2a9g71hx8go**** - vSwitchId: vsw-uf6nun9tql5t8nh15****
Run the following command to create an AlbConfig:
kubectl apply -f alb-demo2.yaml
Expected output:
AlbConfig.alibabacloud.com/demo created
Create a file named alb.yaml and add the following content to the file. The file is used to create an IngressClass.
Clusters that run Kubernetes versions earlier than 1.19
apiVersion: networking.k8s.io/v1beta1 kind: IngressClass metadata: name: alb-demo2 spec: controller: ingress.k8s.alibabacloud/alb parameters: apiGroup: alibabacloud.com kind: AlbConfig name: demo
Clusters that run Kubernetes 1.19 or later
apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: name: alb-demo2 spec: controller: ingress.k8s.alibabacloud/alb parameters: apiGroup: alibabacloud.com kind: AlbConfig name: demo
Run the following command to create an IngressClass:
kubectl apply -f alb.yaml
Expected output:
ingressclass.networking.k8s.io/alb-demo2 created
Specify different ALB instances in the
ingressClassName
parameter of the Ingress YAML file.Clusters that run Kubernetes versions earlier than 1.19
apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: demo namespace: default spec: ingressClassName: alb-demo2 rules: - host: "" http: paths: - backend: serviceName: demo-service servicePort: 80 path: /hello pathType: ImplementationSpecific
Clusters that run Kubernetes 1.19 or later
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: demo namespace: default spec: ingressClassName: alb-demo2 rules: - host: "" http: paths: - backend: service: name: demo-service port: number: 80 path: /hello pathType: ImplementationSpecific
Set the connection timeout period for listeners
You can set the connection timeout period for listeners in the configuration of an AlbConfig. Valid values: 1 to 180. Unit: seconds. If no response is received from the backend server within the specified timeout period, ALB returns an HTTP 504 error code to the client. The default timeout period is 60 seconds. Example:
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: default
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
requestTimeout: 60
...
Configure data compression
You can enable or disable data compression for listeners in an AlbConfig. Valid values of the gzipEnabled parameter:
true: compresses specific types of files.
false: does not compress files.
All file types support Brotli compression. The following file types support Gzip compression: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json.
The following YAML template disables data compression:
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: default
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
gzipEnabled: false
...
Preserve client IP addresses
You can set the X-Forwarded-For
header field in an AlbConfig to reserve client IP addresses. Valid values of XForwardedForEnabled:
true: enables client IP address preservation.
false: disables client IP address preservation.
Only HTTP listeners and HTTPS listeners support this parameter.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: default
spec:
config:
#...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForEnabled: true
#...
Retrieve the listening protocol used by the ALB instance
You can set the X-Forwarded-For
header field in an AlbConfig to retrieve the listening protocol used by the ALB instance. Valid values of XForwardedForProtoEnabled:
true: retrieves the listening protocol used by the ALB instance.
false: does not retrieve the listening protocol used by the ALB instance.
Only HTTP listeners and HTTPS listeners support this parameter.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: default
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForProtoEnabled: true
...
Retrieve the ID of the ALB instance
You can set the SLB-ID
header field in an AlbConfig to retrieve the ID of the ALB instance. Valid values of XForwardedForSLBIdEnabled:
true: retrieves the ID of the ALB instance.
false: does not retrieve the ID of the ALB instance.
Only HTTP listeners and HTTPS listeners support this parameter.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: default
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForSLBIdEnabled: true
...
Retrieve the listening ports of the ALB instance
You can set the X-Forwarded-Port
header field in an AlbConfig to retrieve the listening ports of the ALB instance. Valid values of XForwardedForSLBPortEnabled:
true: retrieves the listening ports of the ALB instance.
false: does not retrieve the listening ports of the ALB instance.
Only HTTP listeners and HTTPS listeners support this parameter.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: default
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForSLBPortEnabled: true
...
Retrieve the port that a client uses to connect to the ALB instance
You can set the X-Forwarded-Client-Port
header field in an AlbConfig to retrieve the port that a client uses to connect to the ALB instance. Valid values of XForwardedForClientSrcPortEnabled:
true: retrieves the port that a client uses to connect to the ALB instance.
false: does not retrieve the port that a client uses to connect to the ALB instance.
Only HTTP listeners and HTTPS listeners support this parameter.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: default
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForClientSrcPortEnabled: true
...
Configure network ACLs
You can configure an AlbConfig to enable network access control lists (ACLs) for the listeners of an ALB instance. You can configure network ACLs to allow or deny access from specified IP addresses or CIDR blocks. This allows you to implement fine-grained access control on client requests. For more information about network ACLs, see Access control.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: default
spec:
config:
#...
listeners:
- port: 80
protocol: HTTPS
aclConfig:
aclEntries:
- 127.0.0.1/32
aclType: White
#...
The following list describes some parameters that are specified in the preceding code block.
aclType: the type of network ACL. Valid values: Black (blacklist) and White (whitelist).
aclEntries: the CIDR block that you want to add to the ACL rule for access control. Example: 127.0.0.1/32.
Delete an ALB instance
An AlbConfig is used to configure an ALB instance. Therefore, you can delete an ALB instance by deleting the corresponding AlbConfig. Before you can delete an AlbConfig, you must delete all Ingresses that are associated with the AlbConfig.
kubectl -n kube-system delete AlbConfig alb-demo
Replace alb-demo
with the name of the AlbConfig that you want to delete.