All Products
Search

This Product

    Container Service for Kubernetes:Use AlbConfigs to configure ALB instances

    Document Center

    Container Service for Kubernetes:Use AlbConfigs to configure ALB instances

    Last Updated:Aug 28, 2023

    An AlbConfig is a CustomResourceDefinition (CRD) that Container Service for Kubernetes (ACK) provides for the Application Load Balancer (ALB) Ingress controller. The ALB Ingress controller uses AlbConfigs to configure ALB instances and listeners. This topic describes how to create, modify, and update an AlbConfig, and how to enable Log Service.

    Table of contents

    Relationship among Services, Ingresses, and AlbConfigs

    The ALB Ingress controller retrieves the changes to Ingresses from the API server and dynamically generates AlbConfig objects when Ingresses changes are detected. Then, the ALB Ingress controller performs the following operations in sequence: create ALB instances, configure listeners, create Ingress rules, and configure backend server groups. The Service, Ingress, and AlbConfig objects interact with each other in the following ways:

    • A Service is an abstraction of an application that is deployed in a group of replicated pods.
    • An Ingress contains reverse proxy rules. It controls to which Services HTTP or HTTPS requests are routed. For example, an Ingress routes requests to different Services based on the hosts and URLs in the requests.
    • An AlbConfig object is a CustomResourceDefinition (CRD) object that the ALB Ingress controller uses to configure ALB instances and listeners. An AlbConfig object corresponds to one ALB instance.
    ALB Ingress

    An AlbConfig is used to configure an ALB instance. The ALB instance can be specified in forwarding rules of multiple Ingresses. Therefore, an AlbConfig can be associated with multiple Ingresses.

    Create an AlbConfig

    An AlbConfig is used to configure an ALB instance. If you want to configure multiple ALB instances, you must create multiple AlbConfigs. To create an AlbConfig, perform the following steps:

    1. Create a file named alb-test.yaml and paste the following content to the file. The file is used to create an AlbConfig. 

      apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-demo
spec:
  config:
    name: alb-test
    addressType: Internet
    zoneMappings:
    - vSwitchId: vsw-uf6ccg2a9g71hx8go****
    - vSwitchId: vsw-uf6nun9tql5t8nh15****

      Parameter

      Description

      spec.config.name

      The name of the ALB instance. This parameter is optional.

      spec.config.addressType

      The type of IP address that the ALB instance uses to provide services. This parameter is required. Valid values:

      • Internet: The ALB instance uses a public IP address. The domain name of the Ingress is resolved to the public IP address. Therefore, the ALB instance can be accessed over the Internet.

      • Intranet: The ALB instance uses a private IP address. The domain name of the Ingress is resolved to the private IP address. Therefore, the ALB instance is accessible only within the virtual private cloud (VPC) where the ALB instance is deployed.

      spec.config.zoneMappings

      The IDs of the vSwitches that are used by the ALB Ingress. This parameter is required. You must specify at least two vSwitch IDs and the vSwitches must be deployed in different zones of the VPC where your cluster resides. For more information about the regions and zones that are supported by ALB Ingresses, see Supported regions and zones.

    2. Run the following command to create an AlbConfig: 

      kubectl apply -f alb-test.yaml

      Expected output:

      AlbConfig.alibabacloud.com/alb-demo created

    3. Run the following command to query the automatically created AlbConfig: 

      kubectl -n kube-system get AlbConfig

      Expected output:

      NAME       AGE
alb-demo   87m

      The following content shows the default configurations of an AlbConfig:

      apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-demo                      # The name of the AlbConfig. 
spec:
  config:
    accessLogConfig:
      logProject: ""
      logStore: ""
    addressAllocatedMode: Dynamic
    addressType: Internet
    billingConfig:
      internetBandwidth: 0
      internetChargeType: ""
      payType: PostPay
    deletionProtectionEnabled: true
    edition: Standard
    forceOverride: false
    zoneMappings:
    - vSwitchId: vsw-wz92lvykqj1siwvif****        # A vSwitch that is specified for the AlbConfig. You must specify two vSwitches. 
    - vSwitchId: vsw-wz9mnucx78c7i6iog****        # A vSwitch that is specified for the AlbConfig. 
status:
  loadBalancer:
    dnsname: alb-s2em8fr9debkg5****.cn-shenzhen.alb.aliyuncs.com
    id: alb-s2em8fr9debkg5****

    Update an AlbConfig

    In Kubernetes, the kubectl apply command overwrites the configurations of objects but the kubectl edit command only adds configurations to objects. We recommend that you run the kubectl edit command to modify ALB instances that are created by using AlbConfigs. To update an AlbConfig, perform the following steps:

    1. Run the following command to query the name of the AlbConfig that you created: 

      kubectl -n kube-system get AlbConfig

      Expected output:

      NAME AGE
alb-demo 87m

    2. Run the following command to update the AlbConfig.

      Important

      The kubectl apply command overwrites the configurations of the AlbConfig. If the YAML file of the AlbConfig does not contain listener settings, the update does not affect the existing listeners. If the YAML file contains listener settings, the existing listeners are reconciled based on the updated listener settings. Therefore, you need to specify all listeners that are in use, such as commonly used listeners that listen on ports 80 and 443. 

      kubectl -n kube-system edit AlbConfig alb-demo
...
 spec:
 config:
 name: test # The new name that you want to use. 
...

    Use an IngressClass to associate an AlbConfig with an Ingress

    You can associate an AlbConfig with an Ingress by using an IngressClass. To do this, you must first create an IngressClass.

    1. Create a file named alb.yaml and add the following content to the file. The file is used to create an IngressClass.

      Clusters that run Kubernetes versions earlier than 1.19

      apiVersion: networking.k8s.io/v1beta1
kind: IngressClass
metadata:
  name: alb
spec:
  controller: ingress.k8s.alibabacloud/alb
  parameters:
    apiGroup: alibabacloud.com
    kind: AlbConfig
    name: alb-demo

      Clusters that run Kubernetes 1.19 or later

      apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: alb
spec:
  controller: ingress.k8s.alibabacloud/alb
  parameters:
    apiGroup: alibabacloud.com
    kind: AlbConfig
    name: alb-demo

    2. Run the following command to create an IngressClass: 

      kubectl apply -f alb.yaml

      Expected output:

      ingressclass.networking.k8s.io/alb created

    3. To associate an AlbConfig with an Ingress, specify the alb IngressClass in the ingressClassName field of the Ingress YAML template.

      Clusters that run Kubernetes versions earlier than 1.19

      apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: cafe-ingress
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:
      # Configure a context path. 
      - path: /tea
        backend:
          serviceName: tea-svc
          servicePort: 80
      # Configure a context path. 
      - path: /coffee
        backend:
          serviceName: coffee-svc
          servicePort: 80

      Clusters that run Kubernetes 1.19 or later

      apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress 
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:
      # Configure a context path. 
      - path: /tea
        pathType: ImplementationSpecific
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      # Configure a context path. 
      - path: /coffee
        pathType: ImplementationSpecific
        backend:
          service:
            name: coffee-svc
            port: 
              number: 80

    Rename an ALB instance

    To rename an ALB instance, run the following command. The change is automatically applied after you save the modification. 

    kubectl -n kube-system edit AlbConfig alb-demo
...
  spec:
    config:
      name: test   # The new name that you want to use. 
...

    Change the vSwitches that are specified in an AlbConfig

    To change the vSwitches that are specified in an AlbConfig, run the following command. The change is automatically applied after you save the modification. 

    kubectl -n kube-system edit AlbConfig alb-demo
...
  zoneMappings:
    - vSwitchId: vsw-wz92lvykqj1siwvif****
    - vSwitchId: vsw-wz9mnucx78c7i6iog****
...

    Enable IPv6

    When you create an ALB instance, you can set the addressIpVersion parameter in the AlbConfig to DualStack to enable IPv6.

    Important

    The addressIpVerison parameter is available only when you create an ALB instance. You cannot modify the parameter after the ALB instance is created. 

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-demo
spec:
  config:
    addressIpVersion: DualStack
    ...

    Specify a custom TLS security policy

    When you use an AlbConfig to configure HTTPS listeners, you can specify a TLS security policy. Custom TLS security policies and default TLS security policies are supported. For more information, see TLS security policies. 

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-demo
spec:
  config:
    #...
  listeners:
  - port: 443
    protocol: HTTPS
    securityPolicyId: tls_cipher_policy_1_1
  #...

    Enable Log Service to collect access logs

    If you want to collect the access log of ALB Ingresses, set the logProject and logStore parameters in the AlbConfig.

    Note

    • Log Service projects must be manually created. For more information about how to create Log Service projects, see Manage projects.

    • The name of the Logstore that you specify in the logStore parameter must start with alb_. If the specified Logstore does not exist, the system automatically creates one. 

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-demo
spec:
  config:
    accessLogConfig:
      logProject: "k8s-log-xz92lvykqj1siwvif****"
      logStore: "alb_****"
    #...

    After you save the modification to the AlbConfig configuration, you can go to the Log Service console and view the collected log in the specified Logstore.

    Reuse an existing ALB instance

    If you want to reuse an existing ALB instance, specify the ID of the ALB instance in the AlbConfig.

    Important

    You can configure an AlbConfig to reuse a standard ALB instance. However, you cannot configure an AlbConfig to reuse a basic ALB instance. 

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: reuse-alb
spec:
  config:
    id: ****
    forceOverride: false   # Specify whether to overwrite the existing listeners. If you set the value to true, the existing listeners are overwritten. If you set the value to false, the existing listeners are not overwritten.

    Create and use multiple ALB instances

    If you want an Ingress to use multiple ALB instances, specify different IngressClasses in the spec.ingressClassName parameter of the Ingress YAML file.

    1. Create a file named alb-demo2.yaml and copy the following content to the file: 

      apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: demo
spec:
  config:
    name: alb-demo2        # The name of an ALB instance. 
    addressType: Internet  # The ALB instance has a public IP address. 
    zoneMappings:
    - vSwitchId: vsw-uf6ccg2a9g71hx8go****
    - vSwitchId: vsw-uf6nun9tql5t8nh15****

    2. Run the following command to create an AlbConfig: 

      kubectl apply -f alb-demo2.yaml

      Expected output:

      AlbConfig.alibabacloud.com/demo created

    3. Create a file named alb.yaml and add the following content to the file. The file is used to create an IngressClass.

      Clusters that run Kubernetes versions earlier than 1.19

      apiVersion: networking.k8s.io/v1beta1
kind: IngressClass
metadata:
  name: alb-demo2
spec:
  controller: ingress.k8s.alibabacloud/alb
  parameters:
    apiGroup: alibabacloud.com
    kind: AlbConfig
    name: demo

      Clusters that run Kubernetes 1.19 or later

      apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: alb-demo2
spec:
  controller: ingress.k8s.alibabacloud/alb
  parameters:
    apiGroup: alibabacloud.com
    kind: AlbConfig
    name: demo

    4. Run the following command to create an IngressClass: 

      kubectl apply -f alb.yaml

      Expected output:

      ingressclass.networking.k8s.io/alb-demo2 created

    5. Specify different ALB instances in the ingressClassName parameter of the Ingress YAML file.

      Clusters that run Kubernetes versions earlier than 1.19

      apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: demo
  namespace: default
spec:
  ingressClassName: alb-demo2
  rules:
    - host: ""
      http:
        paths:
          - backend:
              serviceName: demo-service
              servicePort: 80
            path: /hello
            pathType: ImplementationSpecific

      Clusters that run Kubernetes 1.19 or later

      apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: demo
  namespace: default
spec:
  ingressClassName: alb-demo2
  rules:
    - host: ""
      http:
        paths:
          - backend:
             service:
              name: demo-service
              port:
                number: 80
            path: /hello
            pathType: ImplementationSpecific

    Set the connection timeout period for listeners

    You can set the connection timeout period for listeners in the configuration of an AlbConfig. Valid values: 1 to 180. Unit: seconds. If no response is received from the backend server within the specified timeout period, ALB returns an HTTP 504 error code to the client. The default timeout period is 60 seconds. Example: 

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    requestTimeout: 60
  ...

    Configure data compression

    You can enable or disable data compression for listeners in an AlbConfig. Valid values of the gzipEnabled parameter:

    • true: compresses specific types of files.

    • false: does not compress files.

    Note

    All file types support Brotli compression. The following file types support Gzip compression: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json.

    The following YAML template disables data compression:

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    gzipEnabled: false
  ...

    Preserve client IP addresses

    You can set the X-Forwarded-For header field in an AlbConfig to reserve client IP addresses. Valid values of XForwardedForEnabled:

    • true: enables client IP address preservation.

    • false: disables client IP address preservation.

    Note

    Only HTTP listeners and HTTPS listeners support this parameter. 

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    #...
  listeners:
  - port: 80
    protocol: HTTP
    xForwardedForConfig:
      XForwardedForEnabled: true
  #...

    Retrieve the listening protocol used by the ALB instance

    You can set the X-Forwarded-For header field in an AlbConfig to retrieve the listening protocol used by the ALB instance. Valid values of XForwardedForProtoEnabled:

    • true: retrieves the listening protocol used by the ALB instance.

    • false: does not retrieve the listening protocol used by the ALB instance.

    Note

    Only HTTP listeners and HTTPS listeners support this parameter. 

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    xForwardedForConfig:
      XForwardedForProtoEnabled: true
  ...

    Retrieve the ID of the ALB instance

    You can set the SLB-ID header field in an AlbConfig to retrieve the ID of the ALB instance. Valid values of XForwardedForSLBIdEnabled:

    • true: retrieves the ID of the ALB instance.

    • false: does not retrieve the ID of the ALB instance.

    Note

    Only HTTP listeners and HTTPS listeners support this parameter. 

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    xForwardedForConfig:
      XForwardedForSLBIdEnabled: true
  ...

    Retrieve the listening ports of the ALB instance

    You can set the X-Forwarded-Port header field in an AlbConfig to retrieve the listening ports of the ALB instance. Valid values of XForwardedForSLBPortEnabled:

    • true: retrieves the listening ports of the ALB instance.

    • false: does not retrieve the listening ports of the ALB instance.

    Note

    Only HTTP listeners and HTTPS listeners support this parameter. 

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    xForwardedForConfig:
      XForwardedForSLBPortEnabled: true
  ...

    Retrieve the port that a client uses to connect to the ALB instance

    You can set the X-Forwarded-Client-Port header field in an AlbConfig to retrieve the port that a client uses to connect to the ALB instance. Valid values of XForwardedForClientSrcPortEnabled:

    • true: retrieves the port that a client uses to connect to the ALB instance.

    • false: does not retrieve the port that a client uses to connect to the ALB instance.

    Note

    Only HTTP listeners and HTTPS listeners support this parameter. 

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
    ...
  listeners:
  - port: 80
    protocol: HTTP
    xForwardedForConfig:
      XForwardedForClientSrcPortEnabled: true
  ...

    Configure network ACLs

    You can configure an AlbConfig to enable network access control lists (ACLs) for the listeners of an ALB instance. You can configure network ACLs to allow or deny access from specified IP addresses or CIDR blocks. This allows you to implement fine-grained access control on client requests. For more information about network ACLs, see Access control. 

    apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: default
spec:
  config:
   #...
  listeners:
  - port: 80
    protocol: HTTPS
    aclConfig:
      aclEntries:
      - 127.0.0.1/32
      aclType: White
  #...

    The following list describes some parameters that are specified in the preceding code block.

    • aclType: the type of network ACL. Valid values: Black (blacklist) and White (whitelist).

    • aclEntries: the CIDR block that you want to add to the ACL rule for access control. Example: 127.0.0.1/32.

    Delete an ALB instance

    An AlbConfig is used to configure an ALB instance. Therefore, you can delete an ALB instance by deleting the corresponding AlbConfig. Before you can delete an AlbConfig, you must delete all Ingresses that are associated with the AlbConfig. 

    kubectl -n kube-system delete AlbConfig alb-demo

    Replace alb-demo with the name of the AlbConfig that you want to delete.