You can use Alibaba Cloud Server Load Balancer (SLB) to access services.

Background information

If you specify an existing SLB instance for your cluster that uses Cloud Controller Manager (CCM) of V1.9.3 or later, CCM does not configure listeners for this SLB instance. You can set the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-force-override-listeners: "true" to enable CCM to configure listeners for this SLB instance. Alternatively, you can manually configure listeners for this SLB instance.

You can run the following command to check the CCM version:
root@master # kubectl get pod -n kube-system -o yaml|grep image:|grep cloud-con|uniq

  image: registry-vpc.cn-hangzhou.aliyuncs.com/acs/cloud-controller-manager-amd64:v1.9.3

Notes

  • If the type of a service is LoadBalancer, CCM creates or configures an SLB instance for the service, including resources such as the SLB instance, listener, and VServer group.
  • If the type of a service is not LoadBalancer, CCM does not configure an SLB instance for the service. If you change the type setting of a service from Type=LoadBalancer to Type! =LoadBalancer, CCM deletes the SLB instance that has been created for the service. If the SLB instance is an existing SLB instance specified by the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id, CCM does not delete the SLB instance.
  • Automatic configuration update

    CCM uses a declarative API to automatically update the configurations of an SLB instance based on the service configurations if certain conditions are met. If you modify the configurations of the SLB instance in the SLB console, the modification may be overwritten when CCM updates the configurations. The modification is not overwritten only in the scenario where the SLB instance is an existing SLB instance specified by you and the annotation service.beta.kubernetes.io/alicloud-loadbalancer-force-override-listeners is set to false. We recommend that you do not modify the configurations of an SLB instance in the SLB console if the SLB instance is created and maintained by CCM.

  • You can specify an existing SLB instance for a service, or enable CCM to create an SLB instance for a service. The SLB instances specified or created with these two methods are managed in different ways.
    Existing SLB instance
    • Only SLB instances created in the SLB console can be reused. SLB instances created by CCM cannot be reused.
    • If you want to reuse an internal SLB instance, the SLB instance must be deployed in the same Virtual Private Cloud (VPC) network as the Kubernetes cluster.
    • Set the annotation for the service to service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id.
    • SLB configurations

      CCM uses this existing SLB instance and configures the SLB instance based on other annotations. CCM creates multiple VServer groups for this SLB instance. When the nodes of your cluster change, CCM updates the nodes in the VServer groups accordingly.

    • Listener configurations

      Whether CCM configures listeners for this SLB instance depends on the setting of the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-force-override-listeners. If this annotation is set to false, CCM does not configure listeners for this SLB instance. If this annotation is set to true, CCM tries to update listeners for this SLB instance based on the service configurations.

    • SLB instance deletion

      When the service is deleted, CCM does not delete the existing SLB instance specified by the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id.

    SLB instance managed by CCM
    • CCM can automatically create and configure resources such as the SLB instance, listener, and VServer groups for a service based on the service configurations. All these resources are managed by CCM. We recommend that you do not manually modify the configurations of these resources in the SLB console. If the configurations are modified, CCM will restore the configurations to those declared by the service at the next reconciliation. This may cause unexpected results.
    • SLB instance deletion

      When the service is deleted, CCM deletes the SLB instance.

  • Backend server updates
    • CCM automatically updates the VServer group for the SLB instance of a service. When the endpoint of the service changes or nodes in the cluster change, CCM updates the VServer group accordingly.
    • If spec.externalTrafficPolicy is set to Cluster for a service, CCM adds all nodes of the cluster to the VServer group for the SLB instance. CCM will not do so if you have specified the VServer group for the service by setting BackendLabel. SLB limits the number of SLB instances to which an Elastic Compute Service (ECS) instance can be attached. This quota is consumed in a shorter period than average if CCM adds the VServer group in the preceding way. When the quota is used up, service reconciliation fails. To resolve this issue, you can set spec.ExternalTrafficPoilcy to Local for a service.
    • If spec.externalTrafficPoilcy is set to Local for a service, CCM adds only the nodes where the pods of the service are located to the VServer group of the SLB instance. This can reduce the speed of quota consumption. In addition, Layer-4 source IP addresses can be retained in this mode.
    • CCM does not add the master node of the cluster to the VServer group for the SLB instance.
    • If a node is drained or marked as unschedulable by the kubectl drain or kubectl cordon command, CCM removes the node from a VServer group of the SLB instance. To remove a node, set service.beta.kubernetes.io/alibaba-cloud-loadbalancer-remove-unscheduled-backend to On.
      Note For versions earlier than v1.9.3.164-g2105d2e-aliyun, CCM removes the unschedulable node from the VServer group of the SLB instance.
  • VPC routing
    A node in a cluster is mapped to a route entry of a route table. A VPC network supports up to 48 route entries. If the number of cluster nodes exceeds 48, submit a ticket to request a quota increase for the VPC service.
    Note In the ticket, you can describe your request to modify the parameter vpc_quota_route_entrys_num. This increases the maximum number of custom route entries that can be created in one route table.
    For more information about the limits on VPC, see Limits.

    To check the VPC quotas, go to the Quota Management page in the VPC console.

  • Limits on SLB
    • If the type of a service is LoadBalancer, CCM creates or configures an SLB instance for the service. By default, you can retain up to 60 SLB instances per account. To create more than 60 SLB instances, submit a ticket to request a quota increase for the SLB service.
      Note In the ticket, you can describe your request to modify the parameter slb_quota_instances_num. This increases the maximum number of SLB instances that can be retained per account.
    • CCM adds ECS instances to the VServer group of an SLB instance based on the service configurations.
      • By default, an ECS instance can be added to up to 50 VServer groups. To add the ECS instance to more VServer groups, submit a ticket to request a quota increase for the SLB service.
        Note In the ticket, you can describe your request to modify the parameter slb_quota_backendservers_num. This increases the maximum number of VServer groups to which an ECS instance can be added.
      • By default, up to 200 backend servers can be attached to an SLB instance. To attach more backend servers to the SLB instance, submit a ticket to request a quota increase for the SLB service.
        Note In the ticket, you can describe your request to modify the parameter slb_quota_backendservers_num. This increases the maximum number of backend servers that can be attached to an SLB instance.
    • CCM creates listeners based on the ports specified for a service. By default, you can add up to 50 listeners to an SLB instance. To add more listeners, submit a ticket to request a quota increase for the SLB service.
      Note In the ticket, you can describe your request to modify the parameter slb_quota_listeners_num. This increases the maximum number of listeners that can be added to an SLB instance.
    • For more information about the limits on SLB, see Limits.

      To check the SLB quotas, go to the Quota Management page in the SLB console.

Use the command line

Method 1:

  1. Create an NGINX application by using the command line.
    root@master # kubectl run nginx --image=registry.aliyuncs.com/acs/netdia:latest
    root@master # kubectl get po 
    NAME                                   READY     STATUS    RESTARTS   AGE
    nginx-2721357637-dvwq3                 1/1       Running   1          6s
  2. Create a service for the NGINX application and set the service type to LoadBalancer to expose the NGINX service to the Internet through an SLB instance.
    root@master # kubectl expose deployment nginx --port=80 --target-port=80 --type=LoadBalancer
    root@master # kubectl get svc
    NAME                  CLUSTER-IP      EXTERNAL-IP      PORT(S)                        AGE
    nginx                 172.19.XX.XX    101.37.XX.XX     80:31891/TCP                   4s
  3. Visit http://101.37.XX.XX in a browser to access the NGINX application.

Method 2:

  1. Copy the following YAML code to the nginx-svc.yml file and save the file:
    apiVersion: v1
    kind: Service
    metadata:
      labels:
        run: nignx
      name: nginx-01
      namespace: default
    spec:
      ports:
      - port: 80
        protocol: TCP
        targetPort: 80
      selector:
        run: nginx
      type: LoadBalancer
  2. Run the following command to create an NGINX application:
    kubectl apply -f nginx-svc.yml
  3. Run the following command to expose the NGINX service to the public network:
    root@master # kubectl get service
    NAME           TYPE           CLUSTER-IP      EXTERNAL-IP      PORT(S)        AGE9d
    ngi-01nx       LoadBalancer   172.19.XX.XX    101.37.XX.XX     80:32325/TCP   3h
  4. Visit http://101.37.XX.XX in a browser to access the NGINX application.

Use the Kubernetes dashboard

  1. Copy the following YAML code to the nginx-svc.yml file and save the file:
    apiVersion: v1
    kind: Service
    metadata:
      labels:
        run: nginx
      name: http-svc
      namespace: default
    spec:
      ports:
      - port: 80
        protocol: TCP
        targetPort: 80
      selector:
        run: nginx
      type: LoadBalancer
  2. Log on to the Container Service for Kubernetes console. In the left-side navigation pane, choose Clusters > Clusters. On the Clusters page that appears, find the cluster that you want to manage, and choose More > Dashboard in the Actions column for the cluster. The Kubernetes dashboard page appears.
  3. Click CREATE to create an application.
    Create an application
  4. Click the CREATE FROM FILE tab. Select the file nginx-svc.yml.
  5. Click UPLOAD.
    An NGINX service of the LoadBalancer type is created for the NGINX application.The service name is http-svc.
  6. In the left-side navigation pane, select the default namespace and click Services.
    You can find the new service http-svc and its public endpoint http://114.55.XX.XX:80.
    Access the service
  7. Enter the endpoint in a browser to access the NGINX service.

Use the Container Service for Kubernetes console

  1. Log on to the Container Service console.
  2. Select the required cluster and namespace, and click Create from Template.
    Create a deployment
  3. Select Custom in Sample Template and copy the following code to the Template section:
    apiVersion: v1
    kind: Service
    metadata:
      labels:
        run: nginx
      name: ngnix
      namespace: default
    spec:
      ports:
      - port: 80
        protocol: TCP
        targetPort: 80
      selector:
        run: nginx
      type: LoadBalancer
  4. Click Create.
  5. Click Kubernetes Dashboard to check the creation progress on the Kubernetes dashboard page.
    Kubernetes dashboard
  6. Alternatively, choose Ingresses and Load Balancing > Services in the left-side navigation pane, and select the required cluster and namespace to check the deployed service.
    Deploy a service

References

Alibaba Cloud SLB supports a variety of parameters. For example, you can configure the health check, billing method, and SLB instance type.

Annotations

Alibaba Cloud allows you to use SLB features by specifying annotations.

  • Create a public SLB instance
    apiVersion: v1
    kind: Service
    metadata:
      name: nginx
      namespace: default
    spec:
      ports:
      - port: 80
        protocol: TCP
        targetPort: 80
      selector:
        run: nginx
      type: LoadBalancer
  • Create an internal SLB instance
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: "intranet"
      name: nginx
      namespace: default
    spec:
      ports:
      - port: 80
        protocol: TCP
        targetPort: 80
      selector:
        run: nginx
      type: LoadBalancer
  • Create an HTTP-based SLB instance
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "http:80"
      name: nginx
      namespace: default
    spec:
      ports:
      - port: 80
        protocol: TCP
        targetPort: 80
      selector:
        run: nginx
      type: LoadBalancer
  • Create an HTTPS-based SLB instance

    Create a certificate in the Alibaba Cloud SLB console, make a note of the certificate ID, and then use the following annotations to create an HTTPS-based SLB instance.

    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "https:443"
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}"
      name: nginx
      namespace: default
    spec:
      ports:
      - port: 443
        protocol: TCP
        targetPort: 443
      selector:
        run: nginx
      type: LoadBalancer
  • Limit the bandwidth of an SLB instance
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-charge-type: "paybybandwidth"
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-bandwidth: "100"
      name: nginx
      namespace: default
    spec:
      ports:
      - port: 443
        protocol: TCP
        targetPort: 443
      selector:
        run: nginx
      type: LoadBalancer
  • Set the SLB instance specification
    For more information about SLB instance specifications, see CreateLoadBalancer. You can configure the annotation in the following example to create an SLB instance with the required specification or update the specification of an existing SLB instance.
    Notice If you modify the SLB specifications in the SLB console, the modified specifications may be overwritten by CCM. Proceed with caution.
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-spec: "slb.s1.small"
      name: nginx
      namespace: default
    spec:
      ports:
      - port: 443
        protocol: TCP
        targetPort: 443
      selector:
        run: nginx
      type: LoadBalancer
  • Use an existing SLB instance
    • By default, listeners of an existing SLB instance are not overwritten. To forcibly overwrite listeners of an existing SLB instance, set service.beta.kubernetes.io/alibaba-cloud-loadbalancer-force-override-listeners to true.
      Note Listeners of an existing SLB instance are not overwritten by default because of the following two reasons:
      • If a service is bound to an existing listener, forcing an overwrite of the listener may cause a service interruption.
      • CCM supports limited VServer group configurations and cannot process complex configurations. If you have complex VServer group configuration requirements, you can configure the listener in the console without overwriting the listener.
      In either case, we recommend that you do not forcibly overwrite the listener. If the listener port of the existing SLB instance is no longer in use, you can forcibly overwrite the listener.
    • Currently, you cannot attach additional tags to an existing SLB instance by using the annotation annotation: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-additional-resource-tags.
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id: "${YOUR_LOADBALACER_ID}"
      name: nginx
      namespace: default
    spec:
      ports:
      - port: 443
        protocol: TCP
        targetPort: 443
      selector:
        run: nginx
      type: LoadBalancer
  • Use an existing SLB instance and forcibly overwrite listeners of the SLB instance
    When you forcibly overwrite the existing listener, if a listener port conflict occurs, the existing listener is deleted.
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id: "${YOUR_LOADBALACER_ID}"
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-force-override-listeners: "true"
      name: nginx
      namespace: default
    spec:
      ports:
      - port: 443
        protocol: TCP
        targetPort: 443
      selector:
        run: nginx
      type: LoadBalancer
  • Use backend labels to specify the worker nodes as backend servers

    Separate multiple labels with commas (,). Example: "k1=v1,k2=v2". A node must match all specified labels before you can add the node as a backend server.

    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-backend-label: "failure-domain.beta.kubernetes.io/zone=ap-southeast-5a"
      name: nginx
      namespace: default
    spec:
      ports:
      - port: 443
        protocol: TCP
        targetPort: 443
      selector:
        run: nginx
      type: LoadBalancer
  • Set the session persistence period for a TCP-based SLB instance
    • The annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-persistence-time applies only to TCP listeners.
    • If an SLB instance has multiple TCP listeners, the setting takes effect for all the TCP listeners.
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-persistence-timeout: "1800"
      name: nginx
      namespace: default
    spec:
      ports:
      - port: 443
        protocol: TCP
        targetPort: 443
      selector:
        run: nginx
      type: LoadBalancer
  • Enable session persistence and set Cookie Handling Options to Insert cookie for an HTTP-based or HTTPS-based SLB instance
    • Only HTTP-based and HTTPS-based SLB instances support this setting.
    • If an SLB instance has multiple HTTP or HTTPS listeners, the setting takes effect for all the HTTP or HTTPS listeners.
    • All annotations specified in the following example are required if you want to configure session persistence based on cookie inserting.
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-sticky-session: "on"
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-sticky-session-type: "insert"
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cookie-timeout: "1800"
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "http:80"
      name: nginx
      namespace: default
    spec:
      ports:
      - port: 80
        protocol: TCP
        targetPort: 80
      selector:
        run: nginx
      type: LoadBalancer
  • Configure session persistence based on the server cookie for an HTTP-based or HTTPS-based SLB instance
    • Only HTTP-based and HTTPS-based SLB instances support this setting.
    • If an SLB instance has multiple HTTP or HTTPS listeners, the setting takes effect for all the HTTP or HTTPS listeners.
    • All annotations specified in the following example are required if you want to configure session persistence based on the server cookie.
    • The cookie specified by the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cookie can contain only letters, digits, underscores (_), and hyphens (-).
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-sticky-session: "on"
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-sticky-session-type: "server"
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cookie: "${YOUR_COOKIE}"
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "http:80"
      name: nginx
      namespace: default
    spec:
      ports:
      - port: 80
        protocol: TCP
        targetPort: 80
      selector:
        run: nginx
      type: LoadBalancer
  • Specify the primary and secondary zones when you create an SLB instance
    • SLB instances in some regions do not support primary and secondary zones, such as ap-southeast-5.
    • After you create the SLB instance, these zones cannot be changed.
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-master-zoneid: "ap-southeast-5a"
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-slave-zoneid: "ap-southeast-5a"
      name: nginx
      namespace: default
    spec:
      ports:
      - port: 80
        protocol: TCP
        targetPort: 80
      selector:
        run: nginx
      type: LoadBalancer
  • Use the nodes where pods are located as backend servers

    By default, externalTrafficPolicy is set to Cluster for a service. In the Cluster mode, all nodes in the cluster are used as backend servers. You can set externalTrafficPolicy to Local for a service. Therefore, only nodes where pods are located are used as backend servers.

    In the Local mode, you must set the scheduling policy to Weighted Round-Robin (wrr).

    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-scheduler: "wrr"
      name: nginx
      namespace: default
    spec:
      externalTrafficPolicy: Local
      ports:
      - port: 80
        protocol: TCP
        targetPort: 80
      selector:
        run: nginx
      type: LoadBalancer
  • Create an SLB instance that runs in a Virtual Private Cloud (VPC) network
    • To create an SLB instance that runs in a VPC network, all annotations specified in the following example are required.
    • Internal SLB instances support the VPC and classic networks. For more information, see SLB instance overview.
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: "intranet"
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-network-type: "vpc"
      name: nginx
      namespace: default
    spec:
      ports:
      - port: 443
        protocol: TCP
        targetPort: 443
      selector:
        run: nginx
      type: LoadBalancer
  • Create an SLB instance that is billed by bandwidth
    • Only public SLB instances support billing by bandwidth.
    • All annotations specified in the following example are required if you want to create an SLB instance that is billed by bandwidth.
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-bandwidth: "45"
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-charge-type: "paybybandwidth"
      name: nginx
      namespace: default
    spec:
      ports:
      - port: 443
        protocol: TCP
        targetPort: 443
      selector:
        run: nginx
      type: LoadBalancer
  • Create an SLB instance with the health check feature enabled
    • Create a TCP- based SLB instance with the health check feature enabled
      • The health check feature is enabled for TCP listeners and cannot be disabled. The annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-flag is invalid.
      • To create a TCP-based SLB instance with the health check feature enabled, all annotations specified in the following example are required.
      apiVersion: v1
      kind: Service
      metadata:
        annotations:
          service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-type: "tcp"
          service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-connect-timeout: "8"
          service.beta.kubernetes.io/alibaba-cloud-loadbalancer-healthy-threshold: "4"
          service.beta.kubernetes.io/alibaba-cloud-loadbalancer-unhealthy-threshold: "4"
          service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-interval: "3"
        name: nginx
        namespace: default
      spec:
        ports:
        - port: 80
          protocol: TCP
          targetPort: 80
        selector:
          run: nginx
        type: LoadBalancer
    • Create an HTTP-based SLB instance with the health check feature enabled

      To create an HTTP-based SLB instance with the health check feature enabled, all annotations specified in the following example are required.

      apiVersion: v1
      kind: Service
      metadata:
        annotations:
          service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-flag: "on"
          service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-type: "http"
          service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-uri: "/test/index.html"
          service.beta.kubernetes.io/alibaba-cloud-loadbalancer-healthy-threshold: "4"
          service.beta.kubernetes.io/alibaba-cloud-loadbalancer-unhealthy-threshold: "4"
          service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-timeout: "10"
          service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-interval: "3"
          service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "http:80"
        name: nginx
        namespace: default
      spec:
        ports:
        - port: 80
          protocol: TCP
          targetPort: 80
        selector:
          run: nginx
        type: LoadBalancer
  • Set the scheduling algorithm for an SLB instance
    • rr (default): Requests are sequentially distributed to backend servers.
    • wrr: Backend servers with higher weights receive more requests than those with lower weights.
    • wlc: Requests are forwarded based on the weight and load of each backend server. The load is the number of connections to a backend server. If the weights are the same, backend servers with fewer connections receive more requests than those with more connections.
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-scheduler: "wlc"
      name: nginx
      namespace: default
    spec:
      ports:
      - port: 443
        protocol: TCP
        targetPort: 443
      selector:
        run: nginx
      type: LoadBalancer
  • Create an SLB instance with the access control feature enabled
    • Create an access control list (ACL) in the Alibaba Cloud SLB console, make a note of the ACL ID, and then use the following annotations to create an SLB instance with the access control feature enabled.
    • A whitelist allows only access from specific IP addresses. A blacklist restricts only access from specific IP addresses.
    • Before you use this feature, make sure that the CloudControllerManage component uses the latest version. Log on to the . In the left-side navigation pane, choose Clusters > Clusters. On the Clusters page that appears, find the cluster that you want to manage, and choose More > Manage System Components in the Actions column for the cluster. On the Components page that appears, find the Cloud Controller Manager component, and click Upgrade.Manage system components
    • All annotations specified in the following example are required if you want to create an SLB instance with the access control feature enabled.
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-acl-status: "on"
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-acl-id: "${YOUR_ACL_ID}"
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-acl-type: "white"
      name: nginx
      namespace: default
    spec:
      ports:
      - port: 443
        protocol: TCP
        targetPort: 443
      selector:
        run: nginx
      type: LoadBalancer
  • Specify a VSwitch for an SLB instance
    • Search for the ID of the target VSwitch in the Alibaba Cloud VPC console. Then, specify the VSwitch for an SLB instance by using the required annotations.
    • All annotations specified in the following example are required if you want to specify a VSwitch for an SLB instance.
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
       service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type: "intranet"
       service.beta.kubernetes.io/alibaba-cloud-loadbalancer-vswitch-id: "${YOUR_VSWITCH_ID}"
      name: nginx
      namespace: default
    spec:
      ports:
      - port: 443
        protocol: TCP
        targetPort: 443
      selector:
        run: nginx
      type: LoadBalancer
  • Configure port forwarding for an SLB instance
    • Port forwarding enables an SLB instance to forward requests from an HTTP port to an HTTPS port.
    • Create a certificate in the Alibaba Cloud SLB console, make a note of the certificate ID, and then use the following annotations to configure port forwarding for an SLB instance.
    • All annotations specified in the following example are required if you want to configure port forwarding for an SLB instance.
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "https:443,http:80"
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}"
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-forward-port: "80:443"
      name: nginx
      namespace: default
    spec:
      ports:
      - name: https
        port: 443
        protocol: TCP
        targetPort: 443
      - name: http
        port: 80
        protocol: TCP
        targetPort: 80
      selector:
        run: nginx
      type: LoadBalancer
  • Attach additional tags to an SLB instance

    Separate multiple tags with commas (,), for example, "k1=v1,k2=v2".

    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-additional-resource-tags: "Key1=Value1,Key2=Value2" 
      name: nginx
      namespace: default
    spec:
      ports:
      - port: 80
        protocol: TCP
        targetPort: 80
      selector:
        run: nginx
      type: LoadBalancer
  • Detach the backend servers in the SchedulingDisabled state from the SLB instance
    You can run the kubectl cordon and kubectl drain commands to set the node to the SchedulingDisabled state. The default value of service.beta.kubernetes.io/alibaba-cloud-loadbalancer-remove-unscheduled-backend is off. Nodes in the Unscheduleable state will not be removed from the SLB backend server group. To detach backend servers in the SchedulingDisabled state from the SLB instance, set service.beta.kubernetes.io/alibaba-cloud-loadbalancer-remove-unscheduled-backend to on.
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-remove-unscheduled-backend: "on"
      name: nginx
    spec:
      externalTrafficPolicy: Local
      ports:
      - name: http
        port: 30080
        protocol: TCP
        targetPort: 80
      selector:
        app: nginx
      type: LoadBalancer
  • Mount pods to an SLB backend server
    You can set annotation:service.beta.kubernetes.io/backend-type to "eni" to mount pods to an SLB backend server in the Terway ENI network mode. This helps to improve the forwarding performance.
      apiVersion: v1
      kind: Service
      metadata:
        annotations:
          service.beta.kubernetes.io/backend-type: "eni"
        name: nginx
      spec:
        ports:
        - name: http
          port: 30080
          protocol: TCP
          targetPort: 80
        selector:
          app: nginx
        type: LoadBalancer
  • Create an IPv6 SLB instance
    • The kube-proxy mode must be set to IPVS.
    • The assigned IPv6 address can be used only in an IPv6 network.
    • You cannot change the IP address type after you create the IPv6 SLB instance.
    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ip-version: "ipv6"
      name: nginx
    spec:
      ports:
      - port: 80
        protocol: TCP
        targetPort: 80
      selector:
        app: nginx
      type: LoadBalancer
Note
  • The values of the annotations are case sensitive.
  • Since September 11, 2019, the annotation field has been updated from alicloud to alibaba-cloud.

    Example:

    Before the update: service.beta.kubernetes.io/alicloud-loadbalancer-id

    After the update: service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id

    The system is compatible with the writing format of alicloud. You do not need to make any changes.

Annotation Type Description Default value Supported version
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port String The listening port. Separate multiple ports with commas (,), for example, https:443,http:80 None V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type String The type of the SLB instance. Valid values: internet and intranet. internet V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-slb-network-type String The network type of the SLB instance. Valid values: classic and vpc.

Set the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-address-type to intranet if you want to specify vpc as the network type.

classic V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-charge-type String The billing method of the SLB instance. Valid values: paybytraffic and paybybandwidth. paybytraffic V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id String The ID of the SLB instance. You can specify an existing SLB instance by setting the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id. By default, if you specify an existing SLB instance, the listeners of the SLB instance are not overwritten. To forcibly overwrite the listeners, set the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-force-override-listeners to true. None V1.9.3.81-gca19cd4-aliyun and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-backend-label String The labels for specifying the worker nodes to be added as backend servers of the SLB instance. None V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-spec String The type of the SLB instance. For more information, see CreateLoadBalancer. None V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-persistence-timeout String The session persistence time. Unit: seconds.

This annotation applies only to TCP listeners. Valid values: 0 to 3600.

The default value is 0 and specifies that session persistence is disabled.

For more information, see CreateLoadBalancerTCPListener.

0 V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-sticky-session String Specifies whether to enable session persistence. Valid values: on and off.
Note This annotation applies only to HTTP and HTTPS listeners.

For more information, see CreateLoadBalancerHTTPListener and CreateLoadBalancerHTTPSListener.

off V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-sticky-session-type String The method used to handle the cookie. Valid values:
  • insert: inserts a cookie.
  • server: rewrites a cookie.
Note
  • This annotation applies only to HTTP and HTTPS listeners.
  • You must specify this annotation if the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-sticky-session is set to on.

For more information, see CreateLoadBalancerHTTPListener and CreateLoadBalancerHTTPSListener.

None V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cookie-timeout String The cookie timeout period. Unit: seconds. Valid values: 1 to 86,400.
Note You must specify this annotation if the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-sticky-session is set to on and the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-sticky-session-type is set to insert.

For more information, see CreateLoadBalancerHTTPListener and CreateLoadBalancerHTTPSListener.

None V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cookie String The cookie configured on the backend server.

The cookie must be 1 to 200 characters in length. It can contain only ASCII letters and digits. It cannot contain commas (,), semicolons (;), or spaces. It cannot start with a dollar sign ($).

Note

You must specify this annotation if the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-sticky-session is set to on and the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-sticky-session-type is set to server.

For more information, see CreateLoadBalancerHTTPListener and CreateLoadBalancerHTTPSListener.

None V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-master-zoneid String The ID of the zone of the primary backend server. None V1.9.3.10-gfb99107-aliyun and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-slave-zoneid String The ID of the zone of the secondary backend server. None V1.9.3.10-gfb99107-aliyun and later versions
externalTrafficPolicy String The policy for adding nodes as backend servers. Valid values:
  • Cluster: adds all nodes as backend servers.
  • Local: adds the nodes where pods are located as backend servers.
Cluster V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-force-override-listeners String Specifies whether to overwrite the listeners of an existing SLB instance that is specified. false: The listeners of the existing SLB instance are not overwritten. V1.9.3.81-gca19cd4-aliyun and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-bandwidth String The bandwidth of the SLB instance. This annotation applies only to public SLB instances. 50 V1.9.3.10-gfb99107-aliyun and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id String The ID of the certificate used on Alibaba Cloud. You must upload the certificate. None V1.9.3.164-g2105d2e-aliyun and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-flag String Specifies whether to enable the health check feature. Valid values: on and off.
  • For TCP listeners, the default value is on, and cannot be changed.
  • For HTTP listeners, the default value is off.
off: This annotation is not required for TCP listeners. By default, the health check feature is enabled for TCP listeners and cannot be disabled. V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-type String The type of health checks. Valid values: tcp and http.

For more information, see CreateLoadBalancerTCPListener.

tcp V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-uri String The URI used for health checks.
Note This annotation is not required when the type of health checks is set to TCP.

For more information, see CreateLoadBalancerTCPListener.

None V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-connect-port String The port used for health checks. Valid values:
  • -520: uses the backend port number configured for the listener.
  • 1-65535: the backend port number used for health checks.

For more information, see CreateLoadBalancerTCPListener.

None V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-healthy-threshold String The number of times for which a backend server consecutively passes health checks before the backend server is declared to be healthy and the health check state is changed from fail to success.

Valid values: 2 to 10.

For more information, see CreateLoadBalancerTCPListener.

3 V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-unhealthy-threshold String The number of times for which a backend server consecutively fails health checks before the backend server is declared to be failed and the health check state is changed from fail to success. Valid values:

2 to 10

For more information, see CreateLoadBalancerTCPListener.

3 V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-interval String The interval between two consecutive health checks. Unit: seconds.

Valid values: 1 to 50.

For more information, see CreateLoadBalancerTCPListener.

2 V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-connect-timeout String The timeout period for waiting for a health check response. Unit: seconds. This annotation applies to TCP health checks. If a backend server does not respond within the specified timeout period, the server fails the health check.

Valid values: 1 to 300.

Note If the value of the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-connect-timeout is less than that of the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-interval, the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-connect-timeout is invalid. In this case, the value of the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-interval is used as the timeout period.

For more information, see CreateLoadBalancerTCPListener.

5 V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-timeout String The timeout period for waiting for a health check response. Unit: seconds. This annotation applies to HTTP health checks. If a backend server does not respond within the specified timeout period, the server fails the health check.

Valid values: 1 to 300.

Note If the value of the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-timeout is less than that of the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-interval, the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-timeout is invalid. In this case, the value of the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-interval is used as the timeout period.

For more information, see CreateLoadBalancerTCPListener.

5 V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-domain String The domain name used for health checks.
  • $_ip: the internal IP address of the backend server. If you do not specify this annotation or you set it to $_ip, the SLB instance uses the internal IP address of each backend server as the domain name for health checks.
  • domain: The domain name must be 1 to 80 characters in length. It can contain only letters, digits, periods (.), and hyphens (-).
None V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-health-check-httpcode String The HTTP status code that specifies that a health check is successful. Separate multiple HTTP status codes with commas (,). Valid values:
  • http_2xx
  • http_3xx
  • http_4xx
  • http_5xx
Default value: http_2xx.
http_2xx V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-scheduler String The algorithm used to distribute network traffic. Valid values: wrr, wlc, and rr.
  • wrr: Backend servers with higher weights receive more requests than those with lower weights.
  • wlc: Requests are forwarded based on the weight and load of each backend server. The load is the number of connections to a backend server. If the weights are the same, backend servers with fewer connections receive more requests than those with more connections.
  • rr (default): Requests are sequentially distributed to backend servers.
rr V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-acl-status String Specifies whether to enable the access control feature. Valid values: on and off. off V1.9.3.164-g2105d2e-aliyun and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-acl-id String The ID of the access control list (ACL) to which the listener is bound. This annotation is required if the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-acl-status is set to on. None V1.9.3.164-g2105d2e-aliyun and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-acl-type String The type of the ACL.

Valid values: white and black.

  • white: specifies the ACL as a whitelist. Only requests from the IP addresses or classless inter-domain routing (CIDR) blocks in the ACL are forwarded. Whitelists are applicable in scenarios where you want to allow only specific IP addresses to access an application. Risks may arise if you specify the ACL as a whitelist. After a whitelist is set, the SLB instance forwards only requests from the IP addresses in the whitelist. If you enable a whitelist without any IP addresses specified in the ACL, the SLB listener will forward all access requests.
  • black: specifies the ACL as a blacklist. All requests from the IP addresses or CIDR blocks in the ACL are rejected. Blacklists are applicable in scenarios where you want to forbid specific IP addresses from accessing an application. If a blacklist is set without any IP addresses specified in the ACL, the SLB instance will forward all requests. This annotation is required if the annotation service.beta.kubernetes.io/alibaba-cloud-loadbalancer-acl-status is set to on.
None V1.9.3.164-g2105d2e-aliyun and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-vswitch-id String The ID of the VSwitch to which the SLB instance belongs. To specify this annotation, you must set the annotation service.beta.kubernetes.io/alicloud-loadbalancer-address-type to intranet. None V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-forward-port String Specifies that HTTP requests are forwarded to the denoted HTTPS port. Example: 80:443 None V1.9.3.164-g2105d2e-aliyun and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-additional-resource-tags String The tags to be attached to the SLB instance. Separate multiple tags with commas (,). Example: "k1=v1,k2=v2" None V1.9.3 and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-remove-unscheduled-backend String Detaches the SchedulingDisabled backend server from the SLB instance. Valid values: on and off. off V1.9.3.164-g2105d2e-aliyun and later versions
service.beta.kubernetes.io/backend-type String Allows you to mount pods to the SLB backend server in the Terway ENI network mode by setting the annotation to "eni". This helps to improve the forwarding performance. Valid value: eni. None V1.9.3.164-g2105d2e-aliyun and later versions
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-ip-version String The type of the IP address of the SLB instance. Valid values: ipv4 and ipv6 ipv4 V1.9.3.220-g24b1885-aliyun and later versions