
Container Service for Kubernetes: ALB Ingress Configuration Dictionary

Last Updated: Mar 10, 2026

You can use the AlbConfig custom resource to customize your ALB instance configuration. This topic describes all supported Ingress annotations and AlbConfig fields, including their descriptions and usage.

Index

Annotation fields

Feature category

Ingress annotation configuration

Annotation YAML

Annotation YAML example

ALB Ingress configuration

Health check

Listener or protocol configuration

Traffic forwarding rule configuration

Advanced configuration

Other

Other

AlbConfig fields

Field category

Field links

AlbConfig YAML

Full AlbConfig YAML

AlbConfig

ALB instance

LoadBalancerSpec

Listener configuration

ListenerSpec[]

Virtual switch

ZoneMapping

Simple Log Service

AccessLogConfig

QUIC listener

QuicConfig

Certificate configuration

Certificate

Access control

AclConfig

Tracing Analysis

AccessLogTracingConfig

X-Forwarded- configuration

XForwardedForConfig

Custom header in logs

LogConfig

Reserved fields

Annotation YAML example

This example shows how to use annotations to configure an ALB instance in an Ingress resource. For details about each annotation, see the following sections.


apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-ingress
  annotations:
    alb.ingress.kubernetes.io/healthcheck-enabled: "true"
    alb.ingress.kubernetes.io/healthcheck-path: "/"
    alb.ingress.kubernetes.io/healthcheck-protocol: "HTTP"
    alb.ingress.kubernetes.io/healthcheck-httpversion: "HTTP1.1"
    alb.ingress.kubernetes.io/healthcheck-method: "HEAD"
    alb.ingress.kubernetes.io/healthcheck-code: "http_2xx"
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5"
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: "2"
    alb.ingress.kubernetes.io/healthy-threshold-count: "3"
    alb.ingress.kubernetes.io/unhealthy-threshold-count: "3"
    # The Service named after "conditions." must exist in the cluster. Its name must match the service name in the backend field of the rule.
    # In pathConfig values, add ~* before a regular expression to mark it as such. The part after ~* is the actual regular expression.
    # Do not add ~* before an exact match.
    alb.ingress.kubernetes.io/conditions.tea-svc: |
      [{
        "type": "Path",
        "pathConfig": {
          "values": [
            "~*^/pathvalue1",
            "/pathvalue2"
          ]
        }
      }]
    alb.ingress.kubernetes.io/order: "1"
    alb.ingress.kubernetes.io/canary: "true"
    alb.ingress.kubernetes.io/canary-by-header: "location"
    alb.ingress.kubernetes.io/canary-by-header-value: "hz"
    # ... ...
spec:
  ingressClassName: alb
  rules:
  - http:
      paths:
      # Configure context path
      - path: /tea
        pathType: Prefix
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      # Configure context path
      - path: /coffee
        pathType: Prefix
        backend:
          service:
            name: coffee-svc
            port:
              number: 80

Annotations supported by Ingress

You can add annotations to your Ingress resources as needed.

Health check

Annotation

Description

alb.ingress.kubernetes.io/healthcheck-enabled

Enable health checks for the backend server group. For a configuration example, see Configure health check.

  • true: Enable

  • false: Disable

Default: false.

alb.ingress.kubernetes.io/healthcheck-path

Health check path.

Default: /.

alb.ingress.kubernetes.io/healthcheck-protocol

Protocol used for health checks.

  • HTTP: Use HTTP. Send HEAD or GET requests to simulate browser access and verify application health.

  • HTTPS: Use HTTPS. Send HEAD or GET requests to simulate browser access and verify application health.

  • TCP: Use TCP. Send SYN handshake packets to verify if the server port is active.

  • GRPC: Use gRPC. Send POST or GET requests to verify application health.

Default: HTTP.

alb.ingress.kubernetes.io/healthcheck-httpversion

HTTP version. Applies only when healthcheck-protocol is HTTP or HTTPS.

  • HTTP1.0

  • HTTP1.1

Default: HTTP1.1.

alb.ingress.kubernetes.io/healthcheck-method

Health check method.

  • HEAD

  • POST

  • GET

Default: HEAD.

Important

Select POST or GET when healthcheck-protocol is GRPC.

alb.ingress.kubernetes.io/healthcheck-httpcode

Health check status codes. A backend server is considered healthy only if the probe request succeeds and returns one of these status codes.

Enter one or more of the following options, separated by commas:

  • http_2xx

  • http_3xx

  • http_4xx

  • http_5xx

Default: http_2xx.

alb.ingress.kubernetes.io/healthcheck-code

Health check status codes. A backend server is considered healthy only if the probe request succeeds and returns one of these status codes.

If both healthcheck-httpcode and this field are set, this field takes precedence.

Valid values depend on the value of healthcheck-protocol:

  • HTTP or HTTPS:

    Enter one or more of the following options, separated by commas:

    • http_2xx

    • http_3xx

    • http_4xx

    • http_5xx

    Default: http_2xx.

  • GRPC:

    Range: [0, 99].

    Default: 0.

    Supports up to 20 ranges, separated by commas.

alb.ingress.kubernetes.io/healthcheck-timeout-seconds

Health check timeout period, in seconds (s).

Range: [1, 300].

Default: 5.

alb.ingress.kubernetes.io/healthcheck-interval-seconds

Interval between health checks, in seconds (s).

Range: [1, 50].

Default: 2.

alb.ingress.kubernetes.io/healthy-threshold-count

Number of successful health checks required to mark a backend server as healthy.

Range: [2, 10].

Default: 3.

alb.ingress.kubernetes.io/unhealthy-threshold-count

Number of failed health checks required to mark a backend server as unhealthy.

Range: [2, 10].

Default: 3.

alb.ingress.kubernetes.io/healthcheck-connect-port

Port used for health checks.

Default: 0.

Note

0 indicates the health check uses the backend server's port.

Redirection

Annotation

Description

alb.ingress.kubernetes.io/ssl-redirect

Redirect HTTP requests to HTTPS (port 443) using HTTP status code 308. For a configuration example, see Configure HTTP-to-HTTPS redirection.

  • true: Redirect to HTTPS.

  • false: Do not redirect to HTTPS.

Default: false.

Protocol used by backend service

Annotation

Description

alb.ingress.kubernetes.io/backend-protocol

Protocol used by the backend server group. For a configuration example, see Support for HTTPS and gRPC protocols on backend servers.

  • http: Use HTTP.

  • https: Use HTTPS.

  • grpc: Use gRPC.

Default: http.

Note

Supported backend protocols per listener type:

  • HTTP listeners support HTTP and HTTPS.

  • HTTPS listeners support HTTP, HTTPS, and gRPC.

  • QUIC listeners support HTTP.

Rewrite

Annotation

Description

alb.ingress.kubernetes.io/rewrite-target

Target path for path rewriting. For a configuration example, see Rewrite path.

Listener

Annotation

Description

alb.ingress.kubernetes.io/listen-ports

Ports and protocols for listeners associated with the Ingress resource. For a configuration example, see Configure custom listener ports.

Specify the listener protocols and ports you want to associate with the Ingress rules (examples below):

  • '[{"HTTP": 80}]' : Associate with HTTP listener on port 80.

  • '[{"HTTPS": 443}]' : Associate with HTTPS listener on port 443.

  • '[{"QUIC": 443}]' : Associate with QUIC listener on port 443.

  • '[{"HTTP": 80}, {"HTTPS": 443}]' : Associate with HTTP listener on port 80 and HTTPS listener on port 443.

  • '[{"HTTPS": 443}, {"QUIC": 443}]' : Associate with HTTPS listener on port 443 and QUIC listener on port 443.

Slow start

Annotation

Description

alb.ingress.kubernetes.io/slow-start-enabled

Enable slow start. When enabled, ALB Ingress gradually shifts traffic to newly added pods in a Service backend. This avoids CPU and memory spikes during pod startup. For a configuration example, see Backend slow start.

  • true: Enable

  • false: Disable

Default: disabled.

alb.ingress.kubernetes.io/slow-start-duration

Time, in seconds (s), for traffic to ramp up after slow start completes. Longer durations mean slower ramp-up.

Range: [30, 900].

Default: 30.

Priority

Annotation

Description

alb.ingress.kubernetes.io/order

Relative priority of the forwarding rule. Lower numbers indicate higher priority. For a configuration example, see Configure forwarding rule priority.

Range: [1, 1000].

Default: 10.

Phased release

Annotation

Description

alb.ingress.kubernetes.io/canary

Enable canary phased release. For step-by-step instructions, see Implement phased release with ALB Ingress.

  • true: Enable

  • false: Disable

Default: false.

alb.ingress.kubernetes.io/canary-by-header

Request header used to trigger canary routing.

alb.ingress.kubernetes.io/canary-by-header-value

Header value that triggers canary routing.

alb.ingress.kubernetes.io/canary-by-cookie

Cookie used to trigger canary routing.

alb.ingress.kubernetes.io/canary-weight

Percentage of requests routed to the specified service (integer from 0 to 100). For step-by-step instructions, see Canary weight.

Session persistence

Annotation

Description

alb.ingress.kubernetes.io/sticky-session

Enable session persistence for the backend server group. For a configuration example, see Enable session persistence with annotations.

  • true: Enable session persistence.

  • false: Disable session persistence.

Default: false.

alb.ingress.kubernetes.io/sticky-session-type

Type of session persistence.

  • Insert: Insert cookie mode. ALB inserts a cookie into the response on the client's first visit.

  • Server: Rewrite cookie mode. ALB rewrites the existing cookie if the user has defined one.

Default: Insert.

alb.ingress.kubernetes.io/cookie-timeout

Session persistence timeout period, in seconds (s).

Range: [1, 86400].

Default: 1000.

alb.ingress.kubernetes.io/cookie

Custom cookie value. Type: string. Default: "".

Connection draining

Annotation

Description

alb.ingress.kubernetes.io/connection-drain-enabled

Enable connection draining. When enabled, ALB Ingress keeps traffic flowing normally for a period after a backend pod enters the Terminating state or fails health checks. When the timeout expires, the connections are closed. This prevents business disruption from sudden backend removal. For details, see Connection draining.

  • true: Enable connection draining.

  • false: Disable connection draining.

Default: disabled.

alb.ingress.kubernetes.io/connection-drain-timeout

Connection draining timeout period, in seconds (s).

Range: [0, 900].

Default: 300.

Load balancing

Annotation

Description

alb.ingress.kubernetes.io/backend-scheduler

Load balancing algorithm for the backend server group. For a configuration example, see Specify load balancing algorithm for backend server group.

  • wrr: Weighted round-robin. Higher weights increase the probability of being selected.

  • wlc: Weighted least connections. With equal weights, servers with fewer current connections have higher selection probability.

  • sch: Source IP hash. Requests from the same source IP go to the same backend server.

  • uch: URL hash. Requests with identical URL parameters go to the same backend server.

Default: wrr.

alb.ingress.kubernetes.io/backend-scheduler-uch-value

URL hash parameter used when the load balancing algorithm is uch.

Cross-domain

Annotation

Description

alb.ingress.kubernetes.io/enable-cors

Enable cross-origin resource sharing (CORS) configuration. For a configuration example, see CORS configuration.

  • true: Enable CORS.

  • false: Disable CORS.

Default: false.

alb.ingress.kubernetes.io/cors-allow-origin

Origins allowed to make cross-domain requests.

Default: *.

alb.ingress.kubernetes.io/cors-expose-headers

List of headers exposed to the client.

alb.ingress.kubernetes.io/cors-allow-methods

HTTP methods allowed for cross-domain requests.

Enter one or more of the following options:

  • GET

  • POST

  • PUT

  • DELETE

  • HEAD

  • OPTIONS

  • PATCH

Default: "GET, PUT, POST, DELETE, PATCH, OPTIONS".

alb.ingress.kubernetes.io/cors-allow-credentials

Allow credentials in cross-domain requests.

  • true: Allow credentials.

  • false: Do not allow credentials.

Default: true.

alb.ingress.kubernetes.io/cors-max-age

Maximum time, in seconds (s), that preflight responses are cached in browsers.

Range: [-1, 172800].

Default: 172800.

Note

-1 means infinite cache time.

alb.ingress.kubernetes.io/cors-allow-headers

List of headers allowed in cross-domain requests.

Default: "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization".

Custom forwarding

Annotation

Description

alb.ingress.kubernetes.io/actions.{svcName}

Custom forwarding action. For step-by-step instructions, see Define custom forwarding rules for ALB Ingress.

alb.ingress.kubernetes.io/conditions.{svcName}

Custom forwarding condition.

alb.ingress.kubernetes.io/rule-direction.{svcName}

Custom forwarding direction.

  • Request: Apply custom forwarding when receiving requests.

  • Response: Apply custom forwarding when sending responses.

Default: Request.

IPv6 attachment for backend server group

Annotation

Description

alb.ingress.kubernetes.io/enable-ipv6

Enable IPv6 attachment for the backend server group. For a configuration example, see Attach IPv6 addresses to backend server groups.

  • true: Enable.

  • false: Disable.

Default: false.

Other

Annotation

Description

alb.ingress.kubernetes.io/backend-keepalive

Enable persistent connections to backend servers. For a configuration example, see Persistent connections to backend servers.

Default: false.

alb.ingress.kubernetes.io/traffic-limit-qps

Requests-per-second (QPS) rate limiting.

Range: [1, 1000000].

alb.ingress.kubernetes.io/use-regex

Allow regular expressions in the Path field. Applies only to Prefix path types.

Default: false.

AlbConfig fields

An AlbConfig custom resource describes an ALB instance and its listeners. This section provides a complete AlbConfig example. For details about each field, see the following sections.


apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
  name: alb-config-example
spec:
  # Set ALB instance properties based on your needs.
  config:
    id: ""   # ALB instance ID. Leave empty to create a new instance.
    name: alb-instance-name
    addressAllocatedMode: Fixed
    addressType: Internet
    ipv6AddressType: Intranet
    addressIpVersion: IPv4
    resourceGroupId: ""
    edition: Standard
    deletionProtectionEnabled: false
    forceOverride: false
    listenerForceOverride: false
    zoneMappings:            # Virtual switches.
      - vSwitchId: vsw-uf6ccg2a9g71hx8go****
        zoneId: ""
        allocationId: eip-asdfas****
        eipType: ""
      - vSwitchId: vsw-uf6nun9tql5t8nh15****
        zoneId: ""
        allocationId: "eip-xxxx"
        eipType: ""
    securityGroupIds:
      - sg-uf6blkp8************ # Security group ID.
      - sg-djladhla************ # Security group ID.
    accessLogConfig:        # Simple Log Service.
      logProject: ""
      logStore: "alb_******"
    billingConfig:
      internetBandwidth: 0
      internetChargeType: ""
      payType: ""
      bandWidthPackageId: "cbwp-xxx"
    modificationProtectionConfig:
      reason: ""
      status: ""
    tags:
      - key: example-key
        value: example-value
  listeners:
    # Set listener properties based on your needs.
    - port: 80
      protocol: HTTP         # HTTP: Use HTTP. HTTPS: Use HTTPS. QUIC: Use QUIC.
      gzipEnabled: null
      http2Enabled: null
      securityPolicyId: ""
      idleTimeout: 15
      loadBalancerId: ""
      description: "Listener description"
      caEnabled: false
      requestTimeout: 60
      quicConfig:
        quicUpgradeEnabled: false
        quicListenerId: ""
      defaultActions: []
      caCertificates: []
      certificates: []
      xForwardedForConfig:     # X-Forwarded- configuration.
        XForwardedForClientCertSubjectDNEnabled: false
        XForwardedForProtoEnabled: false
        XForwardedForClientCertIssuerDNEnabled: false
        XForwardedForSLBIdEnabled: false
        XForwardedForClientSrcPortEnabled: false
        XForwardedForClientCertFingerprintEnabled: false
        XForwardedForEnabled: true
        XForwardedForProcessingMode: append
        XForwardedForHostEnabled: false
        XForwardedForSLBPortEnabled: false
        XForwardedForClientCertClientVerifyEnabled: false
        XForwardedForClientCertSubjectDNAlias: ""
        XForwardedForClientCertClientVerifyAlias: ""
        XForwardedForClientCertIssuerDNAlias: ""
        XForwardedForClientCertFingerprintAlias: ""
        XForwardedForClientSourceIpsEnabled: false
        XForwardedForClientSourceIpsTrusted: ""
      logConfig:
        accessLogRecordCustomizedHeadersEnabled: false
        accessLogTracingConfig:
          tracingEnabled: false
          tracingSample: 100
          tracingType: Zipkin
      aclConfig:
        aclName: ""
        aclType: Black
        aclEntries: []
        aclIds: []
status:
  loadBalancer:
    dnsname: ""
    id: ""
    listeners:
      portAndProtocol: ""
      certificates:
        certificateId: ""
        isDefault: false

AlbConfig

Field

Data type

Description

apiVersion

Fixed value

APIVersion defines the versioned schema for this object.

Fixed value: alibabacloud.com/v1.

kind

Fixed value

Kind indicates the REST resource this object represents.

Fixed value: AlbConfig.

metadata

ObjectMeta

Standard metadata for objects. For more information, see metadata.

spec

AlbConfigSpec

List of parameters that describe ALB instance and listener properties.

status

AlbConfigStatus

After reconciliation, the instance status is written to status. The value reflects the current instance status.

AlbConfigSpec

Field

Data type

Description

config

LoadBalancerSpec

Properties of the ALB instance.

listeners

ListenerSpec[]

Properties of listeners under the instance.

LoadBalancerSpec

Field

Data type

Description

id

string

ALB instance ID. Specify an ID to enable reuse mode. Leave empty to let the controller create a new ALB instance. For step-by-step instructions, see Create an AlbConfig.

Default: "".

name

string

ALB instance name.

Default: Auto-generated using this pattern: k8s-{namespace}-{name}-{hashCode}.

addressAllocatedMode

enum

Address allocation mode for the ALB instance.

  • Dynamic: At least one IP per zone. IPs scale automatically with traffic. Supports up to 1 million QPS.

  • Fixed: Exactly one fixed IP per zone. Limited elasticity. Supports up to 100,000 QPS.

Default: Fixed.

addressType

enum

IPv4 address type for the ALB instance.

  • Internet: Public mode. Automatically gets a public domain name.

  • Intranet: Private mode.

Default: Internet.

ipv6AddressType

enum

IPv6 address type for the ALB instance. Does not need to match the IPv4 address type.

  • Internet: Public mode. Automatically gets a public domain name.

  • Intranet: Private mode.

Default: Intranet.

addressIpVersion

enum

Whether the ALB instance supports dual-stack.

  • IPv4: IPv4 only.

  • DualStack: Dual-stack. Supports both IPv4 and IPv6.

Default: IPv4.

resourceGroupId

string

ID of the resource group that owns the instance.

Default: "".

edition

enum

Feature edition of the instance. You cannot change the edition in reuse mode.

Default: Standard.

deletionProtectionEnabled

bool

Reserved field. Do not modify.

forceOverride

bool

Force override instance properties in reuse mode.

  • true: Force override.

  • false: Do not force override.

  • null: Do not force override.

Default: false.

listenerForceOverride

bool

Force override listener properties in reuse mode.

  • true: Force override.

  • false: Do not force override.

  • null: Do not force override.

Default: null.

zoneMappings

ZoneMapping[]

Zones and EIP configurations.

accessLogConfig

AccessLogConfig

Log collection.

billingConfig

BillingConfig

Billing method.

modificationProtectionConfig

ModificationProtectionConfig

Configuration read-only mode.

tags

Tag[]

Instance tags.

securityGroupIds

string[]

Security group IDs for the ALB instance. For details, see Configure security groups with AlbConfig.

ZoneMapping

Field

Data type

Description

vSwitchId

string

(Required) ID of the virtual switch.

Default: "".

zoneId

string

Zone of the virtual switch. Keep the default value.

Default: "".

allocationId

string

Elastic IP (EIP) ID. For a configuration example, see Configure ALB instances with AlbConfig.

Default: "eip-xxxx".

eipType

string

Reserved field. Do not modify.

AccessLogConfig

Field

Data type

Description

logProject

string

Name of the Simple Log Service project.

Default: "".

logStore

string

Name of the Simple Log Service Logstore. Must start with alb_. If the Logstore does not exist, it is created automatically. For a configuration example, see Enable access logs for Simple Log Service.

Default: "alb_****".

BillingConfig

Field

Data type

Description

internetBandwidth

int

Reserved field. Do not modify.

internetChargeType

string

Reserved field. Do not modify.

payType

enum

Reserved field. Do not modify.

bandWidthPackageId

string

ID of the Internet Shared Bandwidth package to attach. You cannot detach the package after attaching it. For a configuration example, see Internet Shared Bandwidth package configuration.

Default: "cbwp-xxx".

ModificationProtectionConfig

Field

Data type

Description

reason

string

Reserved field.

status

string

Reserved field.

Tag

Field

Data type

Description

key

string

Key of the tag.

Default: "".

value

string

Value of the tag.

Default: "".

ListenerSpec

Field

Data type

Description

gzipEnabled

bool

Enable data compression. For a configuration example, see Use data compression.

  • true: Enable compression.

  • false: Disable compression.

  • null: Enable compression.

Default: null.

http2Enabled

bool

Enable HTTP/2 protocol.

  • true: Enable HTTP/2.

  • false: Disable HTTP/2.

  • null: Enable HTTP/2.

Default: null.

port

int

(Required) Port used by the listener.

Default: 0.

protocol

enum

(Required) Protocol used by the listener.

  • HTTP: Use HTTP.

  • HTTPS: Use HTTPS.

  • QUIC: Use QUIC.

securityPolicyId

string

ID of the TLS security policy.

Default: "".

idleTimeout

int

Idle connection timeout period, in seconds (s).

Range: [1, 600].

Default: 15.

Note

A value of 0 uses the default.

loadBalancerId

string

Reserved field. Do not modify.

description

string

Name of the listener.

Default: Auto-generated using this pattern: ingress-auto-listener-{port}.

caEnabled

bool

Enable mutual authentication.

  • true: Enable mutual authentication.

  • false: Disable mutual authentication.

Default: false.

requestTimeout

int

Request timeout period, in seconds (s).

Range: [1, 600].

Default: 60.

quicConfig

QuicConfig

QUIC listener configuration.

defaultActions

Action[]

Reserved field. Do not modify.

caCertificates

Certificate[]

Root CA certificate for the listener.

certificates

Certificate[]

Server certificate for the listener.

xForwardedForConfig

XForwardedForConfig

X-Forwarded- configuration.

logConfig

LogConfig

Logging configuration for the listener.

aclConfig

AclConfig

Access control.

QuicConfig

Field

Data type

Description

quicUpgradeEnabled

bool

Enable QUIC upgrade. In scenarios where QUIC and HTTPS listeners work together, this field associates or disassociates them. For step-by-step instructions, see Use QUIC listeners to support HTTP/3.

  • true: Enable QUIC upgrade and associate QUIC with HTTPS.

  • false: Disable QUIC upgrade and do not associate QUIC with HTTPS.

Default: false.

quicListenerId

string

HTTPS listener associated with the QUIC listener.

Default: "".

Certificate

Field

Data type

Description

IsDefault

bool

Set this certificate as the default. For step-by-step instructions, see Configure HTTPS certificates for encrypted communication.

  • true: Set as default.

  • false: Do not set as default.

Default: false.

Important

You can set only one certificate as default.

CertificateId

string

CertIdentifier for the certificate.

Default: "".

XForwardedForConfig

Field

Data type

Description

XForwardedForClientCertSubjectDNEnabled

bool

Add the X-Forwarded-Clientcert-subjectdn header to HTTP messages forwarded by the ALB instance. This preserves the owner information of the client certificate.

  • true: Add the header.

  • false: Do not add the header.

Default: false.

XForwardedForProtoEnabled

bool

Add the X-Forwarded-Proto header to HTTP messages forwarded by the ALB instance. This records the listener protocol used by the ALB instance.

  • true: Add the header.

  • false: Do not add the header.

Default: false.

XForwardedForClientCertIssuerDNEnabled

bool

Add the X-Forwarded-Clientcert-issuerdn header to HTTP messages forwarded by the ALB instance. This preserves the issuer information of the client certificate.

  • true: Add the header.

  • false: Do not add the header.

Default: false.

XForwardedForSLBIdEnabled

bool

Add the X-Forwarded-For-SLB-ID header to HTTP messages forwarded by the ALB instance. This records the ID of the ALB instance.

  • true: Add the header.

  • false: Do not add the header.

Default: false.

XForwardedForClientSrcPortEnabled

bool

Add the X-Forwarded-Client-Port header to HTTP messages forwarded by the ALB instance. This preserves the client's port information.

  • true: Add the header.

  • false: Do not add the header.

Default: false.

XForwardedForClientCertFingerprintEnabled

bool

Add the X-Forwarded-Clientcert-fingerprint header to HTTP messages forwarded by the ALB instance. This preserves the fingerprint of the client certificate.

  • true: Add the header.

  • false: Do not add the header.

Default: false.

XForwardedForEnabled

bool

Add the X-Forwarded-For header to HTTP messages forwarded by the ALB instance. This preserves the originating IP address of the client. Currently, you cannot disable this feature by setting the value to false.

To disable this feature or use enhanced functions, upgrade ALB Ingress Controller to version 2.15.0 or later and use XForwardedForProcessingMode.

XForwardedForProcessingMode

string

  • append: If the original request does not contain an X-Forwarded-For header, ALB creates one with the client IP address. Otherwise, ALB appends the client IP address to the existing X-Forwarded-For header before sending it to the backend server.

  • remove: ALB removes the X-Forwarded-For header from the request before sending it to the backend server.

  • preserve: ALB does not modify the X-Forwarded-For header in the request before sending it to the backend server.

If both XForwardedForEnabled and XForwardedForProcessingMode are configured in XForwardedForConfig, XForwardedForProcessingMode takes precedence. The ALB instance listener will append, remove, or preserve the X-Forwarded-For header based on the configured value.

XForwardedForHostEnabled

bool

Add the X-Forwarded-Host header to HTTP messages forwarded by the ALB instance. This records the domain name that the client used to access the SLB instance.

XForwardedForSLBPortEnabled

bool

Add the X-Forwarded-Port header to HTTP messages forwarded by the ALB instance. This records the listener port of the ALB instance.

  • true: Add the header.

  • false: Do not add the header.

Default: false.

XForwardedForClientCertClientVerifyEnabled

bool

Add the X-Forwarded-Clientcert-clientverify header to HTTP messages forwarded by the ALB instance. This preserves the verification result of the client certificate.

  • true: Add the header.

  • false: Do not add the header.

Default: false.

XForwardedForClientCertSubjectDNAlias

string

Custom field name. Replaces the X-Forwarded-Clientcert-subjectdn header name with the entered value. The XForwardedForClientCertSubjectDNEnabled field adds this header.

This field takes effect only when XForwardedForClientCertSubjectDNEnabled is true.

Default: "".

XForwardedForClientCertClientVerifyAlias

string

Custom field name. Replaces the X-Forwarded-Clientcert-clientverify header name with the entered value. The XForwardedForClientCertClientVerifyEnabled field adds this header.

This field takes effect only when XForwardedForClientCertClientVerifyEnabled is true.

Default: "".

XForwardedForClientCertIssuerDNAlias

string

Custom field name. Replaces the X-Forwarded-Clientcert-issuerdn header name with the entered value. The XForwardedForClientCertIssuerDNEnabled field adds this header.

This field takes effect only when XForwardedForClientCertIssuerDNEnabled is true.

Default: "".

XForwardedForClientCertFingerprintAlias

string

Custom field name. Replaces the X-Forwarded-Clientcert-fingerprint header name with the entered value. The XForwardedForClientCertFingerprintEnabled field adds this header.

This field takes effect only when XForwardedForClientCertFingerprintEnabled is true.

Default: "".

XForwardedForClientSourceIpsEnabled

bool

Allow ALB to find the originating client IP from the X-Forwarded-For header.

  • true: Allow. You must also configure XForwardedForClientSourceIpsTrusted with a valid value.

  • false: Disallow.

Default: false.

XForwardedForClientSourceIpsTrusted

string

Specify trusted proxy IP addresses.

Enter valid IP addresses or CIDR blocks, separated by semicolons (;), with no spaces. This field takes effect only when XForwardedForClientSourceIpsEnabled is true.

  • Set the trusted IP list to 0.0.0.0/0: Gets the leftmost address from the X-Forwarded-For header, which is the originating client IP address.

  • Set the trusted IP list to proxy1 IP;proxy2 IP;...: Gets the first address from the right that is not in the list and uses it as the originating client IP address.

Example: 192.168.x.x;192.168.x.x/16
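The XForwardedForProcessingMode values and the XForwardedForClientSourceIpsTrusted lookup described above, modelled in Python as an added example (not ALB's implementation and not code from this page). The function names, the sample header, the ", " separator and the handling of an unparseable entry are assumptions of the example.

```python
import ipaddress

# Constructed sample header as it reaches the listener: the first entry was
# sent by the client itself, 203.0.113.7 was appended by the first proxy, and
# 10.0.1.5 (that proxy's address) was appended by a second proxy.
SAMPLE_XFF = "198.51.100.23, 203.0.113.7, 10.0.1.5"


def parse_trusted(spec):
    """Parse an XForwardedForClientSourceIpsTrusted value into networks.

    Format from the page: IP addresses or CIDR blocks separated by ';',
    with no spaces.
    """
    if not spec:
        raise ValueError("trusted list is empty")
    if any(ch.isspace() for ch in spec):
        raise ValueError("trusted list must not contain spaces")
    networks = []
    for item in spec.split(";"):
        # strict=False accepts a CIDR with host bits set, e.g. 192.168.3.4/16.
        # An empty or malformed item raises ValueError here.
        networks.append(ipaddress.ip_network(item, strict=False))
    return networks


def resolve_client_ip(xff_header, trusted_spec):
    """Pick the originating client IP from X-Forwarded-For.

    Walks the header from the right and returns the first address that is
    not in the trusted list. If every address is trusted (for example with
    0.0.0.0/0), the leftmost address is returned, as the page describes.
    Returns None when the header is empty or an entry cannot be parsed
    (that last behaviour is a choice made by this example).
    """
    trusted = parse_trusted(trusted_spec)
    hops = [hop.strip() for hop in xff_header.split(",") if hop.strip()]
    if not hops:
        return None
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None
        if not any(addr in net for net in trusted):
            return str(addr)
    return hops[0]


def forwarded_xff(mode, incoming_xff, client_ip):
    """Header value sent to the backend for each XForwardedForProcessingMode.

    Returns None when no X-Forwarded-For header is sent.
    """
    if mode == "append":
        return f"{incoming_xff}, {client_ip}" if incoming_xff else client_ip
    if mode == "remove":
        return None
    if mode == "preserve":
        return incoming_xff
    raise ValueError(f"unknown processing mode: {mode}")


if __name__ == "__main__":
    for trusted in ("10.0.0.0/8", "10.0.1.5;10.0.2.0/24", "0.0.0.0/0"):
        print(trusted, "->", resolve_client_ip(SAMPLE_XFF, trusted))
    for mode in ("append", "remove", "preserve"):
        print(mode, "->", forwarded_xff(mode, SAMPLE_XFF, "10.0.2.9"))
```

With 0.0.0.0/0 every hop counts as trusted, so the result is the leftmost entry, which is the value the client itself supplied; a list limited to your own proxies yields 203.0.113.7 for the same header.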

AclConfig

Field

Data type

Description

aclName

string

Name of the associated ACL policy in AclEntry mode. For step-by-step instructions, see Configure ACL for access control.

Default: "".

aclType

enum

Access control mode.

  • Black: Blacklist mode. Blocks access from specific IP addresses.

  • White: Whitelist mode. Allows access only from specific IP addresses.

aclEntries

string

Access policy entries.

Default: "".

Important

Do not use aclEntries and aclIds at the same time. For more information, see Configure ACL for access control.

aclIds

string

List of existing policy IDs to associate.

Default: "".

LogConfig

Field

Data type

Description

accessLogRecordCustomizedHeadersEnabled

bool

Use custom headers in the access logs of the ALB instance.

  • true: Use custom headers.

  • false: Do not use custom headers.

Default: false.

accessLogTracingConfig

AccessLogTracingConfig

Configuration parameters for Tracing Analysis. For step-by-step instructions, see Enable Xtrace for Tracing Analysis with AlbConfig.

AccessLogTracingConfig

Field

Data type

Description

tracingEnabled

bool

Specifies whether to enable the Tracing Analysis feature.

  • true: Enable Tracing Analysis.

  • false: Disable Tracing Analysis.

Default: false.

tracingSample

int

Tracing Analysis sample rate, in units of 0.01%.

Range: [1, 10000].

tracingType

enum

Sampling algorithm for Tracing Analysis.

  • Zipkin: Use the Zipkin algorithm.
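A pre-apply check for constraints this reference states for AlbConfig: required fields, documented ranges, the alb_ Logstore prefix, a single default certificate, aclEntries versus aclIds, and the trusted list that XForwardedForClientSourceIpsEnabled requires. It is an added example, not Alibaba Cloud code; the function names and both sample specs are constructed, and the input is the spec as a Python dict such as a YAML loader would produce.

```python
LISTENER_PROTOCOLS = {"HTTP", "HTTPS", "QUIC"}


def _in_range(value, low, high):
    """True for a real integer (not a bool) inside [low, high]."""
    return isinstance(value, int) and not isinstance(value, bool) and low <= value <= high


def check_listener(listener):
    """Return findings for one ListenerSpec dict, using the rules on this page."""
    findings = []
    port = listener.get("port")
    where = f"listener {port}"
    if not port:
        findings.append(f"{where}: port is required")
    if listener.get("protocol") not in LISTENER_PROTOCOLS:
        findings.append(f"{where}: protocol must be HTTP, HTTPS or QUIC")

    # idleTimeout range is [1, 600]; the page notes that 0 uses the default.
    idle = listener.get("idleTimeout", 0)
    if idle != 0 and not _in_range(idle, 1, 600):
        findings.append(f"{where}: idleTimeout outside [1, 600]")
    request = listener.get("requestTimeout")
    if request is not None and not _in_range(request, 1, 600):
        findings.append(f"{where}: requestTimeout outside [1, 600]")

    # Only one certificate may be the default.
    certs = listener.get("certificates") or []
    if sum(1 for cert in certs if cert.get("IsDefault")) > 1:
        findings.append(f"{where}: more than one default certificate")

    # aclEntries and aclIds must not be used at the same time.
    acl = listener.get("aclConfig") or {}
    if acl.get("aclEntries") and acl.get("aclIds"):
        findings.append(f"{where}: aclEntries and aclIds are both set")

    # Client source IP lookup needs a trusted list: ';' separated, no spaces.
    xff = listener.get("xForwardedForConfig") or {}
    if xff.get("XForwardedForClientSourceIpsEnabled"):
        trusted = xff.get("XForwardedForClientSourceIpsTrusted") or ""
        if not trusted or " " in trusted:
            findings.append(f"{where}: XForwardedForClientSourceIpsTrusted missing or contains spaces")

    tracing = (listener.get("logConfig") or {}).get("accessLogTracingConfig") or {}
    sample = tracing.get("tracingSample")
    if sample is not None and not _in_range(sample, 1, 10000):
        findings.append(f"{where}: tracingSample outside [1, 10000]")
    return findings


def check_albconfig_spec(spec):
    """Return findings for an AlbConfig spec dict (config plus listeners)."""
    findings = []
    config = spec.get("config") or {}
    for index, mapping in enumerate(config.get("zoneMappings") or []):
        if not mapping.get("vSwitchId"):
            findings.append(f"zoneMappings[{index}]: vSwitchId is required")
    store = (config.get("accessLogConfig") or {}).get("logStore")
    if store and not store.startswith("alb_"):
        findings.append("accessLogConfig: logStore must start with alb_")
    for listener in spec.get("listeners") or []:
        findings.extend(check_listener(listener))
    return findings


# Constructed spec with six deliberate violations (all IDs are placeholders).
BAD_SPEC = {
    "config": {
        "zoneMappings": [{"vSwitchId": "vsw-example-a"}, {"zoneId": ""}],
        "accessLogConfig": {"logProject": "example-project", "logStore": "ingress-logs"},
    },
    "listeners": [{
        "port": 443, "protocol": "HTTPS", "idleTimeout": 900,
        "certificates": [{"CertificateId": "cert-example-1", "IsDefault": True},
                         {"CertificateId": "cert-example-2", "IsDefault": True}],
        "aclConfig": {"aclType": "White", "aclEntries": ["192.0.2.0/24"], "aclIds": ["acl-example"]},
        "xForwardedForConfig": {"XForwardedForClientSourceIpsEnabled": True,
                                "XForwardedForClientSourceIpsTrusted": "10.0.0.1; 10.0.0.2"},
    }],
}

# Constructed spec that satisfies every rule checked above.
GOOD_SPEC = {
    "config": {"zoneMappings": [{"vSwitchId": "vsw-example-a"}, {"vSwitchId": "vsw-example-b"}],
               "accessLogConfig": {"logProject": "example-project", "logStore": "alb_ingress"}},
    "listeners": [{
        "port": 443, "protocol": "HTTPS", "idleTimeout": 15, "requestTimeout": 60,
        "certificates": [{"CertificateId": "cert-example-1", "IsDefault": True}],
        "aclConfig": {"aclType": "White", "aclIds": ["acl-example"]},
        "xForwardedForConfig": {"XForwardedForClientSourceIpsEnabled": True,
                                "XForwardedForClientSourceIpsTrusted": "10.0.0.0/8;192.168.0.0/16"},
        "logConfig": {"accessLogTracingConfig": {"tracingEnabled": True, "tracingSample": 100}},
    }],
}

if __name__ == "__main__":
    for finding in check_albconfig_spec(BAD_SPEC):
        print(finding)
```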

AlbConfigStatus

Important

The following fields are reserved for ALB Ingress to record status. Do not modify these fields: AlbConfigStatus, LoadBalancerStatus, ListenerStatus, and AppliedCertificate.

Field

Output

Description

loadBalancer

LoadBalancerStatus

Reserved field. Do not modify.

Status of the ALB instance.

LoadBalancerStatus

Field

Output

Description

dnsname

string

Reserved field. Do not modify.

DNS address of the ALB instance.

id

string

Reserved field. Do not modify.

ID of the ALB instance.

listeners

ListenerStatus

Reserved field. Do not modify.

Listener properties of the ALB instance.

ListenerStatus

Field

Output

Description

portAndProtocol

string

Reserved field. Do not modify.

Port and protocol used by the listener.

certificates

AppliedCertificate

Reserved field. Do not modify.

Certificate associated with the listener.

AppliedCertificate

Field

Output

Description

certificateId

string

Reserved field. Do not modify.

CertIdentifier of the certificate.

isDefault

bool

Reserved field. Do not modify.

Whether the certificate is the default certificate.
