An AlbConfig is a Custom Resource Definition (CRD) provided by the ALB Ingress Controller that is used to configure Application Load Balancer (ALB) instances and listeners. This topic describes how to create, modify, and update an AlbConfig, and how to enable Simple Log Service.
Scope
The ALB Ingress controller is installed in the cluster. For more information, see Manage the ALB Ingress controller.
NoteTo use an ALB Ingress to access Services deployed in an ACK dedicated cluster, you need to first grant the cluster the permissions required by the ALB Ingress controller. For more information, see Authorize an ACK dedicated cluster to access the ALB Ingress controller.
You have created two vSwitches in different zones. The vSwitches must be in the same VPC as the cluster and in zones supported by ALB. For more information, see Create and manage a vSwitch.
Precautions
We recommend that you use the
kubectl editcommand to directly modify or update resource configurations. If you must use thekubectl applycommand to modify or update resources, first run thekubectl diffcommand to preview the changes before you run thekubectl applycommand. Ensure that the changes are as expected, and then run thekubectl applycommand to apply the changes to the Kubernetes cluster.If you use the Flannel network plug-in, the backend service of the ALB Ingress supports only the NodePort and LoadBalancer service types.
Create an AlbConfig
Each AlbConfig corresponds to one ALB instance. To use multiple ALB instances, you must create multiple AlbConfigs. The following steps describe how to create an AlbConfig.
If you select the Create New or Use Existing option for ALB Cloud-native Gateway Instance Source when you install the ALB Ingress Controller component, the Controller automatically creates an AlbConfig resource named "alb" and an IngressClass resource named "alb".
Create a file named `alb.yaml` and copy the following content to the file. You can then use this file to create an AlbConfig.
apiVersion: alibabacloud.com/v1 kind: AlbConfig metadata: name: alb spec: config: name: alb addressType: Internet zoneMappings: - vSwitchId: vsw-uf6ccg2a9g71hx8go**** # Replace with the IDs of at least two vSwitches that are in different zones within the VPC where the cluster resides. allocationId: eip-asdfas**** # Replace with your EIP ID. By default, a public IP address is automatically assigned. - vSwitchId: vsw-uf6nun9tql5t8nh15**** # Replace with the IDs of at least two vSwitches that are in different zones within the VPC where the cluster resides. allocationId: eip-dpfmss**** # Replace with your EIP ID. listeners: - port: 80 protocol: HTTPParameter
Description
spec.config.nameThe name of the ALB instance.
spec.config.addressTypeThe address type of the ALB instance. Valid values:
Internet(default): The ALB instance has a public IP address. The domain name is resolved to the public IP address. The instance can be accessed over the Internet.Intranet: The ALB instance has only a private IP address. The domain name is resolved to the private IP address. The instance can be accessed only within its VPC.
ImportantThe
addressTypeparameter is parsed only when you create an ALB instance. Updates to this parameter do not take effect.spec.config.zoneMappingsvSwitchId: The ID of the vSwitch used by the ALB Ingress.Specify the IDs of at least two vSwitches in different zones. The zones must be supported by ALB. For more information about the supported zones, see Regions and zones supported by ALB.
The vSwitches and the cluster must be in the same VPC.
ImportantFor regions with a single zone, you need to specify only one vSwitch ID.
The
zoneMappingsparameter is parsed only when you create an ALB instance. Updates to this parameter do not take effect.
allocationId: You can specify the ID of the EIP on which the public-facing ALB instance depends in zoneMappings.If you do not specify an EIP ID, a public IP address is automatically assigned. The system automatically creates a pay-as-you-go Border Gateway Protocol (BGP) (multi-line) EIP with basic security protection and associates the EIP with the ALB instance. For more information about billing, see Billing overview of ALB.
You can specify the ID of an existing EIP and associate it with the new ALB instance.
ImportantYou can associate only purchased pay-by-traffic EIPs that are not added to an Internet Shared Bandwidth instance.
The EIPs allocated in different zones for the same ALB instance must be of the same type.
When you install the ALB Ingress Controller component for a cluster, you can choose to create a default AlbConfig. Except for
vSwitchID, the other parameters in the AlbConfig are created with the following default configurations.Run the following command to create the AlbConfig:
kubectl apply -f alb.yamlExpected output:
AlbConfig.alibabacloud.com/alb createdRun the following command to view the AlbConfig resource:
kubectl get AlbConfigExpected output:
NAME ALBID DNSNAME PORT&PROTOCOL CERTID AGE alb alb-****** alb-******.<regionID>.alb.aliyuncs.com 28mNoteAfter you create an HTTPS listener and configure a certificate for it, content is displayed in the
PORT&PROTOCOLandCERTIDcolumns. These columns are empty by default.
Reuse an existing ALB instance
If you want to reuse an existing ALB instance, you must specify the instance ID when you create the AlbConfig. The existing ALB instance must be a Standard or WAF-enabled instance that was created in the Application Load Balancer (ALB) console. Basic ALB instances cannot be reused. An instance can be reused by only one cluster, and you cannot reuse the same ALB instance for multiple clusters.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: reuse-alb
spec:
config:
id: **** # The ID of the Standard or WAF-enabled ALB instance created in the ALB console.
forceOverride: false
listenerForceOverride: falseThe following table describes the parameters.
Parameter | Description |
|
Important When you reuse an ALB instance, do not manually modify listener names. This prevents listeners from being incorrectly managed or unmanaged by ACK. Listeners created or updated by an AlbConfig are managed by ACK, and their names are in the |
| Specifies whether to forcibly overwrite the properties of the ALB instance when you reuse the instance.
|
| Specifies whether to forcibly overwrite the properties of the listeners when you reuse the instance.
|
Configure an Internet Shared Bandwidth instance
After you enable this feature, you can associate an Internet Shared Bandwidth instance with an ALB instance using an AlbConfig.
This feature takes effect only when the network type of the ALB instance is Internet. For more information about how to purchase an Internet Shared Bandwidth instance, see Create and manage an Internet Shared Bandwidth instance.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
name: alb
addressType: Internet
edition: Standard
zoneMappings:
- vSwitchId: vsw-2vcqeyvwsnd***
- vSwitchId: vsw-2vcbhjlqu7y***
billingConfig:
bandWidthPackageId: cbwp-2vcjucp49otd8qolhm*** # The ID of the Internet Shared Bandwidth instance.Update an AlbConfig
For an ALB instance that is created using an AlbConfig, you can use the kubectl edit command to update the instance configuration. The following steps describe how to update an AlbConfig.
Run the following command to view the name of the AlbConfig:
kubectl get AlbConfigExpected output:
NAME ALBID DNSNAME PORT&PROTOCOL CERTID AGE alb alb-****** alb-******.<regionID>.alb.aliyuncs.com 28mRun the following command to modify the AlbConfig:
kubectl edit albconfig <ALBCONFIG_NAME> # Replace <ALBCONFIG_NAME> with the name of the AlbConfig.In the AlbConfig configuration file, update the relevant content. For example, you can modify the
spec.config.namefield to change the name of the ALB instance tonew_alb.... spec: config: name: new_alb # The updated name. ...
Use an IngressClass to associate an AlbConfig with an Ingress
The ALB Ingress uses a native Kubernetes IngressClass resource to associate an AlbConfig with an Ingress. This association is achieved by setting specific parameters in the IngressClass resource.
Create a file named `ingress_class.yaml`, copy the following content to the file, and then use the file to create an IngressClass.
Clusters of v1.19 and later
apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: name: alb spec: controller: ingress.k8s.alibabacloud/alb parameters: apiGroup: alibabacloud.com kind: AlbConfig name: alb # The name of the AlbConfig associated with the IngressClass.Clusters earlier than v1.19
apiVersion: networking.k8s.io/v1beta1 kind: IngressClass metadata: name: alb spec: controller: ingress.k8s.alibabacloud/alb parameters: apiGroup: alibabacloud.com kind: AlbConfig name: albRun the following command to create the IngressClass:
kubectl apply -f ingress_class.yamlExpected output:
ingressclass.networking.k8s.io/alb createdCreate a file named `ingress.yaml` and copy the following content to the file. Use the
ingressClassNameparameter to specify the IngressClass named `alb` to associate with the AlbConfig.Clusters of v1.19 and later
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: cafe-ingress spec: ingressClassName: alb # The name of the IngressClass associated with the Ingress. rules: - http: paths: # Configure the context path. - path: /tea pathType: ImplementationSpecific backend: service: name: tea-svc port: number: 80 # Configure the context path. - path: /coffee pathType: ImplementationSpecific backend: service: name: coffee-svc port: number: 80Clusters earlier than v1.19
apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: cafe-ingress spec: ingressClassName: alb rules: - http: paths: # Configure the context path. - path: /tea backend: serviceName: tea-svc servicePort: 80 # Configure the context path. - path: /coffee backend: serviceName: coffee-svc servicePort: 80Run the following command to create the Ingress:
kubectl apply -f ingress.yamlExpected output:
ingress.networking.k8s.io/cafe-ingress created
After you complete these steps, the IngressClass is used to associate the AlbConfig with the Ingress.
Create and use multiple ALB instances
If you want to use multiple ALB instances at the same time, specify different IngressClasses in the spec.ingressClassName field of the Ingress resources to associate the Ingresses with different ALB instances.
Create a file named `alb-2.yaml`, copy the following content to the file, and then use the file to create an AlbConfig.
apiVersion: alibabacloud.com/v1 kind: AlbConfig metadata: name: alb-2 spec: config: name: alb-2 # The name of the ALB instance. addressType: Internet # The ALB instance has a public IP address. zoneMappings: - vSwitchId: vsw-uf6ccg2a9g71hx8go**** # The ID of the vSwitch. - vSwitchId: vsw-uf6nun9tql5t8nh15****Run the following command to create the AlbConfig:
kubectl apply -f alb-2.yamlExpected output:
AlbConfig.alibabacloud.com/alb-2 createdCreate a file named `ingress_class2.yaml`, copy the following content to the file, and then use the file to create an IngressClass.
Clusters of v1.19 and later
apiVersion: networking.k8s.io/v1 kind: IngressClass metadata: name: alb-2 spec: controller: ingress.k8s.alibabacloud/alb parameters: apiGroup: alibabacloud.com kind: AlbConfig name: alb-2 # The name of the AlbConfig associated with the IngressClass.Clusters earlier than v1.19
apiVersion: networking.k8s.io/v1beta1 kind: IngressClass metadata: name: alb-2 spec: controller: ingress.k8s.alibabacloud/alb parameters: apiGroup: alibabacloud.com kind: AlbConfig name: alb-2 # The name of the AlbConfig associated with the IngressClass.Run the following command to create the IngressClass:
kubectl apply -f ingress_class2.yamlExpected output:
ingressclass.networking.k8s.io/alb-2 createdCreate a file named `ingress2.yaml` and copy the following content to the file. Use the
ingressClassNameparameter to specify a different ALB instance. In the following example,alb-2is specified in theingressClassNamefield to associate the Ingress with the IngressClass named `alb-2` and the ALB instance named `alb-2` that is associated with the IngressClass.Clusters of v1.19 and later
apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: cafe-ingress2 spec: ingressClassName: alb-2 rules: - http: paths: # Configure the context path. - path: /tea pathType: ImplementationSpecific backend: service: name: tea-svc port: number: 80 # Configure the context path. - path: /coffee pathType: ImplementationSpecific backend: service: name: coffee-svc port: number: 80Clusters earlier than v1.19
apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: cafe-ingress2 spec: ingressClassName: alb-2 rules: - http: paths: # Configure the context path. - path: /tea backend: serviceName: tea-svc servicePort: 80 # Configure the context path. - path: /coffee backend: serviceName: coffee-svc servicePort: 80Run the following command to create the Ingress:
kubectl apply -f ingress2.yamlExpected output:
ingress.networking.k8s.io/cafe-ingress2 created
Use IPv6 addresses
When you create an ALB instance, you can enable dual-stack by setting the addressIpVersion field to DualStack. This enables support for both IPv4 and IPv6.
The addressIpVersion parameter is parsed only when you create an AlbConfig. Updates to this parameter do not take effect.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
addressIpVersion: DualStack # Enable dual-stack.
...Specify a TLS security policy
When you configure an HTTPS listener in an AlbConfig, you can specify a TLS security policy. TLS security policies include custom policies and system default policies. For more information, see TLS security policies.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
#...
listeners:
- port: 443
protocol: HTTPS
securityPolicyId: tls_cipher_policy_1_1 # The ID of the specified security policy.
#...Enable access logs in Simple Log Service
If you want the ALB Ingress to collect access logs, you can specify logProject and logStore in the AlbConfig.
When you created the cluster, you chose to automatically create a Simple Log Service project or use an existing one. Log on to the Container Service management console and choose Cluster List in the navigation pane on the left.On the Cluster List page, click the name of the target cluster and then choose Cluster Information in the navigation pane on the left. On the Basic Information tab, you can view the Simple Log Service Project that is associated with the cluster.
The name of the
logStoremust start withalb_. If the specifiedlogStoredoes not exist, it is automatically created.When you reuse an existing ALB instance and want to enable Simple Log Service through the AlbConfig, you must set the
forceOverridefield totrueto forcibly overwrite the ALB instance properties. For more information, see Reuse an existing ALB instance.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
accessLogConfig:
logProject: "k8s-log-xz92lvykqj1siwvif****"
logStore: "alb_****"
#...On the Basic Information tab, click the name to the right of Simple Log Service Project to view the collected access logs.
Delete an AlbConfig
Each AlbConfig corresponds to one ALB instance. Therefore, if an ALB instance was created using an AlbConfig, you can delete the ALB instance by deleting the AlbConfig.
Before you delete an AlbConfig, you must delete all of its associated Ingress resources.
Run the following command to delete an AlbConfig:
kubectl delete AlbConfig <AlbConfig_NAME> # Replace <AlbConfig_NAME> with the name of the AlbConfig.Delete the AlbConfig for a reused ALB instance
If you choose to reuse an existing ALB instance when you create an AlbConfig, the instance is not created by the AlbConfig. Therefore, deleting the AlbConfig does not delete the ALB instance. To delete the AlbConfig for a reused ALB instance, perform the following steps.
Run the
kubectl editcommand to modify the AlbConfig and delete all of its listeners. To do this, delete all entries under thespec.listenersfield.ImportantPerform this operation if the version of the ALB Ingress Controller component installed in your cluster is v2.10.0-aliyun.1 or earlier. Otherwise, skip this step.
Run the following command to delete the AlbConfig:
ImportantBefore you delete an AlbConfig, you must delete all of its associated Ingress resources.
kubectl delete AlbConfig <AlbConfig_NAME> # Replace <AlbConfig_NAME> with the name of the AlbConfig.
Update the Listeners field
Terms
Object configuration file: A file used to define and describe a Kubernetes object. It contains the specifications and configuration information of the object.
Existing object configuration file: An object configuration file that has been applied to a Kubernetes cluster.
last-applied-configuration field: An annotation field in a Kubernetes object that records the last applied configuration of the object. It is not updated in real time as the object configuration changes.
Update method for the Listeners field
The Listeners field is an array-type configuration that is typically updated by replacement. When you update the Listeners field, the new configuration completely replaces the existing configuration. For more information, see the following table:
Ordinal number | Condition | Result | ||
Is the object in the object configuration file? | Is the object in the existing object configuration file? | Is the object in the last-applied-configuration field? | ||
① | Yes | Yes | - (Not applicable) | The values from the object configuration file are applied to the existing configuration file to update specific fields of the existing object. |
② | Yes | No | - (Not applicable) | The values from the object configuration file are used to create a new object instead of updating the configuration of an existing object. |
③ | No | Not applicable | Yes | A field is removed from the existing object configuration file. This means the field is deleted from the existing object configuration. The field may be reset to its default value. |
④ | No | Yes | No | A field is removed from the existing object configuration file. |
Example
The following code shows sample configurations of the Listeners field in the object configuration file, the existing object configuration file, and the last-applied-configuration field:
# The object configuration file provides the following expected configuration values.
listeners:
- port: 8001
protocol: HTTP
- port: 8003
protocol: HTTP
- port: 8005 # Add 8005.
protocol: HTTP
# The existing object configuration file shows the configuration of the existing object.
listeners:
- port: 8001
protocol: HTTP
- port: 8002 # Delete 8002.
protocol: HTTP
- port: 8003
protocol: HTTP
- port: 8004 # Delete 8004.
protocol: HTTP
# The last-applied-configuration records the last applied configuration of the object.
listeners:
- port: 8001
protocol: HTTP
- port: 8002 # Delete 8002.
protocol: HTTP
- port: 8003
protocol: HTTPThe Listeners field of the AlbConfig is updated to the following result:
# The result of the Listeners configuration file.
listeners:
- port: 8001
protocol: HTTP
- port: 8003
protocol: HTTP
- port: 8005
protocol: HTTPPorts 8001 and 8003 meet condition ① and are retained.
Port 8005 meets condition ② and is added.
Port 8002 meets condition ③ and is deleted.
Port 8004 meets condition ④ and is deleted.
Create listeners
Listeners are the top-level entry points that an ALB instance uses to process traffic. An ALB instance can open ports to accept client requests only after you create listeners.
You can set port and protocol in the AlbConfig to create the corresponding listener. If you modify the port, protocol, or other listener properties, the system deletes the original listener and creates a new one to replace it.
Listeners can use three application-layer protocols: HTTP, HTTPS, and QUIC.
You can use multiple listeners with different protocols at the same time. However, you must configure an annotation in the Ingress resource to ensure that the Ingress applies to multiple listeners simultaneously. For more information, see Configure custom listener ports.
Create an HTTP listener
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
...
listeners:
- port: 80
protocol: HTTP # The valid values for protocol are HTTP, HTTPS, and QUIC.
...The HTTP protocol is automatically compatible with WebSocket. No special settings are required.
Create an HTTPS listener
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
...
listeners:
- port: 443
protocol: HTTPS
...When you use an HTTPS listener, you must configure a certificate. For more information, see Configure an HTTPS certificate to achieve encrypted communication.
Create a QUIC listener
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
...
listeners:
- port: 443
protocol: QUIC
...Using a QUIC listener allows clients to access services using the HTTP/3 protocol. For more information about using QUIC listeners, see Use a QUIC listener to support the HTTP/3 protocol.
Specify a certificate
When you configure an ALB, run the kubectl edit albconfig <Albconfig_Name> command to enable encryption and identity verification for the HTTPS protocol. In the AlbConfig, set the certificates parameter to the ID of the certificate that you want the listener to use. This certificate is used to encrypt and decrypt HTTPS traffic.
If you do not specify a certificate in the configuration, the listener is not created when the ALB is created. Instead, the listener is created only after an Ingress is associated and a certificate is automatically discovered based on the domain name.
For more information about configuring certificates, see Configure an HTTPS certificate for encrypted communication.
ALB sets the first certificate as the default certificate. ALB uses other certificates for request encryption only if the default certificate expires or is no longer in use.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb-demo
spec:
config:
...
listeners:
- caEnabled: false
certificates:
- CertificateId: 756****-cn-hangzhou # The certificate ID.
IsDefault: true
port: 443
protocol: HTTPS
...Set the listener request timeout period
You can set the request timeout period for a listener in the AlbConfig. The value is specified in seconds and can range from 1 to 600. If a backend server fails to respond within the timeout period, the Application Load Balancer (ALB) instance stops waiting and returns an HTTP 504 error code to the client. If you do not specify a timeout period, the default value of 60 seconds is used. The following is a sample YAML file.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
requestTimeout: 40 # If you do not enter a value, the default timeout period is 60 seconds.
...Use the data compression feature
When this feature is enabled, the Application Load Balancer (ALB) instance compresses specific file types. Valid values for gzipEnabled:
true: Compresses specific file types.false: Does not compress any file types.
Compression algorithms: If a client supports both the Brotli and Gzip compression algorithms, ALB prioritizes the more efficient Brotli algorithm. The Brotli algorithm can compress all file types. The Gzip algorithm can compress file types such as text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json.
Compression conditions: Compression is performed if the
Content-Lengthin the response header exceeds 1024 bytes and theAccept-Encodingin the client request header includes a supported algorithm.
The following is a sample YAML file for enabling data compression:
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
gzipEnabled: true
...Obtain the originating client IP address
After you enable this feature, the ALB instance adds a field that contains the client's originating IP address to the HTTP request header when it forwards requests to the backend service. Valid values for XForwardedForEnabled:
true: Obtains the client's originating IP address.false: Does not obtain the client's originating IP address.
You can configure this parameter only for HTTP and HTTPS listeners.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
#...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForEnabled: true # XForwardedForEnabled cannot be disabled.
#...Obtain the client port
When this feature is enabled, the Application Load Balancer (ALB) instance adds a field containing the client port to the HTTP request header when forwarding requests to a backend service. Valid values for XForwardedForClientSrcPortEnabled are:
true: Retrieves the client port.false: Does not retrieve the client port.
You can configure this parameter only for HTTP and HTTPS listeners.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForClientSrcPortEnabled: true
...Obtain the listener protocol of the ALB instance
When you enable this feature, the ALB instance adds a field that contains the listener protocol to the HTTP request header when it forwards requests to a backend service. Valid values for XForwardedForProtoEnabled:
true: Retrieves the listener protocol of the instance.false: Does not retrieve the listener protocol of the instance.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForProtoEnabled: true
...Obtain the ID of the ALB instance
When this feature is enabled, the ALB instance adds a field that contains its ID to the HTTP request header when it forwards requests to backend services. Valid values for XForwardedForSLBIdEnabled are:
true: Retrieve the ID of the SLB instance.false: Does not add the instance ID to the request header.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForSLBIdEnabled: true
...Obtain the listener port of the ALB instance
After you enable this feature, the ALB instance adds a field containing the listener port to the HTTP request header when it forwards requests to a backend service. Valid values for XForwardedForSLBPortEnabled:
true: Retrieves the listener port of the instance.false: Does not retrieve the listener port of the instance.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForSLBPortEnabled: true
...Specify trusted proxy server IP addresses
In an AlbConfig, use the XForwardedForClientSourceIpsEnabled configuration item to allow the ALB instance to obtain the client's originating IP address from the X-Forwarded-For header field. Use the XForwardedForClientSourceIpsTrusted configuration item to specify a set of trusted proxy server IP addresses. The ALB instance traverses the IP address list in the X-Forwarded-For field in reverse order and selects the first IP address that is not on the trusted IP address list as the client's actual IP address.
For example, if the value of the X-Forwarded-For field is <originating client IP address, proxy IP-1, proxy IP-2>, you can enter proxy IP-1 and proxy IP-2 in XForwardedForClientSourceIpsTrusted to obtain the originating client IP address.
You can configure this parameter only for HTTP and HTTPS listeners.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
...
listeners:
- port: 80
protocol: HTTP
xForwardedForConfig:
XForwardedForClientSourceIpsEnabled: true # true indicates that ALB is allowed to find the originating client IP address from the X-Forwarded-For header field. In this case, you must configure XForwardedForClientSourceIpsTrusted with content in the correct format. false indicates that ALB is not allowed to find the originating client IP address from the X-Forwarded-For header field.
XForwardedForClientSourceIpsTrusted: 192.168.x.x;192.168.x.x/16 # Enter IP addresses or CIDR blocks in the valid format and separate them with semicolons (;). Do not add spaces between the IP addresses or CIDR blocks. This parameter takes effect only when XForwardedForClientSourceIpsEnabled is set to true.
...Configure ACL-based access control
You can use an AlbConfig to enable the access control feature for an ALB listener. This lets you precisely control client requests and manage request forwarding by setting inbound allow or deny rules. For more information about access control lists (ACLs), see Configure an ACL to implement access control.
apiVersion: alibabacloud.com/v1
kind: AlbConfig
metadata:
name: alb
spec:
config:
#...
listeners:
- port: 80
protocol: HTTP
aclConfig:
aclEntries:
- 127.0.0.1/32
aclType: White
#...The following table describes the fields.
aclType: Specifies the type of ACL for the listener. Valid values areBlackfor a blacklist andWhitefor a whitelist.aclEntries: The CIDR blocks for the access control entries, such as 127.0.0.1/32.
Delete a listener
An instance can have multiple listeners. To delete a listener, run the kubectl edit albconfig <Albconfig_Name> command and remove the listener from the albconfig.spec.listeners field of the AlbConfig.
Before you delete a listener, you must remove all Ingresses associated with it. Otherwise, the listener cannot be deleted and an error is reported.
# Configuration before deleting the listener.
listeners:
- port: 8001
protocol: HTTP
- port: 8002 # Delete the 8002 listener.
protocol: HTTP
# Configuration after deleting the listener.
listeners:
- port: 8001
protocol: HTTPFAQ
An error is reported when you save the AlbConfig YAML file: alb: listener port number must between [1:65535], or you should set listen port explicitly in listener config.
Cause
In the spec.listener section of the AlbConfig YAML file, the - symbol marks the start of a listener configuration. In the incorrect example on the left, three - symbols are used, which defines three separate listeners. The error occurs because the port configuration is missing for the certificates associated with the last - symbol.
Solution
Each listener configuration must start with a single -. In the corrected example on the right, the - before certificates is removed. This includes the certificate configuration within the HTTPS: 443 listener configuration.
Incorrect example that causes an error: | Corrected example: |