Kubernetes - Loadbalancer annotations
Available annotations for Kubernetes load balancers by cloud provider
This page lists the available annotations for Kubernetes Loadbalancer Services for each supported Cloud Provider.
Cloud Provider Annotations
AWS
The Annotations for the AWS Loadbalancer services.
Annotation | Type | Description |
---|---|---|
service.beta.kubernetes.io/aws-load-balancer-access-log-emit-interval | (in minutes) | |
service.beta.kubernetes.io/aws-load-balancer-access-log-enabled | boolean | |
service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name | ||
service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-prefix | ||
service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags | (comma-separated list of key=value) | |
service.beta.kubernetes.io/aws-load-balancer-backend-protocol | http , https | |
service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled | boolean | |
service.beta.kubernetes.io/aws-load-balancer-connection-draining-timeout | (in seconds) | |
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout | (in seconds, default 60) | |
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled | (true | |
service.beta.kubernetes.io/aws-load-balancer-extra-security-groups | (comma-separated list) | |
service.beta.kubernetes.io/aws-load-balancer-healthcheck-healthy-threshold | ||
service.beta.kubernetes.io/aws-load-balancer-healthcheck-interval | ||
service.beta.kubernetes.io/aws-load-balancer-healthcheck-timeout | ||
service.beta.kubernetes.io/aws-load-balancer-healthcheck-unhealthy-threshold | ||
service.beta.kubernetes.io/aws-load-balancer-internal | boolean | |
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol | * | |
service.beta.kubernetes.io/aws-load-balancer-ssl-cert | (IAM or ACM ARN) | |
service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy | ||
service.beta.kubernetes.io/aws-load-balancer-ssl-ports | (default * ) | |
service.beta.kubernetes.io/aws-load-balancer-type | nlb | |
service.beta.kubernetes.io/aws-load-balancer-subnets | comma separated list of subnets this loadbalancer will join |
DigitalOcean
The Annotations for the DigitalOcean Loadbalancer services. See also digitalocean-cloud-controller-manager documentation.
Annotation | Type | Description |
---|---|---|
service.beta.kubernetes.io/do-loadbalancer-name | string | Specifies a custom name for the Load Balancer. |
service.beta.kubernetes.io/do-loadbalancer-protocol | tcp , http , https , http2 , http3 | The default protocol for DigitalOcean Load Balancers. Defaults to tcp |
service.beta.kubernetes.io/do-loadbalancer-healthcheck-port | port | The service port used to check if a backend droplet is healthy. Defaults to the first port in a service. |
service.beta.kubernetes.io/do-loadbalancer-healthcheck-path | string | The path used to check if a backend droplet is healthy. Defaults to "/" |
service.beta.kubernetes.io/do-loadbalancer-healthcheck-protocol | tcp , http , https | The health check protocol to use to check if a backend droplet is healthy |
service.beta.kubernetes.io/do-loadbalancer-healthcheck-check-interval-seconds | number between 3 and 300 | The number of seconds between two consecutive health checks. |
service.beta.kubernetes.io/do-loadbalancer-healthcheck-response-timeout-seconds | number between 3 and 300 | The number of seconds the Load Balancer instance will wait for a response until marking a health check as failed |
service.beta.kubernetes.io/do-loadbalancer-healthcheck-unhealthy-threshold | number between 2 and 10 | The number of times a health check must fail for a backend Droplet to be marked "unhealthy" and be removed from the pool for the given service |
service.beta.kubernetes.io/do-loadbalancer-healthcheck-healthy-threshold | number | The number of times a health check must pass for a backend Droplet to be marked "healthy" for the given service and be re-added to the pool. |
service.beta.kubernetes.io/do-loadbalancer-http-ports | | Specify which ports of the loadbalancer should use the HTTP protocol. |
service.beta.kubernetes.io/do-loadbalancer-tls-ports | | Specify which ports of the loadbalancer should use the HTTPS protocol. |
service.beta.kubernetes.io/do-loadbalancer-tls-passthrough | boolean | Use TLS Passthrough |
service.beta.kubernetes.io/do-loadbalancer-certificate-id | string | Specifies the certificate ID used for https |
service.beta.kubernetes.io/do-loadbalancer-hostname | string | Specifies the hostname used for the Service status.Hostname instead of assigning status.IP directly |
service.beta.kubernetes.io/do-loadbalancer-size-unit | number | Specifies the number of nodes to create the load balancer with |
service.beta.kubernetes.io/do-loadbalancer-sticky-sessions-type | none , cookies | Specifies which sticky session type the loadbalancer should use |
service.beta.kubernetes.io/do-loadbalancer-sticky-sessions-cookie-name | string | Specifies what cookie name to use for the DO load balancer sticky session |
service.beta.kubernetes.io/do-loadbalancer-sticky-sessions-cookie-ttl | number | Specifies the TTL of cookies used for loadbalancer sticky sessions. |
service.beta.kubernetes.io/do-loadbalancer-redirect-http-to-https | boolean | Indicates whether or not http traffic should be redirected to https. |
service.beta.kubernetes.io/do-loadbalancer-disable-lets-encrypt-dns-records | boolean | Specifies whether automatic DNS record creation should be disabled when a Let's Encrypt cert is added to a load balancer. |
service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol | boolean | Indicates whether PROXY protocol should be enabled |
service.beta.kubernetes.io/do-loadbalancer-enable-backend-keepalive | boolean | Indicates whether HTTP keepalive connections should be enabled to backend target droplets |
service.kubernetes.io/do-loadbalancer-disown | boolean | Indicates whether the managed load-balancer should be disowned |
service.beta.kubernetes.io/do-loadbalancer-http-idle-timeout-seconds | number | Specifies the HTTP idle timeout configuration in seconds |
service.beta.kubernetes.io/do-loadbalancer-deny-rules | format {type}:{source} (ex. ip:1.2.3.4,cidr:2.3.0.0/16 ) | Specifies the comma separated DENY firewall rules for the load-balancer |
service.beta.kubernetes.io/do-loadbalancer-allow-rules | {type}:{source} | Specifies the comma separated ALLOW firewall rules for the load-balancer |
Hetzner
The Annotations for the Hetzner Loadbalancer services. See also hcloud-cloud-controller-manager documentation.
Annotation | Type | Description |
---|---|---|
load-balancer.hetzner.cloud/ipv6-disabled | boolean | Disables the use of IPv6 for the Load Balancer. Set this annotation if you use external-dns. Default: false. |
load-balancer.hetzner.cloud/name | string | The name of the Load Balancer. The name will be visible in the Hetzner Cloud API console. |
load-balancer.hetzner.cloud/disable-public-network | boolean | Disables the public network of the Hetzner Cloud Load Balancer. It will still have a public network assigned, but all traffic is routed over the private network. |
load-balancer.hetzner.cloud/disable-private-ingress | boolean | Disables the use of the private network for ingress. |
load-balancer.hetzner.cloud/use-private-ip | boolean | Configures the Load Balancer to use the private IP for Load Balancer server targets. |
load-balancer.hetzner.cloud/hostname | string | Specifies the hostname of the Load Balancer. This will be used as ingress address instead of the Load Balancer IP addresses if specified. |
load-balancer.hetzner.cloud/protocol | tcp , http , https | Specifies the protocol of the service. Default: tcp |
load-balancer.hetzner.cloud/algorithm-type | round_robin , least_connections | Specifies the algorithm type of the Load Balancer. Default: round_robin . |
load-balancer.hetzner.cloud/type | lb11 | Specifies the type of the Load Balancer. Default: lb11. |
load-balancer.hetzner.cloud/location | | Specifies the location where the Load Balancer will be created in. Changing the location to a different value after the load balancer was created has no effect. In order to move a load balancer to a different location it is necessary to delete and re-create it. Note that this will lead to the load balancer getting new public IPs assigned. Mutually exclusive with network-zone . |
load-balancer.hetzner.cloud/network-zone | | Specifies the network zone where the Load Balancer will be created in. Changing the network zone to a different value after the load balancer was created has no effect. In order to move a load balancer to a different network zone it is necessary to delete and re-create it. Note that this will lead to the load balancer getting new public IPs assigned. Mutually exclusive with location . |
load-balancer.hetzner.cloud/node-selector | | Can be set to restrict which Nodes are added as targets to the Load Balancer. It accepts a Kubernetes label selector string, using either the set-based or equality-based formats. If the selector cannot be parsed, the targets in the Load Balancer are not updated and an Event is created with the error message. |
load-balancer.hetzner.cloud/uses-proxyprotocol | | Specifies if the Load Balancer services should use the proxy protocol. Default: false. |
load-balancer.hetzner.cloud/http-cookie-name | string | Specifies the cookie name when using HTTP or HTTPS as protocol. |
load-balancer.hetzner.cloud/http-cookie-lifetime | number | Specifies the lifetime of the HTTP cookie. |
load-balancer.hetzner.cloud/certificate-type | uploaded , managed | Defines the type of certificate the LoadBalancer should use. |
load-balancer.hetzner.cloud/http-certificates | string | A comma separated list of IDs or Names of Certificates assigned to the service. HTTPS only. |
load-balancer.hetzner.cloud/http-managed-certificate-name | string | Contains the names of the managed certificate to create by the Cloud Controller manager. |
load-balancer.hetzner.cloud/http-managed-certificate-domains | string | Contains a comma separated list of the domain names of the managed certificate. All domains are used to create a single managed certificate. |
load-balancer.hetzner.cloud/http-redirect-http | boolean | Create a redirect from HTTP to HTTPS. HTTPS only. |
load-balancer.hetzner.cloud/http-sticky-sessions | | Enables the sticky sessions feature of Hetzner Cloud HTTP Load Balancers. Default: false. |
load-balancer.hetzner.cloud/health-check-protocol | | Sets the protocol the health check should be performed over. Possible values: tcp, http, https. Default: tcp. |
load-balancer.hetzner.cloud/health-check-port | | Specifies the port the health check is performed on. |
load-balancer.hetzner.cloud/health-check-interval | | Specifies the interval, in seconds, at which we perform a health check. |
load-balancer.hetzner.cloud/health-check-timeout | | Specifies the timeout of a single health check. |
load-balancer.hetzner.cloud/health-check-retries | | Specifies the number of times a health check is retried until a target is marked as unhealthy. |
load-balancer.hetzner.cloud/health-check-http-domain | | Specifies the domain we try to access when performing the health check. |
load-balancer.hetzner.cloud/health-check-http-path | | Specifies the path we try to access when performing the health check. |
load-balancer.hetzner.cloud/health-check-http-validate-certificate | | Specifies whether the health check should validate the SSL certificate that comes from the target nodes. |
load-balancer.hetzner.cloud/http-status-codes | | A comma separated list of HTTP status codes which we expect. |
OpenStack
Annotation | Type | Description |
---|---|---|
service.beta.kubernetes.io/openstack-internal-load-balancer | boolean | indicate that we want an internal loadbalancer service |
loadbalancer.openstack.org/floating-network-id | string | indicates that it will create a floating IP for the external loadbalancer service on the specified floating network id |
loadbalancer.openstack.org/floating-subnet-id | string | The external network subnet used to create floating IP for the load balancer VIP. |
loadbalancer.openstack.org/floating-subnet | string | A name pattern (glob or regexp if starting with ~ ) for the external network subnet used to create floating IP for the load balancer VIP |
loadbalancer.openstack.org/floating-subnet-tags | string | Tags for the external network subnet used to create floating IP for the load balancer VIP |
loadbalancer.openstack.org/class | string | Optional loadbalancer class name |
loadbalancer.openstack.org/proxy-protocol | boolean | Enable proxy protocol |
loadbalancer.openstack.org/connection-limit | number | The maximum number of connections per second allowed for the listener. Positive integer or -1 for unlimited (default) |
loadbalancer.openstack.org/keep-floatingip | boolean | If 'true', the floating IP will NOT be deleted. Default is 'false'. |