Help Center/ Cloud Container Engine/ User Guide/ Networking/ Ingresses/ LoadBalancer Ingresses/ Configuring Advanced LoadBalancer Ingress Functions Using Annotations
Updated on 2025-08-19 GMT+08:00
View PDF
Share

Configuring Advanced LoadBalancer Ingress Functions Using Annotations

You can add annotations to a YAML file for more advanced ingress functions. This section describes the annotations that can be used when you create a LoadBalancer ingress.

Indexes

Category

Ingress Annotation

Load balancer configuration

Port or protocol configuration

Advanced features of ELB listeners

Forwarding policy

In a cluster, multiple ingresses can share a listener, allowing them to use the same port on a single load balancer. If two ingresses have different listener configurations, the listener configuration of the earlier ingress (known as the first route) will be used. For details about how to check the first route, see How Can I Determine Which Ingress the Listener Settings Have Been Applied To?

This case involves the following scenarios:

Ensure that the configurations of different listeners for various ingresses are synchronized.

Basic Configurations for Interconnecting with ELB

Application scenarios and use cases:
Table 1 Annotations for interconnecting with ELB

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.class

String

Select a proper load balancer type.

Options:

Default: union

v1.9 or later

kubernetes.io/ingress.class

String
  • cce: A proprietary LoadBalancer ingress is used.
  • nginx: indicates that Nginx Ingress is used. This option is available only after NGINX Ingress Controller is installed. For details, see Creating an Nginx Ingress Using kubectl.

    Multiple NGINX Ingress Controller add-ons can be installed in a single cluster if the add-on version is 2.5.4 or later. In this case, the value of this parameter must be the controller name customized during controller installation, indicating that the ingress is managed by that specific controller.

This parameter is mandatory when you create an ingress. The default value is cce.

For clusters of v1.23 or later, use the parameter ingressClassName. For details, see Creating a LoadBalancer Ingress Using kubectl.

Only clusters of v1.21 or earlier

kubernetes.io/elb.port

String

This parameter indicates the external port registered with the address of the LoadBalancer Service.

The value ranges from 1 to 65535. The default value is 80 for HTTP and 443 for HTTPS.

NOTE:

Some ports on a shared load balancer are highly risky and blocked by default, for example, port 21.

v1.9 or later

kubernetes.io/elb.id

String

When associating only existing load balancers, you can use either this parameter or kubernetes.io/elb.ip. If they conflict, kubernetes.io/elb.id will take precedence.

This parameter indicates the ID of a load balancer.

How to obtain:

Log in to the ELB console and click the load balancer name. On the Summary tab of the load balancer details page, find the ID field and copy it.

v1.9 or later

kubernetes.io/elb.ip

String

When associating only existing load balancers, you can use either this parameter or kubernetes.io/elb.id. If they conflict, kubernetes.io/elb.id will take precedence.

This parameter indicates the IP address of a load balancer.

When creating an ingress, specify a public or private IP address for a shared load balancer. For a dedicated load balancer, only a private IP address can be specified.

v1.9 or later

kubernetes.io/elb.autocreate

Table 23 object

Mandatory when load balancers are automatically created.

Example:

  • Automatically created dedicated load balancer with an EIP bound:

    '{"type":"public","bandwidth_name":"cce-bandwidth-1741230802502","bandwidth_chargemode":"bandwidth","bandwidth_size":5,"bandwidth_sharetype":"PER","eip_type":"5_bgp","available_zone":["*****"],"elb_virsubnet_ids":["*****"],"l7_flavor_name":"L7_flavor.elb.pro.max","l4_flavor_name":"","vip_subnet_cidr_id":"*****"}'

  • Automatically created dedicated load balancer with no EIP bound:

    '{"type":"inner","available_zone":["*****"],"elb_virsubnet_ids":["*****"],"l7_flavor_name":"L7_flavor.elb.pro.max","l4_flavor_name":"","vip_subnet_cidr_id":"*****"}'

  • Automatically created shared load balancer with an EIP bound:

    '{"type":"public","bandwidth_name":"cce-bandwidth-1551163379627","bandwidth_chargemode":"bandwidth","bandwidth_size":5,"bandwidth_sharetype":"PER","eip_type":"5_bgp","name":"james"}'

  • Automatically created shared load balancer with no EIP bound:

    '{"type":"inner", "name": "A-location-d-test"}'

v1.9 or later

kubernetes.io/elb.enterpriseID

String

Optional when load balancers are automatically created.

This parameter is available in clusters of v1.15 or later. In clusters earlier than v1.15, load balancers are created in the default project by default.

This parameter indicates the ID of the enterprise project in which the ELB load balancer will be created.

If this parameter is not specified or is set to 0, resources will be bound to the default enterprise project.

How to obtain:

Log in to the EPS console, click the name of the target enterprise project. On the enterprise project details page, find the ID field and copy the ID.

v1.15 or later

kubernetes.io/elb.subnet-id

String

Optional when load balancers are automatically created.

ID of the subnet where the cluster is located. The value can contain 1 to 100 characters.

  • Mandatory when a cluster of v1.11.7-r0 or earlier is to be automatically created.
  • Optional for clusters of a version later than v1.11.7-r0.

Mandatory for clusters of a version earlier than v1.11.7-r0

Discarded in clusters of a version later than v1.11.7-r0

Configuring ELB Certificates

For details about application scenarios and use cases, see Configuring an HTTPS Certificate for a LoadBalancer Ingress.

Table 2 ELB certificate annotations

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.tls-certificate-ids

String

ELB certificate IDs, which are separated by comma (,). The list length is greater than or equal to 1. The first ID in the list is the server certificate, and the other IDs are SNI certificates in which a domain name must be contained.

How to obtain: Log in to the ELB console and choose Certificates. In the load balancer list, copy the ID under the target certificate name.

v1.19.16-r2, v1.21.5-r0, v1.23.3-r0, or later

kubernetes.io/elb.tls-ciphers-policy

String

The default value is tls-1-2, which is the default security policy used by the listener and takes effect only when HTTPS is used.

Options:

  • tls-1-0
  • tls-1-1
  • tls-1-2
  • tls-1-2-strict
  • tls-1-0-with-1-3 (dedicated load balancer)
  • tls-1-2-fs (dedicated load balancer)
  • tls-1-2-fs-with-1-3 (dedicated load balancer)

For details of cipher suites for each security policy, see Table 3.

Clusters of v1.17.17 or later

kubernetes.io/elb.security_policy_id

String

The ID of the custom security group policy on ELB. Obtain it on the ELB console. This field takes effect only when HTTPS is used and has a higher priority than the default security policy.

For details about how to create and update a custom security policy, see TLS Security Policy.

Clusters of v1.17.17 or later

Adding Resource Tags

For details about application scenarios and use cases, see Automatically Creating a Load Balancer While Creating an Ingress.

Table 3 Annotations

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.tags

String

Add resource tags to a load balancer. This parameter can be configured only when a load balancer is automatically created.

A tag is in the format of "key=value". Use commas (,) to separate multiple tags.

v1.23.11-r0, v1.25.6-r0, v1.27.3-r0, or later

Using HTTP/2

For details about application scenarios and use cases, see Configuring HTTP/2 for a LoadBalancer Ingress.

Table 4 Annotations for using HTTP/2

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.http2-enable

String

Whether HTTP/2 is enabled. Request forwarding using HTTP/2 improves the access performance between your application and the load balancer. However, the load balancer still uses HTTP/1.x to forward requests to the backend server.

Options:

  • true: enabled
  • false: disabled (default value)

Note: HTTP/2 can be enabled or disabled only when the listener uses HTTPS. This parameter is invalid and defaults to false when the listener protocol is HTTP.

v1.23.13-r0, v1.25.8-r0, v1.27.5-r0, v1.28.3-r0, or later

Interconnecting with HTTPS/gRPC Backend Services

For details about application scenarios and use cases, see Configuring HTTPS Backend Services for a LoadBalancer Ingress and Configuring gRPC Backend Services for a LoadBalancer Ingress.

Table 5 Annotations for interconnecting with HTTPS backend services

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.pool-protocol

String

To interconnect with HTTPS backend services, set this parameter to https.

v1.23.8, v1.25.3, or later

To interconnect with GRPC backend services, set this parameter to grpc.

v1.23.10-r20, v1.25.5-r20, v1.27.2-r20, v1.28.1-r0, or later

Configuring Timeout for an Ingress

For details about application scenarios and use cases, see Configuring Timeout for a LoadBalancer Ingress.

Table 6 Annotations for configuring timeout of an ingress

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.keepalive_timeout

String

Timeout for client connections. If there are no requests reaching the load balancer during the timeout duration, the load balancer will disconnect the connection from the client and establish a new connection when there is a new request.

The value ranges from 0 to 4000 (in seconds). The default value is 60.

Dedicated load balancers: v1.19.16-r30, v1.21.10-r10, v1.23.8-r10, v1.25.3-r10, or later

Shared load balancers: v1.23.13-r0, v1.25.8-r0, v1.27.5-r0, v1.28.3-r0, or later

kubernetes.io/elb.client_timeout

String

Timeout for waiting for a request from a client. There are two cases:

  • If the client fails to send a request header to the load balancer during the timeout duration, the request will be interrupted.
  • If the interval between two consecutive request bodies reaching the load balancer is greater than the timeout duration, the connection will be disconnected.

The value ranges from 1 to 300 (in seconds). The default value is 60.

kubernetes.io/elb.member_timeout

String

Timeout for waiting for a response from a backend server. After a request is forwarded to the backend server, if the backend server does not respond within the duration specified by member_timeout, the load balancer will stop waiting and return HTTP 504 Gateway Timeout.

The value ranges from 1 to 300 (in seconds). The default value is 60.

Configuring a Slow Start

For details about application scenarios and use cases, see Configuring a Slow Start for a LoadBalancer Ingress.

Table 7 Annotations for configuring a slow start

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.slowstart

String

Duration of slow start, in seconds.

The slow start duration ranges from 30 to 1200.

  • This configuration applies only to dedicated load balancers.
  • This parameter is valid only when the allocation policy of the target Service is weighted round robin (WRR) and sticky session is disabled.
NOTE:

The load balancer linearly increases the proportion of requests to backend servers in slow start mode. When the configured slow start duration elapses, the load balancer sends full share of requests to backend servers and exits the slow start mode.

v1.23 or later

Configuring Grayscale Release

For details about application scenarios and use cases, see Configuring Grayscale Release for a LoadBalancer Ingress.

Table 8 Annotations for configuring grayscale release

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.canary

String

Grayscale release status for an ingress. If this parameter is set to true, the implementation of grayscale release varies depending on annotation configurations.

Option: true

  • This configuration applies only to dedicated load balancers.
  • If this parameter is set to true, the configuration cannot be deleted or modified.

v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later

kubernetes.io/elb.canary-weight

String

Weight of a grayscale release. After this parameter is configured, the ingress will be grayscale released based on the weight.

  • The value is a positive integer ranging from 0 to 100. It is a percentage of traffic for routing.
  • This parameter is mandatory when an ingress is grayscale released by weight.
  • Do not configure this parameter with other grayscale release functions.

v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later

kubernetes.io/elb.session-affinity-mode

String

After weight-based grayscale release is enabled, configure sticky session.

This parameter can only be set to HTTP_COOKIE for grayscale release.

v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later

kubernetes.io/

elb.session-affinity-option

String

Sticky session timeout after sticky session is enabled for weight-based grayscale release.

The parameter value is a JSON string in the following format:

{"persistence_timeout": "1440"}

Parameters:

  • Timeout range: 1 to 1440
  • Default value: 1440

v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later

kubernetes.io/elb.canary-by-header

String

Key of an ingress header used for grayscale release, indicating the name of a request header. This parameter must be used with kubernetes.io/elb.canary-by-header-value.

Parameters:

Enter 1 to 40 characters. Only letters, digits, hyphens (-), and underscores (_) are allowed.

v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later

kubernetes.io/elb.canary-by-header-value

String

Value of an ingress header used for grayscale release. This parameter must be used with kubernetes.io/elb.canary-by-header.

The parameter value is an array in JSON format, for example:

'{"values":["a","b"]}'

Parameters:

  • Array length: At least one value must be configured.
    • If domain names and paths are configured for an ingress forwarding policy, a maximum of eight values can be configured.
    • If only paths are configured for an ingress forwarding policy, a maximum of nine values can be configured.
  • Enter 1 to 128 characters. Asterisks (*) and question marks (?) are allowed, but spaces and double quotation marks are not allowed. An asterisk can match zero or more characters, and a question mark can match one character.

v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later

kubernetes.io/elb.canary-by-cookie

String

Key of cookie-based grayscale release, indicating the name of a request cookie. This parameter must be used with kubernetes.io/elb.canary-by-cookie-value.

Parameters:

Enter 1 to 100 characters, including letters, digits, and other characters (!%'"()*+,./:=?@^\\-_`~).

v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later

kubernetes.io/elb.canary-by-cookie-value

String

Value of cookie-based grayscale release. This parameter must be used with kubernetes.io/elb.canary-by-cookie.

The parameter value is an array in JSON format, for example:

'{"values":["a","b"]}'

Parameters:

  • Array length: At least one value must be configured.
    • If domain names and paths are configured for an ingress forwarding policy, a maximum of eight values can be configured.
    • If only paths are configured for an ingress forwarding policy, a maximum of nine values can be configured.
  • Enter 1 to 100 characters, including letters, digits, and other characters (!%'"()*+,./:=?@^\\-_`~). Spaces are not allowed.

v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later

kubernetes.io/elb.canary-related-ingress-uid

String

UID of the original ingress associated with the grayscale release ingress, which is used to display the association between the original ingress and the grayscale release ingress.

● Format: character string

● Value: metadata.uid of the original ingress

v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later

Blocklist/Trustlist

For details about application scenarios and use cases, see Configuring a Blocklist/Trustlist Access Policy for a LoadBalancer Ingress.

Table 9 Annotations for ELB access control

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.acl-id

String
  • If this parameter is not specified, CCE does not modify access control on the ELB.
  • If this parameter is left empty, all IP addresses are allowed to access the load balancer.
  • If this parameter is set to the IP address group ID of the load balancer, access control is enabled and you need to configure an IP address blocklist or trustlist for the load balancer. Additionally, you need to configure both kubernetes.io/elb.acl-status and kubernetes.io/elb.acl-type.
    NOTE:

    For clusters of v1.25.16-r10, v1.27.16-r10, v1.28.15-r0, v1.29.10-r0, v1.30.6-r0, v1.31.1-r0, or later, when using a dedicated load balancer, you can select a maximum of five IP address groups at a time, separated by commas (,).

    How to obtain:

    Log in to the ELB console, choose Elastic Load Balance > IP Address Groups, and copy the ID of the target IP address group. For details, see Creating an IP Address Group.

v1.23.12-r0, v1.25.7-r0, v1.27.4-r0, v1.28.2-r0, or later

kubernetes.io/elb.acl-status

String

Access control status. This parameter is mandatory when you configure an IP address blocklist or trustlist for a load balancer. Options:

  • on or true: Access control is enabled.
  • off or false: Access control is disabled.

v1.23.12-r0, v1.25.7-r0, v1.27.4-r0, v1.28.2-r0, or later

kubernetes.io/elb.acl-type

String

IP address list type. This parameter is mandatory when you configure an IP address blocklist or trustlist for a load balancer. Options:

  • black: indicates a blocklist. The selected IP address group cannot access the load balancer.
  • white: indicates a trustlist. Only the selected IP address group can access the load balancer.

v1.23.12-r0, v1.25.7-r0, v1.27.4-r0, v1.28.2-r0, or later

Configuring a Range of Listening Ports

A custom listening port can be configured for an ingress. In this way, both ports 80 and 443 can be exposed.

For details about application scenarios and use cases, see Configuring a Range of Listening Ports for a LoadBalancer Ingress.

Table 10 Annotations for a custom listening port

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.listen-ports

String

Create multiple listening ports for an ingress. The port number ranges from 1 to 65535.

The following is an example for JSON characters:

kubernetes.io/elb.listen-ports: '[{"HTTP":80},{"HTTPS":443}]'
  • Only the listening ports that comply with both HTTP and HTTPS are allowed.
  • This function is available only for newly created ingresses in clusters of a version earlier than v1.23.18-r10, v1.25.16-r0, v1.27.16-r0, v1.28.13-r0, v1.29.8-r0, or v1.30.4-r0. Additionally, after you configure multiple listening ports, the annotations cannot be modified or deleted. In clusters of v1.23.18-r10, v1.25.16-r0, v1.27.16-r0, v1.28.13-r0, v1.29.8-r0, v1.30.4-r0, or later, the annotations can be modified and deleted.
  • If both kubernetes.io/elb.listen-ports and kubernetes.io/elb.port are configured, kubernetes.io/elb.listen-ports takes a higher priority.
  • Ingress configuration items such as the blocklist, trustlist, and timeout concurrently take effect on multiple listening ports. When HTTP/2 is enabled for an ingress, HTTP/2 takes effect only on the HTTPS port.

v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later

Configuring an HTTP/HTTPS Header

For details about application scenarios and use cases, see Configuring an HTTP/HTTPS Header for a LoadBalancer Ingress.

Table 11 Annotations for configuring an HTTP/HTTPS header

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.x-forwarded-port

String

A load balancer can obtain the port number of a listener using X-Forwarded-Port and transmit the port number to the packets of the backend server.

  • true: Enable the function of obtaining a listener port number.
  • false: Disable the function of obtaining a listener port number.

v1.23.13-r0, v1.25.8-r0, v1.27.5-r0, v1.28.3-r0, or later

kubernetes.io/elb.x-forwarded-for-port

String

A load balancer can obtain a client port number for requests using X-Forwarded-For-Port and transmit the port number to the packets of the backend server.

  • true: Enable the function of obtaining a client port number for requests.
  • false: Disable the function of obtaining a client port number for requests.

kubernetes.io/elb.x-forwarded-host

String
  • true: Enable the function of rewriting X-Forwarded-Host. Then, the X-Forwarded-Host header will be rewritten using the Host header of the client request and transmitted to backend servers.
  • false: Disable the function of rewriting X-Forwarded-Host. Then, the X-Forwarded-Host header of the client will be transmitted to backend servers.

kubernetes.io/elb.x-real-ip

String
  • true: Enable the function of rewriting X-Real-IP. The source IP address of the client will be written into the X-Real-IP header and transmitted to the backend servers.
  • false: Disable the function of rewriting X-Real-IP. The X-Real-IP header of the client will be transmitted to the backend servers.

v1.25.16-r30, v1.27.16-r30, v1.28.15-r20, v1.29.13-r0, v1.30.10-r0, v1.31.6-r0, v1.32.1-r0, or later

Enabling GZIP

For details about application scenarios and use cases, see Configuring GZIP Data Compression for a LoadBalancer Ingress.

Table 12 Annotations for enabling GZIP

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.gzip-enabled

String

LoadBalancer ingresses support data compression, which reduces the size of files to be transferred, improves file transfer efficiency, and reduces the bandwidth needed for the transmission.

If this function is enabled, specific files will be compressed. If you do not enable this function, files will not be compressed. By default, data compression is disabled.

The files in the following format can be compressed:

  • Brotli can compress all file formats.
  • GZIP can compress the files of the following types: text/xml, text/plain, text/css, application/javascript, application/x-javascript, application/rss+xml, application/atom+xml, application/xml, and application/json

This function is available only for HTTP/HTTPS listeners of dedicated load balancers. If the advanced configuration for enabling data compression or the target annotation is deleted, the ELB configuration will not be modified.

v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later

Configuring URL Redirection

For details about application scenarios and use cases, see Configuring URL Redirection for a LoadBalancer Ingress.

Table 13 Annotations for configuring URL redirection

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.redirect-url

String

URL for redirection.

Format:

  • HTTPS ingresses: valid URLs starting with https://, for example, https://example.com/
  • HTTP ingresses: valid URLs starting with http:// or https://, for example, https://example.com/

Parameter: This configuration takes effect on all forwarding rules of a single ingress. After the configuration is deleted, the target URL redirection rule will be automatically cleared.

Either this annotation or the annotation of a grayscale release can be configured.

v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later

kubernetes.io/elb.redirect-url-code

String

Code returned after an ingress is redirected to a URL.

Format: The return code can be 301, 302, 303, 307, or 308.

Parameter: The default value is 301.

Configuring URL Rewriting

For details about application scenarios and use cases, see Configuring URL Rewriting for a LoadBalancer Ingress.

Table 14 Annotations for configuring URL rewriting

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.rewrite-target

String

Information about the rewritten path.

Format: A proper rule matching a regular expression must start with a slash (/).

Parameter: This configuration takes effect on the URL of a single ingress matching the regular expression. After the configuration is deleted, the target URL rewriting rule will be automatically cleared.

Either this annotation or the annotation of a grayscale release can be configured.

v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later

Redirecting HTTP to HTTPS

For details about application scenarios and use cases, see Redirecting HTTP to HTTPS for a LoadBalancer Ingress.

Table 15 Annotations for redirecting HTTP to HTTPS

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.ssl-redirect

String

Whether to enable redirection from HTTP to HTTPS.

Format: The value can be true or false.

Parameter: true indicates that redirection is enabled. If the value is false or the parameter is unavailable, redirection is disabled.

NOTE:

Either this annotation or the annotation of a grayscale release can be configured.

If a dedicated load balancer is used, the cluster version must be v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later.

Configuring the Priorities of Forwarding Rules

When ingresses use the same load balancer listener, forwarding rules can be prioritized based on the following rules:

  • Forwarding rules of different ingresses: The rules are sorted based on the priorities (ranging from 1 to 1000) of the kubernetes.io/elb.ingress-order annotation. A smaller value indicates a higher priority.
  • Forwarding rules of an ingress: If the kubernetes.io/elb.rule-priority-enabled annotation is set to true, the forwarding rules are sorted based on the sequence in which they are added during ingress creation. A forwarding rule added earlier indicates a higher priority. If the kubernetes.io/elb.rule-priority-enabled annotation is not configured, the default sorting of the forwarding rules on the load balancer will be used.

If the preceding annotations are not configured, the default sorting of the forwarding rules on the load balancer will be used, regardless of whether the forwarding rules are of the same ingress or different ingresses under the same load balancer listener.

For details about application scenarios and use cases, see Configuring the Priorities of Forwarding Rules for LoadBalancer Ingresses.

Table 16 Annotations for configuring the priorities of forwarding rules

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.ingress-order

String

Specifies the sequence of forwarding rules of different ingresses. The value ranges from 1 to 1000. A smaller value indicates a higher priority. The priority of a forwarding rule must be unique under the same load balancer listener.

This parameter is available only for dedicated load balancers.

NOTE:
  • When this annotation is configured, the kubernetes.io/elb.rule-priority-enabled annotation is enabled by default. The forwarding rules of each ingress will be sorted.
  • CCE sorts all forwarding policies for a given listener based on the order of the ingresses and the forwarding policy settings within those ingresses. The configured value does not correspond to the priority of the load balancer forwarding policy.

v1.23.15-r0, v1.25.10-r0, v1.27.7-r0, v1.28.5-r0, v1.29.1-r10, or later

kubernetes.io/elb.rule-priority-enabled

String

This parameter can only be set to true, indicating to sort the forwarding rules of an ingress. The priorities of the forwarding rules are determined based on the sequence in which they are added during ingress creation. A forwarding rule added earlier indicates a higher priority.

If this parameter is not configured, the default sorting of the forwarding rules on the load balancer will be used. After this parameter is enabled, it cannot be disabled.

This parameter is available only for dedicated load balancers.

Configuring a Custom Header Forwarding Policy

For details about application scenarios and use cases, see Configuring a Custom Header Forwarding Policy for a LoadBalancer Ingress.

Table 17 Annotations for configuring a custom header forwarding policy

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.headers.${svc_name}

String

Custom header of the Service associated with an ingress. ${svc_name} is the Service name.

Format: a JSON string, for example, {"key": "test", "values": ["value1", "value2"]}

  • A key-value pair represents the key and value of a custom header. You can configure up to nine values. However, if a header with the key host is specified, only eight values can be configured.

    Enter 1 to 40 characters for a key. Only letters, digits, hyphens (-), and underscores (_) are allowed.

    Enter 1 to 128 characters for a value. Asterisks (*) and question marks (?) are allowed, but spaces and double quotation marks are not allowed. An asterisk can match zero or more characters, and a question mark can match one character.

  • Either a custom header or grayscale release can be configured.
  • Enter 1 to 51 characters for ${svc_name}.

v1.23.16-r0, v1.25.11-r0, v1.27.8-r0, v1.28.6-r0, v1.29.2-r0, or later

Configuring a Custom EIP

For details about application scenarios and use cases, see Configuring a Custom EIP for a LoadBalancer Ingress.

Table 18 Annotations of custom EIP configurations

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.custom-eip-id

String

ID of the custom EIP, which can be seen on the EIP console.

The EIP must be bindable.

v1.23.18-r0, v1.25.13-r0, v1.27.10-r0, v1.28.8-r0, v1.29.4-r0, v1.30.1-r0, or later

Configuring Cross-Origin Access

For details about application scenarios and use cases, see Configuring Cross-Origin Access for LoadBalancer Ingresses.

Table 19 Annotations for configuring cross-origin access

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.cors-allow-origin

Array[string]

Specify Access-Control-Allow-Origin for the origin that can be accessed.

Options:

  • Wildcard (*): indicates that all domain names can be accessed.
  • Domain names: start with http:// or https://. Level-1 wildcard domain names are supported. The format is http(s)://example.com or http(s)://example.com:port, where the port number ranges from 1 to 65535.

    You can enter multiple values by separating them with commas (,).

v1.23.18-r10, v1.25.16-r0, v1.27.16-r0, v1.28.13-r0, v1.29.8-r0, v1.30.4-r0, or later

kubernetes.io/elb.cors-allow-headers

Array[string]

Specify Access-Control-Allow-Headers for allowed request headers. You can enter multiple values by separating them with commas (,).

kubernetes.io/elb.cors-expose-headers

Array[string]

Specify Access-Control-Expose-Headers for custom response headers that can be accessed by a cross-origin request. This allows you to retrieve non-standard response headers using client-side JavaScript code. You can enter multiple values by separating them with commas (,).

kubernetes.io/elb.cors-allow-methods

Array[string]

Specify Access-Control-Allow-Methods for allowed HTTP request methods.

You can enter multiple values by separating them with commas (,).

kubernetes.io/elb.cors-allow-credentials

String

Specify Access-Control-Allow-Credentials to control the sending of credentials (such as cookies).

Options:

  • true: Credentials can be sent.
  • false: Credentials cannot be sent.

Once configured, the settings cannot be deleted. To remove the configuration, use kubernetes.io/elb.cors-disabled to delete all cross-origin settings.

kubernetes.io/elb.cors-max-age

String

Specify Access-Control-Max-Age for the cache duration of a CORS pre-check request. Unit: second. Value range: -1 to 172800

Properly configure this parameter based on service requirements. If the value is too low, pre-check requests may happen frequently. If the value is too high, the CORS policy may not take effect immediately.

kubernetes.io/elb.cors-disabled

String

Specify whether to disable all cross-origin settings. Options:

  • true: disables all cross-origin settings. The parameter values in the YAML file will not be deleted, but all cross-origin settings will not take effect.
  • false: default value, indicating that the cross-origin settings take effect based on your settings.

Configuring Advanced Forwarding Rules

For details about application scenarios and use cases, see Configuring an Advanced Forwarding Policy for a LoadBalancer Ingress.

Table 20 Annotations for advanced forwarding rules

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.conditions.${svc_name}

String

Configure an advanced forwarding rule. ${svc_name} indicates the Service name, which can contain a maximum of 51 characters.

If the annotation value is set to [], the advanced forwarding rule will be deleted.

The annotation value is a JSON array. For details, see Table 4.

NOTICE:
  • Due to ELB API restrictions, a kubernetes.io/elb.conditions.{svcName} can contain a maximum of 10 key-value pairs.
  • The rules in a condition array are connected by an AND relationship, while the values in the same rule block are connected by an OR relationship. For example, if both Method and QueryString are configured, the target traffic can be distributed only when both rules are met. However, if the Method value is GET or POST, the target traffic can be distributed only when both rules are met and the Method value must be GET or POST.

v1.23.18-r10, v1.25.16-r0, v1.27.16-r0, v1.28.13-r0, v1.29.8-r0, v1.30.4-r0, or later

Configuring Advanced Forwarding Actions

For details about application scenarios and use cases, see Configuring an Advanced Forwarding Policy for a LoadBalancer Ingress.

Table 21 Annotations for configuring advanced forwarding actions

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.actions.${svc_name}

String

Advanced forwarding action of the Service associated with an ingress. ${svc_name} indicates the Service name, which can contain a maximum of 51 characters.

The annotation value is a JSON array. If it is set to [], the advanced forwarding action will be deleted.

The following advanced forwarding actions are supported:

The forwarding actions supported by clusters vary depending on the cluster version. For details, see Table 2.

Configuring IP Addresses as Backend Servers

For details about application scenarios and use cases, see Configuring IP Addresses as Backend Servers for a LoadBalancer Ingress.

Table 22 Annotations for configuring IP addresses as backend servers

Parameter

Type

Description

Supported Cluster Version

kubernetes.io/elb.ip-target-enabled

String
Enable IP addresses as backend servers for a load balancer. After this function is enabled, the backend IP addresses added to the associated Service or ingress are all IP addresses in VPC subnets. For a CCE Turbo cluster, the backend is <pod-IP-address>:<target-port>. For a CCE standard cluster, the backend is <node-IP-address>:<NodePort>.
  • true: Enable IP addresses as backend servers.
  • Other values are not supported.
CAUTION:
  • Only dedicated load balancers support this function.
  • This function can only be enabled during Service or ingress creation. The annotation cannot be added to or removed from an existing Service or ingress. To use this function, you must create a Service or an ingress.
  • If the load balancer associated with a Service or ingress does not have IP as a backend enabled, CCE will automatically enable it after the annotation is added. Once enabled, IP as a backend cannot be disabled.
  • Ensure that the backend subnets of the load balancer associated with the Service or ingress have sufficient IP addresses, or this function cannot be used. If the IP addresses are not enough, you can add more backend subnets on the Summary page of the load balancer.
  • For more details, see Using IP as a Backend to Route Traffic Across Backend Servers.

v1.25.16-r30, v1.27.16-r30, v1.28.15-r20, v1.29.13-r0, v1.30.10-r0, v1.31.6-r0, v1.32.1-r0, or later

Parameters for Automatically Creating a Load Balancer

Table 23 elb.autocreate data structure

Parameter

Mandatory

Type

Description

name

No

String

Name of the automatically created load balancer.

The value can contain 1 to 64 characters. Only letters, digits, underscores (_), hyphens (-), and periods (.) are allowed.

Default: cce-lb+service.UID

type

No

String

Network type of the load balancer.

  • public: public network load balancer
  • inner: private network load balancer

Default: inner

bandwidth_name

Yes for public network load balancers

String

Bandwidth name. The default value is cce-bandwidth-******.

The value can contain 1 to 64 characters. Only letters, digits, underscores (_), hyphens (-), and periods (.) are allowed.

bandwidth_chargemode

Yes for public network load balancers

String

Bandwidth billing mode.

  • bandwidth: billed by bandwidth
  • traffic: billed by traffic

bandwidth_size

Yes for public network load balancers

Integer

Bandwidth size. The value ranges from 1 Mbit/s to 2000 Mbit/s by default. Configure this parameter based on the bandwidth range allowed in your region.

The minimum increment for bandwidth adjustment varies depending on the bandwidth range.
  • The minimum increment is 1 Mbit/s if the allowed bandwidth does not exceed 300 Mbit/s.
  • The minimum increment is 50 Mbit/s if the allowed bandwidth ranges from 300 Mbit/s to 1000 Mbit/s.
  • The minimum increment is 500 Mbit/s if the allowed bandwidth exceeds 1000 Mbit/s.

bandwidth_sharetype

Yes for public network load balancers

String

Bandwidth sharing mode.

  • PER: dedicated bandwidth

eip_type

Yes for public network load balancers

String

EIP type.

  • 5_telcom: China Telecom
  • 5_union: China Unicom
  • 5_bgp: dynamic BGP
  • 5_sbgp: static BGP

The types vary by region. For details, see the EIP console.

vip_subnet_cidr_id

No

String

The ID of the IPv4 subnet where the load balancer resides. This subnet is used to allocate IP addresses for the load balancer to provide external services. The IPv4 subnet must belong to the cluster's VPC.

If this parameter is not specified, the load balancer and the cluster will be in the same subnet by default.

This field can be specified only for clusters of v1.21 or later.

How to obtain:

Log in to the VPC console. In the navigation pane, choose Subnets. Filter the target subnet by the cluster's VPC name, click the subnet name, and copy the IPv4 Subnet ID on the Summary tab.

ipv6_vip_virsubnet_id

No

String

The ID of the IPv6 subnet where the load balancer is deployed. IPv6 must be enabled for the subnet.

This parameter is available only for dedicated load balancers.

How to obtain:

Log in to the VPC console. In the navigation pane, choose Subnets. Filter the target subnet by the cluster's VPC name, click the subnet name, and copy the Network ID on the Summary tab.

elb_virsubnet_ids

No

Array of strings

The network ID of the subnet where the load balancer is located. This subnet is used to allocate IP addresses for accessing the backend server. If this parameter is not specified, the subnet specified by vip_subnet_cidr_id will be used by default. Load balancers occupy varying numbers of subnet IP addresses based on their specifications. Do not use the subnet CIDR blocks of other resources (such as clusters or nodes) as the load balancer's CIDR block.

This parameter is available only for dedicated load balancers.

Example:

"elb_virsubnet_ids": [
   "14567f27-8ae4-42b8-ae47-9f847a4690dd"
 ]

How to obtain:

Log in to the VPC console. In the navigation pane, choose Subnets. Filter the target subnet by the cluster's VPC name, click the subnet name, and copy the Network ID on the Summary tab.

vip_address

No

String

Private IP address of the load balancer. Only IPv4 addresses are supported.

The IP address must be in the ELB CIDR block. If this parameter is not specified, an IP address will be automatically assigned from the ELB CIDR block.

This parameter is available only in clusters of v1.23.11-r0, v1.25.6-r0, v1.27.3-r0, or later versions.

available_zone

Yes

Array of strings

AZ where the load balancer is located.

You can obtain all supported AZs by getting the AZ list.

This parameter is available only for dedicated load balancers.

l4_flavor_name

No

String

Flavor name of the Layer 4 load balancer. This parameter is mandatory when TCP, TLS, or UDP is used.

You can obtain all supported types by getting the flavor list.

This parameter is available only for dedicated load balancers.

l7_flavor_name

No

String

Flavor name of the Layer 7 load balancer. This parameter is mandatory when HTTP is used.

You can obtain all supported types by getting the flavor list.

This parameter is available only for dedicated load balancers. Its value must match that of l4_flavor_name, meaning both must be either elastic specifications or fixed specifications.
Parent Topic: LoadBalancer Ingresses