Updated on 2026-06-16 GMT+08:00

Configuring TLS for a LoadBalancer Service

TLS can be used if ultra-high performance and large-scale TLS offloading are required. You can use TLS to forward encrypted TCP requests from clients for a Service.

Service TLS relies on ELB. Before enabling TLS on a Service, check whether TLS is supported in the current region.

Prerequisites

  • A Kubernetes cluster is available and the cluster version meets the following requirements:
    • v1.23: v1.23.14-r0 or later
    • v1.25: v1.25.9-r0 or later
    • v1.27: v1.27.6-r0 or later
    • v1.28: v1.28.4-r0 or later
    • Other clusters of later versions
  • To create a cluster using commands, ensure kubectl is used. For details, see Accessing a Cluster Using kubectl.

Notes and Constraints

When TLS is used, sticky session is not allowed.

Creating a LoadBalancer Service and Configuring TLS

Use one of the following methods.

  1. Log in to the CCE console and click the cluster name to access the cluster console.
  2. In the navigation pane, choose Services & Ingresses. In the upper right corner, click Create Service.

    In this example, only mandatory parameters for configuring SNI are listed. Retain the default settings for other parameters. For details, see Using the CCE Console (New Version).

  3. Configure basic parameters.

    Parameter

    Description

    Example

    Service Type

    Select LoadBalancer.

    None

    Service Name

    Enter a name, which can be the same as the workload name.

    nginx

    Namespace

    Select the namespace that the workload belongs to.

    default

    Selector

    Add the key and value of a pod label. The Service will be associated with the workload pods based on the label and direct traffic to the pods with this label.

    You can also click Reference Workload Label to use the label of an existing workload. In the dialog box displayed, select a workload and click OK.

    app:nginx

  4. Configure load balancer parameters.

    Parameter

    Description

    Example

    Load Balancer

    Select a load balance type and how the load balancer will be created. To enable TLS on the listener port of a dedicated load balancer, the type of the load balancer must be Network (TCP/UDP/TLS) or Network (TCP/UDP/TLS) & Application (HTTP/HTTPS).
    • Use existing: Only the load balancers in the same VPC as the cluster can be selected. If no load balancer is available, click Create Load Balancer to create one on the ELB console.
    • Auto create: The load balancer will be created in the VPC that the cluster belongs to. For details, see Table 1.

    An existing Dedicated load balancer of the Network (TCP/UDP/TLS) & Application (HTTP/HTTPS) type

  5. Configure access parameters.

    Parameter

    Description

    Example

    Service Affinity

    Whether to route external traffic to a local node or a cluster-wide endpoint. For details, see Service Affinity (externalTrafficPolicy).
    • Cluster-level: The IP addresses and ports of all nodes in a cluster can access the workload associated with the Service. However, accessing the Service may result in decreased performance due to route redirection, and the client's source IP address may not be obtainable.
    • Node-level: Only the IP address and port of the node where the workload is located can access the workload associated with the Service. Accessing the Service will not result in a performance decrease due to route redirection, and the client's source IP address can be obtained.

    Cluster-level

    Port

    • Protocol: the protocol used by the Service. According to the Kubernetes implementation, if a Service uses a load balancer with a non-UDP protocol, this parameter must be set to TCP and the corresponding listener frontend protocol must be selected. For details, see Protocols for Services.
    • Container Port: the port that the workload listens on. For example, Nginx uses port 80 by default.
    • Service Port: the port used by the Service.
      • Listen on a port: The port ranges from 1 to 65535.
      • Listen on ports: ELB allows you to create listeners that listen on ports within specified ranges. Each listener can support up to 10 non-overlapping port ranges.

        To configure port ranges for load balancer listeners, ensure the following conditions are met:

        • The cluster version must be v1.23.18-r0, v1.25.13-r0, v1.27.10-r0, v1.28.8-r0, v1.29.4-r0, v1.30.1-r0, or later.
        • A dedicated load balancer must be used with TCP/UDP/TLS selected.
        • This function requires ELB. Before using this function, check whether ELB supports full-port listening and forwarding for layer-4 protocols in the current region.
    • Frontend Protocol: Set the protocol of the load balancer listener for establishing connections with clients. When a dedicated load balancer is selected, HTTP/HTTPS can be configured only when Application (HTTP/HTTPS) is selected, and TLS can be configured only when Network (TCP/UDP/TLS) is selected.
    NOTE:

    When a LoadBalancer Service is created, a random node port number (NodePort) is automatically generated.

    • Protocol: TCP
    • Container Port: 80
    • Service Port: 80
    • Frontend Protocol: TLS

  6. Configure listener parameters.

    Parameter

    Description

    Constraint

    Example

    SSL Authentication

    • One-way authentication: Only the backend server is authenticated. If you also need to authenticate the identity of the client, select two-way authentication.
    • Two-way authentication: Both the clients and the load balancer authenticate each other. This ensures only authenticated clients can access the load balancer. No additional backend server configuration is required if you select this option.

    This parameter is available only when Frontend Protocol is set to HTTPS or TLS.

    Dedicated load balancers are available in clusters v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later. Shared load balancers are available in clusters v1.28.15-r60, v1.29.15-r20, v1.30.14-r20, v1.31.10-r20, v1.32.6-r20, v1.33.5-r10, or later.

    One-way authentication

    CA Certificate

    If SSL Authentication is set to Two-way authentication, add a CA certificate to authenticate the client. A CA certificate is issued by a Certificate Authority (CA) and is used to verify the issuer of the client's certificate. If HTTPS two-way authentication is enabled, HTTPS connections can be established only if the client provides a certificate issued by a specific CA.

    This parameter is available only when Frontend Protocol is set to HTTPS or TLS and SSL Authentication is set to Two-way authentication.

    None

    Server Certificate

    Select a server certificate. If no certificate is available, create one on the ELB console. For details, see Adding a Certificate.

    This parameter is available only when Frontend Protocol is set to HTTPS or TLS.

    cert-test

  7. Configure a backend routing policy.

    Parameter

    Description

    Constraint

    Example Value

    Backend Protocol

    Protocol used by the load balancer to forward requests to backend servers. Backend servers must listen on this protocol and respond to requests.

    If Frontend Protocol is set to TLS, the backend protocol can be TCP or TLS. The default value is TCP.

    NOTE:

    When multiple ports are added, if the frontend protocols of some ports are not TLS, this configuration takes effect only for TLS ports.

    This parameter is only available in clusters v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later.

    TCP

  8. Click Create.
  1. Log in to the CCE console and click the cluster name to access the cluster console.
  2. In the navigation pane, choose Services & Ingresses. In the upper right corner, click Create Service.
  3. Configure Service parameters. In this example, only mandatory parameters required for using TLS are listed. For details about how to configure other parameters, see Using the CCE Console (Old Version).

    • Service Name: Specify a Service name, which can be the same as the workload name.
    • Service Type: Select LoadBalancer.
    • Selector: Add a label and click Confirm. The Service will use this label to select pods. You can also click Reference Workload Label to use the label of an existing workload. In the dialog box that is displayed, select a workload and click OK.
    • Load Balancer: Select a load balancer type and creation mode.
      • In this example, only dedicated load balancers are supported, and the type of the load balancer must be Network (TCP/UDP/TLS) or Network (TCP/UDP/TLS) & Application (HTTP/HTTPS). Otherwise, TLS cannot be enabled on the listener port.
      • This section uses an existing load balancer as an example. For details about the parameters for automatically creating a load balancer, see Table 4.
    • Port
      • Protocol: Select TCP. If you select UDP, TLS will be unavailable.
      • Service Port: the port used by the Service. The port ranges from 1 to 65535.
      • Container Port: the port that the workload listens on. For example, Nginx uses port 80 by default.
      • Frontend Protocol: In this example, select TLS for the Service. For a dedicated load balancer, to use TLS, the type of the load balancer must be Network (TCP/UDP/TLS).
    • Listener
      • SSL Authentication: Select this option if Frontend Protocol is set to HTTPS or TLS. Dedicated load balancers are available in clusters v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later. Shared load balancers are available in clusters v1.28.15-r60, v1.29.15-r20, v1.30.14-r20, v1.31.10-r20, v1.32.6-r20, v1.33.5-r10, or later.
        • One-way authentication: Only the backend server is authenticated. If you also need to authenticate the identity of the client, select two-way authentication.
        • Two-way authentication: Both the clients and the load balancer authenticate each other. This ensures only authenticated clients can access the load balancer. No additional backend server configuration is required if you select this option.
      • CA Certificate: If SSL Authentication is set to Two-way authentication, add a CA certificate to authenticate the client. A CA certificate is issued by a certificate authority (CA) and used to verify the certificate issuer. If two-way authentication is required, connections can be established only when the client provides a certificate issued by a specific CA.
      • Server Certificate: Select a server certificate. If no certificate is available, create one on the ELB console. For details, see Adding a Certificate.
      • ProxyProtocol: transfers the source IP addresses of clients to backend servers.

        Ensure the backend servers support ProxyProtocol. Otherwise, services may be interrupted.

      • Security Policy: If Frontend Protocol is set to TLS, you can select a security policy. This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later versions.
      • Backend Protocol: If Frontend Protocol is set to TLS, TCP or TLS can be used to access the backend server. The default value is TCP. This parameter is available only in clusters of v1.23.14-r0, v1.25.9-r0, v1.27.6-r0, v1.28.4-r0, or later versions.
    Figure 1 Configuring TLS

  4. Click OK.
This section uses an existing load balancer as an example. An example YAML file of a TLS-compliant Service is as follows:
apiVersion: v1
kind: Service
metadata:
  name: test-tls
  labels:
    app: nginx
  namespace: default
  annotations:
    kubernetes.io/elb.class: performance                                        # Load balancer type, which can only be performance (dedicated load balancer) supported by a TLS listener
    kubernetes.io/elb.id: 35cb350b-23e6-4551-ac77-10d5298f5204                  # ID of an existing load balancer
    kubernetes.io/elb.protocol-port: tls:443                                    # Port on which TLS is to be enabled
    kubernetes.io/elb.cert-id: 98e91cb03dea418582a438a212b461d5                 # TLS server certificate
    kubernetes.io/elb.tls-certificate-ids: e59934f5bc7044f58693de79f1cb4b6d     # TLS SNI certificate
    kubernetes.io/elb.client-ca-cert-id: 5b5178323a2f4eddbafed065945d9069       # Client CA certificate in TLS two-way authentication
    kubernetes.io/elb.proxy-protocol-enable: 'true'                             # ProxyProtocol for transferring the IP addresses of clients to backend servers
    kubernetes.io/elb.security-pool-protocol: 'on'                              # Backend security protocol. If this function is enabled, the backend protocol is TLS. Otherwise, the backend protocol is TCP.
    kubernetes.io/elb.security-policy-id: 175318e0-b6cb-44c5-80a2-0dc372f20df5  # ID of the custom security policy, whose priority is higher than that of the preset security policy
    kubernetes.io/elb.tls-ciphers-policy: tls-1-2-fs                            # Preset security policy
spec:
  selector:
    app: nginx
  externalTrafficPolicy: Cluster
  ports:
    - name: cce-service-0
      targetPort: 80
      nodePort: 0
      port: 443
      protocol: TCP
  type: LoadBalancer
  loadBalancerIP: **.**.**.**
Table 1 Key parameters

Parameter

Type

Description

kubernetes.io/elb.protocol-port

String

If a Service is TLS/HTTP/HTTPS-compliant, configure the protocol and port number in the format of "protocol:port".

where,

  • protocol: specifies the protocol used by the listener port. The value can be tls, http, or https.
  • port: Service port specified by spec.ports[].port.

For example, to create a TLS listener, the Service protocol must be tls and the Service port must be 443. Therefore, the parameter value is tls:443.

kubernetes.io/elb.cert-id

String

ID of an ELB certificate, which is used as the TLS/HTTPS server certificate.

To obtain the certificate, log in to the CCE console, choose Service List > Networking > Elastic Load Balance, and click Certificates in the navigation pane. In the certificate list, copy the ID under the target certificate name.

kubernetes.io/elb.tls-certificate-ids

String

In ELB, the IDs of SNI certificates that must contain a domain name are separated by commas (,). To change an ID, remove the SNI certificate by specifying an empty string "".

To obtain the certificate, log in to the CCE console, choose Service List > Networking > Elastic Load Balance, and click Certificates in the navigation pane. In the certificate list, copy the ID under the target certificate name.

kubernetes.io/elb.client-ca-cert-id

String

ID of an ELB CA certificate. A CA certificate is issued by a certificate authority (CA) and used to verify the certificate issuer. If TLS/HTTPS two-way authentication is required, TLS/HTTPS connections can be established only when the client provides a certificate issued by a specific CA. To change an ID, remove the CA certificate by specifying an empty string "".

To obtain the certificate, log in to the CCE console, choose Service List > Networking > Elastic Load Balance, click Certificates in the navigation pane, and filter CA certificates. In the certificate list, copy the ID under the target certificate name.

kubernetes.io/elb.security-pool-protocol

String

If the frontend protocol of a listener is TLS or HTTPS, you can enable the backend security protocol TLS or HTTPS. The backend security protocol of an existing listener cannot be changed. The modification takes effect only on new listeners that are created by changing the protocol or port.

  • on/true: enabled
  • off/false: disabled
NOTE:

When multiple ports are added, if the frontend protocols of some ports are not TLS, this configuration takes effect only for TLS ports.

kubernetes.io/elb.security-policy-id

String

ID of a custom security policy, whose priority is higher than that of a preset security policy. To change an ID, remove the policy by specifying an empty string "".

To obtain a security policy, log in to the CCE console, choose Service List > Networking > Elastic Load Balance > TLS Security Policies, and click the Custom Security Policies tab. In the security policy list, copy the ID under the target policy.

kubernetes.io/elb.tls-ciphers-policy

String

Preset security policy, which is tls-1-0 by default.

To obtain a security policy, log in to the CCE console, choose Service List > Networking > Elastic Load Balance > TLS Security Policies, and click the Default Security Policies tab. In the security policy list, copy the name of the target policy.

kubernetes.io/elb.proxy-protocol-enable

String

ProxyProtocol is enabled, which is available only when the frontend protocol is TLS. ProxyProtocol can be used to transfer the IP addresses of clients to backend servers.

  • on/true: enabled
  • off/false: disabled
NOTE:

Ensure the backend servers support ProxyProtocol. Otherwise, services may be interrupted.

Verifying Configuration

  1. Log in to the CCE console and click the cluster name to access the cluster console.
  2. In the navigation pane, choose Services. Locate the row that contains the created Service. The access protocol of the port should be TLS.