Help Center/ Cloud Container Engine/ User Guide/ Networking/ Services/ LoadBalancer/ Certificate and Security Management/ Configuring a Blocklist/Trustlist Access Policy for a LoadBalancer Service
Updated on 2026-06-16 GMT+08:00

Configuring a Blocklist/Trustlist Access Policy for a LoadBalancer Service

When using a LoadBalancer Service, you can configure a trustlist or blocklist to specify the IP addresses that are allowed or denied accessing a load balancer listener.

  • Trustlist: Only the IP addresses in the list can access the listener.
  • Blocklist: The IP addresses in the list are not allowed to access the listener.

After a blocklist or trustlist access policy is configured, if you delete the blocklist or trustlist access policy configuration on the CCE console or delete the target annotation from the YAML file, the configuration on the ELB will be retained.

Prerequisites

  • A Kubernetes cluster is available and the cluster version meets the following requirements:
    • v1.23: v1.23.12-r0 or later
    • v1.25: v1.25.7-r0 or later
    • v1.27: v1.27.4-r0 or later
    • v1.28: v1.28.2-r0 or later
    • Other clusters of later versions
  • An IP address group has been created on the ELB console. For details, see Creating an IP Address Group.

Creating a LoadBalancer Service and Configuring a Blocklist/Trustlist Access Policy

Use one of the following methods.

  1. Log in to the CCE console and click the cluster name to access the cluster console.
  2. In the navigation pane, choose Services & Ingresses. In the upper right corner, click Create Service.

    In this example, only mandatory parameters for configuring SNI are listed. Retain the default settings for other parameters. For details, see Using the CCE Console (New Version).

  3. Configure basic parameters.

    Parameter

    Description

    Example

    Service Type

    Select LoadBalancer.

    None

    Service Name

    Enter a name, which can be the same as the workload name.

    nginx

    Namespace

    Select the namespace that the workload belongs to.

    default

    Selector

    Add the key and value of a pod label. The Service will be associated with the workload pods based on the label and direct traffic to the pods with this label.

    You can also click Reference Workload Label to use the label of an existing workload. In the dialog box displayed, select a workload and click OK.

    app:nginx

  4. Configure load balancer parameters.

    Parameter

    Description

    Example

    Load Balancer

    Select a load balance type and how the load balancer will be created.
    • Use existing: Only the load balancers in the same VPC as the cluster can be selected. If no load balancer is available, click Create Load Balancer to create one on the ELB console.
    • Auto create: The load balancer will be created in the VPC that the cluster belongs to. For details, see Table 1.

    An existing Dedicated load balancer of the Network (TCP/UDP/TLS) & Application (HTTP/HTTPS) type

  5. Configure access parameters.

    Parameter

    Description

    Example

    Service Affinity

    Whether to route external traffic to a local node or a cluster-wide endpoint. For details, see Service Affinity (externalTrafficPolicy).
    • Cluster-level: The IP addresses and ports of all nodes in a cluster can access the workload associated with the Service. However, accessing the Service may result in decreased performance due to route redirection, and the client's source IP address may not be obtainable.
    • Node-level: Only the IP address and port of the node where the workload is located can access the workload associated with the Service. Accessing the Service will not result in a performance decrease due to route redirection, and the client's source IP address can be obtained.

    Cluster-level

    Port

    • Protocol: the protocol used by the Service. According to the Kubernetes implementation, if a Service uses a load balancer with a non-UDP protocol, this parameter must be set to TCP and the corresponding listener frontend protocol must be selected. For details, see Protocols for Services.
    • Container Port: the port that the workload listens on. For example, Nginx uses port 80 by default.
    • Service Port: the port used by the Service.
      • Listen on a port: The port ranges from 1 to 65535.
      • Listen on ports: ELB allows you to create listeners that listen on ports within specified ranges. Each listener can support up to 10 non-overlapping port ranges.

        To configure port ranges for load balancer listeners, ensure the following conditions are met:

        • The cluster version must be v1.23.18-r0, v1.25.13-r0, v1.27.10-r0, v1.28.8-r0, v1.29.4-r0, v1.30.1-r0, or later.
        • A dedicated load balancer must be used with TCP/UDP/TLS selected.
        • This function requires ELB. Before using this function, check whether ELB supports full-port listening and forwarding for layer-4 protocols in the current region.
    • Frontend Protocol: Set the protocol of the load balancer listener for establishing connections with clients. When a dedicated load balancer is selected, HTTP/HTTPS can be configured only when Application (HTTP/HTTPS) is selected and TLS can be configured only when Network (TCP/UDP/TLS) is selected.
    NOTE:

    When a LoadBalancer Service is created, a random node port number (NodePort) is automatically generated.

    • Protocol: TCP
    • Container Port: 80
    • Service Port: 80
    • Frontend Protocol: HTTP

  6. Configure listener parameters.

    Parameter

    Description

    Example

    Access Control

    • Inherit ELB Configurations: CCE does not modify the existing access control configurations on the ELB console.
    • Allow all IP addresses: No access control is configured.
    • Trustlist: Only the selected IP address group can access the load balancer.
    • Blocklist: The selected IP address group cannot access the load balancer.
    NOTE:

    For clusters v1.25.16-r10, v1.27.16-r10, v1.28.15-r0, v1.29.10-r0, v1.30.6-r0, v1.31.1-r0, or later, when using a dedicated load balancer, you can select a maximum of five IP address groups at a time for access control.

    Blocklist

    Access Control (status)

    This parameter is mandatory only if a blocklist or trustlist is configured. Use this function to separately control whether the blocklist or trustlist configuration is enabled.

    Enable

  7. Click Create.
  1. Log in to the CCE console and click the cluster name to access the cluster console.
  2. Choose Services and Ingresses in the navigation pane, click the Services tab, and click Create Service in the upper right corner.
  3. Configure Service parameters.

    • Service Name: Enter a service name, for example, service-acl.
    • Service Type: Select LoadBalancer.
    • Service Affinity: Select cluster level or node level as needed. For details about the differences, see Service Affinity (externalTrafficPolicy).
    • Selector: Add a label and click Confirm. The Service will use this label to select pods. You can also click Reference Workload Label to use the label of an existing workload. In the dialog box that is displayed, select a workload and click OK.
    • Load Balancer

      Select a load balancer to be accessed. Only load balancers in the same VPC as the cluster are supported. If no load balancer is available, click Create Load Balancer to create one on the ELB console. Alternatively, select Auto create to create a load balancer. For details about parameter settings, see Table 4.

    • Health Check: defaults to Global health check. You can configure this parameter as needed.
    • Port
      • Protocol: the protocol used by the Service.
      • Service Port: the port used by the Service. The port ranges from 1 to 65535.
      • Container Port: the port that the workload listens on. For example, Nginx uses port 80 by default.
    • Access Control
      • Inherit ELB Configurations: CCE does not modify the existing access control configurations on the ELB console.
      • Allow all IP addresses: No access control is configured.
      • Trustlist: Only the selected IP address group can access the load balancer.
      • Blocklist: The selected IP address group cannot access the load balancer.

      For clusters v1.25.16-r10, v1.27.16-r10, v1.28.15-r0, v1.29.10-r0, v1.30.6-r0, v1.31.1-r0, or later, when using a dedicated load balancer, you can select a maximum of five IP address groups at a time for access control.

  4. Click OK.
An example YAML file of a Service created using an existing load balancer is as follows:
apiVersion: v1 
kind: Service 
metadata: 
  name: nginx
  annotations:
    kubernetes.io/elb.id: <your_elb_id>                    # Load balancer ID. Replace it with the actual value.
    kubernetes.io/elb.class: performance                   # Load balancer type
    kubernetes.io/elb.acl-id: <your_acl_id>               # ID of an IP address group for accessing a load balancer
    kubernetes.io/elb.acl-status: 'on'                  # Enable access control.
    kubernetes.io/elb.acl-type: 'white'                   # Trustlist for access control
spec:
  selector: 
     app: nginx
  ports: 
  - name: service0 
    port: 80
    protocol: TCP 
    targetPort: 80
  type: LoadBalancer
Table 1 Annotations for ELB access control

Parameter

Type

Description

kubernetes.io/elb.acl-id

String

  • If this parameter is not specified, CCE does not modify access control on the ELB.
  • If this parameter is left empty, all IP addresses are allowed to access the load balancer.
  • If this parameter is set to the IP address group ID of the load balancer, access control is enabled and you need to configure an IP address blocklist or trustlist for the load balancer. Additionally, you need to configure both kubernetes.io/elb.acl-status and kubernetes.io/elb.acl-type.
    NOTE:

    For clusters v1.25.16-r10, v1.27.16-r10, v1.28.15-r0, v1.29.10-r0, v1.30.6-r0, v1.31.1-r0, or later, when using a dedicated load balancer, you can select a maximum of five IP address groups at a time, separated by commas (,).

    How to obtain:

    Log in to the ELB console, choose Elastic Load Balance > IP Address Groups, and copy the ID of the target IP address group. For details, see Creating an IP Address Group.

kubernetes.io/elb.acl-status

String

This parameter is mandatory when you configure an IP address blocklist or trustlist for a load balancer. Options:

  • on or true: Access control is enabled.
  • off or false: Access control is disabled.

kubernetes.io/elb.acl-type

String

This parameter is mandatory when you configure an IP address blocklist or trustlist for a load balancer. Options:

  • black: indicates a blocklist. The selected IP address group cannot access the load balancer.
  • white: indicates a trustlist. Only the selected IP address group can access the load balancer.

Verifying Configuration

  1. Log in to the CCE console and click the cluster name to access the cluster console.
  2. In the navigation pane, choose Services and Ingresses. Locate the row that contains the created Service and click the load balancer name to go to the ELB console.
  3. Switch to the Listeners tab, locate the listener of the created port, and check whether the option is enabled.