You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/deploy/configurations.md
+15-15Lines changed: 15 additions & 15 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -170,18 +170,18 @@ If running on EC2, the default values are obtained from the instance metadata se
170
170
### Feature Gates
171
171
There are a set of key=value pairs that describe AWS load balancer controller features. You can use it as flags `--feature-gates=key1=value1,key2=value2`
172
172
173
-
|Features-gate Supported Key | Type | Default Value | Description |
| ListenerRulesTagging | string | true | Enable or disable tagging AWS load balancer listeners and rules |
176
-
| WeightedTargetGroups | string | true | Enable or disable weighted target groups |
177
-
| ServiceTypeLoadBalancerOnly | string | false | If enabled, controller will be limited to reconciling service of type `LoadBalancer` |
178
-
| EndpointsFailOpen | string | true | Enable or disable allowing endpoints with `ready:unknown` state in the target groups. |
179
-
| EnableServiceController | string | true | Toggles support for `Service` type resources. |
180
-
| EnableIPTargetType | string | true | Used to toggle support for target-type `ip` across `Ingress` and `Service` type resources. |
181
-
| EnableRGTAPI | string | false | If enabled, the tagging manager will describe resource tags via RGT APIs, otherwise via ELB APIs. In order to enable RGT API, `tag:GetResources` is needed in controller IAM policy. |
182
-
| SubnetsClusterTagCheck | string | true | Enable or disable the check for `kubernetes.io/cluster/${cluster-name}` during subnet auto-discovery |
183
-
| NLBHealthCheckAdvancedConfiguration | string | true | Enable or disable advanced health check configuration for NLB, for example health check timeout |
184
-
| ALBSingleSubnet | string | false | If enabled, controller will allow using only 1 subnet for provisioning ALB, which need to get whitelisted by ELB in advance |
185
-
| NLBSecurityGroup | string | true | Enable or disable all NLB security groups actions including frontend sg creation, backend sg creation, and backend sg modifications |
186
-
| LBCapacityReservation | string | true | Enable or disable the capacity reservation feature on ALB and NLB |
187
-
| EnableTCPUDPListenerType | string | false | Enable or disable creation of TCP_UDP type listeners. This value can be overriden at the Service level by the annotation `service.beta.kubernetes.io/aws-load-balancer-enable-tcp-udp-listener` |
173
+
|Features-gate Supported Key | Type | Default Value | Description |
| ListenerRulesTagging | string | true | Enable or disable tagging AWS load balancer listeners and rules |
176
+
| WeightedTargetGroups | string | true | Enable or disable weighted target groups |
177
+
| ServiceTypeLoadBalancerOnly | string | false | If enabled, controller will be limited to reconciling service of type `LoadBalancer` |
178
+
| EndpointsFailOpen | string | true | Enable or disable allowing endpoints with `ready:unknown` state in the target groups. |
179
+
| EnableServiceController | string | true | Toggles support for `Service` type resources. |
180
+
| EnableIPTargetType | string | true | Used to toggle support for target-type `ip` across `Ingress` and `Service` type resources. |
181
+
| EnableRGTAPI | string | false | If enabled, the tagging manager will describe resource tags via RGT APIs, otherwise via ELB APIs. In order to enable RGT API, `tag:GetResources` is needed in controller IAM policy. |
182
+
| SubnetsClusterTagCheck | string | true | Enable or disable the check for `kubernetes.io/cluster/${cluster-name}` during subnet auto-discovery |
183
+
| NLBHealthCheckAdvancedConfiguration | string | true | Enable or disable advanced health check configuration for NLB, for example health check timeout |
184
+
| ALBSingleSubnet | string | false | If enabled, controller will allow using only 1 subnet for provisioning ALB, which need to get whitelisted by ELB in advance |
185
+
| NLBSecurityGroup | string | true | Enable or disable all NLB security groups actions including frontend sg creation, backend sg creation, and backend sg modifications. This same behavior is able to be applied to an individual service by using the annotation `aws-load-balancer-disable-nlb-sg` |
186
+
| LBCapacityReservation | string | true | Enable or disable the capacity reservation feature on ALB and NLB |
187
+
| EnableTCPUDPListenerType | string | false | Enable or disable creation of TCP_UDP type listeners. This value can be overriden at the Service level by the annotation `service.beta.kubernetes.io/aws-load-balancer-enable-tcp-udp-listener` |
|[service.beta.kubernetes.io/aws-load-balancer-enable-icmp-for-path-mtu-discovery](#icmp-path-mtu-discovery)| string || If specified, a security group rule is added to the managed security group to allow explicit ICMP traffic for [Path MTU discovery](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/network_mtu.html#path_mtu_discovery) for IPv4 and dual-stack VPCs. Creates a rule for each source range if `service.beta.kubernetes.io/load-balancer-source-ranges` is present. |
67
67
|[service.beta.kubernetes.io/aws-load-balancer-enable-tcp-udp-listener](#tcp-udp-listener)| boolean | false | If specified, the controller will attempt to try TCP_UDP Listeners when the service defines a TCP and UDP port on the same port number. |
68
+
|[service.beta.kubernetes.io/aws-load-balancer-disable-nlb-sg](#nlb-sg-disable)| boolean | false | If specified, the controller will not create or manage Security Groups for the service. |
68
69
69
70
## Traffic Routing
70
71
Traffic Routing can be controlled with following annotations:
@@ -332,17 +333,26 @@ for proxy protocol v2 configuration.
- <aname="tcp-udp-listener">`service.beta.kubernetes.io/aws-load-balancer-enable-tcp-udp-listener`</a> allows creation of [TCP_UDP](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-listeners.html#listener-configuration) listener type when the service defines a TCP and UDP port on the same port number.
336
+
- <aname="tcp-udp-listener">`service.beta.kubernetes.io/aws-load-balancer-enable-tcp-udp-listener`</a> allows creation of [TCP_UDP](https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-listeners.html#listener-configuration) listener type when the service defines a TCP and UDP port on the same port number.
336
337
337
-
!!!note ""
338
-
- To change the default from false to true, use the controller flag `--feature-gates=EnableTCPUDPListener=true` to allow creation of TCP_UDP listeners for all services.
339
-
!!!example
340
-
- Allow for the creation of TCP_UDP listeners for a service.
- To change the default from false to true, use the controller flag `--feature-gates=EnableTCPUDPListener=true` to allow creation of TCP_UDP listeners for all services.
340
+
341
+
!!!example
342
+
- Allow for the creation of TCP_UDP listeners for a service.
- <a name="nlb-sg-disable">`service.beta.kubernetes.io/aws-load-balancer-disable-nlb-sg`</a> disables creation and management of SGs for the NLB. Note: This value shouldn't be changed after initial service creation. Once an NLB has been created, SGs can not be removed likewise, SGs can not be added to an existing NLB without an SG attached.
345
348
349
+
!!!warning ""
350
+
- This is a fine-grained way of setting the controller level feature flag `--feature-gates=NLBSecurityGroup=false` to disable SG management for a specific service.
- <a name="deprecated-attributes"></a>the following annotations are deprecated in v2.3.0 release in favor of [service.beta.kubernetes.io/aws-load-balancer-attributes](#load-balancer-attributes)
0 commit comments