aws-load-balancer-controller
No ALPN Policy assigned to AWS Load Balancer
Describe the bug
Creating a new service with a network load balancer creates an AWS Load Balancer with all the options except the ALPN Policy.
Steps to reproduce
Create a new service with the following load balancer options:
```yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-alpn-policy: HTTP2Preferred
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:.....
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
spec:
  externalTrafficPolicy: "Local"
  ports:
    - name: "http-80"
      port: 80
      protocol: TCP
      targetPort: http
    - name: "https-443"
      port: 443
      protocol: TCP
      targetPort: https
  type: LoadBalancer
```
Check the AWS Web Console: EC2 > Load Balancers > [New Load Balancer] > Listeners (tab) > TLS : 443, Security Policy = N/A.
Expected outcome
ALPN policy assigned to the new LoadBalancer.
Environment
- AWS Load Balancer controller version: ?
- Kubernetes version: 1.22.6
- Using EKS (yes/no), if so version? yes, 1.23.3
Additional Context:
The service is created through haproxy-ingress.
What do I need to add in order to assign the ALPN policy?
Since you've specified the service annotation service.beta.kubernetes.io/aws-load-balancer-type: nlb, the NLB gets reconciled by the in-tree controller, which does not support specifying ALPN policies.
If you want this controller to reconcile the NLB, you'd either need to specify the annotation service.beta.kubernetes.io/aws-load-balancer-type: external with the proper target type, or set the service spec.loadBalancerClass to service.k8s.aws/nlb.
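As an added example (not the project's own code), a small pre-apply check that encodes the rule in the reply above: it predicts whether the in-tree cloud provider or the AWS Load Balancer controller will reconcile a Service manifest and flags an ALPN annotation that would be silently dropped. The manifest, the function names and the `fix_for_alpn` helper are my own assumptions; the controller still has to be installed for the `external` route to work.

```python
import copy
from typing import Dict, List

# Annotation keys from the thread; the rules follow the maintainer's explanation above.
LB_TYPE = "service.beta.kubernetes.io/aws-load-balancer-type"
TARGET_TYPE = "service.beta.kubernetes.io/aws-load-balancer-nlb-target-type"
ALPN = "service.beta.kubernetes.io/aws-load-balancer-alpn-policy"
AWS_LBC_CLASS = "service.k8s.aws/nlb"

def annotations(svc: Dict) -> Dict[str, str]:
    return svc.get("metadata", {}).get("annotations", {}) or {}

def reconciler(svc: Dict) -> str:
    """Predict who reconciles the Service: 'aws-lbc', 'in-tree' or 'none'."""
    spec = svc.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        return "none"
    if spec.get("loadBalancerClass") == AWS_LBC_CLASS:
        return "aws-lbc"
    if annotations(svc).get(LB_TYPE) == "external":
        return "aws-lbc"  # the in-tree cloud provider ignores this Service
    return "in-tree"      # "nlb" or no annotation: legacy in-tree controller

def lint(svc: Dict) -> List[str]:
    """Return misconfigurations that would leave the ALPN policy unapplied."""
    findings: List[str] = []
    ann, who = annotations(svc), reconciler(svc)
    if who == "in-tree" and ALPN in ann:
        findings.append(f"{ALPN} is ignored by the in-tree controller; set "
                        f"{LB_TYPE}=external or spec.loadBalancerClass={AWS_LBC_CLASS}")
    if who == "aws-lbc" and ann.get(LB_TYPE) == "external" and TARGET_TYPE not in ann:
        findings.append(f"{LB_TYPE}=external should be paired with {TARGET_TYPE} "
                        "(instance or ip), as the maintainer recommends")
    return findings

def fix_for_alpn(svc: Dict, target_type: str = "instance") -> Dict:
    """Copy of svc on the annotation route (for charts that cannot set loadBalancerClass)."""
    fixed = copy.deepcopy(svc)  # never mutate the caller's manifest
    ann = fixed.setdefault("metadata", {}).setdefault("annotations", {})
    ann[LB_TYPE] = "external"
    ann.setdefault(TARGET_TYPE, target_type)
    return fixed

# Constructed manifest mirroring the report: NLB annotation plus an ALPN policy.
CONSTRUCTED_SVC = {
    "apiVersion": "v1", "kind": "Service",
    "metadata": {"annotations": {ALPN: "HTTP2Preferred", LB_TYPE: "nlb"}},
    "spec": {"type": "LoadBalancer", "ports": [{"port": 443, "protocol": "TCP"}]},
}

if __name__ == "__main__":
    print(reconciler(CONSTRUCTED_SVC), lint(CONSTRUCTED_SVC))
    print(reconciler(fix_for_alpn(CONSTRUCTED_SVC)), lint(fix_for_alpn(CONSTRUCTED_SVC)))
```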
I tried updating to the following:
apiVersion: v1
kind: Service
metadata:
annotations:
service.beta.kubernetes.io/aws-load-balancer-alpn-policy: HTTP2Preferred
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: ssl
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:.....
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
- service.beta.kubernetes.io/aws-load-balancer-type: nlb
+ service.beta.kubernetes.io/aws-load-balancer-type: external
+ service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: 'instance'
spec:
...
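Review bot: changing aws-load-balancer-type to external hands the Service to the AWS Load Balancer controller and the in-tree cloud provider stops reconciling it, so if that controller is not installed nothing creates the NLB and the Service stays Pending, which is exactly what the later replies find; verify with kubectl get deploy -n kube-system aws-load-balancer-controller before applying this change.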
I also tried ip instead of instance (not clear on the difference).
- service.beta.kubernetes.io/aws-load-balancer-type: nlb
+ service.beta.kubernetes.io/aws-load-balancer-type: external
+ service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: 'ip'
spec:
...
Either configuration leaves the LoadBalancer in a pending state and never resolves.
With the helm chart I'm using, I do not have the option to add a spec.loadBalancerClass.
I may just need to remember to always set the ALPN. Thanks for the explanation.
@tleish, with the service.beta.kubernetes.io/aws-load-balancer-type annotation change, I'd recommend deleting the existing service and creating a new service with the desired value.
Since the state is pending, could you verify if aws-load-balancer-controller is installed and running?
```
kubectl get deploy -n kube-system aws-load-balancer-controller
```
I removed the LoadBalancer and re-applied, still the same results. The aws-load-balancer-controller is never deployed (neither with the original NLB configuration nor with the new configuration).
@tleish, you need to install the aws-load-balancer-controller and specify the annotation service.beta.kubernetes.io/aws-load-balancer-type as external on your service for ALPN.
@tleish, I'm closing the issue. If the problem persists, feel free to reach out to us.