How to Configure Advanced Load Balancer Settings in Kubernetes Clusters

The DigitalOcean Cloud Controller supports provisioning DigitalOcean Load Balancers in a cluster’s resource configuration file.

In the DigitalOcean Control Panel, cluster resources (worker nodes, load balancers, and block storage volumes) are listed outside of the Kubernetes page. If you rename or otherwise modify these resources in the control panel, you may render them unusable to the cluster or cause the reconciler to provision replacement resources. To avoid this, manage your cluster resources exclusively with kubectl or from the control panel’s Kubernetes page.

You can specify the following advanced settings in the metadata stanza of your configuration file under annotations:

  • Algorithm
  • Sticky sessions
  • Health checks
  • SSL Certificates
  • Forced SSL connections
  • PROXY Protocol

Algorithm

By default, the load balancer distributes connections evenly across the backend nodes using the round-robin algorithm. The least connections algorithm instead routes each new connection to the backend worker node with the fewest open connections.

Use round_robin instead of least_connections to explicitly specify the default setting.

. . .
metadata:
  name: least-connections-snippet
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-algorithm: "least_connections"
. . .


See a full configuration example for least connections.

Sticky Sessions

By default, the load balancer routes each client request to the backend following the configured algorithm. When you enable sticky sessions, the load balancer will route a client’s initial request to a worker node and use a cookie to route its follow-up requests to that same node.

  • Sticky sessions will route consistently to the same nodes, not pods, so you should avoid having more than one pod per node serving requests.
  • Sticky sessions require your Service to configure externalTrafficPolicy: Local to avoid NAT confusion on the way in.

Use none instead of cookies to explicitly specify the default setting.

. . .
metadata:
  name: sticky-session-snippet
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-protocol: "http"
    service.beta.kubernetes.io/do-loadbalancer-sticky-sessions-type: "cookies"
    service.beta.kubernetes.io/do-loadbalancer-sticky-sessions-cookie-name: "example"
    service.beta.kubernetes.io/do-loadbalancer-sticky-sessions-cookie-ttl: "60"
. . .


See a full configuration example for sticky sessions.

Health Checks

By default, the load balancer performs health checks on the worker nodes over HTTP on port 80 at the webserver root.

You can change both the protocol and path in the metadata stanza’s annotations section.

. . .
metadata:
  name: health-check-snippet
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-healthcheck-protocol: "http"
    service.beta.kubernetes.io/do-loadbalancer-healthcheck-path: "/health"
. . .


See full configuration examples for the health check path and health check protocol.

SSL Certificates

You can encrypt traffic to your Kubernetes cluster by using an SSL certificate with the load balancer. You’ll have to create the SSL certificate or upload it first, and once you obtain the ID of the certificate using doctl or the API, you can specify it in the load balancer’s configuration file. The example section below creates a load balancer using an SSL certificate.

kind: Service
apiVersion: v1
metadata:
  name: https-with-cert
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-protocol: "http"
    service.beta.kubernetes.io/do-loadbalancer-algorithm: "round_robin"
    service.beta.kubernetes.io/do-loadbalancer-tls-ports: "443"
    service.beta.kubernetes.io/do-loadbalancer-certificate-id: "your-certificate-id"
spec:
  type: LoadBalancer
  selector:
    app: nginx-example
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
    - name: https
      protocol: TCP
      port: 443
      targetPort: 80
. . .


See the full configuration example.

Forced SSL Connections

If you configure at least one HTTP and one HTTPS rule, you can force the load balancer to redirect all HTTP requests to HTTPS. The example below contains the configuration settings that must be true for the redirect to work.

. . .
metadata:
  name: https-with-redirect-snippet
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-protocol: "http"
    service.beta.kubernetes.io/do-loadbalancer-algorithm: "round_robin"
    service.beta.kubernetes.io/do-loadbalancer-tls-ports: "443"
    service.beta.kubernetes.io/do-loadbalancer-certificate-id: "your-certificate-id"
    service.beta.kubernetes.io/do-loadbalancer-redirect-http-to-https: "true"
. . .


See the full configuration example for forced SSL connections.

PROXY Protocol

You can use the PROXY Protocol with DigitalOcean Load Balancers. The software running on the nodes must be properly configured to accept the protocol for this to work.

Options are true or false. Defaults to false.

. . .
metadata:
  name: proxy-protocol
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
. . .
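As an added example (not DigitalOcean's code), the following linter checks a LoadBalancer Service manifest, supplied as the dict that yaml.safe_load would produce, for the annotation combinations this page describes: TLS ports without a certificate ID, a forced-SSL redirect without both an HTTP and an HTTPS port, and cookie sticky sessions without externalTrafficPolicy: Local. The sample manifests and the finding strings are constructed for the example.

```python
import copy

PREFIX = "service.beta.kubernetes.io/do-loadbalancer-"


def lint_lb_service(svc: dict) -> list[str]:
    """Return findings for a Service manifest; an empty list means it is consistent."""
    ann = svc.get("metadata", {}).get("annotations") or {}
    spec = svc.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        return []  # the do-loadbalancer-* annotations only apply to LoadBalancer Services
    def get(key): return ann.get(PREFIX + key)
    findings = []
    declared = {p["port"] for p in spec.get("ports", [])}
    tls = {int(p) for p in (get("tls-ports") or "").split(",") if p.strip()}
    # SSL certificates: a TLS port is useless without a certificate to terminate it
    if tls and not get("certificate-id"):
        findings.append("tls-ports set without certificate-id")
    if tls - declared:
        findings.append(f"tls-ports {sorted(tls - declared)} are not in spec.ports")
    # Forced SSL: the redirect needs at least one HTTP and one HTTPS rule
    if get("redirect-http-to-https") == "true" and not (tls and declared - tls):
        findings.append("redirect-http-to-https needs both an HTTP and an HTTPS port")
    # Sticky sessions: cookies require externalTrafficPolicy: Local and a cookie name
    if get("sticky-sessions-type") == "cookies":
        if spec.get("externalTrafficPolicy") != "Local":
            findings.append("sticky sessions require externalTrafficPolicy: Local")
        if not get("sticky-sessions-cookie-name"):
            findings.append("sticky sessions enabled without a cookie name")
    return findings


# Constructed sample (not from the page): the forced-SSL snippet with sticky sessions
# added, but with the HTTP port left out and externalTrafficPolicy not set.
BROKEN = {
    "metadata": {"name": "https-with-redirect-snippet", "annotations": {
        PREFIX + "protocol": "http", PREFIX + "algorithm": "round_robin",
        PREFIX + "tls-ports": "443", PREFIX + "certificate-id": "your-certificate-id",
        PREFIX + "redirect-http-to-https": "true",
        PREFIX + "sticky-sessions-type": "cookies",
        PREFIX + "sticky-sessions-cookie-name": "example"}},
    "spec": {"type": "LoadBalancer", "selector": {"app": "nginx-example"},
             "ports": [{"name": "https", "protocol": "TCP", "port": 443, "targetPort": 80}]},
}

# The same manifest with the two problems corrected.
FIXED = copy.deepcopy(BROKEN)
FIXED["spec"]["externalTrafficPolicy"] = "Local"
FIXED["spec"]["ports"].insert(0, {"name": "http", "protocol": "TCP", "port": 80, "targetPort": 80})
```

Running lint_lb_service(BROKEN) reports the missing HTTP port and the missing externalTrafficPolicy: Local; lint_lb_service(FIXED) returns an empty list.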



For more about managing load balancers, see: