How to Configure Advanced Load Balancer Settings in Kubernetes Clusters

The DigitalOcean Cloud Controller supports provisioning DigitalOcean Load Balancers from a cluster’s resource configuration file. You can specify the following advanced settings as annotations in the metadata stanza of your configuration file:

  • Algorithm
  • Sticky sessions
  • Health checks
  • SSL Certificates
  • Forced SSL connections
  • PROXY Protocol

Algorithm

By default, the load balancer splits connections evenly across the backend nodes using the round-robin algorithm. The least connections algorithm routes each new connection to the backend worker node with the fewest open connections.

Use round_robin instead of least_connections to explicitly specify the default setting.
. . .
metadata:
  name: least-connections-snippet
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-algorithm: "least_connections"
. . .
See a full configuration example for least connections.

Sticky Sessions

By default, the load balancer routes each client request to a backend node according to the configured algorithm. When you enable sticky sessions, the load balancer routes a client’s initial request to a worker node and sets a cookie so that the client’s follow-up requests are routed to that same node.

Use none instead of cookies to explicitly specify the default setting.
metadata:
  name: sticky-session-snippet
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-sticky-sessions-type: "cookies"
    service.beta.kubernetes.io/do-loadbalancer-sticky-sessions-cookie-name: "example"
    service.beta.kubernetes.io/do-loadbalancer-sticky-sessions-cookie-ttl: "60"
See a full configuration example for sticky sessions.

Health Checks

By default, the load balancer performs health checks on the worker nodes over HTTP on port 80 at the web server root.

You can change both the protocol and path in the metadata stanza’s annotations section.
metadata:
  name: health-check-snippet
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-protocol: "http"
    service.beta.kubernetes.io/do-loadbalancer-healthcheck-path: "/health"
See full configuration examples for the health check path and health check protocol.
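The snippets in the Algorithm, Sticky Sessions and Health Checks sections above show only the metadata stanza. The following complete Service manifest combines all three settings. It is an added example and not a snippet from the DigitalOcean documentation; the Service name, the app selector, the cookie name and the /health path are made up for illustration, and the pods are assumed to answer an unauthenticated GET /health on port 80.

```yaml
# Added example, not from the DigitalOcean docs. Service name, selector,
# cookie name and health-check path are hypothetical; the pods are assumed
# to serve GET /health on port 80 without authentication.
apiVersion: v1
kind: Service
metadata:
  name: web-least-connections
  annotations:
    # Route each new connection to the node with the fewest open
    # connections (the default is "round_robin").
    service.beta.kubernetes.io/do-loadbalancer-algorithm: "least_connections"

    # Pin a client to the node that served its first request. The load
    # balancer sets a cookie named "lb-session" with a 300 second TTL;
    # the default type is "none".
    service.beta.kubernetes.io/do-loadbalancer-sticky-sessions-type: "cookies"
    service.beta.kubernetes.io/do-loadbalancer-sticky-sessions-cookie-name: "lb-session"
    service.beta.kubernetes.io/do-loadbalancer-sticky-sessions-cookie-ttl: "300"

    # Health checks default to HTTP GET / on port 80. Point them at a
    # dedicated endpoint so that a change to "/" (a redirect, an auth
    # requirement) does not silently take every node out of rotation.
    service.beta.kubernetes.io/do-loadbalancer-protocol: "http"
    service.beta.kubernetes.io/do-loadbalancer-healthcheck-path: "/health"
spec:
  type: LoadBalancer
  selector:
    app: web
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
```

Apply it with kubectl apply -f and watch kubectl get service web-least-connections until an EXTERNAL-IP appears, which means the load balancer has been provisioned. Two points worth checking before relying on this: the health-check path must return a 2xx status without authentication, and because anyone who can reach the load balancer can also request it, it should report liveness only and not expose version strings, configuration or other internal state. The sticky-session cookie only selects a node; it is not a session credential, so application authentication must not depend on it.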

SSL Certificates

You can encrypt traffic to your Kubernetes cluster by using an SSL certificate with the load balancer. You’ll have to create the SSL certificate or upload it first, and once you obtain the ID of the certificate using doctl or the API, you can specify it in the load balancer’s configuration file. The example section below creates a load balancer using an SSL certificate.
---
kind: Service
apiVersion: v1
metadata:
  name: https-with-cert
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-protocol: "http"
    service.beta.kubernetes.io/do-loadbalancer-algorithm: "round_robin"
    service.beta.kubernetes.io/do-loadbalancer-tls-ports: "443"
    service.beta.kubernetes.io/do-loadbalancer-certificate-id: "your-certificate-id"
spec:
  type: LoadBalancer
  selector:
    app: nginx-example
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
    - name: https
      protocol: TCP
      port: 443
      targetPort: 80
. . .

See the full configuration example.

Forced SSL Connections

If you configure at least one HTTP rule and at least one HTTPS rule, you can force the load balancer to redirect all HTTP requests to HTTPS. The example below contains the configuration settings that must be in place for the redirect to work.

. . .
metadata:
  name: https-with-redirect-snippet
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-protocol: "http"
    service.beta.kubernetes.io/do-loadbalancer-algorithm: "round_robin"
    service.beta.kubernetes.io/do-loadbalancer-tls-ports: "443"
    service.beta.kubernetes.io/do-loadbalancer-certificate-id: "your-certificate-id"
    service.beta.kubernetes.io/do-loadbalancer-redirect-http-to-https: "true"
. . .
See the full configuration example for forced SSL connections.

PROXY Protocol

You can use the PROXY Protocol with DigitalOcean Load Balancers. For this to work, the software running on the nodes must be configured to accept the protocol.

Options are true or false. Defaults to false.
---
. . .
metadata:
  name: proxy-protocol
  annotations:
    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
. . .

To enable the DigitalOcean Load Balancers’ new PROXY Protocol feature for an existing cluster, the master node must first be recycled. To recycle the master node, please contact support.
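The Forced SSL Connections and PROXY Protocol sections above each show only the annotation stanza. The following added example, which is not part of the DigitalOcean documentation, combines them into a complete deployment: TLS is terminated at the load balancer, plain HTTP is redirected to HTTPS, and the PROXY protocol is enabled so that the backend learns the original client address instead of seeing only the load balancer’s own connection. The backend is nginx, configured to accept the PROXY header. All resource names are hypothetical, "your-certificate-id" is the page’s placeholder, and 10.0.0.0/8 is a placeholder for the address range the load balancer connects from; the nginx directives (listen ... proxy_protocol, set_real_ip_from, real_ip_header) are standard nginx.

```yaml
# Added example, not from the DigitalOcean docs. All names are hypothetical,
# "your-certificate-id" is a placeholder, and 10.0.0.0/8 stands in for the
# address range the load balancer connects from (replace it with the real one).
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-proxy-protocol-conf
data:
  default.conf: |
    server {
        # The load balancer prepends a PROXY protocol header to every
        # connection it opens to the node; without "proxy_protocol" here
        # nginx would treat that header as a malformed HTTP request.
        listen 80 proxy_protocol;

        # Only honour PROXY headers from the load balancer's addresses.
        # A client that can reach the node port directly could otherwise
        # forge its source address by sending its own PROXY header.
        set_real_ip_from 10.0.0.0/8;
        real_ip_header proxy_protocol;

        # Unauthenticated endpoint for the load balancer health check.
        location = /health {
            return 200 "ok\n";
        }

        # $remote_addr now carries the client address taken from the PROXY
        # header, so access logs and rate limits see real clients.
        location / {
            return 200 "client: $remote_addr\n";
        }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-proxy-protocol
spec:
  replicas: 2
  selector:
    matchLabels:
      app: nginx-proxy-protocol
  template:
    metadata:
      labels:
        app: nginx-proxy-protocol
    spec:
      containers:
        - name: nginx
          image: nginx:1.25
          ports:
            - containerPort: 80
          volumeMounts:
            # Replace the image's default server block with the one above.
            - name: conf
              mountPath: /etc/nginx/conf.d/default.conf
              subPath: default.conf
      volumes:
        - name: conf
          configMap:
            name: nginx-proxy-protocol-conf
---
apiVersion: v1
kind: Service
metadata:
  name: https-redirect-proxy-protocol
  annotations:
    # TLS terminates at the load balancer on port 443 with the uploaded
    # certificate; traffic to the nodes is plain HTTP with a PROXY header.
    service.beta.kubernetes.io/do-loadbalancer-protocol: "http"
    service.beta.kubernetes.io/do-loadbalancer-tls-ports: "443"
    service.beta.kubernetes.io/do-loadbalancer-certificate-id: "your-certificate-id"
    # Requires both the HTTP and the HTTPS rule in spec.ports below.
    service.beta.kubernetes.io/do-loadbalancer-redirect-http-to-https: "true"
    service.beta.kubernetes.io/do-loadbalancer-healthcheck-path: "/health"
    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
spec:
  type: LoadBalancer
  selector:
    app: nginx-proxy-protocol
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 80
    - name: https
      protocol: TCP
      port: 443
      targetPort: 80
```

Roll the backend change out before setting the annotation, not after: nginx with proxy_protocol on its listen directive closes plain HTTP connections with a broken-header error, and nginx without it answers a PROXY-prefixed connection with 400 Bad Request, so a mismatch in either direction shows up as failing health checks and errors for every client. Note also that because the certificate lives on the load balancer, the hop from the load balancer to the node port is plaintext HTTP; the PROXY header restores the client address but does not encrypt that hop.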

References

For more about managing load balancers, see: