The page has been translated by Gen AI.

Using type LoadBalancer Service

Service Configuration Method

You can configure a LoadBalancer type Service by writing and applying a Service manifest file (example: my-lb-svc.yaml).

Caution
  • LoadBalancer is created in the cluster Subnet by default.
  • To create a LoadBalancer in a different Subnet, use the annotation service.beta.kubernetes.io/scp-load-balancer-subnet-id. For details, refer to Annotation Detailed Settings.

Follow these steps to write and apply a type LoadBalancer Service.

  1. Write a Service manifest file my-lb-svc.yaml.

    apiVersion: v1
    kind: Service
    metadata:
      name: my-service
    spec:
      selector:
        app.kubernetes.io/name: MyApp
      ports:
        - protocol: TCP
          port: 80
          targetPort: 9376
          appProtocol: tcp # Refer to LB service protocol type setting section
      type: LoadBalancer
    Code block. Service manifest file my-lb-svc.yaml writing example

  2. Deploy the Service manifest using the kubectl apply command.

    kubectl apply -f my-lb-svc.yaml
    Code block. Deploying Service manifest with kubectl apply command

Caution
  • When a type LoadBalancer Service is created, a corresponding Load Balancer service is automatically created. It may take a few minutes for the configuration to complete.
  • Do not arbitrarily modify the automatically created Load Balancer service and LB server group. Changes may be reverted or unexpected behavior may occur.
  • For detailed configurable features, refer to Annotation Detailed Settings.

  3. Check the Load Balancer configuration using the kubectl get service command.

    # kubectl get service my-lb-svc
    NAMESPACE     NAME         TYPE           CLUSTER-IP       EXTERNAL-IP       PORT(S)         AGE
    default       my-lb-svc    LoadBalancer   172.20.49.206    123.123.123.123   80:32068/TCP    3m
    Code block. Checking Load Balancer configuration with kubectl get service command

Protocol Type

You specify the protocol type in the Service manifest. The following is a simple example.

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    ...
  ports:
    - port: 80
      targetPort: 9376
      protocol: TCP    # Required (choose one of TCP, UDP)
      appProtocol: tcp # Optional (leave blank or choose one of tcp, http, https)
  type: LoadBalancer   # Type load balancer
Code block. Service manifest writing example

The list of protocols (protocol and appProtocol) supported by Kubernetes Engine’s type Load Balancer Service and the settings applied to the Load Balancer service accordingly are as follows.

| Category | (k8s) protocol | (k8s) appProtocol | (LB) Service Category | (LB) LB Listener | (LB) LB Server Group | (LB) Health Check |
|---|---|---|---|---|---|---|
| L4 TCP | TCP | (tcp) | L4 | TCP {port} | TCP {nodePort} | TCP {nodePort} |
| L4 UDP | UDP | - | L4 | UDP {port} | UDP {nodePort} | TCP {nodePort} |
| L7 HTTP | TCP | http | L7 | HTTP {port} | TCP {nodePort} | TCP/HTTP {nodePort} |
| L7 HTTPS | TCP | https | L7 | HTTPS {port} | TCP {nodePort} | TCP/HTTP {nodePort} |

Table. k8s Service manifest and Load Balancer service application settings

  • According to the k8s Service manifest spec, you can specify multiple ports for a single Service.

Caution

You cannot mix protocol layers of different Load Balancer service categories (L4, L7) within a single Service.

  • That is, L4(TCP, UDP) and L7(HTTP, HTTPS) cannot be used together in a single Service.

L4 Service Manifest Writing Example

apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector:
    app.kubernetes.io/name: MyApp
  ports:
    - protocol: TCP
      port: 80
      targetPort: 9376
  type: LoadBalancer
Code block. L4 Service manifest writing example

L7 Service Manifest Writing Example

apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/scp-load-balancer-layer-type: "L7" # Required
    service.beta.kubernetes.io/scp-load-balancer-client-cert-id: "24da35de187b450eb0cf09fb6fa146de" # Required
  name: my-service
spec:
  selector:
    app.kubernetes.io/name: MyApp
  ports:
    - appProtocol: http # Required
      protocol: TCP
      port: 80
      targetPort: 9376
    - appProtocol: https # Required
      protocol: TCP
      port: 443
      targetPort: 9898
  type: LoadBalancer
Code block. L7 Service manifest writing example

Annotation Detailed Settings

You can set detailed features by adding annotations to the service manifest.

apiVersion: v1
kind: Service
metadata:
  name: my-lb-svc
  annotations:
    service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled: "true"
    service.beta.kubernetes.io/scp-load-balancer-health-check-interval: "5"
    service.beta.kubernetes.io/scp-load-balancer-health-check-timeout: "5"
    service.beta.kubernetes.io/scp-load-balancer-health-check-count: "3"
    service.beta.kubernetes.io/scp-load-balancer-session-duration-time: "300"
spec:
  type: LoadBalancer
  ...
Code block. Example of adding annotations to service manifest

Note
  • If no separate annotation is added to the Service, the annotation's default value is applied.
  • If an annotation added to the Service has a value outside its allowed values, the annotation's default value is applied instead.

Below is a description of all annotations available for type LoadBalancer service.

| Annotation | Protocol | Default Value | Allowed Value | Example | Description |
|---|---|---|---|---|---|
| service.beta.kubernetes.io/scp-load-balancer-source-ranges-firewall-rules | All | false | true, false | false | Automatically add firewall rules (LB source ranges → LB service IP) |
| service.beta.kubernetes.io/scp-load-balancer-snat-healthcheck-firewall-rules | All | false | true, false | false | Automatically add firewall rules (LB Source NAT IP, HealthCheck IP → member IP:Port)<br>• When this annotation is used, as many firewall rules are added as there are ports in the type LB Service, so a very large number of firewall rules may be added.<br>• If that many firewall rules is a burden, you can instead add firewall rules manually without using this annotation. For example, you can add firewall rules with the destination as the member IP’s NodePort range (30000-32767). |

Table. Firewall-related settings in Kubernetes annotations

| Annotation | Protocol | Default Value | Allowed Value | Example | Description |
|---|---|---|---|---|---|
| service.beta.kubernetes.io/scp-load-balancer-security-group-id | All | - | UUID | 92d84b44-ee71-493d-9782-3a90481ce5f3 | Automatically add rules to the Security Group corresponding to the specified ID<br>• When this annotation is used, as many rules are added to the Security Group as there are ports in the type LB Service, so a very large number of Security Group rules may be added.<br>• If that many Security Group rules is a burden, you can instead add Security Group rules manually without using this annotation. For example, you can add Security Group rules with the destination address as the Load Balancer’s Source NAT IP and health check IP, and the allowed port as the NodePort range (30000-32767).<br>• Security Group rules added by this annotation are not automatically deleted even if this annotation is deleted or changed.<br>• Multiple IDs can be specified, separated by commas (example: ddc25ad8-6d3f-4242-8c86-2a059212ddc6,26ab7fe1-b3ea-4aa9-9e9d-35a7c237904e).<br>• This annotation can be used together with the service.beta.kubernetes.io/scp-load-balancer-security-group-name annotation, and rules are automatically added to all Security Groups that meet the conditions. |
| service.beta.kubernetes.io/scp-load-balancer-security-group-name | All | - | String | security-group-1 | Automatically add rules to the Security Group corresponding to the specified Name<br>• When this annotation is used, as many rules are added to the Security Group as there are ports in the type LB Service, so a very large number of Security Group rules may be added.<br>• If that many Security Group rules is a burden, you can instead add Security Group rules manually without using this annotation. For example, you can add Security Group rules with the destination address as the Load Balancer’s Source NAT IP and health check IP, and the allowed port as the NodePort range (30000-32767).<br>• Security Group rules added by this annotation are not automatically deleted even if this annotation is deleted or changed.<br>• Multiple names can be specified, separated by commas (example: security-group-1,security-group-2).<br>• This annotation can be used together with the service.beta.kubernetes.io/scp-load-balancer-security-group-id annotation, and rules are automatically added to all Security Groups that meet the conditions. |

Table. Security Group-related settings in Kubernetes annotations

| Annotation | Protocol | Default Value | Allowed Value | Example | Description |
|---|---|---|---|---|---|
| service.beta.kubernetes.io/scp-load-balancer-layer-type | All | L4 | L4, L7 | L4 | Specify the Load Balancer service category<br>• To use TCP or UDP, specify L4; to use HTTP or HTTPS, specify L7.<br>• Cannot be changed after initial creation. To change, you must recreate the service. |
| service.beta.kubernetes.io/scp-load-balancer-subnet-id | All | - | ID | 7f05eda5e1cf4a45971227c57a6d60fa | Specify the Load Balancer Service Subnet<br>• If this annotation is not specified, the cluster’s Subnet is used.<br>• Cannot be changed after initial creation. To change, you must recreate the service. |
| service.beta.kubernetes.io/scp-load-balancer-service-ip | All | - | IP Address | 192.168.10.7 | Specify the Load Balancer Service IP<br>• Cannot be changed after initial creation. To change, you must recreate the service. |
| service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled | All | false | true, false | false | Specify whether to use Load Balancer Public NAT IP<br>• If this annotation is set to true and service.beta.kubernetes.io/scp-load-balancer-public-ip-id is not specified, an IP is automatically assigned.<br>• If this annotation is set to true and service.beta.kubernetes.io/scp-load-balancer-public-ip-id is specified, the Public IP corresponding to the specified ID is applied. |
| service.beta.kubernetes.io/scp-load-balancer-public-ip-id | All | - | ID | 4119894bd9614cef83db6f8dda667a20 | Specify the ID of the Public IP to use as the Load Balancer Public NAT IP<br>• If service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled is not set to true, this annotation is ignored.<br>• If service.beta.kubernetes.io/scp-load-balancer-public-ip-enabled is set to true and this annotation is specified, the Public IP corresponding to the specified ID is applied. |

Table. Load Balancer-related settings in Kubernetes annotations

| Annotation | Protocol | Default Value | Allowed Value | Example | Description |
|---|---|---|---|---|---|
| service.beta.kubernetes.io/scp-load-balancer-idle-timeout | HTTP, HTTPS | - | 60 - 3600 (in 60-second units) | 600 | Specify the LB Listener’s idle-timeout (seconds)<br>• If the annotation is not set or is not an allowed value (e.g., "", "0"), the default value (not used) is applied.<br>• Cannot be changed from used to not used. To change, you must recreate the service.<br>• Cannot be set simultaneously with service.beta.kubernetes.io/scp-load-balancer-session-duration-time.<br>• Cannot be set simultaneously with service.beta.kubernetes.io/scp-load-balancer-response-timeout. |
| service.beta.kubernetes.io/scp-load-balancer-session-duration-time | All | L4: 120<br>L7: - | L4 TCP: 60 - 3600 (in 60-second units)<br>L4 UDP: 60 - 180 (in 60-second units)<br>L7: 0 - 120 | 120 | Specify the LB Listener’s session-duration-time (seconds)<br>• L4: If the annotation is not set or is not an allowed value, the default value ("120") is applied. (On L4 this setting cannot be left unused.)<br>• L7: If the annotation is not set or is not an allowed value (e.g., "", "0"), the default value (not used) is applied.<br>• Cannot be changed from used to not used. To change, you must recreate the service.<br>• Cannot be set simultaneously with service.beta.kubernetes.io/scp-load-balancer-idle-timeout. |
| service.beta.kubernetes.io/scp-load-balancer-response-timeout | HTTP, HTTPS | - | 0 - 120 | 60 | Specify the LB Listener’s response-timeout (seconds)<br>• If the annotation is not set or is not an allowed value (e.g., "", "0"), the default value (not used) is applied.<br>• Cannot be changed from used to not used. To change, you must recreate the service.<br>• Cannot be set simultaneously with service.beta.kubernetes.io/scp-load-balancer-idle-timeout. |
| service.beta.kubernetes.io/scp-load-balancer-insert-client-ip | TCP | false | true, false | false | Specify the LB Listener’s Insert Client IP |
| service.beta.kubernetes.io/scp-load-balancer-x-forwarded-proto | HTTP, HTTPS | false | true, false | false | Specify whether to use the LB Listener’s X-Forwarded-Proto header |
| service.beta.kubernetes.io/scp-load-balancer-x-forwarded-port | HTTP, HTTPS | false | true, false | false | Specify whether to use the LB Listener’s X-Forwarded-Port header |
| service.beta.kubernetes.io/scp-load-balancer-x-forwarded-for | HTTP, HTTPS | false | true, false | false | Specify whether to use the LB Listener’s X-Forwarded-For header |
| service.beta.kubernetes.io/scp-load-balancer-support-http2 | HTTP, HTTPS | false | true, false | false | Specify whether to support HTTP 2.0 for LB Listener |
| service.beta.kubernetes.io/scp-load-balancer-persistence | TCP, HTTP, HTTPS | "" | "", source-ip, cookie | source-ip | Specify the LB Listener’s persistence (one of none, source IP, cookie)<br>• For UDP, this annotation cannot be used.<br>• For TCP, you can specify "" or source-ip.<br>• For HTTP/HTTPS, you can specify one of "", source-ip, cookie. |
| service.beta.kubernetes.io/scp-load-balancer-client-cert-id | HTTPS | - | UUID | 78b9105e00324715b63700933125fa83 | Specify the ID of the LB Listener’s client SSL certificate<br>• Required field when specifying HTTPS. |
| service.beta.kubernetes.io/scp-load-balancer-client-cert-level | HTTPS | HIGH | HIGH, NORMAL, LOW | HIGH | Specify the security level of the LB Listener’s client SSL certificate |
| service.beta.kubernetes.io/scp-load-balancer-server-cert-level | HTTPS | - | HIGH, NORMAL, LOW | HIGH | Specify the security level of the LB Listener’s server SSL certificate |

Table. LB Listener-related settings in Kubernetes annotations

| Annotation | Protocol | Default Value | Allowed Value | Example | Description |
|---|---|---|---|---|---|
| service.beta.kubernetes.io/scp-load-balancer-lb-method | All | ROUND_ROBIN | ROUND_ROBIN, LEAST_CONNECTION, IP_HASH | ROUND_ROBIN | Specify the LB server group load balancing policy |

Table. LB server group-related settings in Kubernetes annotations

| Annotation | Protocol | Default Value | Allowed Value | Example | Description |
|---|---|---|---|---|---|
| service.beta.kubernetes.io/scp-load-balancer-health-check-enabled | All | true | true, false | true | Specify whether to use LB health check |
| service.beta.kubernetes.io/scp-load-balancer-health-check-protocol | All | TCP | TCP, HTTP | TCP | Specify the LB health check protocol |
| service.beta.kubernetes.io/scp-load-balancer-health-check-port | All | {nodeport} | 1 - 65534 | 30000 | Specify the LB health check port<br>• Set to {nodeport} by default, so generally you don’t need to specify it. |
| service.beta.kubernetes.io/scp-load-balancer-health-check-count | All | 3 | 1 - 10 | 3 | Specify the LB health check detection count |
| service.beta.kubernetes.io/scp-load-balancer-health-check-interval | All | 5 | 1 - 180 | 5 | Specify the LB health check interval |
| service.beta.kubernetes.io/scp-load-balancer-health-check-timeout | All | 5 | 1 - 180 | 5 | Specify the LB health check timeout |
| service.beta.kubernetes.io/scp-load-balancer-health-check-http-method | HTTP | GET | GET, POST | GET | Specify the LB health check HTTP method |
| service.beta.kubernetes.io/scp-load-balancer-health-check-url | HTTP | / | String | /healthz | Specify the LB health check URL |
| service.beta.kubernetes.io/scp-load-balancer-health-check-response-code | HTTP | 200 | 200 - 500 | 200 | Specify the LB health check response code |
| service.beta.kubernetes.io/scp-load-balancer-health-check-request-data | HTTP | - | String | username=admin&password=1234 | Specify the LB health check request string<br>• Required field when specifying POST method. |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-enabled | All | true | true, false | true | Specify whether to use LB health check for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-protocol | All | TCP | TCP, HTTP | TCP | Specify the LB health check protocol for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-port | All | - | 1 - 65534 | 30000 | Specify the LB health check port for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-count | All | 3 | 1 - 10 | 3 | Specify the LB health check detection count for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-interval | All | 5 | 1 - 180 | 5 | Specify the LB health check interval for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-timeout | All | 5 | 1 - 180 | 5 | Specify the LB health check timeout for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-http-method | HTTP | GET | GET, POST | GET | Specify the LB health check HTTP method for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-url | HTTP | / | String | /healthz | Specify the LB health check URL for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-response-code | HTTP | 200 | 200 - 500 | 200 | Specify the LB health check response code for the Service’s {port} port number |
| service.beta.kubernetes.io/scp-load-balancer-port-{port}-health-check-request-data | HTTP | - | String | username=admin&password=1234 | Specify the LB health check request string for the Service’s {port} port number<br>• Required field when specifying POST method. |

Table. LB health check-related settings in Kubernetes annotations

Constraints

The following are constraints to consider when using Kubernetes annotations.

| Constraint | Related Annotation |
|---|---|
| Rules created in existing Security Group are not automatically deleted when changing Security Group | service.beta.kubernetes.io/scp-load-balancer-security-group-id<br>service.beta.kubernetes.io/scp-load-balancer-security-group-name |
| Cannot change Load Balancer service category (L4/L7) | service.beta.kubernetes.io/scp-load-balancer-layer-type |
| Cannot use L4 and L7 together in the same k8s Service | service.beta.kubernetes.io/scp-load-balancer-layer-type |
| Cannot change Load Balancer subnet | service.beta.kubernetes.io/scp-load-balancer-subnet-id |
| Cannot change Load Balancer Service IP | service.beta.kubernetes.io/scp-load-balancer-service-ip |
| LB Listener idle-timeout cannot be changed from used to not used | service.beta.kubernetes.io/scp-load-balancer-idle-timeout |
| LB Listener session-duration-time cannot be changed from used to not used | service.beta.kubernetes.io/scp-load-balancer-session-duration-time |
| LB Listener response-timeout cannot be changed from used to not used | service.beta.kubernetes.io/scp-load-balancer-response-timeout |
| LB Listener idle-timeout cannot be set simultaneously with session-duration-time or response-timeout | service.beta.kubernetes.io/scp-load-balancer-idle-timeout<br>service.beta.kubernetes.io/scp-load-balancer-session-duration-time<br>service.beta.kubernetes.io/scp-load-balancer-response-timeout |
| Cannot use TCP and UDP together with the same port number in the same k8s Service | - |
| L7 Listener’s routing rules only support the default URL path of the LB server group delivery method<br>• To add other URL paths, add them directly in the Samsung Cloud Platform console<br>• URL redirection is not supported | - |

Table. Constraints when using Kubernetes annotations
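
A pre-apply check for the allowed values and constraints listed above, as an added example that is not part of the original documentation or the platform's tooling. Because a value outside the allowed set is replaced by the default rather than rejected, the function reports such values together with the L4/L7, HTTPS certificate, timeout and TCP/UDP port constraints. The names lint_service, ENUMS, RANGES and SAMPLE are assumptions made for illustration, the sample manifest is constructed, and only a subset of the annotations is covered.

```python
# Added example: pre-apply lint for a type LoadBalancer Service manifest.
# Rules come from the tables on this page; lint_service is a hypothetical name.
PREFIX = "service.beta.kubernetes.io/scp-load-balancer-"
# Allowed values for a subset of the annotations (from the tables on this page).
ENUMS = {"layer-type": {"L4", "L7"}, "public-ip-enabled": {"true", "false"},
         "lb-method": {"ROUND_ROBIN", "LEAST_CONNECTION", "IP_HASH"}}
RANGES = {"health-check-count": (1, 10), "health-check-interval": (1, 180),
          "health-check-timeout": (1, 180)}  # inclusive integer ranges


def lint_service(manifest):
    """Return findings for a parsed Service manifest (dict from a YAML loader)."""
    findings = []
    raw = (manifest.get("metadata") or {}).get("annotations") or {}
    ann = {k[len(PREFIX):]: str(v) for k, v in raw.items() if k.startswith(PREFIX)}
    ports = (manifest.get("spec") or {}).get("ports") or []
    # A value outside the allowed set is not rejected; the default replaces it.
    for key, value in ann.items():
        if key in ENUMS and value not in ENUMS[key]:
            findings.append(f"{key}: {value!r} not allowed, default applies")
        if key in RANGES:
            lo, hi = RANGES[key]
            if not (value.isdigit() and lo <= int(value) <= hi):
                findings.append(f"{key}: {value!r} outside {lo}-{hi}, default applies")

    # L4 (TCP, UDP) and L7 (http, https) cannot share one Service.
    app = [(p.get("appProtocol") or "").lower() for p in ports]
    is_l7 = [a in ("http", "https") for a in app]
    if any(is_l7) and not all(is_l7):
        findings.append("ports mix L4 and L7 protocols")
    if any(is_l7) and ann.get("layer-type") != "L7":
        findings.append("http/https ports without layer-type L7")
    if "https" in app and not ann.get("client-cert-id"):
        findings.append("https port without client-cert-id")

    # idle-timeout excludes session-duration-time and response-timeout.
    if "idle-timeout" in ann and {"session-duration-time", "response-timeout"} & ann.keys():
        findings.append("idle-timeout set together with an excluded timeout")

    # The same port number cannot be used for both TCP and UDP.
    protos = {}
    for p in ports:
        protos.setdefault(p.get("port"), set()).add(p.get("protocol", "TCP"))
    findings += [f"port {n} uses both TCP and UDP" for n, s in protos.items() if len(s) > 1]
    return findings


# Constructed sample with deliberate mistakes (not from the page).
SAMPLE = {
    "metadata": {"name": "my-lb-svc", "annotations": {
        PREFIX + "public-ip-enabled": "yes",         # not one of true, false
        PREFIX + "health-check-interval": "300",     # above 180
        PREFIX + "idle-timeout": "600",
        PREFIX + "response-timeout": "60",           # excluded by idle-timeout
    }},
    "spec": {"type": "LoadBalancer", "ports": [
        {"protocol": "TCP", "port": 80, "targetPort": 9376},
        {"protocol": "TCP", "port": 443, "targetPort": 9898, "appProtocol": "https"},
    ]},
}

if __name__ == "__main__":
    for finding in lint_service(SAMPLE):
        print("FINDING:", finding)
```

The function takes the dictionary produced by any YAML loader, so it can run in CI before kubectl apply.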