1 change: 1 addition & 0 deletions docs/modules/ROOT/nav.adoc
Expand Up @@ -6,6 +6,7 @@
**** xref:network/try-cluster-mesh.adoc[]
*** xref:network/cilium-observability-with-hubble.adoc[]
*** xref:network/cilium-faq.adoc[]
*** xref:network/service-loadbalancer.adoc[]

** xref:logging/index.adoc[Logging]
*** xref:logging/tutorial-lokistack.adoc[Getting Started]
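Review bot: the new entry `*** xref:network/service-loadbalancer.adoc[]` is appended after `*** xref:network/cilium-faq.adoc[]`, so the FAQ is no longer the last item of the Cilium subsection; if the FAQ is meant to close that list, move the new line above it. The entry itself is consistent with its siblings (same nesting level, empty link text so the page title is used).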
166 changes: 166 additions & 0 deletions docs/modules/ROOT/pages/network/service-loadbalancer.adoc
@@ -0,0 +1,166 @@
= Service Type LoadBalancer

Depending on the infrastructure there are different implementations of services of type LoadBalancer.
Member

Suggested change
Depending on the infrastructure there are different implementations of services of type LoadBalancer.
Depending on the infrastructure there are different implementations of services of type LoadBalancer.
[IMPORTANT]
====
For some infrastructures, no `LoadBalancer` service types are available out of the box.
Please contact us if you need `LoadBalancer` services on such infrastructures.
====

Check your documentation or ask your system-admin if you don't know which types are available.

[NOTE]
=====
If you use services of type LoadBalancer you also need a NetworkPolicy or CiliumNetworkPolicy!
=====


== Cilium L2 Announcement

L2 Announcements is a feature which makes services visible and reachable on the machine network of the cluster.
This feature is primarily intended for on-premises deployments within networks without BGP based routing.

[source,yaml]
----
apiVersion: v1
kind: Service
metadata:
annotations:
lbipam.cilium.io/ips: 192.168.1.50 <5>
name: your-service-lb
namespace: your-namespace
spec:
type: LoadBalancer <1>
loadBalancerClass: io.cilium/l2-announcer <2>
selector: <3>
app.kubernetes.io/component: component
app.kubernetes.io/instance: instance
app.kubernetes.io/name: name
ports: <4>
- name: your-service
port: 10018
protocol: TCP
targetPort: 10018
----
<1> Use type `LoadBalancer` for the service.
<2> Use `io.cilium/l2-announcer` as loadbalancer class.
<3> Define the selector associated with your deployment.
<4> Define the port you want to expose, just like with a regular service.
<5> Optional: You can request a specific IP within the clusters machine network.


== Cilium BGP Announcement

L2 Announcements is a feature which makes services visible and reachable on the machine network of the cluster.
This feature is primarily intended for on-premises deployments within networks without BGP based routing.
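Review bot: the intro of the "Cilium BGP Announcement" section (lines 100-101) repeats the L2 section's text verbatim ("L2 Announcements is a feature which makes services visible and reachable on the machine network ... without BGP based routing"), which contradicts its own heading; replace it with a sentence about what the BGP control plane does with the service IP. Callout <5> has the same wording in both sections ("request a specific IP within the clusters machine network", apostrophe: cluster's); for the BGP case the address is advertised by BGP rather than on the local L2 segment, so the callout should say which address range the requested IP has to come from in each case instead of "machine network" for both. Minor: the example port `10018` and the `app.kubernetes.io/*` selector values are placeholders; consider saying so once, as the Service `name`/`namespace` already use the `your-` convention.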
Comment on lines +48 to +49
Member
Copy-paste error?


[source,yaml]
----
apiVersion: v1
kind: Service
metadata:
annotations:
lbipam.cilium.io/ips: 192.168.1.50 <5>
name: your-service-lb
namespace: your-namespace
spec:
type: LoadBalancer <1>
loadBalancerClass: io.cilium/bgp-control-plane <2>
selector: <3>
app.kubernetes.io/component: component
app.kubernetes.io/instance: instance
app.kubernetes.io/name: name
ports: <4>
- name: your-service
port: 10018
protocol: TCP
targetPort: 10018
----
<1> Use type `LoadBalancer` for the service.
<2> Use `io.cilium/bgp-control-plane` as loadbalancer class.
<3> Define the selector associated with your deployment.
<4> Define the port you want to expose, just like with a regular service.
<5> Optional: You can request a specific IP within the clusters machine network.


== Cloudscale LoadBalancer

A Cloudscale LoadBalancer consists of a redundant pair of virtual servers.
Externally, they share an IP address, which is active on one of the two systems and is seamlessly moved to the other system if a problem is detected.

[NOTE]
=====
If Cloudscale LoadBalancer are available you don't need to choose a specific `loadBalancerClass`!
=====

[source,yaml]
----
apiVersion: v1
kind: Service
metadata:
name: your-service-lb
namespace: your-namespace
Member
This example should have a few of the useful annotations such as access control and a link to https://github.com/cloudscale-ch/cloudscale-cloud-controller-manager?tab=readme-ov-file#loadbalancer-service-configuration

spec:
type: LoadBalancer <1>
selector: <2>
app.kubernetes.io/component: component
app.kubernetes.io/instance: instance
app.kubernetes.io/name: name
ports: <3>
- name: your-service
port: 10018
protocol: TCP
targetPort: 10018
----
<1> Use type `LoadBalancer` for the service.
<2> Define the selector associated with your deployment.
<3> Define the port you want to expose, just like with a regular service.


== NetworkPolicy for Services of Type LoadBalancer

Services of type LoadBalancer also require a NetworkPolicy _or_ a CiliumNetworkPolicy to allow connections.

----
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-your-service-lb
namespace: your-namespace
spec:
podSelector: <1>
matchLabels:
app.kubernetes.io/component: component
app.kubernetes.io/instance: instance
app.kubernetes.io/name: name
policyTypes:
- Ingress
ingress:
- from: <2>
- ipBlock:
cidr: 0.0.0.0/0
ports: <3>
- port: 10018
protocol: TCP
----
<1> Define the selector associated with your deployment.
<2> Allow access from `world`.
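Review bot: the NetworkPolicy listing at line 191 opens with a bare `----` and lacks the `[source,yaml]` attribute every earlier example carries, so it renders as a plain listing; add `[source,yaml]` above it. On the policy content: `ipBlock` with `cidr: 0.0.0.0/0` covers IPv4 only, so if the load balancer can hand out IPv6 addresses a second `ipBlock` with `cidr: ::/0` is needed, and the text should say so. Callout <2> says "Allow access from `world`" while the YAML says any address; the wording should match the YAML here and reserve `world` for the Cilium entity in the next example. The doc should also state whether narrowing the CIDR to specific client ranges actually works with each load balancer type, since that depends on the client source IP surviving the hop from the load balancer to the pod. Small grammar fix in the same region, line 150: "If Cloudscale LoadBalancer are available" should read "If Cloudscale LoadBalancers are available".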
Member

Suggested change
<2> Allow access from `world`.
<2> Allow access from anywhere (CIDR `0.0.0.0/0`).
Note that, depending on the `LoadBalancer` implementation, it may or may not be possible to restrict access to specific IPs via network policy.

<3> Define the port you want to expose.

----
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-your-service-lb
namespace: your-namespace
spec:
endpointSelector: <1>
matchLabels:
app.kubernetes.io/component: component
app.kubernetes.io/instance: instance
app.kubernetes.io/name: name
ingress:
- fromEntities: <2>
- world
toPorts:
- ports: <3>
- port: 10018
protocol: TCP
----
<1> Define the selector associated with your deployment.
<2> Allow access from `world`.
<3> Define the port you want to expose.
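Review bot: the CiliumNetworkPolicy listing at line 230 has the same missing `[source,yaml]` attribute as the NetworkPolicy above it. Both policies are named `allow-your-service-lb`; since line 189 says a NetworkPolicy _or_ a CiliumNetworkPolicy is required, add one sentence stating that only one of the two needs to be applied. Callout <2> for this example is accurate (`fromEntities: [world]` is Cilium's entity for endpoints outside the cluster), but it would help the reader to point out that `world` here and `0.0.0.0/0` in the NetworkPolicy are not interchangeable spellings of the same rule, as the two examples currently read as if they were.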