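# Default values for aws-load-balancer-controller.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
#
# Nesting was reconstructed from the upstream chart layout, because the listing
# this was taken from had lost all indentation (which is semantic in YAML).
# Keys whose parent could not be fixed from the listing alone carry a
# NOTE(review) so they can be confirmed against the chart templates.

replicaCount: 2
revisionHistoryLimit: 10

image:
  repository: cgr.dev/chainguard-private/aws-load-balancer-controller
  # The digest after '@' is what the runtime resolves; the 'latest' tag in front
  # of it is informational only, so this reference stays pinned if the tag moves.
  tag: latest@sha256:3d68443e886dd8e409d5b9fff1a399060418643506699c16e78a9409e4057776
  pullPolicy: IfNotPresent

runtimeClassName: ""
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""

# AWS LBC only has 1 main working pod, other pods are just standby.
# The purpose of enabling HPA is to survive load-induced failure of the calls to the aws-load-balancer-webhook-service:
# since the calls from kube-apiserver are sent round-robin to all replicas, and the failure policy on those webhooks is Fail,
# if the pods become overloaded and do not respond within the timeout that could block the creation of pods, targetgroupbindings or ingresses.
# Please keep in mind that the controller pods have `priorityClassName: system-cluster-critical`; enabling HPA may lead to the eviction of other low-priority pods on the node.
autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 5
  targetCPUUtilizationPercentage: 80

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # Annotations to add to the service account.
  # For IRSA the role ARN annotation belongs here rather than in `env`, so no
  # static AWS credentials end up in the pod spec.
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name:
  # Automount API credentials for a Service Account.
  # The controller watches cluster objects through this token; what it may do
  # with it is bounded by the RBAC created under `rbac` below.
  automountServiceAccountToken: true
  # List of image pull secrets to add to the Service Account.
  imagePullSecrets:
    # - name: docker

rbac:
  # Specifies whether rbac resources should be created
  create: true

podSecurityContext:
  fsGroup: 65534

securityContext:
  # NOTE(review): dropping all capabilities is shipped commented out. A Go
  # controller that only talks to the Kubernetes and AWS APIs normally needs
  # none, so consider enabling it (and `seccompProfile.type: RuntimeDefault`)
  # once confirmed against the controller's own requirements.
  # capabilities:
  #   drop:
  #   - ALL
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  allowPrivilegeEscalation: false

# Time period for the controller pod to do a graceful shutdown
terminationGracePeriodSeconds: 10

resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi

# priorityClassName specifies the PriorityClass to indicate the importance of controller pods
# ref: https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
priorityClassName: system-cluster-critical

nodeSelector: {}
tolerations: []

# affinity specifies a custom affinity for the controller pods
affinity: {}
# configureDefaultAffinity specifies whether to configure a default affinity for the controller pods to prevent
# co-location on the same node. This will get ignored if you specify a custom affinity configuration.
configureDefaultAffinity: true

# topologySpreadConstraints is a stable feature of k8s v1.19 which provides the ability to
# control how Pods are spread across your cluster among failure-domains such as regions, zones,
# nodes, and other user-defined topology domains.
#
# more details here: https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
topologySpreadConstraints: []

updateStrategy: {}
  # type: RollingUpdate
  # rollingUpdate:
  #   maxSurge: 1
  #   maxUnavailable: 1

# serviceAnnotations contains annotations to be added to the provisioned webhook service resource
serviceAnnotations: {}
# deploymentAnnotations contains annotations for the controller deployment
deploymentAnnotations: {}
podAnnotations: {}
podLabels: {}
# additionalLabels -- Labels to add to each object of the chart.
additionalLabels: {}

# Enable cert-manager
enableCertManager: false
# Overridable variables when enableCertManager is set to true
certManager:
  # Webhook serving certificate configuration
  duration: "8760h0m0s" # 1 year
  renewBefore: "720h0m0s" # 30 days
  revisionHistoryLimit:
  # Root CA certificate configuration
  rootCert:
    duration: "43800h0m0s" # 5 years
  # Optional: custom issuer reference
  # issuerRef:
  #   name: my-issuer
  #   kind: ClusterIssuer

# The name of the Kubernetes cluster. A non-empty value is required
clusterName:

# cluster contains configurations specific to the kubernetes cluster
cluster:
  # Cluster DNS domain (required for requesting TLS certificates)
  dnsDomain: cluster.local

# The ingress class this controller will satisfy. If not specified, controller will match all
# ingresses without ingress class annotation and ingresses of type alb
ingressClass: alb

# ingressClassParams specify the IngressClassParams that enforce settings for a set of Ingresses when used with the ingress controller.
ingressClassParams:
  create: true
  # The name of ingressClassParams resource will be referred in ingressClass
  name:
  spec: {}
  # Due to a dependency issue, the validation webhook ignores this particular ingressClassParams resource.
  # We recommend creating ingressClassParams resources separately after installing this chart and the
  # controller is functional.
  #
  # You can set the specifications in the `helm install` command through `--set` or `--set-string`
  # If you do want to specify in the values.yaml, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'spec:'
  #
  # namespaceSelector:
  #   matchLabels:
  # group:
  # scheme:
  # ipAddressType:
  # tags:
  # loadBalancerAttributes:
  # - key:
  #   value:

# To use an IngressClass resource instead of the annotation, you first need to install the IngressClass resource pointing to the controller.
# If specified as true, the IngressClass resource will be created.
createIngressClassResource: true

# The AWS region for the kubernetes cluster. Set to use KIAM or kube2iam for example.
region:
# The VPC ID for the Kubernetes cluster. Set this manually when your pods are unable to use the metadata service to determine this automatically
vpcId:
# This is an alternative to vpcId. Set this when your pods are unable to use the metadata service to determine the VPC automatically.
# All specified tags are used as AND filters for VPC lookup.
vpcTags: {}
  # Name: tagValue

# Custom AWS API Endpoints (serviceID1=URL1,serviceID2=URL2)
awsApiEndpoints:
# awsApiThrottle specifies custom AWS API throttle settings (serviceID1:operationRegex1=rate:burst,serviceID2:operationRegex2=rate:burst)
# example: --set awsApiThrottle="{Elastic Load Balancing v2:RegisterTargets|DeregisterTargets=4:20,Elastic Load Balancing v2:.*=10:40}"
awsApiThrottle:
# Maximum retries for AWS APIs (default 10)
awsMaxRetries:

# Default target type. Used as the default value of the "alb.ingress.kubernetes.io/target-type" and
# "service.beta.kubernetes.io/aws-load-balancer-nlb-target-type" annotations.
# Possible values are "ip" and "instance"
# The value "ip" should be used for ENI-based CNIs, such as the Amazon VPC CNI,
# Calico with encapsulation disabled, or Cilium with masquerading disabled.
# The value "instance" should be used for overlay-based CNIs, such as Calico in VXLAN or IPIP mode or
# Cilium with masquerading enabled.
defaultTargetType: instance

# Default load balancer scheme when not specifying "alb.ingress.kubernetes.io/scheme" or
# "service.beta.kubernetes.io/aws-load-balancer-scheme" annotations.
# Possible values are "internal" and "internet-facing" (default "internal")
defaultLoadBalancerScheme:
# If enabled, targetHealth readiness gate will get injected to the pod spec for the matching endpoint pods (default true)
enablePodReadinessGateInject:
# Enable Shield addon for ALB (default true)
enableShield:
# Enable WAF addon for ALB (default true)
enableWaf:
# Enable WAF V2 addon for ALB (default true)
enableWafv2:
# Maximum number of concurrently running reconcile loops for ingress (default 3)
ingressMaxConcurrentReconciles:
# Set the controller log level - info(default), debug (default "info")
logLevel:
# The address the metric endpoint binds to. (default ":8080")
# NOTE(review): with the default the endpoint presumably listens on every pod
# interface; if scraping is confined to one namespace, a NetworkPolicy is the
# place to enforce that — confirm what the metrics server authenticates.
metricsBindAddr: ""

webhookConfig:
  # disableIngressValidation disables the validation of resources of kind Ingress, false by default
  disableIngressValidation:

# whether or not to fail the ingress creation if the webhook fails.
# The key keeps its upstream spelling ("Valdation") because the chart templates
# presumably reference it by that name; renaming it here would silently drop
# the rendered failurePolicy back to the API server default.
# NOTE(review): this key and the two selectors below are placed at top level,
# not under webhookConfig — confirm against the chart's webhook templates.
ingressValdationFailurePolicy: Fail
# limit ingress validation webhook to only validate ingresses matching the objectSelector
ingressValidationObjectSelector:
  matchExpressions:
  matchLabels:
# limit ingress validation webhook to only validate ingresses in the namespace matching the namespace selector.
ingressValidationNamespaceSelector:
  matchExpressions:
  matchLabels:

# The TCP port the Webhook server binds to. (default 9443)
webhookBindPort:
# webhookTLS specifies TLS cert/key for the webhook.
# Anything set here presumably lands in the webhook TLS Secret at install time;
# prefer enableCertManager or a secret store over committing PEM material into a
# values file kept under version control.
webhookTLS:
  caCert:
  cert:
  key:
# keepTLSSecret specifies whether to reuse existing TLS secret for chart upgrade when cert-manager is not being used
keepTLSSecret: false
# array of namespace selectors for the pod mutator webhook
webhookNamespaceSelectors:
  # - key: elbv2.k8s.aws/pod-readiness-gate-inject
  #   operator: In
  #   values:
  #   - enabled

# Maximum number of concurrently running reconcile loops for service (default 3)
serviceMaxConcurrentReconciles:
# Maximum number of concurrently running reconcile loops for targetGroupBinding
targetgroupbindingMaxConcurrentReconciles:
# Maximum duration of exponential backoff for targetGroupBinding reconcile failures
targetgroupbindingMaxExponentialBackoffDelay:
# Duration after which TargetGroupBinding will be requeued for reconciliation when it's waiting for AWS resources to update.
targetgroupbindingRequeueDuration:
# Maximum number of concurrently running reconcile loops for ALB gateways (default 3)
albGatewayMaxConcurrentReconciles:
# Maximum number of concurrently running reconcile loops for NLB gateways (default 3)
nlbGatewayMaxConcurrentReconciles:
# Maximum number of concurrently running reconcile loops for GlobalAccelerator objects
globalAcceleratorMaxConcurrentReconciles:
# Maximum duration of exponential backoff for GlobalAccelerator reconcile failures
globalAcceleratorMaxExponentialBackoffDelay:
# Interval at which the controller monitors the state of load balancer after creation for stabilization
lbStabilizationMonitorInterval:
# Period at which the controller forces the repopulation of its local object stores. (default 10h0m0s)
syncPeriod:
# Namespace the controller watches for updates to Kubernetes objects. If empty, all namespaces are watched.
watchNamespace:
# disableIngressClassAnnotation disables the usage of kubernetes.io/ingress.class annotation, false by default
disableIngressClassAnnotation:
# disableIngressGroupNameAnnotation disables the usage of alb.ingress.kubernetes.io/group.name annotation, false by default
disableIngressGroupNameAnnotation:
# tolerateNonExistentBackendService permits rules which specify backend services that don't exist, true by default (when enabled, a 503 error is returned if the backend service does not exist)
tolerateNonExistentBackendService:
# tolerateNonExistentBackendAction permits rules which specify backend actions that don't exist, true by default (when enabled, a 503 error is returned if the backend action does not exist)
tolerateNonExistentBackendAction:
# defaultSSLPolicy specifies the default SSL policy to use for TLS/HTTPS listeners
defaultSSLPolicy:

# Liveness probe configuration for the controller
livenessProbe:
  failureThreshold: 2
  httpGet:
    path: /healthz
    port: 61779
    scheme: HTTP
  initialDelaySeconds: 30
  timeoutSeconds: 10
# readiness probe configuration for the controller
readinessProbe:
  failureThreshold: 2
  httpGet:
    path: /readyz
    port: 61779
    scheme: HTTP
  successThreshold: 1
  initialDelaySeconds: 10
  timeoutSeconds: 10

# Environment variables to set for aws-load-balancer-controller pod.
# We strongly discourage programming access credentials in the controller environment. You should setup IRSA or
# comparable solutions like kube2iam, kiam etc instead.
env:
  # ENV_1: ""
  # ENV_2: ""

# Use Environment variables credentials from Secret (aws-secret) for aws-load-balancer-controller pod similarly as The EBS CSI Driver does.
# envSecretName: aws-secret

# Use envFrom to set environment variables from a Secret or ConfigMap
# envFrom:
# - secretRef:
#     name: my-secret

# Specifies if aws-load-balancer-controller should be started in hostNetwork mode.
# This is required if using a custom CNI where the managed control plane nodes are unable to initiate
# network connections to the pods, for example using Calico CNI plugin on EKS. This is not required or
# recommended if using the Amazon VPC CNI plugin.
hostNetwork: false
# Specifies the dnsPolicy that should be used for pods in the deployment
#
# This may need to be changed under certain conditions. For instance, if one uses the cilium CNI
# with certain settings, one may need to set `hostNetwork: true` and webhooks won't work unless `dnsPolicy`
# is set to `ClusterFirstWithHostNet`. See https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
dnsPolicy:

# extraVolumeMounts are the additional volume mounts. This enables setting up IRSA on non-EKS Kubernetes cluster
extraVolumeMounts:
  # - name: aws-iam-token
  #   mountPath: /var/run/secrets/eks.amazonaws.com/serviceaccount
  #   readOnly: true

# extraVolumes for the extraVolumeMounts. Useful to mount a projected service account token for example.
extraVolumes:
  # - name: aws-iam-token
  #   projected:
  #     defaultMode: 420
  #     sources:
  #     - serviceAccountToken:
  #         audience: sts.amazonaws.com
  #         expirationSeconds: 86400
  #         path: token

# defaultTags are the tags to apply to all AWS resources managed by this controller
defaultTags: {}
  # default_tag1: value1
  # default_tag2: value2

# podDisruptionBudget specifies the disruption budget for the controller pods.
# Disruption budget will be configured only when the replicaCount is greater than 1
podDisruptionBudget: {}
  # maxUnavailable: 1

# externalManagedTags is the list of tag keys on AWS resources that will be managed externally
externalManagedTags: []
# enableEndpointSlices enables k8s EndpointSlices for IP targets instead of Endpoints (default false)
enableEndpointSlices:
# enableBackendSecurityGroup enables shared security group for backend traffic (default true)
enableBackendSecurityGroup:
# enableManageBackendSecurityGroupRules lets the controller manage security group rules (default false)
enableManageBackendSecurityGroupRules:
# backendSecurityGroup specifies backend security group id (default controller auto create backend security group)
backendSecurityGroup:
# disableRestrictedSecurityGroupRules specifies whether to disable creating port-range restricted security group rules for traffic
disableRestrictedSecurityGroupRules:
# maxTargetsPerTargetGroup specifies the maximum number of targets that the controller will attempt to add to a given ELB instance
maxTargetsPerTargetGroup:

# controllerConfig specifies controller configuration
controllerConfig:
  # featureGates set of key: value pairs that describe AWS load balancer controller features
  featureGates: {}
    # ListenerRulesTagging: true
    # WeightedTargetGroups: true
    # ServiceTypeLoadBalancerOnly: false
    # EndpointsFailOpen: true
    # EnableServiceController: true
    # EnableIPTargetType: true
    # EnableTCPUDPListener: false
    # EnableRGTAPI: false
    # SubnetsClusterTagCheck: true
    # NLBHealthCheckAdvancedConfig: true
    # NLBSecurityGroup: true
    # ALBSingleSubnet: false
    # LBCapacityReservation: true
    # SubnetDiscoveryByReachability: true
    # NLBGatewayAPI: true
    # ALBGatewayAPI: true
    # GatewayListenerSet: true
    # GlobalAcceleratorController: false
    # EnhancedDefaultBehavior: false
    # EnableDefaultTagsLowPriority: false
    # ALBTargetControlAgent: false
    # EnableCertificateManagement: false

# NOTE(review): placed at top level here; confirm it is not meant to sit under
# controllerConfig.
certDiscovery:
  allowedCertificateAuthorityARNs: "" # empty means all CAs are in scope

# objectSelector for webhook
objectSelector:
  matchExpressions:
  # - key: <key>
  #   operator: <operator>
  #   values:
  #   - <value>
  matchLabels:
  # key: value

serviceMonitor:
  # Specifies whether a service monitor should be created
  enabled: false
  # Namespace to create the service monitor in
  namespace:
  # Labels to add to the service monitor
  additionalLabels: {}
  # Prometheus scrape interval
  interval: 1m
  # Prometheus scrape timeout
  scrapeTimeout:
  # Relabelings to apply to samples before ingestion
  relabelings:
  # Metric relabelings to apply to samples before ingestion
  metricRelabelings:

# clusterSecretsPermissions lets you configure RBAC permissions for secret resources
# Access to secrets resource is required only if you use the OIDC feature, and instead of
# enabling access to all secrets, we recommend configuring namespaced role/rolebinding.
# This option is for backwards compatibility only, and will potentially be deprecated in future.
clusterSecretsPermissions:
  # allowAllSecrets allows the controller to access all secrets in the cluster.
  # This is to get backwards compatible behavior, but *NOT* recommended for security reasons:
  # a cluster-wide secrets read turns any compromise of this controller into a
  # read of every credential in the cluster.
  allowAllSecrets: false

# ingressClassConfig contains configurations specific to the ingress class
ingressClassConfig:
  default: false

# enableServiceMutatorWebhook allows you to enable the webhook which makes this controller the default for all new services of type LoadBalancer.
# This applies cluster-wide; narrow it with the objectSelector / namespaceSelectors under
# serviceMutatorWebhookConfig if other load balancer controllers coexist in the cluster.
enableServiceMutatorWebhook: true
# serviceMutatorWebhookConfig contains configurations specific to the service mutator webhook
serviceMutatorWebhookConfig:
  # whether or not to fail the service creation if the webhook fails
  failurePolicy: Fail
  # limit webhook to only mutate services matching the objectSelector
  objectSelector:
    matchExpressions: []
    # - key: <key>
    #   operator: <operator>
    #   values:
    #   - <value>
    matchLabels: {}
    # key: value
  # array of namespace selectors for the service mutator webhook
  namespaceSelectors:
    # - key: <key>
    #   operator: <operator>
    #   values:
    #   - <value>
  # which operations trigger the webhook
  operations:
    - CREATE
    # - UPDATE

# podMutatorWebhookConfig contains configurations specific to the pod mutator webhook
podMutatorWebhookConfig:
  # whether or not to fail the pod creation if the webhook fails.
  # Ignore is fail-open: pods are still admitted when the webhook is unreachable,
  # at the cost of a missing readiness gate on those pods.
  failurePolicy: Ignore

# serviceTargetENISGTags specifies AWS tags, in addition to the cluster tags, for finding the target ENI SG to which to add inbound rules from NLBs.
serviceTargetENISGTags:
# Specifies the class of load balancer to use for services. This affects how services are provisioned if type LoadBalancer is used (default service.k8s.aws/nlb)
loadBalancerClass:

# creator will disable helm default labels, so you can only add yours
# creator: "me"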

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsChainguard OS PackagesChainguard ActionsChainguard Agent SkillsIntegrationsPricing
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.