DirectorySecurity AdvisoriesPricing
Sign in
Directory
metallb logoHELM

metallb

Helm chart
Last changed
Request a free trial

Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.

Overview
Chart versions
Default values
Chart metadata
Images

Tag:
1
# Default values for metallb.
2
# This is a YAML-formatted file.
3
# Declare variables to be passed into your templates.
4
5
imagePullSecrets: []
6
nameOverride: ""
7
fullnameOverride: ""
8
loadBalancerClass: ""
9
# To configure MetalLB, you must specify ONE of the following two
10
# options.
11
rbac:
12
# create specifies whether to install and use RBAC rules.
13
create: true
14
tls:
15
# -- Comma-separated list of TLS cipher suites. If empty, uses Go defaults. Only applies to TLS 1.2.
16
cipherSuites: ""
17
# -- Comma-separated list of numeric CurveID values (e.g. 29,4588). See https://pkg.go.dev/crypto/tls#CurveID. If empty, uses Go defaults.
18
curvePreferences: ""
19
# -- Minimum TLS version (VersionTLS12 or VersionTLS13). Defaults to VersionTLS13.
20
minVersion: ""
21
# -- The name of the secret to be mounted in the controller pod to provide TLS certificates for metrics endpoints. If not present, a self-signed certificate is auto-generated.
22
controllerMetricsTLSSecret: ""
23
# -- The name of the secret to be mounted in the speaker pod to provide TLS certificates for metrics endpoints. If not present, a self-signed certificate is auto-generated.
24
speakerMetricsTLSSecret: ""
25
prometheus:
26
# scrape annotations specifies whether to add Prometheus metric
27
# auto-collection annotations to pods. See
28
# https://github.com/prometheus/prometheus/blob/release-2.1/documentation/examples/prometheus-kubernetes.yml
29
# for a corresponding Prometheus configuration. Alternatively, you
30
# may want to use the Prometheus Operator
31
# (https://github.com/coreos/prometheus-operator) for more powerful
32
# monitoring configuration. If you use the Prometheus operator, this
33
# can be left at false.
34
scrapeAnnotations: false
35
# port both controller and speaker will listen on for metrics (always HTTPS).
36
# Matches the port kube-rbac-proxy previously served on.
37
metricsPort: 9120
38
# prometheus doesn't have the permission to scrape all namespaces so we give it permission to scrape metallb's one
39
rbacPrometheus: true
40
# the service account used by prometheus
41
# required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true "
42
serviceAccount: ""
43
# the namespace where prometheus is deployed
44
# required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true "
45
namespace: ""
46
# Prometheus Operator PodMonitors
47
podMonitor:
48
# enable support for Prometheus Operator
49
enabled: false
50
# optional additional labels for podMonitors
51
additionalLabels: {}
52
# optional annotations for podMonitors
53
annotations: {}
54
# Job label for scrape target
55
jobLabel: "app.kubernetes.io/name"
56
# Scrape interval. If not set, the Prometheus default scrape interval is used.
57
interval:
58
# metric relabel configs to apply to samples before ingestion.
59
metricRelabelings: []
60
# - action: keep
61
# regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
62
# sourceLabels: [__name__]
63
64
# relabel configs to apply to samples before ingestion.
65
relabelings: []
66
# - sourceLabels: [__meta_kubernetes_pod_node_name]
67
# separator: ;
68
# regex: ^(.*)$
69
# target_label: nodename
70
# replacement: $1
71
# action: replace
72
# Prometheus Operator ServiceMonitors. To be used as an alternative
73
# to podMonitor, supports secure metrics.
74
serviceMonitor:
75
# enable support for Prometheus Operator
76
enabled: false
77
speaker:
78
# optional additional labels for the speaker serviceMonitor
79
additionalLabels: {}
80
# optional additional annotations for the speaker serviceMonitor
81
annotations: {}
82
# optional tls configuration for the speaker serviceMonitor, in case
83
# secure metrics are enabled.
84
tlsConfig:
85
insecureSkipVerify: true
86
controller:
87
# optional additional labels for the controller serviceMonitor
88
additionalLabels: {}
89
# optional additional annotations for the controller serviceMonitor
90
annotations: {}
91
# optional tls configuration for the controller serviceMonitor, in case
92
# secure metrics are enabled.
93
tlsConfig:
94
insecureSkipVerify: true
95
# Job label for scrape target
96
jobLabel: "app.kubernetes.io/name"
97
# Scrape interval. If not set, the Prometheus default scrape interval is used.
98
interval:
99
# metric relabel configs to apply to samples before ingestion.
100
metricRelabelings: []
101
# - action: keep
102
# regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
103
# sourceLabels: [__name__]
104
105
# relabel configs to apply to samples before ingestion.
106
relabelings: []
107
# - sourceLabels: [__meta_kubernetes_pod_node_name]
108
# separator: ;
109
# regex: ^(.*)$
110
# target_label: nodename
111
# replacement: $1
112
# action: replace
113
# Prometheus Operator alertmanager alerts
114
prometheusRule:
115
# enable alertmanager alerts
116
enabled: false
117
# optional additional labels for prometheusRules
118
additionalLabels: {}
119
# optional annotations for prometheusRules
120
annotations: {}
121
# MetalLBStaleConfig
122
staleConfig:
123
enabled: true
124
labels:
125
severity: warning
126
# MetalLBConfigNotLoaded
127
configNotLoaded:
128
enabled: true
129
labels:
130
severity: warning
131
# MetalLBAddressPoolExhausted
132
addressPoolExhausted:
133
enabled: true
134
labels:
135
severity: critical
136
# Exclude the pools matching the regular expression from triggering the alert.
137
excludePools: ""
138
addressPoolUsage:
139
enabled: true
140
thresholds:
141
- percent: 75
142
labels:
143
severity: warning
144
- percent: 85
145
labels:
146
severity: warning
147
- percent: 95
148
labels:
149
severity: critical
150
# Exclude the pools matching the regular expression from triggering the alert.
151
excludePools: ""
152
# MetalLBBGPSessionDown
153
bgpSessionDown:
154
enabled: true
155
labels:
156
severity: critical
157
extraAlerts: []
158
# controller contains configuration specific to the MetalLB cluster
159
# controller.
160
controller:
161
enabled: true
162
# -- Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
163
logLevel: info
164
# command: /controller
165
webhookMode: enabled
166
image:
167
repository: cgr.dev/scratch-images/test-tmp/metallb-controller
168
tag: 0.16.0-r3@sha256:20cf6665edbd28f87324e21d9c3bb1b49e708e93c0da07e678f0e5dde6351393
169
pullPolicy:
170
## @param controller.updateStrategy.type Metallb controller deployment strategy type.
171
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
172
## e.g:
173
## strategy:
174
## type: RollingUpdate
175
## rollingUpdate:
176
## maxSurge: 25%
177
## maxUnavailable: 25%
178
##
179
strategy:
180
type: RollingUpdate
181
serviceAccount:
182
# Specifies whether a ServiceAccount should be created
183
create: true
184
# The name of the ServiceAccount to use. If not set and create is
185
# true, a name is generated using the fullname template
186
name: ""
187
annotations: {}
188
securityContext:
189
runAsNonRoot: true
190
# nobody
191
runAsUser: 65534
192
fsGroup: 65534
193
resources: {}
194
# limits:
195
# cpu: 100m
196
# memory: 100Mi
197
nodeSelector: {}
198
tolerations: []
199
priorityClassName: ""
200
runtimeClassName: ""
201
affinity: {}
202
podAnnotations: {}
203
labels: {}
204
livenessProbe:
205
enabled: true
206
failureThreshold: 3
207
initialDelaySeconds: 10
208
periodSeconds: 10
209
successThreshold: 1
210
timeoutSeconds: 1
211
readinessProbe:
212
enabled: true
213
failureThreshold: 3
214
initialDelaySeconds: 10
215
periodSeconds: 10
216
successThreshold: 1
217
timeoutSeconds: 1
218
extraContainers: []
219
# speaker contains configuration specific to the MetalLB speaker
220
# daemonset.
221
speaker:
222
enabled: true
223
# command: /speaker
224
# -- Speaker log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
225
logLevel: info
226
tolerateMaster: true
227
memberlist:
228
# -- When enabled: false, the speaker pods must run on all nodes
229
enabled: true
230
mlBindPort: 7946
231
mlBindAddrOverride: ""
232
mlSecretKeyPath: "/etc/ml_secret_key"
233
excludeInterfaces:
234
enabled: true
235
# ignore the exclude-from-external-loadbalancer label
236
ignoreExcludeLB: false
237
# -- BGP debounce timeout for FRR configuration reloads, in milliseconds. Only applies when BGP type is frr. Default (when unset) is 3000 ms. This feature is experimental
238
bgpDebounceTimeout: null
239
image:
240
repository: cgr.dev/scratch-images/test-tmp/metallb-speaker
241
tag: 0.16.0-r3@sha256:1c8b2625e7ea584c4507e28a517d796cb695b6bb917f2a5d6b82a0f9d591a875
242
pullPolicy:
243
## @param speaker.updateStrategy.type Speaker daemonset strategy type
244
## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
245
##
246
updateStrategy:
247
## StrategyType
248
## Can be set to RollingUpdate or OnDelete
249
##
250
type: RollingUpdate
251
serviceAccount:
252
# Specifies whether a ServiceAccount should be created
253
create: true
254
# The name of the ServiceAccount to use. If not set and create is
255
# true, a name is generated using the fullname template
256
name: ""
257
annotations: {}
258
securityContext: {}
259
## Defines a secret name for the controller to generate a memberlist encryption secret
260
## By default secretName: {{ "metallb.fullname" }}-memberlist
261
##
262
# secretName:
263
resources: {}
264
# limits:
265
# cpu: 100m
266
# memory: 100Mi
267
nodeSelector: {}
268
tolerations: []
269
priorityClassName: ""
270
affinity: {}
271
## Selects which runtime class will be used by the pod.
272
runtimeClassName: ""
273
podAnnotations: {}
274
labels: {}
275
livenessProbe:
276
enabled: true
277
failureThreshold: 3
278
initialDelaySeconds: 10
279
periodSeconds: 10
280
successThreshold: 1
281
timeoutSeconds: 1
282
readinessProbe:
283
enabled: true
284
failureThreshold: 3
285
initialDelaySeconds: 10
286
periodSeconds: 10
287
successThreshold: 1
288
timeoutSeconds: 1
289
startupProbe:
290
enabled: true
291
failureThreshold: 30
292
periodSeconds: 5
293
# frr contains configuration specific to the MetalLB FRR container,
294
# for speaker running alongside FRR.
295
# DEPRECATED: The FRR mode is deprecated and will be removed in a future
296
# release. Use the frr-k8s mode (frrk8s.enabled) instead, which is now
297
# the default BGP backend.
298
frr:
299
enabled: false
300
image:
301
repository: cgr.dev/scratch-images/test-tmp/frr
302
tag: 10.4.4-r0@sha256:3cc28342b8cf2fa969643e6244188e35a114e368c483f25647650719386f757e
303
pullPolicy:
304
metricsPort: 9121
305
resources: {}
306
reloader:
307
resources: {}
308
frrMetrics:
309
resources: {}
310
initContainers:
311
cpFrrFiles:
312
resources: {}
313
cpReloader:
314
resources: {}
315
cpMetrics:
316
resources: {}
317
extraContainers: []
318
crds:
319
enabled: true
320
validationFailurePolicy: Fail
321
# frrk8s contains the configuration related to using an frrk8s instance
322
# (github.com/metallb/frr-k8s) as the backend for the BGP implementation.
323
# This allows configuring additional frr parameters in combination to those
324
# applied by MetalLB.
325
frrk8s:
326
# if set, enables frrk8s as a backend. This is mutually exclusive to frr
327
# mode.
328
enabled: true
329
external: false
330
namespace: ""
331
frr-k8s:
332
prometheus:
333
# The FRR-K8s BGP/BFD metrics are exposed with the "frrk8s_" prefix
334
# (e.g. frrk8s_bgp_session_up, frrk8s_bfd_session_up).
335
# To rename them to the legacy "metallb_" prefix for backward compatibility
336
# with existing dashboards or alerts, uncomment section below.
337
# serviceMonitor:
338
# enabled: true
339
# metricRelabelings:
340
# - sourceLabels: [__name__]
341
# regex: "frrk8s_bgp_(.*)"
342
# targetLabel: "__name__"
343
# replacement: "metallb_bgp_$1"
344
# - sourceLabels: [__name__]
345
# regex: "frrk8s_bfd_(.*)"
346
# targetLabel: "__name__"
347
# replacement: "metallb_bfd_$1"
348
# networkpolicies
349
networkpolicies:
350
# if set, networkpolicies for metallb components will be installed in the metallb namespace
351
enabled: false
352
# if set, a default deny network policy will be installed in the metallb namespace
353
defaultDeny: false
354
# to override internal k8s api targetPort
355
apiPort: 6443
356

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsChainguard OS PackagesChainguard ActionsChainguard Agent SkillsIntegrationsPricing

Solutions

FedRAMPPCI DSSCMMC 2.0SOC 2Golden ImagesCVE RemediationPublic SectorStartups

Customers

Customer StoriesChainguard Reviews

Resources

Events & WebinarsSupply Chain Security 101Chainguard CoursesDocumentationTrust CenterChainguard Slack Community

Company

About UsBlogOpen Source LeadershipPartnersNewsroomCareersLegal
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.