Configure a load balancer in a Managed Kubernetes cluster for Ingress

warning

After creating a Managed Kubernetes cluster, we recommend that you perform all actions with load balancers only via kubectl. Changes made in any other way are not saved in Kubernetes manifests. When re-creating a cluster, a load balancer, or synchronizing manifests, such changes will be reverted.

A load balancer in Managed Kubernetes is used to distribute incoming traffic between pods.

If you use the Traefik Ingress Controller, a load balancer will be automatically created when installing the Traefik Ingress Controller. To configure the load balancer during installation, use the Install Traefik Ingress Controller instruction. All annotations for configuring the load balancer that are described in this instruction are applied to the Traefik Ingress Controller only via the values.yaml file.

If you use another Ingress Controller without automatic load balancer creation or if an additional load balancer is needed for other applications, create a load balancer.

Create a load balancer

  1. Connect to the cluster.
  2. Create a yaml file with a manifest for a LoadBalancer-type Service object.

Example of a LoadBalancer-type Service manifest:

apiVersion: v1
kind: Service
metadata:
  name: loadbalancer-name
  labels:
    app: my-app
  annotations:
    loadbalancer.openstack.org/keep-floatingip: "true"
spec:
  type: LoadBalancer
  selector:
    app: my-app
  ports:
  - port: 80
    protocol: TCP

All additional parameters for the load balancer are passed in the annotations block — the instruction lists frequently used annotations that may be needed when creating a load balancer or, in some cases, for an already created load balancer.

  3. Apply the manifest:

    kubectl apply -f <file_name>

    Specify <file_name> — the name of the yaml file with the manifest for creating a LoadBalancer-type Service object. For example, loadbalancer.yaml.

The created load balancer will appear in the Control Panel: in the top menu, click Products and select Cloud Servers → section Load Balancers → tab Load Balancers.

Specify a flavor and load balancer type

By default, if no annotation is specified, a load balancer of the Basic with reservation type is created.

To create a load balancer with a different type, use the annotation:

loadbalancer.openstack.org/flavor-id: "<flavor_id>"

Specify <flavor_id> — the flavor ID. Flavors correspond to load balancer types and determine the number of vCPU, RAM, and the number of load balancer instances. For example, ac18763b-1fc5-457d-9fa7-b0d339ffb336 — the ID for creating an Advanced with reservation balancer in the ru-9 pool. You can view the list of load balancer flavors in all pools in the table or view the list of load balancer flavors in a specific pool via OpenStack CLI.

In an already created load balancer, you cannot change the type — you need to create a new manifest with the required annotation.

Create a load balancer without a public IP address

By default, if the annotation is not specified, a load balancer with a public IP address is created.

To create a load balancer without a public IP address, use the annotation:

service.beta.kubernetes.io/openstack-internal-load-balancer: "true"

In an already created load balancer, you cannot replace the parameter — you need to create a new manifest with the required annotation.

Create a load balancer with an IP address from other subnets

By default, a load balancer is created in the same network as the cluster nodes, and a public IP address is allocated for it.

You can create a load balancer in any other subnet — public, private, or cross-project.

  1. Add an annotation with the subnet specification to the manifest:

    loadbalancer.openstack.org/subnet-id: "<subnet_uuid>"

    Specify <subnet_uuid> — the subnet ID, which you can view using the openstack subnet list command.

  2. Disable automatic creation of a public IP address. To do this, add the annotation:

    service.beta.kubernetes.io/openstack-internal-load-balancer: "true"

  3. Specify the load balancer IP address:

    spec:
      type: LoadBalancer
      selector:
        app: my-app
      ports:
      - port: 80
        protocol: TCP
        name: http
      loadBalancerIP: "<ip_address>"

    Specify <ip_address> — the IP address of the load balancer from the subnet you selected in Step 1.

    In an already created load balancer, you cannot replace the annotation — you need to create a new manifest with the required annotation.

Add connection settings

To manage connection settings between incoming requests and the load balancer or between the load balancer and servers, use the annotations described in the sections below.

Connection settings are configured for a load balancer rule. The connection settings established in annotations can be viewed in the Control Panel: in the top menu, click Products and select Cloud Servers → section Load Balancers → tab Load Balancers → load balancer page → open the rule card → open the Advanced rule settings block.

Maximum connections

To specify the maximum number of connections, use the annotation:

loadbalancer.openstack.org/connection-limit: "<value>"

Specify <value> — the maximum number of connections per second. Default is -1 (unlimited).

You can update the parameter in an already created load balancer.

You can view the parameter in the Control Panel: in the top menu, click Products and select Cloud Servers → section Load Balancers → tab Load Balancers → load balancer page → open the rule card → open the Advanced rule settings → block Requests to the load balancer → field Maximum connections.

Connection timeout for incoming requests

To specify the connection timeout for incoming requests to the load balancer, use the annotation:

loadbalancer.openstack.org/timeout-client-data: "<value>"

Specify <value> — the timeout value in milliseconds. Default is 50000.

You can update the parameter in an already created load balancer.

You can view the parameter in the Control Panel: in the top menu, click Products and select Cloud Servers → section Load Balancers → tab Load Balancers → load balancer page → open the rule card → open the Advanced rule settings → block Requests to the load balancer → field Connection timeout, ms.

Connection timeout for balancer requests to servers

To specify the connection timeout for balancer requests to servers, use the annotation:

loadbalancer.openstack.org/timeout-member-connect: "<value>"

Specify <value> — the timeout value in milliseconds. Default is 5000.

You can update the parameter in an already created load balancer.

You can view the parameter in the Control Panel: in the top menu, click Products and select Cloud Servers → section Load Balancers → tab Load Balancers → load balancer page → open the rule card → open the Advanced rule settings → block Requests from load balancer to servers → field Connection timeout, ms.

Inactivity timeout

The inactivity timeout for balancer requests to servers is the time during which the current connection is considered "alive", even if no data is being transmitted.

To specify the inactivity timeout, use the annotation:

loadbalancer.openstack.org/timeout-member-data: "<value>"

Specify <value> — the timeout value in milliseconds. Default is 50000.

You can update the parameter in an already created load balancer.

You can view the parameter in the Control Panel: in the top menu, click Products and select Cloud Servers → section Load Balancers → tab Load Balancers → load balancer page → open the rule card → open the Advanced rule settings → block Requests from load balancer to servers → field Inactivity timeout, ms.

TCP waiting timeout

When establishing a new TCP session, data is sometimes not transmitted immediately. The parameter defines the time during which the load balancer waits for data transmission for inspection over an already established connection.

To specify the TCP waiting timeout for balancer requests to servers, use the annotation:

loadbalancer.openstack.org/timeout-tcp-inspect: "<value>"

Specify <value> — the timeout value in milliseconds. Default is 0.

You can update the parameter in an already created load balancer.

You can view the parameter in the Control Panel: in the top menu, click Products and select Cloud Servers → section Load Balancers → tab Load Balancers → load balancer page → open the rule card → open the Advanced rule settings → block Requests from load balancer to servers → field TCP waiting timeout, ms.

Enable rule checking

To enable or disable checking for rules, use the annotation:

loadbalancer.openstack.org/enable-health-monitor: "<value>"

Specify <value> — rule checking status: true to enable checking or false to disable checking. Default value is true.

You can update the parameter in an already created load balancer.
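
An added example, not part of the provider's documentation: a Python audit over parsed `kubectl get svc -A -o json` output that reports LoadBalancer Services left at the defaults described above (public IP address, unlimited connection-limit) or with rule checking switched off. The finding names and the sample Services are constructed for illustration.

```python
import json

INTERNAL = "service.beta.kubernetes.io/openstack-internal-load-balancer"
CONN_LIMIT = "loadbalancer.openstack.org/connection-limit"
HEALTH = "loadbalancer.openstack.org/enable-health-monitor"

def audit_services(service_list):
    """Return (namespace/name, finding) pairs for LoadBalancer Services."""
    findings = []
    for svc in service_list.get("items", []):
        if svc.get("spec", {}).get("type") != "LoadBalancer":
            continue
        meta = svc.get("metadata", {})
        ann = meta.get("annotations") or {}
        ref = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        # Without the internal annotation a public IP address is allocated.
        if ann.get(INTERNAL, "false").lower() != "true":
            findings.append((ref, "public-ip"))
        # connection-limit defaults to -1 (unlimited) when not set.
        try:
            if int(ann.get(CONN_LIMIT, "-1")) < 0:
                findings.append((ref, "connection-limit-unlimited"))
        except ValueError:
            findings.append((ref, "connection-limit-not-integer"))
        # Rule checking defaults to true; report an explicit opt-out.
        if ann.get(HEALTH, "true").lower() == "false":
            findings.append((ref, "health-monitor-disabled"))
    return findings

# Constructed sample in the shape of `kubectl get svc -A -o json` output.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "web", "namespace": "prod"},
   "spec": {"type": "LoadBalancer"}},
  {"metadata": {"name": "api", "namespace": "prod", "annotations": {
     "service.beta.kubernetes.io/openstack-internal-load-balancer": "true",
     "loadbalancer.openstack.org/connection-limit": "2000",
     "loadbalancer.openstack.org/enable-health-monitor": "false"}},
   "spec": {"type": "LoadBalancer"}},
  {"metadata": {"name": "db", "namespace": "prod"},
   "spec": {"type": "ClusterIP"}}
]}
""")

if __name__ == "__main__":
    for ref, finding in audit_services(SAMPLE):
        print(ref, finding)
```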

Preserve client IP address

By default, Managed Kubernetes uses externalTrafficPolicy: Cluster. This means the client IP address is replaced by the cluster node's IP address. To receive the client IP address, add the X-Forwarded-For header or a TCP → PROXY rule.

Without specifying the annotation, the load balancer passes only the original HTTP request body to the server, replacing the client IP address with its own.

To ensure servers receive this information for proper operation or analysis, include the X-Forwarded-For header in the request to the server. To do this, add the following annotation to the manifest:

loadbalancer.openstack.org/x-forwarded-for: "true"

The rule will use the HTTP → HTTP scheme instead of TCP → TCP. If you need to use HTTPS instead of the HTTP protocol, terminate the TLS connection.

For a created load balancer, you cannot change the type — you need to create a new load balancer with the required annotation.

Do not use this annotation together with the PROXY protocol. When you add a TCP → PROXY rule, the X-Forwarded-For header automatically reaches the service behind the load balancer.

Preserve public IP address

To preserve the public IP address when re-creating a load balancer, use the annotation:

loadbalancer.openstack.org/keep-floatingip: "true"

Specify this or another public IP address in the loadBalancerIP: field:

spec:
  type: LoadBalancer
  selector:
    app: my-app
  ports:
  - port: 80
    protocol: TCP
    name: http
  loadBalancerIP: "<ip_address>"

You can use the annotation for an already created load balancer.
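
An added example, not part of the provider's documentation: a pre-apply check in Python that compares the annotations of a live Service with a proposed manifest and separates changes this page says can be made in place from those that need a new load balancer. It assumes that keep-floatingip must already be "true" on the live Service for a public address to survive re-creation; the function name, bucket names and sample maps are constructed.

```python
LB = "loadbalancer.openstack.org/"
INTERNAL = "service.beta.kubernetes.io/openstack-internal-load-balancer"
KEEP_IP = LB + "keep-floatingip"
# Per the page: changing these requires a new manifest or load balancer.
RECREATE = {LB + "flavor-id", LB + "subnet-id", LB + "x-forwarded-for", INTERNAL}
# Per the page: these can be updated on an already created load balancer.
IN_PLACE = {LB + name for name in (
    "connection-limit", "timeout-client-data", "timeout-member-connect",
    "timeout-member-data", "timeout-tcp-inspect", "enable-health-monitor",
    "keep-floatingip")}

def plan_change(live, desired):
    """Classify annotation differences between the live and proposed Service."""
    plan = {"recreate": [], "in_place": [], "unknown": [], "warnings": []}
    for key in sorted(set(live) | set(desired)):
        if live.get(key) == desired.get(key):
            continue
        if key in RECREATE:
            plan["recreate"].append(key)
        elif key in IN_PLACE:
            plan["in_place"].append(key)
        else:
            plan["unknown"].append(key)  # not covered by the page
    # Assumption: keep-floatingip must already be "true" on the live Service
    # for a public load balancer to keep its address through re-creation.
    is_public = live.get(INTERNAL, "false").lower() != "true"
    if plan["recreate"] and is_public and live.get(KEEP_IP, "false").lower() != "true":
        plan["warnings"].append("public-ip-not-preserved")
    return plan

# Constructed annotation maps (live Service vs. proposed manifest).
LIVE = {LB + "connection-limit": "-1"}
DESIRED = {LB + "connection-limit": "5000",
           LB + "timeout-client-data": "30000",
           LB + "flavor-id": "<flavor_id>"}

if __name__ == "__main__":
    print(plan_change(LIVE, DESIRED))
```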