KubeLB provides comprehensive configuration options through the Config CRD and command-line flags for both the Manager and CCM components.
Config CRD The Config CRD is the primary way to configure KubeLB Manager behavior. It’s a cluster-scoped resource that defines global settings for load balancing, ingress, Gateway API, DNS, and certificates.
Configuration Structure The Config resource is typically named default and created in the kubelb namespace:
apiVersion : kubelb.k8c.io/v1alpha1 kind : Config metadata : name : default namespace : kubelb spec : envoyProxy : topology : shared replicas : 3 useDaemonset : false loadBalancer : {} ingress : {} gatewayAPI : {} dns : wildcardDomain : "*.example.com" certificates : {}
Envoy Proxy Configuration Configure the Envoy proxy deployment topology and resource settings:
Shared Topology (Recommended)
DaemonSet Mode
Custom Resources
envoyProxy : topology : shared # All tenants share the same Envoy deployment replicas : 3 useDaemonset : false singlePodPerNode : true
The dedicated and global topology values are deprecated. Both now default to shared topology.
Envoy Proxy Options Field Type Default Description topologystring sharedDeployment topology: shared (only supported value) useDaemonsetbool falseRun Envoy as DaemonSet instead of Deployment replicasint32 3Number of replicas (ignored if useDaemonset is true) singlePodPerNodebool falseSpread replicas across nodes using pod anti-affinity nodeSelectormap[string]string - Node selector for Envoy pods tolerations[]Toleration - Tolerations for Envoy pods affinityAffinity - Custom affinity rules for Envoy pods imagestring - Custom Envoy image (overrides default)
Graceful Shutdown Configuration Configure graceful shutdown behavior for Envoy pods:
envoyProxy : gracefulShutdown : disabled : false drainTimeout : "60s" minDrainDuration : "5s" terminationGracePeriodSeconds : 300 shutdownManagerImage : "docker.io/envoyproxy/gateway:v1.3.0"
Field Type Default Description disabledbool falseDisable graceful shutdown drainTimeoutduration 60sMaximum time to wait for connections to drain minDrainDurationduration 5sMinimum time before checking connection count terminationGracePeriodSecondsint64 300Pod termination grace period shutdownManagerImagestring docker.io/envoyproxy/gateway:v1.3.0Shutdown manager sidecar image
Overload Manager Configuration Protect Envoy from resource exhaustion:
envoyProxy : overloadManager : enabled : true maxActiveDownstreamConnections : 50000 maxHeapSizeBytes : 2147483648 # 2GB
Field Type Description enabledbool Enable overload manager maxActiveDownstreamConnectionsuint64 Maximum active downstream connections maxHeapSizeBytesuint64 Maximum heap size before rejecting connections
DNS Configuration Configure DNS management and automation:
dns : wildcardDomain : "*.apps.example.com" allowExplicitHostnames : true useDNSAnnotations : true useCertificateAnnotations : true
Field Type Description wildcardDomainstring Base domain for wildcard DNS records allowExplicitHostnamesbool Allow explicit hostnames in LoadBalancer.Spec.Hostname useDNSAnnotationsbool Add DNS annotations to DNS resources useCertificateAnnotationsbool Add certificate annotations to certificate resources
Annotation Settings Control which annotations are propagated from tenant resources:
propagatedAnnotations : "cert-manager.io/cluster-issuer" : "letsencrypt-prod" "external-dns.alpha.kubernetes.io/hostname" : "" propagateAllAnnotations : false defaultAnnotations : service : "kubelb.k8c.io/default-annotation" : "value" ingress : "nginx.ingress.kubernetes.io/ssl-redirect" : "true"
Field Type Description propagatedAnnotationsmap[string]string Annotations to propagate (empty value allows any) propagateAllAnnotationsbool Propagate all annotations (ignores propagatedAnnotations) defaultAnnotationsmap[AnnotatedResource]Annotations Default annotations per resource type
Supported AnnotatedResource values: all, service, ingress, gateway, httproute, grpcroute, tcproute, udproute, tlsroute
Manager Command-Line Flags The KubeLB Manager (kubelb) supports the following flags:
Basic Options kubelb \ --namespace=kubelb \ --metrics-addr=:9443 \ --health-probe-bind-address=:8081 \ --enable-leader-election=true
Flag Default Description --namespacekubelbNamespace where the controller runs --metrics-addr:9443Metrics endpoint bind address --health-probe-bind-address:8081Health probe endpoint bind address --enable-leader-electiontrueEnable leader election for HA deployments --kubeconfig- Path to kubeconfig (only for out-of-cluster)
Envoy Control Plane Options kubelb \ --listen-address=:8001 \ --enable-gateway-api=false
Flag Default Description --listen-address:8001Address for Envoy xDS control plane --enable-gateway-apifalseEnable Gateway API and controllers --debugfalseEnable debug mode for verbose logging
Gateway API CRDs must be installed before enabling --enable-gateway-api. The controller will fail to start if CRDs are missing.
Deprecated Flags Flag Status Notes --enable-tenant-migrationDeprecated NOOP - controller has been removed
CCM Command-Line Flags The KubeLB Cloud Controller Manager (kubelb-ccm) runs in tenant clusters and propagates resources to the management cluster.
Required Flags kubelb-ccm \ --cluster-name=production \ --kubelb-kubeconfig=/etc/kubelb/kubeconfig
Flag Required Description --cluster-nameYes Unique cluster/tenant name (auto-prefixed with tenant- if not present) --kubelb-kubeconfigYes Path to KubeLB management cluster kubeconfig
Service Controller Options kubelb-ccm \ --enable-cloud-provider=true \ --use-loadbalancer-class=false \ --node-address-type=ExternalIP
Flag Default Description --enable-cloud-providertrueEnable cloud controller behavior for LoadBalancer status --use-loadbalancer-classfalseFilter services by LoadBalancerClass kubelb --node-address-typeExternalIPAddress type for endpoints: ExternalIP, InternalIP, or Hostname
Ingress and Gateway API Options kubelb-ccm \ --use-ingress-class=true \ --use-gateway-class=true \ --enable-gateway-api=false \ --disable-ingress-controller=false \ --disable-gateway-controller=false \ --disable-httproute-controller=false \ --disable-grpcroute-controller=false
Flag Default Description --use-ingress-classtrueFilter Ingresses with ingressClassName: kubelb --use-gateway-classtrueFilter Gateways with gatewayClassName: kubelb --enable-gateway-apifalseEnable Gateway API support --disable-ingress-controllerfalseDisable Ingress controller --disable-gateway-controllerfalseDisable Gateway controller --disable-httproute-controllerfalseDisable HTTPRoute controller --disable-grpcroute-controllerfalseDisable GRPCRoute controller
Gateway API CRD Management kubelb-ccm \ --install-gateway-api-crds=false \ --gateway-api-crds-channel=standard
Flag Default Description --install-gateway-api-crdsfalseAutomatically install Gateway API CRDs --gateway-api-crds-channelstandardCRD channel: standard or experimental
Secret Synchronization kubelb-ccm \ --enable-secret-synchronizer=false
Flag Default Description --enable-secret-synchronizerfalseAuto-convert Secrets with label kubelb.k8c.io/managed-by: kubelb to SyncSecrets
High Availability Options kubelb-ccm \ --enable-leader-election=true \ --leader-election-namespace= ""
Flag Default Description --enable-leader-electiontrueEnable leader election --leader-election-namespace- Namespace for leader election lease
Observability Options kubelb-ccm \ --metrics-addr=:9445 \ --health-probe-bind-address=:8081
Flag Default Description --metrics-addr:9445Metrics endpoint bind address --health-probe-bind-address:8081Health probe endpoint bind address --kubeconfig- Path to tenant cluster kubeconfig
Configuration Best Practices
Use shared topology with at least 3 replicas for high availability
Enable singlePodPerNode to spread Envoy pods across nodes
Configure resource requests and limits based on expected traffic
Enable graceful shutdown with appropriate drain timeouts
Set up overload manager to prevent resource exhaustion
Multi-Tenant Environments
Use unique cluster-name for each tenant cluster
Configure propagatedAnnotations to control annotation propagation
Use use-loadbalancer-class and use-ingress-class for explicit opt-in
Enable secret synchronization for centralized certificate management
Install Gateway API CRDs before enabling Gateway API support
Use --gateway-api-crds-channel=standard for stable features
Enable Gateway API gradually (start with --enable-gateway-api=true)
Test with --use-gateway-class=true to filter specific gateways
Configure wildcardDomain for automatic hostname generation
Enable useDNSAnnotations for external-dns integration
Enable useCertificateAnnotations for cert-manager integration
Set allowExplicitHostnames when using custom domains
Environment Variables Both Manager and CCM support standard Kubernetes environment variables:
Variable Description NAMESPACEAlternative to --namespace flag (Manager only) KUBECONFIGAlternative to --kubeconfig flag HOMEUsed to find default kubeconfig location
Next Steps
Monitoring Set up Prometheus metrics and Grafana dashboards
Troubleshooting Debug common issues and check logs
