Merge pull request #1187 from samuel-esp/fix-docs-default-backend-protocol

k8s-ci-robot · web-flow · commit de9a0abc5efd · 2025-09-05T06:39:27.000-07:00
Fix backend protocol annotation incorrectly documented
diff --git a/docs/service_controller.md b/docs/service_controller.md
@@ -10,7 +10,7 @@ The service controller is responsible for watch for service and node object chan
 | service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name         | -                                   | -   | ELB | Access log S3 bucket name.  |
 | service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-prefix       | -                                   | -   | ELB | Access log S3 bucket prefix.  |
 | service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags          | Comma-separated list of key=value   | -   | ELB,NLB | A comma-separated list of key-value pairs which will be recorded as additional tags in the ELB. For example: "Key1=Val1,Key2=Val2,KeyNoVal1=,KeyNoVal2" |
-| service.beta.kubernetes.io/aws-load-balancer-backend-protocol                  | [http\|https\|ssl\|tcp]             | -   | ELB,NLB | Specifies the protocol spoken by the backend (pod) behind a listener. If `http` (default) or `https`, an HTTPS listener that terminates the connection and parses headers is created. If set to `ssl` or `tcp`, a "raw" SSL listener is used. If set to `http` and `aws-load-balancer-ssl-cert` is not used then a HTTP listener is used. |
+| service.beta.kubernetes.io/aws-load-balancer-backend-protocol                  | [http\|https\|ssl\|tcp]             | tcp                       | ELB | Specifies the protocol spoken by the backend (pod) behind a listener. If set to `http` and the `aws-load-balancer-ssl-cert` annotation is missing or its value is empty (`""`), an HTTP listener is created; if set to `http` or `https` and the `aws-load-balancer-ssl-cert`annotation is also present, an HTTPS listener is created to terminate SSL and parse headers. If set to `ssl` or `tcp`, a "raw" SSL/TCP listener is used. if the annotation is missing, its value is empty (`""`), or set to `https` without the `aws-load-balancer-ssl-cert`annotation also being present, the default protocol is assumed to be `tcp`. |
 | service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled       | [true\|false]                       | -   | ELB | Enable [connection draining](https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/config-conn-drain.html). |
 | service.beta.kubernetes.io/aws-load-balancer-connection-draining-timeout       | [1-3600]                            | 300 | ELB | The maximum time (in seconds) for the load balancer to keep connections alive before reporting the instance as de-registered. The maximum timeout value can be set between 1 and 3,600 seconds (the default is 300 seconds). When the maximum time limit is reached, the load balancer forcibly closes connections to the de-registering instance. |
 | service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout           | [1-4000]                            | 60  | ELB | The load balancer has a configured idle timeout period (in seconds) that applies to its connections. If no data has been sent or received by the time that the idle timeout period elapses, the load balancer closes the connection. |
@@ -26,7 +26,7 @@ The service controller is responsible for watch for service and node object chan
 | service.beta.kubernetes.io/aws-load-balancer-ssl-cert                          | IAM or ACM ARN                      | -   | ELB,NLB | Requests a secure listener. Value is a valid certificate ARN. For more, see the [elb listener config guide](http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-listener-config.html).  CertARN is an IAM or CM certificate ARN. |
 | service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy            | -                                   | ELBSecurityPolicy-2016-08 | ELB,NLB | Specifies SSL negotiation settings for the HTTPS/SSL listeners of your load balancer. Defaults to the default ELB policy. |
 | service.beta.kubernetes.io/aws-load-balancer-ssl-ports                         | Comma-separated list                | *   | ELB,NLB | Specifies a comma-separated list of ports that will use SSL/HTTPS listeners. Defaults to all. |
-| service.beta.kubernetes.io/aws-load-balancer-type                              | [nlb]                               | -   | ELB,NLB | Indicates the type of Load Balancer. The only valid value is nlb.  Leaving this field blank is equivalent to selecting ELB. |
+| service.beta.kubernetes.io/aws-load-balancer-type                              | [nlb]                               | -                         | ELB,NLB | Indicates the type of Load Balancer. The only valid value is `nlb`, this means that leaving this field blank or omitting the annotation is equivalent to selecting ELB. When selecting `nlb`, the backend protocol is automatically derived from the protocol defined in the Kubernetes Service, as long as that protocol is supported by NLB (supported protocols include TCP, the default for a Kubernetes Service, and UDP). If the protocol is TCP and the `aws-load-balancer-ssl-cert` annotation is also present, the NLB protocol will be set to TLS.                                                                        |
 | service.beta.kubernetes.io/aws-load-balancer-eip-allocations                   | Comma-separated list                | -   | NLB | List of EIP allocations to associate with a internet-facing load balancer. Only valid for NLB. |
 | service.beta.kubernetes.io/aws-load-balancer-healthcheck-path                  | -                                   | /   | NLB | Specifies the http path for the health check in case of http/https protocol. |
 | service.beta.kubernetes.io/aws-load-balancer-healthcheck-port                  | [traffic-port\|1-65535]             | traffic-port | NLB | Specifies the TCP target port for the target group health check. |
