
metallb

Helm chart

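# Default values for metallb.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

# references to pre-existing image pull secrets. Keep registry credentials in
# Kubernetes Secrets and reference them here; do not inline them in values.
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
loadBalancerClass: ""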
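# To configure MetalLB, you must specify ONE of the following two
# options.
rbac:
  # create specifies whether to install and use RBAC rules.
  # NOTE(review): with create: false the chart installs no RBAC rules, so the
  # permissions the components need have to be granted (and scoped) out of
  # band - confirm against the templates before disabling.
  create: true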
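prometheus:
  # scrape annotations specifies whether to add Prometheus metric
  # auto-collection annotations to pods. See
  # https://github.com/prometheus/prometheus/blob/release-2.1/documentation/examples/prometheus-kubernetes.yml
  # for a corresponding Prometheus configuration. Alternatively, you
  # may want to use the Prometheus Operator
  # (https://github.com/coreos/prometheus-operator) for more powerful
  # monitoring configuration. If you use the Prometheus operator, this
  # can be left at false.
  scrapeAnnotations: false
  # port both controller and speaker will listen on for metrics
  # NOTE(review): secureMetricsPort below is commented out, so by default the
  # metrics are presumably served on this port without TLS; restrict who can
  # reach it (for example with a NetworkPolicy) - confirm against the templates.
  metricsPort: 7472
  # if set, enables rbac proxy on the controller and speaker to expose
  # the metrics via tls.
  # secureMetricsPort: 9120

  # the name of the secret to be mounted in the speaker pod
  # to expose the metrics securely. If not present, a self signed
  # certificate is used.
  # A self signed certificate cannot be verified by the scraper; supply a
  # secret with a certificate issued by a CA that Prometheus trusts if the
  # endpoint is to be authenticated (see serviceMonitor.speaker.tlsConfig).
  speakerMetricsTLSSecret: ""
  # the name of the secret to be mounted in the controller pod
  # to expose the metrics securely. If not present, a self signed
  # certificate is used.
  # Same caveat as for the speaker secret above
  # (see serviceMonitor.controller.tlsConfig).
  controllerMetricsTLSSecret: ""
  # prometheus doesn't have the permission to scrape all namespaces so we give it permission to scrape metallb's one
  rbacPrometheus: true
  # the service account used by prometheus
  # required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true "
  serviceAccount: ""
  # the namespace where prometheus is deployed
  # required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true "
  namespace: ""
  # the image to be used for the kuberbacproxy container
  rbacProxy:
    # NOTE(review): the repository path contains "scratch-images/test-tmp",
    # which reads like a staging location - confirm it is the intended source
    # before deploying.
    repository: cgr.dev/scratch-images/test-tmp/kube-rbac-proxy
    # the tag carries an @sha256 digest, so the image content is pinned;
    # keep a digest when overriding the tag.
    tag: 0.22.0-r0@sha256:910f21d91afc35b914309c7e3caed27d7f85cfa437bf60142c6e8f22681cd9b9
    # left unset (null); presumably the Kubernetes default pull policy then
    # applies - confirm against the templates.
    pullPolicy:
  # Prometheus Operator PodMonitors
  podMonitor:
    # enable support for Prometheus Operator
    enabled: false
    # optional additional labels for podMonitors
    additionalLabels: {}
    # optional annotations for podMonitors
    annotations: {}
    # Job label for scrape target
    jobLabel: "app.kubernetes.io/name"
    # Scrape interval. If not set, the Prometheus default scrape interval is used.
    interval:
    # metric relabel configs to apply to samples before ingestion.
    metricRelabelings: []
    # - action: keep
    #   regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
    #   sourceLabels: [__name__]

    # relabel configs to apply to samples before ingestion.
    relabelings: []
    # - sourceLabels: [__meta_kubernetes_pod_node_name]
    #   separator: ;
    #   regex: ^(.*)$
    #   target_label: nodename
    #   replacement: $1
    #   action: replace
  # Prometheus Operator ServiceMonitors. To be used as an alternative
  # to podMonitor, supports secure metrics.
  serviceMonitor:
    # enable support for Prometheus Operator
    enabled: false
    speaker:
      # optional additional labels for the speaker serviceMonitor
      additionalLabels: {}
      # optional additional annotations for the speaker serviceMonitor
      annotations: {}
      # optional tls configuration for the speaker serviceMonitor, in case
      # secure metrics are enabled.
      # insecureSkipVerify: true makes Prometheus accept any certificate from
      # the endpoint: the scrape is encrypted but the endpoint is not
      # authenticated. That matches the self signed default; once
      # speakerMetricsTLSSecret holds a CA-issued certificate, set this to
      # false and configure the CA (and server name) here instead.
      tlsConfig:
        insecureSkipVerify: true
    controller:
      # optional additional labels for the controller serviceMonitor
      additionalLabels: {}
      # optional additional annotations for the controller serviceMonitor
      annotations: {}
      # optional tls configuration for the controller serviceMonitor, in case
      # secure metrics are enabled.
      # insecureSkipVerify: true disables certificate verification for the
      # controller scrape as well; tighten it together with
      # controllerMetricsTLSSecret.
      tlsConfig:
        insecureSkipVerify: true
    # Job label for scrape target
    jobLabel: "app.kubernetes.io/name"
    # Scrape interval. If not set, the Prometheus default scrape interval is used.
    interval:
    # metric relabel configs to apply to samples before ingestion.
    metricRelabelings: []
    # - action: keep
    #   regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
    #   sourceLabels: [__name__]

    # relabel configs to apply to samples before ingestion.
    relabelings: []
    # - sourceLabels: [__meta_kubernetes_pod_node_name]
    #   separator: ;
    #   regex: ^(.*)$
    #   target_label: nodename
    #   replacement: $1
    #   action: replace
  # Prometheus Operator alertmanager alerts
  # NOTE(review): disabled by default, so none of the alerts below (stale
  # config, pool exhaustion, BGP session down) exist until enabled is true.
  prometheusRule:
    # enable alertmanager alerts
    enabled: false
    # optional additional labels for prometheusRules
    additionalLabels: {}
    # optional annotations for prometheusRules
    annotations: {}
    # MetalLBStaleConfig
    staleConfig:
      enabled: true
      labels:
        severity: warning
    # MetalLBConfigNotLoaded
    configNotLoaded:
      enabled: true
      labels:
        severity: warning
    # MetalLBAddressPoolExhausted
    addressPoolExhausted:
      enabled: true
      labels:
        severity: critical
      # Exclude the pools matching the regular expression from triggering the alert.
      excludePools: ""
    addressPoolUsage:
      enabled: true
      thresholds:
        - percent: 75
          labels:
            severity: warning
        - percent: 85
          labels:
            severity: warning
        - percent: 95
          labels:
            severity: critical
      # Exclude the pools matching the regular expression from triggering the alert.
      excludePools: ""
    # MetalLBBGPSessionDown
    bgpSessionDown:
      enabled: true
      labels:
        severity: critical
    extraAlerts: []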
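# controller contains configuration specific to the MetalLB cluster
# controller.
controller:
  enabled: true
  # -- Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
  logLevel: info
  # command: /controller
  webhookMode: enabled
  image:
    # NOTE(review): the repository path contains "scratch-images/test-tmp",
    # which reads like a staging location - confirm it is the intended source
    # before deploying.
    repository: cgr.dev/scratch-images/test-tmp/metallb-controller
    # the tag carries an @sha256 digest, so the image content is pinned;
    # keep a digest when overriding the tag.
    tag: 0.15.3-r10@sha256:853f87dffb6c487c24b3e42cdec23173072d1a66402f94e0ae75807ffab55bd0
    # left unset (null); presumably the Kubernetes default pull policy then
    # applies - confirm against the templates.
    pullPolicy:
  ## @param controller.updateStrategy.type Metallb controller deployment strategy type.
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  ## e.g:
  ## strategy:
  ##   type: RollingUpdate
  ##   rollingUpdate:
  ##     maxSurge: 25%
  ##     maxUnavailable: 25%
  ##
  strategy:
    type: RollingUpdate
  serviceAccount:
    # Specifies whether a ServiceAccount should be created
    create: true
    # The name of the ServiceAccount to use. If not set and create is
    # true, a name is generated using the fullname template
    name: ""
    annotations: {}
  # runs the controller as an unprivileged user. fsGroup is a pod-level field,
  # so this is presumably rendered as the pod securityContext; any
  # container-level hardening (dropped capabilities, read-only root
  # filesystem) would come from the templates, which are not shown here.
  securityContext:
    runAsNonRoot: true
    # nobody
    runAsUser: 65534
    fsGroup: 65534
  # no requests or limits by default; set limits so a misbehaving controller
  # cannot starve other workloads on the node.
  resources: {}
  # limits:
  #   cpu: 100m
  #   memory: 100Mi
  nodeSelector: {}
  tolerations: []
  priorityClassName: ""
  runtimeClassName: ""
  affinity: {}
  podAnnotations: {}
  labels: {}
  livenessProbe:
    enabled: true
    failureThreshold: 3
    initialDelaySeconds: 10
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 1
  readinessProbe:
    enabled: true
    failureThreshold: 3
    initialDelaySeconds: 10
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 1
  # NOTE(review): presumably the minimum TLS version and cipher list of the
  # controller's webhook listener - confirm against the templates. The value
  # uses the Go constant name; VersionTLS13 is the stricter choice when every
  # client supports it. An empty tlsCipherSuites presumably keeps the server
  # defaults.
  tlsMinVersion: "VersionTLS12"
  tlsCipherSuites: ""
  # containers added here run inside the controller pod and share its network
  # namespace, so treat every entry as part of the controller's trust boundary.
  extraContainers: []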
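# speaker contains configuration specific to the MetalLB speaker
# daemonset.
speaker:
  enabled: true
  # command: /speaker
  # -- Speaker log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
  logLevel: info
  # NOTE(review): presumably adds tolerations so that speaker pods are also
  # scheduled on control-plane nodes - confirm in the daemonset template.
  tolerateMaster: true
  memberlist:
    # -- When enabled: false, the speaker pods must run on all nodes
    enabled: true
    # NOTE(review): presumably the memberlist port used between speakers;
    # it should only be reachable from other cluster nodes.
    mlBindPort: 7946
    mlBindAddrOverride: ""
    # path of the memberlist secret key inside the pod (per the key name);
    # the secret it comes from is described under secretName below.
    mlSecretKeyPath: "/etc/ml_secret_key"
  excludeInterfaces:
    enabled: true
  # ignore the exclude-from-external-loadbalancer label
  ignoreExcludeLB: false
  image:
    # NOTE(review): the repository path contains "scratch-images/test-tmp",
    # which reads like a staging location - confirm it is the intended source
    # before deploying.
    repository: cgr.dev/scratch-images/test-tmp/metallb-speaker
    # the tag carries an @sha256 digest, so the image content is pinned;
    # keep a digest when overriding the tag.
    tag: 0.15.3-r10@sha256:dc63c26da33e1949c9f6405e355d61e5f420d0316ac9936c06f71cbbb41903c2
    # left unset (null); presumably the Kubernetes default pull policy then
    # applies - confirm against the templates.
    pullPolicy:
  ## @param speaker.updateStrategy.type Speaker daemonset strategy type
  ## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
  ##
  updateStrategy:
    ## StrategyType
    ## Can be set to RollingUpdate or OnDelete
    ##
    type: RollingUpdate
  serviceAccount:
    # Specifies whether a ServiceAccount should be created
    create: true
    # The name of the ServiceAccount to use. If not set and create is
    # true, a name is generated using the fullname template
    name: ""
    annotations: {}
  # empty by default, unlike controller.securityContext. NOTE(review): the
  # privileges the speaker containers actually run with are decided by the
  # templates, which are not shown here - review them before relying on this.
  securityContext: {}
  ## Defines a secret name for the controller to generate a memberlist encryption secret
  ## By default secretName: {{ "metallb.fullname" }}-memberlist
  ##
  # secretName:
  # no requests or limits by default; set limits so a misbehaving speaker
  # cannot starve other workloads on the node.
  resources: {}
  # limits:
  #   cpu: 100m
  #   memory: 100Mi
  nodeSelector: {}
  tolerations: []
  priorityClassName: ""
  affinity: {}
  ## Selects which runtime class will be used by the pod.
  runtimeClassName: ""
  podAnnotations: {}
  labels: {}
  livenessProbe:
    enabled: true
    failureThreshold: 3
    initialDelaySeconds: 10
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 1
  readinessProbe:
    enabled: true
    failureThreshold: 3
    initialDelaySeconds: 10
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 1
  startupProbe:
    enabled: true
    failureThreshold: 30
    periodSeconds: 5
  # frr contains configuration specific to the MetalLB FRR container,
  # for speaker running alongside FRR.
  frr:
    enabled: true
    image:
      # NOTE(review): same "scratch-images/test-tmp" repository path as the
      # speaker image - confirm it is the intended source before deploying.
      repository: cgr.dev/scratch-images/test-tmp/frr
      # digest-pinned tag; keep a digest when overriding it.
      tag: 10.4.4-r0@sha256:b50a910f4c27c4f4a991310d1e942650628c9e3db2c955648175db6eb30d53f5
      pullPolicy:
    # NOTE(review): secureMetricsPort below is commented out, so the frr
    # metrics are presumably served on this port without TLS by default.
    metricsPort: 7473
    resources: {}
    # if set, enables a rbac proxy sidecar container on the speaker to
    # expose the frr metrics via tls.
    # secureMetricsPort: 9121
  reloader:
    resources: {}
  frrMetrics:
    resources: {}
  initContainers:
    cpFrrFiles:
      resources: {}
    cpReloader:
      resources: {}
    cpMetrics:
      resources: {}
  # containers added here run inside the speaker pod and share its network
  # namespace, so treat every entry as part of the speaker's trust boundary.
  extraContainers: []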
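crds:
  enabled: true
  # NOTE(review): presumably the failurePolicy of the validating webhook for
  # the MetalLB resources - confirm in the crds chart. In Kubernetes terms,
  # Fail rejects changes while the webhook is unreachable (fail closed),
  # whereas Ignore would admit them unvalidated.
  validationFailurePolicy: Fail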
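# frrk8s contains the configuration related to using an frrk8s instance
# (github.com/metallb/frr-k8s) as the backend for the BGP implementation.
# This allows configuring additional frr parameters in combination to those
# applied by MetalLB.
frrk8s:
  # if set, enables frrk8s as a backend. This is mutually exclusive to frr
  # mode.
  # speaker.frr.enabled defaults to true in this file, so it has to be
  # switched off when this is enabled.
  enabled: false
  # NOTE(review): external and namespace are not documented here; presumably
  # external: true points MetalLB at an frr-k8s instance deployed outside this
  # chart, running in the given namespace - confirm against the templates.
  external: false
  namespace: ""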
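# networkpolicies
networkpolicies:
  # if set, networkpolicies for metallb components will be installed in the metallb namespace
  # Off by default: unless this is enabled, the chart installs no policy that
  # restricts traffic to the MetalLB pods.
  enabled: false
  # if set, a default deny network policy will be installed in the metallb namespace
  # NOTE(review): a default deny policy presumably applies to every pod in
  # that namespace, not only MetalLB's - check what else runs there first.
  defaultDeny: false
  # to override internal k8s api targetPort
  apiPort: 6443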
