DirectorySecurity AdvisoriesPricing
Sign in
Directory
metallb logoHELM

metallb

Helm chart
Last changed
Request a free trial

Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.

Overview
Chart versions
Default values
Chart metadata
Images

Tag:
1
# Default values for metallb.
2
# This is a YAML-formatted file.
3
# Declare variables to be passed into your templates.
4
5
imagePullSecrets: []
6
nameOverride: ""
7
fullnameOverride: ""
8
loadBalancerClass: ""
9
# To configure MetalLB, you must specify ONE of the following two
10
# options.
11
rbac:
12
# create specifies whether to install and use RBAC rules.
13
create: true
14
tls:
15
# -- Comma-separated list of TLS cipher suites. If empty, uses Go defaults. Only applies to TLS 1.2.
16
cipherSuites: ""
17
# -- Comma-separated list of numeric CurveID values (e.g. 29,4588). See https://pkg.go.dev/crypto/tls#CurveID. If empty, uses Go defaults.
18
curvePreferences: ""
19
# -- Minimum TLS version (VersionTLS12 or VersionTLS13). Defaults to VersionTLS13.
20
minVersion: ""
21
# -- The name of the secret to be mounted in the controller pod to provide TLS certificates for metrics endpoints. If not present, a self-signed certificate is auto-generated.
22
controllerMetricsTLSSecret: ""
23
# -- The name of the secret to be mounted in the speaker pod to provide TLS certificates for metrics endpoints. If not present, a self-signed certificate is auto-generated.
24
speakerMetricsTLSSecret: ""
25
prometheus:
26
# scrape annotations specifies whether to add Prometheus metric
27
# auto-collection annotations to pods. See
28
# https://github.com/prometheus/prometheus/blob/release-2.1/documentation/examples/prometheus-kubernetes.yml
29
# for a corresponding Prometheus configuration. Alternatively, you
30
# may want to use the Prometheus Operator
31
# (https://github.com/coreos/prometheus-operator) for more powerful
32
# monitoring configuration. If you use the Prometheus operator, this
33
# can be left at false.
34
scrapeAnnotations: false
35
# port both controller and speaker will listen on for metrics (always HTTPS).
36
# Matches the port kube-rbac-proxy previously served on.
37
metricsPort: 9120
38
# prometheus doesn't have the permission to scrape all namespaces so we give it permission to scrape metallb's one
39
rbacPrometheus: true
40
# the service account used by prometheus
41
# required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true "
42
serviceAccount: ""
43
# the namespace where prometheus is deployed
44
# required when " .Values.prometheus.rbacPrometheus == true " and " .Values.prometheus.podMonitor.enabled=true or prometheus.serviceMonitor.enabled=true "
45
namespace: ""
46
# Prometheus Operator PodMonitors
47
podMonitor:
48
# enable support for Prometheus Operator
49
enabled: false
50
# optional additional labels for podMonitors
51
additionalLabels: {}
52
# optional annotations for podMonitors
53
annotations: {}
54
# Job label for scrape target
55
jobLabel: "app.kubernetes.io/name"
56
# Scrape interval. If not set, the Prometheus default scrape interval is used.
57
interval:
58
# metric relabel configs to apply to samples before ingestion.
59
metricRelabelings: []
60
# - action: keep
61
# regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
62
# sourceLabels: [__name__]
63
64
# relabel configs to apply to samples before ingestion.
65
relabelings: []
66
# - sourceLabels: [__meta_kubernetes_pod_node_name]
67
# separator: ;
68
# regex: ^(.*)$
69
# target_label: nodename
70
# replacement: $1
71
# action: replace
72
# Prometheus Operator ServiceMonitors. To be used as an alternative
73
# to podMonitor, supports secure metrics.
74
serviceMonitor:
75
# enable support for Prometheus Operator
76
enabled: false
77
speaker:
78
# optional additional labels for the speaker serviceMonitor
79
additionalLabels: {}
80
# optional additional annotations for the speaker serviceMonitor
81
annotations: {}
82
# optional tls configuration for the speaker serviceMonitor, in case
83
# secure metrics are enabled.
84
tlsConfig:
85
insecureSkipVerify: true
86
controller:
87
# optional additional labels for the controller serviceMonitor
88
additionalLabels: {}
89
# optional additional annotations for the controller serviceMonitor
90
annotations: {}
91
# optional tls configuration for the controller serviceMonitor, in case
92
# secure metrics are enabled.
93
tlsConfig:
94
insecureSkipVerify: true
95
# Job label for scrape target
96
jobLabel: "app.kubernetes.io/name"
97
# Scrape interval. If not set, the Prometheus default scrape interval is used.
98
interval:
99
# metric relabel configs to apply to samples before ingestion.
100
metricRelabelings: []
101
# - action: keep
102
# regex: 'kube_(daemonset|deployment|pod|namespace|node|statefulset).+'
103
# sourceLabels: [__name__]
104
105
# relabel configs to apply to samples before ingestion.
106
relabelings: []
107
# - sourceLabels: [__meta_kubernetes_pod_node_name]
108
# separator: ;
109
# regex: ^(.*)$
110
# target_label: nodename
111
# replacement: $1
112
# action: replace
113
# Prometheus Operator alertmanager alerts
114
prometheusRule:
115
# enable alertmanager alerts
116
enabled: false
117
# optional additional labels for prometheusRules
118
additionalLabels: {}
119
# optional annotations for prometheusRules
120
annotations: {}
121
# MetalLBStaleConfig
122
staleConfig:
123
enabled: true
124
labels:
125
severity: warning
126
# MetalLBConfigNotLoaded
127
configNotLoaded:
128
enabled: true
129
labels:
130
severity: warning
131
# MetalLBAddressPoolExhausted
132
addressPoolExhausted:
133
enabled: true
134
labels:
135
severity: critical
136
# Exclude the pools matching the regular expression from triggering the alert.
137
excludePools: ""
138
addressPoolUsage:
139
enabled: true
140
thresholds:
141
- percent: 75
142
labels:
143
severity: warning
144
- percent: 85
145
labels:
146
severity: warning
147
- percent: 95
148
labels:
149
severity: critical
150
# Exclude the pools matching the regular expression from triggering the alert.
151
excludePools: ""
152
# MetalLBBGPSessionDown
153
bgpSessionDown:
154
enabled: true
155
labels:
156
severity: critical
157
extraAlerts: []
158
# controller contains configuration specific to the MetalLB cluster
159
# controller.
160
controller:
161
enabled: true
162
# -- Controller log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
163
logLevel: info
164
# command: /controller
165
webhookMode: enabled
166
image:
167
repository: chainreg.biz/scratch-images/test-tmp/metallb-controller
168
tag: 0.16.1-r2@sha256:7b09bdd78b4d9c75108af4e5f47da1eb774c7f1f86f5bd509745ee7efe146130
169
pullPolicy:
170
## @param controller.updateStrategy.type Metallb controller deployment strategy type.
171
## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
172
## e.g:
173
## strategy:
174
## type: RollingUpdate
175
## rollingUpdate:
176
## maxSurge: 25%
177
## maxUnavailable: 25%
178
##
179
strategy:
180
type: RollingUpdate
181
serviceAccount:
182
# Specifies whether a ServiceAccount should be created
183
create: true
184
# The name of the ServiceAccount to use. If not set and create is
185
# true, a name is generated using the fullname template
186
name: ""
187
annotations: {}
188
securityContext:
189
runAsNonRoot: true
190
# nobody
191
runAsUser: 65534
192
fsGroup: 65534
193
resources: {}
194
# limits:
195
# cpu: 100m
196
# memory: 100Mi
197
nodeSelector: {}
198
tolerations: []
199
priorityClassName: ""
200
runtimeClassName: ""
201
affinity: {}
202
podAnnotations: {}
203
labels: {}
204
livenessProbe:
205
enabled: true
206
port: 17472
207
failureThreshold: 3
208
initialDelaySeconds: 10
209
periodSeconds: 10
210
successThreshold: 1
211
timeoutSeconds: 1
212
readinessProbe:
213
enabled: true
214
port: 17472
215
failureThreshold: 3
216
initialDelaySeconds: 10
217
periodSeconds: 10
218
successThreshold: 1
219
timeoutSeconds: 1
220
extraContainers: []
221
# speaker contains configuration specific to the MetalLB speaker
222
# daemonset.
223
speaker:
224
enabled: true
225
# command: /speaker
226
# -- Speaker log level. Must be one of: `all`, `debug`, `info`, `warn`, `error` or `none`
227
logLevel: info
228
tolerateMaster: true
229
memberlist:
230
# -- When enabled: false, the speaker pods must run on all nodes
231
enabled: true
232
mlBindPort: 7946
233
mlBindAddrOverride: ""
234
mlSecretKeyPath: "/etc/ml_secret_key"
235
excludeInterfaces:
236
enabled: true
237
# ignore the exclude-from-external-loadbalancer label
238
ignoreExcludeLB: false
239
# -- BGP debounce timeout for FRR configuration reloads, in milliseconds. Only applies when BGP type is frr. Default (when unset) is 3000 ms. This feature is experimental
240
bgpDebounceTimeout: null
241
image:
242
repository: chainreg.biz/scratch-images/test-tmp/metallb-speaker
243
tag: 0.16.1-r2@sha256:6c66ff82b87cb71bf778df4c86a663369ec0bfeb338088de05d28773440b1549
244
pullPolicy:
245
## @param speaker.updateStrategy.type Speaker daemonset strategy type
246
## ref: https://kubernetes.io/docs/tasks/manage-daemon/update-daemon-set/
247
##
248
updateStrategy:
249
## StrategyType
250
## Can be set to RollingUpdate or OnDelete
251
##
252
type: RollingUpdate
253
serviceAccount:
254
# Specifies whether a ServiceAccount should be created
255
create: true
256
# The name of the ServiceAccount to use. If not set and create is
257
# true, a name is generated using the fullname template
258
name: ""
259
annotations: {}
260
securityContext: {}
261
## Defines a secret name for the controller to generate a memberlist encryption secret
262
## By default secretName: {{ "metallb.fullname" }}-memberlist
263
##
264
# secretName:
265
resources: {}
266
# limits:
267
# cpu: 100m
268
# memory: 100Mi
269
nodeSelector: {}
270
tolerations: []
271
priorityClassName: ""
272
affinity: {}
273
## Selects which runtime class will be used by the pod.
274
runtimeClassName: ""
275
podAnnotations: {}
276
labels: {}
277
livenessProbe:
278
enabled: true
279
port: 17472
280
failureThreshold: 3
281
initialDelaySeconds: 10
282
periodSeconds: 10
283
successThreshold: 1
284
timeoutSeconds: 1
285
readinessProbe:
286
enabled: true
287
port: 17472
288
failureThreshold: 3
289
initialDelaySeconds: 10
290
periodSeconds: 10
291
successThreshold: 1
292
timeoutSeconds: 1
293
startupProbe:
294
enabled: true
295
failureThreshold: 30
296
periodSeconds: 5
297
# frr contains configuration specific to the MetalLB FRR container,
298
# for speaker running alongside FRR.
299
# DEPRECATED: The FRR mode is deprecated and will be removed in a future
300
# release. Use the frr-k8s mode (frrk8s.enabled) instead, which is now
301
# the default BGP backend.
302
frr:
303
enabled: false
304
image:
305
repository: chainreg.biz/scratch-images/test-tmp/frr
306
tag: 10.5.4-r1@sha256:aa901c8de726d7c5b761d26237bac78f9ee544092cc2d7b19181da233bdbb2b9
307
pullPolicy:
308
metricsPort: 9121
309
resources: {}
310
reloader:
311
resources: {}
312
frrMetrics:
313
resources: {}
314
initContainers:
315
cpFrrFiles:
316
resources: {}
317
cpReloader:
318
resources: {}
319
cpMetrics:
320
resources: {}
321
extraContainers: []
322
crds:
323
enabled: true
324
validationFailurePolicy: Fail
325
# frrk8s contains the configuration related to using an frrk8s instance
326
# (github.com/metallb/frr-k8s) as the backend for the BGP implementation.
327
# This allows configuring additional frr parameters in combination to those
328
# applied by MetalLB.
329
frrk8s:
330
# -- If set, enables frrk8s as a backend. This is mutually exclusive to frr mode.
331
enabled: true
332
# -- If true, uses an external frr-k8s installation instead of the bundled subchart.
333
external: false
334
# -- Namespace where external frr-k8s is installed (only used when external=true).
335
namespace: ""
336
# Values passed to the frr-k8s subchart (note the hyphen in "frr-k8s").
337
# For all available options, see:
338
# https://github.com/metallb/frr-k8s/blob/main/charts/frr-k8s/values.yaml
339
frr-k8s:
340
prometheus:
341
serviceMonitor:
342
# -- Enable Prometheus ServiceMonitor for frr-k8s metrics.
343
enabled: false
344
# The FRR-K8s BGP/BFD metrics are exposed with the "frrk8s_" prefix
345
# (e.g. frrk8s_bgp_session_up, frrk8s_bfd_session_up).
346
# To rename them to the legacy "metallb_" prefix for backward compatibility
347
# with existing dashboards or alerts, enable and configure metric relabelings:
348
# metricRelabelings:
349
# - sourceLabels: [__name__]
350
# regex: "frrk8s_bgp_(.*)"
351
# targetLabel: "__name__"
352
# replacement: "metallb_bgp_$1"
353
# - sourceLabels: [__name__]
354
# regex: "frrk8s_bfd_(.*)"
355
# targetLabel: "__name__"
356
# replacement: "metallb_bfd_$1"
357
# networkpolicies
358
networkpolicies:
359
# if set, networkpolicies for metallb components will be installed in the metallb namespace
360
enabled: false
361
# if set, a default deny network policy will be installed in the metallb namespace
362
defaultDeny: false
363
# to override internal k8s api targetPort
364
apiPort: 6443
365

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsChainguard OS PackagesChainguard ActionsChainguard Agent SkillsIntegrationsPricing

Solutions

FedRAMPPCI DSSCMMC 2.0SOC 2Golden ImagesCVE RemediationPublic SectorStartups

Customers

Customer StoriesChainguard Reviews

Resources

Events & WebinarsSupply Chain Security 101Chainguard CoursesDocumentationTrust CenterChainguard Slack Community

Company

About UsBlogOpen Source LeadershipPartnersNewsroomCareersLegal
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.