Here’s a comprehensive list of 100 common problems in Kubernetes LoadBalancer implementations, organized by categories (architecture, networking, configuration, DNS, health checks, cloud provider issues, etc.) with brief technical explanations:


🧩 1. Architectural and Design-Level Issues

  1. Misunderstanding Layer 4 vs. Layer 7 load balancing.
  2. Using LoadBalancer type on bare-metal clusters without MetalLB or similar.
  3. Multiple LoadBalancers per service causing excessive cloud resource usage.
  4. No external IP assigned due to pending load balancer provisioning.
  5. Failure to expose internal services (wrong external/internal annotation).
  6. Inconsistent behavior across cloud providers (AWS vs GCP vs Azure).
  7. Exceeding the limit of allowed load balancers per cloud project.
  8. Misaligned CIDR ranges between cluster and external network.
  9. Overlapping service CIDRs causing routing conflicts.
  10. Using external load balancers without proper NAT handling.
  11. Ignoring idle connection timeouts in cloud LB (common in AWS ELB).
  12. Lack of HA strategy for single load balancer dependency.
  13. Not accounting for failover between multiple zones.
  14. LoadBalancer fronting another LoadBalancer (double LB hop).
  15. Insufficient throughput capacity for expected workloads.
  16. Using NodePort underneath without firewall rules for nodes.
  17. Load balancer not resilient to node restarts or scaling.
  18. Using wrong protocol type (TCP vs UDP vs HTTP).
  19. Exposing control plane components accidentally.
  20. Traffic not routed through kube-proxy (bypassing service rules).

🌐 2. Networking and Connectivity Problems

  1. Misconfigured CNI plugin blocking external traffic.
  2. LoadBalancer not accessible due to missing external routes.
  3. NetworkPolicy blocking health check probes.
  4. Cloud firewall rules missing for NodePort ranges (30000–32767).
  5. Incorrect MTU leading to packet fragmentation/loss.
  6. Node IP not reachable from LB due to NAT misconfiguration.
  7. LoadBalancer health checks hitting wrong port or path.
  8. Source IP preserved incorrectly, breaking backend logic.
  9. Reverse path filtering causing dropped packets.
  10. Connection tracking issues (conntrack table overflow).
  11. Node local routing bypassing kube-proxy IPVS tables.
  12. Multiple NICs confusing the load balancer routing.
  13. BGP peering instability (in MetalLB setups).
  14. ARP/NDP conflicts between MetalLB speakers.
  15. VXLAN overlay interfering with external routes.
  16. Routing table overflow (too many routes).
  17. SNAT masking client IPs (breaking access logs).
  18. Kubernetes IPVS not syncing with kernel conntrack.
  19. Proxy ARP disabled on nodes (MetalLB issue).
  20. Incorrect egress IP or masquerade setup.

⚙️ 3. Configuration and Annotation Errors

  1. Missing cloud-specific annotations (e.g., AWS ALB ingress annotations).
  2. Wrong load balancer class (loadBalancerClass field not set).
  3. Misconfigured health check path annotation.
  4. Backend protocol mismatch (HTTP vs HTTPS).
  5. Missing SSL certificate reference.
  6. Incorrect security group annotations.
  7. Service selector not matching any pods.
  8. Missing externalTrafficPolicy configuration.
  9. Misusing sessionAffinity settings.
  10. Wrong loadBalancerIP specified (not in pool).
  11. Missing loadBalancerSourceRanges.
  12. Disabled cross-zone load balancing by mistake.
  13. Using unsupported annotations in managed clusters.
  14. Forgetting to delete dangling LB when service is removed.
  15. Overly aggressive externalTrafficPolicy=Local causing node starvation.
  16. Conflicting annotations between multiple ingress controllers.
  17. Cloud provider ignoring unrecognized annotation.
  18. Unintentionally setting loadBalancerSourceRanges: 0.0.0.0/0.
  19. Auto-assigned IP not in allowed subnet range.
  20. Health probe ports mismatched with container ports.
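
Several items in this category (7, 8, 11 and 18) can be checked statically before a Service is applied. The sketch below is an added example, not taken from any Kubernetes tooling: the finding codes, the function names and the sample manifests are constructed for illustration, and pods are assumed to be in the same namespace as the Service.

```python
import ipaddress

def selector_matches(selector, pod_labels):
    """True if every selector key/value pair is present in the pod's labels."""
    return all(pod_labels.get(k) == v for k, v in selector.items())

def audit_service(svc, pods):
    """Return finding codes (hypothetical names) for one Service manifest dict.
    `pods` is a list of label dicts for pods in the Service's namespace."""
    spec = svc.get("spec", {})
    if spec.get("type") != "LoadBalancer":
        return []
    findings = []
    selector = spec.get("selector") or {}
    # Selector-less Services (manually managed endpoints) are skipped here.
    if selector and not any(selector_matches(selector, p) for p in pods):
        findings.append("selector-matches-no-pods")          # item 7
    ranges = spec.get("loadBalancerSourceRanges")
    if not ranges:
        findings.append("source-ranges-missing")             # item 11
    elif any(ipaddress.ip_network(r, strict=False).prefixlen == 0 for r in ranges):
        findings.append("source-ranges-open-to-world")       # item 18 (0.0.0.0/0 or ::/0)
    if "externalTrafficPolicy" not in spec:
        findings.append("external-traffic-policy-unset")     # item 8
    return findings

# Constructed sample data: pod labels and Service manifests as parsed dicts.
PODS = [{"app": "web", "tier": "frontend"}, {"app": "api"}]
SERVICES = [
    {"metadata": {"name": "web"},
     "spec": {"type": "LoadBalancer", "selector": {"app": "web"}}},
    {"metadata": {"name": "admin"},
     "spec": {"type": "LoadBalancer", "selector": {"app": "admin"},
              "externalTrafficPolicy": "Local",
              "loadBalancerSourceRanges": ["10.0.0.0/8", "0.0.0.0/0"]}},
    {"metadata": {"name": "api"},
     "spec": {"type": "LoadBalancer", "selector": {"app": "api"},
              "externalTrafficPolicy": "Local",
              "loadBalancerSourceRanges": ["203.0.113.0/24"]}},
    {"metadata": {"name": "db"}, "spec": {"type": "ClusterIP"}},
]

def audit_all(services=SERVICES, pods=PODS):
    """Map each Service name to its list of findings."""
    return {s["metadata"]["name"]: audit_service(s, pods) for s in services}

if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, findings or "ok")
```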

🧱 4. Ingress Controller Integration Problems

  1. Ingress controller using same ports as LoadBalancer.
  2. Duplicate ingress rules sending traffic to wrong backend.
  3. Path rewrite rules conflicting with app routes.
  4. TLS secret not found by ingress controller.
  5. Default backend misconfigured or missing.
  6. Ingress not picking up annotations from Service.
  7. Conflicts between Traefik and NGINX ingress controllers.
  8. Cert-manager not updating ingress TLS cert.
  9. Hostname mismatch causing SSL handshake failure.
  10. Ingress controller pod crashlooping due to invalid config.
  11. Load balancer health checks failing due to HTTP 301/302 redirects.
  12. Misconfigured ingress class (ingressClassName not set).
  13. Missing X-Forwarded-For header propagation.
  14. HTTP → HTTPS redirection loop.
  15. Wildcard hostnames not resolving properly.
  16. Static IP not associated with ingress LB.
  17. Overlapping host rules across namespaces.
  18. Backend timeout lower than LB idle timeout.
  19. Unsupported path type (Exact vs Prefix mismatch).
  20. Controller RBAC not allowing status updates.

☁️ 5. Cloud Provider and Infrastructure Problems

  1. Cloud provider API quota exhausted (cannot create LB).
  2. Service stuck in “pending” due to missing IAM permissions.
  3. Firewall rules not auto-created by cloud controller.
  4. Cloud controller not running in cluster.
  5. Using private subnet for LoadBalancer IPs unintentionally.
  6. Cloud LB not supporting IPv6 while cluster does.
  7. Static IP reservation expired or released.
  8. Using custom network tags that block LB provisioning.
  9. Cloud load balancer name too long for provider limit.
  10. Cloud provider API latency causing update delays.
  11. Regional vs. zonal LB mismatch.
  12. Load balancer nodes not detected due to tag mismatch.
  13. Cloud controller manager version incompatible with cluster.
  14. IAM policy missing elasticloadbalancing:* permissions.
  15. Cloud load balancer doesn’t support UDP (e.g., AWS Classic ELB).
  16. Load balancer node pool scaled down automatically.
  17. Backend instance registration failing silently.
  18. Security group dependency cycles (common in AWS).
  19. Subnet exhaustion—no available IPs for new LBs.
  20. Provider rate limits hit due to frequent service updates.

🔍 Reference Source Chains

Many of these issues can be traced through: