You often hear that Kubernetes applications should be stateless to scale effectively.
However, your real-world engineering requirements might involve legacy sessions or complex authenticated user flows.
When you need to keep a user connected to the same backend pod, session affinity becomes a critical infrastructure challenge.
Oracle Kubernetes Engine now provides a direct way to handle this through managed load balancers.
You can use this capability to maintain session continuity without modifying your application logic.
Architecture for Session Affinity in OKE
You can achieve sticky sessions by using either a standard Kubernetes Service or the OCI Native Ingress Controller.
Your choice depends on whether you need simple external exposure or advanced path-based routing.
Both methods allow you to offload session management to the infrastructure layer.
This reduces the amount of stateful logic you have to write in your application code.
It also helps you manage stateful workloads that have not yet been fully externalized.
| Feature | Service Type LoadBalancer | OCI Native Ingress Controller |
|---|---|---|
| Configuration Method | Service Annotations | Ingress Annotations |
| Routing Capability | Simple Port Mapping | Host and Path Based |
| K8s Version Requirement | 1.32 or Higher | 1.32 or Higher |
You should verify that your cluster is running a compatible version before attempting these configurations.
Older versions of Kubernetes will ignore these specific OCI annotations during the resource reconciliation process.
Implementing Load Balancer Cookie Persistence
In this model, your OCI load balancer generates and manages the cookie for you.
You do not need to change any code inside your containerized application.
The load balancer adds a unique cookie to the response to track the backend pod assignment.
To enable this on a service, you apply specific annotations to your manifest.
oci-load-balancer.oraclecloud.com/lb-cookie-session-persistence-config: |
{
"cookieName": "X-Oracle-OCI-Route",
"disableFallback": true,
"path": "/",
"isHttpOnly": true
}
You must ensure your annotation is formatted as valid JSON, or the reconciliation process will fail.
You can also configure the domain and maxAge properties to control how long the session stays active.
The disableFallback field is particularly important for ensuring strict affinity during scaling events.
If you set this to true, requests will fail if the specific backend pod becomes unavailable.
Configuring Application Cookie Persistence
You might prefer to use a cookie that your backend application already generates.
This is useful when your app already handles session tokens, but you need the infrastructure to respect them.
The load balancer will observe the Set-Cookie header sent by your pod.
It then ensures subsequent requests with that cookie reach the same instance.
This approach allows your application to maintain full control over the session lifecycle.
Quotes from the field suggest that this method is best for applications being migrated before session handling is externalized.
To set this up using the OCI Native Ingress Controller, you use a different annotation key.
oci-native-ingress.oraclecloud.com/session-persistence-config: |
{
"cookieName": "APPSESS"
}
Remember that persistence only starts after your backend pod returns the matching cookie name.
You should audit your application to confirm it is sending the correct header.
Infrastructure and Security Challenges
You must consider a few technical hurdles when implementing these configurations.
First, you cannot enable both persistence models at the same time on a single backend set.
Doing so will cause a reconciliation error in the OKE control plane.
Second, if you set the isSecure flag to true, you must use HTTPS listeners.
The browser will reject secure cookies if they are sent over an unencrypted HTTP connection.
You should also verify that your load balancer is running in HTTP mode rather than TCP mode.
Cookie-based persistence is not available for TCP-based listeners.
- Use valid JSON in all annotation fields.
- Match your cookie names exactly between the app and the config.
- Update your clusters to version 1.32 to access these features.
- Check your backend set status if traffic is not sticking as expected.
- Monitor your load balancer logs for cookie rejection errors.
- Ensure your client applications support and store cookies correctly.
You may encounter issues if your application uses multiple cookies with the same name.
You should also be aware of how path and domain settings affect cookie visibility across different subdomains.
Conclusion
Integrating session persistence into your OKE environment simplifies how you manage stateful workloads.
You can choose between application-controlled or load-balancer-managed cookies based on your architecture.
By using native annotations, you keep your infrastructure configuration close to your code.
You now have the tools to handle session continuity without adding complexity to your application layer.
This capability ensures that your migration to Kubernetes does not break critical user experiences.
