Aws-alb-controller: различия между версиями

Материал из noname.com.ua
Перейти к навигацииПерейти к поиску
Строка 13: Строка 13:
 
<PRE>
  
<PRE>
 
curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json
  
curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json
  +
</PRE>
  +
<PRE>
 
aws iam create-policy \
  
aws iam create-policy \
 
--policy-name AWSLoadBalancerControllerIAMPolicy \
  
--policy-name AWSLoadBalancerControllerIAMPolicy \
 
--policy-document file://iam-policy.json
  
--policy-document file://iam-policy.json
  +
</PRE>
  +
  +
<PRE>
  +
{
  +
"Version": "2012-10-17",
  +
"Statement": [
  +
{
  +
"Effect": "Allow",
  +
"Action": [
  +
"iam:CreateServiceLinkedRole"
  +
],
  +
"Resource": "*",
  +
"Condition": {
  +
"StringEquals": {
  +
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
  +
}
  +
}
  +
},
  +
{
  +
"Effect": "Allow",
  +
"Action": [
  +
"ec2:DescribeAccountAttributes",
  +
"ec2:DescribeAddresses",
  +
"ec2:DescribeAvailabilityZones",
  +
"ec2:DescribeInternetGateways",
  +
"ec2:DescribeVpcs",
  +
"ec2:DescribeVpcPeeringConnections",
  +
"ec2:DescribeSubnets",
  +
"ec2:DescribeSecurityGroups",
  +
"ec2:DescribeInstances",
  +
"ec2:DescribeNetworkInterfaces",
  +
"ec2:DescribeTags",
  +
"ec2:GetCoipPoolUsage",
  +
"ec2:DescribeCoipPools",
  +
"ec2:GetSecurityGroupsForVpc",
  +
"ec2:DescribeIpamPools",
  +
"ec2:DescribeRouteTables",
  +
"elasticloadbalancing:DescribeLoadBalancers",
  +
"elasticloadbalancing:DescribeLoadBalancerAttributes",
  +
"elasticloadbalancing:DescribeListeners",
  +
"elasticloadbalancing:DescribeListenerCertificates",
  +
"elasticloadbalancing:DescribeSSLPolicies",
  +
"elasticloadbalancing:DescribeRules",
  +
"elasticloadbalancing:DescribeTargetGroups",
  +
"elasticloadbalancing:DescribeTargetGroupAttributes",
  +
"elasticloadbalancing:DescribeTargetHealth",
  +
"elasticloadbalancing:DescribeTags",
  +
"elasticloadbalancing:DescribeTrustStores",
  +
"elasticloadbalancing:DescribeListenerAttributes",
  +
"elasticloadbalancing:DescribeCapacityReservation"
  +
],
  +
"Resource": "*"
  +
},
  +
{
  +
"Effect": "Allow",
  +
"Action": [
  +
"cognito-idp:DescribeUserPoolClient",
  +
"acm:ListCertificates",
  +
"acm:DescribeCertificate",
  +
"iam:ListServerCertificates",
  +
"iam:GetServerCertificate",
  +
"waf-regional:GetWebACL",
  +
"waf-regional:GetWebACLForResource",
  +
"waf-regional:AssociateWebACL",
  +
"waf-regional:DisassociateWebACL",
  +
"wafv2:GetWebACL",
  +
"wafv2:GetWebACLForResource",
  +
"wafv2:AssociateWebACL",
  +
"wafv2:DisassociateWebACL",
  +
"shield:GetSubscriptionState",
  +
"shield:DescribeProtection",
  +
"shield:CreateProtection",
  +
"shield:DeleteProtection"
  +
],
  +
"Resource": "*"
  +
},
  +
{
  +
"Effect": "Allow",
  +
"Action": [
  +
"ec2:AuthorizeSecurityGroupIngress",
  +
"ec2:RevokeSecurityGroupIngress"
  +
],
  +
"Resource": "*"
  +
},
  +
{
  +
"Effect": "Allow",
  +
"Action": [
  +
"ec2:CreateSecurityGroup"
  +
],
  +
"Resource": "*"
  +
},
  +
{
  +
"Effect": "Allow",
  +
"Action": [
  +
"ec2:CreateTags"
  +
],
  +
"Resource": "arn:aws:ec2:*:*:security-group/*",
  +
"Condition": {
  +
"StringEquals": {
  +
"ec2:CreateAction": "CreateSecurityGroup"
  +
},
  +
"Null": {
  +
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
  +
}
  +
}
  +
},
  +
{
  +
"Effect": "Allow",
  +
"Action": [
  +
"ec2:CreateTags",
  +
"ec2:DeleteTags"
  +
],
  +
"Resource": "arn:aws:ec2:*:*:security-group/*",
  +
"Condition": {
  +
"Null": {
  +
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
  +
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
  +
}
  +
}
  +
},
  +
{
  +
"Effect": "Allow",
  +
"Action": [
  +
"ec2:AuthorizeSecurityGroupIngress",
  +
"ec2:RevokeSecurityGroupIngress",
  +
"ec2:DeleteSecurityGroup"
  +
],
  +
"Resource": "*",
  +
"Condition": {
  +
"Null": {
  +
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
  +
}
  +
}
  +
},
  +
{
  +
"Effect": "Allow",
  +
"Action": [
  +
"elasticloadbalancing:CreateLoadBalancer",
  +
"elasticloadbalancing:CreateTargetGroup"
  +
],
  +
"Resource": "*",
  +
"Condition": {
  +
"Null": {
  +
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
  +
}
  +
}
  +
},
  +
{
  +
"Effect": "Allow",
  +
"Action": [
  +
"elasticloadbalancing:CreateListener",
  +
"elasticloadbalancing:DeleteListener",
  +
"elasticloadbalancing:CreateRule",
  +
"elasticloadbalancing:DeleteRule"
  +
],
  +
"Resource": "*"
  +
},
  +
{
  +
"Effect": "Allow",
  +
"Action": [
  +
"elasticloadbalancing:AddTags",
  +
"elasticloadbalancing:RemoveTags"
  +
],
  +
"Resource": [
  +
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
  +
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
  +
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
  +
],
  +
"Condition": {
  +
"Null": {
  +
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
  +
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
  +
}
  +
}
  +
},
  +
{
  +
"Effect": "Allow",
  +
"Action": [
  +
"elasticloadbalancing:AddTags",
  +
"elasticloadbalancing:RemoveTags"
  +
],
  +
"Resource": [
  +
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
  +
"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
  +
"arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
  +
"arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
  +
]
  +
},
  +
{
  +
"Effect": "Allow",
  +
"Action": [
  +
"elasticloadbalancing:ModifyLoadBalancerAttributes",
  +
"elasticloadbalancing:SetIpAddressType",
  +
"elasticloadbalancing:SetSecurityGroups",
  +
"elasticloadbalancing:SetSubnets",
  +
"elasticloadbalancing:DeleteLoadBalancer",
  +
"elasticloadbalancing:ModifyTargetGroup",
  +
"elasticloadbalancing:ModifyTargetGroupAttributes",
  +
"elasticloadbalancing:DeleteTargetGroup",
  +
"elasticloadbalancing:ModifyListenerAttributes",
  +
"elasticloadbalancing:ModifyCapacityReservation",
  +
"elasticloadbalancing:ModifyIpPools"
  +
],
  +
"Resource": "*",
  +
"Condition": {
  +
"Null": {
  +
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
  +
}
  +
}
  +
},
  +
{
  +
"Effect": "Allow",
  +
"Action": [
  +
"elasticloadbalancing:AddTags"
  +
],
  +
"Resource": [
  +
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
  +
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
  +
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
  +
],
  +
"Condition": {
  +
"StringEquals": {
  +
"elasticloadbalancing:CreateAction": [
  +
"CreateTargetGroup",
  +
"CreateLoadBalancer"
  +
]
  +
},
  +
"Null": {
  +
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
  +
}
  +
}
  +
},
  +
{
  +
"Effect": "Allow",
  +
"Action": [
  +
"elasticloadbalancing:RegisterTargets",
  +
"elasticloadbalancing:DeregisterTargets"
  +
],
  +
"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
  +
},
  +
{
  +
"Effect": "Allow",
  +
"Action": [
  +
"elasticloadbalancing:SetWebAcl",
  +
"elasticloadbalancing:ModifyListener",
  +
"elasticloadbalancing:AddListenerCertificates",
  +
"elasticloadbalancing:RemoveListenerCertificates",
  +
"elasticloadbalancing:ModifyRule",
  +
"elasticloadbalancing:SetRulePriorities"
  +
],
  +
"Resource": "*"
  +
}
  +
]
  +
}
 
</PRE>
  
</PRE>
   

Версия 11:27, 23 июня 2025


Это заметка про настройку aws-load-balancer-controller
https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main
Просто что бы не забыть шаги

Policy

curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json

aws iam create-policy \
  --policy-name AWSLoadBalancerControllerIAMPolicy \
  --policy-document file://iam-policy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeSubnets",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeInstances",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribeTags",
                "ec2:GetCoipPoolUsage",
                "ec2:DescribeCoipPools",
                "ec2:GetSecurityGroupsForVpc",
                "ec2:DescribeIpamPools",
                "ec2:DescribeRouteTables",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeListenerCertificates",
                "elasticloadbalancing:DescribeSSLPolicies",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeTrustStores",
                "elasticloadbalancing:DescribeListenerAttributes",
                "elasticloadbalancing:DescribeCapacityReservation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "cognito-idp:DescribeUserPoolClient",
                "acm:ListCertificates",
                "acm:DescribeCertificate",
                "iam:ListServerCertificates",
                "iam:GetServerCertificate",
                "waf-regional:GetWebACL",
                "waf-regional:GetWebACLForResource",
                "waf-regional:AssociateWebACL",
                "waf-regional:DisassociateWebACL",
                "wafv2:GetWebACL",
                "wafv2:GetWebACLForResource",
                "wafv2:AssociateWebACL",
                "wafv2:DisassociateWebACL",
                "shield:GetSubscriptionState",
                "shield:DescribeProtection",
                "shield:CreateProtection",
                "shield:DeleteProtection"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": "arn:aws:ec2:*:*:security-group/*",
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": "CreateSecurityGroup"
                },
                "Null": {
                    "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags",
                "ec2:DeleteTags"
            ],
            "Resource": "arn:aws:ec2:*:*:security-group/*",
            "Condition": {
                "Null": {
                    "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:CreateTargetGroup"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:DeleteListener",
                "elasticloadbalancing:CreateRule",
                "elasticloadbalancing:DeleteRule"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:AddTags",
                "elasticloadbalancing:RemoveTags"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
                "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
                "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
            ],
            "Condition": {
                "Null": {
                    "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:AddTags",
                "elasticloadbalancing:RemoveTags"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
                "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
                "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
                "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:SetIpAddressType",
                "elasticloadbalancing:SetSecurityGroups",
                "elasticloadbalancing:SetSubnets",
                "elasticloadbalancing:DeleteLoadBalancer",
                "elasticloadbalancing:ModifyTargetGroup",
                "elasticloadbalancing:ModifyTargetGroupAttributes",
                "elasticloadbalancing:DeleteTargetGroup",
                "elasticloadbalancing:ModifyListenerAttributes",
                "elasticloadbalancing:ModifyCapacityReservation",
                "elasticloadbalancing:ModifyIpPools"
            ],
            "Resource": "*",
            "Condition": {
                "Null": {
                    "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:AddTags"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
                "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
                "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
            ],
            "Condition": {
                "StringEquals": {
                    "elasticloadbalancing:CreateAction": [
                        "CreateTargetGroup",
                        "CreateLoadBalancer"
                    ]
                },
                "Null": {
                    "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:DeregisterTargets"
            ],
            "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:SetWebAcl",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:AddListenerCertificates",
                "elasticloadbalancing:RemoveListenerCertificates",
                "elasticloadbalancing:ModifyRule",
                "elasticloadbalancing:SetRulePriorities"
            ],
            "Resource": "*"
        }
    ]
}

role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Principal": {
                "Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/12345678901285475EA0123456789012"
            },
            "Condition": {
                "StringEquals": {
                    "oidc.eks.us-east-1.amazonaws.com/id/12345678901285475EA0123456789012:sub": [
                        "system:serviceaccount:kube-system:aws-load-balancer-controller"
                    ],
                    "oidc.eks.us-east-1.amazonaws.com/id/123456789085475EA0123456789012:aud": [
                        "sts.amazonaws.com"
                    ]
                }
            }
        }
    ]
}


aws iam create-role \
  --role-name AWSLoadBalancerControllerIAMRole \
  --assume-role-policy-document file://trust-policy.json

Attach Plicy to Role

aws iam attach-role-policy \
  --role-name AWSLoadBalancerControllerIAMRole \
  --policy-arn arn:aws:iam::<ACCOUNT_ID>:policy/AWSLoadBalancerControllerIAMPolicy

SA

apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-load-balancer-controller
  namespace: kube-system
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/<generated-role-name>

???? 

apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-load-balancer-controller
  namespace: kube-system
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::54XXXXXXXXXX:role/AWSLoadBalancerControllerIAMRole

helm

helm repo add eks https://aws.github.io/eks-charts
helm repo update

helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
  -n kube-system \
  --set clusterName=<CLUSTER_NAME> \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-load-balancer-controller \
  --set region=<REGION> \
  --set vpcId=<VPC_ID> \
  --set ingressClass=alb


aws eks describe-cluster --name education-eks-1o3RFCvh --query "cluster.resourcesVpcConfig.vpcId" "vpc-0cc5209fbf68dXXXX"


Регион можно узнать например так 

aws eks describe-cluster --name education-eks-1o3RFCvh --query "cluster.arn"
"arn:aws:eks:us-east-1:54XXXXXXXXXX:cluster/education-eks-1o3RFCvh"
Источник — https://noname.com.ua/mediawiki/index.php?title=Aws-alb-controller&oldid=14651