Aws-alb-controller: difference between revisions

From noname.com.ua
Line 21: Line 21:
 
<PRE>
 
<PRE>
 
{
 
{
"Effect": "Allow",
+
"Version": "2012-10-17",
"Principal": {
+
"Statement": [
 
{
"Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.eks.region.amazonaws.com/id/ABCD1234567890"
 
  +
"Effect": "Allow",
},
 
"Action": "sts:AssumeRoleWithWebIdentity",
+
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
+
"Principal": {
 
"Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/12345678901285475EA0123456789012"
"StringEquals": {
 
  +
},
"oidc.eks.region.amazonaws.com/id/ABCD1234567890:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller"
 
  +
"Condition": {
}
 
 
"StringEquals": {
}
 
  +
"oidc.eks.us-east-1.amazonaws.com/id/12345678901285475EA0123456789012:sub": [
 
"system:serviceaccount:kube-system:aws-load-balancer-controller"
  +
],
  +
"oidc.eks.us-east-1.amazonaws.com/id/123456789085475EA0123456789012:aud": [
  +
"sts.amazonaws.com"
  +
]
  +
}
  +
}
  +
}
  +
]
 
}
 
}
  +
 
</PRE>
 
</PRE>
 
<PRE>
 
<PRE>
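Review bot: in the new revision the `:aud` condition key carries the provider ID `123456789085475EA0123456789012`, while the Federated ARN and the `:sub` key use `12345678901285475EA0123456789012`. A `StringEquals` key that names a provider other than the token issuer is absent from the request context, so the condition never matches, the Allow statement never applies and `sts:AssumeRoleWithWebIdentity` is denied for the controller. Use the same `oidc.eks.us-east-1.amazonaws.com/id/12345678901285475EA0123456789012` path in both condition keys; adding the `aud` check itself is the right change, since it binds the token to `sts.amazonaws.com`.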

Revision as of 12:52, 9 June 2025


These are notes on setting up aws-load-balancer-controller
https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main
Just so I don't forget the steps.

Policy

curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json
aws iam create-policy \
  --policy-name AWSLoadBalancerControllerIAMPolicy \
  --policy-document file://iam-policy.json

role (trust policy, saved as trust-policy.json)

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Principal": {
                "Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/12345678901285475EA0123456789012"
            },
            "Condition": {
                "StringEquals": {
                    "oidc.eks.us-east-1.amazonaws.com/id/12345678901285475EA0123456789012:sub": [
                        "system:serviceaccount:kube-system:aws-load-balancer-controller"
                    ],
                    "oidc.eks.us-east-1.amazonaws.com/id/12345678901285475EA0123456789012:aud": [
                        "sts.amazonaws.com"
                    ]
                }
            }
        }
    ]
}

aws iam create-role \
  --role-name aws-lb-controller-role \
  --assume-role-policy-document file://trust-policy.json
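Before creating the role it is worth checking that the trust policy really pins the caller: every StringEquals key must name the same OIDC provider as the Federated ARN, sub must be the exact service account and aud must be sts.amazonaws.com. The linter below is an added example, not part of the original notes; the embedded sample is this page's trust policy constructed inline, and the function name and the treatment of non-StringEquals operators are my choices.

```python
import json
import re

# Constructed sample: this page's trust policy, with the provider ID in the
# ":aud" condition key left exactly as it appears there.
PAGE_TRUST_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/12345678901285475EA0123456789012"},
  "Condition": {"StringEquals": {
    "oidc.eks.us-east-1.amazonaws.com/id/12345678901285475EA0123456789012:sub": ["system:serviceaccount:kube-system:aws-load-balancer-controller"],
    "oidc.eks.us-east-1.amazonaws.com/id/123456789085475EA0123456789012:aud": ["sts.amazonaws.com"]}}}]}
""")

FEDERATED_RE = re.compile(r"^arn:aws:iam::\d{12}:oidc-provider/(?P<issuer>\S+)$")


def lint_irsa_trust_policy(policy, namespace, service_account):
    """Return findings; [] means every web-identity statement pins sub and aud."""
    findings = []
    expected_sub = [f"system:serviceaccount:{namespace}:{service_account}"]
    for stmt in policy.get("Statement", []):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        match = FEDERATED_RE.match(stmt.get("Principal", {}).get("Federated", ""))
        if not match:
            findings.append("Federated principal is not an IAM OIDC provider ARN")
            continue
        issuer = match.group("issuer")
        condition = stmt.get("Condition", {})
        # StringLike admits wildcards, so only StringEquals counts as pinning.
        for operator in condition:
            if operator != "StringEquals":
                findings.append(f"{operator} used; only StringEquals pins the caller")
        claims = {}
        for key, value in condition.get("StringEquals", {}).items():
            prefix, _, claim = key.rpartition(":")
            if prefix != issuer:
                # The token carries no claim under that key, so the condition
                # can never be satisfied and AssumeRoleWithWebIdentity is denied.
                findings.append(f"condition key {key} names a provider other than {issuer}")
                continue
            claims[claim] = value if isinstance(value, list) else [value]
        if claims.get("sub") != expected_sub:
            findings.append(f"sub is not pinned to {expected_sub[0]}")
        if claims.get("aud") != ["sts.amazonaws.com"]:
            findings.append("aud is not pinned to sts.amazonaws.com")
    return findings
```

Run against the page's policy it reports the mismatched aud key (and, as a consequence, a missing aud pin); once both keys use the Federated provider's ID it returns an empty list.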

attach

aws iam attach-role-policy \
  --role-name aws-lb-controller-role \
  --policy-arn arn:aws:iam::<ACCOUNT_ID>:policy/AWSLoadBalancerControllerIAMPolicy

SA

apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-load-balancer-controller
  namespace: kube-system
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_ID>:role/aws-lb-controller-role

helm

helm repo add eks https://aws.github.io/eks-charts
helm repo update
helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
  -n kube-system \
  --set clusterName=<CLUSTER_NAME> \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-load-balancer-controller \
  --set region=<REGION> \
  --set vpcId=<VPC_ID> \
  --set ingressClass=alb