Aws-alb-controller

Материал из noname.com.ua
Перейти к навигацииПерейти к поиску


Это заметка про настройку aws-load-balancer-controller
https://github.com/kubernetes-sigs/aws-load-balancer-controller/tree/main
Просто что бы не забыть шаги

Policy

curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json
aws iam create-policy \
  --policy-name AWSLoadBalancerControllerIAMPolicy \
  --policy-document file://iam-policy.json

role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Principal": {
                "Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/12345678901285475EA0123456789012"
            },
            "Condition": {
                "StringEquals": {
                    "oidc.eks.us-east-1.amazonaws.com/id/12345678901285475EA0123456789012:sub": [
                        "system:serviceaccount:kube-system:aws-load-balancer-controller"
                    ],
                    "oidc.eks.us-east-1.amazonaws.com/id/123456789085475EA0123456789012:aud": [
                        "sts.amazonaws.com"
                    ]
                }
            }
        }
    ]
}


aws iam create-role \
  --role-name AWSLoadBalancerControllerIAMRole \
  --assume-role-policy-document file://trust-policy.json

Attach Plicy to Role

aws iam attach-role-policy \
  --role-name AWSLoadBalancerControllerIAMRole \
  --policy-arn arn:aws:iam::<ACCOUNT_ID>:policy/AWSLoadBalancerControllerIAMPolicy

SA

apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-load-balancer-controller
  namespace: kube-system
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<account-id>:role/<generated-role-name>

???? 

apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-load-balancer-controller
  namespace: kube-system
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::543591064633:role/AWSLoadBalancerControllerIAMRole

helm

helm repo add eks https://aws.github.io/eks-charts
helm repo update

helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
  -n kube-system \
  --set clusterName=<CLUSTER_NAME> \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-load-balancer-controller \
  --set region=<REGION> \
  --set vpcId=<VPC_ID> \
  --set ingressClass=alb


aws eks describe-cluster --name education-eks-1o3RFCvh --query "cluster.resourcesVpcConfig.vpcId" "vpc-0cc5209fbf68dXXXX"


Регион можно узнать например так 

aws eks describe-cluster --name education-eks-1o3RFCvh --query "cluster.arn"
"arn:aws:eks:us-east-1:54XXXXXXXXXX:cluster/education-eks-1o3RFCvh"
Источник — https://noname.com.ua/mediawiki/index.php?title=Aws-alb-controller&oldid=14644