Comments (2)
Fixed with this
kubernetes-sigs/aws-load-balancer-controller#305 (comment)
https://github.com/raf-d/aws-alb-controller/blob/master/RBAC-for-aws-controller.md
Create the ServiceAccount, ClusterRole and ClusterRoleBinding to use with the ALB controller.
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app: alb1
    release: v1
  name: alb-service-account
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  labels:
    app: alb1
    release: v1
  name: alb-sa-clusterrole
rules:
- apiGroups:
  - ""
  - extensions
  resources:
  - configmaps
  - endpoints
  - events
  - ingresses
  - ingresses/status
  - services
  verbs:
  - create
  - get
  - list
  - update
  - watch
  - patch
- apiGroups:
  - ""
  - extensions
  resources:
  - nodes
  - pods
  - secrets
  - services
  - namespaces
  verbs:
  - get
  - list
  - watch
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  labels:
    app: alb1
    release: v1
  name: alb-sa-clusterrolebind
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: alb-sa-clusterrole
subjects:
- kind: ServiceAccount
  name: alb-service-account
  namespace: kube-system
```
Add the serviceAccountName in the controller.

```yaml
# Application Load Balancer (ALB) Ingress Controller Deployment Manifest.
# This manifest details sensible defaults for deploying an ALB Ingress Controller.
# GitHub: https://github.com/coreos/alb-ingress-controller
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  labels:
    app: alb-ingress-controller
  name: alb-ingress-controller
  # Namespace the ALB Ingress Controller should run in. Does not impact which
  # namespaces it's able to resolve ingress resource for. For limiting ingress
  # namespace scope, see --watch-namespace.
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: alb-ingress-controller
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: alb-ingress-controller
    spec:
      containers:
      - args:
        - /server
        # Ingress controllers must have a default backend deployment where
        # all unknown locations can be routed to. Often this is a 404 page. The
        # default backend is not particularly helpful to the ALB Ingress Controller
        # but is still required. The default backend and its respective service
        # must be running Kubernetes for this controller to start.
        - --default-backend-service=kube-system/default-http-backend
        # Limit the namespace where this ALB Ingress Controller deployment will
        # resolve ingress resources. If left commented, all namespaces are used.
        #- --watch-namespace=your-k8s-namespace
        # Setting the ingress-class flag below will ensure that only ingress resources with the
        # annotation kubernetes.io/ingress.class: "alb" are respected by the controller. You may
        # choose any class you'd like for this controller to respect.
        #- --ingress-class=alb
        env:
        # AWS region this ingress controller will operate in.
        # List of regions:
        # http://docs.aws.amazon.com/general/latest/gr/rande.html#vpc_region
        - name: AWS_REGION
          value: us-west-1
        # Name of your cluster. Used when naming resources created
        # by the ALB Ingress Controller, providing distinction between
        # clusters.
        - name: CLUSTER_NAME
          value: devCluster
        # AWS key id for authenticating with the AWS API.
        # This is only here for examples. It's recommended you instead use
        # a project like kube2iam for granting access.
        #- name: AWS_ACCESS_KEY_ID
        #  value: KEYVALUE
        # AWS key secret for authenticating with the AWS API.
        # This is only here for examples. It's recommended you instead use
        # a project like kube2iam for granting access.
        #- name: AWS_SECRET_ACCESS_KEY
        #  value: SECRETVALUE
        # Enables logging on all outbound requests sent to the AWS API.
        # If logging is desired, set to true.
        - name: AWS_DEBUG
          value: "false"
        # Maximum number of times to retry the aws calls.
        # defaults to 20.
        - name: AWS_MAX_RETRIES
          value: "20"
        - name: POD_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.name
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: metadata.namespace
        # Repository location of the ALB Ingress Controller.
        image: quay.io/coreos/alb-ingress-controller:1.0-alpha.3
        imagePullPolicy: Always
        name: server
        resources: {}
        terminationMessagePath: /dev/termination-log
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      serviceAccountName: alb-service-account
```
from terraform-aws-eks.
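Before applying the manifests in the comment above, it is worth checking what the ClusterRole actually lets the ServiceAccount do, since RBAC is purely additive and a single broad rule is easy to overlook in a long manifest. The script below is an added example, not part of the comment or of the ALB ingress controller project: it mirrors the posted rules, binding and ServiceAccount as constructed Python literals and implements the wildcard-aware, any-rule-matches evaluation that Kubernetes RBAC applies, so you can ask "can-i" questions offline and flag grants worth a second look. The `SENSITIVE` list, the helper names and the subresource handling are my own choices, not anything the comment states.

```python
"""Offline RBAC review of the ServiceAccount/ClusterRole/Binding posted above.

Added example: the rule literals are constructed to mirror the manifests in
the comment; the matching logic follows Kubernetes RBAC semantics (a request
is allowed if ANY rule in ANY bound role allows it; '*' is a wildcard).
"""

CORE_GROUP = ""  # the core API group is spelled "" in RBAC rules

# Constructed from the ClusterRole 'alb-sa-clusterrole' in the comment above.
ALB_CLUSTER_ROLE_RULES = [
    {
        "apiGroups": [CORE_GROUP, "extensions"],
        "resources": ["configmaps", "endpoints", "events", "ingresses",
                      "ingresses/status", "services"],
        "verbs": ["create", "get", "list", "update", "watch", "patch"],
    },
    {
        "apiGroups": [CORE_GROUP, "extensions"],
        "resources": ["nodes", "pods", "secrets", "services", "namespaces"],
        "verbs": ["get", "list", "watch"],
    },
]

# Constructed from the ClusterRoleBinding and ServiceAccount in the comment.
ALB_BINDING = {
    "roleRef": {"kind": "ClusterRole", "name": "alb-sa-clusterrole"},
    "subjects": [{"kind": "ServiceAccount", "name": "alb-service-account",
                  "namespace": "kube-system"}],
}
ALB_SERVICE_ACCOUNT = {"name": "alb-service-account", "namespace": "kube-system"}


def _matches(wanted, allowed):
    """RBAC list matching: an exact entry or the '*' wildcard."""
    return "*" in allowed or wanted in allowed


def rule_allows(rule, api_group, resource, verb):
    """True if a single PolicyRule grants `verb` on `resource` in `api_group`.

    Subresources such as 'ingresses/status' are separate entries; a rule
    listing 'pods/*' matches every subresource of pods but not pods itself.
    """
    if not _matches(api_group, rule.get("apiGroups", [])):
        return False
    if not _matches(verb, rule.get("verbs", [])):
        return False
    resources = rule.get("resources", [])
    if _matches(resource, resources):
        return True
    base = resource.split("/", 1)[0]
    return "/" in resource and f"{base}/*" in resources


def can_i(rules, api_group, resource, verb):
    """Additive evaluation: allowed if any rule allows; there is no deny."""
    return any(rule_allows(r, api_group, resource, verb) for r in rules)


def binding_grants_to(binding, role_name, sa):
    """Does the ClusterRoleBinding tie `role_name` to this ServiceAccount?"""
    ref = binding["roleRef"]
    if ref["kind"] != "ClusterRole" or ref["name"] != role_name:
        return False
    return any(s.get("kind") == "ServiceAccount"
               and s.get("name") == sa["name"]
               and s.get("namespace") == sa["namespace"]
               for s in binding["subjects"])


def effective_grants(rules):
    """Expand the rules into a sorted list of (apiGroup, resource, verb)."""
    grants = set()
    for r in rules:
        for g in r["apiGroups"]:
            for res in r["resources"]:
                for v in r["verbs"]:
                    grants.add((g, res, v))
    return sorted(grants)


# Grants a reviewer looks at twice (my own list). A ClusterRole that can read
# secrets means the pod's token can read every Secret in every namespace.
SENSITIVE = [
    (CORE_GROUP, "secrets", "get"),
    (CORE_GROUP, "secrets", "list"),
    (CORE_GROUP, "secrets", "watch"),
    (CORE_GROUP, "secrets", "create"),
    (CORE_GROUP, "secrets", "update"),
    (CORE_GROUP, "pods", "create"),
    ("rbac.authorization.k8s.io", "clusterrolebindings", "create"),
]


def sensitive_grants(rules):
    """Subset of SENSITIVE that the given rules actually grant."""
    return [t for t in SENSITIVE if can_i(rules, *t)]


if __name__ == "__main__":
    print("binding wires SA to role:",
          binding_grants_to(ALB_BINDING, "alb-sa-clusterrole", ALB_SERVICE_ACCOUNT))
    print("can watch ingresses:",
          can_i(ALB_CLUSTER_ROLE_RULES, "extensions", "ingresses", "watch"))
    print("can delete ingresses:",
          can_i(ALB_CLUSTER_ROLE_RULES, "extensions", "ingresses", "delete"))
    print("distinct grants:", len(effective_grants(ALB_CLUSTER_ROLE_RULES)))
    for g, res, v in sensitive_grants(ALB_CLUSTER_ROLE_RULES):
        print(f"REVIEW: {v} on {res} ({g or 'core'}) is granted cluster-wide")
```

Against a live cluster the same question is answered by the API server itself, for example `kubectl auth can-i list secrets --as=system:serviceaccount:kube-system:alb-service-account`, and the offline script is a way to reason about a manifest before it is applied. The output for the posted role flags `get`, `list` and `watch` on secrets in every namespace, which is the grant to weigh against what the controller actually needs (the comment's own note about preferring kube2iam over static AWS keys in env vars is the same least-privilege concern on the AWS side).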
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.