Setup Ingress Controller in EKS

Inderjot Singh
3 min read · Dec 25, 2023

Prerequisites:

Create Cluster

You should have an EKS cluster in place to follow along. If you have already created an EKS cluster, either with eksctl or manually through the console, continue with the next steps.

Otherwise, follow the docs to install eksctl for your operating system, then create the cluster:

eksctl create cluster --name my-cluster

Install Kubectl

We will need kubectl to perform actions on our cluster. Follow the docs to install it for your operating system.

Setting Up OIDC

What is OIDC?

OpenID Connect (OIDC) is an authentication protocol that verifies a user’s identity when they try to access a protected HTTPS endpoint.

Why do we need this?

OIDC is used to set up a trust policy between third-party services (like our Kubernetes cluster, Facebook or GitHub) and AWS. This enables the third-party service to assume roles in our account and perform actions. In this scenario, we need to set up OIDC so that our ingress controller is able to assume a role to create and modify Elastic Load Balancers.

Replace my-cluster with the name of your cluster

cluster_name=my-cluster
oidc_id=$(aws eks describe-cluster --name $cluster_name --query "cluster.identity.oidc.issuer" --output text | cut -d '/' -f 5)
echo $oidc_id

  • Determine whether an IAM OIDC provider with your cluster’s issuer ID is already in your account.

aws iam list-open-id-connect-providers | grep $oidc_id | cut -d "/" -f4

  • If output is returned, then you already have an IAM OIDC provider for your cluster and you can skip the next step. If no output is returned, then you must create an IAM OIDC provider for your cluster.

eksctl utils associate-iam-oidc-provider --cluster $cluster_name --approve

For more details, see the docs.

Deploying AWS Load Balancer Controller:

1. Create IAM Policy:

First, we will create an IAM policy that includes the permissions the ELB controller needs to create and modify Application Load Balancers.

curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.5.4/docs/install/iam_policy.json
aws iam create-policy \
--policy-name AWSLoadBalancerControllerIAMPolicy \
--policy-document file://iam_policy.json

2. Create IAM Role and Kubernetes Service Account:

Now we will create a role and attach to it the policy we created in the first step. This role will then be assumed by our EKS cluster. Using eksctl, we can perform these two steps in one command. Just replace my-cluster with your cluster name and 111122223333 with your AWS account ID in the command.

eksctl create iamserviceaccount \
--cluster=my-cluster \
--namespace=kube-system \
--name=aws-load-balancer-controller \
--role-name AmazonEKSLoadBalancerControllerRole \
--attach-policy-arn=arn:aws:iam::111122223333:policy/AWSLoadBalancerControllerIAMPolicy \
--approve

3. Install the Ingress Controller Using Helm

Now we will install the ELB controller using its Helm chart. If you don’t have Helm installed on your machine, follow the Installing Helm steps below for Linux. For other versions, see the docs.

Installing Helm

curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

helm repo add eks https://aws.github.io/eks-charts
helm repo update eks
helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
-n kube-system \
--set clusterName=my-cluster \
--set serviceAccount.create=false \
--set serviceAccount.name=aws-load-balancer-controller

(Optional) Verify Installation:

kubectl get deployment -n kube-system aws-load-balancer-controller

Example Output:

NAME                           READY   UP-TO-DATE   AVAILABLE   AGE
aws-load-balancer-controller   2/2     2            2           48s
