I installed the AWS Load Balancer Controller with Helm, but when I create a new Ingress it does not provision an ALB on AWS.
For most of the steps I followed these guides: guide 1, guide 2, guide 3 and guide 4.
Steps to reproduce
First, I associated the IAM OIDC provider with my EKS cluster using:
eksctl utils associate-iam-oidc-provider --region=us-east-1 --cluster=<name> --approve
Roles and policies
I used this terraform file to create the required role and policy and to install the helm chart:
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 5.0"
    }
    helm = {
      source  = "hashicorp/helm"
      version = "~> 2.9"
    }
  }
  required_version = ">= 1.5.0"
}

provider "aws" {
  region  = "us-east-1" # Change to your desired region
  profile = "default"   # Change to your AWS CLI profile if necessary
}

variable "cluster_name" {
  description = "The name of the EKS cluster"
  type        = string
}

variable "vpc_id" {
  description = "The ID of the VPC"
  type        = string
}

# Trust policy for EKS Pod Identity: the pods.eks.amazonaws.com service principal
# assumes this role on behalf of the associated service account.
data "aws_iam_policy_document" "aws_lbc" {
  statement {
    effect = "Allow"
    principals {
      type        = "Service"
      identifiers = ["pods.eks.amazonaws.com"]
    }
    actions = [
      "sts:AssumeRole",
      "sts:TagSession"
    ]
  }
}

resource "aws_iam_role" "aws_lbc" {
  name               = "AmazonEKSLoadBalancerControllerRole"
  assume_role_policy = data.aws_iam_policy_document.aws_lbc.json
}

# I tried this command too: (aws iam create-policy --policy-name AWSLoadBalancerControllerIAMPolicy --policy-document file://AWSLoadBalancerControllerIAMPolicy.json)
resource "aws_iam_policy" "aws_lbc" {
  # curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy.json
  policy = file("./iam/AWSLoadBalancerControllerIAMPolicy.json")
  name   = "AWSLoadBalancerControllerIAMPolicy"
}

resource "aws_iam_role_policy_attachment" "aws_lbc" {
  policy_arn = aws_iam_policy.aws_lbc.arn
  role       = aws_iam_role.aws_lbc.name
}

# Pod Identity association: maps the kube-system/aws-load-balancer-controller
# service account to the role above.
resource "aws_eks_pod_identity_association" "aws_lbc" {
  cluster_name    = var.cluster_name
  namespace       = "kube-system"
  service_account = "aws-load-balancer-controller"
  role_arn        = aws_iam_role.aws_lbc.arn
}

data "aws_eks_cluster" "eks" {
  name = var.cluster_name
}

data "aws_eks_cluster_auth" "eks" {
  name = var.cluster_name
}

provider "helm" {
  kubernetes {
    host                   = data.aws_eks_cluster.eks.endpoint
    cluster_ca_certificate = base64decode(data.aws_eks_cluster.eks.certificate_authority[0].data)
    token                  = data.aws_eks_cluster_auth.eks.token
  }
}

# I deployed this after creating the service account
resource "helm_release" "aws_lbc" {
  name            = "aws-load-balancer-controller"
  repository      = "https://aws.github.io/eks-charts"
  chart           = "aws-load-balancer-controller"
  namespace       = "kube-system"
  version         = "1.11.0"
  cleanup_on_fail = true

  set {
    name  = "clusterName"
    value = var.cluster_name
  }
  # The service account is created outside the chart (see below), so the chart must not create it.
  set {
    name  = "serviceAccount.create"
    value = "false"
  }
  set {
    name  = "serviceAccount.name"
    value = "aws-load-balancer-controller"
  }
  set {
    name  = "vpcId"
    value = var.vpc_id
  }
  set {
    name  = "region"
    value = "us-east-1"
  }
  set {
    name  = "replicaCount"
    value = "1"
  }
}
I also tried this trust relationship for AmazonEKSLoadBalancerControllerRole:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::<accountID>:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/<id>"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.us-east-1.amazonaws.com/id/<id>:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller"
        }
      }
    }
  ]
}
I also tried installing the helm chart with the helm cli instead of terraform:
helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
  --version 1.11.0 \
  --namespace kube-system \
  --set clusterName=<name> \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-load-balancer-controller \
  --set vpcId=<> \
  --set region=us-east-1 \
  --set replicaCount=1
Ingress
This is my ingress manifest:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: <>
  namespace: testing
  annotations:
    alb.ingress.kubernetes.io/certificate-arn: arn:aws:acm:us-east-1:<>:certificate/<>
    alb.ingress.kubernetes.io/group.name: new-shared-k8s-alb-group
    alb.ingress.kubernetes.io/healthcheck-path: /healthz
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS":443}]'
    alb.ingress.kubernetes.io/load-balancer-name: new-shared-k8s-alb-group
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS-1-2-2017-01
    alb.ingress.kubernetes.io/ssl-redirect: "443"
    alb.ingress.kubernetes.io/target-type: IP
    # kubernetes.io/ingress.class: alb # I tried this too
spec:
  ingressClassName: alb
  rules:
    - host: <>
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: <>
                port:
                  number: 80
  tls:
    - hosts:
        - <>
Service account
I created a service account before installing the chart:
eksctl create iamserviceaccount \
  --cluster=<name> \
  --namespace=kube-system \
  --name=aws-load-balancer-controller \
  --attach-policy-arn=arn:aws:iam::<>:policy/AWSLoadBalancerControllerIAMPolicy \
  --override-existing-serviceaccounts \
  --approve
It created the service account with this auto-generated annotation:
Name: aws-load-balancer-controller
Namespace: kube-system
Labels: app.kubernetes.io/managed-by=eksctl
Annotations: eks.amazonaws.com/role-arn: arn:aws:iam::<>:role/eksctl-<clusterName>-addon-iamservice-Role1-mP2d1JUPOppx
Image pull secrets: <none>
Mountable secrets: <none>
Tokens: <none>
Events: <none>
That did not work, so I updated eks.amazonaws.com/role-arn to arn:aws:iam::<>:role/AmazonEKSLoadBalancerControllerRole:
Name: aws-load-balancer-controller
Namespace: kube-system
Labels: app.kubernetes.io/managed-by=eksctl
Annotations: eks.amazonaws.com/role-arn: arn:aws:iam::<>:role/AmazonEKSLoadBalancerControllerRole
Image pull secrets: <none>
Mountable secrets: <none>
Tokens: <none>
Unfortunately, that made no difference.
Expected outcome
An ALB should be created and I should see it assigned to my Ingress resource.
Current outcome
Failed build model due to operation error Elastic Load Balancing v2: DescribeLoadBalancers, get identity: get credentials: failed to refresh cached credentials, failed to load credentials, exceeded maximum number of attempts, 10, request send failed, Get "http://169.254.170.23/v1/credentials": dial tcp 169.254.170.23:80: i/o timeout
{"level":"error","ts":"2025-01-21T20:37:36Z","msg":"Reconciler error","controller":"ingress","object":{"name":"new-shared-k8s-alb-group"},"namespace":"","name":"new-shared-k8s-alb-group","reconcileID":"18b4f2a0-0d46-46b3-a89a-e43cf2c58dd1","error":"operation error Elastic Load Balancing v2: DescribeLoadBalancers, get identity: get credentials: failed to refresh cached credentials, failed to load credentials, exceeded maximum number of attempts, 10, request send failed, Get \"http://169.254.170.2/
and 2025/01/21 20:49:32 http: TLS handshake error from 10.0.21.244:35898: EOF
I installed cert-manager with
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.0/cert-manager.yaml
and the error became:
{"level":"error","ts":"2025-01-21T21:48:06Z","msg":"Reconciler error","controller":"ingress","object":{"name":"new-shared-k8s-alb-group"},"namespace":"","name":"new-shared-k8s-alb-group","reconcileID":"6cbe3d55-9104-469f-855f-c1d279b76d36","error":"operation error Elastic Load Balancing v2: DescribeLoadBalancers, get identity: get credentials: failed to refresh cached credentials, failed to load credentials, exceeded maximum number of attempts, 10, request send failed, Get \"http://169.254.170.23/v1/credentials\": dial tcp 169.254.170.23:80: i/o timeout"}
Environment
Additional context
I also installed these CRDs:
wget https://raw.githubusercontent.com/aws/eks-charts/master/stable/aws-load-balancer-controller/crds/crds.yaml
kubectl apply -f crds.yaml
# I tried this too
kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller/crds?ref=master"
I also created two subnets with the required tags
kubernetes.io/cluster/new-crowdanalyzer-eks:shared
and kubernetes.io/role/elb:1
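Added example (not part of the original issue, and not code from the aws-load-balancer-controller project): a small Python diagnostic that classifies the credential error in the logs above, parses a role trust policy to see which mechanism it allows (Pod Identity via the pods.eks.amazonaws.com service principal, or IRSA via the OIDC provider), and reads the pod's injected environment to see which mechanism the SDK will actually use. The point it makes about the log lines above: a dial timeout to http://169.254.170.23/v1/credentials means the SDK was handed a Pod Identity credential URI (so the association did match the service account), but no EKS Pod Identity Agent answered on that node. It also flags the other configuration in the issue, an IRSA role-arn annotation pointing at a role whose trust policy only allows pods.eks.amazonaws.com. All sample log lines, policies and environments in the block are constructed; the account ID, OIDC ID and verdict strings are my own.

```python
import json

# Link-local endpoints the AWS SDK may contact for credentials inside an EKS pod.
POD_IDENTITY_URI = "http://169.254.170.23/v1/credentials"  # EKS Pod Identity Agent
IMDS_HOST = "169.254.169.254"                               # EC2 instance metadata

# Environment variables injected into a pod by each mechanism.
POD_IDENTITY_ENV_VARS = ("AWS_CONTAINER_CREDENTIAL_FULL_URI",
                         "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE")
IRSA_ENV_VARS = ("AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE")


def _as_list(value):
    """IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def classify_credential_error(line: str) -> str:
    """Name the credential provider that failed, from a controller log line."""
    if POD_IDENTITY_URI in line:
        return "pod-identity-agent-unreachable"
    if IMDS_HOST in line:
        return "imds-unreachable"
    if "STS: AssumeRoleWithWebIdentity" in line:
        return "irsa-assume-role-failed"
    return "unknown"


def trusted_modes(trust_policy_json: str) -> set:
    """Which mechanisms the role's trust policy allows: 'pod-identity', 'irsa', or both."""
    modes = set()
    for st in json.loads(trust_policy_json).get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action"))
        principal = st.get("Principal", {})
        services = _as_list(principal.get("Service"))
        federated = _as_list(principal.get("Federated"))
        if "pods.eks.amazonaws.com" in services and "sts:AssumeRole" in actions:
            modes.add("pod-identity")
        if any(":oidc-provider/" in f for f in federated) and "sts:AssumeRoleWithWebIdentity" in actions:
            modes.add("irsa")
    return modes


def pod_mode(env: dict) -> str:
    """Which mechanism the SDK in the pod will pick, judged from injected env vars."""
    if all(k in env for k in POD_IDENTITY_ENV_VARS):
        return "pod-identity"
    if all(k in env for k in IRSA_ENV_VARS):
        return "irsa"
    return "node-instance-profile"


def diagnose(log_line: str, trust_policy_json: str, env: dict) -> dict:
    """Combine the three signals into one verdict (verdict strings are this example's own)."""
    error = classify_credential_error(log_line)
    trusted = sorted(trusted_modes(trust_policy_json))
    used = pod_mode(env)
    if error == "pod-identity-agent-unreachable":
        # The env was injected (so an association matched), but nothing answers on
        # 169.254.170.23: the eks-pod-identity-agent add-on is not running on that node,
        # or link-local traffic from the pod is blocked.
        verdict = "pod-identity-agent-not-running-on-node"
    elif used == "irsa" and "irsa" not in trusted:
        verdict = "trust-policy-mismatch: pod uses IRSA, role lacks AssumeRoleWithWebIdentity"
    elif used == "pod-identity" and "pod-identity" not in trusted:
        verdict = "trust-policy-mismatch: pod uses Pod Identity, role does not trust pods.eks.amazonaws.com"
    elif used == "node-instance-profile":
        verdict = "no-identity-injected: neither association nor IRSA annotation matched the pod"
    elif error == "irsa-assume-role-failed":
        verdict = "sts-rejected-web-identity"  # wiring is consistent; check the :sub/:aud condition
    else:
        verdict = "wiring-consistent"
    return {"error": error, "trusted": trusted, "pod_uses": used, "verdict": verdict}


# Constructed sample inputs modelled on the issue above (account ID and OIDC ID are made up).
SAMPLE_LOG = ('operation error Elastic Load Balancing v2: DescribeLoadBalancers, get identity: '
              'get credentials: failed to refresh cached credentials, failed to load credentials, '
              'exceeded maximum number of attempts, 10, request send failed, '
              'Get "http://169.254.170.23/v1/credentials": dial tcp 169.254.170.23:80: i/o timeout')

POD_IDENTITY_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "pods.eks.amazonaws.com"},
                   "Action": ["sts:AssumeRole", "sts:TagSession"]}]})

IRSA_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE"},
                   "Action": "sts:AssumeRoleWithWebIdentity"}]})

POD_IDENTITY_ENV = {"AWS_CONTAINER_CREDENTIAL_FULL_URI": POD_IDENTITY_URI,
                    "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE":
                        "/var/run/secrets/pods.eks.amazonaws.com/serviceaccount/eks-pod-identity-token"}
IRSA_ENV = {"AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/AmazonEKSLoadBalancerControllerRole",
            "AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG, POD_IDENTITY_TRUST, POD_IDENTITY_ENV))
    print(diagnose("some unrelated error", POD_IDENTITY_TRUST, IRSA_ENV))
```

To use it against a real cluster, feed it a line from the controller pod's log, the output of `aws iam get-role` for the role, and the environment from `kubectl exec ... -- env`; the trust-policy parser handles the string-or-list forms IAM allows for Action, Service and Federated.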