Installing the AWS ALB controller with Helm

문학적인유사성 · October 23, 2023

뎁옵깃옵쿠베


IAM role trust policy JSON from the official docs (the `sub` condition pins the role to one namespace/service account; the `aud` condition pins it to STS):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::${account number}:oidc-provider/oidc.eks.ap-northeast-2.amazonaws.com/id/${oidc id}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.ap-northeast-2.amazonaws.com/id/${oidc id}:aud": "sts.amazonaws.com",
                    "oidc.eks.ap-northeast-2.amazonaws.com/id/${oidc id}:sub": "system:serviceaccount:${namespace}:${alb sa}"
                }
            }
        }
    ]
}
$ helm repo add eks https://aws.github.io/eks-charts
$ helm pull eks/aws-load-balancer-controller --version 1.6.1
$ tar xvf aws-load-balancer-controller-1.6.1.tgz

$ vi values.yaml
image:
  repository: ${your_account_id}.dkr.ecr.ap-northeast-2.amazonaws.com/${ecr repo name}

clusterName: ${cluster name}

region: ${region name}

vpcId: ${vpc ID}

enableShield: false

enableWaf: false

enableWafv2: false

$ helm upgrade --install aws-load-balancer-controller ./aws-load-balancer-controller -n kube-system --values ./aws-load-balancer-controller/onboarding_values.yaml


$ aws ec2 create-tags --resource ${private elb subnet id} --tags "Key=kubernetes.io/role/internal-elb,Value=1"

If you get an error saying there are no permissions because the node role was assumed, create the service account separately and add the role annotation yourself! I don't understand why it doesn't work. It worked last time..? ;;

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/instance: aws-load-balancer-controller
    app.kubernetes.io/name: aws-load-balancer-controller
  name: aws-load-balancer-controller
  namespace: kube-system
  annotations:
    # role ARN must match the role whose trust policy names this namespace/service account
    eks.amazonaws.com/role-arn: arn:aws:iam::${your account number}:role/${alb controller role name}
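Added example (not part of the original post): a small Python check that verifies the trust policy above actually matches the service account the controller runs as, which is the usual cause of the "assumed the node role, no permission" failure described above. The account number and OIDC id are constructed placeholders.

```python
import json

# Constructed sample values (placeholders, not a real account or cluster).
ACCOUNT = "111122223333"
OIDC_ID = "EXAMPLE0123456789ABCDEF0123456789"
ISSUER = f"oidc.eks.ap-northeast-2.amazonaws.com/id/{OIDC_ID}"
NAMESPACE, SA_NAME = "kube-system", "aws-load-balancer-controller"

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{ISSUER}:aud": "sts.amazonaws.com",
            f"{ISSUER}:sub": f"system:serviceaccount:{NAMESPACE}:{SA_NAME}",
        }},
    }],
}

def check_trust_policy(policy, issuer, namespace, sa_name):
    """Return problems that make AssumeRoleWithWebIdentity fail or leave the role over-broad."""
    problems = []
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith(f":oidc-provider/{issuer}"):
            problems.append("Principal.Federated does not point at this cluster's OIDC provider")
        cond = stmt.get("Condition", {})
        eq, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        if eq.get(f"{issuer}:aud") != "sts.amazonaws.com":
            problems.append("aud condition missing or not sts.amazonaws.com")
        sub = eq.get(f"{issuer}:sub") or like.get(f"{issuer}:sub")
        if sub is None:
            problems.append("no sub condition: any service account in the cluster could assume the role")
        elif "*" in sub:
            problems.append(f"sub condition {sub!r} contains a wildcard; scope it to {expected_sub}")
        elif sub != expected_sub:
            problems.append(f"sub condition {sub!r} does not match the controller's {expected_sub}")
    return problems

def with_sub(policy, issuer, sub):
    """Deep copy of policy with the sub condition replaced (useful to test variants)."""
    p = json.loads(json.dumps(policy))
    p["Statement"][0]["Condition"]["StringEquals"][f"{issuer}:sub"] = sub
    return p
```

Run `check_trust_policy` on the policy you get back from `aws iam get-role` with the namespace and name of the ServiceAccount that carries the `eks.amazonaws.com/role-arn` annotation; an empty list means the two agree.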

If you see the error `validation error: missing key "app.kubernetes.io/managed-by": must be set to "Helm"; annotation validation error: missing key "meta.helm.sh/release-name": must be set to "aws-load-balancer-controller"; annotation validation error: missing key "meta.helm.sh/release-namespace": must be set to "kube-system"`, add the label and annotations as shown below so Helm will adopt the existing ServiceAccount.

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/name: aws-load-balancer-controller
    app.kubernetes.io/managed-by: Helm
  name: aws-load-balancer-controller
  namespace: kube-system
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::${your account number}:role/${alb controller role name}
    # release name and namespace must match the helm upgrade --install command above
    meta.helm.sh/release-name: aws-load-balancer-controller
    meta.helm.sh/release-namespace: kube-system
