@lukasz-kaniowski
Last active March 4, 2019 09:58
Deploying k8s service with internal ALB

How to make it work with kube2iam

Specify the IAM role that kube2iam will assume on behalf of the controller pod. kube2iam intercepts the pod's requests to the EC2 metadata endpoint, calls sts:AssumeRole for the role named in the pod annotation iam.amazonaws.com/role using the worker node's own credentials, and hands the resulting STS credentials back to the pod.

  1. Create a role arn:aws:iam::xxx:role/k8s-alb-controller with the IAM permissions policy required by the ALB Ingress Controller (see the setup guide at https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/controller/setup/).
  2. Edit the trust relationship of that role so that the role attached to the k8s worker nodes, i.e. arn:aws:iam::xxx:role/xxx-cluster.kubernetes_worker, is allowed to assume it. The resulting trust policy is shown below. The first statement (Service: ec2.amazonaws.com) is only needed if the role is also used as an EC2 instance profile; kube2iam only relies on the second statement.

Because kube2iam performs the sts:AssumeRole call with the worker node's credentials, the worker role itself must also carry an identity policy that allows sts:AssumeRole on arn:aws:iam::xxx:role/k8s-alb-controller. If kube2iam runs with --namespace-restrictions, the kube-system namespace additionally has to list the role in its iam.amazonaws.com/allowed-roles annotation, otherwise the controller pod is refused the role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::xxx:role/xxx-cluster.kubernetes_worker"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
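The three pieces of this setup that have to agree (the trust policy above, the permission on the worker-node role, and the iam.amazonaws.com/role annotation on the controller's pod template) are easy to get out of sync. The script below is an added example, not part of this gist or of kube2iam: it evaluates the trust policy and the worker-role policy offline with a simplified IAM evaluation (explicit Deny wins, Action and Resource wildcards honoured, only exact-ARN or "*" AWS principals recognised) and reports every broken link. The ARNs, the policy documents and the `worker_assume_policy` helper are constructed sample input with the same placeholders as the gist, and the annotation is assumed to carry the full role ARN as it does in the Deployment above (kube2iam also accepts bare role names when started with --base-role-arn, which this check does not model).

```python
"""Offline consistency check for the kube2iam role chain (added example, not kube2iam code)."""
import fnmatch

WORKER_ROLE = "arn:aws:iam::xxx:role/xxx-cluster.kubernetes_worker"   # placeholder, as in the gist
TARGET_ROLE = "arn:aws:iam::xxx:role/k8s-alb-controller"              # placeholder, as in the gist
ROLE_ANNOTATION = "iam.amazonaws.com/role"

# Constructed copy of the trust policy attached to k8s-alb-controller.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": WORKER_ROLE}, "Action": "sts:AssumeRole"},
    ],
}


def _as_list(value):
    """IAM lets most fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    """Action names are compared case-insensitively and may use IAM's * wildcard (e.g. sts:*)."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def trust_policy_allows(trust_policy, principal_arn):
    """Can `principal_arn` call sts:AssumeRole on the role that owns `trust_policy`?

    Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow grants.
    Service principals and account-root principals are treated as not matching, so the
    check errs on the side of reporting a problem.
    """
    allowed = False
    for stmt in _as_list(trust_policy.get("Statement")):
        if not _action_matches(stmt.get("Action"), "sts:AssumeRole"):
            continue
        principal = stmt.get("Principal", {})
        aws_principals = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if not any(p in ("*", principal_arn) for p in aws_principals):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed


def identity_policy_allows(policy, action, resource_arn):
    """Can the identity holding `policy` perform `action` on `resource_arn`? Deny wins."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _action_matches(stmt.get("Action"), action):
            continue
        # Resource ARNs are matched case-sensitively with the * wildcard.
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed


def worker_assume_policy(target_role_arn):
    """Inline policy for the worker-node role: the single permission kube2iam needs from the node."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_role_arn}],
    }


def check_chain(worker_arn, target_arn, trust_policy, worker_policy, pod_annotations):
    """Return the broken links in the chain; an empty list means the setup is consistent."""
    problems = []
    if not trust_policy_allows(trust_policy, worker_arn):
        problems.append(f"{target_arn} does not trust {worker_arn} (fix its trust relationship)")
    if not identity_policy_allows(worker_policy, "sts:AssumeRole", target_arn):
        problems.append(f"{worker_arn} may not call sts:AssumeRole on {target_arn} (fix the node role policy)")
    annotated = pod_annotations.get(ROLE_ANNOTATION)
    if annotated != target_arn:
        problems.append(f"pod annotation {ROLE_ANNOTATION}={annotated!r} does not name {target_arn}")
    return problems


if __name__ == "__main__":
    pod_annotations = {ROLE_ANNOTATION: TARGET_ROLE}  # what the Deployment's pod template carries
    report = check_chain(WORKER_ROLE, TARGET_ROLE, TRUST_POLICY, worker_assume_policy(TARGET_ROLE), pod_annotations)
    for line in report or ["kube2iam chain is consistent"]:
        print(line)
    # The typical mistake: the node role is allowed to assume some other role, not this one.
    wrong = worker_assume_policy("arn:aws:iam::xxx:role/some-other-role")
    for line in check_chain(WORKER_ROLE, TARGET_ROLE, TRUST_POLICY, wrong, pod_annotations):
        print("broken chain:", line)
```

Once the manifests are applied, the live check is to exec into the controller pod and request http://169.254.169.254/latest/meta-data/iam/security-credentials/: with kube2iam working it answers with k8s-alb-controller, whereas the worker role's name means the pod is still reaching the real metadata endpoint (kube2iam's iptables redirect is missing on that node or the annotation is not on the pod).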
# Application Load Balancer (ALB) Ingress Controller Deployment Manifest.
# This manifest details sensible defaults for deploying an ALB Ingress Controller.
# GitHub: https://github.com/kubernetes-sigs/aws-alb-ingress-controller
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: alb-ingress-controller
  name: alb-ingress-controller
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      app: alb-ingress-controller
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      annotations:
        # kube2iam reads this annotation from the pod itself (not from the Deployment
        # metadata) and serves credentials for this role instead of the node's role.
        iam.amazonaws.com/role: arn:aws:iam::xxx:role/k8s-alb-controller
      labels:
        app: alb-ingress-controller
    spec:
      containers:
        - args:
            # Setting the ingress-class flag below ensures that only ingress resources with the
            # annotation kubernetes.io/ingress.class: "alb" are respected by the controller. You may
            # choose any class you'd like for this controller to respect.
            - --ingress-class=alb
            # Name of your cluster. Used when naming resources created
            # by the ALB Ingress Controller, providing distinction between
            # clusters.
            - --cluster-name=xxx-cluster
          # Repository location of the ALB Ingress Controller.
          image: docker.io/amazon/aws-alb-ingress-controller:v1.1.0
          imagePullPolicy: Always
          name: server
          resources: {}
          terminationMessagePath: /dev/termination-log
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      securityContext: {}
      terminationGracePeriodSeconds: 30
      # The alb-ingress service account and its RBAC bindings come from the controller's
      # setup guide. serviceAccount is the deprecated alias of serviceAccountName.
      serviceAccountName: alb-ingress
      serviceAccount: alb-ingress
# Requires the ALB Ingress Controller (with its alb-ingress service account and RBAC)
# to be deployed to the cluster first:
# https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/controller/setup/
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
        - name: nginx
          image: nginx:1.7.9
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
    - port: 80
      protocol: TCP
      targetPort: 80
  # The controller's default target type (instance) registers the worker nodes in the
  # ALB target group by node port, so the Service must be of type NodePort.
  type: NodePort
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "alb"
    # internal: the ALB only gets private addresses and is reachable from inside the VPC
    # (and from networks peered or VPN-connected to it). List private subnets of the
    # cluster VPC; an ALB needs at least two subnets in different availability zones.
    alb.ingress.kubernetes.io/scheme: internal
    alb.ingress.kubernetes.io/subnets: 'subnet-xxxx,subnet-xxxx,subnet-xxxx'
  name: nginx-ingress
spec:
  rules:
    - http:
        paths:
          - path: /
            backend:
              serviceName: nginx-service
              servicePort: 80