-
Notifications
You must be signed in to change notification settings - Fork 4.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fully support AWS Load Balancer Controller addon #11446
Comments
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
/remove-lifecycle stale Sorry this issue slipped passed me. Will this work for you? |
/kind feature |
Worth a try at least 😊 |
1. What
kops
version are you running? The commandkops version
, will displaythis information.
2. What Kubernetes version are you running?
kubectl version
will print theversion if a cluster is running or provide the Kubernetes version specified as
a
kops
flag.v1.20.6
3. What cloud provider are you using?
AWS
4. What commands did you run? What is the simplest way to reproduce this issue?
Create a new kops cluster with the AWS Load Balance Controller enabled.
5. What happened after the commands executed?
Failure to use certificates in ALB
6. What did you expect to happen?
All features on the AWS ALB supported
When enabling the AWS Load Balancer Controller today there are some limitations due to lack of permissions. The IAM role (for kops 1.20) does not have enough permissions on the AWS account to support all the features (annotations).
When enabling the add-on with:
The "default" IAM policy document mentioned in the deployment guide for the ALB contains a lot of permissions that are needed to support for example TLS termination in the ALB.
If I for example enable HTTP->HTTPS redirect with:
in my ingress I will get errors:
Had some discussions in the kops-dev slack channel regarding a different missing policy #11393 with @olemarkus so decided to create an issue for this.
When testing I found that I (at least) need the following permissions to use TLS and to modify rules:
But a better way would probably be to look at the policy document linked above.
The text was updated successfully, but these errors were encountered: