What happened?
Autogenerated nodegroup role's *PolicyALBIngress policy doesn't have any wafv2 allow actions. Because of that AWS ALB ingress controller is unable to configure WAF due to lack of permissions:
E0508 11:09:33.764826 1 controller.go:217] kubebuilder/controller "msg"="Reconciler error" "error"="failed get WAFv2 webACL for load balancer arn:aws:elasticloadbalancing:eu-central-1:REDACTED:loadbalancer/app/e0d27dff-default-appingres-350b/REDACTED: AccessDeniedException: User: arn:aws:sts::REDACTED:assumed-role/eksctl-auth-branch-nodegroup-auth-NodeInstanceRole-WROWGI7AAD3M/i-REDACTED is not authorized to perform: wafv2:GetWebACLForResource on resource: arn:aws:wafv2:eu-central-1:REDACTED:regional/webacl/*\n\tstatus code: 400, request id: REDACTED" "controller"="alb-ingress-controller" "request"={"Namespace":"default","Name":"app-ingress"}
What you expected to happen?
Appropriate WAF permissions should be given for the ALB Ingress controller to work with WAF.
How to reproduce it?
Create a cluster using
Check missing wafv2 permissions in generated *PolicyALBIngress policy.
Use WAF feature of AWS ALB ingress controller https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#waf
Anything else we need to know?
#2068 PR fixes the problem of missing wafv2 permissions.
Versions
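One way to do the "check missing wafv2 permissions" step offline, as an added example that is not part of the original issue or of eksctl: a small evaluator that reports whether an IAM policy document grants the action named in the error above. The two policy documents are constructed samples, not eksctl's real generated policy, and the function names are hypothetical; Resource and Condition elements are not evaluated.

```python
import re

# Action named in the AccessDeniedException in the controller log above.
REQUIRED_ACTION = "wafv2:GetWebACLForResource"

# Constructed sample documents, not eksctl's real generated policy.
POLICY_WITHOUT_WAFV2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "elasticloadbalancing:DescribeLoadBalancers",
        "waf-regional:GetWebACLForResource"]}]}
POLICY_WITH_WAFV2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
        "elasticloadbalancing:DescribeLoadBalancers",
        "wafv2:GetWebACLForResource"]}]}


def _as_list(value):
    # IAM allows a single string/object where a list is expected.
    return value if isinstance(value, list) else [value]


def _pattern_matches(pattern, action):
    # Action patterns are case-insensitive; '*' is any run, '?' one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _statement_covers(stmt, action):
    if "Action" in stmt:
        return any(_pattern_matches(p, action) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:  # covers everything except the listed patterns
        return not any(_pattern_matches(p, action)
                       for p in _as_list(stmt["NotAction"]))
    return False


def action_decision(policy, action=REQUIRED_ACTION):
    """Return 'deny', 'allow' or 'missing' for one policy document."""
    covering = [s for s in _as_list(policy.get("Statement", []))
                if _statement_covers(s, action)]
    if any(s.get("Effect") == "Deny" for s in covering):
        return "deny"  # an explicit Deny overrides any Allow
    if any(s.get("Effect") == "Allow" for s in covering):
        return "allow"
    return "missing"  # implicit deny: the state this issue reports


if __name__ == "__main__":
    for name in ("POLICY_WITHOUT_WAFV2", "POLICY_WITH_WAFV2"):
        print(name, "->", action_decision(globals()[name]))
```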