How do I set up the AWS Load Balancer Controller on an Amazon EKS cluster for Fargate and deploy the 2048 game?

Last updated: 2022-08-08

I want to set up the AWS Load Balancer Controller on an Amazon Elastic Kubernetes Service (Amazon EKS) cluster for AWS Fargate. Then, I want to deploy the 2048 game.

Short description

The following steps show how to set up the AWS Load Balancer Controller on a new Fargate cluster. You set up the AWS Load Balancer Controller without any existing Application Load Balancer (ALB) Ingress Controller deployments.

Before you get started, consider the following:

  • Uninstall the AWS ALB Ingress Controller for Kubernetes. The AWS Load Balancer Controller replaces the functionality of the AWS ALB Ingress Controller.
  • Use eksctl version 0.97.0 or greater.
  • Install Helm on the workstation.
  • The --region variable isn't always used in the commands because the default value for your AWS Region is used. To check the default value, run the aws configure command. To change the AWS Region, use the --region flag.
  • Amazon EKS on Fargate is available in all AWS Regions, except China (Beijing), China (Ningxia), AWS GovCloud (US-East), and AWS GovCloud (US-West).
  • Replace placeholder values in code snippets with your own values.

Resolution

Create an Amazon EKS cluster, service account policy, and RBAC policies

1.    To use eksctl to create an Amazon EKS cluster for Fargate, run this command:

eksctl create cluster --name YOUR_CLUSTER_NAME --version 1.21 --fargate

Note: You don't need to create a Fargate pod execution role for clusters that use only Fargate pods (--fargate).

2.    To allow the cluster to use AWS Identity and Access Management (IAM) for service accounts, run this command:

eksctl utils associate-iam-oidc-provider --cluster YOUR_CLUSTER_NAME --approve

Note: The FargateExecutionRole is the role that the kubelet and kube-proxy use to run your Fargate pod. However, it's not the role for the Fargate pod itself (that is, the aws-load-balancer-controller). For Fargate pods, you must use the IAM role for the service account. For more information, see IAM roles for service accounts.

3.    To download an IAM policy that allows the AWS Load Balancer Controller to make calls to AWS APIs on your behalf, run this command:

curl -o iam_policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.1/docs/install/iam_policy.json

4.    To create an IAM policy using the policy that you downloaded in step 3, run this command:

aws iam create-policy \
   --policy-name AWSLoadBalancerControllerIAMPolicy \
   --policy-document file://iam_policy.json

5.    To create a service account named aws-load-balancer-controller in the kube-system namespace for the AWS Load Balancer Controller, run this command:

eksctl create iamserviceaccount \
  --cluster=YOUR_CLUSTER_NAME \
  --namespace=kube-system \
  --name=aws-load-balancer-controller \
  --attach-policy-arn=arn:aws:iam::<AWS_ACCOUNT_ID>:policy/AWSLoadBalancerControllerIAMPolicy \
  --override-existing-serviceaccounts \
  --approve

6.    To verify that the new service role was created, run this command:

eksctl get iamserviceaccount --cluster YOUR_CLUSTER_NAME --name aws-load-balancer-controller --namespace kube-system

-or-

kubectl get serviceaccount aws-load-balancer-controller --namespace kube-system
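
Steps 3 and 4 turn a policy file downloaded from GitHub into the permissions of the controller's service account, so it helps to read what the file grants before running create-policy. The following Python script is an added example, not part of the original article or the controller project: it lists the non-read-only actions that a policy allows on Resource "*" with no Condition. The embedded policy and its tag key are constructed samples, and the check assumes that statements use Action and Resource rather than NotAction or NotResource.

```python
import json
import sys

# Constructed sample shaped like an IAM policy document. It is NOT the
# contents of the controller's iam_policy.json; the tag key is made up.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:DescribeSubnets", "ec2:DescribeVpcs"]},
        {"Effect": "Allow", "Resource": "*",
         "Action": "ec2:CreateSecurityGroup"},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["elasticloadbalancing:DeleteLoadBalancer"],
         "Condition": {"Null": {"aws:ResourceTag/example-cluster-tag": "false"}}},
        {"Effect": "Allow",
         "Resource": "arn:aws:iam::111122223333:role/example-role",
         "Action": "iam:CreateServiceLinkedRole"},
    ],
}

READ_ONLY_PREFIXES = ("Describe", "Get", "List")

def as_list(value):
    """IAM accepts either a single value or a list for these fields."""
    return value if isinstance(value, list) else ([] if value is None else [value])

def unscoped_write_actions(policy):
    """Actions allowed on Resource "*" with no Condition that are not read-only."""
    findings = []
    for stmt in as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue  # denies and condition-scoped statements are not flagged
        if "*" not in as_list(stmt.get("Resource")):
            continue  # resource-scoped statements are not flagged
        for action in as_list(stmt.get("Action")):
            name = action.split(":", 1)[-1]  # drop the service prefix
            if not name.startswith(READ_ONLY_PREFIXES):
                findings.append(action)
    return findings

if __name__ == "__main__":
    # Audit the file given as the first argument, else the constructed sample.
    policy = SAMPLE_POLICY
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            policy = json.load(fh)
    for action in unscoped_write_actions(policy):
        print("review before create-policy:", action)
```

To check the file from step 3, pass iam_policy.json as the first argument.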

Install the AWS Load Balancer Controller using Helm

Important: For more information, see cert-manager on the Jetstack GitHub site, and the discussion topic Cert-manager issues with Fargate on the Kubernetes GitHub site.

1.    To add the Amazon EKS chart repo to Helm, run this command:

helm repo add eks https://aws.github.io/eks-charts

2.    To install the TargetGroupBinding custom resource definitions (CRDs), run this command:

kubectl apply -k "github.com/aws/eks-charts/stable/aws-load-balancer-controller//crds?ref=master"

3.    To install the Helm chart, run this command:

helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
    --set clusterName=YOUR_CLUSTER_NAME \
    --set serviceAccount.create=false \
    --set region=YOUR_REGION_CODE \
    --set vpcId=<VPC_ID> \
    --set serviceAccount.name=aws-load-balancer-controller \
    -n kube-system

Test the AWS Load Balancer Controller

You can use the AWS Load Balancer Controller to create either an ALB for an Ingress or a Network Load Balancer for a Kubernetes Service. The following steps show how to deploy a sample app called 2048 with ALB Ingress.

1.    To create a Fargate profile that's required for the game deployment, run this command:

eksctl create fargateprofile --cluster your-cluster --region your-region-code --name your-alb-sample-app --namespace game-2048

2.    To deploy the sample game and verify that the AWS Load Balancer Controller creates an ALB Ingress resource, run this command:

kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.1/docs/examples/2048/2048_full.yaml

3.    After a few minutes, run this command to verify that the Ingress resource was created:

kubectl get ingress/ingress-2048 -n game-2048

Output:

NAME           CLASS    HOSTS   ADDRESS                                                                   PORTS   AGE
ingress-2048   <none>   *       k8s-game2048-ingress2-xxxxxxxxxx-yyyyyyyyyy.us-east-2.elb.amazonaws.com   80      2m32s

Note: If your Ingress isn't created after several minutes, then run this command to view the AWS Load Balancer Controller logs:

kubectl logs -n kube-system deployment.apps/aws-load-balancer-controller

Note: Your logs might contain error messages that can help you diagnose issues with your deployment.

4.    Open a browser and navigate to the ADDRESS URL from the previous command output to view the sample application.

Note: You might need to wait a few minutes, and then refresh your browser.

Deploy a sample application with the NLB IP mode service

To use the Network Load Balancer (NLB) IP mode, your cluster must run Kubernetes v1.16 or higher.

1.    To create a Fargate profile, run this command:

eksctl create fargateprofile --cluster your-cluster --region your-region-code --name your-alb-sample-app --namespace game-2048

2.    To get the manifest for deploying the 2048 game, run this command:

curl -o 2048-game.yaml https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.1/docs/examples/2048/2048_full.yaml

3.    In the manifest from step 2, delete this Ingress section:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  namespace: game-2048
  name: ingress-2048
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend:
              serviceName: service-2048
              servicePort: 80

4.    Modify the Service object:

apiVersion: v1
kind: Service
metadata:
  namespace: game-2048
  name: service-2048
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    service.beta.kubernetes.io/aws-load-balancer-type: external
    service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: app-2048

5.    To create the service and deployment manifest, run this command:

kubectl apply -f 2048-game.yaml

6.    To check for service creation and the DNS name of the Network Load Balancer, run this command:

kubectl get svc -n game-2048

Output:

NAME           TYPE           CLUSTER-IP       EXTERNAL-IP                                                               PORT(S)        AGE
service-2048   LoadBalancer   10.100.114.197   k8s-game2048-service2-xxxxxxxxxx-yyyyyyyyyy.us-east-2.elb.amazonaws.com   80:30159/TCP   23m

7.    Wait a few minutes until the load balancer is active. Then, to check that you can reach the deployment, open the fully qualified domain name (FQDN) of the Network Load Balancer that's referenced in the EXTERNAL-IP section in a web browser.

Troubleshoot the AWS Load Balancer Controller

If you have issues setting up the controller, run these commands:

$ kubectl logs -n kube-system deployment.apps/aws-load-balancer-controller
$ kubectl get endpoints -n game-2048
$ kubectl get ingress/ingress-2048 -n game-2048

The output from the logs command returns error messages (for example, with tags or subnets) that can help you troubleshoot common errors (from the Kubernetes GitHub website). The get endpoints command shows you if the backend deployment pods are correctly registered. The get ingress command shows you if Ingress resources are deployed.

