Networking & Content Delivery
Deploying AWS Load Balancer Controller on Amazon EKS
Customers use AWS Network Load Balancer (NLB), Classic Load Balancer (CLB), or Application Load Balancer (ALB) as load balancers or ingress for Amazon Elastic Kubernetes Service (Amazon EKS) clusters. AWS Load Balancer Controller is designed to manage Elastic Load Balancers for a Kubernetes cluster: it satisfies Kubernetes Ingress resources by provisioning ALBs and Kubernetes Services of type LoadBalancer by provisioning NLBs. Deploying AWS Load Balancer Controller on existing EKS clusters requires multiple manual steps, which is hard to manage at scale. This post automates those manual deployment steps for existing EKS clusters.
The AWS Load Balancer Controller adds value by automating and streamlining the load balancer configuration process. Some of the key benefits of using the AWS Load Balancer Controller include:
- Simplified Load Balancer Configuration: It simplifies the process of creating and configuring AWS load balancers within a Kubernetes cluster. This automation reduces the manual work required to set up and manage load balancers.
- Integration with Kubernetes: It integrates seamlessly with Kubernetes, allowing you to define and manage load balancer resources using Kubernetes manifests and annotations.
- Cost Optimization: load balancers are created, updated and removed together with the Kubernetes resources that need them, so there is less hand-maintained configuration and fewer orphaned load balancers to pay for.
- Automatic Target Group Registration: It can automatically register pods with the appropriate target groups based on the Kubernetes service definitions, which simplifies scaling and makes sure that traffic is directed to the correct pods.
- Dynamic Updates: The AWS Load Balancer Controller can dynamically update load balancer configurations in response to changes in your Kubernetes services and pods. This helps make sure that your applications are highly available and can scale seamlessly.
- Support for Advanced Features: It supports path-based routing, TLS (SSL) termination, and integration with AWS WAF, all configured through annotations on the Ingress or Service resource.
The following figures show the anatomy and possibilities for AWS Load Balancer Controller with Amazon EKS.
Figure 1: IP target mode with AWS Load Balancer Controller and Amazon EKS
Figure 2: Instance mode with AWS Load Balancer Controller and Amazon EKS
One-click install solution overview
This AWS CloudFormation solution automates the manual deployment aspects of AWS Load Balancer Controller for an existing EKS cluster. Done by hand, the deployment involves the following steps:
- creating an AWS Identity and Access Management (IAM) policy that allows AWS Load Balancer Controller to make AWS API calls,
- creating a Kubernetes service account and attaching the IAM policy and its associated role to that service account,
- configuring the AWS Security Token Service (STS) endpoint type used by your Kubernetes service account,
- installing cert-manager and AWS Load Balancer Controller by applying their Kubernetes manifests, and
- verifying the installation.
The solution automates all of the preceding manual steps. The following figure describes the solution. The CloudFormation template creates an IAM policy for AWS Load Balancer Controller that allows it to call AWS APIs, together with a role that the controller's service account assumes through the cluster's OIDC provider (sts:AssumeRoleWithWebIdentity):
- It creates an IAM role whose trust policy references the OpenID Connect (OIDC) provider ID you supply as a stack parameter.
- It also creates an AWS Lambda function that creates a Kubernetes service account named aws-load-balancer-controller annotated with that IAM role.
- The Lambda function deploys cert-manager and AWS Load Balancer Controller by applying the default YAML manifests from the official documentation to the EKS cluster.
To grant the Lambda function access to the Amazon EKS API, follow this AWS post on creating a Lambda IAM role and authorizing that role to administer the EKS cluster. Because that role is cluster-admin for every cluster it is mapped into, treat the ability to update or invoke the function as equivalent to cluster-admin and restrict it accordingly.
Figure 3: Solution overview
Solution deployment
You can deploy this solution into your AWS account using a CloudFormation template.
Prerequisites
For this walkthrough, you should have the following prerequisites:
- An AWS account.
- An existing Amazon EKS cluster. To deploy one, see Getting started with Amazon EKS.
- An existing IAM OIDC provider for your cluster. To determine whether you already have one, or need to create one, see Creating an IAM OIDC provider for your cluster.
- Make sure that your Amazon Virtual Private Cloud (Amazon VPC) CNI plugin for Kubernetes, kube-proxy, and CoreDNS add-ons are at the minimum versions listed in Service account tokens.
- An IAM role for the Lambda function; you must configure the EKS cluster to authorize this role to administer the cluster – see Simplifying Kubernetes Configurations using AWS Lambda.
- Download the Lambda code (function.zip) from GitHub and upload it to an Amazon Simple Storage Service (Amazon S3) bucket.
Deploying through CloudFormation template
In this section we deploy the following:
- IAM policy and role for the Kubernetes service account of AWS Load Balancer Controller:
  - AmazonEKSLoadBalancerControllerRole
  - AWSLoadBalancerControllerIAMPolicy
- Lambda function that:
  - creates the Kubernetes service account for AWS Load Balancer Controller and annotates it with AmazonEKSLoadBalancerControllerRole
  - installs cert-manager
  - installs AWS Load Balancer Controller
  - deploys the IngressClass and IngressClass parameters
- Amazon CloudWatch Logs:
  - LambdaLogGroupForEKSALBInstaller, with seven days retention
Steps to deploy the CloudFormation template
- Download the yaml file.
- Navigate to the CloudFormation console in your AWS account.
- Choose Create stack.
- Choose Template is ready, upload a template file, and navigate to the yaml file that you just downloaded.
- Choose Next. Give the stack a name (max. length 30 characters), provide your EKS cluster name, OIDC provider ID, AWS account ID, AWS Region, and the S3 bucket holding the Lambda code, then select Next. The following figure shows the input parameters expected for this CloudFormation stack.
Figure 4: Parameters for CloudFormation stack
- Add tags if desired, and select Next.
- Scroll to Capabilities at the bottom of the screen, and check the box I acknowledge that AWS CloudFormation might create IAM resources with custom names, and then Create stack.
- Wait for the stack creation to complete.
Once the stack is deployed successfully, navigate to the Lambda console and run the Lambda function using the Test option with the default test event. This installs the AWS Load Balancer Controller in the cluster. To verify the installation, open your EKS cluster in the console and check IngressClasses under Resources (equivalently, run kubectl get ingressclass). The following figure shows what a successful installation of AWS Load Balancer Controller looks like in the Amazon EKS console.
Figure 5: Successful installation of AWS Load Balancer Controller
You can test the AWS Load Balancer Controller by deploying a sample application. This solution can be reused for other clusters in the same account and AWS Region by changing the Cluster Name and OIDC Provider ID environment variables of the Lambda function. The trusted entities of the previously created IAM role must also be updated to include that cluster's OIDC provider ID; until they are, the controller's service account in the new cluster cannot assume the role and the controller cannot call AWS APIs.
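The trust-policy update is where reuse across clusters most often goes wrong, and it is also the security boundary of the whole setup: the role should be assumable only by the aws-load-balancer-controller service account in kube-system of each listed cluster, never by any pod that can obtain a projected token. The following added example (not code from the post's CloudFormation template or Lambda function) builds a trust policy with one statement per cluster, audits an existing trust policy for the two IRSA conditions that must be pinned (aud and sub), and checks that the service account annotation points at the role. The account ID, region, OIDC provider IDs and sample manifests are constructed for illustration; the role and service account names are the ones the stack uses.

```python
"""Audit the IRSA wiring for the AWS Load Balancer Controller service account.

Added example, not code from the blog post's CloudFormation template or Lambda
function. Account ID, region, OIDC provider IDs and sample documents are constructed.
"""
import json

# Constructed sample values (hypothetical account, region and OIDC provider IDs).
ACCOUNT_ID = "111122223333"
REGION = "us-east-1"
OIDC_ID = "EXAMPLED539D4633E53DE1B71EXAMPLE"         # first cluster
SECOND_OIDC_ID = "EXAMPLE2A7B3C4D5E6F7A8B9C0D1E2F3"  # second cluster, for reuse
NAMESPACE = "kube-system"
SERVICE_ACCOUNT = "aws-load-balancer-controller"
ROLE_NAME = "AmazonEKSLoadBalancerControllerRole"    # role created by the stack


def oidc_provider(region, oidc_id):
    """Host/path form of the cluster's OIDC issuer, as used in IAM condition keys."""
    return f"oidc.eks.{region}.amazonaws.com/id/{oidc_id}"


def irsa_statement(account_id, region, oidc_id, namespace, service_account):
    """One statement letting exactly one service account of one cluster assume the role."""
    provider = oidc_provider(region, oidc_id)
    return {
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
                # aud: the projected token must have been minted for STS.
                f"{provider}:aud": "sts.amazonaws.com",
                # sub: pin namespace and name; without it any pod in the cluster that
                # can mount a service account token could assume the role.
                f"{provider}:sub": f"system:serviceaccount:{namespace}:{service_account}",
            }
        },
    }


def build_trust_policy(account_id, region, oidc_ids, namespace, service_account):
    """One statement per cluster; adding a cluster's OIDC provider ID here is the
    'trusted entities' update needed when the Lambda function is reused."""
    return {
        "Version": "2012-10-17",
        "Statement": [irsa_statement(account_id, region, o, namespace, service_account)
                      for o in oidc_ids],
    }


def audit_trust_policy(policy, namespace, service_account):
    """Return findings for statements that do not pin both aud and sub; [] is clean."""
    findings = []
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    for i, stmt in enumerate(policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        if "Federated" not in principal:
            findings.append(f"statement {i}: principal is not an OIDC provider")
            continue
        provider = principal["Federated"].split(":oidc-provider/", 1)[-1]
        cond = stmt.get("Condition", {})
        equals = cond.get("StringEquals", {})
        if equals.get(f"{provider}:aud") != "sts.amazonaws.com":
            findings.append(f"statement {i}: aud is not pinned to sts.amazonaws.com")
        sub = equals.get(f"{provider}:sub")
        if sub is None and f"{provider}:sub" in cond.get("StringLike", {}):
            findings.append(f"statement {i}: sub uses a StringLike pattern; use StringEquals")
        elif sub != expected_sub:
            findings.append(f"statement {i}: sub is {sub!r}, expected {expected_sub!r}")
    return findings


def audit_service_account(sa_manifest, account_id, role_name):
    """The pod identity webhook only injects a web-identity token when the
    eks.amazonaws.com/role-arn annotation names the role exactly."""
    expected = f"arn:aws:iam::{account_id}:role/{role_name}"
    annotations = sa_manifest.get("metadata", {}).get("annotations") or {}
    actual = annotations.get("eks.amazonaws.com/role-arn")
    return [] if actual == expected else [f"role-arn is {actual!r}, expected {expected!r}"]


# Constructed sample: trust policy that pins aud but forgets sub (too broad).
_PROVIDER = oidc_provider(REGION, OIDC_ID)
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{_PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{_PROVIDER}:aud": "sts.amazonaws.com"}},
    }],
}

# Constructed sample: the service account as `kubectl get sa -o json` would show it.
SAMPLE_SERVICE_ACCOUNT = {
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": SERVICE_ACCOUNT, "namespace": NAMESPACE,
                 "annotations": {"eks.amazonaws.com/role-arn":
                                 f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"}},
}

if __name__ == "__main__":
    policy = build_trust_policy(ACCOUNT_ID, REGION, [OIDC_ID, SECOND_OIDC_ID],
                                NAMESPACE, SERVICE_ACCOUNT)
    print(json.dumps(policy, indent=2))
    print("two-cluster policy:", audit_trust_policy(policy, NAMESPACE, SERVICE_ACCOUNT))
    print("weak policy:", audit_trust_policy(WEAK_TRUST_POLICY, NAMESPACE, SERVICE_ACCOUNT))
    print("service account:", audit_service_account(SAMPLE_SERVICE_ACCOUNT, ACCOUNT_ID, ROLE_NAME))
```

To audit a live role, feed `aws iam get-role --role-name AmazonEKSLoadBalancerControllerRole --query Role.AssumeRolePolicyDocument` into audit_trust_policy and `kubectl get sa -n kube-system aws-load-balancer-controller -o json` into audit_service_account. A policy that passes the aud check but fails the sub check is the typical result of hand-editing the trusted entities for a second cluster.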
Cost considerations
This solution uses a Lambda function that makes API calls and creates a CloudWatch Logs log group with a seven-day retention period. Pricing details are available on the CloudWatch and Lambda pricing pages.
Cleaning up
If you decide that you no longer want to keep the solution and its associated resources, navigate to CloudFormation in the AWS Management Console, choose the stack you deployed earlier, and choose Delete. Once that finishes, the IAM policy and role, the Lambda function and the log group are deleted. The Kubernetes objects the function applied (cert-manager, the controller deployment and its service account) are not CloudFormation resources and remain in the cluster; remove them with kubectl if you no longer need the controller, since without the IAM role it can no longer call AWS APIs.
Conclusion
This solution helps you quickly install AWS Load Balancer Controller from a pre-built Lambda function that can be re-used for all your EKS clusters within your account and AWS Region.