How do I set up the ALB Ingress Controller on an Amazon EC2 node group in Amazon EKS?

Last updated: 2020-01-29

I want to set up the ALB Ingress Controller on an Amazon Elastic Compute Cloud (Amazon EC2) node group in Amazon Elastic Kubernetes Service (Amazon EKS).

Short Description

The following steps show you how to deploy the ALB Ingress Controller on an Amazon EC2 node group.

To deploy the ALB Ingress Controller on AWS Fargate, see How do I set up the ALB Ingress Controller on an Amazon EKS cluster for Fargate?

Resolution

Create an IAM policy for the ALB Ingress Controller

The Amazon EKS policy that you create allows the ALB Ingress Controller to make calls to AWS APIs on your behalf. It's a best practice to use AWS Identity and Access Management (IAM) roles for service accounts when you give access to AWS APIs.

1.    To download an IAM policy document for the ALB Ingress Controller from AWS GitHub, run the following command:

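curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/version/docs/examples/iam-policy.json

Note: Replace version with the version of the ALB Ingress Controller that you want to deploy.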

2.    To create an IAM policy named ALBIngressControllerIAMPolicy for your worker node instance profile, run the following command:

aws iam create-policy \
--policy-name ALBIngressControllerIAMPolicy \
--policy-document file://iam-policy.json

3.    Note the policy Amazon Resource Name (ARN) that's returned in the output from step 2.

4.    Use the existing IAM role or create a new IAM role for the ALB Ingress Controller.

Note: If you're using eksctl to create an IAM role, use the --attach-policy-arn parameter with the ARN of the IAM policy ALBIngressControllerIAMPolicy.

5.    To attach ALBIngressControllerIAMPolicy to IAM roles that you identified earlier, run the following command:

aws iam attach-role-policy \
--policy-arn arn:aws:iam::111122223333:policy/ALBIngressControllerIAMPolicy \
--role-name role-name

Note: Replace 111122223333 with your AWS account ID and role-name with your IAM role name.

6.    To download the manifest that creates a service account, cluster role, and cluster role binding for the ALB Ingress Controller, run the following command:

curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/version/docs/examples/rbac-role.yaml

Note: Replace version with the version of the ALB Ingress Controller that you want to deploy.

7.    Open the rbac-role.yaml file in a text editor, and then make the following changes only to the ServiceAccount section of the file:

apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/name: alb-ingress-controller
  annotations:                                                                        # Add the annotations line
    eks.amazonaws.com/role-arn: arn:aws:iam::111122223333:role/role-name              # Add the IAM role
  name: alb-ingress-controller
  namespace: kube-system

Note: Replace 111122223333 with your AWS account ID and role-name with your IAM role name.

8.    Save the rbac-role.yaml file, and then run the following command:

kubectl apply -f rbac-role.yaml
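
Added example (not part of the original article or the controller project): the eks.amazonaws.com/role-arn annotation from step 7 only works if the role's trust policy trusts the cluster's OIDC provider, and that trust should be limited to the alb-ingress-controller service account in kube-system. The Python check below audits a trust policy document for this; the Region and OIDC provider ID in the sample are constructed placeholders, and the function name is hypothetical.

```python
import json

# Constructed sample: account ID, Region and OIDC provider ID are placeholders.
OIDC = "oidc.eks.us-west-2.amazonaws.com/id/EXAMPLE0123456789"
EXPECTED_SUB = "system:serviceaccount:kube-system:alb-ingress-controller"

SAMPLE_TRUST = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{OIDC}:sub": EXPECTED_SUB}},
    }],
})

def _as_list(value):
    # IAM allows a single string or a list for Statement, Action and condition values.
    return value if isinstance(value, list) else [value]

def audit_trust_policy(document, expected_sub=EXPECTED_SUB):
    """Return findings; an empty list means the role is scoped to expected_sub."""
    findings, web_identity = [], 0
    for i, stmt in enumerate(_as_list(json.loads(document).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        web_identity += 1
        subs = []
        for operator, keys in stmt.get("Condition", {}).items():
            for key, value in keys.items():
                if not key.endswith(":sub"):
                    continue
                if operator != "StringEquals":
                    findings.append(f"statement {i}: {operator} on {key}; use StringEquals")
                subs += _as_list(value)
        if not subs:
            findings.append(f"statement {i}: no :sub condition; any service "
                            "account in the cluster can assume the role")
        findings += [f"statement {i}: unexpected subject {s}"
                     for s in subs if s != expected_sub]
    if web_identity == 0:
        findings.append("no sts:AssumeRoleWithWebIdentity statement; pods cannot "
                        "assume the role through the service account annotation")
    return findings
```

To audit a real role, pass in the JSON returned by aws iam get-role --role-name role-name --query 'Role.AssumeRolePolicyDocument'.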

Deploy the ALB Ingress Controller

1.    Verify that tags exist for the load balancer associated with your subnets.

2.    To download the manifest file from AWS GitHub, run the following command:

curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/version/docs/examples/alb-ingress-controller.yaml

Note: Replace version with the version of the ALB Ingress Controller that you want to deploy.

3.    In the downloaded manifest file, add the cluster-name for your cluster after the --ingress-class=alb line, and then save and close the file. See the following example:

spec:
  containers:
  - args:
    - --ingress-class=alb
    - --cluster-name=cluster-name   # Add the name of your cluster

4.    If you need the Amazon Virtual Private Cloud (Amazon VPC) ID, run the following command in the AWS Command Line Interface (AWS CLI):

aws eks describe-cluster --name cluster-name --query 'cluster.resourcesVpcConfig.vpcId' --output text

5.    To deploy the ALB Ingress Controller, run the following command:

kubectl apply -f alb-ingress-controller.yaml

Deploy a sample application to test the ALB Ingress Controller

Deploy a sample application to verify that the ALB Ingress Controller creates an Application Load Balancer because of the Ingress object.

1.    To deploy a game called 2048 as a sample application, run the following commands:

kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/version/docs/examples/2048/2048-namespace.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/version/docs/examples/2048/2048-deployment.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/version/docs/examples/2048/2048-service.yaml
kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/version/docs/examples/2048/2048-ingress.yaml

2.    To verify that the Ingress resource was created, wait a few minutes, and then run the following command:

kubectl get ingress/2048-ingress -n 2048-game

You receive output similar to the following:

NAME           HOSTS    ADDRESS                                                                 PORTS       AGE
2048-ingress   *        example-2048game-2048ingr-6fa0-352729433.us-west-2.elb.amazonaws.com    80          24h

If your Ingress is not created after several minutes, run the following command to view the ALB Ingress Controller logs:

kubectl logs -n kube-system deployment.apps/alb-ingress-controller

Note: ALB Ingress Controller logs can contain error messages to help you troubleshoot issues with your deployment.

3.    To see the sample application, open a web browser, and then navigate to the URL address from the output in step 2.

4.    To clean up the sample application, run the following command:

kubectl delete -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/version/docs/examples/2048/2048-namespace.yaml

Note: Replace version with the version of the ALB Ingress Controller that you want to deploy.

