はじめに
AWS Load Balancer Controller
にIRSAが設定できていない場合、kubectlでingressリソースをデプロイしてもALBが立ち上がらないので対処をまとめる。
現象
下記の内容でAWS Load Balancer Controllerをデプロイする。
eks_cluster.tf
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "18.0.5"

  # Cluster identity and network placement; nodes are placed in the private subnets.
  cluster_name    = "eks-cluster"
  cluster_version = "1.22"
  vpc_id          = module.vpc.vpc_id
  subnet_ids      = module.vpc.private_subnets

  # IRSA: expose the cluster's OIDC issuer so IAM roles can trust Kubernetes
  # service accounts. The role and its trust policy live in aws_lb_controller.tf.
  enable_irsa = true

  eks_managed_node_groups = {
    eks_node_group = {
      instance_types = ["t2.medium"]
      desired_size   = 2
    }
  }

  # Control plane -> nodes on the TCP ephemeral port range.
  cluster_security_group_additional_rules = {
    egress_nodes_ephemeral_ports_tcp = {
      type                       = "egress"
      protocol                   = "tcp"
      from_port                  = 1025
      to_port                    = 65535
      description                = "To node 1025-65535"
      source_node_security_group = true
    }
  }

  node_security_group_additional_rules = {
    # Control plane -> nodes on every TCP port, so admission webhooks are reachable.
    # NOTE(review): this is far wider than a webhook needs; narrowing it to the
    # webhook port(s) actually in use would be a least-privilege improvement.
    admission_webhook = {
      type                          = "ingress"
      protocol                      = "tcp"
      from_port                     = 0
      to_port                       = 65535
      description                   = "Admission Webhook"
      source_cluster_security_group = true
    }

    # Node <-> node, all protocols and ports.
    ingress_self_all = {
      type        = "ingress"
      protocol    = "-1"
      from_port   = 0
      to_port     = 0
      description = "Node to node all ports/protocols"
      self        = true
    }

    # Nodes -> anywhere, IPv4 and IPv6. Unrestricted egress; tighten if the
    # environment requires it.
    egress_all = {
      type             = "egress"
      protocol         = "-1"
      from_port        = 0
      to_port          = 0
      description      = "Node all egress"
      cidr_blocks      = ["0.0.0.0/0"]
      ipv6_cidr_blocks = ["::/0"]
    }
  }
}
# Refresh the local kubeconfig whenever the cluster name changes. The command
# runs on the machine executing `terraform apply`, so it relies on that
# machine's AWS CLI and credentials and modifies that machine's kubeconfig.
resource "null_resource" "kubeconfig" {
  provisioner "local-exec" {
    command = "aws eks update-kubeconfig --name ${module.eks.cluster_id}"
  }

  triggers = {
    cluster_name = module.eks.cluster_id
  }
}
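# Service account the controller pods run as. The eks.amazonaws.com/role-arn
# annotation is what IRSA uses to hand the pod web-identity credentials for the
# role. Its name and namespace must match the subject in that role's trust
# policy exactly, so both are taken from the shared locals instead of repeating
# the literals (a typo in either silently breaks sts:AssumeRoleWithWebIdentity).
resource "kubernetes_service_account" "aws_loadbalancer_controller" {
  metadata {
    name      = local.sa_name
    namespace = local.albc_ns
    annotations = {
      "eks.amazonaws.com/role-arn" = module.iam_assumable_role_admin.iam_role_arn
    }
  }
}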
# Cluster details looked up by name. Its identity.oidc.issuer attribute is
# what the IRSA fix below reads to register the OIDC identity provider, and
# its name feeds the Helm chart's clusterName value.
data "aws_eks_cluster" "eks" {
name = module.eks.cluster_id
}
# Short-lived authentication token for the cluster API. Presumably consumed by
# the kubernetes/helm provider configuration, which is not shown here. Like any
# data source result it is persisted in Terraform state, so protect the state.
data "aws_eks_cluster_auth" "eks" {
name = module.eks.cluster_id
}
aws_lb_controller.tf
# Single source of truth for where the controller lives. The service account,
# the Helm release and the IRSA trust-policy subject all have to agree on these
# two values, otherwise the pod cannot assume its role.
locals {
  sa_name = "aws-load-balancer-controller"
  albc_ns = "kube-system"
}
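# IAM policy document published with the controller release. The tag in this
# URL must track the controller version actually deployed (image.tag v2.4.2 in
# the Helm release): the document shipped with an older release can lack actions
# the newer controller needs, which shows up as AccessDenied at reconcile time.
# The document is fetched over the network at plan time; pin to a release tag
# (never a branch) so the fetched policy is stable, or vendor the JSON into the
# repository to drop the dependency on the remote host altogether.
data "http" "albc_policy_json" {
  url = "https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.2/docs/install/iam_policy.json"
}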
# Customer-managed policy created from the fetched document; it is attached to
# the IRSA role via role_policy_arns below.
resource "aws_iam_policy" "aws_loadbalancer_controller" {
  policy = data.http.albc_policy_json.body
  name   = "EKSIngressAWSLoadBalancerController"
}
# IAM role the controller assumes through the cluster's OIDC provider.
# NOTE(review): `system:serviceaccount:*:*` is a wildcard subject, so this trust
# policy accepts a token from any service account in any namespace of the
# cluster -- every workload with a projected token could use this role and the
# ELB/EC2 permissions attached to it. The corrected version further down pins
# the subject to the controller's own service account.
module "iam_assumable_role_admin" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
  version = "~> 4.0"

  create_role = true
  role_name   = "EKSIngressAWSLoadBalancerController"

  # Issuer URL with the scheme stripped, as the module expects.
  provider_url = replace(module.eks.cluster_oidc_issuer_url, "https://", "")

  role_policy_arns = [aws_iam_policy.aws_loadbalancer_controller.arn]

  oidc_subjects_with_wildcards = ["system:serviceaccount:*:*"]
}
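# Installs the controller with the chart's own service-account creation turned
# off, so the pods run as the IRSA-annotated account defined in eks_cluster.tf.
resource "helm_release" "aws-load-balancer-controller" {
  name       = local.sa_name
  namespace  = local.albc_ns
  repository = "https://aws.github.io/eks-charts"
  chart      = "aws-load-balancer-controller"
  version    = "1.4.2"

  # The annotated service account has to exist before the chart's Deployment
  # references it.
  depends_on = [
    kubernetes_service_account.aws_loadbalancer_controller,
  ]

  set {
    name  = "clusterName"
    value = data.aws_eks_cluster.eks.name
  }

  set {
    name  = "serviceAccount.create"
    value = false
  }

  # Same local as the kubernetes_service_account resource, so the account the
  # chart binds the pods to cannot drift from the one carrying the role
  # annotation and named in the trust-policy subject.
  set {
    name  = "serviceAccount.name"
    value = local.sa_name
  }

  # NOTE(review): the ECR registry region should match the cluster's region.
  # The error output quoted below names an us-east-2 OIDC issuer while this
  # repository is in ap-northeast-1 -- confirm which region the cluster is in.
  set {
    name  = "image.repository"
    value = "602401143452.dkr.ecr.ap-northeast-1.amazonaws.com/amazon/aws-load-balancer-controller"
  }

  # Keep in step with the release tag used for the IAM policy document.
  set {
    name  = "image.tag"
    value = "v2.4.2"
  }
}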
その後、kubectlでIngressをデプロイすると下記のようなエラーが発生し、ALBが立ち上がらない。
Failed build model due to WebIdentityErr: failed to retrieve credentials caused by: InvalidIdentityToken: No OpenIDConnect provider found in your account for https://oidc.eks.us-east-2.amazonaws.com/id/XXXXXXXXXX status code: 400, request id: xxxxxxxxxx
Failed build model due to WebIdentityErr: failed to retrieve credentials caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity status code: 403, request id: yyyyyyyyyyyyy
対応
下記のようにIRSAの設定を修正する。
aws_lb_controller.tf
...
# IDプロバイダを明記
# Reads the TLS certificate chain presented by the cluster's OIDC issuer; the
# SHA-1 fingerprint of the certificate is what IAM uses to pin the identity
# provider registered below.
data "tls_certificate" "my_certificate" {
  url = data.aws_eks_cluster.eks.identity[0].oidc[0].issuer
}
# Registers the cluster's OIDC issuer as an IAM identity provider so that STS
# can validate projected service-account tokens for AssumeRoleWithWebIdentity.
# NOTE(review): the EKS module above is invoked with enable_irsa = true, which
# normally creates this provider itself; IAM allows a single provider per issuer
# URL, so check that the two definitions do not collide.
resource "aws_iam_openid_connect_provider" "my_openid_connect_provider" {
  url             = data.aws_eks_cluster.eks.identity[0].oidc[0].issuer
  client_id_list  = ["sts.amazonaws.com"]
  thumbprint_list = [data.tls_certificate.my_certificate.certificates[0].sha1_fingerprint]
}
# IRSAを修正
# IAM role for the controller, trusted only by the controller's own service
# account: the subject is fully qualified (namespace + name) and the audience is
# pinned to sts.amazonaws.com, matching client_id_list on the identity provider.
module "iam_assumable_role_admin" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
  version = "~> 4.0"

  create_role = true
  role_name   = "EKSIngressAWSLoadBalancerController"

  # Issuer host and path without the scheme, as the module expects.
  provider_url     = replace(module.eks.cluster_oidc_issuer_url, "https://", "")
  role_policy_arns = [aws_iam_policy.aws_loadbalancer_controller.arn]

  # Exact-match conditions on the token's sub and aud claims. The subject is
  # built from the same locals as the service account, so the two cannot drift.
  oidc_fully_qualified_subjects  = ["system:serviceaccount:${local.albc_ns}:${local.sa_name}"]
  oidc_fully_qualified_audiences = ["sts.amazonaws.com"]
}
...
参考