ALB Ingress Controller on Amazon EKS

The AWS ALB Ingress Controller for Kubernetes is a controller that triggers the creation of an Application Load Balancer (ALB) and the necessary supporting AWS resources whenever an Ingress resource is created on the cluster with the kubernetes.io/ingress.class: alb annotation. The Ingress resource configures the ALB to route HTTP or HTTPS traffic to different pods within the cluster. The ALB Ingress Controller is supported for production workloads running on Amazon EKS clusters.

To ensure that your ingress objects use the ALB Ingress Controller, add the following annotation to your Ingress specification. For more information, see Ingress specification in the documentation.

    annotations:
      kubernetes.io/ingress.class: alb

The ALB Ingress controller supports the following traffic modes:

Instance – Registers nodes within your cluster as targets for the ALB. Traffic reaching the ALB is routed to NodePort for your service and then proxied to your pods. This is the default traffic mode. You can also explicitly specify it with the alb.ingress.kubernetes.io/target-type: instance annotation.

Note: Your Kubernetes service must specify the NodePort type to use this traffic mode.

IP – Registers pods as targets for the ALB. Traffic reaching the ALB is directly routed to pods for your service. You must specify the alb.ingress.kubernetes.io/target-type: ip annotation to use this traffic mode.

For other available annotations supported by the ALB Ingress Controller, see Ingress annotations.
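As an added example (not from the original page), the two traffic modes side by side: one NodePort Service fronted by an internal ALB in instance mode and by an internet-facing ALB in ip mode. The service and Ingress names, the port numbers and the alb.ingress.kubernetes.io/scheme annotation (from the controller's annotations reference, not this page) are assumptions; the scheme decides which subnet-tagged set from the deployment steps the ALB lands in, so review it before an Ingress is applied.

```yaml
# Constructed example. Instance mode (default) registers nodes, so the Service
# must be NodePort; ip mode registers pod IPs and would also accept ClusterIP.
apiVersion: v1
kind: Service
metadata:
  name: web
spec:
  type: NodePort
  selector: {app: web}
  ports: [{port: 80, targetPort: 8080}]
---
# Internal ALB, instance mode: lands in subnets tagged kubernetes.io/role/internal-elb.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-internal
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/target-type: instance
    alb.ingress.kubernetes.io/scheme: internal
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend: {serviceName: web, servicePort: 80}
---
# Internet-facing ALB, ip mode: lands in subnets tagged kubernetes.io/role/elb.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: web-public
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/target-type: ip
    alb.ingress.kubernetes.io/scheme: internet-facing
spec:
  rules:
    - http:
        paths:
          - path: /*
            backend: {serviceName: web, servicePort: 80}
```

The networking.k8s.io/v1beta1 Ingress API and the /* path pattern are what controller v1.1.8 expects; apply with kubectl apply -f and watch the controller's logs in kube-system for the created ALB and target group.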

This topic shows you how to configure the ALB Ingress Controller to work with your Amazon EKS cluster.

Important: You cannot use the ALB Ingress Controller with Private clusters.

To deploy the ALB Ingress Controller to an Amazon EKS cluster

1. Tag the subnets in your VPC that you want to use for your load balancers so that the ALB Ingress Controller knows that it can use them. For more information, see Subnet tagging requirement. If you deployed your cluster with eksctl, then the tags are already applied.

   All subnets in your VPC should be tagged accordingly so that Kubernetes can discover them.

       Key: kubernetes.io/cluster/<cluster-name>
       Value: shared

   Public subnets in your VPC should be tagged accordingly so that Kubernetes knows to use only those subnets for external load balancers.

       Key: kubernetes.io/role/elb
       Value: 1

   Private subnets must be tagged in the following way so that Kubernetes knows it can use the subnets for internal load balancers. If you use an Amazon EKS AWS CloudFormation template to create your VPC after March 26, 2020, then the subnets created by the template are tagged when they're created. For more information about the Amazon EKS AWS CloudFormation VPC templates, see Creating a VPC for your Amazon EKS cluster.

       Key: kubernetes.io/role/internal-elb
       Value: 1

2. Create an IAM OIDC provider and associate it with your cluster. If you don't have eksctl version 0.28.0 or later installed, complete the instructions in Installing or upgrading eksctl to install or upgrade it. You can check your installed version with eksctl version.

       eksctl utils associate-iam-oidc-provider \
           --region region-code \
           --cluster prod \
           --approve

3. Download an IAM policy for the ALB Ingress Controller pod that allows it to make calls to AWS APIs on your behalf. You can view the policy document on GitHub.

       curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.8/docs/examples/iam-policy.json

4. Create an IAM policy called ALBIngressControllerIAMPolicy using the policy downloaded in the previous step.

       aws iam create-policy \
           --policy-name ALBIngressControllerIAMPolicy \
           --policy-document file://iam-policy.json

   Take note of the policy ARN that is returned.

5. Create a Kubernetes service account named alb-ingress-controller in the kube-system namespace, a cluster role, and a cluster role binding for the ALB Ingress Controller to use with the following command. If you don't have kubectl installed, complete the instructions in Installing kubectl to install it.

       kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.8/docs/examples/rbac-role.yaml

6. Using the instructions in one of the following options, create an IAM role for the ALB Ingress Controller and attach the role to the service account created in the previous step. If you didn't create your cluster with eksctl, then use the instructions in the AWS Management Console or AWS CLI options.

   eksctl

   The following command only works for clusters that were created with eksctl.

       eksctl create iamserviceaccount \
           --region region-code \
           --name alb-ingress-controller \
           --namespace kube-system \
           --cluster prod \
           --attach-policy-arn arn:aws:iam::111122223333:policy/ALBIngressControllerIAMPolicy \
           --override-existing-serviceaccounts \
           --approve

   AWS Management Console

   Using the instructions in To create your service account with the AWS Management Console, create an IAM role named eks-alb-ingress-controller and attach the ALBIngressControllerIAMPolicy IAM policy that you created in a previous step to it. Note the Amazon Resource Name (ARN) of the role once you've created it. Annotate the Kubernetes service account with the ARN of the role that you created with the following command.

       kubectl annotate serviceaccount -n kube-system alb-ingress-controller \
           eks.amazonaws.com/role-arn=arn:aws:iam::111122223333:role/eks-alb-ingress-controller

   AWS CLI

   Using the instructions in To create your service account with the AWS CLI, create an IAM role named eks-alb-ingress-controller and attach the ALBIngressControllerIAMPolicy IAM policy that you created in a previous step to it. Note the Amazon Resource Name (ARN) of the role once you've created it. Annotate the Kubernetes service account with the ARN of the role that you created with the following command.

       kubectl annotate serviceaccount -n kube-system alb-ingress-controller \
           eks.amazonaws.com/role-arn=arn:aws:iam::111122223333:role/eks-alb-ingress-controller

7. Deploy the ALB Ingress Controller with the following command.

       kubectl apply -f https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.1.8/docs/examples/alb-ingress-controller.yaml

8. Open the ALB Ingress Controller deployment manifest for editing with the following command.

       kubectl edit deployment.apps/alb-ingress-controller -n kube-system

9. Add a line for the cluster name after the --ingress-class=alb line. If you're running the ALB Ingress Controller on Fargate, then you must also add the lines for the VPC ID and AWS Region name of your cluster. Once you've added the appropriate lines, save and close the file.

       spec:
         containers:
           - args:
               - --ingress-class=alb
               - --cluster-name=prod
               - --aws-vpc-id=vpc-03468a8157edca5bd
               - --aws-region=region-code

10. Confirm that the ALB Ingress Controller is running with the following command.

        kubectl get pods -n kube-system

    Expected output:

        NAME                                      READY   STATUS    RESTARTS   AGE
        alb-ingress-controller-55b5bbcb5b-bc8q9   1/1     Running   0          56s