
Commit a5b901b

author
Martin Linkhorst
committed
add the aws-load-balancer-controller
1 parent 9599188 commit a5b901b


6 files changed

+1257
-0
lines changed


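--- a/cluster/cluster.yaml
+++ b/cluster/cluster.yaml
@@ -3222,6 +3222,221 @@ Resources:
 PolicyName: root
 RoleName: "{{.Cluster.LocalID}}-audittrail-adapter"
 Type: 'AWS::IAM::Role'
+# {{- if eq .Cluster.Provider "zalando-eks"}}
+AWSLoadBalancerControllerIAMRole:
+Properties:
+AssumeRolePolicyDocument: !Sub
+- |
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"Federated": [
+"arn:aws:iam::${AWS::AccountId}:oidc-provider/${OIDC}"
+]
+},
+"Action": [
+"sts:AssumeRoleWithWebIdentity"
+],
+"Condition": {
+"StringEquals": {
+"${OIDC}:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller"
+}
+}
+}
+]
+}
+{{- if eq .Cluster.Provider "zalando-eks" }}
+- OIDC: !Select [1, !Split ["//", !GetAtt EKSCluster.OpenIdConnectIssuerUrl]]
+{{- else }}
+- OIDC: "{{.Cluster.LocalID}}.{{.Values.hosted_zone}}"
+{{- end }}
+Path: /
+Policies:
+- PolicyDocument:
+Version: '2012-10-17'
+Statement:
+- Effect: Allow
+Action:
+- iam:CreateServiceLinkedRole
+Resource: "*"
+Condition:
+StringEquals:
+iam:AWSServiceName: elasticloadbalancing.amazonaws.com
+- Effect: Allow
+Action:
+- ec2:DescribeAccountAttributes
+- ec2:DescribeAddresses
+- ec2:DescribeAvailabilityZones
+- ec2:DescribeInternetGateways
+- ec2:DescribeVpcs
+- ec2:DescribeVpcPeeringConnections
+- ec2:DescribeSubnets
+- ec2:DescribeSecurityGroups
+- ec2:DescribeInstances
+- ec2:DescribeNetworkInterfaces
+- ec2:DescribeTags
+- ec2:GetCoipPoolUsage
+- ec2:DescribeCoipPools
+- ec2:GetSecurityGroupsForVpc
+- ec2:DescribeIpamPools
+- elasticloadbalancing:DescribeLoadBalancers
+- elasticloadbalancing:DescribeLoadBalancerAttributes
+- elasticloadbalancing:DescribeListeners
+- elasticloadbalancing:DescribeListenerCertificates
+- elasticloadbalancing:DescribeSSLPolicies
+- elasticloadbalancing:DescribeRules
+- elasticloadbalancing:DescribeTargetGroups
+- elasticloadbalancing:DescribeTargetGroupAttributes
+- elasticloadbalancing:DescribeTargetHealth
+- elasticloadbalancing:DescribeTags
+- elasticloadbalancing:DescribeTrustStores
+- elasticloadbalancing:DescribeListenerAttributes
+- elasticloadbalancing:DescribeCapacityReservation
+Resource: "*"
+- Effect: Allow
+Action:
+- cognito-idp:DescribeUserPoolClient
+- acm:ListCertificates
+- acm:DescribeCertificate
+- iam:ListServerCertificates
+- iam:GetServerCertificate
+- waf-regional:GetWebACL
+- waf-regional:GetWebACLForResource
+- waf-regional:AssociateWebACL
+- waf-regional:DisassociateWebACL
+- wafv2:GetWebACL
+- wafv2:GetWebACLForResource
+- wafv2:AssociateWebACL
+- wafv2:DisassociateWebACL
+- shield:GetSubscriptionState
+- shield:DescribeProtection
+- shield:CreateProtection
+- shield:DeleteProtection
+Resource: "*"
+- Effect: Allow
+Action:
+- ec2:AuthorizeSecurityGroupIngress
+- ec2:RevokeSecurityGroupIngress
+Resource: "*"
+- Effect: Allow
+Action:
+- ec2:CreateSecurityGroup
+Resource: "*"
+- Effect: Allow
+Action:
+- ec2:CreateTags
+Resource: arn:aws:ec2:*:*:security-group/*
+Condition:
+StringEquals:
+ec2:CreateAction: CreateSecurityGroup
+'Null':
+aws:RequestTag/elbv2.k8s.aws/cluster: 'false'
+- Effect: Allow
+Action:
+- ec2:CreateTags
+- ec2:DeleteTags
+Resource: arn:aws:ec2:*:*:security-group/*
+Condition:
+'Null':
+aws:RequestTag/elbv2.k8s.aws/cluster: 'true'
+aws:ResourceTag/elbv2.k8s.aws/cluster: 'false'
+- Effect: Allow
+Action:
+- ec2:AuthorizeSecurityGroupIngress
+- ec2:RevokeSecurityGroupIngress
+- ec2:DeleteSecurityGroup
+Resource: "*"
+Condition:
+'Null':
+aws:ResourceTag/elbv2.k8s.aws/cluster: 'false'
+- Effect: Allow
+Action:
+- elasticloadbalancing:CreateLoadBalancer
+- elasticloadbalancing:CreateTargetGroup
+Resource: "*"
+Condition:
+'Null':
+aws:RequestTag/elbv2.k8s.aws/cluster: 'false'
+- Effect: Allow
+Action:
+- elasticloadbalancing:CreateListener
+- elasticloadbalancing:DeleteListener
+- elasticloadbalancing:CreateRule
+- elasticloadbalancing:DeleteRule
+Resource: "*"
+- Effect: Allow
+Action:
+- elasticloadbalancing:AddTags
+- elasticloadbalancing:RemoveTags
+Resource:
+- arn:aws:elasticloadbalancing:*:*:targetgroup/*/*
+- arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*
+- arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*
+Condition:
+'Null':
+aws:RequestTag/elbv2.k8s.aws/cluster: 'true'
+aws:ResourceTag/elbv2.k8s.aws/cluster: 'false'
+- Effect: Allow
+Action:
+- elasticloadbalancing:AddTags
+- elasticloadbalancing:RemoveTags
+Resource:
+- arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*
+- arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*
+- arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*
+- arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*
+- Effect: Allow
+Action:
+- elasticloadbalancing:ModifyLoadBalancerAttributes
+- elasticloadbalancing:SetIpAddressType
+- elasticloadbalancing:SetSecurityGroups
+- elasticloadbalancing:SetSubnets
+- elasticloadbalancing:DeleteLoadBalancer
+- elasticloadbalancing:ModifyTargetGroup
+- elasticloadbalancing:ModifyTargetGroupAttributes
+- elasticloadbalancing:DeleteTargetGroup
+- elasticloadbalancing:ModifyListenerAttributes
+- elasticloadbalancing:ModifyCapacityReservation
+- elasticloadbalancing:ModifyIpPools
+Resource: "*"
+Condition:
+'Null':
+aws:ResourceTag/elbv2.k8s.aws/cluster: 'false'
+- Effect: Allow
+Action:
+- elasticloadbalancing:AddTags
+Resource:
+- arn:aws:elasticloadbalancing:*:*:targetgroup/*/*
+- arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*
+- arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*
+Condition:
+StringEquals:
+elasticloadbalancing:CreateAction:
+- CreateTargetGroup
+- CreateLoadBalancer
+'Null':
+aws:RequestTag/elbv2.k8s.aws/cluster: 'false'
+- Effect: Allow
+Action:
+- elasticloadbalancing:RegisterTargets
+- elasticloadbalancing:DeregisterTargets
+Resource: arn:aws:elasticloadbalancing:*:*:targetgroup/*/*
+- Effect: Allow
+Action:
+- elasticloadbalancing:SetWebAcl
+- elasticloadbalancing:ModifyListener
+- elasticloadbalancing:AddListenerCertificates
+- elasticloadbalancing:RemoveListenerCertificates
+- elasticloadbalancing:ModifyRule
+- elasticloadbalancing:SetRulePriorities
+Resource: "*"
+PolicyName: root
+RoleName: "aws-load-balancer-controller-{{.Cluster.Name}}"
+Type: 'AWS::IAM::Role'
+# {{- end }}
 RemoteFilesEncryptionKey:
 Type: "AWS::KMS::Key"
 Properties: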
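Review bot: The trust policy's `StringEquals` block conditions only on `"${OIDC}:sub"`, so any web-identity token the cluster issuer mints for `system:serviceaccount:kube-system:aws-load-balancer-controller` is accepted whatever its audience; add `"${OIDC}:aud": "sts.amazonaws.com"` next to the `sub` key (that is the audience EKS service-account tokens are normally projected with — confirm it matches the client ID registered on the IAM OIDC provider). The inner `{{- if eq .Cluster.Provider "zalando-eks" }} … {{- else }} … {{- end }}` around the `OIDC` substitution is dead code, since the whole resource already sits inside the same provider guard, so the `"{{.Cluster.LocalID}}.{{.Values.hosted_zone}}"` branch can never render and should be removed rather than left as an apparent second trust path. The `CreateListener`/`DeleteListener`/`CreateRule`/`DeleteRule` statement, the `SetWebAcl`/`ModifyListener`/`ModifyRule`/`SetRulePriorities` statement and the `RegisterTargets`/`DeregisterTargets` statement carry no `aws:ResourceTag/elbv2.k8s.aws/cluster` condition, unlike the neighbouring load-balancer and target-group statements, so this role can rewrite listeners and target membership on every ALB/NLB in the account; if that is a deliberate copy of the upstream controller policy, a comment such as `# unconditioned statements mirror upstream iam_policy.json; listeners/targets carry no cluster tag` would make the trade-off explicit. `RoleName: "aws-load-balancer-controller-{{.Cluster.Name}}"` also departs from the `{{.Cluster.LocalID}}-…` prefix used by `audittrail-adapter` just above, and `.Cluster.Name` is not length-bounded here while IAM caps role names at 64 characters.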
Lines changed: 76 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,76 @@
1+
# {{- if eq .Cluster.Provider "zalando-eks"}}
2+
apiVersion: apps/v1
3+
kind: Deployment
4+
metadata:
5+
name: aws-load-balancer-controller
6+
namespace: kube-system
7+
labels:
8+
application: kubernetes
9+
component: aws-load-balancer-controller
10+
spec:
11+
replicas: 2
12+
selector:
13+
matchLabels:
14+
deployment: aws-load-balancer-controller
15+
template:
16+
metadata:
17+
labels:
18+
application: kubernetes
19+
component: aws-load-balancer-controller
20+
deployment: aws-load-balancer-controller
21+
spec:
22+
containers:
23+
- args:
24+
- "--aws-region={{.Cluster.Region}}"
25+
- "--aws-vpc-id={{.Cluster.ConfigItems.vpc_id}}"
26+
- "--cluster-name={{.Cluster.Name}}"
27+
- --feature-gates=ServiceTypeLoadBalancerOnly=true
28+
- --webhook-cert-file=admission-controller.pem
29+
- --webhook-key-file=admission-controller-key.pem
30+
image: container-registry.zalando.net/teapot/aws-load-balancer-controller:v2.12.0-main-1.patched
31+
livenessProbe:
32+
failureThreshold: 2
33+
httpGet:
34+
path: /healthz
35+
port: 61779
36+
scheme: HTTP
37+
initialDelaySeconds: 30
38+
timeoutSeconds: 10
39+
name: controller
40+
ports:
41+
- containerPort: 9443
42+
name: webhook-server
43+
protocol: TCP
44+
resources:
45+
limits:
46+
cpu: 100m
47+
memory: 200Mi
48+
requests:
49+
cpu: 100m
50+
memory: 200Mi
51+
securityContext:
52+
allowPrivilegeEscalation: false
53+
readOnlyRootFilesystem: true
54+
runAsNonRoot: true
55+
volumeMounts:
56+
- mountPath: /tmp/k8s-webhook-server/serving-certs
57+
name: cert
58+
readOnly: true
59+
priorityClassName: system-cluster-critical
60+
securityContext:
61+
fsGroup: 1337
62+
serviceAccountName: aws-load-balancer-controller
63+
terminationGracePeriodSeconds: 10
64+
affinity:
65+
podAntiAffinity:
66+
requiredDuringSchedulingIgnoredDuringExecution:
67+
- topologyKey: topology.kubernetes.io/zone
68+
labelSelector:
69+
matchLabels:
70+
deployment: aws-load-balancer-controller
71+
volumes:
72+
- name: cert
73+
secret:
74+
defaultMode: 420
75+
secretName: admission-controller-tls-certs
76+
# {{- end }}
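Review bot: The container `securityContext` sets `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `runAsNonRoot: true` but drops no Linux capabilities and pins no seccomp profile; add `capabilities: {drop: ["ALL"]}` and `seccompProfile: {type: RuntimeDefault}` under it so the webhook server exposed on port 9443 (presumably called by the API server) runs at the restricted baseline. `runAsNonRoot: true` without a `runAsUser` relies on `container-registry.zalando.net/teapot/aws-load-balancer-controller:v2.12.0-main-1.patched` declaring a numeric non-root `USER`; if it does not, the kubelet refuses to start the pod, so either set `runAsUser` alongside `fsGroup: 1337` or confirm the image. `--webhook-cert-file=admission-controller.pem` and `--webhook-key-file=admission-controller-key.pem` are bare file names while the `admission-controller-tls-certs` secret is mounted at `/tmp/k8s-webhook-server/serving-certs`; a one-line comment above the args, such as `# file names are resolved inside the controller's default webhook cert dir (the volume mounted below)`, would save the next reader a lookup, assuming that is how the patched build resolves them.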
