Closed hendryanw closed 1 year ago
Describe the bug
Creating ingress using ALB fails because of permission issues as shown in the following error log:

```json
{
  "level": "error",
  "ts": "2023-06-21T07:38:52Z",
  "msg": "Reconciler error",
  "controller": "ingress",
  "object": { "name": "redacted", "namespace": "redacted" },
  "namespace": "redacted",
  "name": "redacted",
  "reconcileID": "21838bd2-b4b7-40a6-a216-9d061972cbfe",
  "error": "AccessDenied: User: arn:aws:sts::redacted:assumed-role/redacted is not authorized to perform: elasticloadbalancing:AddTags on resource: arn:aws:elasticloadbalancing:redacted:redacted:targetgroup/redacted/* because no identity-based policy allows the elasticloadbalancing:AddTags action\n\tstatus code: 403, request id: redacted"
}
```

This may be related to this issue: https://github.com/kubernetes-sigs/aws-load-balancer-controller/issues/2692

Expected Behavior
Ingress is successfully created without permission issues, as the addOn manages the required permissions.

Current Behavior
The ingress creation fails with the error described above.

Reproduction Steps
The cluster is created with the following blueprints code:

```typescript
import * as blueprints from '@aws-quickstart/eks-blueprints';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as eks from 'aws-cdk-lib/aws-eks';

// The code below runs inside a CDK Stack constructor, where scope, id and props are defined.
var addOns: Array<blueprints.ClusterAddOn> = [
  new blueprints.addons.AwsLoadBalancerControllerAddOn(),
  new blueprints.addons.VpcCniAddOn(),
  new blueprints.addons.CoreDnsAddOn(),
  new blueprints.addons.KubeProxyAddOn("v1.26.2-eksbuild.1")
]

const clusterProvider = new blueprints.GenericClusterProvider({
  version: eks.KubernetesVersion.V1_26,
  managedNodeGroups: [
    {
      id: 'x86-onde-large-mng',
      nodegroupName: 'x86-onde-large-mng',
      desiredSize: 1,
      minSize: 1,
      maxSize: 10,
      diskSize: 50,
      instanceTypes: [ new ec2.InstanceType("m5.large") ],
      nodeGroupCapacityType: eks.CapacityType.ON_DEMAND
    },
    {
      id: 'arm-onde-large-mng',
      nodegroupName: 'arm-onde-large-mng',
      desiredSize: 1,
      minSize: 1,
      maxSize: 10,
      diskSize: 50,
      instanceTypes: [ new ec2.InstanceType("m6g.large") ],
      nodeGroupCapacityType: eks.CapacityType.ON_DEMAND,
      taints: [
        { effect: eks.TaintEffect.NO_EXECUTE, key: "graviton", value: "true" }
      ]
    }
  ]
});

blueprints.EksBlueprint.builder()
  .account(props.env?.account)
  .region(props.env?.region)
  .clusterProvider(clusterProvider)
  .addOns(...addOns)
  .build(scope, `${id}-eksblueprints`);
```

Then create an ingress resource with standard parameters to expose a service to the internet using ALB.

Possible Solution
Update the file located in /lib/addons/aws-loadbalancer-controller/iam-policy.ts to the latest, as in version 2.5.2

Additional Information/Context
No response

CDK CLI Version
2.84.0

EKS Blueprints Version
1.9.1

Node.js Version
18.12.1

Environment details (OS name and version, etc.)
MacOS

Other information
I have tried replacing the policy with the latest one manually and the issue is fixed. Will submit a pull request.
Also having this issue, waiting for a release that includes #738
Just tested with 1.10.0 release, the issue is fixed.
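
An added example (not from the issue or the EKS Blueprints project): a TypeScript check that parses the AccessDenied message from the reconciler log and tests whether a policy document allows the denied action on that resource. Both policy documents are constructed for illustration and are not the controller's real policy files, and the evaluation is simplified to Allow statements only (Deny, NotAction, NotResource and Condition are ignored).

```typescript
// Added example: constructed data, simplified IAM evaluation (Allow statements only;
// Deny, NotAction, NotResource and Condition blocks are ignored).
interface Statement { Effect: string; Action: string | string[]; Resource: string | string[]; }
interface PolicyDocument { Version: string; Statement: Statement[]; }
interface Denial { principal: string; action: string; resource: string; }

// Pull principal, action and resource out of an AWS AccessDenied message.
function parseAccessDenied(message: string): Denial | null {
  const m = /User: (\S+) is not authorized to perform: (\S+) on resource: (\S+)/.exec(message);
  return m ? { principal: m[1], action: m[2], resource: m[3] } : null;
}

// IAM-style wildcard match: "*" is any run of characters, "?" is one character.
function globMatch(pattern: string, value: string, ignoreCase: boolean): boolean {
  const body = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${body}$`, ignoreCase ? "i" : "").test(value);
}

const asList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// True when some Allow statement covers both the action and the resource.
function policyAllows(policy: PolicyDocument, action: string, resource: string): boolean {
  return policy.Statement.some((s) =>
    s.Effect === "Allow" &&
    asList(s.Action).some((a) => globMatch(a, action, true)) &&
    asList(s.Resource).some((r) => globMatch(r, resource, false)));
}

// Error string from the reconciler log on this page, cut before the status-code suffix.
const errorFromLog = "AccessDenied: User: arn:aws:sts::redacted:assumed-role/redacted is not authorized to perform: elasticloadbalancing:AddTags on resource: arn:aws:elasticloadbalancing:redacted:redacted:targetgroup/redacted/* because no identity-based policy allows the elasticloadbalancing:AddTags action";

// Constructed policies (assumptions for illustration, not the add-on's iam-policy.ts).
const stalePolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "elasticloadbalancing:CreateTargetGroup", Resource: "*" }],
};
const updatedPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [...stalePolicy.Statement, { Effect: "Allow", Action: ["elasticloadbalancing:AddTags"], Resource: "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*" }],
};

// Actions named in denial messages that the given policy still does not allow.
function missingActions(policy: PolicyDocument, messages: string[]): string[] {
  const denials = messages.map(parseAccessDenied).filter((d): d is Denial => d !== null);
  return denials.filter((d) => !policyAllows(policy, d.action, d.resource)).map((d) => d.action);
}
```

Feeding `missingActions` the controller's error lines and a candidate policy document gives the list of actions that still need to be granted before rolling the policy out.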