What happened?
The autogenerated nodegroup role's *PolicyALBIngress policy doesn't contain any wafv2 Allow actions. Because of that, the AWS ALB ingress controller is unable to configure WAF and fails with a permissions error:
E0508 11:09:33.764826 1 controller.go:217] kubebuilder/controller "msg"="Reconciler error" "error"="failed get WAFv2 webACL for load balancer arn:aws:elasticloadbalancing:eu-central-1:REDACTED:loadbalancer/app/e0d27dff-default-appingres-350b/REDACTED: AccessDeniedException: User: arn:aws:sts::REDACTED:assumed-role/eksctl-auth-branch-nodegroup-auth-NodeInstanceRole-WROWGI7AAD3M/i-REDACTED is not authorized to perform: wafv2:GetWebACLForResource on resource: arn:aws:wafv2:eu-central-1:REDACTED:regional/webacl/*\n\tstatus code: 400, request id: REDACTED" "controller"="alb-ingress-controller" "request"={"Namespace":"default","Name":"app-ingress"}
What you expected to happen?
Appropriate WAF permissions should be given for the ALB Ingress controller to work with WAF.
How to reproduce it?
Create a cluster using
Check the missing wafv2 permissions in the generated *PolicyALBIngress policy.
Use the WAF feature of the AWS ALB ingress controller: https://kubernetes-sigs.github.io/aws-alb-ingress-controller/guide/ingress/annotation/#waf
Anything else we need to know?
PR https://github.com/weaveworks/eksctl/pull/2068 fixes the problem of missing wafv2 permissions.
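To check a generated policy document for the gap described above, here is an added example (not eksctl's or the controller's own code). It assumes the four wafv2 actions listed in REQUIRED_WAFV2_ACTIONS are the ones the controller needs; only GetWebACLForResource appears in the error above, the others are an assumption taken from the controller's published IAM policy. The two policy documents are constructed stand-ins, not the real *PolicyALBIngress document.

```python
import fnmatch

# wafv2 actions the ALB ingress controller's WAF integration needs.
# Assumption: only GetWebACLForResource is named in this issue; the rest
# follow the controller's published IAM policy.
REQUIRED_WAFV2_ACTIONS = (
    "wafv2:GetWebACL",
    "wafv2:GetWebACLForResource",
    "wafv2:AssociateWebACL",
    "wafv2:DisassociateWebACL",
)


def allowed_actions(policy_doc):
    """Collect Action patterns from Allow statements (Action may be a str or a list)."""
    allowed = set()
    statements = policy_doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written without a list
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements and NotAction forms are not treated as grants
        actions = stmt.get("Action", [])
        allowed.update([actions] if isinstance(actions, str) else actions)
    return allowed


def missing_wafv2_actions(policy_doc, required=REQUIRED_WAFV2_ACTIONS):
    """Return required actions not covered by any Allow pattern (IAM '*' wildcards, case-insensitive)."""
    patterns = {p.lower() for p in allowed_actions(policy_doc)}
    return [
        action for action in required
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)
    ]


# Constructed stand-in for the generated *PolicyALBIngress document: ELB and
# classic waf-regional actions, but nothing under the wafv2 namespace.
GENERATED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["elasticloadbalancing:*", "waf-regional:GetWebACLForResource"]}]}

# The same document with a wafv2 statement added, which is what the fix amounts to.
FIXED_POLICY = {"Version": "2012-10-17", "Statement": GENERATED_POLICY["Statement"] + [
    {"Effect": "Allow", "Resource": "*", "Action": list(REQUIRED_WAFV2_ACTIONS)}]}

if __name__ == "__main__":
    print("missing from generated policy:", missing_wafv2_actions(GENERATED_POLICY))
    print("missing from fixed policy:", missing_wafv2_actions(FIXED_POLICY))
```

Run it against the role's actual inline policy document (for example the output of `aws iam get-role-policy`) to confirm whether the nodegroup role carries the wafv2 grants before debugging the controller itself.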
Versions