search

kubernetes-sigs / aws-load-balancer-controller

A Kubernetes controller for Elastic Load Balancers
https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Apache License 2.0
3.93k stars 1.46k forks source link

Can you comment on version compatibility? #1255

Closed thesurlydev closed 4 years ago

thesurlydev commented 4 years ago

Apologies if I've missed any documentation around this but can someone comment on which versions of Kubernetes/EKS are compatible with which versions of aws-alb-ingress-controller?

Specifically, I'm wondering if for example the version of ingress-controller should match K8s version? I'm asking because I'm running into the following issue:

1 controller.go:217] kubebuilder/controller "msg"="Reconciler error" \
"error"="failed to get web acl for load balancer arn:aws:elasticloadbalancing:us-west-2:114169298763:loadbalancer/app/66655845-default-springboo-bf49/5e0da9a111425711: AccessDeniedException: \
User: arn:aws:sts::112233445566:assumed-role/eksctl-ra-addon-iamserviceaccount-kube-syste-Role1-CSAMS7XALXQ8/1588915308237680554 \
is not authorized to perform: waf-regional:GetWebACLForResource on resource: \
arn:aws:waf-regional:us-west-2:112233445566:*/* with an explicit deny\n\tstatus \
code: 400, request id: c9cdedba-a6d2-4623-8019-febe18e3f170"  "controller"="alb-ingress-controller" \
"request"={"Namespace":"default","Name":"springboot-microservice-ingress"

I'm current running (not quite) the following versions and curious to know with confidence that aws-alb-ingress-controller is backwards compatible with older versions of Kubernetes.

Kubernetes: 1.15
EKS platform: eks.2 
aws-alb-ingress-controller: 1.17
region: us-west-2

Thanks!

billputer commented 4 years ago

I don't believe it's due to your Kubernetes version. It's actually a new IAM permission required by v1.1.7. See the v1.1.7 release notes.

Frankly, I find this kind of change to be hostile to users. The expectation should be that a PATCH version change from 1.1.6 to 1.1.7 wouldn't have any breaking changes.

thesurlydev commented 4 years ago

I did see the IAM permission change and had added that but didn't turn out to be the issue.

I eventually got it to work and wasn't a version incompatibility (afaik). What it ended up being in my case was a missing annotation in the service.yaml: 

alb.ingress.kubernetes.io/target-type: ip
fejta-bot commented 4 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

thesurlydev commented 4 years ago

/close

k8s-ci-robot commented 4 years ago

@digitalsanctum: Closing this issue.

In response to [this](https://github.com/kubernetes-sigs/aws-alb-ingress-controller/issues/1255#issuecomment-675786094): >/close Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes/test-infra](https://github.com/kubernetes/test-infra/issues/new?title=Prow%20issue:) repository.