kubernetes-sigs / aws-load-balancer-controller

A Kubernetes controller for Elastic Load Balancers
https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Apache License 2.0

NoCredentialProviders: no valid providers in chain. IMDSV2 issue. #3666

Open SteveWoodTi2 opened 2 months ago

SteveWoodTi2 commented 2 months ago

Kubernetes version 1.29. AWS LB controller version: 2.7.2. Masters set to hop limit 3, token required. Worker nodes set to hop limit 1, token required.

Went to create a LB and got

2024-04-26T14:31:17Z","msg":"Reconciler error","controller":"ingress","object":{"name":"msa-grafana","namespace":"monitoring"},"namespace":"xxxx,"name":"xxxx","reconcileID":"ff76216b-0df8-495d-8777-f69e2aa26e32","error":"NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors"}

Which means I either have to put it on a master node or change my worker nodes to a hop limit of 3 (if set to 2 I get the same error). This kind of compromises security a touch as we might be forced to set it to 1, and I really don't want to install it on my masters if I can avoid it.

Does this work with a service account linked to an IAM role if I annotate the service account?

shraddhabang commented 2 months ago

Yes, setting up IRSA for the controller will work in this case. Please follow this doc to create one for your controller: https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.7/deploy/installation/#configure-iam
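A check to run inside the controller pod once IRSA is configured, to confirm it no longer falls back to the node's instance metadata (and so no longer depends on the hop limit). This is an added example, not part of the thread or the project's code. The function name and result labels are made up here; the environment variable names are the ones the AWS SDK reads and the EKS pod identity webhook injects.

```shell
#!/bin/sh
# Added example: classify which credential source this environment points the
# AWS SDK at. Order mirrors the SDK: static keys, then web identity (IRSA),
# then the node's instance role via IMDS.
# credential_source and its labels are hypothetical names for this sketch.

credential_source() {
  # Static keys in the environment take precedence over everything else.
  if [ -n "${AWS_ACCESS_KEY_ID:-}" ] && [ -n "${AWS_SECRET_ACCESS_KEY:-}" ]; then
    echo "static-env"
    return 0
  fi

  # IRSA needs both variables plus a readable, non-empty projected token file.
  if [ -n "${AWS_ROLE_ARN:-}" ] && [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ]; then
    if [ -r "$AWS_WEB_IDENTITY_TOKEN_FILE" ] && [ -s "$AWS_WEB_IDENTITY_TOKEN_FILE" ]; then
      echo "irsa"
      return 0
    fi
    # Variables are set but the token is not mounted or is empty.
    echo "irsa-token-missing"
    return 1
  fi

  # Only one of the two variables is set: the web identity config is unusable.
  if [ -n "${AWS_ROLE_ARN:-}" ] || [ -n "${AWS_WEB_IDENTITY_TOKEN_FILE:-}" ]; then
    echo "irsa-incomplete"
    return 1
  fi

  # Nothing injected: the SDK can only try the instance metadata service,
  # which is where the IMDSv2 hop limit on the node decides the outcome.
  echo "imds"
  return 0
}

# Report for the current environment; never fail the calling shell.
credential_source || true
```

A result of `imds` after annotating the service account usually means the pod was not restarted or the webhook did not mutate it, so the controller is still relying on the node's metadata endpoint.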