kubernetes-sigs / aws-load-balancer-controller

A Kubernetes controller for Elastic Load Balancers
https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Apache License 2.0

Issues while creating NLB with type:LoadBalancer on port 80 #3944

Open allabalakrishna99 opened 2 days ago

allabalakrishna99 commented 2 days ago

Describe the bug
While creating an NLB with type: LoadBalancer on port 80 using aws-load-balancer-controller v2.9.2, I get the error below, while the same load balancer can be rolled out on port 443 without any issues:

Failed deploy model due to operation error Elastic Load Balancing v2: DescribeListenerAttributes, https response error StatusCode: 403, RequestID: e476513e-2c4e-41ce-b1d4-7b967aaac6d0, api error AccessDenied: User: arn:aws:sts::690476720064:assumed-role/rafay-mgi-dev-eks-addon-iamserviceaccount-kub-Role1-CRVXhzK1iLmK/1731946561026787408 is not authorized to perform: elasticloadbalancing:DescribeListenerAttributes because no identity-based policy allows the elasticloadbalancing:DescribeListenerAttributes action

Steps to reproduce

Deploy the YAML file below with aws-load-balancer-controller v2.9.2 on port 80:

apiVersion: v1
kind: Service
metadata:
  name: abc-service
  namespace: xyz
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    service.beta.kubernetes.io/aws-load-balancer-name: "abc"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    service.beta.kubernetes.io/aws-load-balancer-subnets: ''
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
    service.beta.kubernetes.io/load-balancer-source-ranges: ""
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "3049"
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
spec:
  type: LoadBalancer
  ports:
    # The port list was cut off in the report; the issue describes the
    # Service exposed on port 80 over TCP (port 443 deploys without error).
    - port: 80
      protocol: TCP

Expected outcome
The NLB must be rolled out on port 80.

Environment

Additional Context:

Reverting to a lower version (v2.8) of aws-load-balancer-controller works.

zac-nixon commented 2 days ago

Please apply the latest IAM policy: https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/a2e02479398b9f637c978db5081bb1775d65798b/docs/install/iam_policy.json#L44

allabalakrishna99 commented 2 days ago

@zac-nixon I understand we need to apply the IAM policy, but the behavior on port 80 vs 443 must be exactly the same. Instead, if we roll out on port 80 we get the error shown above, but the same works on port 443. I believe this is a bug introduced with aws-load-balancer-controller 2.9 and above, and I expect the same behavior on port 80 as on port 443.

zac-nixon commented 2 days ago

Is the problem that you see inconsistent behavior between port 80 vs port 443? The root cause is still that you haven't applied the updated IAM permissions.

The reason why you see this issue on port 80 is that listener attributes are currently not supported for TLS listeners, so we only attempt to modify listener attributes when the listener is non-TLS: https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/c701a42ce2e03c0dc18eea20449ef48d091192c8/pkg/deploy/elbv2/listener_manager.go#L381-L384.

TL;DR - Just update your IAM policy to use the new LBC version.
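The two facts in the reply above (the controller only reconciles listener attributes on non-TLS listeners, and the failure is an IAM gap rather than a controller bug) can be turned into a pre-flight check. The script below is an added example, not code from the aws-load-balancer-controller project or from anyone in this thread. It evaluates an identity-based IAM policy document for the listener-attribute actions, parses the AccessDenied text to pull out the denied action, and shows why a TLS listener on 443 never trips the missing permission while a TCP listener on 80 does. Assumptions: the policy fragments and the error text are constructed and only loosely shaped like docs/install/iam_policy.json and the reporter's message; ModifyListenerAttributes is assumed to be required alongside DescribeListenerAttributes; Resource and Condition elements are ignored.

```python
"""Pre-flight check for the IAM actions the AWS Load Balancer Controller needs
to reconcile NLB listener attributes. Added example for this issue, not code
from the aws-load-balancer-controller project; the policy fragments and the
AccessDenied text are constructed, not copies of iam_policy.json or the report.
"""
import json
import re

# DescribeListenerAttributes is the action named in the issue; the Modify
# counterpart is assumed here because the controller "modifies" listener
# attributes on non-TLS listeners.
LISTENER_ATTRIBUTE_ACTIONS = (
    "elasticloadbalancing:DescribeListenerAttributes",
    "elasticloadbalancing:ModifyListenerAttributes",
)


def _policy(actions):
    """Build a one-statement Allow policy document (constructed helper)."""
    return json.dumps({"Version": "2012-10-17",
                       "Statement": [{"Effect": "Allow", "Action": actions,
                                      "Resource": "*"}]})


# Constructed: a pre-v2.9 style policy with no listener-attribute actions.
OLD_POLICY = _policy(["elasticloadbalancing:DescribeListeners",
                      "elasticloadbalancing:ModifyLoadBalancerAttributes"])
# Constructed: the same statement after adding the two actions v2.9+ calls.
NEW_POLICY = _policy(["elasticloadbalancing:DescribeListeners",
                      "elasticloadbalancing:ModifyLoadBalancerAttributes",
                      *LISTENER_ATTRIBUTE_ACTIONS])

# Constructed AccessDenied text shaped like the one in the report (fake
# account ID and role name).
SAMPLE_ERROR = (
    "api error AccessDenied: User: arn:aws:sts::123456789012:assumed-role/"
    "example-lbc-role/1700000000000000000 is not authorized to perform: "
    "elasticloadbalancing:DescribeListenerAttributes because no identity-based "
    "policy allows the elasticloadbalancing:DescribeListenerAttributes action"
)

_DENIED_RE = re.compile(r"is not authorized to perform: (?P<action>[\w-]+:[\w*]+)")


def missing_action(error_message):
    """Return the denied action from an ELBv2 AccessDenied message, or None."""
    m = _DENIED_RE.search(error_message)
    return m.group("action") if m else None


def _action_matches(pattern, action):
    """IAM action matching: case-insensitive, '*' and '?' wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy_json, action):
    """Identity-policy evaluation for one action: an explicit Deny wins, any
    matching Allow grants, otherwise implicit deny (the "no identity-based
    policy allows" outcome in the issue). Resource and Condition are ignored;
    the controller policy uses Resource "*"."""
    allowed = False
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if "Action" in stmt:
            hit = any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
        elif "NotAction" in stmt:
            hit = not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))
        else:
            continue
        if hit and stmt.get("Effect") == "Deny":
            return False
        if hit and stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def reconciles_listener_attributes(listener_protocol):
    """Per the maintainer, the controller only touches listener attributes on
    non-TLS listeners; a TLS listener never issues these calls."""
    return listener_protocol.upper() != "TLS"


def preflight(policy_json, listener_protocol):
    """Listener-attribute actions the policy does not grant for this listener
    protocol; an empty list means the deploy would not hit AccessDenied."""
    if not reconciles_listener_attributes(listener_protocol):
        return []
    return [a for a in LISTENER_ATTRIBUTE_ACTIONS if not policy_allows(policy_json, a)]


if __name__ == "__main__":
    print("denied action:", missing_action(SAMPLE_ERROR))
    print("old policy, TCP listener (port 80):", preflight(OLD_POLICY, "TCP"))
    print("old policy, TLS listener (port 443):", preflight(OLD_POLICY, "TLS"))
    print("new policy, TCP listener (port 80):", preflight(NEW_POLICY, "TCP"))
```

Against a real cluster, feed the Document returned by `aws iam get-policy-version` for the role's attached policy into policy_allows; an empty preflight result for "TCP" is the condition the port-80 rollout needs, and the empty result for "TLS" is exactly why the port-443 rollout never surfaced the gap.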

allabalakrishna99 commented 2 days ago

Yes, I am seeing inconsistent behavior: I can deploy on port 443 without adding any permissions to the IAM policy, but if I deploy on port 80 it errors out, after which I added the permission. It would help to have consistent behavior, where it fails on port 443 as well, like port 80, without DescribeListenerAttributes in the IAM policy.

zac-nixon commented 2 days ago

I don't agree with making that behavior consistent.

allabalakrishna99 commented 2 days ago

Can you please help me understand why that's the case?

Why should rollout of a load balancer on port 443 be allowed without adding the required permissions, when it is not allowed on port 80?

zac-nixon commented 2 days ago

I explained it above:

The reason why you see this issue on port 80 is that listener attributes are currently not supported for TLS listeners, so we only attempt to modify listener attributes when the listener is non-TLS: https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/c701a42ce2e03c0dc18eea20449ef48d091192c8/pkg/deploy/elbv2/listener_manager.go#L381-L384.