This document walks you through Amazon EKS with the CoreOS ALB ingress controller.
Attach an extra IAM policy allowing all `elasticloadbalancing:*` actions to the EC2 node instance role. The ingress controller will need

```bash
aws iam put-role-policy --role-name <EC2_NODE_INSTANCE_ROLE> --policy-name elb-allow-all --policy-document file://elb-inline-policy.json
```
Install the default-http-backend

```bash
$ kubectl apply -f https://raw.githubusercontent.com/coreos/alb-ingress-controller/master/examples/default-backend.yaml
```

Modify the alb-ingress-controller.yaml file:

- `AWS_REGION`: region of your Amazon EKS cluster.

```yaml
- name: AWS_REGION
  value: us-west-2
```

- `CLUSTER_NAME`: name of the cluster

```yaml
- name: CLUSTER_NAME
  value: mycluster
```
Create the ClusterRole, ClusterRoleBinding and ServiceAccount

```bash
$ kubectl apply -f albrbac.yaml
```

Deploy the ingress-controller

```bash
$ kubectl apply -f alb-ingress-controller.yaml
```

Verify the deployment was successful and the controller started.

```bash
$ kubectl logs -n kube-system \
    $(kubectl get po -n kube-system | \
    egrep -o alb-ingress[a-zA-Z0-9-]+) | \
    egrep -o '\[ALB-INGRESS.*$'
```

Create the sample application

```bash
$ kubectl apply -f app.yaml
```

Update the ingress resource
```bash
$ vim ingress-resource.yaml
```

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: "webapp-alb-ingress"
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80,"HTTPS": 443}]'
    alb.ingress.kubernetes.io/subnets: 'subnet-xxxxxxxx,subnet-xxxxxxxx'
    alb.ingress.kubernetes.io/security-groups: 'sg-xxxxxxxx,sg-xxxxxxxx'
    alb.ingress.kubernetes.io/certificate-arn: <ACM_CERT_ARN>
  labels:
    app: webapp-service
spec:
  rules:
  - http:
      paths:
      - path: /greeting
        backend:
          serviceName: "webapp-service"
          servicePort: 80
      - path: /
        backend:
          serviceName: "caddy-service"
          servicePort: 80
```

- Make sure to modify the `subnets`, `security-groups` and `certificate-arn` annotations if required.
- Make sure the public internet can reach the ALB on TCP 80 and 443, and that the ALB can reach any TCP port on the node group.
- Double check your security group settings. You will usually need two security groups: one that admits TCP 80 and 443 from everywhere (for the ALB), and the NodeSecurityGroup.
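A script to double check those two security groups, as an added example that is not part of the walkthrough. It parses the JSON printed by `aws ec2 describe-security-groups --output json` (the sample below is constructed, and the group ids are placeholders) and reports whether the ALB group is open on 80/443, whether the node group admits the ALB group on every TCP port, and whether the node group is mistakenly open to the whole internet.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups --output json`.
# Group ids are placeholders, not values from the walkthrough.
SAMPLE = json.loads("""{"SecurityGroups": [
 {"GroupId": "sg-ALB-PLACEHOLDER", "GroupName": "alb-public", "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
  {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
 {"GroupId": "sg-NODE-PLACEHOLDER", "GroupName": "mycluster-NodeSecurityGroup",
  "IpPermissions": [
  {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "IpRanges": [],
   "UserIdGroupPairs": [{"GroupId": "sg-ALB-PLACEHOLDER"}]}]}]}""")

def _covers(perm, lo, hi):
    """True if one IpPermissions entry spans TCP ports lo..hi ("-1" means all traffic)."""
    if perm.get("IpProtocol") not in ("tcp", "-1"):
        return False
    return perm.get("FromPort", 0) <= lo and perm.get("ToPort", 65535) >= hi

def _from_cidr(perm, cidr):
    return any(r.get("CidrIp") == cidr for r in perm.get("IpRanges", []))

def _from_group(perm, group_id):
    return any(g.get("GroupId") == group_id for g in perm.get("UserIdGroupPairs", []))

def check_security_groups(describe_output, alb_sg_id, node_sg_id):
    """Return the three facts the walkthrough tells you to double check."""
    groups = {g["GroupId"]: g for g in describe_output["SecurityGroups"]}
    alb_perms = groups[alb_sg_id]["IpPermissions"]
    node_perms = groups[node_sg_id]["IpPermissions"]
    return {
        # the public internet can reach the ALB on TCP 80 and 443
        "alb_public_80_443": all(
            any(_covers(p, port, port) and _from_cidr(p, "0.0.0.0/0") for p in alb_perms)
            for port in (80, 443)),
        # the ALB can reach any TCP port on the node group (NodePort targets)
        "node_allows_alb": any(
            _covers(p, 1, 65535) and _from_group(p, alb_sg_id) for p in node_perms),
        # a node group with every port open to the world is a misconfiguration
        "node_open_to_internet": any(
            _covers(p, 1, 65535) and _from_cidr(p, "0.0.0.0/0") for p in node_perms),
    }

if __name__ == "__main__":
    print(check_security_groups(SAMPLE, "sg-ALB-PLACEHOLDER", "sg-NODE-PLACEHOLDER"))
```

Feed it your real `describe-security-groups` output and the ids returned by the lookup commands below in place of the constructed sample.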
Find your EKS NodeSecurityGroup

```bash
$ aws ec2 describe-security-groups --query "SecurityGroups[?VpcId=='vpc-e692c79f']|[?contains(GroupName, 'NodeSecurityGroup')].GroupId"
[
    "sg-49c86737"
]
```

Find your EKS subnets with the AWS CLI:

```bash
$ aws ec2 describe-subnets --query "join(',', Subnets[?VpcId=='vpc-e692c79f'].SubnetId)" --output text
subnet-eb16cba0,subnet-7ef24007
```

Deploy the ingress resource

```bash
$ kubectl apply -f ingress-resource.yaml
ingress "webapp-alb-ingress" created
```

Describe your ingress resource
```bash
$ kubectl describe ing/webapp-alb-ingress
Name:             webapp-alb-ingress
Namespace:        default
Address:          mycluster-default-webappal-9895-232573660.us-west-2.elb.amazonaws.com
Default backend:  default-http-backend:80 (192.168.109.73:8080)
Rules:
  Host  Path       Backends
  ----  ----       --------
  *
        /greeting  webapp-service:80 (<none>)
        /          caddy-service:80 (<none>)
Annotations:
Events:
  Type    Reason  Age               From                Message
  ----    ------  ----              ----                -------
  Normal  CREATE  2m                ingress-controller  Ingress default/webapp-alb-ingress
  Normal  CREATE  2m                ingress-controller  mycluster-default-webappal-9895 created
  Normal  CREATE  2m                ingress-controller  mycluster-32235-HTTP-7c52fdc target group created
  Normal  CREATE  2m                ingress-controller  mycluster-30214-HTTP-7c52fdc target group created
  Normal  CREATE  2m                ingress-controller  80 listener created
  Normal  CREATE  2m (x2 over 2m)   ingress-controller  1 rule created
  Normal  CREATE  2m (x2 over 2m)   ingress-controller  2 rule created
  Normal  CREATE  2m                ingress-controller  443 listener created
  Normal  UPDATE  1m                ingress-controller  Ingress default/webapp-alb-ingress
```

After a few minutes of DNS propagation for your ALB, you should be able to test it like this:

```bash
$ curl "http://<YOUR_ALB_DNS_NAME>/greeting?name=pahud"
Hello pahud
```

and the root path will go to the Caddy web server document root:

```bash
$ curl http://<YOUR_ALB_DNS_NAME>
```