DEV Community

Cover image for Create AWS Load Balancer Controller Ingress With CDK8S
AWS Community ASEAN

Create AWS Load Balancer Controller Ingress With CDK8S

Vu Dao
Awesome Devops || AWS SA || CloudOpz
Updated on ・6 min read

Table Of Contents

Create AWS Load Balancer Controller Ingress With CDK8S

🚀 What is AWS Load Balancer Controller

  • The AWS Load Balancer Controller manages AWS Elastic Load Balancers for a Kubernetes cluster. The controller provisions the following resources.
    • An AWS Application Load Balancer (ALB) when you create a Kubernetes Ingress.
    • An AWS Network Load Balancer (NLB) when you create a Kubernetes Service of type LoadBalancer.

🚀 Install AWS Load Balancer Controller as the ingress controller

  • Pre-requiste: EKS cluster

  • In order for the Ingress resource to work, the cluster must have an ingress controller running. Unlike other types of controllers which run as part of the kube-controller-manager binary, Ingress controllers are not started automatically with a cluster.

  • Using hlem to install

[ec2-user@eks-ctl dist]$ helm repo add eks
"eks" has been added to your repositories

export VPC_ID=$(aws eks describe-cluster --name eks-dev --query "cluster.resourcesVpcConfig.vpcId" --output text --region ap-northeast-2)

[ec2-user@eks-ctl dist]$ helm repo list

[ec2-user@eks-ctl dist]$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "eks" chart repository
Update Complete. ⎈Happy Helming!⎈

helm upgrade -i aws-load-balancer-controller \
    eks/aws-load-balancer-controller \
    -n kube-system \
    --set clusterName=eks-dev \
    --set serviceAccount.create=false \
    --set \
    --set image.tag="${LBC_VERSION}" \
    --set region=ap-northeast-2 \
    --set vpcId=${VPC_ID}

Release "aws-load-balancer-controller" does not exist. Installing it now.
NAME: aws-load-balancer-controller
LAST DEPLOYED: Sun Jun  6 10:44:19 2021
NAMESPACE: kube-system
STATUS: deployed
AWS Load Balancer controller installed!

[ec2-user@eks-ctl dist]$ kubectl get deployment -n kube-system aws-load-balancer-controller
NAME                           READY   UP-TO-DATE   AVAILABLE   AGE
aws-load-balancer-controller   0/2     2            0           8s

[ec2-user@eks-ctl dist]$ kubectl get po -n kube-system 
NAME                                            READY   STATUS    RESTARTS   AGE
aws-load-balancer-controller-85847bc9bd-fjdwf   1/1     Running   0          20s
aws-load-balancer-controller-85847bc9bd-gsctk   1/1     Running   0          20s
Enter fullscreen mode Exit fullscreen mode

🚀 Create AWS ALB IAM Role Service Account Using CDK

  • Pre-requisite: EKS cluster with OpenID connect, IAM identity provider (Ref to Using IAM Service Account Instead Of Instance Profile For EKS Pods for how to)

  • First create the IAM role which is federated by IAM identiy provider and assumed by sts:AssumeRoleWithWebIdentity, then attach policy to provide proper permission for the role. Brief of CDK code in python3:

    • iam_oic is the stack of creating IAM identity provider which is used OIDC as provider, open_id_connect_provider_arn is its ARN attribute from the stack.
    • Policy is created from iam_policy.json
from constructs import Construct
from aws_cdk.aws_s3_assets import Asset
from aws_cdk import (
    App, Stack, CfnJson,
    aws_iam as iam
import re, os

class IamOICProvider(Stack):
    def __init__(f, scope: Construct, construct_id: str, eks_cluster, env, **kwargs) -> None:
        super().__init__(scope, construct_id, env=env, **kwargs)

        oidc_url = eks_cluster.cluster_open_id_connect_issuer_url
        iam_oic = iam.OpenIdConnectProvider(
            f, construct_id,
        oidc_arn = iam_oic.open_id_connect_provider_arn
        oidc_provider = re.sub("https://", "", oidc_url)

        def string_like(name_space, sa_name):
            string_like = CfnJson(
                f, f'JsonCondition{sa_name}',
                    f'{oidc_provider}:sub': f'system:serviceaccount:{name_space}:{sa_name}',
                    f'{oidc_provider}:aud': ''
            return string_like

        alb_controller_role = iam.Role(
            f, 'AlbControllerRole',
                conditions={'StringEquals': string_like('kube-system', 'aws-load-balancer-controller')},
            iam.ManagedPolicy.from_managed_policy_name(f, "EksAWSLoadBalancerController",
            iam.ManagedPolicy.from_managed_policy_name(f, "EksAWSLoadBalancerControllerAdditional",
Enter fullscreen mode Exit fullscreen mode
  • Annotate the IRSA to aws-load-balancer-controller service account
$ kubectl annotate serviceaccount -n kube-system aws-load-balancer-controller
Enter fullscreen mode Exit fullscreen mode
  • Double check the IAM role at the Trust relationships to ensure correct OIDC url and Condition
  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::123456789012:oidc-provider/<OIDC_PROVIDER_ID>"
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "<OIDC_PROVIDER_ID>:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller",
          "<OIDC_PROVIDER_ID>:aud": ""
Enter fullscreen mode Exit fullscreen mode
  • Check the SA
[ec2-user@eks-ctl ~]$ kubectl describe sa -n kube-system aws-load-balancer-controller 
Name:                aws-load-balancer-controller
Namespace:           kube-system
Annotations: arn:aws:iam::123456789012:role/eks-aws-load-balancer-controller-sa
Image pull secrets:  <none>
Mountable secrets:   aws-load-balancer-controller-token-gjsc2
Tokens:              aws-load-balancer-controller-token-gjsc2
Events:              <none>
Enter fullscreen mode Exit fullscreen mode

🚀 Create Ingress Using CDK8S

🚀 Apply the ingress yaml files

  • After applying the yaml files, check all ingress
[ec2-user@eks-ctl ~]$ kubectl get ingress -A
NAMESPACE   NAME                     CLASS    HOSTS                       ADDRESS                                                           PORTS   AGE
argocd      argocd                   <none>    80      14d
dev         app                      <none>   *                     80      18d
dev         backend                  <none>   *                     80      8d
dev         frontend                 <none>   *                     80      8d
dev         dev-alb                  <none>   *                     80      18d
grafana     grafana                  <none>    80      7d3h
logging     kibana                   <none>    80      25h
Enter fullscreen mode Exit fullscreen mode
  • Check aws-load-balancer-controller if your ingress does not work
kubectl logs -f --tail=100 -n kube-system -l
Enter fullscreen mode Exit fullscreen mode

🚀 Create Route53 records for the domains using CDK

  • In order to automate detect the AWS k8s ALB, we can use lookup function and base on the tag the AWS ALB controller created <group>
import re
import os
from constructs import Construct
import boto3
from aws_cdk import (
    App, Stack, Environment, Tags, CfnTag, Duration,
    aws_elasticloadbalancingv2 as elbv2,
    aws_route53 as _route53,

class Route53Stack(Stack):

    def __init__(self, scope: Construct, id: str, env, **kwargs) -> None:
        super().__init__(scope, id, env=env, **kwargs)

        def cname_record(record_name, hosted_zone):
                self, 'Route53Cname',

        alb = elbv2.ApplicationLoadBalancer.from_lookup(
            self, "AlbIngress",
            load_balancer_tags={'': 'dev'}
        alb_dns = alb.load_balancer_dns_name

        dev_hosted_zone = 'Z88PZ8J8P8RXXX'

        hz = _route53.HostedZone.from_hosted_zone_attributes(
            self, id="HostedZone", hosted_zone_id=dev_hosted_zone, zone_name='')

        records = ['', '', '',
                   '', '']
        for record in records:
            cname_record(record, hz)
Enter fullscreen mode Exit fullscreen mode

🚀 Conclusion

  • Keywords: IRSA, AWS ALB controller, ingress, cdk and cdk8s
  • If we change order of the ingress group, it might make ALB downtime a little bit to re-generate the rules.

vumdao image

Discussion (0)