
LoadBalancer Controller

The LoadBalancer Controller is a Kubernetes controller that manages Elastic Load Balancers (ELBs) for a Kubernetes cluster. It's designed to work with Amazon EKS (Elastic Kubernetes Service) and provides a way to expose Kubernetes services to the internet using AWS load balancers.

The LoadBalancer Controller is used to automate the creation, management, and deletion of AWS load balancers based on Kubernetes Ingress resources. It simplifies the process of managing load balancers by automatically provisioning them when needed and cleaning them up when they are no longer in use.

OBLV Deploy

The LoadBalancer Controller is a prerequisite to use OBLV Deploy. For additional information, refer to the Prerequisites page.

Configuration

Configuring the LoadBalancer Controller involves setting up the necessary IAM policies and service accounts. The sections below describe the IAM policy creation and service account creation commands.

IAM Policy creation

The command below is used to create an IAM policy within AWS. This policy is specifically designed for the LoadBalancer Controller, granting it the necessary permissions to manage AWS resources on your behalf.

aws iam create-policy \
--policy-name AWSLoadBalancerControllerIAMPolicyDemoPrivateTest \
--policy-document file://iam_policy.json

The command line above is described in the table below:

| Command | Description |
| --- | --- |
| aws iam create-policy | This is the AWS CLI command used to create a new IAM policy. IAM (Identity and Access Management) is a service provided by AWS that helps you securely control access to AWS resources. |
| --policy-name AWSLoadBalancerControllerIAMPolicyDemoPrivateTest | This option specifies the name of the IAM policy you are creating. It's important to choose a name that clearly indicates the purpose of the policy, in this case providing permissions for the LoadBalancer Controller. |
| --policy-document file://iam_policy.json | This option points to the file that contains the policy document. The policy document is a JSON-formatted file that defines the permissions granted by the policy. The file:// prefix indicates that the file is located on the local filesystem. In this command, the policy document is iam_policy.json, which has been downloaded from the LoadBalancer Controller's GitHub repository as part of the setup process. |
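Because the policy document defines everything the controller's role will be allowed to do, it is worth reviewing the downloaded iam_policy.json before running aws iam create-policy. The following Python check is an added example, not part of the original page or of the LoadBalancer Controller project; the function name review_policy, the finding labels, the read-only verb list and the sample policy are assumptions constructed for illustration.

```python
import json
import sys

# Constructed sample for illustration; NOT the contents of the real iam_policy.json.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:DescribeSubnets", "ec2:DescribeVpcs"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "elasticloadbalancing:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:CreateTags"],
         "Resource": "arn:aws:ec2:*:*:security-group/*",
         "Condition": {"StringEquals": {"aws:RequestTag/example": "demo"}}},
        {"Effect": "Allow", "Action": "ec2:AuthorizeSecurityGroupIngress",
         "Resource": "*"},
    ],
}

# Assumption: action names starting with these verbs are treated as read-only.
READ_ONLY_VERBS = ("Describe", "Get", "List")


def as_list(value):
    """IAM accepts a single string/object wherever a list is also valid."""
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return (statement index, finding label, actions) for Allow statements to review."""
    findings = []
    for index, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action", []))
        wildcards = [a for a in actions if a == "*" or a.endswith(":*")]
        if wildcards:
            findings.append((index, "wildcard-action", wildcards))
        if "NotAction" in stmt:  # allows everything except the listed actions
            findings.append((index, "not-action", as_list(stmt["NotAction"])))
        writes = [a for a in actions if a not in wildcards
                  and not a.split(":")[-1].startswith(READ_ONLY_VERBS)]
        unscoped = "*" in as_list(stmt.get("Resource", [])) and "Condition" not in stmt
        if writes and unscoped:
            findings.append((index, "unscoped-write", writes))
    return findings


if __name__ == "__main__":
    # Pass the path to iam_policy.json, or run without arguments to use the sample.
    policy = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POLICY
    for index, label, actions in review_policy(policy):
        print(f"Statement[{index}] {label}: {', '.join(actions)}")
```

A finding marks a statement to read closely before creating the policy; it does not by itself mean the statement is wrong for the controller.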

Service Account creation

The configuration of the LoadBalancer Controller involves creating an IAM service account with the necessary permissions. This is achieved using the eksctl command-line tool. The following code block presents an example of a command used to create an IAM service account for the LoadBalancer Controller.

eksctl create iamserviceaccount \
--cluster=${CLUSTER_NAME} \
--namespace=kube-system \
--name=aws-load-balancer-controller \
--role-name AmazonEKSLoadBalancerControllerRolePrivateTest \
--attach-policy-arn=arn:aws:iam::${AWS_CURRENT_ACCOUNT}:policy/AWSLoadBalancerControllerIAMPolicyDemoPrivateTest \
--approve

The command line above is described in the table below:

| Parameter | Description |
| --- | --- |
| --cluster=${CLUSTER_NAME} | Specifies the name of the EKS cluster where the service account will be created. Replace ${CLUSTER_NAME} with the actual name of your EKS cluster. |
| --namespace=kube-system | Specifies the Kubernetes namespace where the service account will be created. In this case, it is created in the kube-system namespace, which is typically used for system-level resources. |
| --name=aws-load-balancer-controller | Specifies the name of the service account. This name is used to identify the service account within the Kubernetes cluster. |
| --role-name AmazonEKSLoadBalancerControllerRolePrivateTest | Specifies the name of the IAM role that will be associated with the service account. This role should have the necessary permissions to manage EC2 resources. |
| --attach-policy-arn=arn:aws:iam::${AWS_CURRENT_ACCOUNT}:policy/AWSLoadBalancerControllerIAMPolicyDemoPrivateTest | Attaches the specified IAM policy to the role. |
| --approve | Automatically approves the creation of the service account and the associated IAM role. |

  • Security: The command attaches the IAM policy AWSLoadBalancerControllerIAMPolicyDemoPrivateTest to the IAM role associated with the service account. Ensure that this policy exists and grants the necessary permissions for the LoadBalancer Controller to manage AWS resources.
  • Namespace: The service account is created in the kube-system namespace. This is a common practice for system-level resources, but you may choose to create the service account in a different namespace if your organization's policies dictate so.
  • Role Name: The role name AmazonEKSLoadBalancerControllerRolePrivateTest is used in this example. In a production environment, you should use a role name that reflects the purpose and environment of the service account.

What's next?

For additional information about how OBLV Deploy uses the LoadBalancer Controller, access the Prerequisites page.