Getting Started
LoadBalancer Controller
The LoadBalancer Controller is a Kubernetes controller that manages Elastic Load Balancers (ELBs) for a Kubernetes cluster. It's designed to work with Amazon EKS (Elastic Kubernetes Service) and provides a way to expose Kubernetes services to the internet using AWS load balancers.
The LoadBalancer Controller is used to automate the creation, management, and deletion of AWS load balancers based on Kubernetes Ingress resources. It simplifies the process of managing load balancers by automatically provisioning them when needed and cleaning them up when they are no longer in use.
The LoadBalancer Controller is a prerequisite to use OBLV Deploy. For additional information, refer to the Prerequisites page.
Configuration
To configure the LoadBalancer Controller, you need to set up the necessary IAM policies and service accounts. The process involves downloading the IAM Policy document and creating an IAM Service Account. Follow the detailed instructions below:
IAM Policy Document Download
Download the IAM policy document from the AWS Load Balancer Controller GitHub repository:
curl -O https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.16.0/docs/install/iam_policy.json
This policy document defines the permissions required for the LoadBalancer Controller to manage AWS Elastic Load Balancers and related resources.
IAM Policy Creation
Create an IAM policy in AWS using the policy document downloaded in the previous step. This policy grants the LoadBalancer Controller the necessary permissions to manage AWS load balancers on your behalf.
aws iam create-policy \
--policy-name AWSLoadBalancerControllerIAMPolicy \
--policy-document file://iam_policy.json
The command parameters are described in the table below:
| Parameter | Description |
|---|---|
| aws iam create-policy | The AWS CLI command to create a new IAM policy. IAM (Identity and Access Management) is a service that helps you securely control access to AWS resources. |
| --policy-name AWSLoadBalancerControllerIAMPolicy | The name of the IAM policy. Choose a descriptive name that clearly indicates the purpose—in this case, granting permissions for the LoadBalancer Controller. |
| --policy-document file://iam_policy.json | Points to the policy document file. The file:// prefix indicates a local filesystem path. This references the iam_policy.json file downloaded in the previous step. |
Service Account Creation
Create an IAM service account for the LoadBalancer Controller with the necessary permissions using the eksctl command-line tool. This service account will be associated with the IAM policy created in the previous step.
eksctl create iamserviceaccount \
--cluster=${CLUSTER_NAME} \
--namespace=kube-system \
--name=aws-load-balancer-controller \
--role-name AmazonEKSLoadBalancerControllerRole \
--attach-policy-arn=arn:aws:iam::${AWS_CURRENT_ACCOUNT}:policy/AWSLoadBalancerControllerIAMPolicy \
--approve \
--region ${CLUSTER_REGION}
The command parameters are described in the table below:
| Parameter | Description |
|---|---|
| --cluster=${CLUSTER_NAME} | Specifies the name of the EKS cluster where the service account will be created. Replace ${CLUSTER_NAME} with your actual cluster name. |
| --namespace=kube-system | Specifies the Kubernetes namespace for the service account. The kube-system namespace is typically used for cluster-level system components. |
| --name=aws-load-balancer-controller | The name of the service account used to identify it within the Kubernetes cluster. |
| --role-name | The name of the IAM role associated with the service account. This role will have the necessary permissions to manage load balancer resources. |
| --attach-policy-arn | Attaches the specified IAM policy ARN to the service account role. Replace ${AWS_CURRENT_ACCOUNT} with your AWS account ID. |
| --approve | Automatically approves the creation of the service account and associated IAM role without manual confirmation. |
| --region ${CLUSTER_REGION} | Specifies the AWS region where the EKS cluster is located. Replace ${CLUSTER_REGION} with your cluster's region. This ensures resources are created in the correct region. |
Important Considerations:
- Security: Ensure the AWSLoadBalancerControllerIAMPolicy IAM policy exists and grants only the necessary permissions for the LoadBalancer Controller to manage AWS load balancer resources.
- Namespace: The service account is created in the kube-system namespace, which is standard for cluster-level controllers. You may choose a different namespace based on your organization's policies.
- Role Name: The role name AmazonEKSLoadBalancerControllerRole is used in this example. In production environments, you may customize this name to reflect your naming conventions.
- Region: Always verify that the specified region matches your EKS cluster's region. Mismatched regions can cause errors or create resources in unintended locations.
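The Security consideration above asks that the policy grant only the necessary permissions. As an added example (not part of the original page or of the AWS Load Balancer Controller project), the Python script below lists the Allow statements in a policy document that deserve a manual look before aws iam create-policy is run. The sample policy, its tag key and the read-only prefix heuristic are constructed assumptions.

```python
import json

READ_PREFIXES = ("Describe", "Get", "List")  # action names treated as read-only

# Constructed sample for illustration; NOT the contents of the real iam_policy.json.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadOnly", "Effect": "Allow", "Resource": "*",
         "Action": ["elasticloadbalancing:DescribeLoadBalancers", "ec2:DescribeSubnets"]},
        {"Sid": "TaggedDelete", "Effect": "Allow", "Resource": "*",
         "Action": "elasticloadbalancing:DeleteLoadBalancer",
         "Condition": {"Null": {"aws:ResourceTag/example-cluster-tag": "false"}}},
        {"Sid": "TooBroad", "Effect": "Allow", "Resource": "*",
         "Action": ["elasticloadbalancing:*", "iam:PassRole"]},
    ],
}


def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement label, finding) pairs for Allow statements worth a manual review."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        label = stmt.get("Sid", f"statement[{i}]")
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((label, "NotAction/NotResource allows everything not listed"))
        actions = as_list(stmt.get("Action", []))
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append((label, "wildcard action: " + ", ".join(wild)))
        writes = [a for a in actions if not a.partition(":")[2].startswith(READ_PREFIXES)]
        if writes and "*" in as_list(stmt.get("Resource", [])) and not stmt.get("Condition"):
            findings.append((label, "unconditioned write on Resource *: " + ", ".join(writes)))
    return findings


def audit_file(path="iam_policy.json"):
    """Audit the policy document downloaded in the curl step."""
    with open(path, encoding="utf-8") as fh:
        return audit_policy(json.load(fh))


if __name__ == "__main__":
    for label, finding in audit_policy(SAMPLE_POLICY):
        print(f"{label}: {finding}")
```

Call audit_file() from the directory that holds iam_policy.json. A finding is a prompt to review that statement, not proof of a misconfiguration.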
What's Next?
For additional information about how OBLV Deploy uses the LoadBalancer Controller, refer to the Prerequisites page.