Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug] AWS Load Balancer Controller well known policy missing listener attribute actions required in v2.9.0 #7987

Open
jonathanfoster opened this issue Oct 5, 2024 · 7 comments
Open

[Bug] AWS Load Balancer Controller well known policy missing listener attribute actions required in v2.9.0 #7987

jonathanfoster opened this issue Oct 5, 2024 · 7 comments
Labels
kind/bug

Comments

@jonathanfoster
Copy link

jonathanfoster commented Oct 5, 2024
edited
Loading

AWS Load Balancer Controller v2.9.0 added support for listener attributes, which requires two additional IAM permissions that are not currently included in the eksctl well known policy awsLoadBalancerController:

  • elasticloadbalancing:DescribeListenerAttributes
  • elasticloadbalancing:ModifyListenerAttributes

This causes LoadBalancer service resource initialization to fail when using v2.9.0 and a service account created using eksctl.

What were you trying to accomplish?

I'm trying to use the latest AWS Load Balancer Controller and a service account created with eksctl's well known policy awsLoadBalancerController to create a LoadBalancer service resource. I'm trying to install Ingress NGINX, which creates a load balancer service that requires AWS Load Balancer Controller to create an ELB.

What happened?

Service resource initialization failed due to missing permissions. Service load balancer stayed in pending state.

How to reproduce it?

  1. Create service account.

    iam:
  withOIDC: true
  serviceAccounts:
  - metadata:
      name: aws-load-balancer-controller
      namespace: kube-system
    wellKnownPolicies:
      awsLoadBalancerController: true

  2. Install AWS Load Balancer Controller.

    helm install aws-load-balancer-controller aws-load-balancer-controller \
  -n kube-system \
  --repo=https://aws.github.io/eks-charts \
  --set clusterName=$CLUSTER_NAME \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-load-balancer-controller

  3. Install Ingress NGINX.

    helm install ingress-nginx ingress-nginx \
  -n ingress-nginx \
  --create-namespace
  --repo=https://kubernetes.github.io/ingress-nginx

Logs

AWS Load Balancer Controller logs include the following error message:

{"level":"error","ts":"2024-10-05T16:23:41Z","msg":"Reconciler error","controller":"service","namespace":"ingress-nginx","name":"ingress-nginx-controller","reconcileID":"53edcaa4-74dd-4f79-9343-710793941a08","error":"operation error Elastic Load Balancing v2: DescribeListenerAttributes, https response error StatusCode: 403, RequestID: af1b3d7f-87dc-4efd-b573-264c23f884d1, api error AccessDenied: User: arn:aws:sts::$AWS_ACCOUNT:assumed-role/$ROLE_NAME is not authorized to perform: elasticloadbalancing:DescribeListenerAttributes because no identity-based policy allows the elasticloadbalancing:DescribeListenerAttributes action"}

Anything else we need to know?

A workaround for this issue is to attach a policy with the required permissions when creating the service account.

iam:
  withOIDC: true
  serviceAccounts:
  - metadata:
      name: aws-load-balancer-controller
      namespace: kube-system
    attachPolicy:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - elasticloadbalancing:DescribeListenerAttributes
            - elasticloadbalancing:ModifyListenerAttributes
          Resource: "*"
    wellKnownPolicies:
      awsLoadBalancerController: true

Versions

$ eksctl info
eksctl version: 0.191.0-dev+c736924d6.2024-09-27T00:54:42Z
kubectl version: v1.31.1
OS: darwin
@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 5, 2024

Hello jonathanfoster 👋 Thank you for opening an issue in eksctl project. The team will review the issue and aim to respond within 1-5 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website

@jonathanfoster jonathanfoster mentioned this issue Oct 5, 2024
Open
7 tasks
@insider89
Copy link

insider89 commented Oct 8, 2024
edited
Loading

Have the same issue. Can we merge the fix?

@raghu-manne
Copy link

raghu-manne commented Oct 10, 2024
edited
Loading

I do have the same issue!
For workaround, do we have an eksctl command? @jonathanfoster

@raghu-manne raghu-manne mentioned this issue Oct 10, 2024
Open
@jonathanfoster
Copy link
Author

@raghu-manne For a workaround you can attach a policy with the required actions in the eksctl cluster config. See the issue above for an example.

@raghu-manne
Copy link

raghu-manne commented Oct 10, 2024
edited
Loading

I did tried with config file, but having issue with eksctl CRD's which I raised here #7995
How do we install CRD's for eksctl? @jonathanfoster

@raghu-manne
Copy link

Also there are typos in the Action; it should be

Action:
    - elasticloadbalancing:DescribeListenerAttributes
    - elasticloadbalancing:ModifyListenerAttributes
Resource: "*"

@jonathanfoster
Copy link
Author

@raghu-manne Your issue isn't related to this. I responded in your issue.

@syan-tibco syan-tibco mentioned this issue Oct 17, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jonathanfoster @insider89 @raghu-manne