
Commit e25a621

committed
[Terraform, Helm, EKS] :: alb_ingress_controller
1 parent fb8200c commit e25a621


4 files changed

+1464
-0
lines changed


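--- a/helm/alb-ingress-controller/README.md
+++ b/helm/alb-ingress-controller/README.md
@@ -0,0 +1,23 @@
+### Settings
+- [Document](https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.11/)
+
+1. IRSA
+- Install iam policy json to make AWS Policy
+```shell
+# Difference at USA, China Region
+curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.11.0/docs/install/iam_policy.json
+```
+- Create Policy
+- Terraform 참고
+- Attach Policy to K8S serviceaccount
+2. Install Cert Manager
+```shell
+curl -o cert-manager.yaml https://github.com/cert-manager/cert-manager/releases/download/v1.12.3/cert-manager.yaml
+
+kubectl apply --validate=false -f cert-manger.yaml
+```
+
+3. Install v2_11_0_full.yaml
+
+
+## Usage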

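--- a/helm/alb-ingress-controller/cert-manager.yaml
+++ b/helm/alb-ingress-controller/cert-manager.yaml
@@ -0,0 +1,247 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": [
+"iam:CreateServiceLinkedRole"
+],
+"Resource": "*",
+"Condition": {
+"StringEquals": {
+"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:DescribeAccountAttributes",
+"ec2:DescribeAddresses",
+"ec2:DescribeAvailabilityZones",
+"ec2:DescribeInternetGateways",
+"ec2:DescribeVpcs",
+"ec2:DescribeVpcPeeringConnections",
+"ec2:DescribeSubnets",
+"ec2:DescribeSecurityGroups",
+"ec2:DescribeInstances",
+"ec2:DescribeNetworkInterfaces",
+"ec2:DescribeTags",
+"ec2:GetCoipPoolUsage",
+"ec2:DescribeCoipPools",
+"ec2:GetSecurityGroupsForVpc",
+"elasticloadbalancing:DescribeLoadBalancers",
+"elasticloadbalancing:DescribeLoadBalancerAttributes",
+"elasticloadbalancing:DescribeListeners",
+"elasticloadbalancing:DescribeListenerCertificates",
+"elasticloadbalancing:DescribeSSLPolicies",
+"elasticloadbalancing:DescribeRules",
+"elasticloadbalancing:DescribeTargetGroups",
+"elasticloadbalancing:DescribeTargetGroupAttributes",
+"elasticloadbalancing:DescribeTargetHealth",
+"elasticloadbalancing:DescribeTags",
+"elasticloadbalancing:DescribeTrustStores",
+"elasticloadbalancing:DescribeListenerAttributes",
+"elasticloadbalancing:DescribeCapacityReservation"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"cognito-idp:DescribeUserPoolClient",
+"acm:ListCertificates",
+"acm:DescribeCertificate",
+"iam:ListServerCertificates",
+"iam:GetServerCertificate",
+"waf-regional:GetWebACL",
+"waf-regional:GetWebACLForResource",
+"waf-regional:AssociateWebACL",
+"waf-regional:DisassociateWebACL",
+"wafv2:GetWebACL",
+"wafv2:GetWebACLForResource",
+"wafv2:AssociateWebACL",
+"wafv2:DisassociateWebACL",
+"shield:GetSubscriptionState",
+"shield:DescribeProtection",
+"shield:CreateProtection",
+"shield:DeleteProtection"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:RevokeSecurityGroupIngress"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateSecurityGroup"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateTags"
+],
+"Resource": "arn:aws:ec2:*:*:security-group/*",
+"Condition": {
+"StringEquals": {
+"ec2:CreateAction": "CreateSecurityGroup"
+},
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateTags",
+"ec2:DeleteTags"
+],
+"Resource": "arn:aws:ec2:*:*:security-group/*",
+"Condition": {
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:RevokeSecurityGroupIngress",
+"ec2:DeleteSecurityGroup"
+],
+"Resource": "*",
+"Condition": {
+"Null": {
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:CreateLoadBalancer",
+"elasticloadbalancing:CreateTargetGroup"
+],
+"Resource": "*",
+"Condition": {
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:CreateListener",
+"elasticloadbalancing:DeleteListener",
+"elasticloadbalancing:CreateRule",
+"elasticloadbalancing:DeleteRule"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:AddTags",
+"elasticloadbalancing:RemoveTags"
+],
+"Resource": [
+"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+],
+"Condition": {
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:AddTags",
+"elasticloadbalancing:RemoveTags"
+],
+"Resource": [
+"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
+"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
+"arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+"arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
+]
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:ModifyLoadBalancerAttributes",
+"elasticloadbalancing:SetIpAddressType",
+"elasticloadbalancing:SetSecurityGroups",
+"elasticloadbalancing:SetSubnets",
+"elasticloadbalancing:DeleteLoadBalancer",
+"elasticloadbalancing:ModifyTargetGroup",
+"elasticloadbalancing:ModifyTargetGroupAttributes",
+"elasticloadbalancing:DeleteTargetGroup",
+"elasticloadbalancing:ModifyListenerAttributes",
+"elasticloadbalancing:ModifyCapacityReservation"
+],
+"Resource": "*",
+"Condition": {
+"Null": {
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:AddTags"
+],
+"Resource": [
+"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+],
+"Condition": {
+"StringEquals": {
+"elasticloadbalancing:CreateAction": [
+"CreateTargetGroup",
+"CreateLoadBalancer"
+]
+},
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:RegisterTargets",
+"elasticloadbalancing:DeregisterTargets"
+],
+"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:SetWebAcl",
+"elasticloadbalancing:ModifyListener",
+"elasticloadbalancing:AddListenerCertificates",
+"elasticloadbalancing:RemoveListenerCertificates",
+"elasticloadbalancing:ModifyRule"
+],
+"Resource": "*"
+}
+]
+}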
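Review bot: The content committed as `helm/alb-ingress-controller/cert-manager.yaml` is the AWS Load Balancer Controller IAM policy document (`"Version": "2012-10-17"` with a `"Statement"` array), i.e. the `iam-policy.json` that step 1 of the README downloads, not the cert-manager v1.12.3 manifest that step 2 fetches and applies; `kubectl apply -f` on this file will be rejected because it carries no `apiVersion`/`kind`, and the policy itself sits under a name nobody will look for it by. Rename it to `helm/alb-ingress-controller/iam-policy.json` and either commit the real cert-manager manifest under `cert-manager.yaml` or leave step 2 to its curl command (the README's apply line also misspells the file as `cert-manger.yaml`, so that step fails either way). Separately, every scoped `Resource` here is pinned to the `arn:aws:` partition (e.g. `"arn:aws:ec2:*:*:security-group/*"`, `"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"`), which is what the README's "Difference at USA, China Region" remark is about: a China-region deployment needs the `arn:aws-cn:` partition in those ARNs, and upstream publishes a separate policy variant for that, so a one-line note beside the curl step saying which variant to fetch would save a confusing IAM denial later.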
