Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Bug] AWS Load Balancer Controller well known policy missing listener attribute actions required in v2.9.0 #7987

Closed
jonathanfoster opened this issue Oct 5, 2024 · 10 comments

Comments

@jonathanfoster
Copy link
Contributor

jonathanfoster commented Oct 5, 2024

AWS Load Balancer Controller v2.9.0 added support for listener attributes, which requires two additional IAM permissions that are not currently included in the eksctl well known policy awsLoadBalancerController:

  • elasticloadbalancing:DescribeListenerAttributes
  • elasticloadbalancing:ModifyListenerAttributes

This causes LoadBalancer service resource initialization to fail when using v2.9.0 and a service account created using eksctl.

What were you trying to accomplish?

I'm trying to use the latest AWS Load Balancer Controller and a service account created with eksctl's well known policy awsLoadBalancerController to create a LoadBalancer service resource. I'm trying to install Ingress NGINX, which creates a load balancer service that requires AWS Load Balancer Controller to create an ELB.

What happened?

Service resource initialization failed due to missing permissions. Service load balancer stayed in pending state.

How to reproduce it?

  1. Create service account.

    iam:
      withOIDC: true
      serviceAccounts:
      - metadata:
          name: aws-load-balancer-controller
          namespace: kube-system
        wellKnownPolicies:
          awsLoadBalancerController: true
  2. Install AWS Load Balancer Controller.

    helm install aws-load-balancer-controller aws-load-balancer-controller \
      -n kube-system \
      --repo=https://aws.github.io/eks-charts \
      --set clusterName=$CLUSTER_NAME \
      --set serviceAccount.create=false \
      --set serviceAccount.name=aws-load-balancer-controller 
  3. Install Ingress NGINX.

    helm install ingress-nginx ingress-nginx \
      -n ingress-nginx \
      --create-namespace
      --repo=https://kubernetes.github.io/ingress-nginx

Logs

AWS Load Balancer Controller logs include the following error message:

{"level":"error","ts":"2024-10-05T16:23:41Z","msg":"Reconciler error","controller":"service","namespace":"ingress-nginx","name":"ingress-nginx-controller","reconcileID":"53edcaa4-74dd-4f79-9343-710793941a08","error":"operation error Elastic Load Balancing v2: DescribeListenerAttributes, https response error StatusCode: 403, RequestID: af1b3d7f-87dc-4efd-b573-264c23f884d1, api error AccessDenied: User: arn:aws:sts::$AWS_ACCOUNT:assumed-role/$ROLE_NAME is not authorized to perform: elasticloadbalancing:DescribeListenerAttributes because no identity-based policy allows the elasticloadbalancing:DescribeListenerAttributes action"}

Anything else we need to know?

A workaround for this issue is to attach a policy with the required permissions when creating the service account.

iam:
  withOIDC: true
  serviceAccounts:
  - metadata:
      name: aws-load-balancer-controller
      namespace: kube-system
    attachPolicy:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - elasticloadbalancing:DescribeListenerAttributes
            - elasticloadbalancing:ModifyListenerAttributes
          Resource: "*"
    wellKnownPolicies:
      awsLoadBalancerController: true

Versions

$ eksctl info
eksctl version: 0.191.0-dev+c736924d6.2024-09-27T00:54:42Z
kubectl version: v1.31.1
OS: darwin
Copy link
Contributor

github-actions bot commented Oct 5, 2024

Hello jonathanfoster 👋 Thank you for opening an issue in eksctl project. The team will review the issue and aim to respond within 1-5 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website

@insider89
Copy link

insider89 commented Oct 8, 2024

Have the same issue. Can we merge the fix?

@raghu-manne
Copy link

raghu-manne commented Oct 10, 2024

I do have the same issue!
For workaround, do we have an eksctl command? @jonathanfoster

@jonathanfoster
Copy link
Contributor Author

@raghu-manne For a workaround you can attach a policy with the required actions in the eksctl cluster config. See the issue above for an example.

@raghu-manne
Copy link

raghu-manne commented Oct 10, 2024

I did tried with config file, but having issue with eksctl CRD's which I raised here #7995
How do we install CRD's for eksctl? @jonathanfoster

@raghu-manne
Copy link

Also there are typos in the Action; it should be

Action:
    - elasticloadbalancing:DescribeListenerAttributes
    - elasticloadbalancing:ModifyListenerAttributes
Resource: "*"

@jonathanfoster
Copy link
Contributor Author

@raghu-manne Your issue isn't related to this. I responded in your issue.

Copy link
Contributor

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the stale label Nov 14, 2024
Copy link
Contributor

This issue was closed because it has been stalled for 5 days with no activity.

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Nov 19, 2024
@jonathanfoster
Copy link
Contributor Author

This issue was resolved in eksctl 0.194.0. 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

3 participants