Failing to create target group with default policy #2692
Comments
@croachrose do you mind sharing a little more detail about your EKS environment?
@berry2012 Not sure what other details would be helpful. Our policy looks exactly like that. We applied the policy from docs/install. In order to fix this, I temporarily removed
@berry2012 It's almost like AWS changed the implementation of
@croachrose from a more recent alb controller, e.g. v2.4.1 with EKS 1.22, I see tags as part of the request so that explains it. I reproduced this in the environments below without altering the default IAM policy of the alb controller in the documentation and did not encounter the error. Env 1 Env 2 Your workaround makes sense as well for your specific environment. Below works as well
@berry2012 Any idea what is different about our environment? Is it the controller version? For what it's worth, this was working just fine and we changed nothing. It just stopped working suddenly.
@berry2012 update - AWS got back to us and our clusters were upgraded automatically to 1.18 when this started happening. Could k8s 1.18 have issues with controller 2.2.3?
My EKS version is 1.20 (not fresh, but upgraded from 1.15 -> 1.16 -> 1.17 -> 1.18 -> 1.19 -> 1.20) with ALB Ingress Controller v 1.1.5. When upgrading it to:
Below didn't work either.
Any update on this issue?
@croachrose, if you ran the aws-alb-ingress-controller previously, then you'd need to be on v1.1.3 or later before upgrading to the aws-load-balancer-controller v2.x. You'd also need additional IAM permissions. With appropriate IAM permissions, controller v2.2.3 works with k8s 1.18. In your case, is the target group an existing one, or is the controller trying to create a new target group?
@kishorj We were happily running v2.2.3 for months with no issue and no changes. We were using the exact policy from the install docs (with the tag conditions). It just stopped working one day and removing those conditions fixed it. The target group was not an existing group.
We also ran into the same problem with existing target groups across multiple EKS clusters.
@Glaaj, @croachrose, do you have any automation removing tags on resources? Please share the cloudtrail events from the failure. You can email to k8s-alb-controller-triage AT amazon.com
I believe we do not have any automation for that.
bump
We also do not have any automation to remove tags
@Glaaj, were you able to get the cloudtrail events? Also share the policy permissions from the role. You can email them to k8s-alb-controller-triage AT amazon.com
We've run into this issue (or something with very similar symptoms) on a brand new eks cluster using k8s 1.24 and the latest release of the controller. We are still investigating
We've also run into that issue today. Surprisingly, that happened to only one of our clusters, which had been running fine for over 4 months. We are currently using EKS 1.22 and aws-lb-controller v2.4.2 (we also tried updating to v2.4.6, but it didn't help). Only a cluster in ap-northeast-1 is affected. Event record
For now we have set up
Same issue as described above, only one of our ap-southeast-1 clusters affected, happened for the first time today. aws-load-balancer-controller v2.4.4
Policy attached to the role
{
"Statement": [
{
"Action": "iam:CreateServiceLinkedRole",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": ""
},
{
"Action": [
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeListenerCertificates",
"ec2:GetCoipPoolUsage",
"ec2:DescribeVpcs",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeTags",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeInternetGateways",
"ec2:DescribeInstances",
"ec2:DescribeCoipPools",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeAddresses",
"ec2:DescribeAccountAttributes"
],
"Effect": "Allow",
"Resource": "*",
"Sid": ""
},
{
"Action": [
"wafv2:GetWebACLForResource",
"wafv2:GetWebACL",
"wafv2:DisassociateWebACL",
"wafv2:AssociateWebACL",
"waf-regional:GetWebACLForResource",
"waf-regional:GetWebACL",
"waf-regional:DisassociateWebACL",
"waf-regional:AssociateWebACL",
"shield:GetSubscriptionState",
"shield:DescribeProtection",
"shield:DeleteProtection",
"shield:CreateProtection",
"iam:ListServerCertificates",
"iam:GetServerCertificate",
"cognito-idp:DescribeUserPoolClient",
"acm:ListCertificates",
"acm:DescribeCertificate"
],
"Effect": "Allow",
"Resource": "*",
"Sid": ""
},
{
"Action": [
"ec2:RevokeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:AuthorizeSecurityGroupIngress"
],
"Effect": "Allow",
"Resource": "*",
"Sid": ""
},
{
"Action": "ec2:CreateTags",
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
},
"StringEquals": {
"ec2:CreateAction": "CreateSecurityGroup"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:security-group/*",
"Sid": ""
},
{
"Action": [
"ec2:DeleteTags",
"ec2:CreateTags"
],
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:security-group/*",
"Sid": ""
},
{
"Action": [
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup",
"ec2:AuthorizeSecurityGroupIngress"
],
"Condition": {
"Null": {
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": ""
},
{
"Action": [
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:CreateLoadBalancer"
],
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": ""
},
{
"Action": [
"elasticloadbalancing:DeleteRule",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:CreateListener"
],
"Effect": "Allow",
"Resource": "*",
"Sid": ""
},
{
"Action": [
"elasticloadbalancing:RemoveTags",
"elasticloadbalancing:AddTags"
],
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
],
"Sid": ""
},
{
"Action": [
"elasticloadbalancing:RemoveTags",
"elasticloadbalancing:AddTags"
],
"Effect": "Allow",
"Resource": [
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
],
"Sid": ""
},
{
"Action": [
"elasticloadbalancing:SetSubnets",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeleteLoadBalancer"
],
"Condition": {
"Null": {
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": ""
},
{
"Action": [
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets"
],
"Effect": "Allow",
"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"Sid": ""
},
{
"Action": [
"elasticloadbalancing:SetWebAcl",
"elasticloadbalancing:RemoveListenerCertificates",
"elasticloadbalancing:ModifyRule",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:AddListenerCertificates"
],
"Effect": "Allow",
"Resource": "*",
"Sid": ""
}
],
"Version": "2012-10-17"
}
event with error
{
"eventVersion": "1.08",
"userIdentity": {
"type": "AssumedRole",
"principalId": "XXXXXXXXXXXX",
"arn": "arn:aws:sts::XXXXXXXXXXXX:assumed-role/XXX-aws-load-balancer-controller/fXXXXXXXXXXXXXXXXXXX",
"accountId": "XXXXXXXXXXXX",
"accessKeyId": "XXXXXXXXXXXXXXXXXXXXX",
"sessionContext": {
"sessionIssuer": {
"type": "Role",
"principalId": "XXXXXXXXXXXXXXXXXXXXXX",
"arn": "arn:aws:iam::XXXXXXXXXXXX:role/XXX-aws-load-balancer-controller",
"accountId": "XXXXXXXXXXXX",
"userName": "XXX-aws-load-balancer-controller"
},
"webIdFederationData": {
"federatedProvider": "arn:aws:iam::XXXXXXXXXXXX:oidc-provider/oidc.eks.ap-southeast-1.amazonaws.com/id/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
"attributes": {}
},
"attributes": {
"creationDate": "2023-02-09T14:00:28Z",
"mfaAuthenticated": "false"
}
}
},
"eventTime": "2023-02-09T14:39:00Z",
"eventSource": "elasticloadbalancing.amazonaws.com",
"eventName": "CreateTargetGroup",
"awsRegion": "ap-southeast-1",
"sourceIPAddress": "XXX.XXX.XXX.XXX",
"userAgent": "elbv2.k8s.aws/v2.4.4 aws-sdk-go/1.42.27 (go1.18.6; linux; amd64)",
"errorCode": "AccessDenied",
"errorMessage": "User: arn:aws:sts::XXXXXXXXXXXX:assumed-role/XXX-aws-load-balancer-controller/XXXXXXXXXXXXXXXXXXX is not authorized to perform: elasticloadbalancing:AddTags on resource: arn:aws:elasticloadbalancing:ap-southeast-1:XXXXXXXXXXXX:targetgroup/XXXXXXXXXXXXXXXXXXXX/* because no identity-based policy allows the elasticloadbalancing:AddTags action",
"requestParameters": null,
"responseElements": null,
"requestID": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
"eventID": "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx",
"readOnly": false,
"eventType": "AwsApiCall",
"managementEvent": true,
"recipientAccountId": "XXXXXXXXXXXX",
"eventCategory": "Management",
"tlsDetails": {
"tlsVersion": "TLSv1.2",
"cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
"clientProvidedHostHeader": "elasticloadbalancing.ap-southeast-1.amazonaws.com"
}
}
i also just started seeing this today when spinning up a new eks cluster on kubernetes 1.24 in us-east-1, running aws-load-balancer-controller 2.4.2, using the policy from the docs (https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.2/docs/install/iam_policy.json)
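The CloudTrail record above is the evidence kishorj asked for earlier in the thread. The following Python is an added example, not part of this thread or of the controller project: it pulls the tag-on-create denials (an AccessDenied on elasticloadbalancing:AddTags raised inside a Create* call) out of CloudTrail records and reports role, region and controller version, so this symptom can be told apart from an ordinary missing-permission denial. The records it runs on are constructed, with fake account IDs, ARNs and names, in the shape of the event posted above.

```python
"""Pick the tag-on-create denials out of CloudTrail records (added example)."""
import json
import re

# Matches the errorMessage wording CloudTrail uses for identity-based denials,
# e.g. "... is not authorized to perform: elasticloadbalancing:AddTags on resource: arn:... because ..."
DENIED_RE = re.compile(
    r"not authorized to perform: (?P<action>[\w-]+:\w+) on resource: (?P<resource>\S+)"
)
# User-Agent prefix the controller sends (seen in the record above).
CONTROLLER_UA_PREFIX = "elbv2.k8s.aws/"


def parse_cloudtrail(text):
    """Accept a CloudTrail log file ({"Records": [...]}), a JSON list, or one event."""
    data = json.loads(text)
    if isinstance(data, dict):
        return data.get("Records", [data])
    return data


def tag_on_create_denials(events):
    """Return one finding per AccessDenied on *:AddTags raised inside a Create* call.

    A denial on the Create* action itself (or on Delete/Modify) is a different
    problem (the action is simply missing from the policy) and is skipped.
    """
    findings = []
    for ev in events:
        if ev.get("errorCode") != "AccessDenied":
            continue
        if not ev.get("eventName", "").startswith("Create"):
            continue
        m = DENIED_RE.search(ev.get("errorMessage", ""))
        if not m or not m.group("action").endswith(":AddTags"):
            continue
        ua = ev.get("userAgent", "")
        version = None
        if ua.startswith(CONTROLLER_UA_PREFIX):
            # "elbv2.k8s.aws/v2.4.4 aws-sdk-go/..." -> "v2.4.4"
            version = ua.split(" ", 1)[0][len(CONTROLLER_UA_PREFIX):]
        issuer = ev.get("userIdentity", {}).get("sessionContext", {}).get("sessionIssuer", {})
        findings.append({
            "event_time": ev.get("eventTime"),
            "region": ev.get("awsRegion"),
            "event_name": ev["eventName"],
            "denied_action": m.group("action"),
            "resource": m.group("resource"),
            "role_arn": issuer.get("arn"),
            "controller_version": version,
        })
    return findings


# ---- constructed sample records (fake account, role and resource names) ----
_MSG = ("User: arn:aws:sts::123456789012:assumed-role/demo-aws-load-balancer-controller/1234 "
        "is not authorized to perform: {action} on resource: {resource} "
        "because no identity-based policy allows the {action} action")
CONTROLLER_UA = "elbv2.k8s.aws/v2.4.4 aws-sdk-go/1.42.27 (go1.18.6; linux; amd64)"
TG_ARN = "arn:aws:elasticloadbalancing:ap-southeast-1:123456789012:targetgroup/k8s-demo-app-0a1b2c3d4e/*"
LB_ARN = "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/demo/*"


def _event(name, region, ua, action=None, resource=None, time="2023-02-09T14:39:00Z"):
    ev = {
        "eventTime": time, "eventSource": "elasticloadbalancing.amazonaws.com",
        "eventName": name, "awsRegion": region, "userAgent": ua,
        "userIdentity": {"sessionContext": {"sessionIssuer": {
            "arn": "arn:aws:iam::123456789012:role/demo-aws-load-balancer-controller"}}},
    }
    if action:  # denied call: CloudTrail adds errorCode/errorMessage
        ev["errorCode"] = "AccessDenied"
        ev["errorMessage"] = _MSG.format(action=action, resource=resource)
    return ev


SAMPLE_EVENTS = [
    # the symptom from this thread: CreateTargetGroup denied on the implicit AddTags
    _event("CreateTargetGroup", "ap-southeast-1", CONTROLLER_UA, "elasticloadbalancing:AddTags", TG_ARN),
    # the same call succeeding (no errorCode at all)
    _event("CreateTargetGroup", "ap-southeast-1", CONTROLLER_UA),
    # an AccessDenied that is NOT this bug: the action itself is missing from the policy
    _event("DeleteTargetGroup", "ap-southeast-1", CONTROLLER_UA, "elasticloadbalancing:DeleteTargetGroup", TG_ARN),
    # a tag-on-create denial from a caller other than the controller: still reported, version unknown
    _event("CreateLoadBalancer", "us-east-1", "aws-cli/2.11.0", "elasticloadbalancing:AddTags", LB_ARN),
]
SAMPLE_LOG_TEXT = json.dumps({"Records": SAMPLE_EVENTS})

if __name__ == "__main__":
    for f in tag_on_create_denials(parse_cloudtrail(SAMPLE_LOG_TEXT)):
        print(f)
```

Run it over the unpacked objects from your CloudTrail S3 bucket (each is a `{"Records": [...]}` file) or over the output of `aws cloudtrail lookup-events`; a finding whose `controller_version` is set and whose `event_name` is CreateTargetGroup or CreateLoadBalancer is this issue, and the fix is the AddTags statement conditioned on elasticloadbalancing:CreateAction rather than loosening the Create* statements.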
We also just started seeing this issue today. Using v2.4.4 (via helm chart v1.4.5) on EKS 1.23
Removing the
We're having the same issue with a new cluster running kubernetes 1.24 and aws-load-balancer-controller 2.4.6 with the policy from https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/main/docs/install/iam_policy.json. Following for advice.
The same problem occurs on It works if only Hopefully there will be a quick update. 🥲
Same for me here: I'll remove the
This is also happening in GovCloud FWIW.
This is due to recent behavior change on the requirement of explicit
We will update our recommended policies and documentation.
The above policy change does not work for me unless I also add Versions: aws-load-balancer-controller v2.4.1, EKS 1.22
The ELB team has temporarily rolled back their change regarding IAM permissions
I ran into this issue as well. Deleting and creating the service resolved it even without changing the IAM Policy. I had done this many times before without issue. The issue occurred on EKS 1.24 ap-southeast-1, controller v2.4.6
I have exactly the same issue on EKS 1.26, controller v2.4.7.
We met the same error today with v2.4.0
We met the same error today with EKS v1.24.0 and controller v2.4.1 in us-east-1
For anyone who has encountered the same issue, we have found a solution in CDK. The key to solving the problem is to explicitly declare the policy of the ALB controller and assign it when creating the cluster. Here is the example:
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as eks from 'aws-cdk-lib/aws-eks';
import { KubectlV24Layer } from '@aws-cdk/lambda-layer-kubectl-v24';

// props.workshopVpc and clusterAdminRole are defined elsewhere in the stack.
// Inline policy document handed to the CDK-managed ALB controller.
const document = {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:CreateServiceLinkedRole"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInternetGateways",
"ec2:DescribeVpcs",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeInstances",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeTags",
"ec2:GetCoipPoolUsage",
"ec2:DescribeCoipPools",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeTags"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cognito-idp:DescribeUserPoolClient",
"acm:ListCertificates",
"acm:DescribeCertificate",
"iam:ListServerCertificates",
"iam:GetServerCertificate",
"waf-regional:GetWebACL",
"waf-regional:GetWebACLForResource",
"waf-regional:AssociateWebACL",
"waf-regional:DisassociateWebACL",
"wafv2:GetWebACL",
"wafv2:GetWebACLForResource",
"wafv2:AssociateWebACL",
"wafv2:DisassociateWebACL",
"shield:GetSubscriptionState",
"shield:DescribeProtection",
"shield:CreateProtection",
"shield:DeleteProtection"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateSecurityGroup"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": "arn:aws:ec2:*:*:security-group/*",
"Condition": {
"StringEquals": {
"ec2:CreateAction": "CreateSecurityGroup"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Resource": "arn:aws:ec2:*:*:security-group/*"
},
{
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateTargetGroup"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:DeleteRule"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:RemoveTags"
],
"Resource": [
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags",
"elasticloadbalancing:RemoveTags"
],
"Resource": [
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
]
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetSubnets",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:DeleteTargetGroup"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets"
],
"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
},
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:SetWebAcl",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:AddListenerCertificates",
"elasticloadbalancing:RemoveListenerCertificates",
"elasticloadbalancing:ModifyRule"
],
"Resource": "*"
}
]
}
const cluster = new eks.Cluster(this, 'EKSCluster', {
vpc: props.workshopVpc,
vpcSubnets: [{ subnetType: ec2.SubnetType.PRIVATE_WITH_EGRESS }],
mastersRole: clusterAdminRole,
defaultCapacity: 1,
defaultCapacityInstance: new ec2.InstanceType('m5.large'),
version: eks.KubernetesVersion.V1_24,
kubectlLayer: new KubectlV24Layer(this, 'Kubectlv24Layer'),
albController: {
version: eks.AlbControllerVersion.V2_4_1,
policy: document
},
clusterName: `Workshop-Cluster`,
endpointAccess: eks.EndpointAccess.PUBLIC,
});
Same error today with
IAM policies applied to aws-alb-controller Role coming from https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.0/docs/install/iam_policy.json
For anyone who got this issue and suddenly sees it working, you might check whether there is a message in your AWS Health Dashboard saying that you can still use the deprecated policy to create target groups. To make sure you won't be impacted by this API change, please make sure you are applying the latest IAM Policy [1] for your controller. Your policy generally needs to include:
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:AddTags"
],
"Resource": [
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
],
"Condition": {
"StringEquals": {
"elasticloadbalancing:CreateAction": [
"CreateTargetGroup",
"CreateLoadBalancer"
]
},
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
}
}
}
If you still have any issue, feel free to open a technical support case on a per-account basis. Hope this helps!
Thank you @0xlen for the hint about AWS Health Dashboard. I can confirm the issue is still around yet inconsistent: I had no problem with two 1.23 clusters in eu-west-1 and us-east-1, yet when we tried to create a new one on 1.23 the issue spawned. Here is the resolution recommended by AWS: "We recommend you update your IAM policy configuration to allow access to 'elasticloadbalancing:AddTags' when using 'Create*' API calls. You can find the most recent Global [2], China [3], or GovCloud [4] IAM policy on the AWS Load Balancer Controller repository, which contains the required permission for these API calls. For more information on control permission to tag resources during creation, please refer to the 'ABAC with Elastic Load Balancing' documentation [5]."
The same problem still exists, eks 1.27 & AWS lb controller 2.6.2
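To see why the pre-fix policy (the RemoveTags/AddTags statement posted earlier in the thread, with its Null conditions on aws:RequestTag and aws:ResourceTag) denies tag-on-create while the statement recommended above allows it, here is an added Python example; it is not code from the thread or from the controller project. It evaluates a single IAM Allow statement against a hand-built request context using only the two operators these statements use (Null and StringEquals) plus wildcard matching on action and resource ARN. The request contexts, the cluster name and the target group ARN are assumptions constructed for the example. It is deliberately not a full IAM engine: Deny statements, SCPs, permission boundaries and resource policies are out of scope, so use it to reason about one statement, not as a replacement for the IAM policy simulator.

```python
"""Evaluate the two AddTags statements from this thread against tag-on-create (added example)."""
from fnmatch import fnmatchcase

CLUSTER_TAG = "elbv2.k8s.aws/cluster"
ADD_TAGS = "elasticloadbalancing:AddTags"
ELB_RESOURCES = [
    "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
    "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
    "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*",
]

# Statement from the pre-fix policy posted above: AddTags/RemoveTags only when the
# request carries NO cluster tag and the resource already HAS one (ownership guard).
OLD_ADDTAGS = {
    "Effect": "Allow",
    "Action": ["elasticloadbalancing:RemoveTags", ADD_TAGS],
    "Resource": ELB_RESOURCES,
    "Condition": {"Null": {f"aws:RequestTag/{CLUSTER_TAG}": "true",
                           f"aws:ResourceTag/{CLUSTER_TAG}": "false"}},
}

# Statement AWS recommends adding: AddTags only as part of Create*, and only
# when the request itself tags the new resource with the cluster tag.
NEW_ADDTAGS = {
    "Effect": "Allow",
    "Action": [ADD_TAGS],
    "Resource": ELB_RESOURCES,
    "Condition": {
        "StringEquals": {"elasticloadbalancing:CreateAction": ["CreateTargetGroup", "CreateLoadBalancer"]},
        "Null": {f"aws:RequestTag/{CLUSTER_TAG}": "false"},
    },
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _null_matches(key, want, ctx):
    """IAM Null operator: "true" = key absent from the request context, "false" = present."""
    present = key in ctx
    return (not present) if want == "true" else present


def _string_equals_matches(key, want, ctx):
    """IAM StringEquals: key must be present and equal one of the listed values."""
    return key in ctx and ctx[key] in _as_list(want)


def condition_matches(condition, ctx):
    """IAM ANDs every operator and every key; list values within a key are ORed."""
    for operator, pairs in condition.items():
        for key, want in pairs.items():
            if operator == "Null":
                ok = _null_matches(key, want, ctx)
            elif operator == "StringEquals":
                ok = _string_equals_matches(key, want, ctx)
            else:
                raise NotImplementedError(f"operator {operator} not modelled here")
            if not ok:
                return False
    return True


def statement_allows(stmt, action, resource_arn, ctx):
    """True if this Allow statement matches the action, the resource ARN and its conditions."""
    if stmt.get("Effect") != "Allow":
        return False
    if not any(fnmatchcase(action, pat) for pat in _as_list(stmt["Action"])):
        return False
    if not any(fnmatchcase(resource_arn, pat) for pat in _as_list(stmt["Resource"])):
        return False
    return condition_matches(stmt.get("Condition", {}), ctx)


def policy_allows(statements, action, resource_arn, ctx):
    """Allow if any statement allows (explicit Deny is out of scope for this model)."""
    return any(statement_allows(s, action, resource_arn, ctx) for s in statements)


def tag_on_create_context(cluster_name):
    """Context of the implicit AddTags inside CreateTargetGroup once ELB authorizes
    tag-on-create: the request tag is present, CreateAction is set, and there are
    no aws:ResourceTag/* keys because the target group does not exist yet."""
    return {f"aws:RequestTag/{CLUSTER_TAG}": cluster_name,
            "elasticloadbalancing:CreateAction": "CreateTargetGroup"}


def later_add_tags_context(cluster_name):
    """Context of a later AddTags on a target group the controller already owns:
    resource carries the cluster tag, the request adds other tags, no CreateAction."""
    return {f"aws:ResourceTag/{CLUSTER_TAG}": cluster_name}


# Constructed ARN (fake account and names) in the shape of the one in the error above.
TG_ARN = ("arn:aws:elasticloadbalancing:ap-southeast-1:123456789012:"
          "targetgroup/k8s-demo-app-0a1b2c3d4e/0123456789abcdef")

if __name__ == "__main__":
    for label, stmt in (("old", OLD_ADDTAGS), ("new", NEW_ADDTAGS)):
        print(label, "tag-on-create:", statement_allows(stmt, ADD_TAGS, TG_ARN, tag_on_create_context("prod")),
              "later AddTags:", statement_allows(stmt, ADD_TAGS, TG_ARN, later_add_tags_context("prod")))
```

The two contexts cover both controller behaviours: only the old statement allows the later AddTags on an owned target group, and only the new statement allows the implicit AddTags during CreateTargetGroup, which is why the recommended policy carries both statements rather than, as in the CDK workaround posted above, dropping the tag guards altogether and letting the role retag any target group or load balancer in the account.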
Describe the bug
The controller is failing to create a target group based on the provided policy.
This error occurs after trying to create the target group and before reconciliation.
Based on my understanding of the policy, AddTags requires a null cluster tag in the request but also requires a non-null resource tag. I'm not sure how that can be possible during target group creation, especially since the request has the cluster tag and presumably the target group has no tags on creation.
Steps to reproduce
Expected outcome
The target group should be created with expected tags
Environment
Additional Context: