By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post
About re:Post

The ingress object doesn't creates an ALB to direct traffic to the Kubernetes pods

0

Hi all, i follow the step in skillbuilder lab Building and Deploying a Containerized Application with Amazon Elastic Kubernetes Service, almost all steps works as expected. EKS cluster created without any issue and load balancer is up and running. But apply the following yaml file, i can't see ingress's address: According to lab's step, it should be

********************************
**** This is OUTPUT ONLY. ****
******************************

NAME          CLASS    HOSTS   ADDRESS                                                                  PORTS   AGE
lab-ingress   <none>   *     **  k8s-containe-labingre-3207ffb4ea-513194013.us-west-2.elb.amazonaws.com**   80      102s**

YAML file

apiVersion: apps/v1
kind: Deployment
metadata:
  namespace: containers-lab
  name: eks-lab-deploy
  labels:
    app: eks-app
spec:
  replicas: 3
  selector:
    matchLabels:
      app: lab-app
  template:
    metadata:
      labels:
        app: lab-app
    spec:
      containers:
      - name: website
        image: $ECR_REPO_URI_WEBSITE:latest ## <-- Placeholder replaced with environment variable
        ports:
        - containerPort: 80
        volumeMounts:
        - mountPath: /var/metadata
          name: metadata-vol
      - name: sidecar
        image: $ECR_REPO_URI_SIDECAR:latest ## <-- Placeholder replaced with environment variable
        volumeMounts:
        - mountPath: /var/metadata
          name: metadata-vol
      volumes:
      - name: metadata-vol
        emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: lab-service
  namespace: containers-lab
spec:
  ports:
    - port: 80
      targetPort: 80
      protocol: TCP
  type: NodePort
  selector:
    app: lab-app
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  namespace: containers-lab
  name: lab-ingress
  annotations:
    alb.ingress.kubernetes.io/scheme: internet-facing
    alb.ingress.kubernetes.io/target-type: ip
    kubernetes.io/ingress.class: alb
spec:
  rules:
    - http:
        paths:
        - path: /
          pathType: Prefix
          backend:
            service:
              name: lab-service
              port:
                number: 80

ec2-user:~/environment/environment/eksLabRepo/eks-lab-app (main) $ kubectl get ing -n containers-lab
NAME          CLASS    HOSTS   ADDRESS   PORTS   AGE
lab-ingress   <none>   *                 80      11m

i changed service type from NodePort to LoadBalancer, now i can see svc's external IP.

ec2-user:~/environment/environment/eksLabRepo/eks-lab-app (main) $ kubectl get svc -n containers-lab                                                         
NAME          TYPE           CLUSTER-IP     EXTERNAL-IP                                                                    PORT(S)        AGE
lab-service   LoadBalancer   10.100.94.17   a431b71834d084969ae445843c1c0c1c-1440339911.ap-southeast-2.elb.amazonaws.com   80:30923/TCP   124m

but i want to see address generated in ingress, is there any steps i missing and how to fix it?

Regards, Rock

Topics
ContainersNetworking & Content Delivery
Tags
Amazon Elastic Kubernetes ServiceElastic Load Balancing
Language
English
zhengmao
asked 10 months ago703 views
3 Answers
0
Accepted Answer

Looks like the ingress controller did not create the ALB for some reason. For troubleshooting further I suggest to look at:

  1. kubectl describe ing lab-ingress -n containers-lab
  2. examine the logs of the ingress controller pods (usually they are running on kube-system namespace)

One possible reason can be that the ingress controller does not have the necessary permissions to create the load balancer. The logs will help you determine if this is the case.

profile pictureAWS
EXPERT
Yaniv Rozenboim
answered 10 months ago
profile picture
EXPERT
Adeleke Adebowale Julius
reviewed 10 months ago
0

thanks for your reply. i found the following error message from ingress controller pod, but not sure if that is the root cause.

{"level":"error","ts":"2024-07-18T03:30:47Z","msg":"Reconciler error","controller":"ingress","object":{"name":"lab-ingress","namespace":"containers-lab"},"namespace":"containers-lab","name":"lab-ingress","reconcileID":"a428e91b-8edd-4679-b3c0-a4c11e97582b","error":"AccessDenied: User: arn:aws:sts::654654314383:assumed-role/AmazonEKSLoadBalancerControllerRole/1721273359055840536 is not authorized to perform: elasticloadbalancing:AddTags on resource: arn:aws:elasticloadbalancing:ap-southeast-2:654654314383:targetgroup/k8s-containe-labservi-11117e6551/* because no identity-based policy allows the elasticloadbalancing:AddTags action\n\tstatus code: 403, request id: 1baec434-ccca-4493-956e-0882739effe7"}

could you please provide advice or direction, thanks!

zhengmao
answered 10 months ago
0

i changed the --attach-policy-arn to a higher priviledge policy, and delete the old iamserviceaccount, recreate a new one. now i can see the ingress's address now. eksctl create iamserviceaccount --name iampolicy-sa --namespace containers-lab --cluster eks-lab-cluster --role-name "eksRole4serviceaccount1" --attach-policy-arn arn:aws:iam::$ACCOUNT_NUMBER:policy/eks-lab-read-policy --approve --override-existing-serviceaccounts

zhengmao
answered 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content