
[Bug] AWS Load Balancer Controller well known policy missing listener attribute actions required in v2.9.0

Open jonathanfoster opened this issue 4 months ago • 7 comments

AWS Load Balancer Controller v2.9.0 added support for listener attributes, which requires two additional IAM permissions that are not currently included in the eksctl well known policy awsLoadBalancerController:

  • elasticloadbalancing:DescribeListenerAttributes
  • elasticloadbalancing:ModifyListenerAttributes

This causes LoadBalancer service resource initialization to fail when using v2.9.0 and a service account created using eksctl.

What were you trying to accomplish?

I'm trying to use the latest AWS Load Balancer Controller and a service account created with eksctl's well known policy awsLoadBalancerController to create a LoadBalancer service resource. I'm trying to install Ingress NGINX, which creates a load balancer service that requires AWS Load Balancer Controller to create an ELB.

What happened?

Service resource initialization failed due to missing permissions. Service load balancer stayed in pending state.

How to reproduce it?

  1. Create service account.

    iam:
      withOIDC: true
      serviceAccounts:
      - metadata:
          name: aws-load-balancer-controller
          namespace: kube-system
        wellKnownPolicies:
          awsLoadBalancerController: true
    
  2. Install AWS Load Balancer Controller.

    helm install aws-load-balancer-controller aws-load-balancer-controller \
      -n kube-system \
      --repo=https://aws.github.io/eks-charts \
      --set clusterName=$CLUSTER_NAME \
      --set serviceAccount.create=false \
      --set serviceAccount.name=aws-load-balancer-controller 
    
  3. Install Ingress NGINX.

    helm install ingress-nginx ingress-nginx \
      -n ingress-nginx \
      --create-namespace \
      --repo=https://kubernetes.github.io/ingress-nginx
    

Logs

AWS Load Balancer Controller logs include the following error message:

{"level":"error","ts":"2024-10-05T16:23:41Z","msg":"Reconciler error","controller":"service","namespace":"ingress-nginx","name":"ingress-nginx-controller","reconcileID":"53edcaa4-74dd-4f79-9343-710793941a08","error":"operation error Elastic Load Balancing v2: DescribeListenerAttributes, https response error StatusCode: 403, RequestID: af1b3d7f-87dc-4efd-b573-264c23f884d1, api error AccessDenied: User: arn:aws:sts::$AWS_ACCOUNT:assumed-role/$ROLE_NAME is not authorized to perform: elasticloadbalancing:DescribeListenerAttributes because no identity-based policy allows the elasticloadbalancing:DescribeListenerAttributes action"}

Anything else we need to know?

A workaround for this issue is to attach a policy with the required permissions when creating the service account.

iam:
  withOIDC: true
  serviceAccounts:
  - metadata:
      name: aws-load-balancer-controller
      namespace: kube-system
    attachPolicy:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action:
            - elasticloadbalancing:DescribeListenerAttributes
            - elasticloadbalancing:ModifyListenerAttributes
          Resource: "*"
    wellKnownPolicies:
      awsLoadBalancerController: true

Versions

$ eksctl info
eksctl version: 0.191.0-dev+c736924d6.2024-09-27T00:54:42Z
kubectl version: v1.31.1
OS: darwin

jonathanfoster commented Oct 05 '24 16:10
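Two defender-side checks that follow from this report, as an added example that is not part of the issue or of the eksctl project: extracting the denied IAM action from the controller's JSON error log, and checking an IAM policy document for the two listener-attribute actions (honouring IAM `*` wildcards and explicit `Deny` statements). The `BASE_POLICY` excerpt is constructed to illustrate a policy that predates v2.9.0; it is not the text of eksctl's actual `awsLoadBalancerController` policy. The `WORKAROUND_POLICY` is the `attachPolicy` from the issue in JSON form. All function names are mine.

```python
"""Added example: spot the v2.9.0 permission gap from logs and from policy JSON.

Limitations (by design, to stay small): the policy check looks at Action/Effect
only; it ignores Resource, Condition and NotAction. That is enough for the
elasticloadbalancing:*ListenerAttributes actions, which the workaround grants
on Resource "*".
"""
import fnmatch
import json
import re
from typing import Dict, Iterable, List, Optional

# Actions the AWS Load Balancer Controller needs since v2.9.0 (from the issue).
REQUIRED_ACTIONS_V290 = (
    "elasticloadbalancing:DescribeListenerAttributes",
    "elasticloadbalancing:ModifyListenerAttributes",
)

# The AccessDenied message names the action after "perform: ".
_DENIED_RE = re.compile(r"is not authorized to perform: (\S+)")


def denied_action(log_line: str) -> Optional[str]:
    """Return the IAM action named in a controller AccessDenied log line, or None."""
    try:
        record = json.loads(log_line)
    except json.JSONDecodeError:
        return None
    match = _DENIED_RE.search(record.get("error", ""))
    return match.group(1) if match else None


def _as_list(value) -> list:
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports '*' and '?'.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_actions(policy: dict, required: Iterable[str]) -> Dict[str, bool]:
    """Map each required action to whether the policy allows it (Allow minus Deny)."""
    allows, denies = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        bucket = allows if stmt.get("Effect") == "Allow" else denies
        bucket.update(_as_list(stmt.get("Action")))
    return {
        action: any(_action_matches(p, action) for p in allows)
        and not any(_action_matches(p, action) for p in denies)
        for action in required
    }


def missing_actions(policy: dict, required=REQUIRED_ACTIONS_V290) -> List[str]:
    """List required actions the policy does not grant (empty list means OK)."""
    return [a for a, ok in allowed_actions(policy, required).items() if not ok]


# Constructed sample log line, modelled on the one quoted in the issue.
SAMPLE_LOG = (
    '{"level":"error","msg":"Reconciler error","controller":"service",'
    '"error":"operation error Elastic Load Balancing v2: DescribeListenerAttributes, '
    'https response error StatusCode: 403, api error AccessDenied: User: '
    'arn:aws:sts::$AWS_ACCOUNT:assumed-role/$ROLE_NAME is not authorized to perform: '
    'elasticloadbalancing:DescribeListenerAttributes because no identity-based policy '
    'allows the elasticloadbalancing:DescribeListenerAttributes action"}'
)

# Constructed, illustrative pre-v2.9.0 policy excerpt (NOT eksctl's real policy).
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["elasticloadbalancing:DescribeLoadBalancers",
                    "elasticloadbalancing:DescribeListeners",
                    "elasticloadbalancing:ModifyListener"],
         "Resource": "*"},
    ],
}

# The attachPolicy from the issue's workaround, as JSON.
WORKAROUND_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["elasticloadbalancing:DescribeListenerAttributes",
                    "elasticloadbalancing:ModifyListenerAttributes"],
         "Resource": "*"},
    ],
}


def merged(*policies: dict) -> dict:
    """Combine statements the way eksctl attaches several policies to one role."""
    return {"Version": "2012-10-17",
            "Statement": [s for p in policies for s in _as_list(p.get("Statement"))]}


if __name__ == "__main__":
    print("denied action:", denied_action(SAMPLE_LOG))
    print("missing in base policy:", missing_actions(BASE_POLICY))
    print("missing after workaround:", missing_actions(merged(BASE_POLICY, WORKAROUND_POLICY)))
```

Running the module reports the denied action from the log, the two actions missing from the constructed base policy, and an empty list once the workaround statement is merged in. A policy that grants `elasticloadbalancing:Describe*` satisfies the Describe half through the wildcard but still fails on `ModifyListenerAttributes`, which is the kind of partial match the wildcard-aware check is there to catch.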