aws-load-balancer-controller
[aws iam, helm] Why do we need to create a separate (from Helm) SA?
Hello! Actually it is a question, not a feature request.
I'm migrating our aws-lbc installation from one CI pipeline to another.
We are using Ansible and I noticed that besides the step which actually runs helm upgrade --install
there is one additional step which creates the ServiceAccount.
Part of our Ansible pipeline:
- name: "Create Kubernetes service account for LBC"
  kubernetes.core.k8s:
    state: present
    definition:
      apiVersion: v1
      kind: ServiceAccount
      metadata:
        labels:
          app.kubernetes.io/component: controller
          app.kubernetes.io/name: aws-load-balancer-controller
        name: aws-load-balancer-controller
        namespace: kube-system
        annotations:
          eks.amazonaws.com/role-arn: "arn:aws:iam::111:role/my-role"

- name: Setup eks/aws-load-balancer-controller helm chart
  kubernetes.core.helm:
    name: "xxx"
    chart_ref: "eks/aws-load-balancer-controller"
    release_namespace: kube-system
    create_namespace: true
    atomic: true
    wait: true
    timeout: 30m
    update_repo_cache: true
    chart_version: "zzz"
    values_files:
      - "helm/values.yaml"
Is your feature request related to a problem? The Helm chart docs state:
If using IAM Roles for service account install as follows - NOTE: you need to specify both of the chart values
serviceAccount.create=false
and serviceAccount.name=aws-load-balancer-controller
Why can't I just use:
serviceAccount:
  create: true
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::1111:role/my-role"
Describe the solution you'd like
serviceAccount:
  create: true
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::1111:role/my-role"
@rifler, thanks for reaching out. If you create the SA with the helm chart, how do you attach the IAM policy needed by the controller?
Thanks for the quick reply!
I see that in values.yaml there is a possibility to set custom annotations. So I am considering doing something like this:
serviceAccount:
  create: true
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::1111:role/my-role"
Or do you mean how to figure out the SA name to specify in the AWS IAM role?
resource "aws_iam_role" "lbc" {
  name = "my-role"
  assume_role_policy = jsonencode({
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "xxxx",
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            // ...
            "oidc.eks.${local.region}.amazonaws.com/id/${local.oidc}:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller",
            // SA name here ^^
          },
        },
      },
    ],
  })
}
@rifler If you go through the Installation steps here, you will notice that we ask to attach the IAM policies to your service account role. So if you want to create your SA using the helm chart, make sure you also attach the required IAM policies.
Yes, I've tried this way and it works:
- Created the IAM role (IRSA), I used Terraform
- Deployed the helm chart with the values below:
serviceAccount:
  create: true
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::1111:role/my-role"
I meant that the helm chart docs themselves are a bit confusing - https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/helm/aws-load-balancer-controller/README.md
On the very first line it is stated:
If using IAM Roles for service account install as follows - NOTE: you need to specify both of the chart values
serviceAccount.create=false
and serviceAccount.name=aws-load-balancer-controller
But as it turned out, it is not necessary: there is no need to set serviceAccount.create=false
and serviceAccount.name=aws-load-balancer-controller
and manage SA creation separately.
Just use the helm chart's built-in feature:
serviceAccount:
  create: true
  annotations:
    eks.amazonaws.com/role-arn: "arn:aws:iam::1111:role/my-role"
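As an added example (not code from this thread or from the aws-load-balancer-controller project), a small offline check of the thing that actually has to match when serviceAccount.create=true: the IRSA trust policy's `:sub` condition against the namespace and name of the ServiceAccount the chart renders (compare against `helm template` output, since the rendered name is what ends up in the token), plus the role named in the eks.amazonaws.com/role-arn annotation. The manifest, account id, region and OIDC issuer id are constructed placeholders.

```python
import json
import re

# Constructed inputs: the ServiceAccount the chart renders with serviceAccount.create=true
# plus the role-arn annotation from the thread, and a trust policy for that role.
# Account id, region and OIDC issuer id are placeholders.
SERVICE_ACCOUNT = {
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {"name": "aws-load-balancer-controller", "namespace": "kube-system",
                 "annotations": {"eks.amazonaws.com/role-arn": "arn:aws:iam::111111111111:role/my-role"}},
}
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111111111111:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEOIDC"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLEOIDC:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller"}}
  }]
}""")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/(.+)$")


def irsa_mismatches(sa: dict, role_name: str, trust_policy: dict) -> list:
    """Return the problems found (empty list = the SA and trust policy agree). IRSA needs the
    annotation to name the role whose trust policy this is, and an Allow
    sts:AssumeRoleWithWebIdentity statement to pin ':sub' to system:serviceaccount:<ns>:<name>."""
    problems = []
    meta = sa.get("metadata", {})
    expected_sub = f"system:serviceaccount:{meta.get('namespace')}:{meta.get('name')}"

    match = ROLE_ARN_RE.match(meta.get("annotations", {}).get("eks.amazonaws.com/role-arn", ""))
    if not match:
        problems.append("missing or malformed eks.amazonaws.com/role-arn annotation")
    elif match.group(1) != role_name:
        problems.append(f"annotation names role {match.group(1)!r} but trust policy is for {role_name!r}")

    allowed_subs = set()
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        for key, value in stmt.get("Condition", {}).get("StringEquals", {}).items():
            if key.endswith(":sub"):  # the OIDC subject claim, whatever issuer URL prefixes it
                allowed_subs.update(value if isinstance(value, list) else [value])
    if expected_sub not in allowed_subs:
        problems.append(f"trust policy never allows {expected_sub}; allowed: {sorted(allowed_subs)}")
    return problems
```

A renamed release or a namespace other than kube-system changes the rendered SA name or namespace and therefore the `sub` the token carries, which this check reports before the controller fails with an AssumeRoleWithWebIdentity error.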
Yes, you can use it as long as you have the required IAM policies attached to your SA.