If you want to access Services by using an ALB Ingress in a dedicated Kubernetes cluster, you must grant the required permissions to the ALB Ingress controller before you deploy the Services. This topic describes how to grant permissions to the ALB Ingress controller in a dedicated Kubernetes cluster.

Procedure

  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, click Clusters.
  3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
  4. On the Cluster Information page, click the Cluster Resources tab.
  5. On the Cluster Resources tab, click K8sWorkerRole-**** to the right of Worker RAM Role.
  6. In the Resource Access Management (RAM) console, modify the trust policy and RAM policy.
    1. On the K8sWorkerRole-**** page, click the Trust Policy Management tab.
    2. Check whether the content of the trust policy is the same as the following content. If not, click Edit Trust Policy. In the Edit Trust Policy panel, copy the following content to the template and click OK:
      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "ecs.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
    3. On the K8sWorkerRole-**** page, click the Permissions tab and then click the policy name of K8sWorkerRolePolicy-****.
    4. On the Policy Management page, check whether the following ALB Ingress permissions are included in the policy. If the following ALB Ingress permissions are not included in the policy, click Modify Policy Document. In the Modify Policy Document panel, add the following content and then click OK:
      {
        "Action": [
          "alb:TagResources",
          "alb:ListServerGroups",
          "alb:ListServerGroupServers",
          "alb:AddServersToServerGroup",
          "alb:RemoveServersFromServerGroup",
          "alb:ReplaceServersInServerGroup",
          "alb:CreateLoadBalancer",
          "alb:DeleteLoadBalancer",
          "alb:UpdateLoadBalancerAttribute",
          "alb:UpdateLoadBalancerEdition",
          "alb:EnableLoadBalancerAccessLog",
          "alb:DisableLoadBalancerAccessLog",
          "alb:EnableDeletionProtection",
          "alb:DisableDeletionProtection",
          "alb:ListLoadBalancers",
          "alb:GetLoadBalancerAttribute",
          "alb:ListListeners",
          "alb:CreateListener",
          "alb:GetListenerAttribute",
          "alb:UpdateListenerAttribute",
          "alb:ListListenerCertificates",
          "alb:AssociateAdditionalCertificatesWithListener",
          "alb:DissociateAdditionalCertificatesFromListener",
          "alb:DeleteListener",
          "alb:CreateRule",
          "alb:DeleteRule",
          "alb:UpdateRuleAttribute",
          "alb:CreateRules",
          "alb:UpdateRulesAttribute",
          "alb:DeleteRules",
          "alb:ListRules",
          "alb:CreateServerGroup",
          "alb:DeleteServerGroup",
          "alb:UpdateServerGroupAttribute",
          "alb:DescribeZones"
        ],
        "Resource": "*",
        "Effect": "Allow"
      },
      {
        "Action": "ram:CreateServiceLinkedRole",
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {
          "StringEquals": {
            "ram:ServiceName": [
              "alb.aliyuncs.com",
              "logdelivery.alb.aliyuncs.com"
            ]
          }
        }
      },
      {
        "Action": [
          "yundun-cert:DescribeSSLCertificateList",
          "yundun-cert:DescribeSSLCertificatePublicKeyDetail"
        ],
        "Resource": "*",
        "Effect": "Allow"
      }
      Note The preceding content is a set of statements to add inside the existing "Statement" array of the policy document; it is not a complete policy document. To specify multiple actions, add a comma (,) to the end of the content of each action before you enter the content of the next action. These statements grant the listed actions on all ALB resources ("Resource": "*"), and the worker RAM role is obtainable by any workload that can reach the ECS instance metadata service on a worker node, so do not add actions beyond the ones the controller needs.
  7. Check whether the RAM role of the Elastic Compute Service (ECS) instance is normal.
    1. In the left-side navigation pane of the details page, choose Nodes > Nodes.
    2. On the Nodes page, find the node that you want to manage and click the instance ID. Example: i-2ze5d2qi9iy90pzb****.
    3. On the page that appears, click the Instance Details tab. Go to the Other Information section and check whether a RAM role exists in the RAM Role field.
      If no RAM role exists, attach the worker RAM role (K8sWorkerRole-****) from Step 5 to the ECS instance. For more information, see Step 2: Create an ECS instance and attach the RAM role to the instance.
  8. Delete the alb-ingress-controller pod so that it is re-created with the updated permissions, and check the status of the new pod.
    1. Run the following command to delete the pod named alb-ingress-controller:
      kubectl -n kube-system delete pod alb-ingress-controller-xxx
      Expected output:
      pod "alb-ingress-controller-***1" deleted
    2. Wait for a few minutes and then run the following command to query the recreated pod:
      kubectl -n kube-system get pod
      Expected output:
      NAME                          READY   STATUS    RESTARTS   AGE
      alb-ingress-controller-***2   1/1     Running   0          60s
      The output indicates that the recreated pod named alb-ingress-controller-***2 is in the Running state.
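
Steps 6.2 and 6.4 are manual comparisons of two policy documents against the expected content. The following is an added example, not code from this topic or from the ALB Ingress controller, that performs the same comparison on policy documents copied from the RAM console: it checks the trust policy for the ecs.aliyuncs.com principal, lists required ALB and yundun-cert actions that no Allow statement covers (wildcards such as alb:* are honoured), flags explicit Deny statements, which override Allow in RAM, and checks the ram:ServiceName condition on ram:CreateServiceLinkedRole. The two sample policy documents in the block are constructed for the example, and the function names are the example's own.

```python
"""Check a worker RAM role's trust policy and permission policy for what the
ALB Ingress controller needs.  Added example, not code from the ACK docs or
from the controller; the sample policy documents below are constructed."""
import fnmatch
import json

# Actions the procedure above lists for the ALB Ingress controller.
REQUIRED_ACTIONS = [
    "alb:TagResources", "alb:ListServerGroups", "alb:ListServerGroupServers",
    "alb:AddServersToServerGroup", "alb:RemoveServersFromServerGroup",
    "alb:ReplaceServersInServerGroup", "alb:CreateLoadBalancer", "alb:DeleteLoadBalancer",
    "alb:UpdateLoadBalancerAttribute", "alb:UpdateLoadBalancerEdition",
    "alb:EnableLoadBalancerAccessLog", "alb:DisableLoadBalancerAccessLog",
    "alb:EnableDeletionProtection", "alb:DisableDeletionProtection", "alb:ListLoadBalancers",
    "alb:GetLoadBalancerAttribute", "alb:ListListeners", "alb:CreateListener",
    "alb:GetListenerAttribute", "alb:UpdateListenerAttribute", "alb:ListListenerCertificates",
    "alb:AssociateAdditionalCertificatesWithListener",
    "alb:DissociateAdditionalCertificatesFromListener", "alb:DeleteListener",
    "alb:CreateRule", "alb:DeleteRule", "alb:UpdateRuleAttribute", "alb:CreateRules",
    "alb:UpdateRulesAttribute", "alb:DeleteRules", "alb:ListRules", "alb:CreateServerGroup",
    "alb:DeleteServerGroup", "alb:UpdateServerGroupAttribute", "alb:DescribeZones",
    "yundun-cert:DescribeSSLCertificateList", "yundun-cert:DescribeSSLCertificatePublicKeyDetail",
]
# Services the controller must be allowed to create service-linked roles for.
REQUIRED_SLR_SERVICES = {"alb.aliyuncs.com", "logdelivery.alb.aliyuncs.com"}

def _as_list(value):
    """RAM policy fields may be a string or a list; normalise to a list."""
    return [] if value is None else [value] if isinstance(value, str) else list(value)

def _statements(doc, effect):
    return [s for s in doc.get("Statement", []) if s.get("Effect") == effect]

def _matches(action, patterns):
    """Case-insensitive match that honours RAM wildcards such as alb:* or alb:List*."""
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def trust_policy_allows_ecs(trust_doc):
    """True if an Allow statement lets ecs.aliyuncs.com call sts:AssumeRole, which the
    ECS instances that host the worker nodes need in order to obtain the role's credentials."""
    for st in _statements(trust_doc, "Allow"):
        principal = st.get("Principal") or {}
        if _matches("sts:AssumeRole", _as_list(st.get("Action"))) and isinstance(principal, dict) \
                and "ecs.aliyuncs.com" in _as_list(principal.get("Service")):
            return True
    return False

def missing_actions(policy_doc, required=REQUIRED_ACTIONS):
    """Required actions that no Allow statement grants."""
    allowed = [a for st in _statements(policy_doc, "Allow") for a in _as_list(st.get("Action"))]
    return [a for a in required if not _matches(a, allowed)]

def denied_actions(policy_doc, required=REQUIRED_ACTIONS):
    """Required actions hit by an explicit Deny, which in RAM overrides any Allow."""
    denied = [a for st in _statements(policy_doc, "Deny") for a in _as_list(st.get("Action"))]
    return [a for a in required if _matches(a, denied)]

def missing_slr_services(policy_doc):
    """Required services for which ram:CreateServiceLinkedRole is not allowed.
    A statement without a ram:ServiceName condition allows it for every service."""
    allowed = set()
    for st in _statements(policy_doc, "Allow"):
        if _matches("ram:CreateServiceLinkedRole", _as_list(st.get("Action"))):
            cond = (st.get("Condition") or {}).get("StringEquals") or {}
            allowed.update(_as_list(cond.get("ram:ServiceName")) or ["*"])
    return set() if "*" in allowed else REQUIRED_SLR_SERVICES - allowed

def check(trust_doc, policy_doc):
    """The manual checks of the procedure, as one report."""
    return {"trust_ok": trust_policy_allows_ecs(trust_doc),
            "missing": missing_actions(policy_doc),
            "denied": denied_actions(policy_doc),
            "missing_slr": sorted(missing_slr_services(policy_doc))}

# Constructed samples: the trust policy from the procedure, and a permission policy that
# uses wildcards, forgets alb:DescribeZones and the logdelivery service, and has a stray Deny.
SAMPLE_TRUST = {"Version": "1", "Statement": [{"Action": "sts:AssumeRole", "Effect": "Allow",
                                               "Principal": {"Service": ["ecs.aliyuncs.com"]}}]}
SAMPLE_POLICY = {"Version": "1", "Statement": [
    {"Action": ["alb:List*", "alb:Get*", "alb:Create*", "alb:Delete*", "alb:Update*",
                "alb:TagResources", "alb:AddServersToServerGroup",
                "alb:RemoveServersFromServerGroup", "alb:ReplaceServersInServerGroup",
                "alb:EnableLoadBalancerAccessLog", "alb:DisableLoadBalancerAccessLog",
                "alb:EnableDeletionProtection", "alb:DisableDeletionProtection",
                "alb:AssociateAdditionalCertificatesWithListener",
                "alb:DissociateAdditionalCertificatesFromListener",
                "yundun-cert:DescribeSSLCertificateList",
                "yundun-cert:DescribeSSLCertificatePublicKeyDetail"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": ["alb.aliyuncs.com"]}}},
    {"Action": "alb:DeleteLoadBalancer", "Resource": "*", "Effect": "Deny"},
]}

if __name__ == "__main__":
    print(json.dumps(check(SAMPLE_TRUST, SAMPLE_POLICY), indent=2))
```

To use it on a real role, paste the trust policy and the policy document from the RAM console into JSON files, load them with json.load, and pass the two dictionaries to check(). An empty "missing" and "missing_slr" and an empty "denied" mean the policy matches what the procedure requires; the "Resource" field is not evaluated because the procedure grants every action on "*".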

What to do next

For more information about how to access Services by using an ALB Ingress in a dedicated Kubernetes cluster, see Access Services by using an ALB Ingress.