If you want to access Services by using an Application Load Balancer (ALB) Ingress in a Container Service for Kubernetes (ACK) dedicated cluster, you must grant the required permissions to the ALB Ingress controller before you deploy the Services. This topic describes how to grant permissions to the ALB Ingress controller in an ACK dedicated cluster.

Procedure

  1. Log on to the ACK console and click Clusters in the left-side navigation pane.
  2. On the Clusters page, click the name of the cluster that you want to manage. On the details page of the cluster, click the Cluster Resources tab.
  3. On the Cluster Resources tab, click K8sWorkerRole-**** to the right of Worker RAM Role.
  4. In the Resource Access Management (RAM) console, modify the trust policy and RAM policy.
    1. On the K8sWorkerRole-**** page, click the Trust Policy Management tab.
    2. Check whether the content of the trust policy is the same as the following content. If not, click Edit Trust Policy. In the Edit Trust Policy panel, copy the following content to the template and click OK:
      {
        "Statement": [
          {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Principal": {
              "Service": [
                "ecs.aliyuncs.com"
              ]
            }
          }
        ],
        "Version": "1"
      }
    3. On the K8sWorkerRole-**** page, click the Permissions tab and then click K8sWorkerRolePolicy-****.
    4. On the details page of the policy, check whether the following ALB Ingress-related permissions are included. If the policy does not include all of the permissions, click Modify Policy Document. In the Modify Policy Document panel, add the following content and then click OK:
      {
        "Action": [
          "alb:TagResources",
          "alb:ListServerGroups",
          "alb:ListServerGroupServers",
          "alb:AddServersToServerGroup",
          "alb:RemoveServersFromServerGroup",
          "alb:ReplaceServersInServerGroup",
          "alb:CreateLoadBalancer",
          "alb:DeleteLoadBalancer",
          "alb:UpdateLoadBalancerAttribute",
          "alb:UpdateLoadBalancerEdition",
          "alb:EnableLoadBalancerAccessLog",
          "alb:DisableLoadBalancerAccessLog",
          "alb:EnableDeletionProtection",
          "alb:DisableDeletionProtection",
          "alb:ListLoadBalancers",
          "alb:GetLoadBalancerAttribute",
          "alb:ListListeners",
          "alb:CreateListener",
          "alb:GetListenerAttribute",
          "alb:UpdateListenerAttribute",
          "alb:ListListenerCertificates",
          "alb:AssociateAdditionalCertificatesWithListener",
          "alb:DissociateAdditionalCertificatesFromListener",
          "alb:DeleteListener",
          "alb:CreateRule",
          "alb:DeleteRule",
          "alb:UpdateRuleAttribute",
          "alb:CreateRules",
          "alb:UpdateRulesAttribute",
          "alb:DeleteRules",
          "alb:ListRules",
          "alb:CreateServerGroup",
          "alb:DeleteServerGroup",
          "alb:UpdateServerGroupAttribute",
          "alb:DescribeZones"
        ],
        "Resource": "*",
        "Effect": "Allow"
      },
      {
        "Action": "ram:CreateServiceLinkedRole",
        "Resource": "*",
        "Effect": "Allow",
        "Condition": {
          "StringEquals": {
            "ram:ServiceName": [
              "alb.aliyuncs.com",
              "logdelivery.alb.aliyuncs.com"
            ]
          }
        }
      },
      {
        "Action": [
          "yundun-cert:DescribeSSLCertificateList",
          "yundun-cert:DescribeSSLCertificatePublicKeyDetail"
        ],
        "Resource": "*",
        "Effect": "Allow"
      }
      Note: To specify multiple actions, separate them with commas (,): add a comma after each action before you enter the next one.
  5. Check whether the RAM role of the Elastic Compute Service (ECS) instance is normal.
    1. In the left-side navigation pane of the details page, choose Nodes > Nodes.
    2. On the Nodes page, find the node that you want to manage and click the instance ID. Example: i-2ze5d2qi9iy90pzb****.
    3. On the details page of the instance, click the Instance Details tab. Go to the Other Information section and check whether a RAM role exists in the RAM Role field.
      If no RAM role exists, assign a RAM role to the ECS instance. For more information, see Step 2. Create an ECS instance and attach the RAM role to the instance.
  6. Delete the pod named alb-ingress-controller and check the status of the recreated pod.
    1. Run the following command to query the pod named alb-ingress-controller:
      kubectl -n kube-system get pod | grep alb-ingress-controller
      Expected output:
      NAME                          READY   STATUS    RESTARTS   AGE
      alb-ingress-controller-***    1/1     Running   0          60s
    2. Run the following command to delete the pod named alb-ingress-controller. Replace alb-ingress-controller-*** with the pod name that you obtained in the previous step:
      kubectl -n kube-system delete pod alb-ingress-controller-***
      Expected output:
      pod "alb-ingress-controller-***" deleted
    3. Wait for a few minutes and then run the following command to query the recreated pod:
      kubectl -n kube-system get pod
      Expected output:
      NAME                          READY   STATUS    RESTARTS   AGE
      alb-ingress-controller-***2    1/1     Running   0          60s
      The output indicates that the recreated pod named alb-ingress-controller-***2 is in the Running state.
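The following is an added example (not part of the original topic and not ACK or RAM tooling) that checks an exported worker RAM policy document and trust policy against the permissions listed in Step 4, so the review in Steps 4.2 and 4.4 can be done offline on the JSON rather than by eye. It honours wildcard actions such as "alb:*", ignores Deny statements, and assumes action-name matching is case-insensitive; the sample documents are constructed for the demo.

```python
from fnmatch import fnmatchcase

# Actions the ALB Ingress controller needs, taken from Step 4 of the procedure.
REQUIRED_ACTIONS = """
alb:TagResources alb:ListServerGroups alb:ListServerGroupServers alb:AddServersToServerGroup
alb:RemoveServersFromServerGroup alb:ReplaceServersInServerGroup alb:CreateLoadBalancer
alb:DeleteLoadBalancer alb:UpdateLoadBalancerAttribute alb:UpdateLoadBalancerEdition
alb:EnableLoadBalancerAccessLog alb:DisableLoadBalancerAccessLog alb:EnableDeletionProtection
alb:DisableDeletionProtection alb:ListLoadBalancers alb:GetLoadBalancerAttribute alb:ListListeners
alb:CreateListener alb:GetListenerAttribute alb:UpdateListenerAttribute alb:ListListenerCertificates
alb:AssociateAdditionalCertificatesWithListener alb:DissociateAdditionalCertificatesFromListener
alb:DeleteListener alb:CreateRule alb:DeleteRule alb:UpdateRuleAttribute alb:CreateRules
alb:UpdateRulesAttribute alb:DeleteRules alb:ListRules alb:CreateServerGroup alb:DeleteServerGroup
alb:UpdateServerGroupAttribute alb:DescribeZones ram:CreateServiceLinkedRole
yundun-cert:DescribeSSLCertificateList yundun-cert:DescribeSSLCertificatePublicKeyDetail
""".split()


def _as_list(value):
    """RAM allows "Action"/"Service" to be a single string or a list; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions that no Allow statement grants (order of `required` kept).
    Wildcards like "alb:*" count as a grant; comparison is lower-cased (assumption)."""
    patterns = [a.lower() for s in policy.get("Statement", []) if s.get("Effect") == "Allow"
                for a in _as_list(s.get("Action"))]
    return [a for a in required if not any(fnmatchcase(a.lower(), p) for p in patterns)]


def trust_policy_allows_ecs(trust):
    """True if the trust policy lets ECS (ecs.aliyuncs.com) assume the role via sts:AssumeRole."""
    for s in trust.get("Statement", []):
        if s.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(s.get("Action")):
            if "ecs.aliyuncs.com" in _as_list(s.get("Principal", {}).get("Service")):
                return True
    return False


# Constructed sample: wildcard ALB grant plus the RAM action, but no yundun-cert permissions.
SAMPLE_POLICY = {"Version": "1", "Statement": [
    {"Action": ["alb:*", "ram:CreateServiceLinkedRole"], "Resource": "*", "Effect": "Allow"}]}
SAMPLE_TRUST = {"Version": "1", "Statement": [
    {"Action": "sts:AssumeRole", "Effect": "Allow", "Principal": {"Service": ["ecs.aliyuncs.com"]}}]}

if __name__ == "__main__":
    print("missing actions:", missing_actions(SAMPLE_POLICY))
    print("ECS can assume worker role:", trust_policy_allows_ecs(SAMPLE_TRUST))
```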

What to do next

For more information about how to access Services by using an ALB Ingress in an ACK dedicated cluster, see Access Services by using an ALB Ingress.