
Server Load Balancer: Authorize a self-managed cluster to use the ALB Ingress controller

Last Updated: Jul 05, 2023

The Application Load Balancer (ALB) Ingress controller provides powerful Ingress traffic management capabilities. This topic describes how to authorize a self-managed cluster to use the ALB Ingress controller to manage traffic.

Procedure

  1. Step 1: Create a Resource Access Management (RAM) user

  2. Step 2: Create a RAM policy and attach it to the RAM user

  3. Step 3: Configure the AccessKey ID and AccessKey secret in the self-managed cluster

Step 1: Create a RAM user

  1. Log on to the RAM console with your Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Users. On the page that appears, click Create User.

  3. On the Create User page, set the Logon Name and Display Name parameters, select OpenAPI Access, and then click OK.

  4. On the Create User page, copy the AccessKey ID and AccessKey secret of the RAM user.

Step 2: Create a RAM policy and attach the policy to the RAM user

  1. Create a policy to provide the permissions that are required for using the ALB Ingress controller.

    1. In the left-side navigation pane of the RAM console, choose Permissions > Policies. On the right side of the page, click Create Policy.

    2. Click the JSON tab, copy and paste the following content to the editor, and then click Next to edit policy information.


      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "ecs:Describe*",
              "ecs:CreateRouteEntry",
              "ecs:DeleteRouteEntry",
              "ecs:CreateNetworkInterface",
              "ecs:DeleteNetworkInterface",
              "ecs:CreateNetworkInterfacePermission",
              "ecs:DeleteNetworkInterfacePermission",
              "ecs:ModifyInstanceAttribute",
              "ecs:AttachKeyPair",
              "ecs:StopInstance",
              "ecs:StartInstance",
              "ecs:ReplaceSystemDisk"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "slb:Describe*",
              "slb:CreateLoadBalancer",
              "slb:DeleteLoadBalancer",
              "slb:ModifyLoadBalancerInternetSpec",
              "slb:RemoveBackendServers",
              "slb:AddBackendServers",
              "slb:RemoveTags",
              "slb:AddTags",
              "slb:StopLoadBalancerListener",
              "slb:StartLoadBalancerListener",
              "slb:SetLoadBalancerHTTPListenerAttribute",
              "slb:SetLoadBalancerHTTPSListenerAttribute",
              "slb:SetLoadBalancerTCPListenerAttribute",
              "slb:SetLoadBalancerUDPListenerAttribute",
              "slb:CreateLoadBalancerHTTPSListener",
              "slb:CreateLoadBalancerHTTPListener",
              "slb:CreateLoadBalancerTCPListener",
              "slb:CreateLoadBalancerUDPListener",
              "slb:DeleteLoadBalancerListener",
              "slb:CreateVServerGroup",
              "slb:DescribeVServerGroups",
              "slb:DeleteVServerGroup",
              "slb:SetVServerGroupAttribute",
              "slb:DescribeVServerGroupAttribute",
              "slb:ModifyVServerGroupBackendServers",
              "slb:AddVServerGroupBackendServers",
              "slb:ModifyLoadBalancerInstanceSpec",
              "slb:ModifyLoadBalancerInternetSpec",
              "slb:SetLoadBalancerModificationProtection",
              "slb:SetLoadBalancerDeleteProtection",
              "slb:SetLoadBalancerName",
              "slb:ModifyLoadBalancerInstanceChargeType",
              "slb:RemoveVServerGroupBackendServers"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "nlb:TagResources",
              "nlb:UnTagResources",
              "nlb:ListTagResources",
              "nlb:CreateLoadBalancer",
              "nlb:DeleteLoadBalancer",
              "nlb:GetLoadBalancerAttribute",
              "nlb:ListLoadBalancers",
              "nlb:UpdateLoadBalancerAttribute",
              "nlb:UpdateLoadBalancerAddressTypeConfig",
              "nlb:UpdateLoadBalancerZones",
              "nlb:CreateListener",
              "nlb:DeleteListener",
              "nlb:ListListeners",
              "nlb:UpdateListenerAttribute",
              "nlb:StopListener",
              "nlb:StartListener",
              "nlb:GetListenerAttribute",
              "nlb:GetListenerHealthStatus",
              "nlb:CreateServerGroup",
              "nlb:DeleteServerGroup",
              "nlb:UpdateServerGroupAttribute",
              "nlb:AddServersToServerGroup",
              "nlb:RemoveServersFromServerGroup",
              "nlb:UpdateServerGroupServersAttribute",
              "nlb:ListServerGroups",
              "nlb:ListServerGroupServers",
              "nlb:GetJobStatus"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "vpc:Describe*",
              "vpc:DeleteRouteEntry",
              "vpc:CreateRouteEntry"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
                "ram:ServiceName": [
                  "alb.aliyuncs.com",
                  "audit.log.aliyuncs.com",
                  "logdelivery.alb.aliyuncs.com"
                ]
              }
            }
          },
          {
            "Action": [
              "yundun-cert:DescribeSSLCertificateList",
              "yundun-cert:DescribeSSLCertificatePublicKeyDetail",
              "yundun-cert:CreateSSLCertificateWithName",
              "yundun-cert:DeleteSSLCertificate"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "alb:TagResources",
              "alb:UnTagResources",
              "alb:ListServerGroups",
              "alb:ListServerGroupServers",
              "alb:AddServersToServerGroup",
              "alb:RemoveServersFromServerGroup",
              "alb:ReplaceServersInServerGroup",
              "alb:CreateLoadBalancer",
              "alb:DeleteLoadBalancer",
              "alb:UpdateLoadBalancerAttribute",
              "alb:UpdateLoadBalancerEdition",
              "alb:EnableLoadBalancerAccessLog",
              "alb:DisableLoadBalancerAccessLog",
              "alb:EnableDeletionProtection",
              "alb:DisableDeletionProtection",
              "alb:ListLoadBalancers",
              "alb:GetLoadBalancerAttribute",
              "alb:ListListeners",
              "alb:CreateListener",
              "alb:GetListenerAttribute",
              "alb:UpdateListenerAttribute",
              "alb:ListListenerCertificates",
              "alb:AssociateAdditionalCertificatesWithListener",
              "alb:DissociateAdditionalCertificatesFromListener",
              "alb:DeleteListener",
              "alb:CreateRule",
              "alb:DeleteRule",
              "alb:UpdateRuleAttribute",
              "alb:UpdateRulesAttribute",
              "alb:CreateRules",
              "alb:DeleteRules",
              "alb:ListRules",
              "alb:CreateServerGroup",
              "alb:DeleteServerGroup",
              "alb:UpdateServerGroupAttribute",
              "alb:DescribeZones",
              "alb:CreateAcl",
              "alb:DeleteAcl",
              "alb:ListAcls",
              "alb:AddEntriesToAcl",
              "alb:AssociateAclsWithListener",
              "alb:ListAclEntries",
              "alb:RemoveEntriesFromAcl",
              "alb:DissociateAclsFromListener",
              "alb:EnableLoadBalancerIpv6Internet",
              "alb:DisableLoadBalancerIpv6Internet"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }
    3. Set Name in the Basic Information section and click OK.

  2. Attach the policy to the RAM user to authorize the RAM user to use the ALB Ingress controller.

    1. In the left-side navigation pane, choose Identities > Users.

    2. On the Users page, find the RAM user created in Step 1: Create a RAM user and click Add Permissions in the Actions column.

    3. In the Add Permissions panel, click Custom Policy, select a policy, keep the default settings for the other parameters, and then click OK.

Step 3: Configure the AccessKey ID and AccessKey secret in the self-managed cluster

  1. Use Base64 to encode the AccessKey ID and AccessKey secret.

    1. Visit Base64, enter the AccessKey ID on the page, and then click Encode to obtain the encoded AccessKey ID.

    2. Enter the AccessKey secret and click Encode to obtain the encoded AccessKey secret.

  2. Run the following command to add the Base64-encoded AccessKey ID and AccessKey secret to the load-balancer-config ConfigMap and save the ConfigMap:

    vim <load-balancer-config ConfigMap file name> 

    The following code block shows an example of the load-balancer-config ConfigMap. Replace the AccessKeyID value with the Base64-encoded AccessKey ID and the AccessKeySecret value with the Base64-encoded AccessKey secret. Do not place comments inside the cloud-config.conf block: every line of the block scalar becomes part of the JSON document, so a comment would make the configuration invalid.

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: load-balancer-config
      namespace: kube-system
    data:
      cloud-config.conf: |-
        {
            "Global": {
                "AccessKeyID": "VndV***",
                "AccessKeySecret": "UWU0NnUyTFdhcG***"
            }
        }

  3. Run the following command to deploy the load-balancer-config ConfigMap:

    kubectl apply -f <load-balancer-config ConfigMap file name>
  4. Restart the pod of load-balancer-controller for the configuration to take effect.

    1. Run the following command to query the pod of load-balancer-controller:

      kubectl get pod -n kube-system|grep load-balancer-controller
    2. Run the following command to delete the pod of load-balancer-controller:

      kubectl delete pod -n kube-system load-balancer-controller-***

      Expected output:

      pod load-balancer-controller-*** deleted
    3. Run the following command to query the status of the pod that is recreated for load-balancer-controller:

      kubectl get pod -n kube-system|grep load-balancer-controller

      Expected output:

      load-balancer-controller-0o9s***     1/1    Running   0    10s
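The encoding in Step 3 does not need a website: the AccessKey pair can be Base64-encoded locally, which keeps the credential off third-party pages, and the ConfigMap can be rendered from the encoded values in the same shell. The following script is an added example and is not part of the original page or of the controller project; it uses the standard `base64` utility, and the test values and the `b64`, `render_configmap` and `decode_check` function names are constructed for illustration. Base64 is only an encoding, so the resulting ConfigMap must still be protected like any other credential-bearing Kubernetes object.

```shell
#!/bin/sh
# Added example (not from the original page): Base64-encode an AccessKey pair
# locally and render the load-balancer-config ConfigMap from the encoded values.
# Uses only POSIX sh plus the coreutils base64 command.

# b64 prints the Base64 encoding of its argument on a single line.
# printf '%s' is used instead of echo so no trailing newline is encoded.
b64() {
  printf '%s' "$1" | base64 | tr -d '\n'
}

# decode_check round-trips a value through b64 and base64 -d and returns
# success only if the decoded value matches the original.
decode_check() {
  original="$1"
  decoded=$(b64 "$original" | base64 -d)
  [ "$decoded" = "$original" ]
}

# render_configmap prints the ConfigMap YAML for two already-encoded values.
# The JSON inside cloud-config.conf carries no comments, because every line
# of the |- block scalar becomes part of the JSON document.
render_configmap() {
  ak_id_b64="$1"
  ak_secret_b64="$2"
  cat <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: load-balancer-config
  namespace: kube-system
data:
  cloud-config.conf: |-
    {
        "Global": {
            "AccessKeyID": "${ak_id_b64}",
            "AccessKeySecret": "${ak_secret_b64}"
        }
    }
EOF
}

# Usage (constructed placeholder values; read the real pair from a protected
# location such as a variable exported by a secret manager, never from history):
#   render_configmap "$(b64 "$ALIBABA_CLOUD_ACCESS_KEY_ID")" \
#                    "$(b64 "$ALIBABA_CLOUD_ACCESS_KEY_SECRET")" > load-balancer-config.yaml
#   kubectl apply -f load-balancer-config.yaml
```

The rendered file is equivalent to the ConfigMap shown in Step 3 and is applied with the same `kubectl apply -f` command; after applying it, restart the load-balancer-controller pod as described in Step 3.4.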

References

Tutorials:

Use ALB Ingresses on self-managed Kubernetes clusters

Source code: