To use an Application Load Balancer (ALB) Ingress to access Services deployed in an ACK dedicated cluster, you need to first grant the cluster permissions on the ALB Ingress controller. This topic describes how to authorize an ACK dedicated cluster to access the ALB Ingress controller.
Prerequisites
Usage notes
You need to authorize a cluster to access the ALB Ingress controller only if the cluster is an ACK dedicated cluster. You can skip this step if the cluster is an ACK managed cluster or ACK Serverless cluster.
Procedure
Create a custom Resource Access Management (RAM) policy.
In the left-side navigation pane, choose .
On the Policies page, click Create Policy.
On the Create Policy page, click the JSON tab. Copy the following policy content to the code editor and click Next to edit policy information.
{
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "alb:EnableLoadBalancerIpv6Internet",
        "alb:DisableLoadBalancerIpv6Internet",
        "alb:CreateAcl",
        "alb:DeleteAcl",
        "alb:ListAcls",
        "alb:ListAclRelations",
        "alb:AddEntriesToAcl",
        "alb:AssociateAclsWithListener",
        "alb:ListAclEntries",
        "alb:RemoveEntriesFromAcl",
        "alb:DissociateAclsFromListener",
        "alb:TagResources",
        "alb:UnTagResources",
        "alb:ListServerGroups",
        "alb:ListServerGroupServers",
        "alb:AddServersToServerGroup",
        "alb:RemoveServersFromServerGroup",
        "alb:ReplaceServersInServerGroup",
        "alb:CreateLoadBalancer",
        "alb:DeleteLoadBalancer",
        "alb:UpdateLoadBalancerAttribute",
        "alb:UpdateLoadBalancerEdition",
        "alb:EnableLoadBalancerAccessLog",
        "alb:DisableLoadBalancerAccessLog",
        "alb:EnableDeletionProtection",
        "alb:DisableDeletionProtection",
        "alb:ListLoadBalancers",
        "alb:GetLoadBalancerAttribute",
        "alb:ListListeners",
        "alb:CreateListener",
        "alb:GetListenerAttribute",
        "alb:UpdateListenerAttribute",
        "alb:ListListenerCertificates",
        "alb:AssociateAdditionalCertificatesWithListener",
        "alb:DissociateAdditionalCertificatesFromListener",
        "alb:DeleteListener",
        "alb:CreateRule",
        "alb:DeleteRule",
        "alb:UpdateRuleAttribute",
        "alb:CreateRules",
        "alb:UpdateRulesAttribute",
        "alb:DeleteRules",
        "alb:ListRules",
        "alb:UpdateListenerLogConfig",
        "alb:CreateServerGroup",
        "alb:DeleteServerGroup",
        "alb:UpdateServerGroupAttribute",
        "alb:UpdateLoadBalancerAddressTypeConfig",
        "alb:AttachCommonBandwidthPackageToLoadBalancer",
        "alb:DetachCommonBandwidthPackageFromLoadBalancer",
        "alb:UpdateServerGroupServersAttribute",
        "alb:MoveResourceGroup",
        "alb:DescribeZones",
        "alb:ListAScripts",
        "alb:CreateAScripts",
        "alb:UpdateAScripts",
        "alb:DeleteAScripts"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "alb.aliyuncs.com",
            "audit.log.aliyuncs.com",
            "nlb.aliyuncs.com",
            "logdelivery.alb.aliyuncs.com"
          ]
        }
      }
    },
    {
      "Action": [
        "log:GetProductDataCollection",
        "log:OpenProductDataCollection",
        "log:CloseProductDataCollection"
      ],
      "Resource": "acs:log:*:*:project/*/logstore/alb_*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "yundun-cert:DescribeSSLCertificateList",
        "yundun-cert:DescribeSSLCertificatePublicKeyDetail",
        "yundun-cert:CreateSSLCertificateWithName",
        "yundun-cert:DeleteSSLCertificate"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
Note: To specify multiple actions, add a comma (,) to the end of the content of each action before you enter the content of the next action.
Specify the Name and Description fields.
Click OK.
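Every node in the cluster assumes the worker RAM role, so the policy you attach in the next step should grant only what the controller needs. As an added example that is not part of this topic, the following Python audit checks a policy document against the shape of the policy above before you attach it: no wildcard or out-of-scope actions, ram:CreateServiceLinkedRole limited by a ram:ServiceName condition to the expected services, and Log Service actions scoped to alb_* logstores rather than Resource "*". SAMPLE_POLICY, EXPECTED_SERVICES and EXPECTED_PREFIXES are constructed from the policy on this page, trimmed to a few actions.

```python
import json

# Constructed, trimmed stand-in for this topic's policy: the same four statement
# shapes, but only a few alb:* actions so the sample stays short.
SAMPLE_POLICY = """{
  "Version": "1",
  "Statement": [
    {"Action": ["alb:ListAcls", "alb:CreateLoadBalancer", "alb:DeleteLoadBalancer"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": ["alb.aliyuncs.com",
       "audit.log.aliyuncs.com", "nlb.aliyuncs.com", "logdelivery.alb.aliyuncs.com"]}}},
    {"Action": ["log:GetProductDataCollection", "log:OpenProductDataCollection"],
     "Resource": "acs:log:*:*:project/*/logstore/alb_*", "Effect": "Allow"},
    {"Action": "yundun-cert:DescribeSSLCertificateList", "Resource": "*", "Effect": "Allow"}
  ]
}"""

# Service-linked role targets and action prefixes taken from this topic's policy.
EXPECTED_SERVICES = {"alb.aliyuncs.com", "audit.log.aliyuncs.com",
                     "nlb.aliyuncs.com", "logdelivery.alb.aliyuncs.com"}
EXPECTED_PREFIXES = ("alb:", "ram:", "log:", "yundun-cert:")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy):
    """Return findings for a RAM policy (JSON text or dict); [] means it passed.
    Checks wildcard/out-of-scope actions, the ram:ServiceName condition, and log scope."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for idx, st in enumerate(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions, resources = _as_list(st.get("Action", [])), _as_list(st.get("Resource", []))
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append(f"statement {idx}: wildcard action {action!r}")
            elif not action.startswith(EXPECTED_PREFIXES):
                findings.append(f"statement {idx}: out-of-scope action {action!r}")
        if "ram:CreateServiceLinkedRole" in actions:
            names = st.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
            if not names:
                findings.append(f"statement {idx}: CreateServiceLinkedRole has no ram:ServiceName condition")
            for name in _as_list(names or []):
                if name not in EXPECTED_SERVICES:
                    findings.append(f"statement {idx}: unexpected service-linked role target {name!r}")
        if any(a.startswith("log:") for a in actions) and "*" in resources:
            findings.append(f"statement {idx}: Log Service actions granted on Resource \"*\"")
    return findings
```

Run audit_policy on the full policy text you paste into the console; an empty list means it matches the scope described in this topic.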
Attach the RAM policy to the worker RAM role used by your cluster.
Log on to the ACK console. In the left-side navigation pane, click Clusters.
On the Clusters page, find the cluster that you want to manage and click its name. On the page that appears, click the Basic Information tab.
On the Basic Information tab, click the hyperlink next to the Worker RAM Role field to log on to the RAM console.
On the Permissions tab, click Grant Permission. In the Grant Permission panel, select Custom Policy from the drop-down list and select the custom policy that you created in the previous step.
Click Grant permissions.
Click Close.
Check whether the RAM role of the Elastic Compute Service (ECS) instance is normal.
In the left-side navigation pane of the details page, choose .
On the Nodes page, click the ID of the node that you want to manage, such as i-2ze5d2qi9iy90pzb****.
On the page that appears, click the Instance Details tab. Then, check whether the RAM Role parameter in the Other Information section displays the RAM role of the ECS instance.
If no RAM role exists, assign a RAM role to the ECS instance. For more information, see Step 2: Create an ECS instance and attach the RAM role to the instance.
Delete the pod of alb-ingress-controller and check the status of alb-ingress-controller after the pod is recreated.
Important: We recommend that you perform this step during off-peak hours.
Run the following command to query the name of the alb-ingress-controller pod:
kubectl -n kube-system get pod | grep alb-ingress-controller
Expected output:
NAME                         READY   STATUS    RESTARTS   AGE
alb-ingress-controller-***   1/1     Running   0          60s
Run the following command to delete the pod of alb-ingress-controller:
Replace alb-ingress-controller-*** with the pod name that you obtained in the previous step.
kubectl -n kube-system delete pod alb-ingress-controller-***
Expected output:
pod "alb-ingress-controller-***" deleted
Wait a few minutes and run the following command to query the status of the recreated pod:
kubectl -n kube-system get pod
Expected output:
NAME                          READY   STATUS    RESTARTS   AGE
alb-ingress-controller-***2   1/1     Running   0          60s
The output indicates that the recreated pod is in the Running state.
What to do next
For more information about how to use an ALB Ingress to access Services in an ACK dedicated cluster, see Access Services by using an ALB Ingress.