All Products
Search

This Product

    Server Load Balancer:Authorize a self-managed Kubernetes cluster to use the ALB Ingress controller

    Document Center

    Server Load Balancer:Authorize a self-managed Kubernetes cluster to use the ALB Ingress controller

    Last Updated:Dec 12, 2024

    The Application Load Balancer (ALB) Ingress controller provides powerful Ingress traffic management capabilities. This topic describes how to authorize a self-managed cluster to use the ALB Ingress controller before you can use the ALB Ingress controller to manage traffic.

    Procedure

    1. Step 1: Create a RAM user

    2. Step 2: Create a RAM policy and attach the policy to the RAM user

    3. Step 3: Configure the AccessKey ID and AccessKey secret in the self-managed cluster

    Step 1: Create a RAM user

    1. Log on to the Resource Access Management (RAM) console by using an Alibaba Cloud account.

    2. In the left-side navigation pane, choose Identities > Users. On the page that appears, click Create User.

    3. On the Create User page, set the Logon Name and Display Name parameters, select Using permanent AccessKey to access, then click OK.

    4. On the Create User page, copy the AccessKey ID and AccessKey secret of the RAM user.

    Step 2: Create a RAM policy and attach the policy to the RAM user

    1. Create a policy to provide the permissions that are required for using the ALB Ingress controller.

      1. In the left-side navigation pane of the RAM console, choose Permissions > Policies. On the right side of the page, click Create Policy.

      2. Click the JSON tab, copy and paste the following content to the editor, then click OK.

        View the sample code

        {
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:Describe*",
        "ecs:CreateRouteEntry",
        "ecs:DeleteRouteEntry",
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:ModifyInstanceAttribute",
        "ecs:AttachKeyPair",
        "ecs:StopInstance",
        "ecs:StartInstance",
        "ecs:ReplaceSystemDisk"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "slb:Describe*",
        "slb:CreateLoadBalancer",
        "slb:DeleteLoadBalancer",
        "slb:ModifyLoadBalancerInternetSpec",
        "slb:RemoveBackendServers",
        "slb:AddBackendServers",
        "slb:RemoveTags",
        "slb:AddTags",
        "slb:StopLoadBalancerListener",
        "slb:StartLoadBalancerListener",
        "slb:SetLoadBalancerHTTPListenerAttribute",
        "slb:SetLoadBalancerHTTPSListenerAttribute",
        "slb:SetLoadBalancerTCPListenerAttribute",
        "slb:SetLoadBalancerUDPListenerAttribute",
        "slb:CreateLoadBalancerHTTPSListener",
        "slb:CreateLoadBalancerHTTPListener",
        "slb:CreateLoadBalancerTCPListener",
        "slb:CreateLoadBalancerUDPListener",
        "slb:DeleteLoadBalancerListener",
        "slb:CreateVServerGroup",
        "slb:DescribeVServerGroups",
        "slb:DeleteVServerGroup",
        "slb:SetVServerGroupAttribute",
        "slb:DescribeVServerGroupAttribute",
        "slb:ModifyVServerGroupBackendServers",
        "slb:AddVServerGroupBackendServers",
        "slb:ModifyLoadBalancerInstanceSpec",
        "slb:ModifyLoadBalancerInternetSpec",
        "slb:SetLoadBalancerModificationProtection",
        "slb:SetLoadBalancerDeleteProtection",
        "slb:SetLoadBalancerName",
        "slb:ModifyLoadBalancerInstanceChargeType",
        "slb:RemoveVServerGroupBackendServers"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "nlb:TagResources",
        "nlb:UnTagResources",
        "nlb:ListTagResources",
        "nlb:CreateLoadBalancer",
        "nlb:DeleteLoadBalancer",
        "nlb:GetLoadBalancerAttribute",
        "nlb:ListLoadBalancers",
        "nlb:UpdateLoadBalancerAttribute",
        "nlb:UpdateLoadBalancerAddressTypeConfig",
        "nlb:UpdateLoadBalancerZones",
        "nlb:CreateListener",
        "nlb:DeleteListener",
        "nlb:ListListeners",
        "nlb:UpdateListenerAttribute",
        "nlb:StopListener",
        "nlb:StartListener",
        "nlb:GetListenerAttribute",
        "nlb:GetListenerHealthStatus",
        "nlb:CreateServerGroup",
        "nlb:DeleteServerGroup",
        "nlb:UpdateServerGroupAttribute",
        "nlb:AddServersToServerGroup",
        "nlb:RemoveServersFromServerGroup",
        "nlb:UpdateServerGroupServersAttribute",
        "nlb:ListServerGroups",
        "nlb:ListServerGroupServers",
        "nlb:GetJobStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:Describe*",
        "vpc:DeleteRouteEntry",
        "vpc:CreateRouteEntry"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "alb.aliyuncs.com",
            "audit.log.aliyuncs.com",
            "logdelivery.alb.aliyuncs.com"
          ]
        }
      }
    },
    {
      "Action": [
        "yundun-cert:DescribeSSLCertificateList",
        "yundun-cert:DescribeSSLCertificatePublicKeyDetail",
        "yundun-cert:CreateSSLCertificateWithName",
        "yundun-cert:DeleteSSLCertificate"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "alb:TagResources",
        "alb:UnTagResources",
        "alb:ListServerGroups",
        "alb:ListServerGroupServers",
        "alb:AddServersToServerGroup",
        "alb:RemoveServersFromServerGroup",
        "alb:ReplaceServersInServerGroup",
        "alb:CreateLoadBalancer",
        "alb:DeleteLoadBalancer",
        "alb:UpdateLoadBalancerAttribute",
        "alb:UpdateLoadBalancerEdition",
        "alb:EnableLoadBalancerAccessLog",
        "alb:DisableLoadBalancerAccessLog",
        "alb:EnableDeletionProtection",
        "alb:DisableDeletionProtection",
        "alb:ListLoadBalancers",
        "alb:GetLoadBalancerAttribute",
        "alb:ListListeners",
        "alb:CreateListener",
        "alb:GetListenerAttribute",
        "alb:UpdateListenerAttribute",
        "alb:ListListenerCertificates",
        "alb:AssociateAdditionalCertificatesWithListener",
        "alb:DissociateAdditionalCertificatesFromListener",
        "alb:DeleteListener",
        "alb:CreateRule",
        "alb:DeleteRule",
        "alb:UpdateRuleAttribute",
        "alb:UpdateRulesAttribute",
        "alb:CreateRules",
        "alb:DeleteRules",
        "alb:ListRules",
        "alb:CreateServerGroup",
        "alb:DeleteServerGroup",
        "alb:UpdateServerGroupAttribute",
        "alb:DescribeZones",
        "alb:CreateAcl",
        "alb:DeleteAcl",
        "alb:ListAcls",
        "alb:AddEntriesToAcl",
        "alb:AssociateAclsWithListener",
        "alb:ListAclEntries",
        "alb:RemoveEntriesFromAcl",
        "alb:DissociateAclsFromListener",
        "alb:EnableLoadBalancerIpv6Internet",
        "alb:DisableLoadBalancerIpv6Internet"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

      3. In the Create Policy dialog box, set Name and click OK.

    2. Attach the policy to the RAM user to authorize the RAM user to use the ALB Ingress controller.

      1. In the left-side navigation pane, choose Identities > Users.

      2. On the Users page, find the RAM user that you created in Step 1: Create a RAM user and click Add Permissions in the Actions column.

      3. In the Grant Permission panel, in the Policy section, select Custom Policy from the drop-down list in the upper-right corner, select a policy, keep the default settings for the other parameters, then click Grant permissions.

      4. Click Close.

    Step 3: Configure the AccessKey ID and AccessKey secret in the self-managed cluster

    1. Use Base64 to encode the AccessKey ID and AccessKey secret.

      1. Visit Base64, enter the AccessKey ID on the page, then click Encode to obtain the encoded AccessKey ID.

      2. Enter the AccessKey secret and click Encode to obtain the encoded AccessKey secret.

    2. Run the following command to add the Base64-encoded AccessKey ID and AccessKey secret to the load-balancer-config ConfigMap and save the ConfigMap: 

      vim <load-balancer-config ConfigMap file name>

      The following code block shows an example of the load-balancer-config ConfigMap:

      apiVersion: v1
kind: ConfigMap
metadata:
  name: load-balancer-config
  namespace: kube-system
data:
  cloud-config.conf: |-
    {
        "Global": {
            "AccessKeyID": "VndV***",              # Specify the Base64-encoded AccessKey ID. 
            "AccessKeySecret": "UWU0NnUyTFdhcG***" # Specify the Base64-encoded AccessKey secret. 
        }
    }

    3. Run the following command to deploy the load-balancer-config ConfigMap: 

      kubectl apply -f  <load-balancer-config ConfigMap file name>

    4. Restart the pod of load-balancer-controller for the configuration to take effect.

      1. Run the following command to query the pod of load-balancer-controller: 

        kubectl get pod -n kube-system|grep load-balancer-controller

      2. Run the following command to delete the pod of load-balancer-controller: 

        kubectl delete pod -n kube-system load-balancer-controller-***

        Expected output:

        pod load-balancer-controller-*** deleted

      3. Run the following command to query the status of the pod that is recreated for load-balancer-controller: 

        kubectl get pod -n kube-system|grep load-balancer-controller

        Expected output:

        load-balancer-controller-0o9s***     1/1    Running   0    10s

    Reference

    Tutorial:

    Use ALB Ingresses on self-managed Kubernetes clusters

    Source code documentation: