
Server Load Balancer:Authorize a self-managed Kubernetes cluster to use the ALB Ingress controller

Last Updated:Mar 20, 2024

The Application Load Balancer (ALB) Ingress controller provides powerful Ingress traffic management capabilities. The ALB Ingress controller can be used in container services such as Container Service for Kubernetes (ACK) and in self-managed Kubernetes clusters. You must authorize a self-managed Kubernetes cluster to use the ALB Ingress controller before you can use the ALB Ingress controller to manage traffic.

Step 1: Create a RAM user

  1. Log on to the Resource Access Management (RAM) console by using an Alibaba Cloud account.

  2. In the left-side navigation pane, choose Identities > Users. On the page that appears, click Create User.

  3. On the Create User page, set the Logon Name and Display Name parameters, select OpenAPI Access, and then click OK.

  4. On the Create User page, copy the AccessKey ID and AccessKey secret of the RAM user.

Step 2: Create a RAM policy and attach the policy to the RAM user

  1. Create a policy to provide the permissions that are required for using the ALB Ingress controller.

    1. In the left-side navigation pane of the RAM console, choose Permissions > Policies. On the right side of the page, click Create Policy.

    2. Click the JSON tab, copy and paste the following content to the editor, and then click Next to edit policy information.


      {
        "Version": "1",
        "Statement": [
          {
            "Action": [
              "ecs:Describe*",
              "ecs:CreateRouteEntry",
              "ecs:DeleteRouteEntry",
              "ecs:CreateNetworkInterface",
              "ecs:DeleteNetworkInterface",
              "ecs:CreateNetworkInterfacePermission",
              "ecs:DeleteNetworkInterfacePermission",
              "ecs:ModifyInstanceAttribute",
              "ecs:AttachKeyPair",
              "ecs:StopInstance",
              "ecs:StartInstance",
              "ecs:ReplaceSystemDisk"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "slb:Describe*",
              "slb:CreateLoadBalancer",
              "slb:DeleteLoadBalancer",
              "slb:ModifyLoadBalancerInternetSpec",
              "slb:RemoveBackendServers",
              "slb:AddBackendServers",
              "slb:RemoveTags",
              "slb:AddTags",
              "slb:StopLoadBalancerListener",
              "slb:StartLoadBalancerListener",
              "slb:SetLoadBalancerHTTPListenerAttribute",
              "slb:SetLoadBalancerHTTPSListenerAttribute",
              "slb:SetLoadBalancerTCPListenerAttribute",
              "slb:SetLoadBalancerUDPListenerAttribute",
              "slb:CreateLoadBalancerHTTPSListener",
              "slb:CreateLoadBalancerHTTPListener",
              "slb:CreateLoadBalancerTCPListener",
              "slb:CreateLoadBalancerUDPListener",
              "slb:DeleteLoadBalancerListener",
              "slb:CreateVServerGroup",
              "slb:DescribeVServerGroups",
              "slb:DeleteVServerGroup",
              "slb:SetVServerGroupAttribute",
              "slb:DescribeVServerGroupAttribute",
              "slb:ModifyVServerGroupBackendServers",
              "slb:AddVServerGroupBackendServers",
              "slb:ModifyLoadBalancerInstanceSpec",
              "slb:ModifyLoadBalancerInternetSpec",
              "slb:SetLoadBalancerModificationProtection",
              "slb:SetLoadBalancerDeleteProtection",
              "slb:SetLoadBalancerName",
              "slb:ModifyLoadBalancerInstanceChargeType",
              "slb:RemoveVServerGroupBackendServers"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "nlb:TagResources",
              "nlb:UnTagResources",
              "nlb:ListTagResources",
              "nlb:CreateLoadBalancer",
              "nlb:DeleteLoadBalancer",
              "nlb:GetLoadBalancerAttribute",
              "nlb:ListLoadBalancers",
              "nlb:UpdateLoadBalancerAttribute",
              "nlb:UpdateLoadBalancerAddressTypeConfig",
              "nlb:UpdateLoadBalancerZones",
              "nlb:CreateListener",
              "nlb:DeleteListener",
              "nlb:ListListeners",
              "nlb:UpdateListenerAttribute",
              "nlb:StopListener",
              "nlb:StartListener",
              "nlb:GetListenerAttribute",
              "nlb:GetListenerHealthStatus",
              "nlb:CreateServerGroup",
              "nlb:DeleteServerGroup",
              "nlb:UpdateServerGroupAttribute",
              "nlb:AddServersToServerGroup",
              "nlb:RemoveServersFromServerGroup",
              "nlb:UpdateServerGroupServersAttribute",
              "nlb:ListServerGroups",
              "nlb:ListServerGroupServers",
              "nlb:GetJobStatus"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "vpc:Describe*",
              "vpc:DeleteRouteEntry",
              "vpc:CreateRouteEntry"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": "ram:CreateServiceLinkedRole",
            "Resource": "*",
            "Effect": "Allow",
            "Condition": {
              "StringEquals": {
                "ram:ServiceName": [
                  "alb.aliyuncs.com",
                  "audit.log.aliyuncs.com",
                  "logdelivery.alb.aliyuncs.com"
                ]
              }
            }
          },
          {
            "Action": [
              "yundun-cert:DescribeSSLCertificateList",
              "yundun-cert:DescribeSSLCertificatePublicKeyDetail",
              "yundun-cert:CreateSSLCertificateWithName",
              "yundun-cert:DeleteSSLCertificate"
            ],
            "Resource": "*",
            "Effect": "Allow"
          },
          {
            "Action": [
              "alb:TagResources",
              "alb:UnTagResources",
              "alb:ListServerGroups",
              "alb:ListServerGroupServers",
              "alb:AddServersToServerGroup",
              "alb:RemoveServersFromServerGroup",
              "alb:ReplaceServersInServerGroup",
              "alb:CreateLoadBalancer",
              "alb:DeleteLoadBalancer",
              "alb:UpdateLoadBalancerAttribute",
              "alb:UpdateLoadBalancerEdition",
              "alb:EnableLoadBalancerAccessLog",
              "alb:DisableLoadBalancerAccessLog",
              "alb:EnableDeletionProtection",
              "alb:DisableDeletionProtection",
              "alb:ListLoadBalancers",
              "alb:GetLoadBalancerAttribute",
              "alb:ListListeners",
              "alb:CreateListener",
              "alb:GetListenerAttribute",
              "alb:UpdateListenerAttribute",
              "alb:ListListenerCertificates",
              "alb:AssociateAdditionalCertificatesWithListener",
              "alb:DissociateAdditionalCertificatesFromListener",
              "alb:DeleteListener",
              "alb:CreateRule",
              "alb:DeleteRule",
              "alb:UpdateRuleAttribute",
              "alb:UpdateRulesAttribute",
              "alb:CreateRules",
              "alb:DeleteRules",
              "alb:ListRules",
              "alb:CreateServerGroup",
              "alb:DeleteServerGroup",
              "alb:UpdateServerGroupAttribute",
              "alb:DescribeZones",
              "alb:CreateAcl",
              "alb:DeleteAcl",
              "alb:ListAcls",
              "alb:AddEntriesToAcl",
              "alb:AssociateAclsWithListener",
              "alb:ListAclEntries",
              "alb:RemoveEntriesFromAcl",
              "alb:DissociateAclsFromListener",
              "alb:EnableLoadBalancerIpv6Internet",
              "alb:DisableLoadBalancerIpv6Internet"
            ],
            "Resource": "*",
            "Effect": "Allow"
          }
        ]
      }

    3. Set Name in the Basic Information section and click OK.

  2. Attach the policy to the RAM user to authorize the RAM user to use the ALB Ingress controller.

    1. In the left-side navigation pane, choose Identities > Users.

    2. On the Users page, find the RAM user that you created and click Add Permissions in the Actions column.

    3. In the Add Permissions panel, click Custom Policy, select the policy that you created in the previous step, keep the default settings for the other parameters, and then click OK.
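Before the policy is attached, it is worth checking its shape once in code rather than by eye. The following lint script is an added example, not Alibaba Cloud's code or tooling; it assumes only the policy layout shown above (Version, a Statement list, Action as a string or a list, Resource, Effect, and an optional Condition) and uses a constructed, abbreviated SAMPLE_POLICY with the same structure. It reports which services are granted, any action listed twice, how many statements use Resource "*", and whether the ram:CreateServiceLinkedRole grant is still pinned to named services by the ram:ServiceName condition.

```python
"""Sanity-check a RAM policy document before attaching it to the RAM user.

Added example, not Alibaba Cloud's code or tooling. It assumes only the policy
shape shown on the page (Version, Statement[], Action as string or list,
Resource, Effect, optional Condition); SAMPLE_POLICY is constructed and
abbreviated, not the page's full policy.
"""
import json

# Constructed, abbreviated policy with the same structure as the page's:
# unconditioned Allow statements per service plus the conditioned
# ram:CreateServiceLinkedRole grant. One action is listed twice on purpose.
SAMPLE_POLICY = """
{
  "Version": "1",
  "Statement": [
    {"Action": ["ecs:Describe*", "ecs:CreateRouteEntry"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": ["slb:Describe*", "slb:ModifyLoadBalancerInternetSpec",
                "slb:ModifyLoadBalancerInternetSpec"],
     "Resource": "*", "Effect": "Allow"},
    {"Action": "ram:CreateServiceLinkedRole", "Resource": "*", "Effect": "Allow",
     "Condition": {"StringEquals": {"ram:ServiceName": ["alb.aliyuncs.com"]}}}
  ]
}
"""


def actions_of(statement: dict) -> list:
    """RAM accepts Action as a single string or a list; normalise to a list."""
    action = statement.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def lint_policy(policy_text: str) -> dict:
    """Parse the policy and return a review report: services granted,
    duplicated actions, how many statements use Resource "*", and findings."""
    policy = json.loads(policy_text)  # malformed JSON raises here; the console would reject it too
    findings = []
    if policy.get("Version") != "1":
        findings.append(f"Version is {policy.get('Version')!r}, expected '1'")
    seen, duplicates, services, wildcard = set(), [], set(), 0
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            findings.append(f"statement {idx}: Effect is {stmt.get('Effect')!r}, expected 'Allow'")
        if stmt.get("Resource") == "*":
            wildcard += 1
        acts = actions_of(stmt)
        for action in acts:
            if ":" not in action:
                findings.append(f"statement {idx}: action {action!r} has no service prefix")
                continue
            services.add(action.split(":", 1)[0])
            if action in seen:
                duplicates.append(action)
            seen.add(action)
        # The service-linked-role grant must stay pinned to named services; without
        # the Condition the user could create linked roles for any Alibaba Cloud service.
        if "ram:CreateServiceLinkedRole" in acts:
            names = stmt.get("Condition", {}).get("StringEquals", {}).get("ram:ServiceName")
            if not names:
                findings.append(
                    f"statement {idx}: ram:CreateServiceLinkedRole is not restricted by ram:ServiceName")
    return {
        "services": sorted(services),
        "duplicates": duplicates,
        "wildcard_resource_statements": wildcard,
        "findings": findings,
    }


if __name__ == "__main__":
    # Paste the page's full policy in place of SAMPLE_POLICY to lint the real document.
    print(json.dumps(lint_policy(SAMPLE_POLICY), indent=2))
```

Run against the page's full policy, the report lists slb:ModifyLoadBalancerInternetSpec under duplicates (it appears twice in the slb statement, which is harmless but worth knowing) and no findings, since the ram:CreateServiceLinkedRole statement carries the ram:ServiceName condition. The duplicate check and the condition check are the two things that are easy to miss when a long action list is reviewed by hand.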

Step 3: Configure the AccessKey ID and AccessKey secret in the self-managed cluster

  1. Use Base64 to encode the AccessKey ID and AccessKey secret and obtain the encoded AccessKey pair.

  2. Run the following command to add the Base64-encoded AccessKey ID and AccessKey secret to the load-balancer-config ConfigMap and save the ConfigMap:

    vim <load-balancer-config ConfigMap file name>

    The following code block shows an example of the load-balancer-config ConfigMap. The two annotations are YAML comments placed outside the block scalar on purpose: anything inside the cloud-config.conf block, including a trailing # comment, becomes part of the JSON document that the controller parses and would make it invalid.

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: load-balancer-config
      namespace: kube-system
    data:
      # AccessKeyID: the Base64-encoded AccessKey ID.
      # AccessKeySecret: the Base64-encoded AccessKey secret.
      cloud-config.conf: |-
        {
            "Global": {
                "AccessKeyID": "VndV***",
                "AccessKeySecret": "UWU0NnUyTFdhcG***"
            }
        }

  3. Run the following command to deploy the load-balancer-config ConfigMap:

    kubectl apply -f <load-balancer-config ConfigMap file name>

  4. Restart the pod of load-balancer-controller for the configuration to take effect.

    1. Run the following command to query the pod of load-balancer-controller:

      kubectl get pod -n kube-system | grep load-balancer-controller

    2. Run the following command to delete the pod of load-balancer-controller:

      kubectl delete pod -n kube-system load-balancer-controller-***

      Expected output:

      pod load-balancer-controller-*** deleted

    3. Run the following command to query the status of the pod that is recreated for load-balancer-controller:

      kubectl get pod -n kube-system|grep load-balancer-controller

      Expected output:

      load-balancer-controller-0o9s***     1/1    Running   0    10s
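Steps 1 to 3 of this section (encode the AccessKey pair, place it in cloud-config.conf, write the ConfigMap) can be done in one short script so that the manifest is generated rather than hand-edited in vim. The following is an added example, not Alibaba Cloud's code or tooling; it assumes only what the page shows, namely that the controller reads cloud-config.conf from a ConfigMap named load-balancer-config in kube-system and expects the AccessKey ID and AccessKey secret to be Base64-encoded inside that JSON. The YAML is rendered by hand so no third-party library is needed, and decode_credentials reads a manifest back so it can be checked before kubectl apply. The placeholder credentials in the script are constructed.

```python
"""Build the load-balancer-config ConfigMap for the ALB Ingress controller.

Added example, not Alibaba Cloud's own tooling. It assumes only what the page
shows: the controller reads cloud-config.conf from the ConfigMap named
load-balancer-config in kube-system, and the AccessKey ID and AccessKey secret
inside that JSON are Base64-encoded.
"""
import base64
import json

CONFIGMAP_NAME = "load-balancer-config"
CONFIGMAP_NAMESPACE = "kube-system"


def b64(value: str) -> str:
    """Base64-encode a UTF-8 string. Unlike `echo "$AK" | base64` on the CLI,
    this does not pick up a trailing newline; the CLI equivalent is
    `printf '%s' "$AK" | base64`."""
    return base64.b64encode(value.encode("utf-8")).decode("ascii")


def build_configmap(access_key_id: str, access_key_secret: str) -> dict:
    """Return the ConfigMap manifest as a dict. The credentials are Base64-encoded
    inside cloud-config.conf, matching the page's example."""
    cloud_config = {
        "Global": {
            "AccessKeyID": b64(access_key_id),
            "AccessKeySecret": b64(access_key_secret),
        }
    }
    return {
        "apiVersion": "v1",
        "kind": "ConfigMap",
        "metadata": {"name": CONFIGMAP_NAME, "namespace": CONFIGMAP_NAMESPACE},
        "data": {"cloud-config.conf": json.dumps(cloud_config, indent=4)},
    }


def render_manifest(manifest: dict) -> str:
    """Render the manifest as YAML for `kubectl apply -f`. Hand-written so the
    script needs no YAML library; the |- block scalar matches the page's example
    and nothing but the JSON document goes inside it."""
    body = manifest["data"]["cloud-config.conf"]
    indented = "\n".join("    " + line for line in body.splitlines())
    return (
        "apiVersion: v1\n"
        "kind: ConfigMap\n"
        "metadata:\n"
        f"  name: {manifest['metadata']['name']}\n"
        f"  namespace: {manifest['metadata']['namespace']}\n"
        "data:\n"
        "  cloud-config.conf: |-\n"
        f"{indented}\n"
    )


def decode_credentials(manifest: dict) -> tuple:
    """Inverse of build_configmap: decode what the controller would read, so a
    manifest can be verified against the intended AccessKey pair before applying."""
    cfg = json.loads(manifest["data"]["cloud-config.conf"])["Global"]
    ak_id = base64.b64decode(cfg["AccessKeyID"]).decode("utf-8")
    ak_secret = base64.b64decode(cfg["AccessKeySecret"]).decode("utf-8")
    return ak_id, ak_secret


if __name__ == "__main__":
    # Constructed placeholder credentials, not real keys.
    manifest = build_configmap("LTAI-EXAMPLE-ID", "example-secret-placeholder")
    assert decode_credentials(manifest) == ("LTAI-EXAMPLE-ID", "example-secret-placeholder")
    print(render_manifest(manifest), end="")
```

Redirect the script's output to a file and pass that file to kubectl apply -f as in step 3, then restart the load-balancer-controller pod as in step 4. Two points the page's procedure leaves implicit: a trailing newline encoded along with the secret (the echo pitfall noted in b64) produces a value that decodes to the wrong string, which decode_credentials catches before the controller fails to authenticate; and Base64 is an encoding, not encryption, so the ConfigMap holds the AccessKey pair in clear for anyone who can read ConfigMaps in kube-system, and RBAC on that namespace is what actually limits access to it.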

References

For more information about how to use the ALB Ingress controller in self-managed Kubernetes clusters, see the following topics: