全部产品
Search

搜索本产品

    负载均衡:授予自建Kubernetes集群ALB Ingress Controller权限

    文档中心

    负载均衡:授予自建Kubernetes集群ALB Ingress Controller权限

    更新时间:Mar 05, 2024

    ALB Ingress基于阿里云应用型负载均衡ALB(Application Load Balancer)之上提供更为强大的Ingress流量管理方式。ALB Ingress除了支持在阿里云容器服务ACK等容器产品中使用,也可以在您自建的Kubernetes集群中使用。在自建的Kubernetes集群中使用ALB Ingress前,需要先授予自建Kubernetes集群ALB Ingress Controller权限。

    步骤一:创建RAM用户

    1. 使用阿里云账号登录RAM控制台

    2. 在左侧导航栏,选择身份管理>用户,在右侧页面单击创建用户

    3. 创建用户页面,输入登录名称显示名称,选中OpenAPI 调用访问,然后单击确定

    4. 创建用户页面,复制AccessKey IDAccessKey Secret

    步骤二:创建权限策略,并授予RAM用户

    1. 创建调用ALB Ingress Controller组件的权限策略。

      1. 在RAM控制台左侧导航栏,选择权限管理>权限策略,在右侧页面单击创建权限策略

      2. 单击脚本编辑页签,将以下内容复制到代码框,单击继续编辑基本信息

        展开查看详细代码

        {
  "Version": "1",
  "Statement": [
    {
      "Action": [
        "ecs:Describe*",
        "ecs:CreateRouteEntry",
        "ecs:DeleteRouteEntry",
        "ecs:CreateNetworkInterface",
        "ecs:DeleteNetworkInterface",
        "ecs:CreateNetworkInterfacePermission",
        "ecs:DeleteNetworkInterfacePermission",
        "ecs:ModifyInstanceAttribute",
        "ecs:AttachKeyPair",
        "ecs:StopInstance",
        "ecs:StartInstance",
        "ecs:ReplaceSystemDisk"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "slb:Describe*",
        "slb:CreateLoadBalancer",
        "slb:DeleteLoadBalancer",
        "slb:ModifyLoadBalancerInternetSpec",
        "slb:RemoveBackendServers",
        "slb:AddBackendServers",
        "slb:RemoveTags",
        "slb:AddTags",
        "slb:StopLoadBalancerListener",
        "slb:StartLoadBalancerListener",
        "slb:SetLoadBalancerHTTPListenerAttribute",
        "slb:SetLoadBalancerHTTPSListenerAttribute",
        "slb:SetLoadBalancerTCPListenerAttribute",
        "slb:SetLoadBalancerUDPListenerAttribute",
        "slb:CreateLoadBalancerHTTPSListener",
        "slb:CreateLoadBalancerHTTPListener",
        "slb:CreateLoadBalancerTCPListener",
        "slb:CreateLoadBalancerUDPListener",
        "slb:DeleteLoadBalancerListener",
        "slb:CreateVServerGroup",
        "slb:DescribeVServerGroups",
        "slb:DeleteVServerGroup",
        "slb:SetVServerGroupAttribute",
        "slb:DescribeVServerGroupAttribute",
        "slb:ModifyVServerGroupBackendServers",
        "slb:AddVServerGroupBackendServers",
        "slb:ModifyLoadBalancerInstanceSpec",
        "slb:ModifyLoadBalancerInternetSpec",
        "slb:SetLoadBalancerModificationProtection",
        "slb:SetLoadBalancerDeleteProtection",
        "slb:SetLoadBalancerName",
        "slb:ModifyLoadBalancerInstanceChargeType",
        "slb:RemoveVServerGroupBackendServers"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "nlb:TagResources",
        "nlb:UnTagResources",
        "nlb:ListTagResources",
        "nlb:CreateLoadBalancer",
        "nlb:DeleteLoadBalancer",
        "nlb:GetLoadBalancerAttribute",
        "nlb:ListLoadBalancers",
        "nlb:UpdateLoadBalancerAttribute",
        "nlb:UpdateLoadBalancerAddressTypeConfig",
        "nlb:UpdateLoadBalancerZones",
        "nlb:CreateListener",
        "nlb:DeleteListener",
        "nlb:ListListeners",
        "nlb:UpdateListenerAttribute",
        "nlb:StopListener",
        "nlb:StartListener",
        "nlb:GetListenerAttribute",
        "nlb:GetListenerHealthStatus",
        "nlb:CreateServerGroup",
        "nlb:DeleteServerGroup",
        "nlb:UpdateServerGroupAttribute",
        "nlb:AddServersToServerGroup",
        "nlb:RemoveServersFromServerGroup",
        "nlb:UpdateServerGroupServersAttribute",
        "nlb:ListServerGroups",
        "nlb:ListServerGroupServers",
        "nlb:GetJobStatus"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "vpc:Describe*",
        "vpc:DeleteRouteEntry",
        "vpc:CreateRouteEntry"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": "ram:CreateServiceLinkedRole",
      "Resource": "*",
      "Effect": "Allow",
      "Condition": {
        "StringEquals": {
          "ram:ServiceName": [
            "alb.aliyuncs.com",
            "audit.log.aliyuncs.com",
            "logdelivery.alb.aliyuncs.com"
          ]
        }
      }
    },
    {
      "Action": [
        "yundun-cert:DescribeSSLCertificateList",
        "yundun-cert:DescribeSSLCertificatePublicKeyDetail",
        "yundun-cert:CreateSSLCertificateWithName",
        "yundun-cert:DeleteSSLCertificate"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Action": [
        "alb:TagResources",
        "alb:UnTagResources",
        "alb:ListServerGroups",
        "alb:ListServerGroupServers",
        "alb:AddServersToServerGroup",
        "alb:RemoveServersFromServerGroup",
        "alb:ReplaceServersInServerGroup",
        "alb:CreateLoadBalancer",
        "alb:DeleteLoadBalancer",
        "alb:UpdateLoadBalancerAttribute",
        "alb:UpdateLoadBalancerEdition",
        "alb:EnableLoadBalancerAccessLog",
        "alb:DisableLoadBalancerAccessLog",
        "alb:EnableDeletionProtection",
        "alb:DisableDeletionProtection",
        "alb:ListLoadBalancers",
        "alb:GetLoadBalancerAttribute",
        "alb:ListListeners",
        "alb:CreateListener",
        "alb:GetListenerAttribute",
        "alb:UpdateListenerAttribute",
        "alb:ListListenerCertificates",
        "alb:AssociateAdditionalCertificatesWithListener",
        "alb:DissociateAdditionalCertificatesFromListener",
        "alb:DeleteListener",
        "alb:CreateRule",
        "alb:DeleteRule",
        "alb:UpdateRuleAttribute",
        "alb:UpdateRulesAttribute",
        "alb:CreateRules",
        "alb:DeleteRules",
        "alb:ListRules",
        "alb:CreateServerGroup",
        "alb:DeleteServerGroup",
        "alb:UpdateServerGroupAttribute",
        "alb:DescribeZones",
        "alb:CreateAcl",
        "alb:DeleteAcl",
        "alb:ListAcls",
        "alb:AddEntriesToAcl",
        "alb:AssociateAclsWithListener",
        "alb:ListAclEntries",
        "alb:RemoveEntriesFromAcl",
        "alb:DissociateAclsFromListener",
        "alb:EnableLoadBalancerIpv6Internet",
        "alb:DisableLoadBalancerIpv6Internet"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

      3. 基本信息下方,输入名称,单击确定

    2. 授予RAM用户调用ALB Ingress Controller组件的权限策略。

      1. 在左侧导航栏,选择身份管理>用户

      2. 用户页面,找到创建的RAM用户,在该RAM用户右侧操作列,单击添加权限

      3. 添加权限面板,单击自定义策略,选择已创建的权限策略,其他采用默认配置,单击确定

    步骤三:在自建集群配置AccessKey ID与AccessKey Secret

    1. 对AccessKey ID与AccessKey Secret进行Base64编码,获取AccessKey ID、AccessKey Secret编码后的结果。

    2. 执行以下命令,在自建集群的load-balancer-config ConfigMap输入Base64编码后的AccessKey ID与AccessKey Secret,保存load-balancer-config ConfigMap。

      vim <load-balancer-config ConfigMap文件名称>

      load-balancer-config ConfigMap代码示例如下:

      apiVersion: v1
kind: ConfigMap
metadata:
  name: load-balancer-config
  namespace: kube-system
data:
  cloud-config.conf: |-
    {
        "Global": {
            "AccessKeyID": "VndV***",              # 填写Base64编码后的AccessKey ID。
            "AccessKeySecret": "UWU0NnUyTFdhcG***" # 填写Base64编码后的AccessKey Secret。
        }
    }

    3. 执行以下命令,部署load-balancer-config ConfigMap。

      kubectl apply -f  <load-balancer-config ConfigMap文件名称>

    4. 重启load-balancer-controller的Pod,使配置生效。

      1. 执行以下命令,获取load-balancer-controller的Pod名称。

        kubectl get pod -n kube-system|grep load-balancer-controller

      2. 执行以下命令,删除load-balancer-controller的Pod。

        kubectl delete pod -n kube-system load-balancer-controller-***

        预期输出:

        pod load-balancer-controller-*** deleted

      3. 执行以下命令,查看重建后load-balancer-controller的Pod状态。

        kubectl get pod -n kube-system|grep load-balancer-controller

        预期输出:

        load-balancer-controller-0o9s***     1/1    Running   0    10s

    相关文档

    自建Kubernetes集群场景下您可参考对应的ALB Ingress最佳实践文档: