2023. 9. 19. 18:54ㆍDev/EKS
Problem:
I tried to create a Service in EKS to provision an NLB.
The AWS Load Balancer Controller version is v2.4.0.
Code that worked fine 6 months ago now throws an insufficient permissions error.
Of course, adding the missing permissions to aws-load-balancer-controller solves the problem, but let's see why it happened.
Error:
58m Warning FailedDeployModel service/integration
Failed deploy model due to AccessDenied: User: arn:aws:sts::1234567890:assumed-role/eks-alb-controller-hhfz6/1695108220719227138 is not authorized to perform: elasticloadbalancing:AddTags on resource: arn:aws:elasticloadbalancing:ap-northeast-2:1234567890:targetgroup/k8s-core-integrat-1c00c926fc/* because no identity-based policy allows the elasticloadbalancing:AddTags action...
Cause:
The iam-policy.json file that the official documentation provides for installing the load balancer controller has been updated.
{
    "Effect": "Allow",
    "Action": [
        "elasticloadbalancing:AddTags"
    ],
    "Resource": [
        "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
        "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
        "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
    ],
    "Condition": {
        "StringEquals": {
            "elasticloadbalancing:CreateAction": [
                "CreateTargetGroup",
                "CreateLoadBalancer"
            ]
        },
        "Null": {
            "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
        }
    }
},
This statement has been added to the policy.
Adding the above permissions to the IAM role that the controller's service account uses should fix the problem.
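To see how the conditions in that statement decide the request from the error above, here is a small offline evaluator, added as an example and not part of the original post or of AWS tooling. It models only Allow statements with the `StringEquals` and `Null` operators; `OLD`, the cluster name `my-cluster` and the request context are constructed assumptions.

```python
import fnmatch

TAG = "aws:RequestTag/elbv2.k8s.aws/cluster"
ARNS = ["arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
        "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
        "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"]
# Constructed "before" statement (assumption, not from the page): tagging is
# allowed only when the request does not carry the cluster tag.
OLD = {"Effect": "Allow", "Action": ["elasticloadbalancing:AddTags"],
       "Resource": ARNS, "Condition": {"Null": {TAG: "true"}}}
# The statement shown on this page.
NEW = {"Effect": "Allow", "Action": ["elasticloadbalancing:AddTags"],
       "Resource": ARNS,
       "Condition": {"StringEquals": {"elasticloadbalancing:CreateAction":
                                      ["CreateTargetGroup", "CreateLoadBalancer"]},
                     "Null": {TAG: "false"}}}

def as_list(v):
    return v if isinstance(v, list) else [v]

def conditions_hold(cond, ctx):
    """Handles only StringEquals and Null, the operators used in these statements."""
    for op, keys in cond.items():
        for key, expected in keys.items():
            if op == "StringEquals":
                ok = ctx.get(key) in as_list(expected)
            elif op == "Null":  # "true" = key must be absent, "false" = present
                ok = (key not in ctx) == (str(expected).lower() == "true")
            else:
                ok = False  # unknown operator: fail closed
            if not ok:
                return False
    return True

def allows(statements, action, resource, ctx):
    """True if any Allow statement matches; explicit Deny is not modelled."""
    for st in statements:
        if (st.get("Effect") == "Allow"
                and any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in as_list(st["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in as_list(st["Resource"]))
                and conditions_hold(st.get("Condition", {}), ctx)):
            return True
    return False

# Resource ARN from the error on this page; context values are constructed.
RESOURCE = "arn:aws:elasticloadbalancing:ap-northeast-2:1234567890:targetgroup/k8s-core-integrat-1c00c926fc/*"
CREATE_CTX = {"elasticloadbalancing:CreateAction": "CreateTargetGroup", TAG: "my-cluster"}

if __name__ == "__main__":
    print("old only:", allows([OLD], "elasticloadbalancing:AddTags", RESOURCE, CREATE_CTX))
    print("old + new:", allows([OLD, NEW], "elasticloadbalancing:AddTags", RESOURCE, CREATE_CTX))
```

The new statement stays narrow: it matches only when the tagging call is part of `CreateTargetGroup` or `CreateLoadBalancer` and the request carries the cluster tag, so it does not grant general `AddTags` on existing resources.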