The AWS Load Balancer Controller manages Elastic Load Balancers for Kubernetes clusters. The controller provision a Network Load Balancer (NLB) when you create a Kubernetes service of type LoadBalancer and provisions an Application Load Balancer (ALB) when you create a Kubernetes Ingress.
This tutorial requires an EKS cluster with an IAM OIDC provider configured to support IAM Roles for Service accounts (IRSA).
You can use any eksctl created cluster or create your cluster with eksdemo.
» eksdemo create cluster blue
See the Create Cluster documentation for configuration options.
In this section we walk through the process of installing the AWS Load Balancer Controller application. The command for performing the installation is: eksdemo install aws-lb-controller -c <cluster-name>
Let’s learn a bit more about the command and it’s options before we continue by using the -h help shorthand flag.
» eksdemo install aws-lb-controller -h
Install aws-lb-controller
Usage:
eksdemo install aws-lb-controller [flags]
Aliases:
aws-lb-controller, aws-lb, awslb
Flags:
--chart-version string chart version (default "1.5.3")
-c, --cluster string cluster to install application (required)
--default-ingress-class set the alb IngressClass as the default for the cluster
--default-target-type string set the default target type for target groups (default "instance")
--disable-webhook disable the webhook so the in-tree controller can provision CLBs
--dry-run don't install, just print out all installation steps
-h, --help help for aws-lb-controller
-n, --namespace string namespace to install (default "awslb")
--replicas int number of replicas for the controller deployment (default 1)
--service-account string service account name (default "aws-load-balancer-controller")
--set strings set chart values (can specify multiple or separate values with commas: key1=val1,key2=val2)
--use-previous use previous working chart/app versions ("1.4.8"/"v2.4.7")
-v, --version string application version (default "v2.5.2")
The help content provides a lot of valuable information at a glance. The default chart version, application version, namespace, and service account name are included along with optional flags to modify the defaults if desired.
The AWS Load Balancer Controller specific flags are:
--default-ingress-class-- This flag sets the providedalbIngressClass as default IngressClass in cluster.-default-target-type-- You can set the default target type for the load balancer target groups. Options includeinstanceandip.--disable-webhook-- With the v2.5.0 release, the AWS Load Balancer Controller added a mutating webhook to default a Service of typeLoadBalancerto a Network Load Balancer (NLB) from a Classic Load Balancer (CLB). You can disable the webhook using this flag. You will no longer be able to provision a Classic Load Balancer (CLB) from your Kubernetes Service unless you use this flag.--replicas--eksdemodefaults to only 1 replica for easier log viewing in a demo environment. You can use this flag to increase to the default AWS Load Balancer Controller Helm chart value of 2 replicas for high availability.
A very powerful optional flag is the --dry-run flag. This will print out details about any dependencies and exactly how the application install will take place so there is no mystery about the steps eksdemo is taking to install your application. Let’s use the the --dry-run flag to understand how the AWS Load Balancer Controller will be installed. Replace <cluster-name> with the name of your EKS cluster.
» eksdemo install aws-lb-controller -c <cluster-name> --dry-run
Creating 1 dependencies for aws-lb-controller
Creating dependency: aws-lb-controller-irsa
Eksctl Resource Manager Dry Run:
eksctl create iamserviceaccount -f - --approve
---
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
name: blue
region: us-west-2
iam:
withOIDC: true
serviceAccounts:
- metadata:
name: aws-load-balancer-controller
namespace: awslb
roleName: eksdemo.blue.awslb.aws-load-balancer-controller
roleOnly: true
attachPolicy:
<snip>
Helm Installer Dry Run:
+---------------------+----------------------------------+
| Application Version | v2.5.2 |
| Chart Version | 1.5.3 |
| Chart Repository | https://aws.github.io/eks-charts |
| Chart Name | aws-load-balancer-controller |
| Release Name | aws-lb-controller |
| Namespace | awslb |
| Wait | false |
+---------------------+----------------------------------+
Set Values: []
Values File:
---
replicaCount: 1
image:
tag: v2.5.2
fullnameOverride: aws-load-balancer-controller
clusterName: blue
serviceAccount:
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::123456789012:role/eksdemo.blue.awslb.aws-load-balancer-controller
name: aws-load-balancer-controller
region: us-west-2
vpcId: vpc-08a68dc8b440fec75
defaultTargetType: instance
enableServiceMutatorWebhook: true
From the --dry-run output above, you can see that there is one dependency — an IAM Role. This role is associated with the AWS Load Balancer Controller’s service account. This is security best practices feature for EKS called IAM Roles for Service Accounts (IRSA). eksdemo uses eksctl to create the IAM Role and the dry run output includes the exact configuration that will be used.
Additionally, the output includes details on how the application will be installed. Most applications, including the AWS Load Balancer Controller, are installed using a Helm chart. The dry run information for Helm installs includes 3 sections:
- A table with the Helm chart repository URL and name, the chart and application versions and the release name and namespace where the application will be installed.
- Any
--setflag variables to override the chart’svalues.yamldefaults or the values file configuration in the next section. See the Helm documentation for more details on the format and limitations of the --set flag. - The opinionated values file settings built into the
eksdemoapplication catalog. Some of these settings can be change with optional flags. If a flag is not available for the value you wish to change, the--setflag can be used to override any value.
With this application and with many others, a number of values file settings are automatically populated. In the example above, the region, vpcID and AWS Account ID in the IRSA annotation are dynamically updated each time eksdemo runs.
With a thorough understanding of how the application install process works, let’s install the AWS Load Balancer controller. Replace <cluster-name> with the name of your EKS cluster.
» eksdemo install aws-lb-controller -c <cluster-name>
Creating 1 dependencies for aws-lb-controller
Creating dependency: aws-lb-controller-irsa
2023-01-30 21:49:52 [ℹ] 4 existing iamserviceaccount(s) (awslb/aws-load-balancer-controller,external-dns/external-dns,karpenter/karpenter,kube-system/cluster-autoscaler) will be excluded
2023-01-30 21:49:52 [ℹ] 1 iamserviceaccount (awslb/aws-load-balancer-controller) was excluded (based on the include/exclude rules)
2023-01-30 21:49:52 [!] serviceaccounts that exist in Kubernetes will be excluded, use --override-existing-serviceaccounts to override
2023-01-30 21:49:52 [ℹ] no tasks
Downloading Chart: https://aws.github.io/eks-charts/aws-load-balancer-controller-1.5.3.tgz
Helm installing...
2023/01/30 21:49:54 creating 2 resource(s)
2023/01/30 21:49:54 Clearing discovery cache
2023/01/30 21:49:54 beginning wait for 2 resources with timeout of 1m0s
2023/01/30 21:50:02 creating 1 resource(s)
2023/01/30 21:50:03 creating 12 resource(s)
Using chart version "1.5.3", installed "aws-lb-controller" version "v2.5.2" in namespace "awslb"
NOTES:
AWS Load Balancer controller installed!