Install the Amazon Load Balancer Controller add-on using Kubernetes Manifests
This topic describes how to install the controller by downloading and applying Kubernetes
manifests. You can view the full documentation
In the following steps, replace the example values with your own values.
Prerequisites
Before starting this tutorial, you must install and configure the following tools and resources that you need to create and manage an Amazon EKS cluster.
- An existing Amazon EKS cluster. To deploy one, see Getting started with Amazon EKS.
- An existing Amazon Identity and Access Management (IAM) OpenID Connect (OIDC) provider for your cluster. To determine whether you already have one, or to create one, see Create an IAM OIDC provider for your cluster.
- Make sure that your Amazon VPC CNI plugin for Kubernetes, kube-proxy, and CoreDNS add-ons are at the minimum versions listed in Service account tokens.
- Familiarity with Amazon Elastic Load Balancing. For more information, see the Elastic Load Balancing User Guide.
Step 1: Configure IAM
Note
You only need to create an IAM role for the Amazon Load Balancer Controller once per Amazon account. Check if AmazonEKSLoadBalancerControllerRole exists in the IAM Console.
Create an IAM policy.
- Download an IAM policy for the Amazon Load Balancer Controller that allows it to make calls to Amazon APIs on your behalf.
- Create an IAM policy using the policy downloaded in the previous step.

    $ aws iam create-policy \
        --policy-name AWSLoadBalancerControllerIAMPolicy \
        --policy-document file://iam_policy.json

Note
If you view the policy in the Amazon Web Services Management Console, the console shows warnings for the ELB service, but not for the ELB v2 service. This happens because some of the actions in the policy exist for ELB v2, but not for ELB. You can ignore the warnings for ELB.
Step 2: Install cert-manager
Install cert-manager using one of the following methods to inject certificate configuration into the webhooks. For more information, see Getting Started in the cert-manager Documentation.
We recommend using the quay.io container registry to install cert-manager. If your nodes do not have access to the quay.io container registry, install cert-manager using Amazon ECR (see below).
Step 3: Install Amazon Load Balancer Controller
Install Amazon Load Balancer Controller using a Kubernetes manifest
- Download the controller specification. For more information about the controller, see the documentation on GitHub.

    $ curl -Lo v2_7_2_full.yaml https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.7.2/v2_7_2_full.yaml
- Make the following edits to the file.
  - If you downloaded the v2_7_2_full.yaml file, run the following command to remove the ServiceAccount section in the manifest. If you don't remove this section, the required annotation that you made to the service account in a previous step is overwritten. Removing this section also preserves the service account that you created in a previous step if you delete the controller.

        $ sed -i.bak -e '596,604d' ./v2_7_2_full.yaml

    If you downloaded a different file version, then open the file in an editor and remove the following lines.

        apiVersion: v1
        kind: ServiceAccount
        metadata:
          labels:
            app.kubernetes.io/component: controller
            app.kubernetes.io/name: aws-load-balancer-controller
          name: aws-load-balancer-controller
          namespace: kube-system
        ---
  - Replace your-cluster-name in the Deployment spec section of the file with the name of your cluster and add the following parameters under --ingress-class=alb.

        [...]
        spec:
          containers:
            - args:
                - --cluster-name=your-cluster-name
                - --ingress-class=alb
                - --enable-shield=false
                - --enable-waf=false
                - --enable-wafv2=false
        [...]

  - (Required only for Fargate or Restricted IMDS) If you're deploying the controller to Amazon EC2 nodes that have restricted access to the Amazon EC2 instance metadata service (IMDS), or if you're deploying to Fargate, then add the following parameters under - args:.

        [...]
        spec:
          containers:
            - args:
                - --cluster-name=your-cluster-name
                - --ingress-class=alb
                - --enable-shield=false
                - --enable-waf=false
                - --enable-wafv2=false
                - --aws-vpc-id=vpc-xxxxxxxx
                - --aws-region=region-code
        [...]
- Apply the file.

    $ kubectl apply -f v2_7_2_full.yaml

- Download the IngressClass and IngressClassParams manifest to your cluster.

    $ curl -Lo v2_7_2_ingclass.yaml https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.7.2/v2_7_2_ingclass.yaml

- Apply the manifest to your cluster.

    $ kubectl apply -f v2_7_2_ingclass.yaml
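The ServiceAccount removal in the editing step above depends on fixed line numbers (596 to 604), which only hold for that exact file version. The following is an added example, not part of the original documentation: it removes the section by kind and name instead, so a Deployment with the same name and unrelated service accounts are left alone. The function names and the sample manifest are constructed for illustration, and the script assumes the top-level `kind:` and two-space `  name:` layout shown in the snippet above.

```shell
#!/bin/sh
# Print manifest $1 without the ServiceAccount document named $2
# (default: the controller's). Documents are split on "---" lines.
strip_serviceaccount() {
  awk -v want="${2:-aws-load-balancer-controller}" '
    function flush(   i) {
      # Emit the buffered document unless it is the ServiceAccount we want gone.
      if (n > 0 && !(is_sa && is_name)) {
        if (kept++ > 0) print "---"
        for (i = 1; i <= n; i++) print buf[i]
      }
      n = 0; is_sa = 0; is_name = 0
    }
    /^---[ \t]*$/ { flush(); next }
    { buf[++n] = $0 }
    /^kind:[ \t]*ServiceAccount[ \t]*$/ { is_sa = 1 }
    $0 ~ ("^  name:[ \t]*" want "[ \t]*$") { is_name = 1 }
    END { flush() }
  ' "$1"
}

# Count ServiceAccount documents in manifest $1 (check before kubectl apply).
count_serviceaccounts() {
  grep -c '^kind: *ServiceAccount *$' "$1" || true
}

# Constructed sample shaped like the release manifest (not the real file).
sample=$(mktemp)
cat > "$sample" <<'EOF'
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/name: aws-load-balancer-controller
  name: aws-load-balancer-controller
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: other-sa
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: aws-load-balancer-controller
EOF
strip_serviceaccount "$sample" > "$sample.edited"
echo "ServiceAccounts: $(count_serviceaccounts "$sample") -> $(count_serviceaccounts "$sample.edited")"
```

Compare the edited file against the download with diff before applying it, so that the only removed lines are the ServiceAccount section.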
Step 4: Verify that the controller is installed
- Verify that the controller is installed.

    $ kubectl get deployment -n kube-system aws-load-balancer-controller

  An example output is as follows.

    NAME                           READY   UP-TO-DATE   AVAILABLE   AGE
    aws-load-balancer-controller   2/2     2            2           84s

You receive the previous output if you deployed using Helm. If you deployed using the Kubernetes manifest, you only have one replica.
- Before using the controller to provision Amazon resources, your cluster must meet specific requirements. For more information, see Application load balancing on Amazon EKS and Network load balancing on Amazon EKS.