ingress-controller -> loadbalancer-controller

aws-samples · Jan 6, 2021 · ef5ce27 · ef5ce27
1 parent 3cba6c6
commit ef5ce27
Show file tree

Hide file tree

Showing 11 changed files with 34,337 additions and 209 deletions.
diff --git a/cloudformation/eks-ingress-controller-iam.template.yaml b/cloudformation/eks-ingress-controller-iam.template.yaml
diff --git a/cloudformation/eks-loadbalancer-controller-iam-policy.template.yaml b/cloudformation/eks-loadbalancer-controller-iam-policy.template.yaml
@@ -0,0 +1,150 @@
+#############################################################
+## NOT FOR PRODUCTION USE.                                 ##
+## THE CONTENT OF THIS FILE IS FOR LEARNING PURPOSES ONLY  ##
+## created by David Surey, Amazon Web Services, 2021      ##
+#############################################################
+
+AWSTemplateFormatVersion: "2010-09-09"
+Resources:   
+
+  EKSIngressControllerPolicy:
+    Type: 'AWS::IAM::ManagedPolicy'
+    Properties:
+      ManagedPolicyName: EKSIngressControllerPolicy
+      PolicyDocument:
+        Version: 2012-10-17
+        Statement:
+        - Effect: Allow
+          Action:
+          - iam:CreateServiceLinkedRole
+          - ec2:DescribeAccountAttributes
+          - ec2:DescribeAddresses
+          - ec2:DescribeInternetGateways
+          - ec2:DescribeVpcs
+          - ec2:DescribeSubnets
+          - ec2:DescribeSecurityGroups
+          - ec2:DescribeInstances
+          - ec2:DescribeNetworkInterfaces
+          - ec2:DescribeTags
+          - elasticloadbalancing:DescribeLoadBalancers
+          - elasticloadbalancing:DescribeLoadBalancerAttributes
+          - elasticloadbalancing:DescribeListeners
+          - elasticloadbalancing:DescribeListenerCertificates
+          - elasticloadbalancing:DescribeSSLPolicies
+          - elasticloadbalancing:DescribeRules
+          - elasticloadbalancing:DescribeTargetGroups
+          - elasticloadbalancing:DescribeTargetGroupAttributes
+          - elasticloadbalancing:DescribeTargetHealth
+          - elasticloadbalancing:DescribeTags
+          Resource: "*"
+        - Effect: Allow
+          Action:
+          - cognito-idp:DescribeUserPoolClient
+          - acm:ListCertificates
+          - acm:DescribeCertificate
+          - iam:ListServerCertificates
+          - iam:GetServerCertificate
+          - waf-regional:GetWebACL
+          - waf-regional:GetWebACLForResource
+          - waf-regional:AssociateWebACL
+          - waf-regional:DisassociateWebACL
+          - wafv2:GetWebACL
+          - wafv2:GetWebACLForResource
+          - wafv2:AssociateWebACL
+          - wafv2:DisassociateWebACL
+          - shield:GetSubscriptionState
+          - shield:DescribeProtection
+          - shield:CreateProtection
+          - shield:DeleteProtection
+          Resource: "*"
+        - Effect: Allow
+          Action:
+          - ec2:AuthorizeSecurityGroupIngress
+          - ec2:RevokeSecurityGroupIngress
+          Resource: "*"
+        - Effect: Allow
+          Action:
+          - ec2:CreateSecurityGroup
+          Resource: "*"
+        - Effect: Allow
+          Action:
+          - ec2:CreateTags
+          Resource: arn:aws:ec2:*:*:security-group/*
+          Condition:
+            StringEquals:
+              ec2:CreateAction: CreateSecurityGroup
+            'Null':
+              aws:RequestTag/elbv2.k8s.aws/cluster: 'false'
+        - Effect: Allow
+          Action:
+          - ec2:CreateTags
+          - ec2:DeleteTags
+          Resource: arn:aws:ec2:*:*:security-group/*
+          Condition:
+            'Null':
+              aws:RequestTag/elbv2.k8s.aws/cluster: 'true'
+              aws:ResourceTag/elbv2.k8s.aws/cluster: 'false'
+        - Effect: Allow
+          Action:
+          - ec2:AuthorizeSecurityGroupIngress
+          - ec2:RevokeSecurityGroupIngress
+          - ec2:DeleteSecurityGroup
+          Resource: "*"
+          Condition:
+            'Null':
+              aws:ResourceTag/elbv2.k8s.aws/cluster: 'false'
+        - Effect: Allow
+          Action:
+          - elasticloadbalancing:CreateLoadBalancer
+          - elasticloadbalancing:CreateTargetGroup
+          Resource: "*"
+          Condition:
+            'Null':
+              aws:RequestTag/elbv2.k8s.aws/cluster: 'false'
+        - Effect: Allow
+          Action:
+          - elasticloadbalancing:CreateListener
+          - elasticloadbalancing:DeleteListener
+          - elasticloadbalancing:CreateRule
+          - elasticloadbalancing:DeleteRule
+          Resource: "*"
+        - Effect: Allow
+          Action:
+          - elasticloadbalancing:AddTags
+          - elasticloadbalancing:RemoveTags
+          Resource:
+          - arn:aws:elasticloadbalancing:*:*:targetgroup/*/*
+          - arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*
+          - arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*
+          Condition:
+            'Null':
+              aws:RequestTag/elbv2.k8s.aws/cluster: 'true'
+              aws:ResourceTag/elbv2.k8s.aws/cluster: 'false'
+        - Effect: Allow
+          Action:
+          - elasticloadbalancing:ModifyLoadBalancerAttributes
+          - elasticloadbalancing:SetIpAddressType
+          - elasticloadbalancing:SetSecurityGroups
+          - elasticloadbalancing:SetSubnets
+          - elasticloadbalancing:DeleteLoadBalancer
+          - elasticloadbalancing:ModifyTargetGroup
+          - elasticloadbalancing:ModifyTargetGroupAttributes
+          - elasticloadbalancing:DeleteTargetGroup
+          Resource: "*"
+          Condition:
+            'Null':
+              aws:ResourceTag/elbv2.k8s.aws/cluster: 'false'
+        - Effect: Allow
+          Action:
+          - elasticloadbalancing:RegisterTargets
+          - elasticloadbalancing:DeregisterTargets
+          Resource: arn:aws:elasticloadbalancing:*:*:targetgroup/*/*
+        - Effect: Allow
+          Action:
+          - elasticloadbalancing:SetWebAcl
+          - elasticloadbalancing:ModifyListener
+          - elasticloadbalancing:AddListenerCertificates
+          - elasticloadbalancing:RemoveListenerCertificates
+          - elasticloadbalancing:ModifyRule
+          Resource: "*"
+
diff --git a/eks-deploy-cluster.playbook.yaml b/eks-deploy-cluster.playbook.yaml
@@ -64,7 +64,7 @@
         - ./tasks/eks-storage-provider-efscsi.task.yaml
         - ./tasks/eks-container-insights.task.yaml
         - ./tasks/eks-cluster-autoscaler.task.yaml
-        - ./tasks/eks-ingress-controller.task.yaml
+        - ./tasks/eks-loadbalancer-controller.task.yaml
         - ./tasks/eks-external-dns.task.yaml
         - ./tasks/eks-metrics-server.task.yaml
         - ./tasks/eks-xray.task.yaml

diff --git a/eks-destroy-cluster.playbook.yaml b/eks-destroy-cluster.playbook.yaml
@@ -60,7 +60,7 @@
       loop: 
         - { name: cluster-autoscaler, namespace: kube-system }
         - { name: external-dns, namespace: kube-system }
-        - { name: alb-ingress-controller, namespace: kube-system }
+        - { name: alb-loadbalancer-controller, namespace: kube-system }
         - { name: ebs-csi-controller-sa, namespace: kube-system }
         - { name: ebs-snapshot-controller, namespace: kube-system }
         - { name: xray-daemon, namespace: kube-system }
@@ -76,7 +76,7 @@
         - "{{ eksexample_clustername }}-cluster-autoscaler-policy"
         - "{{ eksexample_clustername }}-container-insights-policy"
         - "{{ eksexample_clustername }}-external-dns-policy"
-        - "{{ eksexample_clustername }}-cluster-ingresscontroller-policy"
+        - "{{ eksexample_clustername }}-cluster-loadbalancercontroller-policy"
         - "{{ eksexample_clustername }}-storage-provider-ebscsi-policy"
         - "{{ eksexample_clustername }}-storage-provider-efscsi-storage"
 

diff --git a/k8s/alb-ingress-controller/eks-alb-ingress-controler-clusterrole.manifest.yaml b/k8s/alb-ingress-controller/eks-alb-ingress-controler-clusterrole.manifest.yaml
diff --git a/k8s/alb-ingress-controller/eks-alb-ingress-controler-clusterrolebinding.manifest.yaml b/k8s/alb-ingress-controller/eks-alb-ingress-controler-clusterrolebinding.manifest.yaml
diff --git a/k8s/alb-ingress-controller/eks-alb-ingress-controler-deployment.manifest.yaml b/k8s/alb-ingress-controller/eks-alb-ingress-controler-deployment.manifest.yaml