4.3

Load balancers

Lenses can also be deployed with an AWS load balancer or an Azure Application Gateway.

Lenses can be deployed with the AWS Application Load Balancer (ALB). First, attach the following IAM policy to the EKS node instance IAM role that you will use to deploy the ALB ingress controller.

# Download the IAM policy document for the ALB ingress controller
curl \
  https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.0.0/docs/examples/iam-policy.json \
  -O

# Create the policy and note the policy ARN in the output
aws iam create-policy \
  --policy-name <YOUR-POLICY-NAME> \
  --policy-document file://iam-policy.json

# Attach the policy to the EKS node instance IAM role
aws iam attach-role-policy \
  --role-name <YOUR-ROLE-NAME> \
  --policy-arn <CREATED-POLICY-ARN>

Install the ALB ingress controller:

# Install ALB Ingress controller
# Fetch the chart index over HTTPS so it cannot be altered in transit
helm repo add incubator https://storage.googleapis.com/kubernetes-charts-incubator
helm install incubator/aws-alb-ingress-controller \
  --set clusterName=<EKS-CLUSTER-NAME> \
  --set awsRegion=<YOUR-REGION> \
  --set awsVpcID=<YOUR-VPC-ID> \
  --name <RELEASE-NAME>

When you run the above commands, the ALB ingress controller will not be created until you deploy Lenses, which includes an ingress resource. Add the following options to the Helm values file:

restPort: 3030
servicePort: 3030

service:
  enabled: true
  type: ClusterIP
  annotations: {}

ingress:
  enabled: true
  host:

  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/subnets: <SUBNETS-VPC-OF-DEPLOYED-ALB>
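    # internet-facing gives the ALB a public address; set to "internal" to keep it reachable only from inside the VPC
    alb.ingress.kubernetes.io/scheme: internet-facing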
    alb.ingress.kubernetes.io/target-type: ip

If you specify a host for the ingress, you need to add the ALB address to Route53 to be able to access it externally. Alternatively, deploy an external DNS to manage Route53 records automatically.

Follow the Azure documentation to set up an Application Gateway.

The Application Gateway ingress controller will not be created until you deploy Lenses, which includes an ingress resource. Add the following annotation to the ingress that the Lenses chart deploys:

ingress:
  enabled: true
  host: 

  annotations:
    kubernetes.io/ingress.class: azure/application-gateway

If you specify a host for the ingress, add the Application Gateway address to Azure DNS to be able to access it externally. Or, deploy an external DNS to manage Azure DNS records automatically.


If you receive errors like the following for the service account you are using (e.g. default):

  • Failed to list v1.Endpoints: endpoints is forbidden: User
  • Failed to list v1.Service: services is forbidden: User

Then you need to bind your service account to the cluster-admin role with the following RBAC YAML:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
---
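# rbac.authorization.k8s.io/v1 is the stable RBAC API; v1beta1 was removed in Kubernetes 1.22
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: tiller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # cluster-admin grants unrestricted access to every resource in the cluster
  name: cluster-admin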
subjects:
  - kind: ServiceAccount
    name: tiller
    namespace: kube-system
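
A narrower alternative to the cluster-admin binding above, as an added example that is not from the Lenses documentation: it grants only read access to Services and Endpoints, the two resources named in the errors. The name `lenses-discovery`, the `default` service account and the `default` namespace are assumptions, as is the premise that no other permissions are missing.

```yaml
# Added example: least-privilege alternative to a cluster-admin binding.
# Assumed names: lenses-discovery (role and binding), service account
# "default" in namespace "default". Adjust to the account Lenses runs as.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: lenses-discovery
rules:
  # The core API group ("") holds Service and Endpoints objects.
  - apiGroups: [""]
    resources: ["services", "endpoints"]
    # "list" matches the two errors above; "get" and "watch" are assumed
    # to be needed as well, since clients that list usually also watch.
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: lenses-discovery
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: lenses-discovery
subjects:
  - kind: ServiceAccount
    name: default
    namespace: default
```

After applying it, `kubectl auth can-i list endpoints --as=system:serviceaccount:default:default` should answer `yes`, while the same check for `secrets` should answer `no` unless another binding grants it.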