4.3
Load balancers
Lenses can also be deployed with and AWS Load balancer or Azure Application gateway.
Lenses can be deployed with AWS Application Load Balancer. First, you need to attach the following IAM Policies to the EKS Node Instance IAM Role you will use to deploy ALB ingress controller.
# Create Policy for IAM Role
curl \
https://raw.githubusercontent.com/kubernetes-sigs/aws-alb-ingress-controller/v1.0.0/docs/examples/iam-policy.json \
-O
aws iam create-policy \
--policy-name <YOUR-POLICY-NAME> \
--policy-document file://iam-policy.json \
aws iam attach-user-policy \
--user-name <YOUR-USER-NAME> \
--policy-arn `CREATED-POLICY-ARN`
Install the ALB ingress controller
# Install ALB Ingress controller
helm repo add incubator http://storage.googleapis.com/kubernetes-charts-incubator
helm install incubator/aws-alb-ingress-controller \
--set clusterName=<EKS-CLUSTER-NAME> \
--set awsRegion=<YOUR-REGION> \
--set awsVpcID=<YOUR-VPC-ID> \
--name <RELEASE-NAME>
When you run the above commands the ALB ingress controller will not be created till you deploy Lenses which includes a ingress resource. Add the following options to the Helm values file:
restPort: 3030
servicePort: 3030
service:
enabled: true
type: ClusterIP
annotations: {}
ingress:
enabled: true
host:
annotations:
kubernetes.io/ingress.class: alb
alb.ingress.kubernetes.io/subnets: <SUBNETS-VPC-OF-DEPLOYED-ALB>
alb.ingress.kubernetes.io/scheme: internet-facing
alb.ingress.kubernetes.io/target-type: ip
If you specify a host for ingress, you need to add the ALB address to Route53 to be able to access it externally. Or, deploy an external DNS to manage Route53 records automatically.
Follow the Azure documentation to set up a Application Gateway .
The Application Gateway ingress controller will not be created until you deploy Lenses which includes an ingress resource. Add the following annotation to the ingress the Lenses chart deploys.
ingress:
enabled: true
host:
annotations:
kubernetes.io/ingress.class: azure/application-gateway
If you specify a host for the ingress, add the Application Gateway address to Azure DNS to be able to access it externally. Or, deploy an external DNS to manage Azure DNS records automatically.
If you receive an error with the service account which you will use (eg. default) about the followings:
- Failed to list v1.Endpoints: endpoints is forbidden: User
- Failed to list v1.Service: services is forbidden: User
Then you need to bind your service account with role cluster-admin with the following RBAC YAML:
apiVersion: v1
kind: ServiceAccount
metadata:
name: tiller
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: tiller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
subjects:
- kind: ServiceAccount
name: tiller
namespace: kube-system