AWS Load Balancer Controller
https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.4/deploy/installation/
# AWS Load Balancer Controller
# Installing the AWS Load Balancer Controller
1. Download the IAM policy for the AWS Load Balancer Controller:

```bash
curl -o iam-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.3/docs/install/iam_policy.json
```
2. Create an IAM policy named AWSLoadBalancerControllerIAMPolicy:

```bash
aws iam create-policy \
  --policy-name AWSLoadBalancerControllerIAMPolicy \
  --policy-document file://iam-policy.json
```
3. Attach the policy to the node roles:

```text
xxxxAmazonEKSDevopsNodeRole
xxxxAmazonEKSTestNodeRole
xxxxAmazonEKSProdNodeRole
```
Because the default IAM policy grants far more permissions than needed, the policy was reduced (this applies when using TargetGroupBinding only and not planning to use the AWS Load Balancer Controller to manage security group rules):

```json
{
  "Statement": [
    {
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeInstances",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:ModifyTargetGroup",
        "elasticloadbalancing:ModifyTargetGroupAttributes",
        "elasticloadbalancing:RegisterTargets",
        "elasticloadbalancing:DeregisterTargets"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ],
  "Version": "2012-10-17"
}
```
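As an added check (not from this page or the controller project), this Python script reports what an IAM policy grants beyond the reduced TargetGroupBinding-only action set above, so a policy can be audited before it is attached to node roles. The "broad excerpt" is a constructed stand-in for the full default policy, not the real iam_policy.json.

```python
# Actions the controller needs when it only reconciles TargetGroupBinding objects
# (the reduced policy above). Anything granted beyond this set is reported.
TGB_ONLY_ACTIONS = {
    "ec2:DescribeVpcs", "ec2:DescribeSecurityGroups", "ec2:DescribeInstances",
    "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth",
    "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:ModifyTargetGroupAttributes",
    "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:DeregisterTargets",
}

def allowed_actions(policy: dict) -> set:
    """Collect every action granted by Allow statements (Action may be a string or a list).
    A NotAction statement grants everything it does not list, so it is reported as "*"."""
    actions = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            actions.add("*")
        acts = stmt.get("Action", [])
        actions.update([acts] if isinstance(acts, str) else acts)
    return actions

def excess_actions(policy: dict) -> set:
    """Granted actions outside the allow-list; wildcards like "elasticloadbalancing:*" count too."""
    return allowed_actions(policy) - TGB_ONLY_ACTIONS

# The reduced policy from this page.
REDUCED_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ec2:DescribeVpcs", "ec2:DescribeSecurityGroups", "ec2:DescribeInstances",
               "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetHealth",
               "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:ModifyTargetGroupAttributes",
               "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:DeregisterTargets"]}]}

# Constructed excerpt standing in for the broader default policy: it also grants
# security-group changes and load balancer creation, which TGB-only mode never uses.
BROAD_EXCERPT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["ec2:DescribeVpcs",
     "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress"]},
    {"Effect": "Allow", "Resource": "*", "Action": "elasticloadbalancing:CreateLoadBalancer"},
]}

if __name__ == "__main__":
    for name, pol in (("reduced", REDUCED_POLICY), ("broad excerpt", BROAD_EXCERPT)):
        print(f"{name}: excess actions = {sorted(excess_actions(pol))}")
```

To audit the downloaded file, load it with `json.load(open("iam-policy.json"))` and pass the result to `excess_actions`.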
# Adding the controller to the cluster
Via YAML manifests
# Install cert-manager

```bash
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.5.4/cert-manager.yaml
```
# Apply the YAML
Download the load balancer controller spec:

```bash
wget https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/download/v2.4.3/v2_4_3_full.yaml
```
Edit the saved yaml file, go to the Deployment spec, and set the controller's --cluster-name arg value to your EKS cluster name:

```yaml
apiVersion: apps/v1
kind: Deployment
. . .
name: aws-load-balancer-controller
namespace: kube-system
spec:
    . . .
    template:
        spec:
            containers:
                - args:
                    - --cluster-name=birenchong-k8s-cluster
```

Remove the ServiceAccount from the yaml spec. (Not removed here.)
```yaml
apiVersion: v1
kind: ServiceAccount
```

Apply the yaml file:

```bash
kubectl apply -f v2_4_3_full.yaml
```
# Pod readiness gate
# Add a label to the namespace to enable the Pod readiness gate

```bash
# enable readiness gate injection for the namespace
kubectl label namespace birenchong-prod elbv2.k8s.aws/pod-readiness-gate-inject=enabled
# confirm the label is present
kubectl describe namespace birenchong-prod
# to disable it again, remove the label (note the trailing "-")
kubectl label namespace birenchong-prod elbv2.k8s.aws/pod-readiness-gate-inject-
```
# Apply TargetGroupBinding.yaml

```bash
cat <<EOF | kubectl apply -f -
apiVersion: elbv2.k8s.aws/v1beta1
kind: TargetGroupBinding
metadata:
  name: birenchong-prod-java-gw-tgb    # change: TGB name
  namespace: birenchong-prod           # change: namespace the Service lives in
spec:
  serviceRef:
    name: birenchong-prod-java-gateway # change: name of the Service to bind
    port: 18080                        # change: port of the Service to bind
  targetGroupARN: arn:aws:elasticloadbalancing:eu-central-1:124117760613:targetgroup/birenchong-tg-prod-java-gw-18080/ad4b976744d55aee # change: ARN of the target group to bind to
  targetType: ip
EOF
```
Delete a TargetGroupBinding:

```bash
kubectl get targetgroupbinding -A
kubectl delete targetgroupbinding xxx -n xxx
```
# Optimization
# Smooth rolling updates
Add lifecycle management
- preStop action

```yaml
lifecycle:
  preStop:
    exec:
      command:
        - /bin/bash
        - '-c'
        - sleep 65
```
Last Updated: 2023/11/08, 14:45:54