ALB Controller

AWS ALB Controller (Application Load Balancer Controller)

When I installed and ran Kubernetes myself I used ingress-nginx, but on EKS there is a way to use an AWS Application Load Balancer (ALB) instead.

At first the concern was that setting up a load balancer in AWS is cumbersome; as if AWS knew that, you only have to write it in the Kubernetes configuration file and the ALB is created automatically.

Once the ALB Controller is installed, whenever you add the configuration in Kubernetes this controller registers the ALB automatically.

This controller must be able to access the ALB, and OIDC is used for that (authentication).

The ALB only supports Services of type NodePort or LoadBalancer. (Important)

Just follow what is in the link. Briefly summarized:

OIDC

https://docs.aws.amazon.com/eks/latest/userguide/enable-iam-roles-for-service-accounts.html

OIDC Issuer

By default, if the cluster is created with eksctl, this is created along with it.

OIDC Provider

Nothing is returned. That means there is none, so it has to be created. If one exists, skip the creation part.

Create if missing

Create an IAM OIDC provider for your cluster

Check the result

There is output now. The OIDC provider has been created.

It can also be confirmed on the website

https://console.aws.amazon.com/iamv2/home#/identity_providers
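The issuer lookup and the "create only if missing" check above, as an added shell example that is not part of the original page. It assumes the aws and eksctl CLIs are configured for the account and takes the cluster name as its argument.

```shell
#!/bin/sh
# Added example (not from the page): look up the cluster's OIDC issuer, check whether an
# IAM OIDC provider already exists for it, and create one with eksctl only if it is missing.
# Assumes the aws and eksctl CLIs are configured; the cluster name is passed as $1.

# Take the provider ID (last path segment) from an issuer URL such as
# https://oidc.eks.region-code.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE (constructed sample)
oidc_id_from_issuer() {
  printf '%s\n' "${1##*/}"
}

oidc_issuer() {
  aws eks describe-cluster --name "$1" \
    --query "cluster.identity.oidc.issuer" --output text
}

# Succeeds when an IAM OIDC provider whose ARN contains this ID is registered.
oidc_provider_exists() {
  aws iam list-open-id-connect-providers | grep -q "$1"
}

ensure_oidc_provider() {
  cluster="$1"
  issuer=$(oidc_issuer "$cluster")
  id=$(oidc_id_from_issuer "$issuer")
  echo "issuer: $issuer"
  if oidc_provider_exists "$id"; then
    echo "IAM OIDC provider for $id already exists; skipping creation"
  else
    echo "no IAM OIDC provider for $id; creating it"
    eksctl utils associate-iam-oidc-provider --cluster "$cluster" --approve
  fi
}

# usage: ensure_oidc_provider my-cluster
```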

ALB Controller Install

Create an IAM policy

arn์„ ๋ณต์‚ฌํ•ด์„œ ๋ณด๊ด€ํ•ด๋‘”๋‹ค.

์›น์‚ฌ์ดํŠธ์—์„œ ํ™•์ธ

https://console.aws.amazon.com/iam/home#/policies

AWSLoadBalancerControllerIAMPolicy๋กœ ๊ฒ€์ƒ‰ํ•ด๋ณด๋ฉด ์ƒ์„ฑ๋œ ๊ฒƒ์„ ์•Œ์ˆ˜ ์žˆ๋‹ค.

create Role

  • Open the IAM console at https://console.aws.amazon.com/iam/

  • Roles > Create role

  • Trusted entity > Web identity

  • Permissions

  • Attach Policy section > AWSLoadBalancerControllerIAMPolicy

  • Tags > Review >

  • Role Name : AmazonEKSLoadBalancerControllerRole > Create role

    Check that it was created

  • After the role is created, choose the role in the console to open it for editing

  • Trust relationships > Edit trust relationship

  • Edit the following part

  • Change it to the following code

    sub": "system:serviceaccount:kube-system:aws-load-balancer-controller"

  • Update Trust Policy

  • Copy the role ARN: arn:aws:iam::530310009353:role/AmazonEKSLoadBalancerControllerRole

Overwrite role-arn with the ARN you copied.

Check the latest release at https://github.com/kubernetes-sigs/aws-load-balancer-controller and adjust the version and so on accordingly.

cert-manager is a dependency. Install it as well.

Edit the file.

Delete the ServiceAccount section

Change the cluster name

Verify

If output appears, it worked.

If an error appears, redo the permissions part.

Check the logs

If it does not work, the logs have to be checked.

In that case OIDC is not working properly.

The versions did not match. The policy was 2.1.3 but the controller had ended up at 2.2.2.

With 2.1.3 it works fine.
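The ServiceAccount with the copied role ARN, the cluster-name edit and the verification steps above, as an added shell example that is not part of the original page. It assumes the controller manifest was downloaded to a local file (e.g. v2_2_2_full.yaml) containing the line `--cluster-name=your-cluster-name`, and that CERT_MANAGER_URL points at the cert-manager release manifest; instead of deleting the ServiceAccount section from the manifest by hand, it re-applies the annotated ServiceAccount after the manifest and restarts the controller.

```shell
#!/bin/sh
# Added example (not from the page): the ServiceAccount carrying the copied role ARN, the
# cluster-name edit to the downloaded controller manifest, and the checks that follow.
# Assumed: the manifest was saved locally (e.g. v2_2_2_full.yaml) and contains the line
# "--cluster-name=your-cluster-name"; CERT_MANAGER_URL is the cert-manager release manifest URL.
render_service_account() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-load-balancer-controller
  namespace: kube-system
  annotations:
    eks.amazonaws.com/role-arn: ${1:?role arn}
EOF
}

# Replace the cluster-name placeholder in the manifest (stdin -> stdout).
set_cluster_name() {
  sed "s/--cluster-name=your-cluster-name/--cluster-name=$1/"
}

install_controller() {
  role_arn="$1"; cluster="$2"; manifest="$3"
  # cert-manager must be running before the controller manifest (it contains Certificate objects)
  kubectl apply --validate=false -f "$CERT_MANAGER_URL"
  kubectl wait --for=condition=Available deployment/cert-manager-webhook \
    -n cert-manager --timeout=120s
  set_cluster_name "$cluster" < "$manifest" | kubectl apply -f -
  # The manifest's own ServiceAccount has no role-arn annotation, so apply the annotated
  # one afterwards and restart the controller so its new pod is given the role.
  render_service_account "$role_arn" | kubectl apply -f -
  kubectl rollout restart deployment/aws-load-balancer-controller -n kube-system
}

verify_controller() {
  kubectl get deployment -n kube-system aws-load-balancer-controller
  # if the controller cannot assume the role, the OIDC provider or trust policy is wrong
  kubectl logs -n kube-system deployment/aws-load-balancer-controller --tail=50
}
```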

Deleting the ALB Controller

delete role : AmazonEKSLoadBalancerControllerRole

delete policy : AWSLoadBalancerControllerIAMPolicy

Basic Ingress usage

Using this also creates the AWS Application Load Balancer automatically.

EC2 -> Load Balancers

Add it to DNS

Route53

Redirect HTTP to HTTPS

This is already in the sample above, but it is explained separately here.

Add the following to the annotations

Then add the following to the paths

With this, accessing over HTTP redirects to HTTPS. This setting must come at the very top.

See here for the details: https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/guide/tasks/ssl_redirect.md

SSL backend

When a particular pod needs to accept SSL connections in the program itself, the ALB controller handles it as follows.

You can see the following addition to the annotations.

If this is not added, you may see an error like this.

Because the ALB tries to talk HTTP by default, it ends up sending HTTP to port 443, which produces this error.

Health check

The load balancer checks every pod by default and keeps the service up. To change the health check path specifically, do the following.

If the pod expects SSL, healthcheck-protocol must also be set to the matching value.

In the ELB target group, a health check is created by default even without the above, because there are default values.

Exposing an nginx app on the ALB

Let's apply everything once more and use the ALB.

After applying, you can see the ALB being created in the AWS console.

  • SSL was applied too. The cert-arn appears once you create a certificate in Certificate Manager; use that.

  • SSL redirect applied

  • internet-facing : required.

  • It is good to open both ports 80 and 443.

Multiple domains and SSL

Add multiple domains to the rules, and join the SSL certificates with commas.

Sharing one ALB across multiple Ingresses

It is correct that an Ingress is created in each namespace.

And they all use one load balancer.
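One Ingress combining the settings from the basic Ingress, HTTP to HTTPS redirect, SSL backend, health check and nginx sections above, rendered by a shell function so it can be piped into `kubectl apply -f -`. This is an added example, not code from the original page; it assumes a NodePort Service named nginx on port 443 that terminates TLS itself and answers /healthz, and takes the ACM certificate ARN as its argument.

```shell
#!/bin/sh
# Added example (not from the page): one Ingress with an internet-facing ALB, ports 80 and
# 443, HTTP->HTTPS redirect, TLS from the ALB to the pod and a matching health check.
# Assumed: a NodePort Service "nginx" on port 443 that serves TLS itself and answers
# /healthz; $1 is the ACM certificate ARN.
render_nginx_ingress() {
  cert_arn="${1:?ACM certificate ARN}"
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx
  namespace: default
  annotations:
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing    # required for a public ALB
    alb.ingress.kubernetes.io/target-type: instance      # instance targets need a NodePort Service
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80}, {"HTTPS": 443}]'
    alb.ingress.kubernetes.io/certificate-arn: ${cert_arn}
    alb.ingress.kubernetes.io/actions.ssl-redirect: '{"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}'
    alb.ingress.kubernetes.io/backend-protocol: HTTPS    # the pod speaks TLS, so ALB->pod is HTTPS
    alb.ingress.kubernetes.io/healthcheck-protocol: HTTPS  # must match the backend protocol
    alb.ingress.kubernetes.io/healthcheck-path: /healthz
spec:
  rules:
    - http:
        paths:
          - path: /*                       # the ssl-redirect action must be the first path
            pathType: ImplementationSpecific
            backend:
              service:
                name: ssl-redirect
                port:
                  name: use-annotation
          - path: /*
            pathType: ImplementationSpecific
            backend:
              service:
                name: nginx
                port:
                  number: 443
EOF
}

# usage: render_nginx_ingress "$CERT_ARN" | kubectl apply -f -
```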
