Issues while creating NLB with type:LoadBalancer on port 80 #3944
Comments
Please apply the latest IAM policy:
@zac-nixon I understand we need to apply the IAM policy, but the behavior on port 80 vs 443 must be exactly the same. Instead, if we roll out on port 80, we get the error as shown above, but the same works on port 443. I believe this is a bug that is introduced with aws load balancer controller 2.9 and above, and I expect the same behavior on port 80 as well as 443.
Is the problem that you see inconsistent behavior between port 80 vs port 443? The root cause is still that you haven't applied the updated IAM permissions. The reason why you see this issue on port 80 is that listener attributes are currently not supported for TLS listeners, so we only attempt to modify listener attributes when the listener is non-TLS: aws-load-balancer-controller/pkg/deploy/elbv2/listener_manager.go Lines 381 to 384 in c701a42
TL;DR - Just update your IAM policy to use the new LBC version.
Yes, I am seeing inconsistent behavior where I can deploy on port 443 without adding any permissions to the IAM policy, whereas if I deploy on port 80 it errors out, after which I added the permission. It would help if we can have consistent behavior where it needs to fail on port 443 as well, like port 80, without having DescribeListenerAttributes in the IAM policy.
I don't agree with making that behavior consistent.
Can you please help me understand why that's the case? Why should rollout of a load balancer on port 443 be allowed without adding the required permissions, which is not allowed on port 80?
I explained it above: The reason why you see this issue on port 80 is that listener attributes are currently not supported for TLS listeners, so we only attempt to modify listener attributes when the listener is non-TLS: aws-load-balancer-controller/pkg/deploy/elbv2/listener_manager.go Lines 381 to 384 in c701a42
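The maintainer's explanation above (listener attributes are only reconciled for non-TLS listeners, so a TCP listener on port 80 exercises `DescribeListenerAttributes` while a TLS listener on 443 does not) can be turned into a preflight check on the IAM policy before upgrading the controller. This is an added example, not code from the controller project; the policy excerpt is constructed, and the action evaluation is a simplified approximation of IAM (no Resource or Condition handling).

```python
import fnmatch
import json

# Constructed excerpt of a pre-v2.9 controller policy (not the upstream
# iam_policy.json): it grants the Describe calls the older controller made but
# not elasticloadbalancing:DescribeListenerAttributes.
OLD_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["elasticloadbalancing:DescribeLoadBalancers",
              "elasticloadbalancing:DescribeListeners"]}]}
""")

def policy_allows(policy: dict, action: str) -> bool:
    """Approximate IAM action evaluation: an explicit Deny wins, otherwise any
    Allow whose Action pattern matches (IAM's * and ? wildcards, case-insensitive).
    Resource ARNs and Condition blocks are ignored, so this is a preflight check,
    not a substitute for IAM's own evaluation."""
    allowed = False
    for stmt in policy["Statement"]:
        patterns = stmt.get("Action", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def required_actions(listener_protocol: str) -> list:
    """Actions the controller needs for a listener. Listener attributes are only
    reconciled for non-TLS listeners, which is why the thread's port-80 TCP
    listener fails while a TLS listener on 443 never calls the new API."""
    actions = ["elasticloadbalancing:DescribeListeners"]
    if listener_protocol.upper() != "TLS":
        actions.append("elasticloadbalancing:DescribeListenerAttributes")
    return actions

def missing_actions(policy: dict, listener_protocol: str) -> list:
    """Actions the listener needs that the policy does not grant."""
    return [a for a in required_actions(listener_protocol)
            if not policy_allows(policy, a)]

def with_action(policy: dict, action: str) -> dict:
    """Return a copy of the policy with an extra Allow statement for `action`."""
    fixed = json.loads(json.dumps(policy))
    fixed["Statement"].append({"Effect": "Allow", "Resource": "*",
                               "Action": [action]})
    return fixed

if __name__ == "__main__":
    print("TCP/80 missing:", missing_actions(OLD_POLICY, "TCP"))
    print("TLS/443 missing:", missing_actions(OLD_POLICY, "TLS"))
```

Running it against a policy that predates v2.9 reports the missing action for the TCP listener and nothing for the TLS listener, reproducing the asymmetry discussed in the thread.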
Describe the bug
While creating an NLB with type:LoadBalancer on port 80 using aws-load-balancer-controller v2.9.2, I get the error below, while the same load balancer can be rolled out on port 443 without any issues:

```
Failed deploy model due to operation error Elastic Load Balancing v2: DescribeListenerAttributes, https response error StatusCode: 403, RequestID: e476513e-2c4e-41ce-b1d4-7b967aaac6d0, api error AccessDenied: User: arn:aws:sts::690476720064:assumed-role/rafay-mgi-dev-eks-addon-iamserviceaccount-kub-Role1-CRVXhzK1iLmK/1731946561026787408 is not authorized to perform: elasticloadbalancing:DescribeListenerAttributes because no identity-based policy allows the elasticloadbalancing:DescribeListenerAttributes action
```
Steps to reproduce
Deploy the YAML file below using aws-load-balancer-controller v2.9.2 on port 80:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: abc-service
  namespace: xyz
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: "external"
    service.beta.kubernetes.io/aws-load-balancer-name: "abc"
    service.beta.kubernetes.io/aws-load-balancer-nlb-target-type: "ip"
    service.beta.kubernetes.io/aws-load-balancer-subnets: ''
    service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
    service.beta.kubernetes.io/load-balancer-source-ranges: ""
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
    service.beta.kubernetes.io/aws-load-balancer-healthcheck-port: "3049"
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
spec:
  ports:
    - port: 80
      targetPort: 3049
      protocol: TCP
  type: LoadBalancer
  selector:
    app: abcxyz
```
Expected outcome
NLB Load balancer must be rolled out on port 80
Environment
Additional Context:
Reverting to a lower version, v2.8, of aws-load-balancer-controller works.