
EKS Ingress 설정

KK_Ryong 2025. 5. 28. 16:21

eks ingress

--oidc 추가

# Registers the cluster's OIDC issuer as an IAM identity provider; this is the prerequisite
# for the IRSA trust policy below (aws_iam_role.dev-sw-eks-alb-role federates to it).
# "[클러스터 OpenID Connect 공급자 URL ]" and "프로파일" are placeholders to replace before running.
# The client id sts.amazonaws.com is the audience EKS-issued service-account tokens carry.
aws iam create-open-id-connect-provider --url [클러스터 OpenID Connect 공급자 URL ] --client-id-list sts.amazonaws.com --thumbprint-list 9e99a48a9960b14926bb7f3b02e22da0afd6e91e --profile 프로파일

* 9e99a48a9960b14926bb7f3b02e22da0afd6e91e 는 고정 값 


--Kubernetes provider 설정 추가

provider "kubernetes" {
  # Endpoint and CA bundle are read from the aws_eks_cluster data source;
  # EKS stores the CA base64-encoded, hence the decode.
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.dev-sw-eks-cluster.certificate_authority[0].data)
  host                   = data.aws_eks_cluster.dev-sw-eks-cluster.endpoint

  # Credentials are obtained by running `aws eks get-token` when the provider
  # connects, rather than being stored in a kubeconfig file.
  exec {
    api_version = "client.authentication.k8s.io/v1beta1"
    command     = "aws"
    args        = ["eks", "get-token", "--cluster-name", data.aws_eks_cluster.dev-sw-eks-cluster.name, "--region", "ap-northeast-2"]

    env = {
      # Placeholder: the named AWS CLI profile that has access to the cluster.
      AWS_PROFILE = "프로파일"
    }
  }
}


--iam 생성

# Looks up the existing EKS cluster by name. The provider block and the OIDC
# data source below derive the endpoint, CA bundle and OIDC issuer from it.
data "aws_eks_cluster" "dev-sw-eks-cluster" {
  name = "dev-sw-eks-cluster"
}

# Cluster auth token data source. Nothing in this file references it: the
# kubernetes provider authenticates through `exec` instead. Safe to drop if it
# stays unused.
data "aws_eks_cluster_auth" "dev-sw-eks-cluster" {
  name = data.aws_eks_cluster.dev-sw-eks-cluster.name
}

# Resolves the IAM OIDC provider registered for this cluster's issuer URL. It
# must already exist (created with `aws iam create-open-id-connect-provider`
# above); this is a lookup, not a resource, so plan fails if it is missing.
data "aws_iam_openid_connect_provider" "dev-sw-eks-oidc" {
  url = data.aws_eks_cluster.dev-sw-eks-cluster.identity[0].oidc[0].issuer
}
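# IAM role assumed by the AWS Load Balancer Controller via IRSA.
#
# The trust policy is pinned on both the token subject (:sub, the exact
# namespace/service-account) and the token audience (:aud). The original only
# checked :sub; adding :aud = sts.amazonaws.com — the same client id the OIDC
# provider was registered with — rejects tokens the cluster issued for any
# other audience, which is the trust-policy shape AWS documents for IRSA.
resource "aws_iam_role" "dev-sw-eks-alb-role" {
  name = "dev-sw-eks-alb-role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17"
    Statement = [{
      Effect = "Allow"
      Principal = {
        Federated = data.aws_iam_openid_connect_provider.dev-sw-eks-oidc.arn
      }
      Action = "sts:AssumeRoleWithWebIdentity"
      Condition = {
        StringEquals = {
          # Condition keys are "<issuer host without scheme>:sub" / ":aud".
          "${replace(data.aws_eks_cluster.dev-sw-eks-cluster.identity[0].oidc[0].issuer, "https://", "")}:sub" = "system:serviceaccount:kube-system:aws-load-balancer-controller"
          "${replace(data.aws_eks_cluster.dev-sw-eks-cluster.identity[0].oidc[0].issuer, "https://", "")}:aud" = "sts.amazonaws.com"
        }
      }
    }]
  })
}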

# Permissions granted to the ALB controller role.
#
# Two statements below grant service-wide wildcards ("elasticloadbalancing:*"
# and "ec2:*") on Resource "*". Together with the IRSA trust above, anything
# running as the kube-system/aws-load-balancer-controller service account can
# therefore create, modify or delete every load balancer and EC2 resource in
# the account. Before this leaves a test cluster, replace the wildcards with
# the action list from the controller's published IAM policy document and
# re-verify the controller still reconciles.
resource "aws_iam_policy" "dev-sw-eks-alb-policy" {
  name        = "dev-sw-eks-alb-policy"
  description = "ALB permissions including ELB, EC2, ACM, WAF"
  policy = jsonencode({
    Version = "2012-10-17"
    Statement = [
      {
        Effect = "Allow"
        Action = [
          # Wildcard over every ELB/ALB/NLB action in the account; narrow for production.
          "elasticloadbalancing:*"
        ]
        Resource = "*"
      },
      {
        Effect = "Allow"
        Action = [
        "ec2:CreateSecurityGroup",
        "ec2:DeleteSecurityGroup",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeInstances",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeTags",
        "ec2:DescribeAvailabilityZones",
        "ec2:CreateTags",
        # "ec2:*" supersedes every enumerated action above, so the explicit list
        # is currently ineffective. Remove this entry once testing is done; if the
        # controller then fails on a missing EC2 action, add that action explicitly.
        "ec2:*" # for testing
        ]
        Resource = "*"
      },
      {
        Effect = "Allow"
        Action = [
          # Read-only: needed to resolve the certificate-arn used on the Ingress.
          "acm:ListCertificates",
          "acm:DescribeCertificate"
        ]
        Resource = "*"
      },
      {
        Effect = "Allow"
        Action = [
          "shield:GetSubscriptionState",
          "shield:CreateProtection",
          "shield:DeleteProtection",
          "shield:DescribeProtection",
          "shield:DescribeSubscription",
          "shield:ListAttacks",
          "shield:ListProtections",
          "shield:UpdateSubscription"
        ]
        Resource = "*"
      },
      {
        Effect = "Allow"
        Action = [
          # Classic WAF and WAFv2 ACL association; only needed if Ingresses use
          # the waf/wafv2 annotations, which the sample Ingress below does not.
          "waf:GetWebACLForResource",
          "waf:GetWebACL",
          "waf:AssociateWebACL",
          "waf:DisassociateWebACL",
          "wafv2:GetWebACLForResource",
          "wafv2:GetWebACL",
          "wafv2:AssociateWebACL",
          "wafv2:DisassociateWebACL"
        ]
        Resource = "*"
      }
    ]
  })
}

# Binds the controller policy to the IRSA role. The role ARN produced here is
# what the ServiceAccount annotation (eks.amazonaws.com/role-arn) must carry.
resource "aws_iam_role_policy_attachment" "dev-sw-eks-alb-attach-policy" {
  role       = aws_iam_role.dev-sw-eks-alb-role.name
  policy_arn = aws_iam_policy.dev-sw-eks-alb-policy.arn
}


--k8s service account 생성
# Write cluster credentials for dev-sw-eks-cluster into the local kubeconfig,
# using the dev-sw-eks CLI profile.
aws eks update-kubeconfig --region ap-northeast-2 --profile dev-sw-eks --name dev-sw-eks-cluster

--vi alb.yaml
# Service account the controller pods run as. The role-arn annotation is what
# makes IRSA work: it must point at the dev-sw-eks-alb-role created in Terraform,
# and the namespace/name here must equal the :sub the role's trust policy pins
# (system:serviceaccount:kube-system:aws-load-balancer-controller).
# NOTE(review): the account id is hand-copied; taking the ARN from a terraform
# output avoids it drifting from the real role.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: aws-load-balancer-controller
  namespace: kube-system
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::036292797641:role/dev-sw-eks-alb-role

# Create the annotated service account; `k` is assumed to be a kubectl alias
# (the page uses `kubectl` directly elsewhere).
k apply -f alb.yaml

--alb controller 설치 
# Register the EKS chart repository and refresh its index.
helm repo add eks https://aws.github.io/eks-charts
helm repo update

# Install the controller into kube-system. serviceAccount.create=false binds it
# to the pre-created, IRSA-annotated service account instead of a chart-made one.
# No chart --version is pinned here, so each run installs whatever the index
# currently points at; pin one for repeatable installs.
helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
  --namespace kube-system \
  --set serviceAccount.create=false \
  --set serviceAccount.name=aws-load-balancer-controller \
  --set clusterName=dev-sw-eks-cluster \
  --set region=ap-northeast-2 \
  --set vpcId=vpc-0f0f9d8b2b625a910

-- 설치 확인
# Confirm the controller deployment exists and reports ready replicas.
kubectl get deployment aws-load-balancer-controller --namespace kube-system

--테스트 할 pods 생성

test-pod.yaml


# Minimal nginx pod used only to exercise the Ingress path end to end.
apiVersion: v1
kind: Pod
metadata:
  name: test-nginx
  labels:
    app: test-nginx            # selected by the nginx-test Service
spec:
  containers:
    - name: nginx
      # Untagged image: the registry's default (latest) tag is pulled each time,
      # so the test is not reproducible. Pin a tag or digest for anything kept.
      image: nginx
      ports:
        - containerPort: 80
      # requests == limits, i.e. a Guaranteed-style fixed footprint for the test.
      resources:
        limits:
          cpu: "100m"
          memory: "128Mi"
        requests:
          cpu: "100m"
          memory: "128Mi"
--service.yaml
# ClusterIP service in front of the test pod; the Ingress below routes to it.
apiVersion: v1
kind: Service
metadata:
  namespace: default
  name: nginx-test
spec:
  type: ClusterIP
  selector:
    app: test-nginx          # label carried by the test-nginx pod
  ports:
    - port: 80               # port the Service exposes
      targetPort: 80         # containerPort of the pod
      protocol: TCP

--ingress.yaml 
# Internet-facing ALB with HTTP (80) and HTTPS (443) listeners. The first rule
# redirects plain HTTP to HTTPS; the second serves nginx-test.
# Rule order under `paths` matters: the controller derives listener-rule
# priority from it, so the redirect entry must stay first.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-test
  namespace: default
  annotations:
    # Legacy class annotation; the current form is spec.ingressClassName: alb,
    # which works when an `alb` IngressClass exists in the cluster. Left as-is
    # because the controller still honours the annotation.
    kubernetes.io/ingress.class: alb
    alb.ingress.kubernetes.io/scheme: internet-facing
    # HTTPS on 443 requires the certificate-arn below to be a real ACM ARN.
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTP":80},{"HTTPS":443}]'
    # Placeholder: replace with the ACM certificate ARN to serve on 443.
    alb.ingress.kubernetes.io/certificate-arn: 사용할 acm arn

    alb.ingress.kubernetes.io/target-type: ip
    # Supplying an explicit security group means the controller does not manage
    # the ALB's SG. The inbound rule ALB-SG -> node/pod SG on port 80 then has to
    # be opened by hand (see the note at the end of the post); newer controller
    # versions can do this via alb.ingress.kubernetes.io/manage-backend-security-group-rules.
    alb.ingress.kubernetes.io/security-groups: sg-0c797c8f7ee0e2c09
    # Named redirect action referenced by the first path via port.name: use-annotation.
    # Newer controller versions offer the same with the single annotation
    # alb.ingress.kubernetes.io/ssl-redirect: '443'.
    alb.ingress.kubernetes.io/actions.redirect-to-https: >
      {"Type": "redirect", "RedirectConfig": {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}}
spec:
  rules:
  - http:
      paths:
      # HTTP request -> HTTPS redirect (action defined in the annotation above)
      - path: /
        pathType: Prefix
        backend:
          service:
            name: redirect-to-https
            port:
              name: use-annotation
      # HTTPS request -> the real service
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-test
            port:
              number: 80

--ingress 생성
# Create the Ingress, then watch for the ALB hostname to appear in ADDRESS.
k apply -f ingress.yaml
k -n default get ingress ingress-test
정보가 나오고 ADDRESS 에 alb dns 가 뜰 때까지 대기 (최대 10분)
ingress 인식하여 alb 콘솔에서 확인 가능

 

alb dns 로 접근해서 nginx 기본 페이지가 뜨면 정상

alb sg → node sg 로 80 포트 인바운드 오픈 (node sg 에 소스가 alb sg 인 80 허용 규칙 추가)
