How to reuse the AmazonEKSLoadBalancerControllerRole in another EKS Cluster?

0

Hello community,

I would like to know how to use the AmazonEKSLoadBalancerControllerRole that I already have created for one EKS cluster in another cluster. Considering the guidance from the following link https://docs.aws.amazon.com/eks/latest/userguide/lbc-helm.html, which states: "You only need to create one IAM role for the AWS Load Balancer Controller per AWS account. Check if AmazonEKSLoadBalancerControllerRole exists in the IAM Console. If this role exists, proceed to Step 2: Install the AWS Load Balancer Controller."

We have executed the following command: eksctl create iamserviceaccount --cluster=[new-cluster] --namespace=kube-system --name=aws-load-balancer-controller --attach-role-arn [arn of existing role] --approve

The execution did not return an error; instead, it provided the following output:

[ℹ] 1 iamserviceaccount (kube-system/aws-load-balancer-controller) was included (based on the include/exclude rules)
[!] serviceaccounts that exist in Kubernetes will be excluded, use --override-existing-serviceaccounts to override
[ℹ] 1 task: { create serviceaccount "kube-system/aws-load-balancer-controller" }
[ℹ] created serviceaccount "kube-system/aws-load-balancer-controller"

However, the IAM Service Account associated with the new cluster is not displayed:

~ eksctl get iamserviceaccount --namespace kube-system --cluster=[new cluster]
No iamserviceaccounts found

Thank you in advance for any assistance you can provide.

2 Answers
1

Hello,

The issue you're facing with eksctl create iamserviceaccount seems to be related to the existing service account in the kube-system namespace. Eksctl by default excludes existing service accounts during creation.

Here's how you can reuse the existing AmazonEKSLoadBalancerControllerRole in another EKS cluster:

Override Existing Service Account:

Use the --override-existing-serviceaccounts flag with eksctl create iamserviceaccount to force creation even if a service account exists:

eksctl create iamserviceaccount --cluster=[new-cluster] --namespace=kube-system --name=aws-load-balancer-controller --attach-role-arn [arn of existing role] --override-existing-serviceaccounts

Verify IAM Service Account:

After running the command with the --override-existing-serviceaccounts flag, check if the service account is created:

eksctl get iamserviceaccount --namespace kube-system --cluster=[new cluster]

This command should now display the aws-load-balancer-controller service account.

Referral Link: The documentation you linked (https://docs.aws.amazon.com/eks/latest/userguide/aws-load-balancer-controller.html)

EXPERT
answered a month ago
EXPERT
reviewed a month ago
0

Hi,

Was the cluster created with the eksctl command? I tried the command you shared on a cluster and got the same response, but my cluster was not created with the eksctl command. I don't work much with eksctl, so I am unsure if the cluster needs to be created with eksctl as well. But you can also check it in a different way: you can check for the existence of the service account in the kube-system namespace.

Check for IAM role annotation in service account

kubectl get sa aws-load-balancer-controller -o yaml -n kube-system

Verify that this service account is mapped to the load balancer controller deployment (if it is deployed, or whenever it gets deployed):

kubectl get deployments -o yaml -n kube-system aws-load-balancer-controller | grep serviceAccountName

Hope it helps

--Syd

Syd
answered a month ago
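Both answers check the cluster side (the eksctl service account and its role-arn annotation); the IAM side matters just as much when one role is shared across clusters, because the role's trust policy must trust the new cluster's OIDC provider for the controller's AssumeRoleWithWebIdentity call to succeed. The following is an added example, not code from the thread, eksctl or AWS, that classifies a trust policy document (as returned by `aws iam get-role`) against a cluster's OIDC issuer URL (as returned by `aws eks describe-cluster`); the sample policy, account ID and provider IDs are constructed placeholders.

```python
import fnmatch
import json
from urllib.parse import urlparse

# Constructed sample (not from the thread): a trust policy of the kind eksctl writes for
# an IRSA role, trusting only the ORIGINAL cluster's OIDC provider. IDs are placeholders.
ORIG_PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/" + ORIG_PROVIDER},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            ORIG_PROVIDER + ":aud": "sts.amazonaws.com",
            ORIG_PROVIDER + ":sub": "system:serviceaccount:kube-system:aws-load-balancer-controller",
        }},
    }],
})

def _as_list(value):
    return value if isinstance(value, list) else [value]

def check_irsa_trust(trust_policy_json, oidc_issuer_url, namespace, sa_name):
    """Classify whether namespace/sa_name on the cluster whose OIDC issuer is
    oidc_issuer_url can assume the role. Returns "trusted", "unscoped" (the provider
    is trusted but no :sub condition limits it, so ANY service account in that cluster
    could assume the role) or "not-trusted" (add the new provider to the trust policy)."""
    issuer = urlparse(oidc_issuer_url)
    provider = issuer.netloc + issuer.path  # host/id/<ID>, as used in the ARN and condition keys
    wanted_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    result = "not-trusted"
    for stmt in _as_list(json.loads(trust_policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        federated = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if not any(arn.endswith(":oidc-provider/" + provider) for arn in federated):
            continue
        cond = stmt.get("Condition", {})
        exact = _as_list(cond.get("StringEquals", {}).get(provider + ":sub", []))
        # IAM StringLike uses * and ? wildcards, which fnmatch also understands
        like = _as_list(cond.get("StringLike", {}).get(provider + ":sub", []))
        if wanted_sub in exact or any(fnmatch.fnmatchcase(wanted_sub, p) for p in like):
            return "trusted"
        if not exact and not like:
            result = "unscoped"
    return result
```

Run it once with the original cluster's issuer and once with the new cluster's: a "not-trusted" result for the new cluster means the role must gain a second statement (or a second Federated principal plus matching :sub condition) before the controller pods on that cluster can use it, regardless of what the service account annotation says.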