🔴 - To support my channel, I’d like to offer Mentorship/On-the-Job Support/Consulting - me@antonputra.com
👉 [Playlist] AWS EKS Kubernetes Tutorial: ruclips.net/p/PLiMWaCMwGJXnKY6XmeifEpjIfkWRo9v2l&si=wc6LIC5V2tD-Tzwl
👉 Kubernetes Tutorial for Beginners [Full Course]: ruclips.net/p/PLiMWaCMwGJXkYKFa_x0Ch38uznuv-4c3l
👉 AWS EKS Tutorial for Beginners [Full Course]: ruclips.net/video/kwq9EfELYII/видео.html
👉 Other Kubernetes Tutorials: ruclips.net/p/PLiMWaCMwGJXnKY6XmeifEpjIfkWRo9v2l
Came to hear the way you say load balancer :PPP No, just kidding, this playlist is a gem!!
thank you!
I've watched/read many resources but none broken down like this. Awesome work!
Thank you! I just spent a lot of time with EKS.
This playlist is pure gold!
Three more to go! 😀
@@AntonPutra 👏👏👏
Absolutely loving this series, so happy that I've found it right when I wanted to set up my own EKS cluster.
I'd like to see how deploying multiple apps would work with your guide, like Grafana, Prometheus and Loki for example, exposed with a subdomain but also accessible from within the cluster by other services. I don't see that in the additional sections you've commented on.
Keep up the good work!
Thank you! I have a few additional lessons on EKS that will cover client-side VPN + private Route 53 hosted zones and internal Ingresses (pushing private DNS as VPN config).
Love you, you are a professional, finally I understand ALB and Ingress. Thank you!!! I know how load balancers work now.
thanks! 😊
dude you are rocking it. Thanks for this playlist.
❤
Loving this playlist
❤️
Great playlist!
I'm running into this error that shows up only in the aws-lbc-controller:
"msg":"Reconciler error","controller":"service","namespace":"5-example","name":"myapp","reconcileID":"some-id","error":"NoCredentialProviders: no valid providers in chain. Deprecated.
Any guidance would be appreciated, Thanks!
Thanks! That means you misconfigured access to your load balancer controller. Double-check everything in this file - github.com/antonputra/tutorials/blob/main/lessons/196/terraform/15-aws-lbc.tf.
Nice video and very informative.
I took a bit different approach to do this, not sure if it is correct:
I create the necessary ALB using Terraform,
and target group creation is done using the CRD (CustomResourceDefinition) target group controller,
which creates the target group for the ALB and maps pod IPs to the target group.
It's a totally valid approach. In this way, you don't need to delete the ALB Helm chart before you tear down your cluster.
@@AntonPutra Thanks
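The approach described above, as an added Terraform example (not the commenter's or the tutorial's code): the ALB, listener and target group live in Terraform, and the AWS Load Balancer Controller only registers pod IPs through a TargetGroupBinding. Hypothetical names: aws_vpc.main, aws_subnet.public_zone1/2, aws_security_group.alb, aws_acm_certificate.myapp, and a "myapp" Service on port 8080 in the "5-example" namespace.

```hcl
# Added example, not the commenter's or the tutorial's code: the ALB, listener
# and target group live in Terraform, and the AWS Load Balancer Controller only
# registers pod IPs through a TargetGroupBinding. Hypothetical names:
# aws_vpc.main, aws_subnet.public_zone1/2, aws_security_group.alb,
# aws_acm_certificate.myapp and a "myapp" Service on port 8080 in "5-example".

resource "aws_lb" "myapp" {
  name               = "myapp"
  load_balancer_type = "application"
  security_groups    = [aws_security_group.alb.id]
  subnets            = [aws_subnet.public_zone1.id, aws_subnet.public_zone2.id]
}

# target_type = "ip" is what allows pod IPs, rather than node ports, to be registered.
resource "aws_lb_target_group" "myapp" {
  name        = "myapp"
  port        = 8080
  protocol    = "HTTP"
  target_type = "ip"
  vpc_id      = aws_vpc.main.id

  health_check {
    path    = "/healthz"
    matcher = "200"
  }
}

resource "aws_lb_listener" "https" {
  load_balancer_arn = aws_lb.myapp.arn
  port              = 443
  protocol          = "HTTPS"
  ssl_policy        = "ELBSecurityPolicy-TLS13-1-2-2021-06"
  certificate_arn   = aws_acm_certificate.myapp.arn

  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.myapp.arn
  }
}

# The controller reconciles this CRD against the Service's endpoints, so the
# ALB outlives the Helm release and the chart need not be uninstalled before
# the cluster is destroyed.
resource "kubernetes_manifest" "myapp_tgb" {
  manifest = {
    apiVersion = "elbv2.k8s.aws/v1beta1"
    kind       = "TargetGroupBinding"
    metadata   = { name = "myapp", namespace = "5-example" }
    spec = {
      targetGroupARN = aws_lb_target_group.myapp.arn
      targetType     = "ip"
      serviceRef     = { name = "myapp", port = 8080 }
      # Have the controller open the pod security group to the ALB's SG only.
      networking = {
        ingress = [{
          from  = [{ securityGroup = { groupID = aws_security_group.alb.id } }]
          ports = [{ protocol = "TCP", port = 8080 }]
        }]
      }
    }
  }
}
```

The TargetGroupBinding CRD must already be installed by the controller's Helm chart before this manifest is applied, so keep the controller release in an earlier apply or add an explicit depends_on.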
Thanks!
thank you!!
thanks
Great content again. Do you see any scenario that would benefit from using Application Load Balancer + Traefik or Nginx? For example, the Load Balancer's default route goes to Traefik and it takes care of the service forwarding.
ALB is more expensive and slower since it needs to parse HTTP requests in order to route them. It is possible to use it, but I wouldn't unless I have a very specific requirement that only this combination could solve.
@@AntonPutra I was thinking more like having TLS termination on the ALB using ACM instead of using Traefik (Let's Encrypt) for that. Then having Traefik just for routing to the services running in EKS.
@@thiagoscodeler5152 Why not terminate TLS on the Network Load Balancer? It also supports that - aws.amazon.com/blogs/aws/new-tls-termination-for-network-load-balancers/
Thanks 🙏
welcome!
Thank you for the lesson! I have one question about certificates. Are there any ways to automate this, just like we can do with cert-manager + nginx ingress? If we don't want to store the certificate ARN directly in the Kubernetes manifests... Because it seems to me that it's not very error-resistant in this case and we always need to update it manually in case the certificate ARN changes for some reason.
One way I can think of doing this is to create a higher abstraction. For example, to create and validate a certificate, you can use Terraform. Then, you can pass the ARN of the certificate from Terraform to the Helm chart as an argument responsible for deploying your application. The AWS Load Balancer Controller by itself does not provide any options to automate this.
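The higher abstraction described in the reply above, as an added Terraform example (not the tutorial's code): the certificate is requested and DNS-validated in Terraform, and only its ARN is handed to the application's Helm chart. Hypothetical names: aws_route53_zone.public, the ./charts/myapp chart and its ingress.certificateArn value.

```hcl
# Added example, not the tutorial's code: issue and DNS-validate the ACM
# certificate in Terraform, then hand the ARN to the application's Helm chart
# so no certificate ARN is hard-coded in a Kubernetes manifest.
# Hypothetical names: aws_route53_zone.public, the ./charts/myapp chart and
# its ingress.certificateArn value.

resource "aws_acm_certificate" "myapp" {
  domain_name       = "myapp.example.com"
  validation_method = "DNS"

  lifecycle {
    create_before_destroy = true # replace the cert without a listener outage
  }
}

# One validation CNAME per domain ACM asks for (one here).
resource "aws_route53_record" "myapp_validation" {
  for_each = {
    for dvo in aws_acm_certificate.myapp.domain_validation_options : dvo.domain_name => {
      name   = dvo.resource_record_name
      type   = dvo.resource_record_type
      record = dvo.resource_record_value
    }
  }

  zone_id         = aws_route53_zone.public.zone_id
  name            = each.value.name
  type            = each.value.type
  ttl             = 60
  records         = [each.value.record]
  allow_overwrite = true
}

# Waits until ACM reports the certificate as ISSUED; its certificate_arn
# output therefore always refers to a usable certificate.
resource "aws_acm_certificate_validation" "myapp" {
  certificate_arn         = aws_acm_certificate.myapp.arn
  validation_record_fqdns = [for r in aws_route53_record.myapp_validation : r.fqdn]
}

resource "helm_release" "myapp" {
  name      = "myapp"
  chart     = "./charts/myapp"
  namespace = "5-example"

  # The chart's Ingress template renders this value into the
  # alb.ingress.kubernetes.io/certificate-arn annotation, so a renewed or
  # replaced certificate flows through on the next terraform apply.
  set {
    name  = "ingress.certificateArn"
    value = aws_acm_certificate_validation.myapp.certificate_arn
  }
}
```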
Hello, Anton. Thank you for the tutorials. One question I have: I installed Argo CD on EKS Fargate, and I'm not sure how to access the UI.
I am assuming the only way to access it is by creating an ingress, which creates a public LB. But according to this demo it is not recommended to provision a public LB for internal tools.
Hi, no matter what, never expose your internal services to the internet. The best option is to create a private ingress. You can configure it using annotations on the ingress resource, but you also need to set up a client VPN and push private Route 53 hosted zones to your machine. It's not difficult; take a look at AWS Client VPN managed service. The second best option is to port forward each time, but it's annoying.
@@AntonPutra thank you, it is actually what I ended up doing.
@@aidakhalelova3376 no problem, I have a slightly old tutorial, but here is the source code for setting up self-hosted OpenVPN and pushing routes & DNS - github.com/antonputra/tutorials/tree/main/lessons/084
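The private ingress plus private hosted zone recommended in the reply above, as an added Terraform example (not the tutorial's code) using Argo CD as the internal tool. Hypothetical names: aws_vpc.main, aws_acm_certificate.argocd (a public certificate validated in a public zone) and internal.example.com; argocd-server is assumed to run with server.insecure so the ALB terminates TLS.

```hcl
# Added example, not the tutorial's code: publish an internal tool (Argo CD
# here) through an internal ALB plus a private Route 53 zone instead of a
# public load balancer. Hypothetical names: aws_vpc.main, aws_acm_certificate.argocd
# (a public certificate, validated in a public zone) and internal.example.com;
# argocd-server is assumed to run with server.insecure so the ALB terminates TLS.

resource "kubernetes_ingress_v1" "argocd" {
  wait_for_load_balancer = true # block until the controller reports the ALB hostname

  metadata {
    name      = "argocd"
    namespace = "argocd"
    annotations = {
      # "internet-facing" would expose the UI to the whole internet; "internal"
      # places the ALB in private subnets, reachable only over VPN or peering.
      "alb.ingress.kubernetes.io/scheme"          = "internal"
      "alb.ingress.kubernetes.io/target-type"     = "ip"
      "alb.ingress.kubernetes.io/listen-ports"    = jsonencode([{ HTTPS = 443 }])
      "alb.ingress.kubernetes.io/certificate-arn" = aws_acm_certificate.argocd.arn
    }
  }

  spec {
    ingress_class_name = "alb"
    rule {
      host = "argocd.internal.example.com"
      http {
        path {
          path      = "/"
          path_type = "Prefix"
          backend {
            service {
              name = "argocd-server"
              port {
                number = 80
              }
            }
          }
        }
      }
    }
  }
}

# Private zone bound to the VPC: the name resolves only from inside it (or from
# VPN clients that are pushed the VPC's DNS resolver).
resource "aws_route53_zone" "private" {
  name = "internal.example.com"
  vpc {
    vpc_id = aws_vpc.main.id
  }
}

# CNAME from the private name to the internal ALB the controller created.
resource "aws_route53_record" "argocd" {
  zone_id = aws_route53_zone.private.zone_id
  name    = "argocd.internal.example.com"
  type    = "CNAME"
  ttl     = 60
  records = [kubernetes_ingress_v1.argocd.status[0].load_balancer[0].ingress[0].hostname]
}
```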
Thank you so much, genius. Could you please briefly help me with the ordered steps involved in upgrading an EKS cluster... I have followed the steps below. Could you please validate and correct me if the order is not proper?
1. backup (kubectl get all -A -o yaml > backup.yaml)
2. upgrade control plane through the AWS console
3. upgrade node groups
4. upgrade addons (one version at a time) while preserving settings
5. validate CoreDNS etc...
Seems correct. However, from time to time, Kubernetes deprecates some APIs. For example, it deprecated the Ingress beta API. So, you should check before upgrading your cluster to see if you have anything that needs to be updated.
Excellent !!
It will be helpful if you share the exact link for git to get the terraform code.
Thanks, it's in the description - github.com/antonputra/tutorials/tree/main/lessons/195
Amazing tutorial and tracklist Anton, you rock! - I'm facing an issue regarding AWS LBC when it comes to generating load balancers for my service in the "5-example" folder: Failed build model due to AccessDenied: User: arn:aws:sts:::assumed-role/staging-demo-eks-nodes/i- is not authorized to perform: elasticloadbalancing:DescribeLoadBalancers because no identity-based policy allows the elasticloadbalancing:DescribeLoadBalancers action - Since I created the AWS LBC verbatim as in your tutorial, also using the "AWSLoadBalancerController" JSON file for these permissions, I'm not sure what I could have done wrong here. Any suggestions? Really appreciated : )
Thanks! Based on this error "rn:aws:sts:::assumed-role/staging-demo-eks-nodes/i-" it looks like your service is trying to assume the default k8s node role, meaning you misconfigured access. Double-check the namespace and service account name for the k8s
@@AntonPutra thank you for your response! I've managed to solve it by running `terraform destroy` and `terraform apply` all over again. It might have been an error on my side when creating the Kubernetes groups. Thank you so much for all your effort and videos! It is truly top quality : ) Cheers from The Netherlands!
@@juanroldan1989 cool, thanks!
Great content! I'm following the tutorial and pretty much copy-pasting the GitHub code. When I try to create the resource "helm_release" "aws_lbc", it hangs and doesn't create the LBC correctly. But if I set vpcId for the resource, it gets created. However, when applying the deployment and service, the external IP doesn't get created (so the registered target count remains 0). Would you have any hint on how to investigate this?
Actually, this was solved by removing the Terraform files and doing a clean Terraform init and applying again.
The playlist has been smooth up till this point. I also have an issue with the ALB. Deployed both Terraform and kubectl apply -f 5-example: no errors, but the ALB isn't deployed. Where do I look for errors to understand why it didn't deploy?
The best way to find the errors is in the AWS Load Balancer Controller logs, for example "kubectl logs -f aws-load-balancer-controller-78556cfd88-zb4gc -n kube-system"
Please let me know when you find the issue, in case I need to update anything.
Apps can use the same ALB with a simple groupname annotation
They can, but there are some limitations - kubernetes-sigs.github.io/aws-load-balancer-controller/v2.8/guide/ingress/annotations/#ingressgroup
Hi, very good playlist, thanks a lot. I am facing an error when I try to install the ALB controller: "unable to initialize AWS cloud","error":"failed to introspect vpcID from EC2Metadata or Node name, specify --aws-vpc-id instead if EC2Metadata". I am using the same scripts; the only difference is the cluster version, I am using 1.30.
Try to use the latest Helm chart version for the AWS Load Balancer Controller. I'll test 1.30 in about a week and update the Terraform code.
Run this to get the latest version:
helm repo update
helm search repo aws-load-balancer-controller
@@AntonPutra Hi, I tried with the 1.8.2 version, but it doesn't work. So I used cluster version 1.29 and it works. Thanks for your answer.
@@jesdavidgomez well, EKS 1.30 was introduced a week or two ago, maybe it wasn't enough time to update the load balancer controller. But like I said, I'll be updating the source code for this playlist 1 or 2 times a month moving forward.
For what it's worth, I seem to be running into the same issue no matter which version of EKS and the ALB controller I pick. (Edit: I had to provide the VPC ID, and then it worked.)
@@epgui yes, for 1.30 you need to provide vpc id - github.com/antonputra/tutorials/blob/main/lessons/196/terraform/15-aws-lbc.tf#L57-L60
Is there any video available for EKS security groups?
Is there anything specific you are interested in? In part 9, I use EKS security groups to allow access to the EFS file system.
Something like this:
resource "aws_efs_mount_target" "zone_a" {
  file_system_id  = aws_efs_file_system.eks.id
  subnet_id       = aws_subnet.private_zone1.id
  security_groups = [aws_eks_cluster.eks.vpc_config[0].cluster_security_group_id]
}
@@AntonPutra yes sir, like pod security groups, meaning you can directly attach security groups to pods, and also how to attach a security group to EKS using Terraform.
@@kalpeshkolap3525 got it, will do - docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html
Hello @AntonPutra
Why is the controller unable to retrieve the VPC ID from the EC2 instance metadata automatically, even though the node group IAM role includes the `AmazonEKSWorkerNodePolicy` policy and the controller IAM policy includes all permissions?
aws-load-balancer-controller-5675bcffbb-mpz7z 0/1 CrashLoopBackOff 1 (11s ago) 19s
### POD LOGS
{"level":"info","ts":"2024-08-29T15:23:19Z","msg":"version","GitVersion":"v2.7.2","GitCommit":"fb6460383b75e937e24548e69b6732f49b88755c","BuildDate":"2024-03-22T21:39:56+0000"}
{"level":"error","ts":"2024-08-29T15:23:22Z","logger":"setup","msg":"unable to initialize AWS cloud","error":"failed to introspect vpcID from EC2Metadata or Node name, specify --aws-vpc-id instead if EC2Metadata is unavailable: failed to fetch VPC ID from instance metadata: EC2MetadataError: failed to make EC2Metadata request
\tstatus code: 401, request id: "}
I had to set it manually for it to work!
+ set {
+ name = "vpcId"
+ value = "vpc-01d18dacf3eb5b62c"
# (1 unchanged attribute hidden)
}
autoscaler-aws-cluster-autoscaler-ffb695cd5-qj4r4 1/1 Running 0 65m
How can I avoid this (passing the VPC as an input value to the chart)?
It's related to recent changes to the controller; now you have to provide it explicitly. I have updated the code - github.com/antonputra/tutorials/blob/main/lessons/196/terraform/15-aws-lbc.tf#L58-L59