
Learning to K8 with Kops within AWS (I'm ok in the AWS zone I think), I'm working through setting up a simple service described in this medium article: After deploying the service I get an IAM permissions error (redacted account number & domain name):

 Warning  SyncLoadBalancerFailed  19m                  service-controller  Error syncing load balancer: failed to ensure load balancer: Error creating load balancer: "AccessDenied: User: arn:aws:sts::${AWS::Account}:assumed-role/masters.myfirstcluster.kops.${domain_name}/i-08a3ce916f7e03e55 is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::${AWS::Account}:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\n\tstatus code: 403, request id: c1a0598a-cd23-4e2a-9fd6-58904cbe76d5"

The AWS IAM role masters.myfirstcluster.kops., created by the kops binary, has been assumed by i-08a3ce916f7e03e55, and indeed it does not have a policy which would allow the API request. The role is created by the kops binary upon install.

Is there a kops API method to set the required policy on the role, or is it necessary to do this via the AWS API?

  • 1
    I don't know why, but it irritates the heck out of me when people reference kubernetes as `k8` instead of `k8s`. You've got to remember that the 8 is substituting the 8 characters between the `k` and the `s`. I'll run now before the mob pounces... – AnthonyK May 29 '22 at 08:55

1 Answer


Answering own question:

It was necessary to change the policy attached to the master role (see IAM Roles), adding the following section under the `spec:` key with `kops edit cluster myfirstcluster.kops.${domain_name}`:

```yaml
  additionalPolicies:
    master: |
      [
        {
          "Effect": "Allow",
          "Action": [ "iam:CreateServiceLinkedRole"],
          "Resource": ["*"]
        }
      ]
```
  • 1
    For other `kops` newbies: editing only edits the metadata in the state. You will need to preview/apply the update as well. Preview: `kops update cluster myfirstcluster.kops.${domain_name}`, then apply: `kops update cluster myfirstcluster.kops.${domain_name} --yes`. Another related answer here: https://unix.stackexchange.com/questions/460113/kops-unable-to-deploy-elb-for-ingress-controller – Amir T Aug 01 '20 at 14:18
  • Thanks for posting your solution @RichardGreen - it is still relevant on kops 1.22.2. – AnthonyK May 29 '22 at 08:56
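The accepted fix grants `iam:CreateServiceLinkedRole` on `Resource: ["*"]`, which is broader than the master nodes need. As an added example (not part of the question or the answer), the following script lints that policy for wildcard resources and rewrites it to the one service-linked role named in the error message; it assumes the `arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing` ARN from the page and the `iam:AWSServiceName` IAM condition key, and emits the narrowed `additionalPolicies` fragment for the kops spec.

```python
import json

# Constructed sample: the statement the answer adds under spec.additionalPolicies.master.
ANSWER_POLICY = [
    {
        "Effect": "Allow",
        "Action": ["iam:CreateServiceLinkedRole"],
        "Resource": ["*"],
    }
]

# Service-linked role ARN taken from the AccessDenied error on the page; the account id
# is left as a wildcard because the spec is not tied to one account (assumption).
ELB_SLR_ARN = ("arn:aws:iam::*:role/aws-service-role/"
               "elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing")
ELB_SERVICE = "elasticloadbalancing.amazonaws.com"


def _as_list(value):
    # IAM allows a bare string or a list for Action and Resource; normalise to a list.
    return value if isinstance(value, list) else [value]


def wildcard_statements(policy):
    """Return indexes of Allow statements that grant something on Resource '*'."""
    return [i for i, stmt in enumerate(policy)
            if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource", []))]


def scope_create_slr(policy):
    """Copy of policy with iam:CreateServiceLinkedRole on '*' narrowed to the ELB SLR."""
    scoped = []
    for stmt in policy:
        new = dict(stmt)
        if (stmt.get("Effect") == "Allow"
                and _as_list(stmt.get("Action", [])) == ["iam:CreateServiceLinkedRole"]
                and "*" in _as_list(stmt.get("Resource", []))):
            new["Resource"] = [ELB_SLR_ARN]
            # Only lets the role be created on behalf of ELB, not any other service.
            new["Condition"] = {"StringEquals": {"iam:AWSServiceName": ELB_SERVICE}}
        scoped.append(new)
    return scoped


def render_additional_policies(policy, indent=2):
    """Render the kops spec fragment: a YAML block scalar carrying the JSON policy."""
    pad = " " * indent
    lines = [pad + "additionalPolicies:", pad + "  master: |"]
    lines += [pad + "    " + line for line in json.dumps(policy, indent=2).splitlines()]
    return "\n".join(lines)


if __name__ == "__main__":
    print("wildcard statements:", wildcard_statements(ANSWER_POLICY))
    print(render_additional_policies(scope_create_slr(ANSWER_POLICY)))
```

Paste the printed fragment under `spec:` in `kops edit cluster`, then run `kops update cluster ... --yes` as the comment above notes, since editing alone only changes the state store.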