Service account for Application Load Balancer ingress controller
An Application Load Balancer ingress controller for Managed Service for Kubernetes deploys infrastructure on behalf of a service account. That service account requires the following permissions:
Service | Type of permission required | Minimum role
---|---|---
Application Load Balancer (roles) | Manage service resources | `alb.editor`
Virtual Private Cloud (roles) | Manage internal or external connectivity, depending on the load balancer type | `vpc.publicAdmin` (external), `vpc.privateAdmin` (internal)
Certificate Manager (roles) | Obtain certificates (for HTTPS load balancers) | `certificate-manager.certificates.downloader`
Compute Cloud (roles) | Get information on virtual machines created as Managed Service for Kubernetes cluster nodes | `compute.viewer`
An authorized key is used to authenticate the service account. The key must be passed in the `saKeySecretKey` value when installing the Helm chart with the ingress controller. For instance, if you created the key with the `yc iam key create` CLI command and saved it to `sa-key.json`, the chart install command could look like this:
```bash
helm install \
  --namespace yc-alb-ingress \
  --set-file saKeySecretKey=sa-key.json \
  ...
```
The key will be stored in the `yc-alb-ingress-controller-sa-key` secret in the namespace specified when installing the chart (`yc-alb-ingress` in the example above).
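Before running `helm install`, it is worth checking that the file named in `--set-file saKeySecretKey` really is the authorized key and is not readable by other local users, since its contents end up verbatim in the `yc-alb-ingress-controller-sa-key` secret. The check below is an added example, not code from this page or from the ingress controller; the JSON field names are assumed to match what `yc iam key create --output` writes, and the sample key is constructed.

```python
"""Pre-flight checks for the authorized key passed to Helm via --set-file saKeySecretKey."""
import json
import os
import stat
from pathlib import Path

# Field names assumed to match the JSON written by `yc iam key create --output sa-key.json`.
REQUIRED_FIELDS = ("id", "service_account_id", "private_key")

# Constructed sample (not a real key), used only to demonstrate the checks offline.
CONSTRUCTED_SAMPLE = {
    "id": "ajeexamplekeyid00000",
    "service_account_id": "ajeexamplesaid000000",
    "key_algorithm": "RSA_2048",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n",
}


def write_sample_key(directory):
    """Write the constructed sample as sa-key.json with mode 0600 and return its path."""
    path = Path(directory) / "sa-key.json"
    path.write_text(json.dumps(CONSTRUCTED_SAMPLE))
    os.chmod(path, 0o600)
    return str(path)


def validate_sa_key(path):
    """Return (key id, service account id) if the file looks like an authorized key.

    Raises ValueError when the file would leave the controller unable to authenticate
    or is clearly the wrong file (not JSON, public key only, fields missing).
    """
    try:
        data = json.loads(Path(path).read_text())
    except json.JSONDecodeError as exc:
        raise ValueError(f"{path}: not valid JSON ({exc})") from None
    missing = [f for f in REQUIRED_FIELDS if not data.get(f)]
    if missing:
        raise ValueError(f"{path}: missing fields {missing}")
    if "PRIVATE KEY" not in data["private_key"]:
        raise ValueError(f"{path}: private_key is not a PEM private key")
    return data["id"], data["service_account_id"]


def world_readable(path):
    """True if group or others can read the file; keep the key at mode 0600 on disk."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))
```

Run `validate_sa_key("sa-key.json")` and `world_readable("sa-key.json")` against your real key file before the Helm install; a `ValueError` or a `True` from the mode check means fix the file first.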