Using the AWS Marketplace Ingress Controller Image
This document walks you through the steps needed to use the NGINX Ingress Controller from the AWS Marketplace. There are additional steps that must be followed in order for the AWS Marketplace NGINX Ingress Controller to work properly.
IMPORTANT: This document uses EKS version 1.19. EKS versions < 1.19 require additional security settings within the NGINX Pod to work properly with Marketplace images. This document uses eksctl to perform the steps needed to allow the Kubernetes cluster to deploy the NGINX Ingress Controller from the Marketplace. Please make sure you are running a recent version of eksctl and the AWS CLI.
NOTE: The NGINX Ingress Controller from the Marketplace does NOT work in the AWS region US-West-1.
Instructions for using AWS Marketplace:
Ensure you have a working AWS EKS cluster. If you do not have an EKS cluster, you can create one using either the AWS console or the AWS tool eksctl. See this guide for details on getting started with EKS using eksctl.
You must create a new IAM role that will be associated with the Service Account created for the NGINX Ingress Controller. This IAM role has a specific IAM policy that allows AWS to meter the usage of the AWS NGINX Ingress Controller image. This is a required step. If it is omitted, the AWS Marketplace NGINX Ingress Controller will not work properly and NGINX Ingress will not start. Please see the AWS EKS IAM documentation here and the documentation detailing the policy required for the AWS Marketplace here.
You must associate this IAM role with your service account in your EKS cluster. When you do so, your service account Kubernetes object will carry an annotation showing the link to the IAM role.
NB: You must associate your AWS EKS cluster with an OIDC provider before you can create your IAM service account. This is required.
This assumes you have an existing EKS cluster up and running. If not, please create one before proceeding. It also assumes the namespace for the NGINX Ingress Controller already exists.
- Associate your EKS cluster with an "OIDC IAM provider" (replace `--region <region>` and `--cluster <cluster>` with the values of your environment).

```
eksctl utils associate-iam-oidc-provider --region=eu-west-1 --cluster=json-eu-east1 --approve
```
- Now create your IAM role and service account for your cluster. Substitute `--region <region>` and `--cluster <cluster>` with your values.

```
eksctl create iamserviceaccount --name nginx-ingress --namespace nginx-ingress --cluster json-test01 --region us-east-2 --attach-policy-arn arn:aws:iam::aws:policy/AWSMarketplaceMeteringRegisterUsage --approve
```
This creates the IAM role with the required policy attached, creates the service account if it doesn't already exist, and adds the annotation needed for your AWS cluster. See the documentation here. Since eksctl creates it for you, you do not need to apply any service account YAML files for your NGINX Ingress Controller deployment. The resulting service account looks like this:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::001234567890:role/eksctl-json-us-west2-addon-iamserviceaccount-Role1-IJJ6CF9Y8IPY
  labels:
    app.kubernetes.io/managed-by: eksctl
  name: nginx-ingress
  namespace: nginx-ingress
secrets:
- name: nginx-ingress-token-zm728
```
Make sure the name of the service account you create matches the service account referenced in the `rbac.yaml` file used for manifest deployment.
Sample output from the `rbac.yaml` file, matching the IAM service account that was created above:

```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: nginx-ingress
subjects:
- kind: ServiceAccount
  name: nginx-ingress
  namespace: nginx-ingress
roleRef:
  kind: ClusterRole
  name: nginx-ingress
  apiGroup: rbac.authorization.k8s.io
```
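The two failure modes this step guards against are an IRSA annotation that is missing or misspelled (the key is case-sensitive, so the pod never receives web-identity credentials and the metering call fails) and a `ClusterRoleBinding` subject whose name or namespace does not match the service account. The following check is an added example and is not part of the NGINX Ingress Controller project or its documentation; it assumes you feed it the JSON that `kubectl get serviceaccount ... -o json` and `kubectl get clusterrolebinding ... -o json` return, and the sample objects embedded below are constructed for illustration, reusing the names and role ARN shown on this page.

```python
import json
import re
from typing import List

# The IRSA annotation key is case-sensitive; EKS only honours this exact spelling.
IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"
# Shape of an IAM role ARN: arn:aws:iam::<12-digit account id>:role/<optional path/>name
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[A-Za-z0-9+=,.@_/-]+$")


def check_irsa_binding(sa_json: str, crb_json: str) -> List[str]:
    """Return a list of problems; an empty list means SA and ClusterRoleBinding agree."""
    sa = json.loads(sa_json)
    crb = json.loads(crb_json)
    problems: List[str] = []

    meta = sa.get("metadata", {})
    sa_name = meta.get("name")
    sa_ns = meta.get("namespace")
    annotations = meta.get("annotations") or {}

    role_arn = annotations.get(IRSA_ANNOTATION)
    if role_arn is None:
        # Catch the common mistake of a differently cased key, which EKS ignores.
        near_miss = [k for k in annotations if k.lower() == IRSA_ANNOTATION]
        if near_miss:
            problems.append(
                f"annotation key {near_miss[0]!r} has the wrong case; "
                f"it must be exactly {IRSA_ANNOTATION!r}"
            )
        else:
            problems.append(
                f"ServiceAccount {sa_ns}/{sa_name} has no {IRSA_ANNOTATION} annotation"
            )
    elif not ROLE_ARN_RE.match(role_arn):
        problems.append(f"annotation value {role_arn!r} is not an IAM role ARN")

    # The binding must name this exact service account (name AND namespace).
    sa_subjects = [s for s in crb.get("subjects", []) if s.get("kind") == "ServiceAccount"]
    if not any(s.get("name") == sa_name and s.get("namespace") == sa_ns for s in sa_subjects):
        crb_name = crb.get("metadata", {}).get("name")
        problems.append(
            f"ClusterRoleBinding {crb_name!r} has no ServiceAccount subject "
            f"matching {sa_ns}/{sa_name}"
        )
    return problems


# Constructed sample objects shaped like `kubectl get ... -o json` output (not real cluster output).
ROLE_ARN = ("arn:aws:iam::001234567890:role/"
            "eksctl-json-us-west2-addon-iamserviceaccount-Role1-IJJ6CF9Y8IPY")
GOOD_SA = json.dumps({
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {
        "name": "nginx-ingress", "namespace": "nginx-ingress",
        "annotations": {"eks.amazonaws.com/role-arn": ROLE_ARN},
        "labels": {"app.kubernetes.io/managed-by": "eksctl"},
    },
})
# Same object, but the annotation key was typed with the wrong case.
BAD_SA_CASE = json.dumps({
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {
        "name": "nginx-ingress", "namespace": "nginx-ingress",
        "annotations": {"EKS.amazonaws.com/role-arn": ROLE_ARN},
    },
})
GOOD_CRB = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
    "metadata": {"name": "nginx-ingress"},
    "subjects": [{"kind": "ServiceAccount", "name": "nginx-ingress", "namespace": "nginx-ingress"}],
    "roleRef": {"kind": "ClusterRole", "name": "nginx-ingress",
                "apiGroup": "rbac.authorization.k8s.io"},
})
# Same binding, but the subject points at the wrong namespace.
BAD_CRB_NS = json.dumps({
    "apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRoleBinding",
    "metadata": {"name": "nginx-ingress"},
    "subjects": [{"kind": "ServiceAccount", "name": "nginx-ingress", "namespace": "default"}],
    "roleRef": {"kind": "ClusterRole", "name": "nginx-ingress",
                "apiGroup": "rbac.authorization.k8s.io"},
})

if __name__ == "__main__":
    cases = [("good", GOOD_SA, GOOD_CRB),
             ("wrong-case annotation", BAD_SA_CASE, GOOD_CRB),
             ("namespace mismatch", GOOD_SA, BAD_CRB_NS)]
    for label, sa, crb in cases:
        print(f"{label}: {check_irsa_binding(sa, crb) or 'OK'}")
```

Running it against a live cluster is a matter of piping the two `kubectl get ... -o json` outputs into `check_irsa_binding`; an empty result means the pod will receive the role's web-identity credentials and the binding grants them to the right identity.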
- Log into the AWS ECR registry specified in the instructions from the AWS Marketplace portal.
Note: AWS Labs also provides a credential helper; see their GitHub repo for instructions on how to set it up and configure it.
- Update the image in the