Lesson learned- EKS w/Fargate and ALB

This post is about lesson learned from earlier effort to get EKS cluster running with fargate compute and expose the apps with aws alb. You may read Run Serverless Kubernetes Pods Using Amazon EKS and AWS Fargate post if you have not gone through the steps. Earlier, everything worked except the ALB!

So, what was wrong? ALB ran into errors because I quoted the values in the args section of alb-ingress-controller. See the corrected version of deployment script below-

aws-alb-ingress-controller

I posted the issue at aws-alb-ingress-controller on github and one of the developer pointed out the problem area after I shared the logs from the controller POD.

kubectl logs -f alb-ingress-controller-5db898488b-bqrf6 -n kube-system

E0324 01:30:51.391739 1 controller.go:217] kubebuilder/controller "msg"="Reconciler error" "error"="failed to build LoadBalancer configuration due to unable to fetch subnets. Error: WebIdentityErr: fa
iled to retrieve credentials\ncaused by: RequestError: send request failed\ncaused by: Post https://sts.'us-east-1'.amazonaws.com/: dial tcp: lookup sts.'us-east-1'.amazonaws.com: no such host" "controller
"="alb-ingress-controller" "request"={"Namespace":"default","Name":"aspnetapp-ingress"} 

Once I deleted the alb-ingress-controller and recreated, ALB was provisioned along with listener, rules, targets, security group, etc. based on the ingress resource definition. Now I can see the address and port fields are populated at the ingress.:)-

alb ingress

Advantages of letting aws manage the alb-

  • Anytime you change the replicateset to scale the number of PODs, alb automatically adjust the targets. ALB knows the underlying POD ip’s.
  • If/when you change the ingress resources, alb automatically configure rules and targets.
  • No of hop from alb to app is always one- alb targets are POD ip’s. This is definitely a performance boost- no need to go through another load balancer!
app with 3 PODs
alb targets with ip of PODs

Now, I am going to scale down the app to 2 PODS by changing the replicaset to 2. One of the POD will be terminated.

app with 2 PODs

I have not done anything to alb and targets are auto adjusted to match the number of pods. This is so nice!

How did the alb knows the POD ip and routed the traffic directly from alb to the POD? I guess, it know from the ingress resources where backends are configured as kubernetes services and service knows the PODs! See ingress resource below-

apiVersion: extensions/v1beta1
 kind: Ingress
 metadata:
   name: "aspnetapp-ingress"
   namespace: "default"
   annotations:
     kubernetes.io/ingress.class: alb
     alb.ingress.kubernetes.io/scheme: internet-facing
     alb.ingress.kubernetes.io/subnets: subnet-05dcc22c3f08db9be, subnet-06817ac3b3572158a
   labels:
     app: aspnetapp-ingress
 spec:
   rules:
 http:   paths: path: /nginx
 backend:
  serviceName: "nginx-service"
  servicePort: 80
 path: /*
 backend:
  serviceName: "aspnetapp-service"
  servicePort: 80 

Proper security groups must be attached to alb for inbound traffic flow from internet to public subnet and public subnet to private subnet. They are automatically created and configured but you will need to check/update based on your security requirements.

managed LoadBalancer securityGroup by ALB Ingress Controller
EKS created security group applied to ENI that is attached to EKS Control Plane master nodes, as well as any managed workloads

Finally, we can access our both the apps from internet via alb http://3d3f0c08-default-aspnetapp-752a-1923703002.us-east-1.elb.amazonaws.com/ or http://3d3f0c08-default-aspnetapp-752a-1923703002.us-east-1.elb.amazonaws.com/nginx. Of course, you can configure custom domain to make the urls friendly.

Leave a Reply