/kind bug
1. What kops version are you running? The command kops version, will display
this information.
1.34.0
2. What Kubernetes version are you running? kubectl version will print the
version if a cluster is running or provide the Kubernetes version specified as
a kops flag.
1.34.1
3. What cloud provider are you using?
AWS
4. What commands did you run? What is the simplest way to reproduce this issue?
Created a new Loadbalancer service.
5. What happened after the commands executed?
Service refuses to reconcile:
Failed deploy model due to operation error Elastic Load Balancing v2: DescribeListenerAttributes, https response error StatusCode: 403, RequestID: ..., api error AccessDenied: User: arn:aws:sts::$AWS_ACCOUNT_ID:assumed-role/aws-load-balancer-controller.kube-system.sa.cluster.k-rfv75i/...... is not authorized to perform: elasticloadbalancing:DescribeListenerAttributes because no identity-based policy allows the elasticloadbalancing:DescribeListenerAttributes action.
On the AWS side the load balancer gets created but has no targets in the target groups.
6. What did you expect to happen?
Loadbalancer service being properly reconciled.
7. Please provide your cluster manifest. Execute
kops get --name my.example.com -o yaml to display your cluster manifest.
You may want to remove your cluster name and other sensitive information.
# relevant config blocks:
spec:
  awsLoadBalancerController:
    enabled: true
  networking:
    cilium:
      gatewayAPI:
        enabled: true
      enableNodePort: true
      hubble:
        enabled: true
      ingress:
        defaultLoadBalancerMode: shared
        enabled: true
8. Please run the commands with most verbose logging by adding the -v 10 flag.
Paste the logs into this report, or in a gist and provide the gist link here.
Don't think it is needed here.
9. Anything else do we need to know?
Manually adding the permission to the assumed role does fix the issue and allows the service to reconcile.
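
Added example (not part of the report and not kops or controller code): an offline check that extracts the role and denied action from an AccessDenied message like the one above and tests whether an identity-based policy document allows that action. The log line and policy are constructed samples, and the matcher is a simplification that only reads Allow statements with an Action list, ignoring Deny, NotAction, Resource and Condition.

```python
import fnmatch
import re

# Constructed sample: same shape as the reported error; account id, role suffix and session are placeholders.
SAMPLE_LOG = (
    "Failed deploy model due to operation error Elastic Load Balancing v2: "
    "DescribeListenerAttributes, https response error StatusCode: 403, RequestID: ..., "
    "api error AccessDenied: User: arn:aws:sts::111122223333:assumed-role/"
    "aws-load-balancer-controller.kube-system.sa.example/session is not authorized to "
    "perform: elasticloadbalancing:DescribeListenerAttributes because no identity-based "
    "policy allows the elasticloadbalancing:DescribeListenerAttributes action"
)

# Constructed policy standing in for the role's current identity-based policy.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeTargetGroup*"]},
]}

DENIED = re.compile(
    r"assumed-role/(?P<role>[^/\s]+)/\S* is not authorized to perform: (?P<action>[\w-]+:\w+)"
)

def denied_actions(log_text):
    """Return {role name: sorted unique denied actions} found in the log text."""
    found = {}
    for m in DENIED.finditer(log_text):
        found.setdefault(m["role"], set()).add(m["action"])
    return {role: sorted(actions) for role, actions in found.items()}

def as_list(value):
    return value if isinstance(value, list) else [value]

def allows(policy, action):
    """True if an Allow statement's Action pattern matches; IAM action names are case-insensitive."""
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in as_list(stmt["Action"])):
            return True
    return False

def missing_actions(log_text, policy):
    """Per role, the denied actions that the given policy document does not allow."""
    return {role: [a for a in actions if not allows(policy, a)]
            for role, actions in denied_actions(log_text).items()}
```

Running `missing_actions` over controller logs and the role's attached policy lists exactly the actions to add, which keeps the fix scoped to the single missing permission rather than a broad wildcard.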