When I explicitly list the subnets in the alb.ingress.kubernetes.io/subnets annotation the ALB comes up no problem as either internal or external depending on what I set the alb.ingress.kubernetes.io/scheme annotation. Without the subnets annotation I get the error below. So there seems to be a step I'm missing with tagging the subnets - I tried adding kubernetes.io/role/internal-elb and kubernetes.io/role/internal-elb in turn, with a value of "1" since I've not seen anything specifying what the value should be for either, but neither tag seems to resolve the issue.
What steps should I take to troubleshoot a problem like this?
E0305 21:14:12.385165 1 :0] kubebuilder/controller "msg"="Reconciler error" "error"="failed to build LoadBalancer configuration due to retrieval of subnets failed to resolve 2 qualified subnets. Subnets must contain the kubernetes.io/cluster/\u003ccluster name\u003e tag with a value of shared or owned and the kubernetes.io/role/internal-elb tag signifying it should be used for ALBs Additionally, there must be at least 2 subnets with unique availability zones as required by ALBs. Either tag subnets to meet this requirement or use the subnets annotation on the ingress resource to explicitly call out what subnets to use for ALB creation. The subnets that did resolve were []" "Controller"="alb-ingress-controller"...
Hi, are your subnets tagged with kubernetes.io/cluster/clusterName: owned or kubernetes.io/cluster/clusterName: shared, where clusterName is what you specified in controller flags via - --cluster-name=clusterName?
@m00nF1sh Yes, they are tagged as shared
Do they have the correct cluster-name set? That is what caused this same issue for me. I had tagged them with the wrong cluster name.
@Blokje5 Yes, I double checked and the kubernetes.io/cluster/clusterName tag was set by the AWS provided cloud formation template, it matches the cluster name in EKS, and I cut and pasted the name from the tag when I created the ALB, it seems an exact match. Going by the documentation it should be working (and does except for the subnet discovery).
Hmm, I'm a bit stuck here too. I've also ensured the correct cluster tag is there, and I've added all of elb, internal-elb, and even alb-ingress as seen in the image here (plus alb-ingress-controller in case that actually means the controller's name) - on all three subnets:

(also tried along the way with 1 as the tag value, instead of blank)
Each of the above were added one by one and then the Ingress resource recreated each time, but I'm also still receiving ...The subnets that did resolve were []...
@M00nF1sh Is there anything else I can do to try and diagnose the cause of this?
@zfLQ2qx2 @tdmalone
Hi, would you help paste a screenshot of the AWS subnet console & ALB ingress controller YAML here.
Also, do your subnets reside in your VPC (where your worker nodes run)?
@M00nF1sh Solved it! I did not enable RBAC when I installed aws-alb-ingress-controller. Everything snapped into place once I re-did that. Nothing in the logs pointed to that being the problem, I just happened upon it. Thank you for taking a moment to help me though, it is appreciated 👍
@zfLQ2qx2 hi, can you direct me on how to enable RBAC? I am having the same issue.
hello @luvpreetsingh... @zfLQ2qx2 refer a role permission for alb-ingress-controller:
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  labels:
    app.kubernetes.io/name: alb-ingress-controller
  name: alb-ingress-controller
rules:
  - apiGroups:
      - ""
      - extensions
    resources:
      - configmaps
      - endpoints
      - events
      - ingresses
      - ingresses/status
      - services
    verbs:
      - create
      - get
      - list
      - update
      - watch
      - patch
  - apiGroups:
      - ""
      - extensions
    resources:
      - nodes
      - pods
      - secrets
      - services
      - namespaces
    verbs:
      - get
      - list
      - watch
---
apiVersion: v1
kind: ServiceAccount
metadata:
  labels:
    app.kubernetes.io/name: alb-ingress-controller
  name: alb-ingress-controller
  namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  labels:
    app.kubernetes.io/name: alb-ingress-controller
  name: alb-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: alb-ingress-controller
subjects:
  - kind: ServiceAccount
    name: alb-ingress-controller
    namespace: kube-system
@angelcos - We are using the incubator/aws-alb-ingress-controller helm chart for setting up the controller and facing a similar issue.
We have verified twice for:
This is happening for both internal and internet-facing. It works well if I use the annotation - alb.ingress.kubernetes.io/subnets.
Ohh it works, the problem was controller flags via - --cluster-name=clusterName. The clusterName was different from the one in the AWS tag, both have to be exactly the same.
I think this problem has another scenario: the subnet tag has two cluster tags, because maybe you can create two kubernetes clusters with the same subnet and the last tag will be used.
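The rules quoted in the controller's error message (cluster tag with a value of shared or owned, the role tag, at least two availability zones), written as an offline check over `aws ec2 describe-subnets` output. This is an added example, not code from the thread or from the controller; the cluster names, subnet IDs and the `diagnose` helper are constructed for illustration.

```python
CLUSTER_PREFIX = "kubernetes.io/cluster/"
ROLE_TAG = {"internal": "kubernetes.io/role/internal-elb",
            "internet-facing": "kubernetes.io/role/elb"}

def _tags(*pairs):
    return [{"Key": k, "Value": v} for k, v in pairs]

# Constructed sample in the shape of `aws ec2 describe-subnets` output.
SAMPLE = {"Subnets": [
    {"SubnetId": "subnet-0aaa", "AvailabilityZone": "us-east-1a",
     "Tags": _tags((CLUSTER_PREFIX + "prod-eks", "shared"), (ROLE_TAG["internal"], "1"))},
    {"SubnetId": "subnet-0bbb", "AvailabilityZone": "us-east-1b",  # cluster name typo
     "Tags": _tags((CLUSTER_PREFIX + "prod_eks", "shared"), (ROLE_TAG["internal"], "1"))},
    {"SubnetId": "subnet-0ccc", "AvailabilityZone": "us-east-1c",  # role tag missing
     "Tags": _tags((CLUSTER_PREFIX + "prod-eks", "shared"))},
]}

def diagnose(subnets, cluster_name, scheme):
    """Return (qualifying subnet ids, findings) for the value given to --cluster-name."""
    wanted, role_tag = CLUSTER_PREFIX + cluster_name, ROLE_TAG[scheme]
    by_az, findings = {}, []
    for s in subnets:
        tags = {t["Key"]: t["Value"] for t in s.get("Tags", [])}
        sid = s["SubnetId"]
        if tags.get(wanted) not in ("shared", "owned"):
            # Surface near misses: cluster tags present, but for another name.
            others = sorted(k[len(CLUSTER_PREFIX):] for k in tags
                            if k.startswith(CLUSTER_PREFIX) and k != wanted)
            hint = " (tagged for: " + ", ".join(others) + ")" if others else ""
            findings.append(sid + ": no " + wanted + "=shared|owned" + hint)
        elif role_tag not in tags:  # only presence is checked, not the value
            findings.append(sid + ": no " + role_tag + " tag")
        else:
            by_az.setdefault(s["AvailabilityZone"], sid)  # one subnet per zone
    if len(by_az) < 2:
        findings.append("only %d qualifying availability zone(s), 2 required" % len(by_az))
    return sorted(by_az.values()), findings

if __name__ == "__main__":
    ok, problems = diagnose(SAMPLE["Subnets"], "prod-eks", "internal")
    print("qualified:", ok)
    for p in problems:
        print(" -", p)
```
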
