Service account for Managed Service for Kubernetes Application Load Balancer tools
Managed Service for Kubernetes Application Load Balancer tools, such as the ingress controller and Gateway API, use a service account to deploy infrastructure. This account requires the following permissions:

Tip: We recommend using the new Yandex Cloud Gwin controller instead of an Application Load Balancer Ingress controller.
| Service | Type of permission required | Minimum required permissions |
|---|---|---|
| Application Load Balancer (roles) | Service resource management | alb.editor |
| Virtual Private Cloud (roles) | Managing internal or external connectivity based on the load balancer type | vpc.publicAdmin (external), vpc.privateAdmin (internal) |
| Certificate Manager (roles) | Obtaining HTTPS load balancer certificates | certificate-manager.certificates.downloader |
| Compute Cloud (roles) | Getting information about Managed Service for Kubernetes cluster node VMs | compute.viewer |

The second set of permissions differs from the first only in the Certificate Manager role, which grants certificate management rather than download only:

| Service | Type of permission required | Minimum required permissions |
|---|---|---|
| Application Load Balancer (roles) | Service resource management | alb.editor |
| Virtual Private Cloud (roles) | Managing internal or external connectivity based on the load balancer type | vpc.publicAdmin (external), vpc.privateAdmin (internal) |
| Certificate Manager (roles) | Managing HTTPS load balancer certificates | certificate-manager.certificates.admin |
| Compute Cloud (roles) | Getting information about Managed Service for Kubernetes cluster node VMs | compute.viewer |
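As an added example (not Yandex Cloud's own tooling), a least-privilege check that compares the roles actually bound to the controller's service account against the minimum set in the tables above; because the two tables differ only in the Certificate Manager role, that role is a parameter. The binding dict shape and the service account and user IDs are constructed assumptions, not a real API response.

```python
# Least-privilege audit for the ALB tools service account (added example,
# not Yandex Cloud's own tooling). Role IDs come from the tables above; the
# binding dict shape and the IDs below are constructed for this example.

BASE_ROLES = {"alb.editor", "compute.viewer"}
VPC_ROLE = {"external": "vpc.publicAdmin", "internal": "vpc.privateAdmin"}
CERT_ROLE = {
    "downloader": "certificate-manager.certificates.downloader",
    "admin": "certificate-manager.certificates.admin",
}


def required_roles(lb_type, cert_scope="downloader"):
    """Minimum role set for one load balancer type and one certificate scope."""
    return BASE_ROLES | {VPC_ROLE[lb_type], CERT_ROLE[cert_scope]}


def audit_bindings(bindings, sa_id, lb_type, cert_scope="downloader"):
    """Compare the roles bound to sa_id with the minimum set.

    bindings: list of {"role_id": str, "subject": {"type": str, "id": str}}
    (a constructed shape, not the real API response). Bindings that belong
    to other subjects are ignored. Anything granted beyond the minimum set,
    including broad roles such as 'editor' that would still make the
    controller work, is reported as excess.
    """
    granted = {
        b["role_id"]
        for b in bindings
        if b["subject"]["type"] == "serviceAccount" and b["subject"]["id"] == sa_id
    }
    need = required_roles(lb_type, cert_scope)
    return {"missing": sorted(need - granted), "excess": sorted(granted - need)}


# Constructed sample: the controller SA holds the primitive 'editor' role and
# lacks the certificate role; a human user's binding must not count for it.
SAMPLE_BINDINGS = [
    {"role_id": "alb.editor", "subject": {"type": "serviceAccount", "id": "sa-alb-example"}},
    {"role_id": "compute.viewer", "subject": {"type": "serviceAccount", "id": "sa-alb-example"}},
    {"role_id": "vpc.publicAdmin", "subject": {"type": "serviceAccount", "id": "sa-alb-example"}},
    {"role_id": "editor", "subject": {"type": "serviceAccount", "id": "sa-alb-example"}},
    {"role_id": "certificate-manager.certificates.downloader",
     "subject": {"type": "userAccount", "id": "user-example"}},
]

if __name__ == "__main__":
    print(audit_bindings(SAMPLE_BINDINGS, "sa-alb-example", "external"))
```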
The service account authenticates using an authorized key. You must specify this key in the saKeySecretKey field when deploying a Helm chart with an ingress controller or Gateway API. For example, if you created your authorized key using the yc iam key create CLI command and saved it as sa-key.json, the Helm chart installation command may look like this:

```
helm install \
  --namespace yc-alb \
  --set-file saKeySecretKey=sa-key.json \
  ...
```
The system will store the authorized key as either the yc-alb-ingress-controller-sa-key Secret or the yc-alb-gateway-api-controller-sa-key Secret in the namespace specified during Helm chart deployment, e.g., yc-alb.