Service account for Application Load Balancer tools for Managed Service for Kubernetes
The Application Load Balancer tools for Managed Service for Kubernetes, i.e., Ingress controller and Gateway API, deploy the infrastructure on behalf of a service account. This account requires the following permissions:
| Service | Type of permission required | Minimum role |
|---|---|---|
| Application Load Balancer (roles) |
Manage service resources | alb.editor |
| Virtual Private Cloud (roles) |
Manage internal or external connectivity depending on load balancer type | vpc.publicAdmin (external)vpc.privateAdmin (internal) |
| Certificate Manager (roles) |
Obtain certificates (for HTTPS load balancers) | certificate-manager.certificates.downloader |
| Compute Cloud (roles) |
Get information on virtual machines created as Managed Service for Kubernetes cluster nodes | compute.viewer |
| Service | Type of permission required | Minimum role |
|---|---|---|
| Application Load Balancer (roles) |
Manage service resources | alb.editor |
| Virtual Private Cloud (roles) |
Manage internal or external connectivity depending on load balancer type | vpc.publicAdmin (external)vpc.privateAdmin (internal) |
| Certificate Manager (roles) |
Manage certificates (for HTTPS load balancers) | certificate-manager.certificates.admin |
| Compute Cloud (roles) |
Get information on virtual machines created as Managed Service for Kubernetes cluster nodes | compute.viewer |
An authorized key is used to authenticate the service account. The key must be specified in the saKeySecretKey value when installing a Helm chart with an Ingress controller or Gateway API. For instance, if you created the key via the yc iam key create CLI command and saved it to sa-key.json, the chart installation command may look like this:
helm install \
--namespace yc-alb \
--set-file saKeySecretKey=sa-key.json \
...
The key will be stored in the yc-alb-ingress-controller-sa-key or yc-alb-gateway-api-controller-sa-key secret in the namespace specified when installing the chart (yc-alb in the above example).