Service account for Application Load Balancer tools in Yandex Managed Service for Kubernetes
Tip
We recommend using the new Yandex Cloud Gwin controller instead of an ALB Ingress controller and Gateway API.
Managed Service for Kubernetes Application Load Balancer tools, such as the Ingress controller and Gateway API, use a service account to deploy infrastructure. This account requires the following permissions:
| Service | Type of permission required | Minimum required permissions |
|---|---|---|
| Application Load Balancer | Service resource management | alb.editor |
| Virtual Private Cloud | Managing internal or external connectivity based on the load balancer type | vpc.publicAdmin (external), vpc.privateAdmin (internal) |
| Certificate Manager | Obtaining HTTPS load balancer certificates | certificate-manager.certificates.downloader |
| Compute Cloud | Getting information about Managed Service for Kubernetes cluster node VMs | compute.viewer |
| Service | Type of permission required | Minimum required permissions |
|---|---|---|
| Application Load Balancer | Service resource management | alb.editor |
| Virtual Private Cloud | Managing internal or external connectivity based on the load balancer type | vpc.publicAdmin (external), vpc.privateAdmin (internal) |
| Certificate Manager | Managing HTTPS load balancer certificates | certificate-manager.certificates.admin |
| Compute Cloud | Getting information about Managed Service for Kubernetes cluster node VMs | compute.viewer |
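Because the tables above define the minimum role set, it is worth checking periodically that the service account holds exactly those roles and nothing broader. The following script is an added example (not part of this documentation or the Yandex Cloud tooling): it compares the access bindings of one service account against the tables, reporting roles still missing and roles beyond the minimum. It assumes the first table applies to the Ingress controller and the second to the Gateway API, and the input is a constructed sample in the shape of `yc resource-manager folder list-access-bindings --format json`.

```python
"""Least-privilege audit for the ALB tools service account (added example)."""
import json

# Minimum roles per tool, taken from the two tables above.
# Assumption: the first table is the Ingress controller, the second the Gateway API.
REQUIRED_ROLES = {
    "ingress": {"alb.editor", "certificate-manager.certificates.downloader", "compute.viewer"},
    "gateway": {"alb.editor", "certificate-manager.certificates.admin", "compute.viewer"},
}
# The VPC role depends on whether the load balancer is external or internal.
VPC_ROLE = {"external": "vpc.publicAdmin", "internal": "vpc.privateAdmin"}


def required_roles(tool, lb_type):
    """Full minimum role set for a given tool and load balancer type."""
    return REQUIRED_ROLES[tool] | {VPC_ROLE[lb_type]}


def audit_bindings(bindings_json, sa_id, tool, lb_type):
    """Compare the roles bound to one service account with the minimum set.

    Returns (missing, extra): roles the tool still needs, and roles that go
    beyond the table and should be reviewed or removed.
    """
    bindings = json.loads(bindings_json)
    granted = {
        b["role_id"] for b in bindings
        if b["subject"]["type"] == "serviceAccount" and b["subject"]["id"] == sa_id
    }
    needed = required_roles(tool, lb_type)
    return sorted(needed - granted), sorted(granted - needed)


# Constructed sample; service account IDs are placeholders, not real values.
SAMPLE_BINDINGS = json.dumps([
    {"role_id": "alb.editor", "subject": {"id": "sa-alb-example", "type": "serviceAccount"}},
    {"role_id": "vpc.publicAdmin", "subject": {"id": "sa-alb-example", "type": "serviceAccount"}},
    {"role_id": "compute.viewer", "subject": {"id": "sa-alb-example", "type": "serviceAccount"}},
    {"role_id": "editor", "subject": {"id": "sa-alb-example", "type": "serviceAccount"}},
    {"role_id": "alb.editor", "subject": {"id": "sa-other", "type": "serviceAccount"}},
])

if __name__ == "__main__":
    missing, extra = audit_bindings(SAMPLE_BINDINGS, "sa-alb-example", "ingress", "external")
    print("missing:", missing)  # ['certificate-manager.certificates.downloader']
    print("extra:", extra)      # ['editor']
```

In the sample, the broad `editor` role is flagged as excess and the certificate downloader role as missing, which is the kind of drift this check is meant to surface.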
The service account authenticates using an authorized key. You must specify this key in the saKeySecretKey field when deploying a Helm chart with an Ingress controller or Gateway API. For example, if you created your authorized key using the yc iam key create CLI command and saved it as sa-key.json, the Helm chart installation command may look like this:

```bash
helm install \
  --namespace yc-alb \
  --set-file saKeySecretKey=sa-key.json \
  ...
```
The system will store the authorized key as a Kubernetes Secret named either yc-alb-ingress-controller-sa-key (Ingress controller) or yc-alb-gateway-api-controller-sa-key (Gateway API) in the namespace specified during Helm chart deployment, e.g., yc-alb.