amazon-web-servicesaws-lambdaamazon-eksbasic-authenticationaws-application-load-balancer

Why is the Lambda Target Group unsupported when modifying a Listener using ALB Ingress Controller on EKS?


I want to modify the HTTPS Listener of an EC2 ALB. Currently I'm creating the Load Balancers using the ALB Ingress Controller on Kubernetes (EKS). The thing is that now I want to implement Basic Auth temporarily on the LB and I point not routed traffic to a TargetGroup which is a Lambda Function to enforce the Basic auth.

All works but after the environment is up from being down at night all changes are then modified by the controller and removing the config I did from the AWS Console.

I tried adding an annotation to the Ingress to edit the default action and forward to the target group that is the Lambda Function but it says that Lambda is not a supported Target Group. Then why I'm able to do it from the AWS Console?

Is there a way to edit the default action of an HTTPS Listener to forward to a Lambda Target Group from the EKS Ingress using ALB Ingress Controller?


Solution

  • The AWS load balancer controller only supports 2 target types: ip and instance. It does not recognize Lambda as a target type. You may want to consider using a custom authorizer with API Gateway instead. See https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-use-lambda-authorizer.html for additional details. Since there is an ACK controller for API GW, you can provision and manage API GW through the Kubernetes API if you so choose. See https://aws-controllers-k8s.github.io/community/docs/tutorials/apigatewayv2-reference-example/ for an example. Out-of-band changes to load balancers provisioned by the controller will get overwritten when the controller reconciles the state in k8s with the state in AWS.