时间戳

首页 > 解决方案 > 通过 IAM 角色访问 EKS 集群

amazon-web-services - 通过 IAM 角色访问 EKS 集群

问题描述

请帮助了解我收到的原因

错误:您必须登录到服务器(未经授权)

我创建了一个空的 EKS 主机并通过手动创建了内部角色:

eksctl create iamidentitymapping \
  --cluster eks-cluster \
  --arn arn:aws:iam::account_number:role/eks_test_full_role \
  --username admin \
  --group system:masters

它正在工作

eksctl get iamidentitymapping --cluster eks-cluster
ARN                                             USERNAME                GROUPS
arn:aws:iam::account_number:role/eks_test_full_role                     admin                   system:masters
arn:aws:iam::account_number:role/eks-cluster-eks-workers-iam-role   system:node:{{EC2PrivateDNSName}}   system:bootstrappers,system:nodes

在我创建了 IAM 用户之后,该用户可以担任具有所有必需权限的已创建角色

aws sts assume-role --role-arn arn:aws:iam::account_number:role/eks_test_full_role --role-session-name test
{
    "Credentials": {
        "AccessKeyId": "",
        "SecretAccessKey": "",
        "SessionToken": "",
        "Expiration": "2021-02-04T10:24:59Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "Role_id:test",
        "Arn": "arn:aws:sts::account_number:assumed-role/eks_test_full_role/test"
    }
}

我错过了什么让它起作用的步骤?

PS我的角色和角色绑定

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  namespace: dev
  name: get-pods
rules:
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get", "watch", "list"]

apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: get-pods-bind
  namespace: dev
subjects:
- kind: User
  name: admin
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: get-pods
  apiGroup: rbac.authorization.k8s.io

标签: amazon-web-servicesamazon-iamamazon-eks

解决方案

您将需要编辑 aws-auth configmap 并允许这个不同的 IAM 用户访问集群。如下所示:

1. kubectl edit cm aws-auth -n kube-system
  1. 添加以下配置并编辑用户名占位符和帐户 ID 占位符。如果mapusers已经存在,那么只需从-下一行开始添加一个新条目:
mapUsers: |
    - userarn: arn:aws:iam::<account-id>:user/<name of IAM user>
      username: <name of IAM user>
      groups:
        - system:masters

推荐阅读