我试图将AWS IAM角色(联合)映射到EKS RBAC,尝试遵循this教程,但仍然会出错
➜ kubectl edit configmap aws-auth -n kube-system
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
mapAccounts: |
[]
mapRoles: |
- "groups":
- "system:bootstrappers"
- "system:nodes"
"rolearn": "arn:aws:iam::xxx:role/edna-dev-eks200000005"
"username": "system:node:{{EC2PrivateDNSName}}"
- "rolearn": "arn:aws:iam::xxx:role/team-developers"
"username": "developer"
"groups":
- "system:master"
mapUsers: |
[]
kind: ConfigMap
metadata:
creationTimestamp: "2020-06-11T19:40:47Z"
name: aws-auth
namespace: kube-system
resourceVersion: "4627634"
selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
uid: 137288f1-ae32-4a6f-b3d5-8dbd1da1e21d
➜ k get pods -n edna
Error from server (Forbidden): pods is forbidden: User "developer" cannot list resource "pods" in API group "" in the namespace "edna"
我是否需要使用名称“ developer”为该用户创建RBAC并映射所有权限? 如果是这样,那么正确的做法是什么?
我已经用kubectl krew安装了rakkess,如果我尝试使用AWS安全短期证书来获取它,
➜ k access-matrix -n edna
NAME LIST CREATE UPDATE DELETE
bindings ✖
certificaterequests.cert-manager.io ✖ ✖ ✖ ✖
certificates.cert-manager.io ✖ ✖ ✖ ✖
challenges.acme.cert-manager.io ✖ ✖ ✖ ✖
configmaps ✖ ✖ ✖ ✖
controllerrevisions.apps ✖ ✖ ✖ ✖
cronjobs.batch ✖ ✖ ✖ ✖
daemonsets.apps ✖ ✖ ✖ ✖
deployments.apps ✖ ✖ ✖ ✖
endpoints ✖ ✖ ✖ ✖
events ✖ ✖ ✖ ✖
events.events.k8s.io ✖ ✖ ✖ ✖
horizontalpodautoscalers.autoscaling ✖ ✖ ✖ ✖
ingresses.extensions ✖ ✖ ✖ ✖
ingresses.networking.k8s.io ✖ ✖ ✖ ✖
issuers.cert-manager.io ✖ ✖ ✖ ✖
jobs.batch ✖ ✖ ✖ ✖
leases.coordination.k8s.io ✖ ✖ ✖ ✖
limitranges ✖ ✖ ✖ ✖
localsubjectaccessreviews.authorization.k8s.io ✖
networkpolicies.networking.k8s.io ✖ ✖ ✖ ✖
orders.acme.cert-manager.io ✖ ✖ ✖ ✖
persistentvolumeclaims ✖ ✖ ✖ ✖
poddisruptionbudgets.policy ✖ ✖ ✖ ✖
pods ✖ ✖ ✖ ✖
podtemplates ✖ ✖ ✖ ✖
replicasets.apps ✖ ✖ ✖ ✖
replicationcontrollers ✖ ✖ ✖ ✖
resourcequotas ✖ ✖ ✖ ✖
rolebindings.rbac.authorization.k8s.io ✖ ✖ ✖ ✖
roles.rbac.authorization.k8s.io ✖ ✖ ✖ ✖
secrets ✖ ✖ ✖ ✖
serviceaccounts ✖ ✖ ✖ ✖
services ✖ ✖ ✖ ✖
statefulsets.apps ✖ ✖ ✖ ✖
谢谢, 德米特里
答案 0 :(得分:1)
您需要具有角色和角色绑定才能列出该命名空间的Pod
创建角色
@Input()
set loading(loading: boolean) {
this._loading = loading;
setTimeout(()=>{
this.dtTrigger.next();
}, 10);
}
该角色的角色绑定
kubectl create role developer --verb=get,list,watch --resource=pods,pods/status --namespace=edna
运行此命令后,检查是否可以访问。
kubectl create rolebinding developer-binding --role=developer --user=developer --serviceaccount=edna:default -n edna,此命令将返回kubectl auth can-i get pods -n edna --as developer,然后您的问题已解决。
有关更多信息,请参阅此文档
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding