我使用了RBAC启用的kubernetes集群 kops版本 1.8.0-beta.1 ,我正在尝试运行一个nginx pod,它应该附加预先创建的EBS卷并且pod应该启动。但即使我是 admin 用户,也会将问题视为未获授权。任何帮助将受到高度赞赏。
kubectl version Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.3", GitCommit:"f0efb3cb883751c5ffdbe6d515f3cb4fbe7b7acd", GitTreeState:"clean", BuildDate:"2017-11-09T07:27:47Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.3", GitCommit:"f0efb3cb883751c5ffdbe6d515f3cb4fbe7b7acd", GitTreeState:"clean", BuildDate:"2017-11-08T18:27:48Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
namespace:default
cat test-ebs.yml
apiVersion: v1
kind: Pod
metadata:
name: test-ebs
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /test-ebs
name: test-volume
volumes:
- name: test-volume
awsElasticBlockStore:
volumeID: <vol-IDhere>
fsType: ext4
我收到以下错误:
Warning FailedMount 8m attachdetach AttachVolume.Attach failed for volume "test-volume" : Error attaching EBS volume "<vol-ID>" to instance "<i-instanceID>": "UnauthorizedOperation: You are not authorized to perform this operation
答案 0 :(得分:6)
在kops 1.8.0-beta.1中,主节点要求您使用以下标记标记AWS卷:
KubernetesCluster: <clustername-here>
如果你使用像这样的kops创建了k8s集群:
kops create cluster --name=k8s.yourdomain.com [other-args-here]
您在EBS卷上的标记需要
KubernetesCluster: k8s.yourdomain.com
master上的策略将包含一个块,其中包含:
{
"Sid": "kopsK8sEC2MasterPermsTaggedResources",
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteRoute",
"ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",
"ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "k8s.yourdomain.com"
}
}
}
该条件表示master-policy具有仅附加包含正确标记的卷的权限。
答案 1 :(得分:1)
问题是因为kops1.8版本。回滚到kops版本v1.7.1。它现在正在工作。