根据官方kubernetes documentation,为了让您的节点能够访问AWS ECR,需要将以下标志添加到~/.kube/config:
iam:
allowContainerRegistry: true
legacy: false
然后,在更新群集后,应将以下权限添加到ec2实例:
{
"Sid": "kopsK8sECR",
"Effect": "Allow",
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:DescribeRepositories",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:ListImages"
],
"Resource": [
"*"
]
}
但是,我刚刚使用kops在AWS上创建了一个集群,我的节点已经具有这些权限,而我没有做任何额外的配置。
这是正常的吗?
$ kops version
Version 1.8.0 (git-5099bc5)
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.1", GitCommit:"f38e43b221d08850172a9a4ea785a86a3ffa3b3a", GitTreeState:"clean", BuildDate:"2017-10-11T23:27:35Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.4", GitCommit:"9befc2b8928a9426501d3bf62f72849d5cbcd5a3", GitTreeState:"clean", BuildDate:"2017-11-20T05:17:43Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
答案 0 :(得分:0)
According to the kops documentation,这些角色是为您创建的,并分配给正确的ec2实例:
为群集创建了两个IAM角色:一个用于主服务器,另一个用于节点。
默认情况下,Strict IAM标志不会授予节点访问AWS EC2 Container Registry(ECR)的权限,如上面的示例策略文档所示。要授予对ECR的访问权限,请使用以下内容更新Cluster Spec,然后执行群集更新:
iam: allowContainerRegistry: true legacy: false
据我了解,如果您添加allowContainerRegistry: true, kops 会将这些权限添加到自动创建的IAM角色中。