AWS / Heptio Authenticator from an EC2 instance

Time: 2018-08-28 10:20:10

Tags: amazon-web-services authentication kubernetes amazon-iam kubectl

So I followed the AWS article Deploying the Heptio Authenticator to kops and successfully got things working. Since I'm an admin, on my laptop with a fully configured AWS CLI setup I can run any kubectl command, fetching a token by using the following in my ~/.kube/config file:

users:
- name: mycluster-exec
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - token
      - --cluster-id
      - mycluster
      - --role
      - arn:aws:iam::<account-number>:role/KubernetesAdministrator
      command: aws-iam-authenticator
      env: null

What I want to do now is basically covered in the GitHub issue EKS heptio authentication using IAM without AWSCLI. I'm not using EKS, but the principle is the same. I have EC2 instances that are build agents running a CI system, and I don't want these build agents to hold static hard-coded credentials (i.e. a static AWS ID and secret key). I'd like these nodes to also be able to use the aws-iam-authenticator binary to grab temporary credentials so they can deploy to / change my Kubernetes cluster as needed.

I created a role/instance profile called KubernetesCIRole and attached that IAM role to my EC2 build agent nodes. I then added the following to the ConfigMap:

apiVersion: v1
data:
  config.yaml: |
    clusterID: mycluster
    server:
      mapRoles:
      - roleARN: arn:aws:iam::<account-number>:role/KubernetesAdministrator
        username: kubernetes-admin
        groups:
        - system:masters
      - roleARN: arn:aws:iam::<account-number>:role/KubernetesCIRole
        username: kubernetes-admin
        groups:
        - system:masters
kind: ConfigMap
metadata:
  labels:
    k8s-app: heptio-authenticator-aws
  name: heptio-authenticator-aws
  namespace: kube-system

However, when I configure ~/.kube/config on that EC2 build agent machine and run something simple like kubectl --v=10 get pods, I get the following:

I0828 10:16:30.605964    5196 loader.go:359] Config loaded from file /home/ubuntu/.kube/config
I0828 10:16:30.606744    5196 loader.go:359] Config loaded from file /home/ubuntu/.kube/config
I0828 10:16:30.607704    5196 loader.go:359] Config loaded from file /home/ubuntu/.kube/config
...
I0828 10:16:33.092683    5196 round_trippers.go:386] curl -k -v -XGET  -H "Accept: application/json, */*" -H "User-Agent: kubectl/v1.11.2 (linux/amd64) kubernetes/bb9ffb1" 'https://api.mycluster.k8s.mycompany.com/api?timeout=32s'
I0828 10:16:33.605698    5196 round_trippers.go:405] GET https://api.mycluster.k8s.mycompany.com/api?timeout=32s 401 Unauthorized in 512 milliseconds
I0828 10:16:33.605727    5196 round_trippers.go:411] Response Headers:
I0828 10:16:33.605734    5196 round_trippers.go:414]     Content-Type: application/json
I0828 10:16:33.605749    5196 round_trippers.go:414]     Www-Authenticate: Basic realm="kubernetes-master"
I0828 10:16:33.605758    5196 round_trippers.go:414]     Content-Length: 129
I0828 10:16:33.605767    5196 round_trippers.go:414]     Date: Tue, 28 Aug 2018 10:16:33 GMT
I0828 10:16:33.608443    5196 request.go:897] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
I0828 10:16:33.610858    5196 cached_discovery.go:111] skipped caching discovery info due to Unauthorized
F0828 10:16:33.610901    5196 helpers.go:119] error: the server doesn't have a resource type "pods"

Why doesn't this work? If I specify in the Heptio / AWS IAM Authenticator ConfigMap that a given role has cluster admin access (or anything else), shouldn't I be able to authenticate?

Thanks for any help!

1 answer:

Answer 0: (score: 0)

Finally figured it out. The AWS doc Managing Users or IAM Roles for your Cluster contains the needed piece:

First, you need to create an IAM role (and corresponding instance profile) with the following basic permissions, and attach it to your EC2 instance:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Then you need to update the ConfigMap with the following:

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <ARN of instance role (not instance profile)>
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:masters

The key part is the username system:node:{{EC2PrivateDNSName}}. I'm guessing {{EC2PrivateDNSName}} acts as a placeholder for any EC2 instance that has the corresponding rolearn attached.
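As a defender-side check on the mappings discussed in both the question (the heptio-authenticator-aws config.yaml) and the answer (the aws-auth ConfigMap), here is an added Python example that is not part of the question, the answer, or aws-iam-authenticator itself. It lints mapRoles entries before they are applied: it catches the role-ARN-versus-instance-profile mix-up the answer points at, an ARN written with an IAM path, unknown username placeholders, and mappings that hand a CI role system:masters. The sample entries and the 111122223333 account number are constructed; a caller would normally pass the parsed ConfigMap data instead (stdlib only, so no YAML parser is used here).

```python
"""Lint aws-iam-authenticator mapRoles entries before applying a ConfigMap.

Added example for this page; not part of aws-iam-authenticator or the AWS
docs. It works on entries as they look after YAML parsing, so a caller would
normally feed it yaml.safe_load(...)["mapRoles"].
"""
import re
from typing import Any, Dict, List, Tuple

# The authenticator compares the caller's STS identity against rolearn, so
# the entry must name an IAM *role*: not the instance profile that wraps it,
# and written without an IAM path, because the assumed-role ARN that STS
# reports carries no path.
ROLE_ARN = re.compile(r"^arn:aws:iam::\d{12}:role/(?P<name>[^/]+)$")
IAM_ARN = re.compile(r"^arn:aws:iam::\d{12}:(?P<kind>[a-z-]+)/(?P<rest>.+)$")

# Username templates the server expands per request.
PLACEHOLDERS = {"{{EC2PrivateDNSName}}", "{{SessionName}}", "{{AccountID}}"}

Finding = Tuple[int, str, str]  # (entry index, "error" | "warning", message)

# Constructed sample covering both key spellings seen on this page (roleARN in
# the heptio config.yaml, rolearn in aws-auth). The account id is a placeholder.
SAMPLE_MAP_ROLES: List[Dict[str, Any]] = [
    {"roleARN": "arn:aws:iam::111122223333:role/KubernetesAdministrator",
     "username": "kubernetes-admin", "groups": ["system:masters"]},
    {"rolearn": "arn:aws:iam::111122223333:instance-profile/KubernetesCIRole",
     "username": "system:node:{{EC2PrivateDNSName}}", "groups": ["system:masters"]},
    {"rolearn": "arn:aws:iam::111122223333:role/KubernetesCIRole",
     "username": "ci:{{SessionName}}", "groups": ["ci-deployers"]},
]


def lint_map_roles(entries: List[Dict[str, Any]]) -> List[Finding]:
    """Return findings per entry: errors mean the mapping is malformed or will
    never match the caller; warnings mean it is broader than a CI agent needs."""
    findings: List[Finding] = []
    for i, entry in enumerate(entries):
        arn = str(entry.get("rolearn") or entry.get("roleARN") or "")
        username = str(entry.get("username") or "")
        groups = [str(g) for g in (entry.get("groups") or [])]

        if not ROLE_ARN.match(arn):
            m = IAM_ARN.match(arn)
            if m and m.group("kind") == "instance-profile":
                findings.append((i, "error", "rolearn names an instance profile; "
                                 "use the ARN of the role inside it"))
            elif m and m.group("kind") == "role":
                findings.append((i, "error", "rolearn contains an IAM path; "
                                 "write it as arn:aws:iam::<account>:role/<name>"))
            else:
                findings.append((i, "error", f"rolearn is not an IAM role ARN: {arn!r}"))

        if not username:
            findings.append((i, "error", "username is empty"))
        for ph in re.findall(r"\{\{[^}]*\}\}", username):
            if ph not in PLACEHOLDERS:
                findings.append((i, "error", f"unknown username placeholder {ph}"))

        if "system:masters" in groups:
            findings.append((i, "warning", "grants system:masters (unrestricted "
                             "cluster-admin); bind a dedicated group via RBAC instead"))
        if username.startswith("system:node:") and "system:nodes" not in groups:
            findings.append((i, "warning", "system:node: is the username form "
                             "Kubernetes reserves for kubelets; give a CI agent its own"))
    return findings


def render_username(template: str, **values: str) -> str:
    """Expand placeholders the way the server does for one request. Assumption:
    the values come from the STS/EC2 lookups the authenticator performs."""
    out = template
    for key, value in values.items():
        out = out.replace("{{" + key + "}}", value)
    return out


def has_errors(findings: List[Finding]) -> bool:
    return any(severity == "error" for _, severity, _ in findings)


if __name__ == "__main__":
    for idx, severity, message in lint_map_roles(SAMPLE_MAP_ROLES):
        print(f"entry {idx}: {severity}: {message}")
    print(render_username("system:node:{{EC2PrivateDNSName}}",
                          EC2PrivateDNSName="ip-10-0-1-23.ec2.internal"))
```

Run against the sample, the second entry is rejected outright (instance-profile ARN), both entries that grant system:masters are flagged, and only the third entry, which maps the CI role to its own username and a dedicated group, comes back clean. That third shape is the one to bind with a Role/RoleBinding scoped to the namespaces and verbs the CI job actually deploys to.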