Question

因此，我关注了AWS文章Deploying the Heptio Authenticator to kops，并成功地使事情得以运行。由于我是管理员，因此在具有完全配置的AWSCLI设置的便携式计算机上，我可以运行任何kubectl命令。通过在我的~/.kube/config文件中使用以下命令来获取令牌：

users:
- name: mycluster-exec
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - token
      - --cluster-id
      - mycluster
      - --role
      - arn:aws:iam::<account-number>:role/KubernetesAdministrator
      command: aws-iam-authenticator
      env: null

现在我想做的事情基本上在GitHub第EKS heptio authentication using IAM without AWSCLI号中进行了介绍。我没有使用EKS，但是原理是相同的。我有正在运行CI系统的构建代理的EC2实例，我希望这些构建代理不具有静态的硬编码凭据（即静态的AWS ID和秘密密钥）。我希望这些节点也可以使用aws-iam-authenticator二进制文件临时捕获凭据，以根据需要部署/更改我的Kubernetes集群。

我创建了一个名为KubernetesCIRole的角色/实例配置文件，并将该IAM角色附加到我的EC2构建代理节点。然后，我将以下内容添加到ConfigMap：

apiVersion: v1
data:
  config.yaml: |
    clusterID: mycluster
    server:
      mapRoles:
      - roleARN: arn:aws:iam::<account-number>:role/KubernetesAdministrator
        username: kubernetes-admin
        groups:
        - system:masters
      - roleARN: arn:aws:iam::<account-number>:role/KubernetesCIRole
        username: kubernetes-admin
        groups:
        - system:masters
kind: ConfigMap
metadata:
  labels:
    k8s-app: heptio-authenticator-aws
  name: heptio-authenticator-aws
  namespace: kube-system

但是，当我在该EC2构建代理机器上配置~/.kube/config并运行诸如kubectl --v=10 get pods之类的简单程序时，会收到以下消息：

I0828 10:16:30.605964    5196 loader.go:359] Config loaded from file /home/ubuntu/.kube/config
I0828 10:16:30.606744    5196 loader.go:359] Config loaded from file /home/ubuntu/.kube/config
I0828 10:16:30.607704    5196 loader.go:359] Config loaded from file /home/ubuntu/.kube/config
...
I0828 10:16:33.092683    5196 round_trippers.go:386] curl -k -v -XGET  -H "Accept: application/json, */*" -H "User-Agent: kubectl/v1.11.2 (linux/amd64) kubernetes/bb9ffb1" 'https://api.mycluster.k8s.mycompany.com/api?timeout=32s'
I0828 10:16:33.605698    5196 round_trippers.go:405] GET https://api.mycluster.k8s.mycompany.com/api?timeout=32s 401 Unauthorized in 512 milliseconds
I0828 10:16:33.605727    5196 round_trippers.go:411] Response Headers:
I0828 10:16:33.605734    5196 round_trippers.go:414]     Content-Type: application/json
I0828 10:16:33.605749    5196 round_trippers.go:414]     Www-Authenticate: Basic realm="kubernetes-master"
I0828 10:16:33.605758    5196 round_trippers.go:414]     Content-Length: 129
I0828 10:16:33.605767    5196 round_trippers.go:414]     Date: Tue, 28 Aug 2018 10:16:33 GMT
I0828 10:16:33.608443    5196 request.go:897] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
I0828 10:16:33.610858    5196 cached_discovery.go:111] skipped caching discovery info due to Unauthorized
F0828 10:16:33.610901    5196 helpers.go:119] error: the server doesn't have a resource type "pods"

为什么这行不通？如果我在Heptio / AWS IAM Authenticator ConfigMap中指定给定角色具有集群管理员访问权限（或其他任何原因），我是否应该能够进行身份验证？

谢谢您的帮助！

Answer 1

最后弄清楚了。 AWS文档Managing Users or IAM Roles for your Cluster包含所需的部分：

首先，您需要创建一个具有以下基本权限的IAM角色（和相应的实例配置文件），并将其附加到您的EC2实例：

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

然后，您需要使用以下内容更新ConfigMap：

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: <ARN of instance role (not instance profile)>
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:masters

关键部分是用户名system:node:{{EC2PrivateDNSName}}。我猜想{{EC2PrivateDNSName}}可以充当任何EC2实例的占位符，并附加了相应的rolearn。

来自EC2实例的AWS / Heptio Authenticator

1 个答案: