Cannot reach EKS worker nodes via ssh when set up with eksctl

Time: 2018-10-08 06:49:02

Tags: amazon-eks aws-eks

After creating an EKS cluster on AWS with the eksctl tool, I cannot use ssh to access the worker machines. What is wrong?

Marcs-MBP:kubernetes tests marc$ eksctl create cluster --name=mycluster --ssh-public-key=~/.ssh/id_rsa.pub 
2018-10-08T08:09:17+02:00 [ℹ]  setting availability zones to [us-west-2c us-west-2b us-west-2a]
2018-10-08T08:09:17+02:00 [ℹ]  using "ami-08cab282f9979fc7a" for nodes
2018-10-08T08:09:17+02:00 [ℹ]  creating EKS cluster "mycluster" in "us-west-2" region
2018-10-08T08:09:17+02:00 [ℹ]  will create 2 separate CloudFormation stacks for cluster itself and the initial nodegroup
2018-10-08T08:09:17+02:00 [ℹ]  if you encounter any issues, check CloudFormation console or try 'eksctl utils describe-stacks --region=us-west-2 --name=mycluster'
2018-10-08T08:09:17+02:00 [ℹ]  creating cluster stack "eksctl-mycluster-cluster"
2018-10-08T08:21:12+02:00 [ℹ]  creating nodegroup stack "eksctl-mycluster-nodegroup-0"
2018-10-08T08:24:54+02:00 [✔]  all EKS cluster resource for "mycluster" had been created
2018-10-08T08:24:54+02:00 [✔]  saved kubeconfig as "/Users/marc/.kube/config"
2018-10-08T08:24:56+02:00 [ℹ]  the cluster has 0 nodes
2018-10-08T08:24:56+02:00 [ℹ]  waiting for at least 2 nodes to become ready
2018-10-08T08:25:29+02:00 [ℹ]  the cluster has 2 nodes
2018-10-08T08:25:29+02:00 [ℹ]  node "ip-192-168-121-173.us-west-2.compute.internal" is ready
2018-10-08T08:25:29+02:00 [ℹ]  node "ip-192-168-228-63.us-west-2.compute.internal" is ready
2018-10-08T08:25:32+02:00 [ℹ]  kubectl command should work with "/Users/marc/.kube/config", try 'kubectl get nodes'
2018-10-08T08:25:32+02:00 [✔]  EKS cluster "mycluster" in "us-west-2" region is ready

Now adding SSH access from anywhere to the security group: sg-09a1acc782f2222cd, named eksctl-mycluster-nodegroup-0-SG-4KUHPKAY90D1.

Marcs-MBP:kubernetes tests marc$ ssh -i ~/.ssh/id_rsa.pub ec2-user@ec2-35-166-200-64.us-west-2.compute.amazonaws.com
The authenticity of host 'ec2-35-166-200-64.us-west-2.compute.amazonaws.com (35.166.200.64)' can't be established.
ECDSA key fingerprint is SHA256:dDeYNRVqovc+pb3oEm271J4K+2OAcFvXSddUoZJTHRk.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ec2-35-166-200-64.us-west-2.compute.amazonaws.com,35.166.200.64' (ECDSA) to the list of known hosts.
ec2-user@ec2-35-166-200-64.us-west-2.compute.amazonaws.com: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Marcs-MBP:kubernetes tests marc$ 

It is not clear to me how to use ssh to reach my worker machines. Any idea what is wrong?

eksctl version in use:

Marcs-MacBook-Pro:~ marc$ eksctl version
2018-10-08T08:44:49+02:00 [ℹ]  versionInfo = map[string]string{"builtAt":"2018-09-12T14:57:03Z", "gitCommit":"2f553a2c54eb1390a7eb6746ccdc5da106fe518b", "gitTag":"0.1.2"}

2 answers:

Answer 0: (score: 3)

You need to specify the --ssh-access option when running eksctl create cluster. Once it is specified, you can see the following log message during creation:

[ℹ]  importing SSH public key "/home/<USER_NAME>/.ssh/id_rsa.pub" as "eksctl-xxx-nodegroup-ng-a4cd5bb2-xx:xx:xx:xx:xx:xx:xx"

Then you can ssh into the host as ec2-user:

 ssh -i /home/<USER_NAME>/.ssh/id_rsa.pub ec2-user@ec2-xx-xx-xx-xx

Answer 1: (score: 0)

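The ssh option -i takes the private key that corresponds to the public key, whereas you passed the name of the file containing the public key itself.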

Try

ssh -i ~/.ssh/id_rsa ec2-user@ec2-35-166-200-64.us-west-2.compute.amazonaws.com

By the way, ~/.ssh/id_rsa is usually the default private key, so simply

ssh ec2-user@ec2-35-166-200-64.us-west-2.compute.amazonaws.com

should work too.
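
The distinction Answer 1 draws, as an added example that is not part of either answer: a shell helper that reads the first line of a key file to tell a public key from a private one before the path is passed to ssh -i. The function names key_kind and identity_for and the sample files are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: classify a key file before handing it to `ssh -i`.
# key_kind prints one of: private, public, unknown, missing.
key_kind() {
    f=$1
    [ -r "$f" ] || { echo missing; return 0; }
    # The first line is enough to tell the two formats apart.
    IFS= read -r first < "$f" || [ -n "$first" ] || { echo unknown; return 0; }
    case $first in
        "-----BEGIN "*"PRIVATE KEY-----"*) echo private ;;
        ssh-rsa\ *|ssh-ed25519\ *|ssh-dss\ *|ecdsa-sha2-*\ *|sk-*\ *) echo public ;;
        *) echo unknown ;;
    esac
}

# identity_for prints the path that belongs after `ssh -i`. Given a public
# key whose sibling without ".pub" is a private key, it prints the sibling.
identity_for() {
    case $(key_kind "$1") in
        private) printf '%s\n' "$1" ;;
        public)
            sibling=${1%.pub}
            if [ "$sibling" != "$1" ] && [ "$(key_kind "$sibling")" = private ]; then
                printf '%s\n' "$sibling"
            else
                echo "no private key found next to $1" >&2
                return 1
            fi ;;
        *)
            echo "$1 is not an SSH key file" >&2
            return 1 ;;
    esac
}

# Constructed sample files (placeholder bodies, not real key material).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'PLACEHOLDER' \
    '-----END OPENSSH PRIVATE KEY-----' > "$demo_dir/id_rsa"
printf '%s\n' 'ssh-rsa PLACEHOLDER marc@example' > "$demo_dir/id_rsa.pub"

echo "id_rsa.pub is a $(key_kind "$demo_dir/id_rsa.pub") key"
echo "use: ssh -i $(identity_for "$demo_dir/id_rsa.pub") ec2-user@<host>"
```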