I'm trying to set up the AWS IAM Authenticator for my k8s cluster. I have two AWS accounts: A and B.
The k8s cluster runs in account B.
I have created the following resources in account A:
Policy
    Description: Grants permissions to assume the kubernetes-admin role
    Policy:
      Statement:
      - Action: sts:*
        Effect: Allow
        Resource: arn:aws:iam::<AccountID-B>:role/kubernetes-admin
        Sid: KubernetesAdmin
      Version: 2012-10-17
This policy is attached to a group, and I added my IAM user to that group.
In account B, I created the following role:
    AssumeRolePolicyDocument:
      Statement:
      - Action: sts:AssumeRole
        Effect: Allow
        Principal:
          AWS: arn:aws:iam::<AccountID-A>:root
      Version: 2012-10-17
Here is the ConfigMap used to configure aws-iam-authenticator:
    apiVersion: v1
    data:
      config.yaml: |
        # a unique-per-cluster identifier to prevent replay attacks
        # (good choices are a random token or a domain name that will be unique to your cluster)
        clusterID: k8s.mycluster.net
        server:
          # each mapRoles entry maps an IAM role to a username and set of groups
          # Each username and group can optionally contain template parameters:
          #  "{{AccountID}}" is the 12 digit AWS ID.
          #  "{{SessionName}}" is the role session name.
          mapRoles:
          - roleARN: arn:aws:iam::<AccountID-B>:role/kubernetes-admin
            username: kubernetes-admin:{{AccountID}}:{{SessionName}}
            groups:
            - system:masters
    kind: ConfigMap
    metadata:
      creationTimestamp: 2018-12-13T19:41:39Z
      labels:
        k8s-app: aws-iam-authenticator
      name: aws-iam-authenticator
      namespace: kube-system
      resourceVersion: "87401"
      selfLink: /api/v1/namespaces/kube-system/configmaps/aws-iam-authenticator
      uid: 1bc39653-ff0f-11e8-a580-02b4590539ba
The kubeconfig is:
    apiVersion: v1
    clusters:
    - cluster:
        certificate-authority-data: <certificate>
        server: https://api.k8s.mycluster.net
      name: k8s.mycluster.net
    contexts:
    - context:
        cluster: k8s.mycluster.net
        namespace: kube-system
        user: k8s.mycluster.net
      name: k8s.mycluster.net
    current-context: k8s.mycluster.net
    kind: Config
    preferences: {}
    users:
    - name: k8s.mycluster.net
      user:
        exec:
          apiVersion: client.authentication.k8s.io/v1alpha1
          command: aws-iam-authenticator
          env:
          - name: "AWS_PROFILE"
            value: "myaccount"
          args:
          - "token"
          - "-i"
          - "k8s.mycluster.net"
          - "-r"
          - "arn:aws:iam::<AccountID-B>:role/kubernetes-admin"
The result is:
    could not get token: AccessDenied: Access denied
        status code: 403, request id: 6ceac161-ff2f-11e8-b263-2b0e32831969
    Unable to connect to the server: getting token: exec: exit status 1
Any ideas? I don't understand what I'm missing.
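The question shows both halves of a cross-account AssumeRole: the identity policy in account A and the trust policy on the role in account B, and STS grants the assumption only when both agree. As an added example that is not part of the original question or answers, this Python script checks two constructed policy documents (placeholder account IDs, modelled on the ones above) against each other and also flags the `sts:*` grant as broader than the single `sts:AssumeRole` action this setup needs.

```python
import fnmatch

# Constructed sample documents modelled on the question: the user's identity
# policy in account A and the trust policy of kubernetes-admin in account B.
ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"  # placeholder IDs
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/kubernetes-admin"
USER_POLICY_A = {"Version": "2012-10-17", "Statement": [
    {"Sid": "KubernetesAdmin", "Effect": "Allow", "Action": "sts:*", "Resource": ROLE_ARN}]}
TRUST_POLICY_B = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_A}:root"}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(pattern, value):
    # IAM wildcard semantics: '*' matches any run of characters, '?' one character.
    return fnmatch.fnmatchcase(value, pattern)

def _allows_assume(statement):
    return statement.get("Effect") == "Allow" and any(
        _matches(a, "sts:AssumeRole") for a in _as_list(statement.get("Action", [])))

def caller_may_assume(identity_policy, role_arn):
    """Identity half: some Allow statement grants sts:AssumeRole on role_arn."""
    return any(_allows_assume(st) and
               any(_matches(r, role_arn) for r in _as_list(st.get("Resource", [])))
               for st in identity_policy["Statement"])

def role_trusts_account(trust_policy, account_id):
    """Trust half: the role's AssumeRolePolicyDocument admits a principal from account_id."""
    for st in trust_policy["Statement"]:
        if not _allows_assume(st):
            continue
        principal = st.get("Principal", {})
        aws = principal if isinstance(principal, str) else principal.get("AWS", [])
        for p in _as_list(aws):
            # "<id>" and "arn:aws:iam::<id>:root" both mean "any principal in that account".
            if p in ("*", account_id) or p.startswith(f"arn:aws:iam::{account_id}:"):
                return True
    return False

def over_broad_sids(identity_policy):
    """Allow statements whose Action wildcard covers far more than sts:AssumeRole."""
    return [st.get("Sid", "<no Sid>") for st in identity_policy["Statement"]
            if st.get("Effect") == "Allow"
            and any(a in ("*", "sts:*") for a in _as_list(st.get("Action", [])))]

def check_chain(identity_policy, trust_policy, caller_account, role_arn):
    """Both halves must agree; if either is missing, STS answers AssumeRole with AccessDenied."""
    return {"caller_allowed": caller_may_assume(identity_policy, role_arn),
            "role_trusts_caller": role_trusts_account(trust_policy, caller_account),
            "over_broad_sids": over_broad_sids(identity_policy)}
```

Run `check_chain(USER_POLICY_A, TRUST_POLICY_B, ACCOUNT_A, ROLE_ARN)` to see both halves pass for the sample documents while the `KubernetesAdmin` statement is reported for its `sts:*` grant.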
Answer 0 (score: 2)
Adding to this, my solution was to do the following:
In the ~/.kube directory:
aws eks update-kubeconfig --name eks-dev-cluster --role-arn=XXXXXXXXXXXX
This creates a file config-my-eks-cluster
    vi config-my-eks-cluster
Comment out the two lines below:
    apiVersion: client.authentication.k8s.io/v1alpha1
    args:
    - token
    - -i
    - eks-dev-cluster
    #- -r
    #- arn:aws:iam::XXXXXXXXX:role/eks-dev-role (the role you made for eks)
    command: aws-iam-authenticator
Then make sure you export the user profile with:
    export AWS_PROFILE=XXXXXXXXX
(the user you used to create the cluster in the console or CLI)
Run:
kubectl get svc --v=10
This puts the output into verbose mode and gives you details about any errors that come up.
Answer 1 (score: 1)
The way to make it work was to remove
    - "-r"
    - "arn:aws:iam::<AccountID-B>:role/kubernetes-admin"
and pass the role to assume via the AWS_PROFILE
env var