kube2iam - Invalid role: does not match annotated role

Time: 2019-04-30 15:01:55

Tags: amazon-web-services kubernetes amazon-eks

I have an AWS EKS cluster (1.12) that runs fine, and I use kube2iam on it for two production services. However, when I try to add another service to our cluster I get an error that has me confused. I am running kube2iam 0.10.0. Thanks.

Error in the kube2iam log

time="2019-04-29T21:21:57Z" level=info msg="GET /latest (200) took 654374 ns" req.method=GET req.path=/latest req.remote=172.18.3.44 res.duration=654374 res.status=200
time="2019-04-29T21:21:57Z" level=info msg="GET /latest/meta-data/iam/security-credentials/ (200) took 18485 ns" req.method=GET req.path=/latest/meta-data/iam/security-credentials/ req.remote=172.18.3.44 res.duration=18485 res.status=200
time="2019-04-29T21:21:57Z" level=info msg="GET /latest/meta-data/iam/security-credentials/ui-eb-instance (200) took 37702 ns" req.method=GET req.path=/latest/meta-data/iam/security-credentials/ui-eb-instance req.remote=172.18.3.44 res.duration=37702 res.status=200
time="2019-04-29T21:21:57Z" level=info msg="GET /latest/dynamic/instance-identity/document (200) took 869383 ns" req.method=GET req.path=/latest/dynamic/instance-identity/document req.remote=172.18.3.44 res.duration=869383 res.status=200
time="2019-04-29T21:21:57Z" level=info msg="GET /latest/meta-data/iam/info (200) took 574052 ns" req.method=GET req.path=/latest/meta-data/iam/info req.remote=172.18.3.44 res.duration=574052 res.status=200
time="2019-04-29T21:21:57Z" level=error msg="Invalid role: does not match annotated role" ns.name=apollo-ui params.iam.role=e2e3-XXXXXXXXXX pod.iam.role="arn:aws:iam::XXXXXXXXXX:role/ui-eb-instance" req.method=GET req.path=/latest/meta-data/iam/security-credentials/e2e3-XXXXXXXXXX req.remote=172.18.3.44
time="2019-04-29T21:21:57Z" level=info msg="GET /latest/meta-data/iam/security-credentials/e2e3-XXXXXXXXXX (403) took 36262 ns" req.method=GET req.path=/latest/meta-data/iam/security-credentials/e2e3-XXXXXXXXXX req.remote=172.18.3.44 res.duration=36262 res.status=403

My kubernetes deployment

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
  creationTimestamp: "2019-04-29T20:13:44Z"
  generation: 1
  labels:
    app.kubernetes.io/instance: ui
    app.kubernetes.io/managed-by: Tiller
    app.kubernetes.io/name: ui
    helm.sh/chart: ui-0.1.0
  name: ui
  namespace: apollo-ui
  resourceVersion: "3267240"
  selfLink: /apis/extensions/v1beta1/namespaces/apollo-ui/deployments/ui
  uid: 4a3cf375-6abb-11e9-b606-063dfc51737e
spec:
  progressDeadlineSeconds: 600
  replicas: 2
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/instance: ui
      app.kubernetes.io/name: ui
  strategy:
    rollingUpdate:
      maxSurge: 50%
      maxUnavailable: 50%
    type: RollingUpdate
  template:
    metadata:
      annotations:
        iam.amazonaws.com/role: ui-eb-instance
      creationTimestamp: null
      labels:
        app.kubernetes.io/instance: ui
        app.kubernetes.io/name: ui
    spec:
      containers:
      - env:
        ...
        ...
        ...
        image: XXXXXXXXXX.dkr.ecr.us-west-2.amazonaws.com/ui:709870106
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /health_check
            port: http
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: ui
        ports:
        - containerPort: 8080
          name: http
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /health_check
            port: http
            scheme: HTTP
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      terminationGracePeriodSeconds: 30
status:
  conditions:
  - lastTransitionTime: "2019-04-29T20:13:44Z"
    lastUpdateTime: "2019-04-29T20:13:44Z"
    message: Deployment does not have minimum availability.
    reason: MinimumReplicasUnavailable
    status: "False"
    type: Available
  - lastTransitionTime: "2019-04-29T21:21:33Z"
    lastUpdateTime: "2019-04-29T21:21:33Z"
    message: ReplicaSet "ui-756cf57f9b" is progressing.
    reason: ReplicaSetUpdated
    status: "True"
    type: Progressing
  observedGeneration: 1
  replicas: 2
  unavailableReplicas: 2
  updatedReplicas: 2

The AWS role "ui-eb-instance"

{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    },
                    "Effect": "Allow",
                    "Sid": ""
                },
                {
                    "Action": "sts:AssumeRole",
                    "Principal": {
                        "AWS": "arn:aws:iam::XXXXXXXXXX:role/e2e3-XXXXXXXXXX"
                    },
                    "Effect": "Allow",
                    "Sid": ""
                }
            ]
        },
        "MaxSessionDuration": 3600,
        "RoleId": "XXXXXXXXXX",
        "CreateDate": "2018-04-20T18:06:01Z",
        "RoleName": "ui-eb-instance",
        "Path": "/",
        "Arn": "arn:aws:iam::XXXXXXXXXX:role/ui-eb-instance"
    }
}

My AWS EKS worker-node role e2e3-XXXXXXXXXX

{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Principal": {
                        "Service": "ec2.amazonaws.com"
                    },
                    "Effect": "Allow",
                    "Sid": "EKSWorkerAssumeRole"
                }
            ]
        },
        "MaxSessionDuration": 3600,
        "RoleId": "XXXXXXXXXX",
        "CreateDate": "2019-04-10T23:13:31Z",
        "RoleName": "e2e3-XXXXXXXXXX",
        "Path": "/",
        "Arn": "arn:aws:iam::XXXXXXXXXX:role/e2e3-XXXXXXXXXX"
    }
}

My kube2iam DaemonSet

apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  annotations:
    flux.weave.works/antecedent: infra:helmrelease/kube2iam
  creationTimestamp: "2019-04-16T18:37:54Z"
  generation: 3
  labels:
    app: kube2iam
    chart: kube2iam-0.9.1
    heritage: Tiller
    release: kube2iam
  name: kube2iam
  namespace: infra
  resourceVersion: "3252943"
  selfLink: /apis/extensions/v1beta1/namespaces/infra/daemonsets/kube2iam
  uid: bf258ef8-6076-11e9-b606-063dfc51737e
spec:
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app: kube2iam
      release: kube2iam
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: kube2iam
        release: kube2iam
    spec:
      containers:
      - args:
        - --host-interface=eni+
        - --node=$(NODE_NAME)
        - --host-ip=$(HOST_IP)
        - --iptables=true
        - --auto-discover-base-arn=true
        - --auto-discover-default-role=true
        - --app-port=8181
        env:
        - name: HOST_IP
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: status.podIP
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              apiVersion: v1
              fieldPath: spec.nodeName
        image: jtblin/kube2iam:0.10.0
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /healthz
            port: 8181
            scheme: HTTP
          initialDelaySeconds: 30
          periodSeconds: 5
          successThreshold: 1
          timeoutSeconds: 1
        name: kube2iam
        ports:
        - containerPort: 8181
          hostPort: 8181
          protocol: TCP
        resources: {}
        securityContext:
          privileged: true
          procMount: Default
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      hostNetwork: true
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: kube2iam
      serviceAccountName: kube2iam
      terminationGracePeriodSeconds: 30
  templateGeneration: 3
  updateStrategy:
    type: OnDelete
status:
  currentNumberScheduled: 2
  desiredNumberScheduled: 2
  numberAvailable: 2
  numberMisscheduled: 0
  numberReady: 2
  observedGeneration: 3
  updatedNumberScheduled: 2

Checking the kube2iam role from inside the problematic ui pod

bash-4.4#  curl http://169.254.169.254/latest/meta-data/iam/security-credentials/
ui-eb-instance
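The log above shows the whole sequence: the client lists the credential endpoint and is told the pod's role is ui-eb-instance, then reads /latest/meta-data/iam/info (which kube2iam passes through to the real instance metadata service, so it reports the worker node's instance profile) and finally asks for credentials for e2e3-XXXXXXXXXX, the node role, which kube2iam refuses. The following is an added example, not code from the post or from the kube2iam project. It replays that comparison as the editor understands kube2iam's documented behaviour (a bare name in the iam.amazonaws.com/role annotation gets the base ARN prepended, a full ARN is used as-is, and the role named in the request path must normalise to exactly the annotated ARN) and extracts the refused requests from a log excerpt constructed from the lines above. BASE_ARN and NODE_ROLE are assumptions that mirror the redacted values in the post.

```python
"""Added example (not from the post or from kube2iam): replay the role check
behind "Invalid role: does not match annotated role" and pull the refused
credential requests out of a kube2iam log."""
import re
from typing import Dict, List, Tuple

# Assumed values, mirroring the redacted post: the base ARN kube2iam would
# auto-discover from the worker node's instance profile, and the node's role.
BASE_ARN = "arn:aws:iam::XXXXXXXXXX:role/"
NODE_ROLE = "e2e3-XXXXXXXXXX"


def role_arn(role: str, base_arn: str) -> str:
    """Normalise a role the way kube2iam does: a full ARN is used verbatim,
    a bare name gets the base ARN (--base-role-arn or auto-discovered) prepended."""
    if role.startswith("arn:aws:iam::"):
        return role
    return base_arn + role


def check_request(requested: str, annotated: str, base_arn: str) -> Tuple[bool, str]:
    """The comparison behind the 403: the role in the request path must
    normalise to exactly the ARN the pod annotation normalises to. Anything
    else, including the worker node's own role, is refused."""
    wanted = role_arn(requested, base_arn)
    pod_role = role_arn(annotated, base_arn)
    if wanted != pod_role:
        return False, "Invalid role: does not match annotated role (%s != %s)" % (wanted, pod_role)
    return True, pod_role


# Constructed log excerpt modelled on the lines in the post (not a live capture).
SAMPLE_LOG = """\
time="2019-04-29T21:21:57Z" level=info msg="GET /latest/meta-data/iam/security-credentials/ (200) took 18485 ns" req.method=GET req.path=/latest/meta-data/iam/security-credentials/ req.remote=172.18.3.44 res.duration=18485 res.status=200
time="2019-04-29T21:21:57Z" level=info msg="GET /latest/meta-data/iam/security-credentials/ui-eb-instance (200) took 37702 ns" req.method=GET req.path=/latest/meta-data/iam/security-credentials/ui-eb-instance req.remote=172.18.3.44 res.duration=37702 res.status=200
time="2019-04-29T21:21:57Z" level=info msg="GET /latest/meta-data/iam/info (200) took 574052 ns" req.method=GET req.path=/latest/meta-data/iam/info req.remote=172.18.3.44 res.duration=574052 res.status=200
time="2019-04-29T21:21:57Z" level=error msg="Invalid role: does not match annotated role" ns.name=apollo-ui params.iam.role=e2e3-XXXXXXXXXX pod.iam.role="arn:aws:iam::XXXXXXXXXX:role/ui-eb-instance" req.method=GET req.path=/latest/meta-data/iam/security-credentials/e2e3-XXXXXXXXXX req.remote=172.18.3.44
time="2019-04-29T21:21:57Z" level=info msg="GET /latest/meta-data/iam/security-credentials/e2e3-XXXXXXXXXX (403) took 36262 ns" req.method=GET req.path=/latest/meta-data/iam/security-credentials/e2e3-XXXXXXXXXX req.remote=172.18.3.44 res.duration=36262 res.status=403
"""

# logrus-style key=value pairs; quoted values may contain spaces.
KV = re.compile(r'([\w.]+)=(?:"([^"]*)"|(\S+))')


def parse_line(line: str) -> Dict[str, str]:
    """Split one kube2iam log line into its fields."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}


def audit(log_text: str, node_role: str) -> List[Dict[str, object]]:
    """Collect every refused credential request. 'requested_node_role' marks the
    case in the post: the client read the node's instance profile from
    /latest/meta-data/iam/info and then asked for that role instead of the
    one its pod was granted."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("level") != "error" or "Invalid role" not in rec.get("msg", ""):
            continue
        requested = rec["params.iam.role"]
        findings.append({
            "remote": rec["req.remote"],
            "namespace": rec.get("ns.name"),
            "requested": requested,
            "annotated": rec["pod.iam.role"],
            "requested_node_role": requested == node_role,
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG, NODE_ROLE):
        print(finding)
```

The refusal is kube2iam doing its job: a pod must not be able to borrow the worker node's role, so the fix belongs in the client (make it use the role name returned by the credential listing, or the annotated role) rather than in kube2iam. Note that pod.iam.role in the log is already a full ARN, which shows the base ARN was discovered; check_request with an empty base ARN shows the other failure shape, where a bare request name can never match a full-ARN annotation.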

1 answer:

Answer 0 (score: 0)

A few things I can think of:

  1. It may be a problem that your node role e2e3-XXXXXXXXXX is unable to assume the ui-eb-instance role. You do have a trust relationship between the two roles, but have you attached any permissions policy to e2e3-XXXXXXXXXX?

     You can put/attach a permissions policy, and you can start with one that allows AssumeRole on all resources:

     {
       "Version": "2012-10-17",
       "Statement": [
         {
           "Action": [
             "sts:AssumeRole"
           ],
           "Effect": "Allow",
           "Resource": "*"
         }
       ]
     }

     This is also described in the kube2iam docs.

  2. It is also possible that your base role ARN is not being auto-discovered by --auto-discover-base-arn, so you could also try: --base-role-arn=arn:aws:iam::xxxxxxx:role/
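The answer's first point is that an AssumeRole relationship has two halves: the target role's trust policy must name the caller, and the caller must itself be allowed to call sts:AssumeRole on the target. The following is an added example, not code from the answer or from kube2iam. It checks both halves with a deliberately simplified policy evaluator (Effect, Action, Principal.AWS and Resource only; no Condition, NotAction, permission boundaries or SCPs) against a copy of the ui-eb-instance trust policy from the post, and builds the scoped alternative to the Resource "*" policy the answer suggests as a starting point. The account id and the hypothetical "some-other-role" ARN are assumptions.

```python
"""Added example (not from the answer or from kube2iam): verify both halves of
an AssumeRole relationship and build a scoped permissions policy."""
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List

ACCOUNT = "XXXXXXXXXX"  # redacted, as in the post
NODE_ROLE_ARN = "arn:aws:iam::%s:role/e2e3-XXXXXXXXXX" % ACCOUNT
UI_ROLE_ARN = "arn:aws:iam::%s:role/ui-eb-instance" % ACCOUNT

# Trust policy of ui-eb-instance, copied from the post.
UI_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": "sts:AssumeRole", "Principal": {"Service": "ec2.amazonaws.com"}, "Effect": "Allow", "Sid": ""},
        {"Action": "sts:AssumeRole", "Principal": {"AWS": NODE_ROLE_ARN}, "Effect": "Allow", "Sid": ""},
    ],
}

# The permissions policy the answer suggests attaching to the node role.
BROAD_ASSUME_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Action": ["sts:AssumeRole"], "Effect": "Allow", "Resource": "*"}],
}


def as_list(value) -> List[str]:
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]


def _action_matches(actions: Iterable[str], wanted: str) -> bool:
    # IAM action names are case-insensitive and may carry wildcards (sts:*).
    return any(fnmatchcase(wanted.lower(), a.lower()) for a in actions)


def trust_allows(trust_policy: Dict, principal_arn: str) -> bool:
    """Half one: does the target's trust policy let this principal assume it?
    Simplified: Allow statements with Principal.AWS only, no Condition."""
    for st in as_list(trust_policy["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        if not _action_matches(as_list(st.get("Action")), "sts:AssumeRole"):
            continue
        principal = st.get("Principal", {})
        principals = ["*"] if principal == "*" else as_list(principal.get("AWS"))
        if any(fnmatchcase(principal_arn, p) for p in principals):
            return True
    return False


def permissions_allow(policies: Iterable[Dict], target_role_arn: str) -> bool:
    """Half two: does the caller's own policy grant sts:AssumeRole on the target?
    An explicit Deny beats any Allow, as in IAM. Simplified: no Condition,
    NotAction/NotResource, permission boundaries or SCPs."""
    allowed = False
    for pol in policies:
        for st in as_list(pol["Statement"]):
            if not _action_matches(as_list(st.get("Action")), "sts:AssumeRole"):
                continue
            if not any(fnmatchcase(target_role_arn, r) for r in as_list(st.get("Resource"))):
                continue
            if st.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


def can_assume(source_role_arn: str, source_policies: Iterable[Dict],
               target_role_arn: str, target_trust_policy: Dict) -> Dict[str, bool]:
    """Both halves must hold; kube2iam's STS AssumeRole call fails if either is missing."""
    trust = trust_allows(target_trust_policy, source_role_arn)
    perm = permissions_allow(source_policies, target_role_arn)
    return {"trust": trust, "permission": perm, "ok": trust and perm}


def scoped_assume_policy(role_arns: Iterable[str]) -> Dict:
    """Least-privilege replacement for Resource "*": list only the roles pods are
    annotated with. Resource "*" lets the node role assume every role, in this
    or any other account, whose trust policy happens to name it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": sorted(set(role_arns))}],
    }


if __name__ == "__main__":
    print("no permissions policy:", can_assume(NODE_ROLE_ARN, [], UI_ROLE_ARN, UI_TRUST_POLICY))
    print("scoped policy:", can_assume(NODE_ROLE_ARN, [scoped_assume_policy([UI_ROLE_ARN])],
                                       UI_ROLE_ARN, UI_TRUST_POLICY))
```

With only the trust policy in place, can_assume reports trust True but permission False, which is the gap the answer suspects. The broad policy closes it, but so does the scoped one, and the scoped one refuses AssumeRole on any role that is not in the list even when that role's trust policy would have accepted the node.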