该场景很容易复制:
kubectl top nodes
$ kubectl get configmap -n kube-system aws-auth -o yaml
apiVersion: v1
data:
mapRoles: |
- rolearn: arn:aws:iam::xxxxxxxxxxxx:role/EKS-Workers2-NodeInstanceRole-HWD4HSSO7NP1
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
- rolearn: arn:aws:iam::xxxxxxxxxxxx:role/Admin
groups:
- system:masters
kind: ConfigMap
...
$ kubectl top nodes
Error from server (Forbidden): nodes.metrics.k8s.io is forbidden: User "system:anonymous" cannot list nodes.metrics.k8s.io at the cluster scope: no RBAC policy matched
广告信息:
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.2", GitCommit:"cff46ab41ff0bb44d8584413b598ad8360ec1def", GitTreeState:"clean", BuildDate:"2019-01-10T23:35:51Z", GoVersion:"go1.11.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"12+", GitVersion:"v1.12.10-eks-2e569f", GitCommit:"2e569fd887357952e506846ed47fc30cc385409a", GitTreeState:"clean", BuildDate:"2019-07-25T23:13:33Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}
答案 0 :(得分:2)
正如我在评论中提到的那样,解决方案是添加用户名,而不管您是在AWS中使用IAM角色还是使用IAM用户。必须在您的configmap中指定映射,否则将永远不会在kubernetes集群中创建用户名,因此不会将其映射到任何权限。
因此,您在mapRoles的新添加块中缺少用户名部分。
文档在某些地方有点老,在configmaps中明确显示总是很好。至少我通常会尝试这样做。
很高兴您设法使它成功。 :)