只读用户拥有完全访问权限

时间:2020-02-18 09:03:22

标签: amazon-web-services kubernetes kubectl amazon-eks

目标是为我的EKS集群的生产名称空间创建一个只读用户。但是,我看到用户具有完全访问权限。由于我是EKS和Kubernetes的新手,请让我知道我注入的错误。

我创建了一个IAM用户,未添加任何权限。 ARN是:arn:aws:iam::460764xxxxxx:user/eks-prod-readonly-user。另外,我记下了访问密钥ID和秘密访问密钥-

aws_access_key_id= AKIAWWxxxxxxxxxxxxx
aws_secret_access_key= lAbtyv3zlbAMPxym8Jktal+xxxxxxxxxxxxxxxxxxxx

然后,我创建了生产名称空间,角色和角色绑定,如下所示– 

ubuntu@ip-172-16-0-252:~$ sudo kubectl create namespace production

ubuntu@ip-172-16-0-252:~$ cat role.yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  namespace: production
  name: prod-viewer-role
rules:
- apiGroups: ["", "extensions", "apps"]
  resources: ["*"]  
  verbs: ["get", "list", "watch"]

ubuntu@ip-172-16-0-252:~$ sudo kubectl apply -f role.yaml

ubuntu@ip-172-16-0-252:~$ cat rolebinding.yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: prod-viewer-binding
  namespace: production
subjects:
- kind: User
  name: eks-prod-readonly-user
  apiGroup: ""
roleRef:
  kind: Role
  name: prod-viewer-role
  apiGroup: ""

ubuntu@ip-172-16-0-252:~$ sudo kubectl apply -f rolebinding.yaml

然后,我们将新创建的用户添加到了aws-auth配置图,并应用了更改-

ubuntu@ip-172-16-0-252:~$ sudo kubectl -n kube-system get configmap aws-auth -o yaml > aws-auth-configmap.yaml
ubuntu@ip-172-16-0-252:~$ vi aws-auth-configmap.yaml

以下部分添加在“ mapUsers”下– 

- userarn: arn:aws:iam::460764xxxxxx:user/eks-prod-readonly-user
      username: eks-prod-readonly-user
      groups:
        - prod-viewer-role

ubuntu@ip-172-16-0-252:~$ sudo kubectl apply -f aws-auth-configmap.yaml

现在,我将此用户详细信息作为新部分包括在AWS凭证文件(~/.aws/credentials内)中,以便可以向Kubernetes的API服务器进行身份验证-

[eksprodreadonlyuser]
aws_access_key_id= AKIAWWxxxxxxxxxxxxx
aws_secret_access_key= lAbtyv3zlbAMPxym8Jktal+xxxxxxxxxxxxxxxxxxxx
region=eu-west-2
output=json

我激活了这个AWS配置文件-

ubuntu@ip-172-16-0-252:~$ export AWS_PROFILE="eksprodreadonlyuser"
ubuntu@ip-172-16-0-252:~$ aws sts get-caller-identity

我们在get-caller-identity命令的输出中看到正确的用户ARN。

在尝试查看默认命名空间的容器时,它可以工作。理想情况下,不应仅向用户授予生产名称空间上的访问权限-

ubuntu@ip-172-16-0-252:~$ sudo kubectl get pods
NAME                              READY   STATUS    RESTARTS   AGE
test-autoscaler-697b95d8b-5wl5d   1/1     Running   0          7d20h
ubuntu@ip-172-16-0-252:~$

让我们知道要解决的指针。预先感谢!

1 个答案:

答案 0 :(得分:0)

请首先尝试将您的所有凭据作为环境变量export到终端,而不要使用配置文件:

export AWS_ACCESS_KEY_ID=XXX
export AWS_SECRET_ACCESS_KEY=XXX
export AWS_DEFAULT_REGION=us-east-2

这仅用于调试并确保问题不在您的配置中。

如果这不起作用,请尝试使用以下配置。

ClusterRoleBinding和ClusterRole:

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: eks-ro-user-binding
subjects:
- kind: User
  name: eks-ro-user
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: eks-ro-user-cluster-role
  apiGroup: rbac.authorization.k8s.io

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: eks-ro-user-cluster-role
rules:
- apiGroups:
  - ""
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - extensions
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - apps
  resources:
  - '*'
  verbs:
  - get
  - list
  - watch

AWS身份验证配置映射(创建IAM用户之后):

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::<account-id>:role/eks-node-group-role
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
  mapUsers: |
    - userarn: arn:aws:iam::<account-id>:user/eks-ro-user
      username: eks-ro-user
相关问题
最新问题