serviceAccount.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: demo
  namespace: demo
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::11111111:role/demo-role
deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: eks-iam-test
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: eks-iam-test
  template:
    metadata:
      labels:
        app: eks-iam-test
    spec:
      serviceAccountName: demo-role
      containers:
      - name: eks-iam-test
        image: httpd
        ports:
        - containerPort: 80
kubectl -n demo exec -it demo-2sjk1 -- bash
env |grep AWS
AWS_ROLE_ARN=arn:aws:iam::11111111:role/demo-role
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
When I run aws cli commands in debug mode inside the Pod, eks-master-nodes-ec2-role (the EC2 worker node role) takes precedence. The role assigned to the service account in the POD is not used.
2020-05-21 20:35:53,630 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2020-05-21 20:35:53,630 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2020-05-21 20:35:53,630 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2020-05-21 20:35:53,630 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: custom-process
2020-05-21 20:35:53,630 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: config-file
2020-05-21 20:35:53,630 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: ec2-credentials-file
2020-05-21 20:35:53,630 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: boto-config
2020-05-21 20:35:53,630 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: container-role
2020-05-21 20:35:53,630 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: iam-role
2020-05-21 20:35:53,631 - MainThread - urllib3.util.retry - DEBUG - Converted retries value: False -> Retry(total=False, connect=None, read=None, redirect=0, status=None)
2020-05-21 20:35:53,631 - MainThread - urllib3.connectionpool - DEBUG - Starting new HTTP connection (1): xx.xx.xx.xx:80
2020-05-21 20:35:53,632 - MainThread - urllib3.connectionpool - DEBUG - http://xx.xx.xx.xx:80 "GET /latest/meta-data/iam/security-credentials/ HTTP/1.1" 200 37
2020-05-21 20:35:53,633 - MainThread - urllib3.util.retry - DEBUG - Converted retries value: False -> Retry(total=False, connect=None, read=None, redirect=0, status=None)
2020-05-21 20:35:53,633 - MainThread - urllib3.connectionpool - DEBUG - Resetting dropped connection: xx.xx.xx.xx
2020-05-21 20:35:53,633 - MainThread - urllib3.connectionpool - DEBUG - http://xx.xx.xx.xx:80 "GET /latest/meta-data/iam/security-credentials/eks-master-nodes-ec2-role HTTP/1.1" 200 1310
2020-05-21 20:35:53,634 - MainThread - botocore.credentials - DEBUG - Found credentials from IAM Role: eks-master-nodes-ec2-role
How do I force the POD to use the role associated with the service account?
AWS EKS Kubernetes version - 1.14
Answer 0: (score: 0)
I ran into this problem while using the external-secrets helm chart and resolved it by following the instructions here: https://github.com/external-secrets/kubernetes-external-secrets/issues/452
securityContext:
  runAsNonRoot: true
  fsGroup: 65534
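An added Python diagnostic (not code from the question, the answer, or the linked project) that serves both posts: it parses botocore's debug chain to find which provider actually answered and whether the web-identity provider appears in the chain at all (it never does in the log above, so that botocore build cannot consume the projected token), checks for the two environment variables the EKS webhook injects, and models the POSIX read check that the answer's fsGroup setting is there to satisfy. The log excerpt, file modes and uids are constructed samples.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample: provider-chain lines trimmed from the question's debug output.
SAMPLE_LOG = """\
2020-05-21 20:35:53,630 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2020-05-21 20:35:53,630 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2020-05-21 20:35:53,630 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: iam-role
2020-05-21 20:35:53,634 - MainThread - botocore.credentials - DEBUG - Found credentials from IAM Role: eks-master-nodes-ec2-role
"""

PROBE_RE = re.compile(r"Looking for credentials via: (\S+)")
WEB_IDENTITY = "assume-role-with-web-identity"  # botocore's name for the IRSA provider

def diagnose_chain(log_text: str) -> Dict[str, object]:
    """Report which providers botocore probed and which one supplied credentials."""
    probed: List[str] = []
    winner: Optional[str] = None
    for line in log_text.splitlines():
        m = PROBE_RE.search(line)
        if m:
            probed.append(m.group(1))
        elif "Found credentials" in line and probed:
            winner = probed[-1]  # the provider probed last is the one that answered
    return {
        "probed": probed,
        "winner": winner,
        "irsa_provider_present": WEB_IDENTITY in probed,
        "fell_back_to_node_role": winner == "iam-role",
    }

def irsa_env_ok(env: Dict[str, str]) -> bool:
    """Both variables the EKS pod identity webhook injects must be present."""
    return bool(env.get("AWS_ROLE_ARN")) and bool(env.get("AWS_WEB_IDENTITY_TOKEN_FILE"))

def token_readable(mode: int, file_uid: int, file_gid: int, uid: int, gids: Set[int]) -> bool:
    """POSIX read check: shows why a non-root container needs fsGroup to read the token."""
    if uid == 0 or (uid == file_uid and mode & 0o400):
        return True
    if file_gid in gids and mode & 0o040:
        return True
    return bool(mode & 0o004)

if __name__ == "__main__":
    report = diagnose_chain(SAMPLE_LOG)
    print("credentials came from:", report["winner"], "| IRSA provider in chain:", report["irsa_provider_present"])
    # Constructed ownership: a root-owned 0600 token, then the same file with group 65534 and g+r
    print("readable as uid 65534 without fsGroup:", token_readable(0o600, 0, 0, 65534, {65534}))
    print("readable as uid 65534 with fsGroup 65534:", token_readable(0o640, 0, 65534, 65534, {65534}))
```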