我想授予某个团队访问RBAC中的system:masters
组的权限。我的团队(下面的示例中的AWSReservedSSO_Admin_xxxxxxxxxx
)已经有了它,并且当我仅添加一个rolearn
时它可以工作,但是当我将下面的configmap与其他rolearn
一起应用时,{尝试访问群集时,{1}}角色仍然收到此错误:AWSReservedSSO_Dev_xxxxxxxxxx
(注意:我们使用的是AWS SSO,因此假定使用IAM角色):
error: You must be logged in to the server (Unauthorized)
答案 0 :(得分:2)
我不确定您如何假设角色❓,并且您的配置看起来还不错,但是原因可能是您将同一用户映射到两个不同的角色。 AWS IAM仅允许用户一次basically, as an AWS IAM user, you can't assume multiple IAM roles at the same time仅承担一个角色。
您可以尝试其他用户,然后查看它是否适合您。
---
apiVersion: v1
kind: ConfigMap
data:
mapRoles: |
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
groups:
- system:bootstrappers
- system:nodes
username: system:node:{{EC2PrivateDNSName}}
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_xxxxxxxxxx
groups:
- system:masters
username: admin
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
groups:
- system:masters
username: admin2
metadata:
name: aws-auth
namespace: kube-system
您可能缺少的另一个方面是您的arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
角色中的“信任关系” {,该角色允许admin
担任该角色。
✌️☮️
答案 1 :(得分:1)
感谢Rico。使用SSO登录时,您将扮演STS角色。您可以通过运行aws sts get-caller-identity
进行验证。
您肯定用户名错误,但这并不能解决整个问题。
花了很长时间,但我的队友终于找到了解决方法in this guide
问题是IAM角色的ARN:
rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
这部分aws-reserved/sso.amazonaws.com/
需要从名称中删除。因此,最后结合了Rico建议的用户名修复:
---
apiVersion: v1
kind: ConfigMap
data:
mapRoles: |
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
groups:
- system:bootstrappers
- system:nodes
username: system:node:{{EC2PrivateDNSName}}
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/AWSReservedSSO_Admin_xxxxxxxxxx
groups:
- system:masters
username: admin
- rolearn: arn:aws:iam::xxxxxxxxxxx:role/AWSReservedSSO_Dev_xxxxxxxxxx
groups:
- system:masters
username: admin2
metadata:
name: aws-auth
namespace: kube-system
问题最终得到解决,承担该角色的SSO用户可以运行kubectl
命令!