Assigning an AWS IAM role to an AWS EKS Jenkins agent pod

Time: 2020-09-22 23:54:02

Tags: amazon-web-services jenkins amazon-iam amazon-eks

I am configuring a Jenkins master on AWS EKS with different agents. Jenkins spins up new pods fine. The problem is when I try to assign an IAM role to that pod via a service account. It just doesn't pick it up. It worked two days ago, but I had to delete the jenkins_home directory, so I am starting over from scratch.

The service account looks like this:

$ kubectl get serviceaccount -n jenkins jenkins-agents -o yaml 
apiVersion: v1
automountServiceAccountToken: false
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::1111111111111:role/clz_deployer_role
  creationTimestamp: "2020-09-22T15:19:55Z"
  name: jenkins-agents
  namespace: jenkins
  resourceVersion: "145998"
  selfLink: /api/v1/namespaces/jenkins/serviceaccounts/jenkins-agents
  uid: 8d55df19-140d-4703-bc61-886a25a20eac
secrets:
- name: jenkins-agents-token-mmxb8

and the name of the service account is then passed to the pod configuration:

metadata:
  labels:
    jenkins/label: jenkins-slave-aws-cli
  name: awsclislave
  # annotations:
  #   eks.amazonaws.com/role-arn: arn:aws:iam::1111111111111:role/clz_deployer_role
spec:
  containers:
    - image: pquery/jnlp-slave-docker:latest
      imagePullPolicy: IfNotPresent
      name: awsclislave
      command:
        - cat
      resources:
        limits:
          memory: 512Mi
          cpu: 512m
        requests:
          memory: 512Mi
          cpu: 512m
      tty: true
      volumeMounts:
        - mountPath: /home/jenkins
          name: workspace-volume
          readOnly: false
      workingDir: /home/jenkins
  hostNetwork: false
  nodeSelector:
    kubernetes.io/os: linux
  restartPolicy: Never
  serviceAccount: jenkins-agents
  volumes:
    - emptyDir:
        medium: ""
      name: workspace-volume

I also tried using the annotation (commented out above), but that didn't work either. The error message is always the same:

com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:sts::1111111111111:assumed-role/shared_services20200922074522597500000008/i-0c1c41c96e96e82df is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::2222222222222:role/clz_aws_cicd_access (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: bfe43133-13c1-4cdb-b4b9-626cf11def58; Proxy: null)

It is trying to perform the action with the instance role rather than with the role attached to the service account. Does anyone know what the problem is?

1 answer:

Answer 0 (score: 0)

The problem was in the trust relationship of the clz_deployer_role IAM role, which had the wrong namespace. More specifically, the condition inside it:

"Condition": {
  "StringEquals": {
    "oidc.eks.eu-west-1.amazonaws.com/id/C1B7F80BE15AC5C89956D55EF7E3FFC5:sub": "system:serviceaccount:jenkins:jenkins-agents"
  }
}

The "system:serviceaccount:jenkins:jenkins-agents" string has the form "system:serviceaccount::", and the namespace part was pointing at "default" while the service account lives in "jenkins". It works fine now.
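The mismatch described in the answer (trust policy subject names the wrong namespace) is easy to catch before a pod ever tries to assume the role. The following is an added example, not code from the question or answer: it takes an IAM trust policy document, the ServiceAccount's namespace and name, and the cluster's OIDC provider, and reports why the projected token would be rejected. The trust policy below is a constructed sample using the placeholder account id and OIDC provider id from the page.

```python
import json

# Constructed sample values, taken from the question's placeholder account id and OIDC provider.
OIDC_PROVIDER = "oidc.eks.eu-west-1.amazonaws.com/id/C1B7F80BE15AC5C89956D55EF7E3FFC5"
ROLE_ACCOUNT = "1111111111111"

# Trust policy in the broken state the answer describes: the subject names the
# "default" namespace while the ServiceAccount actually lives in "jenkins".
BROKEN_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ROLE_ACCOUNT}:oidc-provider/{OIDC_PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC_PROVIDER}:sub": "system:serviceaccount:default:jenkins-agents"}},
    }],
})


def expected_subject(namespace: str, name: str) -> str:
    """The 'sub' claim EKS places in the projected token for a ServiceAccount."""
    return f"system:serviceaccount:{namespace}:{name}"


def check_irsa_trust(trust_policy_json: str, namespace: str, name: str,
                     oidc_provider: str) -> list:
    """Return the reasons this ServiceAccount could NOT assume the role.
    An empty list means some statement grants it through the cluster's OIDC provider."""
    want = expected_subject(namespace, name)
    sub_key = f"{oidc_provider}:sub"
    problems = []
    for stmt in json.loads(trust_policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue  # unrelated statement, e.g. a plain sts:AssumeRole for an EC2 principal
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith(f":oidc-provider/{oidc_provider}"):
            problems.append(f"federated principal {federated!r} is not this cluster's OIDC provider")
            continue
        subs = stmt.get("Condition", {}).get("StringEquals", {}).get(sub_key)
        subs = [subs] if isinstance(subs, str) else (subs or [])
        if want in subs:
            return []  # this statement lets the pod's projected token assume the role
        problems.append(f"sub condition {subs} does not include {want!r}")
    return problems or [f"no Allow statement for sts:AssumeRoleWithWebIdentity via {oidc_provider}"]
```

Only the StringEquals form of the condition is checked; a StringLike wildcard subject would need a glob match instead of the exact comparison.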