如果您在运行 kubectl 命令时收到以下错误之一,则说明您的 kubectl 未针对 Amazon EKS 正确配置,或您使用的 IAM 用户或角色凭证未映射到 Amazon EKS 集群中具有足够权限的 Kubernetes RBAC 用户。
-
could not get token: AccessDenied: Access denied -
error: You must be logged in to the server (Unauthorized) -
error: the server doesn't have a resource type "svc"
这可能是因为集群是使用一组AWS凭证(来自 IAM 用户或角色)创建的,而 kubectl 使用的是另一组凭证。
创建 Amazon EKS 集群后,创建集群的 IAM 实体(用户或角色)将添加到 Kubernetes RBAC 授权表中作为管理员(具有 system:masters 权限)。最初,仅该 IAM 用户可以使用 kubectl 调用 Kubernetes API 服务器。有关更多信息,请参阅管理集群的用户或 IAM 角色。如果使用控制台创建集群,则必须确保在集群上运行 kubectl 命令时,相同的 IAM 用户凭证位于AWS开发工具包凭证链中。
如果安装和配置 AWS CLI,则可为用户配置 IAM 凭证。有关更多信息,请参阅 AWS Command Line Interface 用户指南中的配置 AWS CLI。
如果您已代入一个角色来创建 Amazon EKS 集群,则必须确保 kubectl 已配置为代入相同的角色。使用以下命令更新您的 kubeconfig 文件以使用 IAM 角色。有关更多信息,请参阅为 Amazon EKS 创建 kubeconfig。
aws eks update-kubeconfig \
--region <region-code> \
--name <cluster_name> \
--role-arn arn:aws:iam::<aws_account_id>:role/<role_name>
要将 IAM 用户映射到 Kubernetes RBAC 用户,请参阅管理集群的用户或 IAM 角色。
To add an IAM user or role to an Amazon EKS cluster
-
Ensure that the AWS credentials that
kubectlis using are already authorized for your cluster. The IAM user that created the cluster has these permissions by default. -
Open the
aws-authConfigMap.kubectl edit -n kube-system configmap/aws-authNote
If you receive an error stating "
Error from server (NotFound): configmaps "aws-auth" not found", then use the previous procedure to apply the stock ConfigMap.Example ConfigMap:
apiVersion: v1 data: mapRoles: | - groups: - system:bootstrappers - system:nodes rolearn: arn:aws:iam::111122223333:role/eksctl-my-cluster-nodegroup-standard-wo-NodeInstanceRole-1WP3NUE3O6UCF username: system:node:{{EC2PrivateDNSName}} kind: ConfigMap metadata: creationTimestamp: "2020-09-30T21:09:18Z" name: aws-auth namespace: kube-system resourceVersion: "1021" selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth uid: dcc31de5-3838-11e8-af26-02e00430057c -
Add your IAM users, roles, or AWS accounts to the configMap. You cannot add IAM groups to the configMap.
-
To add an IAM role (for example, for federated users): add the role details to the
mapRolessection of the ConfigMap, underdata. Add this section if it does not already exist in the file. Each entry supports the following parameters:-
rolearn: The ARN of the IAM role to add.
-
username: The user name within Kubernetes to map to the IAM role.
-
groups: A list of groups within Kubernetes to which the role is mapped. For more information, see Default Roles and Role Bindings in the Kubernetes documentation.
-
-
To add an IAM user: add the user details to the
mapUserssection of the ConfigMap, underdata. Add this section if it does not already exist in the file. Each entry supports the following parameters:-
userarn: The ARN of the IAM user to add.
-
username: The user name within Kubernetes to map to the IAM user.
-
groups: A list of groups within Kubernetes to which the user is mapped to. For more information, see Default Roles and Role Bindings in the Kubernetes documentation.
-
For example, the block below contains:
-
A
mapRolessection that adds the node instance role so that nodes can register themselves with the cluster. -
A
mapUserssection with the AWS usersadminfrom the default AWS account, andops-userfrom another AWS account. Both users are added to thesystem:mastersgroup.
Replace all
<example-values><># Please edit the object below. Lines beginning with a '#' will be ignored, # and an empty file will abort the edit. If an error occurs while saving this file will be # reopened with the relevant failures. # apiVersion: v1 data: mapRoles: | - rolearn: <arn:aws:iam::111122223333:role/eksctl-my-cluster-nodegroup-standard-wo-NodeInstanceRole-1WP3NUE3O6UCF> username: <system:node:{{EC2PrivateDNSName}}> groups: - <system:bootstrappers> - <system:nodes> mapUsers: | - userarn: <arn:aws:iam::111122223333:user/admin> username: <admin> groups: - <system:masters> - userarn: <arn:aws:iam::111122223333:user/ops-user> username: <ops-user> groups: - <system:masters> -
-
Save the file and exit your text editor.
-
Ensure that the Kubernetes user or group that you mapped the IAM user or role to is bound to a Kubernetes role with a
RoleBindingorClusterRoleBinding. For more information, see Using RBAC Authorization in the Kubernetes documentation. You can download the following example manifests that create aclusterroleandclusterrolebindingor aroleandrolebinding:-
View Kubernetes resources in all namespaces – The group name in the file is
eks-console-dashboard-full-access-group, which is the group that your IAM user or role needs to be mapped to in theaws-authconfigmap. You can change the name of the group before applying it to your cluster, if desired, and then map your IAM user or role to that group in the configmap. Download the file from:https://amazon-eks.s3.us-west-2.amazonaws.com/docs/eks-console-full-access.yaml
-
View Kubernetes resources in a specific namespace – The namespace in this file is
default, so if you want to specify a different namespace, edit the file before applying it to your cluster. The group name in the file iseks-console-dashboard-restricted-access-group, which is the group that your IAM user or role needs to be mapped to in theaws-authconfigmap. You can change the name of the group before applying it to your cluster, if desired, and then map your IAM user or role to that group in the configmap. Download the file from:https://amazon-eks.s3.us-west-2.amazonaws.com/docs/eks-console-restricted-access.yaml
-
-
(Optional) If you want the users you've added to the configmap to be able to View nodes or View workloads in the AWS Management Console, then the user or role must have both of the the following types of permissions:
-
Kubernetes permissions to view the resources in Kubernetes
-
IAM permissions to view the resources in the AWS Management Console. For more information, see View nodes and workloads for all clusters in the AWS Management Console.
-
参考文档:
7184
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
