Amazon Web Services: unable to use the AWS IAM authenticator, token access denied
I am trying to set up the AWS IAM authenticator for my k8s cluster. I have two AWS accounts, A and B. The k8s cluster runs in account B. I have created the following resources in account A:
Policy
Description: Grants permissions to assume the kubernetes-admin role
Policy:
  Statement:
    - Action: sts:*
      Effect: Allow
      Resource: arn:aws:iam::<AccountID-B>:role/kubernetes-admin
      Sid: KubernetesAdmin
  Version: 2012-10-17
The kubeconfig is:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <certificate>
    server: https://api.k8s.mycluster.net
  name: k8s.mycluster.net
contexts:
- context:
    cluster: k8s.mycluster.net
    namespace: kube-system
    user: k8s.mycluster.net
  name: k8s.mycluster.net
current-context: k8s.mycluster.net
kind: Config
preferences: {}
users:
- name: k8s.mycluster.net
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: aws-iam-authenticator
      env:
      - name: "AWS_PROFILE"
        value: "myaccount"
      args:
      - "token"
      - "-i"
      - "k8s.mycluster.net"
      - "-r"
      - "arn:aws:iam::<AccountID-B>:role/kubernetes-admin"
Any ideas? I don't get what I am missing.

The way to get it working was to remove
- "-r"
- "arn:aws:iam::<AccountID-B>:role/kubernetes-admin"
and to pass the role to be assumed via the AWS_PROFILE env var, so that you are added into that role.

My solution was to do the following:
In the ~/.kube directory:
aws eks update-kubeconfig --name eks-dev-cluster --role-arn=XXXXXXXXXXXX
This creates a file config-my-eks-cluster
vi config-my-eks-cluster
Comment out the two lines mentioned above:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- token
- -i
- eks-dev-cluster
#- -r
#- arn:aws:iam::XXXXXXXXX:role/eks-dev-role (the role you made for eks)
command: aws-iam-authenticator
Then make sure you export the user profile with:
export AWS_PROFILE=XXXXXXXXX (the user that created the cluster in the console or via the cli)
Run:
kubectl get svc --v=10
This puts the output into verbose mode and gives you details about any errors that crop up.

What are you using to configure the cluster? You need to set up the Kubernetes API server to include aws-iam-authenticator as an authentication method.
I have solved this. I will reply below with the solution.
Please post the solution so it helps others.
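The profile-based setup both answers point at, with the "-r" argument dropped and the role assumed through the profile named in AWS_PROFILE, written out as an added example that is not from the original posts; the profile names, region and session name are assumptions, and <AccountID-B> is the placeholder from the question:

```ini
# ~/.aws/config (added example, not from the original posts; names are placeholders)

# Base profile: the IAM user in account A whose policy allows assuming the
# kubernetes-admin role in account B. Its access keys live in ~/.aws/credentials
# under the same profile name, so no secrets appear in this file.
[profile account-a-user]
region = us-east-1

# Profile that the kubeconfig exec block names in AWS_PROFILE. It holds no keys:
# the SDK assumes role_arn with the source_profile credentials, so
# aws-iam-authenticator signs the token as the assumed role and the
# kubeconfig args shrink to: token -i k8s.mycluster.net
[profile myaccount]
source_profile = account-a-user
role_arn = arn:aws:iam::<AccountID-B>:role/kubernetes-admin
role_session_name = kubernetes-admin-session
region = us-east-1
```

Check the chain before touching kubectl: `aws sts get-caller-identity --profile myaccount` must return an ARN of the form arn:aws:sts::<AccountID-B>:assumed-role/kubernetes-admin/..., and that role ARN is what the cluster-side aws-iam-authenticator mapping (the aws-auth ConfigMap on EKS) has to grant access to, or the token is still denied.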