Fatal编程技术网
  • amazon-web-services/
  • Amazon web services 无法使用AWS IAM身份验证器拒绝令牌访问

Amazon web services 无法使用AWS IAM身份验证器拒绝令牌访问

amazon-web-services kubernetes

Amazon web services 无法使用AWS IAM身份验证器拒绝令牌访问,amazon-web-services,kubernetes,amazon-iam,Amazon Web Services,Kubernetes,Amazon Iam,我正在尝试为我的k8s群集设置AWS IAM验证器。我有两个AWS帐户:A和B k8s帐户在B帐户中运行 我已在A帐户中创建了以下资源: 政策 Description: Grants permissions to assume the kubernetes-admin role Policy: Statement: - Action: sts:* Effect: Allow Resource: arn:aws:iam::<AccountID-B>:

我正在尝试为我的k8s群集设置AWS IAM验证器。我有两个AWS帐户:A和B

k8s帐户在B帐户中运行

我已在A帐户中创建了以下资源:

政策

Description: Grants permissions to assume the kubernetes-admin role
Policy:
  Statement:
    - Action: sts:*
      Effect: Allow
      Resource: arn:aws:iam::<AccountID-B>:role/kubernetes-admin
      Sid: KubernetesAdmin
  Version: 2012-10-17
kubeconfig是:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <certificate>
    server: https://api.k8s.mycluster.net
  name: k8s.mycluster.net
contexts:
- context:
    cluster: k8s.mycluster.net
    namespace: kube-system
    user: k8s.mycluster.net
  name: k8s.mycluster.net
current-context: k8s.mycluster.net
kind: Config
preferences: {}
users:
- name: k8s.mycluster.net
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: aws-iam-authenticator
      env:
      - name: "AWS_PROFILE"
        value: "myaccount"
      args:
        - "token"
        - "-i"
        - "k8s.mycluster.net"
        - "-r"
        - "arn:aws:iam::<AccountID-B>:role/kubernetes-admin"
有什么想法吗?我没有得到我所缺少的东西。

让它正常工作的方法是删除

- "-r"
- "arn:aws:iam::<AccountID-B>:role/kubernetes-admin" 

-“-r”
-“arn:aws:iam:::角色/kubernetes管理员”
并将要承担的角色传递给
AWS_PROFILE
env var

以添加到该角色中-我的解决方案是执行以下操作:

在~/.kube目录中:

aws eks update-kubeconfig --name eks-dev-cluster --role-arn=XXXXXXXXXXXX
这将创建一个配置my eks群集的文件

vi config-my-eks-cluster
注释掉上面提到的两行:

  apiVersion: client.authentication.k8s.io/v1alpha1
  args:
  - token
  - -i
  - eks-dev-cluster
  #- -r
  #- arn:aws:iam::XXXXXXXXX:role/eks-dev-role (the role you made for eks)
  command: aws-iam-authenticator
然后确保导出用户配置文件时使用:

导出AWS_PROFILE=XXXXXXXXX(用于在控制台或通过cli创建群集的用户)

跑步:

kubectl get svc --v=10
这将使输出进入详细模式,并为您提供有关逐渐出现的任何错误的详细信息。

您使用什么来配置集群?您需要设置Kubernetes API服务器,以将aws iam authenticator包含为身份验证方法。我已经解决了这个问题。我会用解决方案回复下来。请发布解决方案,以便对其他人有所帮助。 
vi config-my-eks-cluster

  apiVersion: client.authentication.k8s.io/v1alpha1
  args:
  - token
  - -i
  - eks-dev-cluster
  #- -r
  #- arn:aws:iam::XXXXXXXXX:role/eks-dev-role (the role you made for eks)
  command: aws-iam-authenticator

kubectl get svc --v=10