Kubernetes Couldn't find destination zone: No zone found for MYWEBSITEURLHERE.com: AccessDenied:


I am trying to deploy logstash on my kubernetes cluster. I am using K8S v1.6.1 with Calico as the network.

The problem I am running into is that the pod is spinning up but does not seem to be able to register DNS. For safety I have stripped out my domain name:

route53-kubernetes-551223410-wf89w route53-kubernetes W0516 19:47:32.715753       1 service_listener.go:151] Couldn't find destination zone: No zone found for MYWEBSITEURLHERE.com: AccessDenied: User: arn:aws:sts::056146032236:assumed-role/nodes.k8s-uw2.MYWEBSITEURLHERE.com/i-01cac4656e7ee0c4e is not authorized to perform: route53:ListHostedZonesByName
route53-kubernetes-551223410-wf89w route53-kubernetes   status code: 403, request id: 809c62fa-3a70-11e7-bccf-9daca39d7850
Now the strange thing is that I have confirmed the IAM creds have been set up correctly for that role:

{
    "RoleName": "nodes.k8s-uw2.MYWEBSITEURLHERE.com",
    "PolicyDocument": {
        "Statement": [
            {
                "Effect": "Allow",
                "Resource": [
                    "*"
                ],
                "Action": [
                    "ec2:Describe*"
                ]
            },
            {
                "Effect": "Allow",
                "Resource": [
                    "*"
                ],
                "Action": [
                    "elasticloadbalancing:DescribeLoadBalancers"
                ]
            },
            {
                "Effect": "Allow",
                "Resource": [
                    "*"
                ],
                "Action": [
                    "ecr:GetAuthorizationToken",
                    "ecr:BatchCheckLayerAvailability",
                    "ecr:GetDownloadUrlForLayer",
                    "ecr:GetRepositoryPolicy",
                    "ecr:DescribeRepositories",
                    "ecr:ListImages",
                    "ecr:BatchGetImage"
                ]
            },
            {
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:route53:::hostedzone/Z1ILWH3JAW6GTW"
                ],
                "Action": [
                    "route53:ChangeResourceRecordSets",
                    "route53:ListResourceRecordSets",
                    "route53:GetHostedZone",
                    "route53:ListHostedZonesByName"
                ]
            },
            {
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:route53:::change/*"
                ],
                "Action": [
                    "route53:GetChange"
                ]
            },
            {
                "Effect": "Allow",
                "Resource": [
                    "*"
                ],
                "Action": [
                    "route53:ListHostedZones"
                ]
            },
            {
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::k8s-uw2-sightmachine-com-state-store/k8s-uw2.MYWEBSITEURLHERE.com",
                    "arn:aws:s3:::k8s-uw2-sightmachine-com-state-store/k8s-uw2.MYWEBSITEURLHERE.com/*"
                ],
                "Action": [
                    "s3:*"
                ]
            },
            {
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:s3:::k8s-uw2-sightmachine-com-state-store"
                ],
                "Action": [
                    "s3:GetBucketLocation",
                    "s3:ListBucket"
                ]
            }
        ],
        "Version": "2012-10-17"
    },
    "PolicyName": "nodes.k8s-uw2.MYWEBSITEURLHERE.com"
}
Even stranger, I am able to create my elasticsearch service as well as kibana, and both work fine. It is only my logstash service that does not.

Here is my logstash service definition:

apiVersion: v1
kind: Service
metadata:
  name: logstash
  namespace: inf
  labels:
    app: logstash
    component: server
    role: monitoring
    dns: route53
  annotations:
    domainName: logstash.k8s-uw2.MYWEBSITEURLHERE.com
    service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
spec:
  type: LoadBalancer
  selector:
    app: logstash
    component: server
    role: monitoring
  ports:
  - name: lumberjack
    port: 5043
    protocol: TCP
  - name: beats
    port: 5044
    protocol: TCP
  - name: http
    port: 31311
    protocol: TCP
Here is my elasticsearch service definition:

apiVersion: v1
kind: Service
metadata:
  name: elasticsearch
  namespace: inf
  labels:
    app: elasticsearch
    component: client
    role: monitoring
    dns: route53
  annotations:
      domainName: elasticsearch.k8s-uw2.sightmachine.com
      service.beta.kubernetes.io/aws-load-balancer-internal: 0.0.0.0/0
spec:
  type: LoadBalancer
  selector:
    app: elasticsearch
    component: client
    role: monitoring
  ports:
  - name: http
    port: 9200
    protocol: TCP
I have also confirmed that the zone ID is indeed correct.

Any help would be greatly appreciated, as all of this is abstracted away from a traditional setup and is harder for me to debug.

The solution was simply to increase the amount of access allowed, rather than making the role granular like the following:

"arn:aws:route53:::hostedzone/Z1ILWH3JAW6GTW"
"arn:aws:route53:::change/*"
to become:

*
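An added example, not part of the question or the answer above: a small Python model of how IAM matches a request against the Route 53 statements in the posted policy. The detail it illustrates is that `route53:ListHostedZonesByName` (like `route53:ListHostedZones`) is an account-level call with no resource-level permission support, so IAM evaluates it against the resource `*`. A statement that lists it under `arn:aws:route53:::hostedzone/Z1ILWH3JAW6GTW`, as the question's policy does, can therefore never match and produces exactly the 403 in the log. Moving the two list actions into their own `"Resource": "*"` statement resolves the error while `ChangeResourceRecordSets` stays pinned to the one hosted zone, which is narrower than replacing both ARNs with `*`. The evaluator is deliberately simplified (Allow statements only, no `Deny`, `Condition` or `NotAction`), the policy documents are abbreviated to their Route 53 statements, and the second zone ID used in the test is a constructed placeholder.

```python
import re

# Hosted zone ID as it appears in the question; the ARNs mirror its policy.
ZONE_ID = "Z1ILWH3JAW6GTW"

# Route 53 statements as posted: the list call shares a statement with
# ChangeResourceRecordSets and is therefore scoped to one zone ARN.
ORIGINAL_ROUTE53_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": [f"arn:aws:route53:::hostedzone/{ZONE_ID}"],
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:ListResourceRecordSets",
                "route53:GetHostedZone",
                "route53:ListHostedZonesByName",
            ],
        },
        {"Effect": "Allow", "Resource": ["arn:aws:route53:::change/*"],
         "Action": ["route53:GetChange"]},
        {"Effect": "Allow", "Resource": ["*"],
         "Action": ["route53:ListHostedZones"]},
    ],
}

# Least-privilege fix: only the account-level list calls get Resource "*";
# record changes stay restricted to the single hosted zone.
FIXED_ROUTE53_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": [f"arn:aws:route53:::hostedzone/{ZONE_ID}"],
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:ListResourceRecordSets",
                "route53:GetHostedZone",
            ],
        },
        {"Effect": "Allow", "Resource": ["arn:aws:route53:::change/*"],
         "Action": ["route53:GetChange"]},
        {"Effect": "Allow", "Resource": ["*"],
         "Action": ["route53:ListHostedZones",
                    "route53:ListHostedZonesByName"]},
    ],
}

# Route 53 actions with no resource-level permission support: IAM
# evaluates requests for these against the resource "*".
NON_RESOURCE_ACTIONS = {"route53:listhostedzones",
                        "route53:listhostedzonesbyname"}


def _iam_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run, '?' is one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: Allow statements only, no Deny or
    Condition handling (the posted policy uses neither)."""
    if action.lower() in NON_RESOURCE_ACTIONS:
        resource = "*"  # the request carries no resource ARN
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_ok = any(_iam_match(a, action, ignore_case=True)
                        for a in _as_list(stmt["Action"]))
        resource_ok = any(_iam_match(r, resource)
                          for r in _as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            return True
    return False


def lint_unreachable_list_actions(policy):
    """Return account-level list actions that are granted only under a
    specific ARN. Such grants never match a request, so the caller gets
    the AccessDenied seen in the question's log."""
    unreachable = []
    for stmt in policy["Statement"]:
        if "*" in _as_list(stmt["Resource"]):
            continue
        for action in _as_list(stmt["Action"]):
            if (action.lower() in NON_RESOURCE_ACTIONS
                    and not is_allowed(policy, action, "*")):
                unreachable.append(action)
    return unreachable


if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_ROUTE53_POLICY),
                         ("fixed", FIXED_ROUTE53_POLICY)):
        print(name, "allows ListHostedZonesByName:",
              is_allowed(policy, "route53:ListHostedZonesByName", "*"))
        print(name, "unreachable grants:",
              lint_unreachable_list_actions(policy))
```

Running the block prints `False` for the original policy and `True` for the fixed one, and the lint names `route53:ListHostedZonesByName` as the unreachable grant in the original. The same check is worth running against any node role policy before widening it: if the denied action is account-level, the fix is a separate `"Resource": "*"` statement for that action alone, not a wildcard on the zone- or change-scoped statements.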