EKS with Kubectl keeps saying Unauthorized

I am currently trying to set up an EKS cluster on AWS using CloudFormation. I have been following the guide at https://en.sokube.ch/post/aws-kubernetes-aws-elastic-kubernetes-service-eks.

However, after my EKS cluster is created successfully, I cannot interact with it through kubectl, because I always get error: You must be logged in to the server (Unauthorized). I am stuck on what I did wrong.

One hint that may be the problem is that I created the stack through the AWS console and not through the AWS CLI, so it is a different user. But I do not understand why this should be a problem when the CLI user has full permissions, and I could not find information on how to allow other IAM users in this situation.

The IAM user I am logged in with via the AWS CLI has the AdministratorAccess policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

Console commands I ran

~/workspace/Archipelago(master*) » aws eks --region us-west-2 describe-cluster --name archipelago-alpha-eks --query "cluster.status" --output text | cat
ACTIVE
~/workspace/Archipelago(master*) » aws eks --region us-west-2 update-kubeconfig --name archipelago-alpha-eks
Added new context arn:aws:eks:us-west-2:075174350620:cluster/archipelago-alpha-eks to /home/kasper/.kube/config
~/workspace/Archipelago(master*) » kubectl get node
error: You must be logged in to the server (Unauthorized)

My full CloudFormation template

AWSTemplateFormatVersion: "2010-09-09"
Description: ""

Parameters:
  env:
    Type: "String"
    Default: "local"

Mappings:
  ServicePrincipals:
    aws-cn:
      ec2: ec2.amazonaws.com.cn
    aws:
      ec2: ec2.amazonaws.com

Resources:
      eksVPC:
        Type: AWS::EC2::VPC
        Properties:
          CidrBlock: 10.0.0.0/16
          EnableDnsSupport: true
          EnableDnsHostnames: true
          Tags:
            - Key: Name
              Value: !Sub "archipelago-${env}-eks-vpc"
            - Key: Project
              Value: !Sub "archipelago-${env}-eks"
    
      eksInternetGateway:
        Type: AWS::EC2::InternetGateway
        Properties:
          Tags:
            - Key: Name
              Value: !Sub "archipelago-${env}-eks-InternetGateway"
            - Key: Project
              Value: !Sub "archipelago-${env}-eks"
    
      eksVPCGatewayAttachment:
        Type: AWS::EC2::VPCGatewayAttachment
        Properties:
          InternetGatewayId: !Ref eksInternetGateway
          VpcId: !Ref eksVPC
    
      eksPublicRouteTable:
        Type: AWS::EC2::RouteTable
        Properties:
          VpcId: !Ref eksVPC
          Tags:
            - Key: Name
              Value: !Sub "archipelago-${env}-eks-RouteTable"
            - Key: Project
              Value: !Sub "archipelago-${env}-eks"
    
      eksPublicRoute:
        DependsOn: eksVPCGatewayAttachment
        Type: AWS::EC2::Route
        Properties:
          RouteTableId: !Ref eksPublicRouteTable
          DestinationCidrBlock: 0.0.0.0/0
          GatewayId: !Ref eksInternetGateway
    
      eksPublicSubnet01:
        Type: AWS::EC2::Subnet
        Properties:
          AvailabilityZone: us-west-2a
          MapPublicIpOnLaunch: true
          CidrBlock: 10.0.0.0/24
          VpcId:
            Ref: eksVPC
          Tags:
            - Key: Name
              Value: !Sub "archipelago-${env}-eks-PublicSubnet01"
            - Key: Project
              Value: !Sub "archipelago-${env}-eks"
    
      eksPublicSubnet02:
        Type: AWS::EC2::Subnet
        Properties:
          AvailabilityZone: us-west-2b
          MapPublicIpOnLaunch: true
          CidrBlock: 10.0.1.0/24
          VpcId:
            Ref: eksVPC
          Tags:
            - Key: Name
              Value: !Sub "archipelago-${env}-eks-PublicSubnet02"
            - Key: Project
              Value: !Sub "archipelago-${env}-eks"
    
      eksPublicSubnet01RouteTableAssociation:
        Type: AWS::EC2::SubnetRouteTableAssociation
        Properties:
          SubnetId: !Ref eksPublicSubnet01
          RouteTableId: !Ref eksPublicRouteTable
    
      eksPublicSubnet02RouteTableAssociation:
        Type: AWS::EC2::SubnetRouteTableAssociation
        Properties:
          SubnetId: !Ref eksPublicSubnet02
          RouteTableId: !Ref eksPublicRouteTable
    
      eksSecurityGroup:
        Type: AWS::EC2::SecurityGroup
        Properties:
          GroupDescription: Cluster communication with worker nodes
          VpcId: !Ref eksVPC
          Tags:
            - Key: Name
              Value: !Sub "archipelago-${env}-eks-SecurityGroup"
            - Key: Project
              Value: !Sub "archipelago-${env}-eks"
    
      eksIAMRole:
        Type: AWS::IAM::Role
        Properties:
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Principal:
                  Service:
                    - eks.amazonaws.com
                Action:
                  - "sts:AssumeRole"
          RoleName: EKSClusterRole
          ManagedPolicyArns:
            - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
    
      eksCluster:
        Type: AWS::EKS::Cluster
        Properties:
          Name: !Sub "archipelago-${env}-eks"
          Version: 1.19
          RoleArn:
            "Fn::GetAtt": ["eksIAMRole", "Arn"]
          ResourcesVpcConfig:
            SecurityGroupIds:
              - !Ref eksSecurityGroup
            SubnetIds:
              - !Ref eksPublicSubnet01
              - !Ref eksPublicSubnet02
        DependsOn: [eksIAMRole, eksPublicSubnet01, eksPublicSubnet02, eksSecurityGroup]
    
      eksNodeInstanceRole:
        Type: AWS::IAM::Role
        Properties:
          AssumeRolePolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: Allow
                Principal:
                  Service:
                    - !FindInMap [ServicePrincipals, !Ref "AWS::Partition", ec2]
                Action:
                  - "sts:AssumeRole"
          ManagedPolicyArns:
            - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
            - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEKS_CNI_Policy"
            - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
          Path: /
    
      eksNodeGroup:
        Type: AWS::EKS::Nodegroup
        Properties:
          ClusterName: !Sub "archipelago-${env}-eks"
          NodeRole:
            "Fn::GetAtt": ["eksNodeInstanceRole", "Arn"]
          AmiType: AL2_x86_64
          InstanceTypes:
            - t3a.medium
          NodegroupName: !Sub "archipelago-${env}-eks-NodeGroup01"
          RemoteAccess:
            Ec2SshKey: !Sub "archipelago-${env}-eks-key"
          ScalingConfig:
            MinSize: 1
            DesiredSize: 1
            MaxSize: 3
          Labels:
            Project: !Sub "archipelago-${env}-eks"
          Subnets:
            - !Ref eksPublicSubnet01
            - !Ref eksPublicSubnet02
        DependsOn: [eksCluster, eksNodeInstanceRole]

The user or role that created the EKS cluster is the only IAM entity that has access to the EKS cluster. From the documentation:

When you create an Amazon EKS cluster, the IAM entity user or role, such as a federated user that creates the cluster, is automatically granted system:masters permissions in the cluster's RBAC configuration in the control plane. This IAM entity does not appear in the ConfigMap, or any other visible configuration, so make sure to keep track of which IAM entity originally created the cluster. To grant additional AWS users or roles the ability to interact with your cluster, you must edit the aws-auth ConfigMap within Kubernetes.

Kubernetes has its own permission model, so you need to use the method from the link above to add other users to your EKS cluster.

You can edit the aws-auth configmap to look like this:

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapUsers: |
    - userarn: YOUR_IAM_USER_ARN
      username: YOUR_USER_NAME
      groups:
        - system:masters
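As an added example that is not part of the answer above: a small helper that takes the aws-auth ConfigMap (fetched with kubectl and loaded as a dict), appends a mapUsers entry for an IAM user, and refuses to produce a ConfigMap whose mapRoles no longer maps the node role to system:nodes, since that edit is the usual way worker nodes end up NotReady. The sample ConfigMap, the account id and the role name are constructed placeholders, and the group list is a parameter so a narrower group than system:masters can be granted.

```python
import re
# Constructed sample aws-auth as EKS creates it for a managed node group (example ARN, not real).
SAMPLE_AWS_AUTH = {
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "aws-auth", "namespace": "kube-system"},
    "data": {"mapRoles": (
        "- rolearn: arn:aws:iam::111122223333:role/EKSNodeInstanceRole-EXAMPLE\n"
        "  username: system:node:{{EC2PrivateDNSName}}\n"
        "  groups:\n    - system:bootstrappers\n    - system:nodes\n")},
}
IAM_ARN_RE = re.compile(r"^arn:aws(?:-cn|-us-gov)?:iam::\d{12}:(?:user|role)/[\w+=,.@/-]+$")

def parse_mappings(text):
    """Parse the flat YAML list EKS stores as a string in mapUsers / mapRoles."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("- userarn:", "- rolearn:")):
            key, _, val = line[2:].partition(":")
            entries.append({key: val.strip(), "groups": []})
        elif line.startswith("username:"):
            entries[-1]["username"] = line.partition(":")[2].strip()
        elif line.startswith("- ") and entries:   # a group item under "groups:"
            entries[-1]["groups"].append(line[2:].strip())
    return entries

def render_mappings(entries):
    """Inverse of parse_mappings, producing the indentation EKS expects."""
    out = []
    for e in entries:
        key = "userarn" if "userarn" in e else "rolearn"
        out += [f"- {key}: {e[key]}", f"  username: {e['username']}", "  groups:"]
        out += [f"    - {g}" for g in e["groups"]]
    return "\n".join(out) + "\n"

def grant_cluster_access(configmap, userarn, username, groups):
    """Return a copy of aws-auth with one more mapUsers entry; mapRoles is kept as is."""
    if not IAM_ARN_RE.match(userarn):
        raise ValueError(f"not an IAM user/role ARN: {userarn}")
    data = dict(configmap["data"])
    users = parse_mappings(data.get("mapUsers", ""))
    if any(u.get("userarn") == userarn for u in users):
        raise ValueError(f"{userarn} is already mapped")
    users.append({"userarn": userarn, "username": username, "groups": list(groups)})
    data["mapUsers"] = render_mappings(users)
    # Footgun check: dropping the node role's system:nodes mapping sends every worker node NotReady.
    if not any("system:nodes" in r["groups"] for r in parse_mappings(data.get("mapRoles", ""))):
        raise ValueError("mapRoles no longer maps the node role to system:nodes")
    return {**configmap, "data": data}
```

Before applying the result, compare the ARN you map against the identity the CLI actually uses (aws sts get-caller-identity), since that identity, not the console user that created the stack, is what kubectl presents to the cluster.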