AWS 角色和用户没有任何策略,为什么我仍然可以访问 K8s 集群?
AWS role and user have not any policy,why I still can access K8s cluster?
我的问题:我没有任何权限,为什么我可以访问K8s
[vagrant@localhost ~]$ kubectl get deployment --namespace=development
No resources found in development namespace.
下面是我的配置。
$ cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: <my certificate-authority-data>
server: https://2C1A77626A2087EBA1D1123EA9398DAF.gr7.ap-northeast-1.eks.amazonaws.com
name: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
contexts:
- context:
cluster: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
user: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
name: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
current-context: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
kind: Config
preferences: {}
users:
- name: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- --region
- ap-northeast-1
- eks
- get-token
- --cluster-name
- eksworkshop-eksctl
- --role
- arn:aws:iam::056844949861:role/k8sDev
command: aws
这是我的角色,权限中没有任何内容:
这是我的用户,这里只是内联策略:
这是我的组和内联策略的内容:
您能够访问它的原因是因为您正在访问集群的IAM 用户与用于创建集群的用户相同。 documenation 状态:
When you create an Amazon EKS cluster, the IAM entity user or role,
such as a federated user that creates the cluster, is automatically
granted system:masters permissions in the cluster's RBAC
configuration.
在EKS中,使用IAM用户进行鉴权,但IAM角色不控制授权。授权还是通过kubernetes RBAC系统来处理。
我的问题:我没有任何权限,为什么我可以访问K8s
[vagrant@localhost ~]$ kubectl get deployment --namespace=development
No resources found in development namespace.
下面是我的配置。
$ cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: <my certificate-authority-data>
server: https://2C1A77626A2087EBA1D1123EA9398DAF.gr7.ap-northeast-1.eks.amazonaws.com
name: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
contexts:
- context:
cluster: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
user: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
name: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
current-context: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
kind: Config
preferences: {}
users:
- name: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- --region
- ap-northeast-1
- eks
- get-token
- --cluster-name
- eksworkshop-eksctl
- --role
- arn:aws:iam::056844949861:role/k8sDev
command: aws
这是我的角色,权限中没有任何内容:
这是我的用户,这里只是内联策略:
这是我的组和内联策略的内容:
您能够访问它的原因是因为您正在访问集群的IAM 用户与用于创建集群的用户相同。 documenation 状态:
When you create an Amazon EKS cluster, the IAM entity user or role, such as a federated user that creates the cluster, is automatically granted system:masters permissions in the cluster's RBAC configuration.
在EKS中,使用IAM用户进行鉴权,但IAM角色不控制授权。授权还是通过kubernetes RBAC系统来处理。