AWS EKS access issue on eks:AccessKubernetesApi

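I created a new EKS cluster using Terraform, and some developers get the following error when they try to access the cluster in the AWS console.

Can anyone point out what I am missing?

Cluster version: 1.18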

User: arn:aws:iam::xxxx:user/yyy is not authorized to perform: eks:AccessKubernetesApi on resource: arn:aws:eks:us-east-1:xxxx:cluster/cluster

Every user has this policy attached:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "eks:ListFargateProfiles",
                "eks:DescribeNodegroup",
                "eks:ListNodegroups",
                "eks:DescribeFargateProfile",
                "eks:ListTagsForResource",
                "eks:ListUpdates",
                "eks:DescribeUpdate",
                "eks:DescribeCluster",
                "eks:ListClusters"
            ],
            "Resource": "*"
        }
    ]
}

My aws-auth config looks like this:

apiVersion: v1
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxx:role/cluster182020111918162137770000002f
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes


    - groups:
      - system:masters
      rolearn: arn:aws:iam::xxxx:role/abc-role
      username: abc-xac
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::xxx:role/cluster_eks_worker_role
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - groups:
      - system:developers
      userarn: arn:aws:iam::xxx:user/yyy
      username: yyy
....

The error already states that the user does not have access to eks:AccessKubernetesApi.

Just add it to the IAM role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "eks:AccessKubernetesApi",
                "eks:ListFargateProfiles",
                "eks:DescribeNodegroup",
                "eks:ListNodegroups",
                "eks:DescribeFargateProfile",
                "eks:ListTagsForResource",
                "eks:ListUpdates",
                "eks:DescribeUpdate",
                "eks:DescribeCluster",
                "eks:ListClusters"
            ],
            "Resource": "*"
        }
    ]
}
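
The check below is an added example, not part of the original question or answer: it evaluates the two policies from this page against the action and resource named in the error message. SCOPED_POLICY, OTHER_ARN and the helper names are assumptions introduced here, and the evaluator is a simplified model of IAM (explicit Deny wins, then any matching Allow).

```python
import re

ACTION = "eks:AccessKubernetesApi"
# Resource ARN as it appears (redacted) in the error message on this page.
CLUSTER_ARN = "arn:aws:eks:us-east-1:xxxx:cluster/cluster"
OTHER_ARN = "arn:aws:eks:us-east-1:xxxx:cluster/other"  # constructed for comparison

# The nine read-only actions from the policy in the question.
READ_ACTIONS = [
    "eks:ListFargateProfiles", "eks:DescribeNodegroup", "eks:ListNodegroups",
    "eks:DescribeFargateProfile", "eks:ListTagsForResource", "eks:ListUpdates",
    "eks:DescribeUpdate", "eks:DescribeCluster", "eks:ListClusters",
]

def statement(actions, resource="*", effect="Allow"):
    return {"Effect": effect, "Action": actions, "Resource": resource}

def policy(*statements):
    return {"Version": "2012-10-17", "Statement": list(statements)}

QUESTION_POLICY = policy(statement(READ_ACTIONS))
ANSWER_POLICY = policy(statement([ACTION] + READ_ACTIONS))
# Assumed tighter variant (not from the page): API access on one cluster only.
SCOPED_POLICY = policy(statement([ACTION], CLUSTER_ARN), statement(READ_ACTIONS))

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wild(pattern, value, flags=0):
    # IAM wildcards: * matches any run of characters, ? matches exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, flags) is not None

def is_allowed(doc, action, resource):
    """Explicit Deny wins, then any matching Allow; otherwise implicit deny.
    Simplified: ignores Condition, NotAction, NotResource, SCPs and boundaries."""
    allowed = False
    for st in _as_list(doc["Statement"]):
        if not any(_wild(a, action, re.IGNORECASE) for a in _as_list(st["Action"])):
            continue  # action names are case-insensitive
        if not any(_wild(r, resource) for r in _as_list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

if __name__ == "__main__":
    for name, doc in [("question", QUESTION_POLICY), ("answer", ANSWER_POLICY),
                      ("scoped", SCOPED_POLICY)]:
        print(name, is_allowed(doc, ACTION, CLUSTER_ARN), is_allowed(doc, ACTION, OTHER_ARN))
```

With "Resource": "*" the answer's policy grants the action on every cluster in the account, while the scoped variant grants it only on the cluster named in the error.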