terraform eks setup - namespaces is forbidden: User cannot list resource

I have been following the guide on how to set up AWS EKS with Terraform. https://learn.hashicorp.com/tutorials/terraform/eks

I am at the section where the dashboard needs to be authenticated. https://learn.hashicorp.com/tutorials/terraform/eks#authenticate-the-dashboard

  1. I have created the cluster role binding
$ kubectl apply -f https://raw.githubusercontent.com/hashicorp/learn-terraform-provision-eks-cluster/master/kubernetes-dashboard-admin.rbac.yaml
  2. I have generated the token
kubectl -n kube-system describe secret $(kubectl -n kube-system get secret | grep service-controller-token | awk '{print $1}')
  3. I have logged in to the Kubernetes dashboard with the token, using kubectl proxy

But after I log in and try to click on any panel to view resources, I get a set of errors similar to the following.

namespaces is forbidden: User "system:serviceaccount:kube-system:service-controller" cannot list resource "namespaces" in API group "" at the cluster scope

cronjobs.batch is forbidden: User "system:serviceaccount:kube-system:service-controller" cannot list resource "cronjobs" in API group "batch" in the namespace "default"

These messages suggest to me that the user I logged in as via the token does not have permission to view these resources, even though I can view them with the kubectl CLI tool.

kubectl describe clusterrole kubernetes-dashboard
Name:         kubernetes-dashboard
Labels:       k8s-app=kubernetes-dashboard
Annotations:  <none>
PolicyRule:
  Resources             Non-Resource URLs  Resource Names  Verbs
  ---------             -----------------  --------------  -----
  nodes.metrics.k8s.io  []                 []              [get list watch]
  pods.metrics.k8s.io   []                 []              [get list watch]

The following will log you in as admin-user, which seems to be the behavior you are looking for.

$ ADMIN_USER_TOKEN_NAME=$(kubectl -n kube-system get secret | grep admin-user-token | cut -d' ' -f1)
$ echo $ADMIN_USER_TOKEN_NAME

admin-user-token-k4s7r
# The suffix is auto-generated

$ ADMIN_USER_TOKEN_VALUE=$(kubectl -n kube-system get secret "$ADMIN_USER_TOKEN_NAME" -o jsonpath='{.data.token}' | base64 --decode)
$ echo "$ADMIN_USER_TOKEN_VALUE"

eyJhbGciOiJ ...
.....................-Tg
# Copy this token and use it on the Kubernetes Dashboard login page

The service account used in the tutorial is service-controller, which seems to have very few permissions.

$ kubectl -n kube-system describe clusterrole system:controller:service-controller
Name:         system:controller:service-controller
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources             Non-Resource URLs  Resource Names  Verbs
  ---------             -----------------  --------------  -----
  events                []                 []              [create patch update]
  events.events.k8s.io  []                 []              [create patch update]
  services              []                 []              [get list watch]
  nodes                 []                 []              [list watch]
  services/status       []                 []              [patch update]

Let me know if you have any questions.
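As an added example (not part of the question or the answer above), the following Python script reproduces the RBAC decision the API server made when it returned those `forbidden` errors: it parses the PolicyRule table from the answer's `kubectl describe clusterrole system:controller:service-controller` output and evaluates which verb/resource/API-group requests that service account is allowed. The function names `parse_describe_rules` and `can_i` are chosen here.

```python
import re

# PolicyRule table copied from the `kubectl describe clusterrole` output in the answer.
SERVICE_CONTROLLER_DESCRIBE = """\
Name:         system:controller:service-controller
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources             Non-Resource URLs  Resource Names  Verbs
  ---------             -----------------  --------------  -----
  events                []                 []              [create patch update]
  events.events.k8s.io  []                 []              [create patch update]
  services              []                 []              [get list watch]
  nodes                 []                 []              [list watch]
  services/status       []                 []              [patch update]
"""


def parse_describe_rules(text):
    """Turn the PolicyRule table of `kubectl describe clusterrole` into
    (resource, api_group, verbs) tuples."""
    rules = []
    in_table = False
    for line in text.splitlines():
        if line.strip().startswith("---"):
            in_table = True  # everything after the separator row is a rule
            continue
        if not in_table or not line.strip():
            continue
        cols = re.split(r"\s{2,}", line.strip())  # columns are 2+ spaces apart
        resource_col, verbs_col = cols[0], cols[-1]
        # "events.events.k8s.io" -> resource "events", group "events.k8s.io";
        # "services/status" has no dot, so it stays in the core group "".
        resource, _, group = resource_col.partition(".")
        verbs = set(verbs_col.strip("[]").split())
        rules.append((resource, group, verbs))
    return rules


def can_i(rules, verb, resource, group=""):
    """Kubernetes RBAC is allow-only: a request is permitted iff at least one
    rule matches its verb, resource and API group ('*' matches anything)."""
    for r_resource, r_group, r_verbs in rules:
        if (r_resource in (resource, "*")
                and r_group in (group, "*")
                and (verb in r_verbs or "*" in r_verbs)):
            return True
    return False


if __name__ == "__main__":
    rules = parse_describe_rules(SERVICE_CONTROLLER_DESCRIBE)
    # The two requests from the dashboard errors in the question:
    print("list namespaces:", can_i(rules, "list", "namespaces"))
    print("list cronjobs.batch:", can_i(rules, "list", "cronjobs", "batch"))
```

On a live cluster the same check is `kubectl auth can-i list namespaces --as=system:serviceaccount:kube-system:service-controller`, which avoids logging in to the dashboard just to discover a missing permission.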