我正在尝试为我的 k8s 集群设置 AWS IAM 身份验证器。我有两个 AWS 账户:A 和 B。
k8s账号运行在B账号下。
我在 A 帐户中创建了以下资源:
政策
Description: Grants permissions to assume the kubernetes-admin role
Policy:
Statement:
- Action: sts:*
Effect: Allow
Resource: arn:aws:iam::<AccountID-B>:role/kubernetes-admin
Sid: KubernetesAdmin
Version: 2012-10-17
该策略与一个组相关联,我将我的 IAM 用户添加到该组。
在 B 帐户中,我创建了以下角色:
AssumeRolePolicyDocument:
Statement:
- Action: sts:AssumeRole
Effect: Allow
Principal:
AWS: arn:aws:iam::<AccountID-A>:root
Version: 2012-10-17
这是配置 aws-iam-authenticator 的 ConfigMap
:
apiVersion: v1
data:
config.yaml: |
# a unique-per-cluster identifier to prevent replay attacks
# (good choices are a random token or a domain name that will be unique to your cluster)
clusterID: k8s.mycluster.net
server:
# each mapRoles entry maps an IAM role to a username and set of groups
# Each username and group can optionally contain template parameters:
# "{{AccountID}}" is the 12 digit AWS ID.
# "{{SessionName}}" is the role session name.
mapRoles:
- roleARN: arn:aws:iam::<AccountID-B>:role/kubernetes-admin
username: kubernetes-admin:{{AccountID}}:{{SessionName}}
groups:
- system:masters
kind: ConfigMap
metadata:
creationTimestamp: 2018-12-13T19:41:39Z
labels:
k8s-app: aws-iam-authenticator
name: aws-iam-authenticator
namespace: kube-system
resourceVersion: "87401"
selfLink: /api/v1/namespaces/kube-system/configmaps/aws-iam-authenticator
uid: 1bc39653-ff0f-11e8-a580-02b4590539ba
kubeconfig 是:
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: <certificate>
server: https://api.k8s.mycluster.net
name: k8s.mycluster.net
contexts:
- context:
cluster: k8s.mycluster.net
namespace: kube-system
user: k8s.mycluster.net
name: k8s.mycluster.net
current-context: k8s.mycluster.net
kind: Config
preferences: {}
users:
- name: k8s.mycluster.net
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
command: aws-iam-authenticator
env:
- name: "AWS_PROFILE"
value: "myaccount"
args:
- "token"
- "-i"
- "k8s.mycluster.net"
- "-r"
- "arn:aws:iam::<AccountID-B>:role/kubernetes-admin"
结果是:
could not get token: AccessDenied: Access denied
status code: 403, request id: 6ceac161-ff2f-11e8-b263-2b0e32831969
Unable to connect to the server: getting token: exec: exit status 1
有什么想法吗?我不明白我错过了什么。
最佳答案
添加到此 - 我的解决方案是执行以下操作:
在 ~/.kube 目录中:
aws eks update-kubeconfig --name eks-dev-cluster --role-arn=XXXXXXXXXXXX
这会创建一个文件 config-my-eks-cluster
vi config-my-eks-cluster
将上面提到的两行注释掉:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- token
- -i
- eks-dev-cluster
#- -r
#- arn:aws:iam::XXXXXXXXX:role/eks-dev-role (the role you made for eks)
command: aws-iam-authenticator
然后确保您使用以下方式导出您的用户配置文件:
export AWS_PROFILE=XXXXXXXXX(你在控制台或通过cli创建集群时使用的用户)
运行:
kubectl get svc --v=10
这会将输出置于详细模式,并为您提供有关出现的任何错误的详细信息。
关于amazon-web-services - 无法使用 AWS IAM 身份验证器获取 token 访问被拒绝,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/53771593/