我使用创建了启用 RBAC 的 kubernetes 集群
kops 版本 1.8.0-beta.1 ,我正在尝试运行一个 nginx pod,它应该附加预先创建的 EBS 卷并且 pod 应该启动。但是即使我是 也遇到未授权的问题管理员 用户。任何帮助将不胜感激。
kubectl version Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.3", GitCommit:"f0efb3cb883751c5ffdbe6d515f3cb4fbe7b7acd", GitTreeState:"clean", BuildDate:"2017-11-09T07:27:47Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.3", GitCommit:"f0efb3cb883751c5ffdbe6d515f3cb4fbe7b7acd", GitTreeState:"clean", BuildDate:"2017-11-08T18:27:48Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
namespace:default
cat test-ebs.yml
apiVersion: v1
kind: Pod
metadata:
name: test-ebs
spec:
containers:
- image: nginx
name: nginx
volumeMounts:
- mountPath: /test-ebs
name: test-volume
volumes:
- name: test-volume
awsElasticBlockStore:
volumeID: <vol-IDhere>
fsType: ext4
我收到以下错误:
Warning FailedMount 8m attachdetach AttachVolume.Attach failed for volume "test-volume" : Error attaching EBS volume "<vol-ID>" to instance "<i-instanceID>": "UnauthorizedOperation: You are not authorized to perform this operation
最佳答案
在 kops 1.8.0-beta.1 中,主节点要求您使用以下内容标记 AWS 卷:KubernetesCluster: <clustername-here>
如果您使用 kops 创建了 k8s 集群,如下所示:kops create cluster --name=k8s.yourdomain.com [other-args-here]
您在 EBS 卷上的标签需要是KubernetesCluster: k8s.yourdomain.com
并且 master 上的策略将包含一个块,其中将包含:
{
"Sid": "kopsK8sEC2MasterPermsTaggedResources",
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteRoute",
"ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",
"ec2:DetachVolume",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"ec2:ResourceTag/KubernetesCluster": "k8s.yourdomain.com"
}
}
}
该条件表明 master-policy 有权仅附加包含正确标签的卷。
关于amazon-web-services - 需要有关 kubernetes 卷挂载问题的帮助,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/47278433/