Pod execution role is not found in auth config or does not have all required permissions. How do I debug this?

Problem description

I want to be able to deploy AWS EKS using Fargate. I have successfully made the deployment work with a node_group. However, when I shifted to using Fargate, it seems that the pods are all stuck in the pending state.

I am provisioning using Terraform (not necessarily looking for a Terraform answer). This is how I create my EKS Cluster:

module "eks_cluster" {
  source                            = "terraform-aws-modules/eks/aws"
  version                           = "13.2.1"
  cluster_name                      = "${var.project_name}-${var.env_name}"
  cluster_version                   = var.cluster_version
  vpc_id                            = var.vpc_id
  cluster_enabled_log_types         = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
  enable_irsa                       = true
  subnets                           = concat(var.private_subnet_ids, var.public_subnet_ids)
  create_fargate_pod_execution_role = true
  write_kubeconfig                  = false
  fargate_pod_execution_role_name   = "${var.project_name}-role"
  # Assigning worker groups
  node_groups = {
    my_nodes = {
      desired_capacity = 1
      max_capacity     = 1
      min_capacity     = 1
      instance_type    = var.nodes_instance_type
      subnets          = var.private_subnet_ids
    }
  }
}

And this is how I provision the Fargate profile:

//#  Create EKS Fargate profile
resource "aws_eks_fargate_profile" "fargate_profile" {
  cluster_name           = module.eks_cluster.cluster_id
  fargate_profile_name   = "${var.project_name}-fargate-profile-${var.env_name}"
  pod_execution_role_arn = aws_iam_role.fargate_iam_role.arn
  subnet_ids             = var.private_subnet_ids

  selector {
    namespace = var.project_name
  }
}

And this is how I created and attach the required policies:

//# Create IAM Role for Fargate Profile
resource "aws_iam_role" "fargate_iam_role" {
  name                  = "${var.project_name}-fargate-role-${var.env_name}"
  force_detach_policies = true
  assume_role_policy    = jsonencode({
    Statement = [{
      Action    = "sts:AssumeRole"
      Effect    = "Allow"
      Principal = {
        Service = "eks-fargate-pods.amazonaws.com"
      }
    }]
    Version   = "2012-10-17"
  })
}

# Attach IAM Policy for Fargate
resource "aws_iam_role_policy_attachment" "fargate_pod_execution" {
  role       = aws_iam_role.fargate_iam_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"
}

What I have tried that did not seem to work

Running kubectl describe pod I get:

Events:
  Type     Reason            Age   From               Message
  ----     ------            ----  ----               -------
  Warning  FailedScheduling  14s   fargate-scheduler  Misconfigured Fargate Profile: fargate profile fargate-airflow-fargate-profile-dev blocked for new launches due to: Pod execution role is not found in auth config or does not have all required permissions for launching fargate pods.

Other things I have tried but without success

I have tried mapping the role via the module's feature like:

module "eks_cluster" {
  source                            = "terraform-aws-modules/eks/aws"
  version                           = "13.2.1"
  cluster_name                      = "${var.project_name}-${var.env_name}"
  cluster_version                   = var.cluster_version
  vpc_id                            = var.vpc_id
  cluster_enabled_log_types         = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
  enable_irsa                       = true
  subnets                           = concat(var.private_subnet_ids, var.public_subnet_ids)
  create_fargate_pod_execution_role = true
  write_kubeconfig                  = false
  fargate_pod_execution_role_name   = "${var.project_name}-role"
  # Assigning worker groups
  node_groups = {
    my_nodes = {
      desired_capacity = 1
      max_capacity     = 1
      min_capacity     = 1
      instance_type    = var.nodes_instance_type
      subnets          = var.private_subnet_ids
    }
  }
# Trying to map role
  map_roles = [
    {
      rolearn  = aws_eks_fargate_profile.airflow.arn
      username = aws_eks_fargate_profile.airflow.fargate_profile_name
      groups   = ["system:*"]
    }
  ]
}

But my attempt was not successful. How can I debug this issue? And what is the cause behind it?

Recommended answer

Okay, I see your problems. I just fixed mine, too, though I used different methods.

In your eks_cluster module, you already tell the module to create the role and provide a name to it, so there's no need to create a role resource later. The module should handle it for you, including populating the aws-auth configmap within Kubernetes.

In your aws_eks_fargate_profile resource, you should use the role provided by the module, i.e. pod_execution_role_arn = module.eks_cluster.fargate_profile_arns[0].

I believe fixing those up should solve your issue for the first configuration attempt.

For your second attempt, the map_roles input is for IAM roles, but you're supplying info about Fargate profiles. You want to do one of two things:

  1. Disable the module creating your roles (create_fargate_pod_execution_role and fargate_pod_execution_role_name) and instead create your own IAM role similarly to how you did in the first configuration and supply that info to map_roles.
  2. Remove map_roles and in your Fargate profile reference the IAM role generated by the module, similarly to the solution for your first configuration.

If any of this is confusing, please let me know. It seems you're really close!
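The answer's first option carried through end to end, as an added example that is not part of the question or the answer above: the pod execution role is created outside the module, the module is told not to create one, and the same IAM role is both referenced by the Fargate profile and mapped into the aws-auth ConfigMap through map_roles. Assumptions: the variables (project_name, env_name, cluster_version, vpc_id, private_subnet_ids, public_subnet_ids, nodes_instance_type) exist as in the question; the module inputs are those of terraform-aws-modules/eks 13.x; the aws:SourceArn condition on the trust policy is a hardening step that the question's role did not have; and the username/groups in the mapping are the ones EKS uses for Fargate node identities. The answer's second option is the same layout with create_fargate_pod_execution_role = true, no map_roles entry, and the profile pointing at whichever output the module version in use exposes for the role it created (check the module's outputs.tf rather than guessing).

```hcl
# Added example (not the question's or the answer's code): bring-your-own
# Fargate pod execution role, wired into both the profile and aws-auth.

data "aws_caller_identity" "current" {}
data "aws_region" "current" {}

locals {
  cluster_name = "${var.project_name}-${var.env_name}"
}

# Trust policy: only the EKS Fargate service may assume the role, and only on
# behalf of Fargate profiles of this cluster in this account. The aws:SourceArn
# condition is a confused-deputy guard added here; the question's role lacked it.
data "aws_iam_policy_document" "fargate_trust" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["eks-fargate-pods.amazonaws.com"]
    }

    condition {
      test     = "ArnLike"
      variable = "aws:SourceArn"
      values   = ["arn:aws:eks:${data.aws_region.current.name}:${data.aws_caller_identity.current.account_id}:fargateprofile/${local.cluster_name}/*"]
    }
  }
}

resource "aws_iam_role" "fargate_pod_execution" {
  name                  = "${var.project_name}-fargate-role-${var.env_name}"
  assume_role_policy    = data.aws_iam_policy_document.fargate_trust.json
  force_detach_policies = true
}

# Only the AWS-managed pod execution policy (image pull, log shipping). Pods
# that need AWS access get it through IRSA, never through this role.
resource "aws_iam_role_policy_attachment" "fargate_pod_execution" {
  role       = aws_iam_role.fargate_pod_execution.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSFargatePodExecutionRolePolicy"
}

module "eks_cluster" {
  source  = "terraform-aws-modules/eks/aws"
  version = "13.2.1"

  cluster_name              = local.cluster_name
  cluster_version           = var.cluster_version
  vpc_id                    = var.vpc_id
  subnets                   = concat(var.private_subnet_ids, var.public_subnet_ids)
  cluster_enabled_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
  enable_irsa               = true
  write_kubeconfig          = false

  # Option 1: the module must not create a role of its own; we bring ours.
  create_fargate_pod_execution_role = false

  # The module writes the whole aws-auth ConfigMap, so the Fargate role has to
  # be declared here. "Found in auth config" means an IAM *role* ARN (not the
  # profile ARN) mapped to the node identity and the three node groups; aws-auth
  # groups are literal RBAC group names, so "system:*" matches nothing.
  map_roles = [
    {
      rolearn  = aws_iam_role.fargate_pod_execution.arn
      username = "system:node:{{SessionName}}"
      groups   = ["system:bootstrappers", "system:nodes", "system:node-proxier"]
    }
  ]

  node_groups = {
    my_nodes = {
      desired_capacity = 1
      max_capacity     = 1
      min_capacity     = 1
      instance_type    = var.nodes_instance_type
      subnets          = var.private_subnet_ids
    }
  }
}

resource "aws_eks_fargate_profile" "fargate_profile" {
  cluster_name           = module.eks_cluster.cluster_id
  fargate_profile_name   = "${var.project_name}-fargate-profile-${var.env_name}"
  pod_execution_role_arn = aws_iam_role.fargate_pod_execution.arn
  subnet_ids             = var.private_subnet_ids

  selector {
    namespace = var.project_name
  }

  # The managed policy must be attached before EKS validates the profile.
  depends_on = [aws_iam_role_policy_attachment.fargate_pod_execution]
}

# After apply, the two values that must agree (run manually):
#   aws eks describe-fargate-profile --cluster-name <cluster> \
#     --fargate-profile-name <profile> --query fargateProfile.podExecutionRoleArn
#   kubectl -n kube-system get configmap aws-auth -o yaml   # same ARN under mapRoles
```

The two commands in the closing comment are the debugging check the question asks for: the scheduler's "not found in auth config" message means the ARN returned by describe-fargate-profile is absent from mapRoles (or is mapped with the wrong username or groups), and because Terraform rewrites aws-auth on every apply, an entry that EKS added on its own will be removed again unless it is also declared in the module's inputs.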

09-01 20:41