问题描述
我希望这个主题有意义.
I hope that subject makes sense.
我正在尝试在我的EKS集群上设置RBAC,并使用此出色的演练作为指南, Kubernetes身份验证.
I'm trying to setup RBAC on my EKS cluster, and am using this excellent walkthrough as a guide, Kubernetes Authentication.
因此,我创建了一个名为 EKSClusterAdminRole
的IAM角色,该角色具有 AmazonEKSClusterPolicy
托管策略,以允许该角色管理EKS集群.该角色具有这种信任关系
So I created an IAM role, called EKSClusterAdminRole
that has the AmazonEKSClusterPolicy
managed policy, to allow the role to manage an EKS cluster. The role has this trust relationship
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
然后,我创建了一个 EKSAdminGroup
,它具有一个可以担当该角色的内联策略,就像这样
Then I created an EKSAdminGroup
that has an inline policy that can assume that role, like this
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAssumeOrganizationAccountRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::0123456789:role/EKSClusterAdminRole"
}
]
}
,然后将现有的 jenkins
用户添加到该组中,如下所示
and I added my existing jenkins
user to that group, as shown here
$ aws iam get-group --group-name EKSAdminGroup
{
"Group": {
"Path": "/",
"CreateDate": "2021-02-27T18:31:34Z",
"GroupId": "QRSTUVWXYZ",
"Arn": "arn:aws:iam::0123456789:group/EKSAdminGroup",
"GroupName": "EKSAdminGroup"
},
"Users": [
{
"UserName": "jenkins",
"Path": "/",
"CreateDate": "2014-11-04T14:03:17Z",
"UserId": "ABCEDFGHIJKLMNOP",
"Arn": "arn:aws:iam::0123456789:user/jenkins"
}
]
}
这是我的ClusterRole和ClusterRoleBinding清单
Here's my ClusterRole and ClusterRoleBinding manifest
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cluster-admin-role
rules:
- apiGroups:
- ""
- "apps"
- "batch"
- "extensions"
resources:
- "configmaps"
- "cronjobs"
- "deployments"
- "events"
- "ingresses"
- "jobs"
- "pods"
- "pods/attach"
- "pods/exec"
- "pods/log"
- "pods/portforward"
- "secrets"
- "services"
verbs:
- "create"
- "delete"
- "describe"
- "get"
- "list"
- "patch"
- "update"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cluster-admin-rolebinding
subjects:
- kind: Group
name: cluster-admins
roleRef:
kind: ClusterRole
name: cluster-admin-role
apiGroup: rbac.authorization.k8s.io
现在,我正在使用在〜/.aws/credentials
中具有上述 jenkins
用户凭据的计算机上.我想在那里执行 kubectl
命令.所以我
Now I'm on a machine that has the above jenkins
user credentials in ~/.aws/credentials
. I want to execute kubectl
commands there. So I do
$ cat ~/.aws/credentials
[default]
aws_access_key_id = ABCEDFGHIJKLMNOP
aws_secret_access_key = *****
$ aws eks update-kubeconfig --name sandbox --region us-east-1 --role-arn arn:aws:iam::0123456789:role/EKSClusterAdminRole
Updated context arn:aws:eks:us-east-1:0123456789:cluster/sandbox in /home/ubuntu/.kube/config
$ kubectl config view
apiVersion: v1
kind: Config
...
users:
- name: arn:aws:eks:us-east-1:0123456789:cluster/sandbox
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- --region
- us-east-1
- eks
- get-token
- --cluster-name
- sandbox
- --role
- arn:aws:iam::0123456789:role/EKSClusterAdminRole
command: aws
env: null
provideClusterInfo: false
这是我的EKS群集的aws-auth ConfigMap(的一部分)
Here's (part of) my EKS cluster's aws-auth ConfigMap
apiVersion: v1
kind: ConfigMap
data:
mapRoles: |
- rolearn: arn:aws:iam::0123456789:role/EKSClusterAdminRole
username: cluster-admins
例如,我明白了
$ kubectl get ns
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::0123456789:user/jenkins is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::0123456789:role/EKSClusterAdminRole
Unable to connect to the server: getting credentials: exec: executable aws failed with exit code 255
什么是腌菜?好像我在对IAM角色进行故障排除一样与我的问题有关.
What's the deal pickle? It seems like I did everything in Trouubleshooting IAM roles that's pertinent to my issue.
推荐答案
要使其正常工作,至少在我的用户可以担任该角色的位置,我必须将其添加到IAM EKSClusterAdminRole的信任关系中
To make this work, at least where my user can assume the role, I had to add this to my IAM EKSClusterAdminRole's trust relationship
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com",
"AWS": "arn:aws:iam::0123456789:root" <-- add this line
},
"Action": "sts:AssumeRole"
}
]
}
这篇关于属于IAM组的AWS IAM用户不能承担允许IAM组承担的IAM角色?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!