使用 rbac & 错误地更新了 configmap aws-auth无法访问集群 [英] Mistakenly updated configmap aws-auth with rbac & lost access to the cluster
问题描述
试图通过 AWS EKS 集群的 rbac 限制 IAM 用户.错误地从 kube-system 命名空间更新了配置映射aws-auth".这删除了对 EKS 集群的完全访问权限.
Was trying to restrict IAM users with the rbac of AWS EKS cluster. Mistakenly updated the configmap "aws-auth" from kube-system namespace. This removed the complete access to the EKS cluster.
未能在用户的配置映射中添加组:.
Missed to add the groups: in the configmap for the user.
尝试提供对 configmap 中最后提到的用户/角色的完全管理员访问权限,但没有运气.
Tried providing full admin access to the user/role that is lastly mentioned in the configmap, But no luck.
任何恢复对集群的访问的想法都非常值得赞赏.
Any idea of recovering access to the cluster would be highly appreciable.
config-map.yaml:
The config-map.yaml:
apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
data:
mapUsers: |
- userarn: arn:aws:iam::1234567:user/test-user
username: test-user
推荐答案
为此问题做了一个变通方法:
Did a work-around for this issue:
由于默认情况下创建 EKS 集群的 IAM 用户拥有对集群的完全访问权限,尽管存在 aws-auth 配置映射.由于创建的 IAM 用户已被删除,因此我们重新创建了 IAM 用户,因为它将具有相同的 arn(如果创建的 IAM 用户与之前的名称相同).
Since the IAM user who created the EKS Cluster by default possess complete access over the cluster, inspite of the aws-auth configmap. Since the IAM user who created, had been deleted, we re-created the IAM user, as it would have the same arn (if IAM user is created with the same name as before).
一旦为用户创建了用户凭据(访问和密钥),我们就可以重新访问 EKS 集群.之后,我们根据需要修改了 config-map.
Once created the user credentials(access & secret keys) for the user, we got back access to the EKS cluster. Following which, we modified the config-map as required.
这篇关于使用 rbac & 错误地更新了 configmap aws-auth无法访问集群的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!