使用 rbac & 错误地更新了 configmap aws-auth无法访问集群 [英] Mistakenly updated configmap aws-auth with rbac & lost access to the cluster

问题描述

试图通过 AWS EKS 集群的 rbac 限制 IAM 用户.错误地从 kube-system 命名空间更新了配置映射aws-auth".这删除了对 EKS 集群的完全访问权限.

Was trying to restrict IAM users with the rbac of AWS EKS cluster. Mistakenly updated the configmap "aws-auth" from kube-system namespace. This removed the complete access to the EKS cluster.

未能在用户的配置映射中添加组:.

Missed to add the groups: in the configmap for the user.

尝试提供对 configmap 中最后提到的用户/角色的完全管理员访问权限，但没有运气.

Tried providing full admin access to the user/role that is lastly mentioned in the configmap, But no luck.

任何恢复对集群的访问的想法都非常值得赞赏.

Any idea of recovering access to the cluster would be highly appreciable.

config-map.yaml:

The config-map.yaml:

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapUsers: |
    - userarn: arn:aws:iam::1234567:user/test-user
      username: test-user

推荐答案

为此问题做了一个变通方法:

Did a work-around for this issue:

由于默认情况下创建 EKS 集群的 IAM 用户拥有对集群的完全访问权限，尽管存在 aws-auth 配置映射.由于创建的 IAM 用户已被删除，因此我们重新创建了 IAM 用户，因为它将具有相同的 arn(如果创建的 IAM 用户与之前的名称相同).

Since the IAM user who created the EKS Cluster by default possess complete access over the cluster, inspite of the aws-auth configmap. Since the IAM user who created, had been deleted, we re-created the IAM user, as it would have the same arn (if IAM user is created with the same name as before).

一旦为用户创建了用户凭据(访问和密钥)，我们就可以重新访问 EKS 集群.之后，我们根据需要修改了 config-map.

Once created the user credentials(access & secret keys) for the user, we got back access to the EKS cluster. Following which, we modified the config-map as required.

这篇关于使用 rbac & 错误地更新了 configmap aws-auth无法访问集群的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！