Terraform Kubernetes provider with EKS fails on configmap


Problem description

I've followed the instructions to create an EKS cluster in AWS using Terraform.

https://www.terraform.io/docs/providers/aws/guides/eks-getting-started.html

I've also copied the output for connecting to the cluster to ~/.kube/config-eks. I've verified this successfully works as I've been able to connect to the cluster and manually deploy containers. However, now I'm trying to use the Terraform Kubernetes provider to connect to the cluster but cannot seem to be able to configure the provider properly.

I've configured the provider to use my kubectl configuration, but when attempting to push a simple configmap, I get an error stating the following:

configmaps is forbidden: User "system:anonymous" cannot create configmaps in the namespace "kube-system"

I know that the provider is picking up part of the configuration but I cannot seem to get it to authenticate. I suspect this is because EKS uses heptio for authentication and I'm not sure if the K8s Go client used by Terraform can support heptio. However, given that Terraform released their AWS EKS support when EKS went GA, I'd doubt that they wouldn't also update their Terraform provider to work with it.

Is it possible to even do this now? Are there alternatives?

Recommended answer

Exec auth was added here: https://github.com/kubernetes/client-go/commit/19c591bac28a94ca793a2f18a0cf0f2e800fad04

This is what is utilized for custom authentication plugins and was published Feb 7th.

Right now, Terraform doesn't support the new exec-based authentication provider, but there is an issue open with a workaround: https://github.com/terraform-providers/terraform-provider-kubernetes/issues/161

That said, if I get some free time I will work on a PR.
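
A pre-flight check for the situation described in this thread, added here as an example and not taken from the question, the answer or the Terraform provider: it reads a kubeconfig exported as JSON (`kubectl config view -o json`) and reports, per context, whether the referenced user has a static credential or only an `exec` plugin entry, which a client without exec support cannot use. The sample kubeconfig, the cluster name `eks-demo` and all function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `kubectl config view -o json` for an EKS
# kubeconfig; the cluster name "eks-demo" and both users are made up.
SAMPLE_KUBECONFIG = json.dumps({
    "current-context": "aws",
    "contexts": [
        {"name": "aws", "context": {"cluster": "eks-demo", "user": "aws"}},
        {"name": "legacy", "context": {"cluster": "eks-demo", "user": "static"}},
    ],
    "users": [
        {"name": "aws", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1alpha1",
            "command": "heptio-authenticator-aws",
            "args": ["token", "-i", "eks-demo"]}}},
        {"name": "static", "user": {"token": "REDACTED"}},
    ],
})

# kubeconfig user fields a client can send without running an external command.
STATIC_FIELDS = ("token", "tokenFile", "client-certificate",
                 "client-certificate-data", "username")


def classify_user(user):
    """Return 'static', 'exec-only' or 'none' for one kubeconfig user entry."""
    if any(user.get(field) for field in STATIC_FIELDS):
        return "static"
    return "exec-only" if user.get("exec") else "none"


def audit(kubeconfig_json):
    """Map each context name to the credential class of the user it references."""
    cfg = json.loads(kubeconfig_json)
    users = {u["name"]: u.get("user") or {} for u in cfg.get("users") or []}
    return {
        ctx["name"]: classify_user(users.get((ctx.get("context") or {}).get("user"), {}))
        for ctx in cfg.get("contexts") or []
    }


def current_context_needs_exec(kubeconfig_json):
    """True when the active context can only authenticate through an exec plugin."""
    cfg = json.loads(kubeconfig_json)
    return audit(kubeconfig_json).get(cfg.get("current-context")) == "exec-only"


if __name__ == "__main__":
    for name, kind in audit(SAMPLE_KUBECONFIG).items():
        print(f"{name}: {kind}")
```

An `exec-only` result for the active context means a client that ignores the `exec` stanza has no credential to present, which matches the `system:anonymous` error quoted in the question.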
