kubectl错误访问EKS集群时必须登录到服务器(未经授权) [英] kubectl error You must be logged in to the server (Unauthorized) when accessing EKS cluster
问题描述
我一直在尝试遵循EKS入门指南.
当我尝试致电kubectl get service时,出现以下消息:错误:您必须登录到服务器(未授权)
这是我所做的:
1.创建了EKS集群.
2.创建配置文件,如下所示:
I have been trying to follow the getting started guide to EKS.
When I tried to call kubectl get service I got the message: error: You must be logged in to the server (Unauthorized)
Here is what I did:
1. Created the EKS cluster.
2. Created the config file as follows:
apiVersion: v1
clusters:
- cluster:
server: https://*********.yl4.us-west-2.eks.amazonaws.com
certificate-authority-data: *********
name: *********
contexts:
- context:
cluster: *********
user: aws
name: aws
current-context: aws
kind: Config
preferences: {}
users:
- name: aws
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
command: heptio-authenticator-aws
args:
- "token"
- "-i"
- "*********"
- "-r"
- "arn:aws:iam::*****:role/******"
- 下载并安装了最新的AWS CLI
- Ran aws为我的IAM用户和该地区配置凭据并将其设置为us-west-2
- 为IAM用户的sts:AssumeRole为EKS角色添加了一个策略,并将其设置为受信任的关系
- 设置kubectl以使用配置文件
当我运行heptio-authenticator-aws令牌-r arn:aws:iam :: **********:role/********* -i时可以获得令牌我的集群 但是,当我尝试访问群集时,我始终收到错误消息:您必须登录到服务器(未经授权)
I can get a token when I run heptio-authenticator-aws token -r arn:aws:iam::**********:role/********* -i my-cluster-ame However when I try to access the cluster I keep receiving error: You must be logged in to the server (Unauthorized)
您知道如何解决此问题吗?
Any idea how to fix this issue?
推荐答案
创建Amazon EKS集群后,创建集群的IAM实体(用户或角色)将以管理员身份添加到Kubernetes RBAC授权表中.最初,只有该IAM用户可以使用kubectl调用Kubernetes API服务器.
When an Amazon EKS cluster is created, the IAM entity (user or role) that creates the cluster is added to the Kubernetes RBAC authorization table as the administrator. Initially, only that IAM user can make calls to the Kubernetes API server using kubectl.
首先要添加对其他 aws 用户的访问权限 您必须编辑ConfigMap才能将IAM用户或角色添加到Amazon EKS集群.
So to add access to other aws users, first you must edit ConfigMap to add an IAM user or role to an Amazon EKS cluster.
您可以通过执行以下操作来编辑ConfigMap文件:
kubectl edit -n kube-system configmap/aws-auth
,之后将授予您用于映射新用户的编辑器.
You can edit the ConfigMap file by executing:
kubectl edit -n kube-system configmap/aws-auth
, after which you will be granted with editor with which you map new users.
apiVersion: v1
data:
mapRoles: |
- rolearn: arn:aws:iam::555555555555:role/devel-worker-nodes-NodeInstanceRole-74RF4UBDUKL6
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
mapUsers: |
- userarn: arn:aws:iam::111122223333:user/ops-user
username: ops-user
groups:
- system:masters
mapAccounts: |
- "111122223333"
将要在其中添加 ops-user 的mapUsers
与mapAccounts
标签一起映射,该标签将 AWS 用户帐户与用户名映射到Kubernetes集群上. /p>
Mind the mapUsers
where you're adding ops-user together with mapAccounts
label which maps the AWS user account with a username on Kubernetes cluster.
但是,仅此操作不会在RBAC中提供任何权限;您仍然必须在集群中创建角色绑定以提供这些实体权限.
However, no permissions are provided in RBAC by this action alone; you must still create role bindings in your cluster to provide these entities permissions.
作为亚马逊文档( iam-docs )指出您需要在kubernetes集群上为ConfigMap中指定的用户创建角色绑定.您可以通过执行休闲命令来做到这一点( kub-docs ):
As the amazon documentation(iam-docs) states you need to create a role binding on the kubernetes cluster for the user specified in the ConfigMap. You can do that by executing fallowing command (kub-docs):
kubectl create clusterrolebinding ops-user-cluster-admin-binding --clusterrole=cluster-admin --user=ops-user
授予整个群集中名为 ops-user 的用户cluster-admin ClusterRole
.
which grants the cluster-admin ClusterRole
to a user named ops-user across the entire cluster.
这篇关于kubectl错误访问EKS集群时必须登录到服务器(未经授权)的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!