启用 AWS Group 访问 AWS EKS 集群 [英] Enabling AWS Group to access AWS EKS cluster

问题描述

这个问题本质上是将 IAM 组添加到 AWS EKS 中的 aws-auth configmap 的副本.但是，该问题没有公认的答案，我想提供更多背景信息.

This question is essentially a duplicate of Adding IAM Group to aws-auth configmap in AWS EKS. However, the question does not have an accepted answer and I would like to provide more context.

我知道 aws-auth ConfigMap 对象不允许直接映射 AWS 组.一种解决方法是映射 AWS 角色.我试过了，但无法让它工作.映射 AWS 用户没有问题.

I know that aws-auth ConfigMap object does not allow mapping AWS Group directly. A workaround would be to map an AWS Role instead. I tried that but were unable to get it working. Mapping an AWS User works without issues.

我设置了一个 AWS 角色 arn:aws:iam::027755483893:role/development-readwrite，账户 027755483893 作为受信任实体，并附加了以下信任策略:

I setup an AWS Role arn:aws:iam::027755483893:role/development-readwrite with account 027755483893 as being the trusted entity and attached the following trust policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::027755483893:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

我设置了一个 AWS 组 arn:aws:iam::027755483893:group/development-readwrite 并附加了以下策略:

I setup an AWS Group arn:aws:iam::027755483893:group/development-readwrite and attached the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "arn:aws:iam::027755483893:role/development-readwrite"
            ]
        }
    ]
}

我将 aws-auth ConfigMap 设置如下:

I setup the aws-auth ConfigMap as follows:

apiVersion: v1
data:
  mapRoles: |
    # Other mappings omitted for clarity
    - groups:
      - system:masters
      rolearn: arn:aws:iam::027755483893:role/development-readwrite
  mapUsers: |
    []
kind: ConfigMap
metadata:
  creationTimestamp: "2019-08-21T08:25:15Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "62031092"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: 33b33620-c3ed-11e9-83c0-029bc9dcca16

但是，该组中的所有用户均无权访问该集群.用户是否需要明确承担角色?还有什么我遗漏的吗?

However, none of the users in the group have access to the cluster. Do the users need to explicitly assume role? Is there anything else I'm missing?

推荐答案

在这种情况下，用户确实需要明确承担角色.用户可以承担角色的事实不足以让他们实际访问集群.

In this case the users indeed need to explicitly assume the role. The fact that the users can assume the role is not enough for them to actually have access to the cluster.

可以为您的用户简化它的一种方法是通过 使用 aws get token 调用创建 kubeconfig.这允许您指定要为集群承担的角色的 role_arn.

One approach that can simplify it for your users is by creating a kubeconfig with the aws get token call. This allows you to specify a role_arn of a role to assume for the cluster.

这篇关于启用 AWS Group 访问 AWS EKS 集群的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！