我已经使用terraform创建了一个新的eks集群,当两名开发人员试图在aws控制台中访问集群时,他们收到了以下错误。
有人能告诉我我缺了什么吗。
集群版本:1.18
User: arn:aws:iam::xxxx:user/yyy is not authorized to perform: eks:AccessKubernetesApi on resource: arn:aws:eks:us-east-1:xxxx:cluster/cluster
每个用户都附有此策略的
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"eks:ListFargateProfiles",
"eks:DescribeNodegroup",
"eks:ListNodegroups",
"eks:DescribeFargateProfile",
"eks:ListTagsForResource",
"eks:ListUpdates",
"eks:DescribeUpdate",
"eks:DescribeCluster",
"eks:ListClusters"
],
"Resource": "*"
}
]
}
我的aws身份验证配置看起来像
apiVersion: v1
data:
mapRoles: |
- rolearn: arn:aws:iam::xxxx:role/cluster182020111918162137770000002f
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
- groups:
- system:masters
rolearn: arn:aws:iam::xxxx:role/abc-role
username: abc-xac
- groups:
- system:bootstrappers
- system:nodes
rolearn: arn:aws:iam::xxx:role/cluster_eks_worker_role
username: system:node:{{EC2PrivateDNSName}}
mapUsers: |
- groups:
- system:developers
userarn: arn:aws:iam::xxx:user/yyy
username: yyy
....
已经提到用户错误地无法访问eks:AccessKubernetesApi。
只需将其添加到IAM角色中即可。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"eks:AccessKubernetesApi",
"eks:ListFargateProfiles",
"eks:DescribeNodegroup",
"eks:ListNodegroups",
"eks:DescribeFargateProfile",
"eks:ListTagsForResource",
"eks:ListUpdates",
"eks:DescribeUpdate",
"eks:DescribeCluster",
"eks:ListClusters"
],
"Resource": "*"
}
]
}