I am currently trying to set up an EKS cluster on AWS using CloudFormation. I have been following the guide at https://en.sokube.ch/post/aws-kubernetes-aws-elastic-kubernetes-service-eks.
However, after my EKS cluster has been created successfully, I cannot interact with it through kubectl, because I always get error: You must be logged in to the server (Unauthorized)
. I am stuck on what I am doing wrong.
One hint as to what the problem might be is that I created the stack through the AWS console rather than the AWS CLI, so it is a different user. But I don't understand why that would be a problem when the CLI user has full permissions, and I could not find any information on how to allow other IAM users in this case.
The IAM user I am logged in as with the AWS CLI has the AdministratorAccess
policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
The console commands I ran
~/workspace/Archipelago(master*) » aws eks --region us-west-2 describe-cluster --name archipelago-alpha-eks --query "cluster.status" --output text | cat
ACTIVE
~/workspace/Archipelago(master*) » aws eks --region us-west-2 update-kubeconfig --name archipelago-alpha-eks
Added new context arn:aws:eks:us-west-2:075174350620:cluster/archipelago-alpha-eks to /home/kasper/.kube/config
~/workspace/Archipelago(master*) » kubectl get node
error: You must be logged in to the server (Unauthorized)
My full CloudFormation template
AWSTemplateFormatVersion: "2010-09-09"
Description: ""
Parameters:
  env:
    Type: "String"
    Default: "local"
Mappings:
  ServicePrincipals:
    aws-cn:
      ec2: ec2.amazonaws.com.cn
    aws:
      ec2: ec2.amazonaws.com
Resources:
  eksVPC:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 10.0.0.0/16
      EnableDnsSupport: true
      EnableDnsHostnames: true
      Tags:
        - Key: Name
          Value: !Sub "archipelago-${env}-eks-vpc"
        - Key: Project
          Value: !Sub "archipelago-${env}-eks"
  eksInternetGateway:
    Type: AWS::EC2::InternetGateway
    Properties:
      Tags:
        - Key: Name
          Value: !Sub "archipelago-${env}-eks-InternetGateway"
        - Key: Project
          Value: !Sub "archipelago-${env}-eks"
  eksVPCGatewayAttachment:
    Type: AWS::EC2::VPCGatewayAttachment
    Properties:
      InternetGatewayId: !Ref eksInternetGateway
      VpcId: !Ref eksVPC
  eksPublicRouteTable:
    Type: AWS::EC2::RouteTable
    Properties:
      VpcId: !Ref eksVPC
      Tags:
        - Key: Name
          Value: !Sub "archipelago-${env}-eks-RouteTable"
        - Key: Project
          Value: !Sub "archipelago-${env}-eks"
  eksPublicRoute:
    DependsOn: eksVPCGatewayAttachment
    Type: AWS::EC2::Route
    Properties:
      RouteTableId: !Ref eksPublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref eksInternetGateway
  eksPublicSubnet01:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-west-2a
      MapPublicIpOnLaunch: true
      CidrBlock: 10.0.0.0/24
      VpcId:
        Ref: eksVPC
      Tags:
        - Key: Name
          Value: !Sub "archipelago-${env}-eks-PublicSubnet01"
        - Key: Project
          Value: !Sub "archipelago-${env}-eks"
  eksPublicSubnet02:
    Type: AWS::EC2::Subnet
    Properties:
      AvailabilityZone: us-west-2b
      MapPublicIpOnLaunch: true
      CidrBlock: 10.0.1.0/24
      VpcId:
        Ref: eksVPC
      Tags:
        - Key: Name
          Value: !Sub "archipelago-${env}-eks-PublicSubnet02"
        - Key: Project
          Value: !Sub "archipelago-${env}-eks"
  eksPublicSubnet01RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref eksPublicSubnet01
      RouteTableId: !Ref eksPublicRouteTable
  eksPublicSubnet02RouteTableAssociation:
    Type: AWS::EC2::SubnetRouteTableAssociation
    Properties:
      SubnetId: !Ref eksPublicSubnet02
      RouteTableId: !Ref eksPublicRouteTable
  eksSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Cluster communication with worker nodes
      VpcId: !Ref eksVPC
      Tags:
        - Key: Name
          Value: !Sub "archipelago-${env}-eks-SecurityGroup"
        - Key: Project
          Value: !Sub "archipelago-${env}-eks"
  eksIAMRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - eks.amazonaws.com
            Action:
              - "sts:AssumeRole"
      RoleName: EKSClusterRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
  eksCluster:
    Type: AWS::EKS::Cluster
    Properties:
      Name: !Sub "archipelago-${env}-eks"
      Version: 1.19
      RoleArn:
        "Fn::GetAtt": ["eksIAMRole", "Arn"]
      ResourcesVpcConfig:
        SecurityGroupIds:
          - !Ref eksSecurityGroup
        SubnetIds:
          - !Ref eksPublicSubnet01
          - !Ref eksPublicSubnet02
    DependsOn: [eksIAMRole, eksPublicSubnet01, eksPublicSubnet02, eksSecurityGroup]
  eksNodeInstanceRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - !FindInMap [ServicePrincipals, !Ref "AWS::Partition", ec2]
            Action:
              - "sts:AssumeRole"
      ManagedPolicyArns:
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy"
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEKS_CNI_Policy"
        - !Sub "arn:${AWS::Partition}:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
      Path: /
  eksNodeGroup:
    Type: AWS::EKS::Nodegroup
    Properties:
      ClusterName: !Sub "archipelago-${env}-eks"
      NodeRole:
        "Fn::GetAtt": ["eksNodeInstanceRole", "Arn"]
      AmiType: AL2_x86_64
      InstanceTypes:
        - t3a.medium
      NodegroupName: !Sub "archipelago-${env}-eks-NodeGroup01"
      RemoteAccess:
        Ec2SshKey: !Sub "archipelago-${env}-eks-key"
      ScalingConfig:
        MinSize: 1
        DesiredSize: 1
        MaxSize: 3
      Labels:
        Project: !Sub "archipelago-${env}-eks"
      Subnets:
        - !Ref eksPublicSubnet01
        - !Ref eksPublicSubnet02
    DependsOn: [eksCluster, eksNodeInstanceRole]
The user or role that created the EKS cluster is the only IAM entity that has access to the EKS cluster. From the docs:
When an Amazon EKS cluster is created, the IAM entity user or role (such as a federated user that creates the cluster) is automatically granted system:masters permissions in the cluster's RBAC configuration in the control plane. This IAM entity does not appear in the ConfigMap or any other visible configuration, so make sure to keep track of which IAM entity originally created the cluster. To grant additional AWS users or roles the ability to interact with your cluster, you must edit the aws-auth ConfigMap within Kubernetes.
Kubernetes has its own permission model, so you need to use the link above to add other users to your EKS cluster.
You can edit the aws-auth ConfigMap as shown below:
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapUsers: |
    - userarn: YOUR_IAM_USER_ARN
      username: YOUR_USER_NAME
      groups:
        - system:masters
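An added example, not code from the question or the answer above: a shell script that turns the identity reported by aws sts get-caller-identity into the ARN form aws-auth expects, renders the matching mapUsers or mapRoles entry, and, when run with apply, merges that entry into the existing kube-system/aws-auth ConfigMap instead of overwriting it, so the node group's mapRoles entry survives. The cluster name, region, AWS profile name and account number are placeholders. Two points the answer's snippet does not spell out: the apply step must run with the credentials of the principal that created the stack (for a stack launched from the console that is the console user, unless the stack was given a CloudFormation service role, in which case that role is the creator), and an assumed-role identity shows up from STS as arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION, while aws-auth wants arn:aws:iam::ACCOUNT:role/ROLE with no path and no session name. system:masters is cluster-admin; for anyone other than the cluster operator, map to a group bound to a narrower ClusterRole instead.

```shell
#!/usr/bin/env bash
# Added example (not code from the question or the answer): grant a second IAM
# principal access to an EKS cluster by adding it to kube-system/aws-auth.
# Cluster name, region, profile name and the ARNs below are placeholders.
set -eu

# Convert the ARN printed by `aws sts get-caller-identity --query Arn` into the
# form aws-auth expects. STS reports an assumed role as
#   arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION
# but aws-auth wants the IAM role ARN without path or session name:
#   arn:aws:iam::ACCOUNT:role/ROLE
# IAM user ARNs pass through unchanged; IAM role ARNs have their path stripped.
iam_arn_from_caller() {
  local arn="$1" partition account role
  case "$arn" in
    arn:aws*:sts::*:assumed-role/*)
      partition="${arn#arn:}";        partition="${partition%%:*}"
      account="${arn#arn:*:sts::}";   account="${account%%:*}"
      role="${arn##*:assumed-role/}"; role="${role%%/*}"
      printf 'arn:%s:iam::%s:role/%s\n' "$partition" "$account" "$role"
      ;;
    arn:aws*:iam::*:role/*)
      printf '%s:role/%s\n' "${arn%%:role/*}" "${arn##*/}"
      ;;
    arn:aws*:iam::*:user/*)
      printf '%s\n' "$arn"
      ;;
    *)
      echo "unrecognised principal ARN: $arn" >&2
      return 1
      ;;
  esac
}

# Render one list item for mapUsers (IAM user) or mapRoles (IAM role).
# $1 = IAM ARN, $2 = Kubernetes username, remaining args = Kubernetes groups.
render_aws_auth_entry() {
  local arn="$1" username="$2" key g
  shift 2
  case "$arn" in
    arn:aws*:iam::*:user/*) key=userarn ;;
    arn:aws*:iam::*:role/*) key=rolearn ;;
    *) echo "not an IAM user or role ARN: $arn" >&2; return 1 ;;
  esac
  printf -- '- %s: %s\n  username: %s\n  groups:\n' "$key" "$arn" "$username"
  for g in "$@"; do
    printf -- '    - %s\n' "$g"
  done
}

# Merge the entry into the live ConfigMap. Run under the credentials of the
# principal that created the cluster (placeholder profile "console-admin"):
# until aws-auth is edited, that is the only principal the cluster recognises.
# Appending to the existing key keeps the node group's mapRoles entry intact.
apply_entry() {
  local cluster="$1" region="$2" creator_profile="$3" arn="$4" username="$5"
  shift 5
  local key=mapUsers entry current
  case "$arn" in *:role/*) key=mapRoles ;; esac
  entry="$(render_aws_auth_entry "$arn" "$username" "$@")"

  export AWS_PROFILE="$creator_profile"
  aws eks update-kubeconfig --name "$cluster" --region "$region"
  current="$(kubectl -n kube-system get configmap aws-auth \
               -o "jsonpath={.data.$key}" 2>/dev/null || true)"
  # kubectl patch accepts a YAML patch; the block scalar carries old + new entries.
  kubectl -n kube-system patch configmap aws-auth --type merge -p "$(
    printf 'data:\n  %s: |\n' "$key"
    printf '%s\n%s\n' "$current" "$entry" | sed -e '/^$/d' -e 's/^/    /'
  )"
}

# Offline demonstration with a constructed caller ARN (no AWS or kubectl calls).
demo_caller='arn:aws:sts::123456789012:assumed-role/Deployer/kasper'
render_aws_auth_entry "$(iam_arn_from_caller "$demo_caller")" deployer system:masters

# Real run, from a shell whose default credentials are the CLI identity to add:
#   ./add-eks-principal.sh apply archipelago-alpha-eks us-west-2 console-admin \
#     "$(iam_arn_from_caller "$(aws sts get-caller-identity --query Arn --output text)")" \
#     kasper system:masters
if [ "${1:-}" = apply ]; then
  shift
  apply_entry "$@"
fi
```

After the patch, re-run aws eks update-kubeconfig without the creator profile and kubectl get node should succeed for the added principal; kubectl -n kube-system get configmap aws-auth -o yaml shows both the node role mapping and the new entry.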