I created my Kubernetes cluster on AWS with kops. The cluster was created successfully.
When I try to deploy the nginx ingress controller with an AWS network load balancer, it shows a not authorized
error. I'm stuck and not sure what this error indicates.
$ kubectl -n nginx-ingress get service
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
lb-ingress-nginx-controller LoadBalancer 100.65.99.173 <pending> 80:30319/TCP,443:31790/TCP 25m
lb-ingress-nginx-controller-admission ClusterIP 100.65.34.134 <none> 443/TCP 25m
$ kubectl -n nginx-ingress get service lb-ingress-nginx-controller -o yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    meta.helm.sh/release-name: lb
    meta.helm.sh/release-namespace: nginx-ingress
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
  creationTimestamp: "2022-04-07T16:56:28Z"
  finalizers:
  - service.kubernetes.io/load-balancer-cleanup
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: lb
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.3
    helm.sh/chart: ingress-nginx-4.0.19
  name: lb-ingress-nginx-controller
  namespace: nginx-ingress
  resourceVersion: "5087"
  uid: bf1a7ae0-6ab4-4164-b739-8d0966ea47d6
spec:
  allocateLoadBalancerNodePorts: true
  clusterIP: 100.65.99.173
  clusterIPs:
  - 100.65.99.173
  externalTrafficPolicy: Cluster
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - appProtocol: http
    name: http
    nodePort: 30319
    port: 80
    protocol: TCP
    targetPort: http
  - appProtocol: https
    name: https
    nodePort: 31790
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: lb
    app.kubernetes.io/name: ingress-nginx
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer: {}
In the events, I can see:
$ kubectl get events -n nginx-ingress
26m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGatewaysntstatus code: 403, request id: 91efdfe4-5c0d-48c5-b38d-5d4c11042c43"
26m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGatewaysntstatus code: 403, request id: 30d00f40-1f23-47ef-bda5-8ec255df40fa"
26m Normal CREATE configmap/lb-ingress-nginx-controller ConfigMap nginx-ingress/lb-ingress-nginx-controller
26m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGatewaysntstatus code: 403, request id: d346cebd-2a17-4682-a425-969d86380159"
25m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGatewaysntstatus code: 403, request id: 8942201d-a51d-4464-acc1-edc2db92e455"
25m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGatewaysntstatus code: 403, request id: c6992eff-8bcb-4613-b0de-4f51d1642fe8"
23m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGatewaysntstatus code: 403, request id: c089e12d-0e81-4c70-ba67-129f9235b0f4"
21m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGatewaysntstatus code: 403, request id: ae9c57d6-1d4c-4ec8-b5c1-e47adf681bc5"
16m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGatewaysntstatus code: 403, request id: cb3bcc2c-8ff9-4daa-99d9-6c9f1846e9b9"
11m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGatewaysntstatus code: 403, request id: 9bb449ee-b245-47c0-bc9b-20694d33ccf4"
69s Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller (combined from similar events): Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGatewaysntstatus code: 403, request id: 9f771f53-786b-4af2-b4e7-37e289084b3d"
Do you recognize the IAM role masters.kops.example.com? You have a component whose IAM role name is masters.kops.example.com, and that role does not have sufficient permissions, specifically for ec2:DescribeInternetGateways.
The kops guide for AWS states:
The kops user will need the following IAM permissions to function properly:
AmazonEC2FullAccess
AmazonRoute53FullAccess
AmazonS3FullAccess
IAMFullAccess
AmazonVPCFullAccess
AmazonSQSFullAccess
AmazonEventBridgeFullAccess
The ec2:DescribeInternetGateways permission is a subset of the permissions in the AmazonEC2FullAccess managed role.
Did you create the correct IAM role for the kops user?
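A way to confirm the diagnosis in the answer above without guessing, as an added example that is not part of the original question or answer: parse the denied action and the principal out of one SyncLoadBalancerFailed event line, map the STS assumed-role ARN to the IAM role ARN, and build a read-only `aws iam simulate-principal-policy` call that reports whether that role is allowed the action. The sample event line is constructed after the ones in the question (the real message carries `\n\t` before `status code`, which the scrape above ran together as `ntstatus`); the script only executes the AWS command when run with `--simulate`, and then assumes an AWS CLI v2 with credentials holding `iam:SimulatePrincipalPolicy`.

```shell
#!/bin/sh
# Added example, not from the original question or answer: turn a
# SyncLoadBalancerFailed event line into a read-only IAM policy simulation
# that shows which action the masters role is missing. Only calls AWS when
# invoked with --simulate (assumes AWS CLI v2 and iam:SimulatePrincipalPolicy).

# Constructed sample line, shaped after the events in the question.
SAMPLE_EVENT='26m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: 91efdfe4-5c0d-48c5-b38d-5d4c11042c43"'

# Extract the denied action (service:Operation) from an AccessDenied message.
denied_action() {
    printf '%s\n' "$1" |
        sed -n 's/.*is not authorized to perform: \([A-Za-z0-9-]*:[A-Za-z0-9]*\).*/\1/p' |
        head -n 1
}

# Map the STS assumed-role ARN in the message to the IAM role ARN that
# simulate-principal-policy expects (arn:aws:iam::ACCOUNT:role/NAME).
denied_role_arn() {
    printf '%s\n' "$1" |
        sed -n 's|.*User: arn:aws:sts::\([0-9]*\):assumed-role/\([^/ ]*\)/.*|arn:aws:iam::\1:role/\2|p' |
        head -n 1
}

# Build the read-only simulation command for one role ARN and one action.
# EvalDecision comes back as allowed, explicitDeny or implicitDeny.
simulate_cmd() {
    printf "aws iam simulate-principal-policy --policy-source-arn %s --action-names %s --query 'EvaluationResults[].[EvalActionName,EvalDecision]' --output text\n" "$1" "$2"
}

action=$(denied_action "$SAMPLE_EVENT")
role_arn=$(denied_role_arn "$SAMPLE_EVENT")
cmd=$(simulate_cmd "$role_arn" "$action")
echo "$cmd"

# Talk to AWS only when explicitly asked; for the role in the question the
# simulation is expected to report implicitDeny until the policy is fixed.
if [ "${1:-}" = "--simulate" ] && command -v aws >/dev/null 2>&1; then
    eval "$cmd"
fi
```

Run it once to see the denial, attach or extend the role's policy as the answer suggests, then run it again with `--simulate`: an `allowed` decision for `ec2:DescribeInternetGateways` means the cloud controller's next sync should succeed, and the same parsing works for any other `AccessDenied` action the events report.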