Kops nginx Ingress controller cannot create an AWS Network Load Balancer because of a permissions problem



I created my Kubernetes cluster on AWS using kops. The cluster was created successfully.

When I try to deploy the nginx ingress controller with an AWS Network Load Balancer, it shows a not authorized error. I'm stuck and not sure what this error indicates.

$ kubectl -n nginx-ingress get service 
NAME                                    TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
lb-ingress-nginx-controller             LoadBalancer   100.65.99.173   <pending>     80:30319/TCP,443:31790/TCP   25m
lb-ingress-nginx-controller-admission   ClusterIP      100.65.34.134   <none>        443/TCP                      25m
$ kubectl -n nginx-ingress get service lb-ingress-nginx-controller -o yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    meta.helm.sh/release-name: lb
    meta.helm.sh/release-namespace: nginx-ingress
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
  creationTimestamp: "2022-04-07T16:56:28Z"
  finalizers:
  - service.kubernetes.io/load-balancer-cleanup
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: lb
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.3
    helm.sh/chart: ingress-nginx-4.0.19
  name: lb-ingress-nginx-controller
  namespace: nginx-ingress
  resourceVersion: "5087"
  uid: bf1a7ae0-6ab4-4164-b739-8d0966ea47d6
spec:
  allocateLoadBalancerNodePorts: true
  clusterIP: 100.65.99.173
  clusterIPs:
  - 100.65.99.173
  externalTrafficPolicy: Cluster
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - appProtocol: http
    name: http
    nodePort: 30319
    port: 80
    protocol: TCP
    targetPort: http
  - appProtocol: https
    name: https
    nodePort: 31790
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: lb
    app.kubernetes.io/name: ingress-nginx
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer: {}

In the events I can see:

$ kubectl get events -n nginx-ingress 
26m         Warning   SyncLoadBalancerFailed   service/lb-ingress-nginx-controller                 Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: 91efdfe4-5c0d-48c5-b38d-5d4c11042c43"
26m         Warning   SyncLoadBalancerFailed   service/lb-ingress-nginx-controller                 Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: 30d00f40-1f23-47ef-bda5-8ec255df40fa"
26m         Normal    CREATE                   configmap/lb-ingress-nginx-controller               ConfigMap nginx-ingress/lb-ingress-nginx-controller
26m         Warning   SyncLoadBalancerFailed   service/lb-ingress-nginx-controller                 Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: d346cebd-2a17-4682-a425-969d86380159"
25m         Warning   SyncLoadBalancerFailed   service/lb-ingress-nginx-controller                 Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: 8942201d-a51d-4464-acc1-edc2db92e455"
25m         Warning   SyncLoadBalancerFailed   service/lb-ingress-nginx-controller                 Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: c6992eff-8bcb-4613-b0de-4f51d1642fe8"
23m         Warning   SyncLoadBalancerFailed   service/lb-ingress-nginx-controller                 Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: c089e12d-0e81-4c70-ba67-129f9235b0f4"
21m         Warning   SyncLoadBalancerFailed   service/lb-ingress-nginx-controller                 Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: ae9c57d6-1d4c-4ec8-b5c1-e47adf681bc5"
16m         Warning   SyncLoadBalancerFailed   service/lb-ingress-nginx-controller                 Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: cb3bcc2c-8ff9-4daa-99d9-6c9f1846e9b9"
11m         Warning   SyncLoadBalancerFailed   service/lb-ingress-nginx-controller                 Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: 9bb449ee-b245-47c0-bc9b-20694d33ccf4"
69s         Warning   SyncLoadBalancerFailed   service/lb-ingress-nginx-controller                 (combined from similar events): Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: 9f771f53-786b-4af2-b4e7-37e289084b3d"

Do you recognise the IAM role masters.kops.example.com? You have a component whose IAM role name is masters.kops.example.com, and that role does not have sufficient permissions, in particular for ec2:DescribeInternetGateways.

The kops guide for AWS states:

The kops user will require the following IAM permissions to function properly:
AmazonEC2FullAccess
AmazonRoute53FullAccess
AmazonS3FullAccess
IAMFullAccess
AmazonVPCFullAccess
AmazonSQSFullAccess
AmazonEventBridgeFullAccess

The ec2:DescribeInternetGateways permission is a subset of the permissions in the AmazonEC2FullAccess managed role.

Did you create the correct IAM role for the kops user?
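One way to turn the event above into a concrete check and a least-privilege fix, as an added example that is not part of the question or the answer: it parses the AccessDenied message for the principal and the denied action, prints the `aws iam simulate-principal-policy` command that confirms the gap against the role itself, and renders the kops `spec.additionalPolicies` fragment that grants only that action to the control-plane instance role (the `control-plane` key remark for newer kops releases is an assumption; the event text is constructed from the question's output).

```shell
#!/bin/sh
# Added example, not code from the question or the answer. Input is the
# question's event text with the AWS SDK's "\n\t" before "status code"
# rendered as a space (constructed input).
EVENT='Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways status code: 403, request id: 91efdfe4-5c0d-48c5-b38d-5d4c11042c43"'

# Role name: the segment between "assumed-role/" and the next "/".
denied_role() {
  printf '%s\n' "$1" | sed -n 's/.*assumed-role\/\([^/]*\)\/.*/\1/p'
}

# Account id: the 12 digits inside the STS ARN.
denied_account() {
  printf '%s\n' "$1" | sed -n 's/.*arn:aws:sts::\([0-9]\{12\}\):.*/\1/p'
}

# Action named after "is not authorized to perform:" (service:Operation).
denied_action() {
  printf '%s\n' "$1" | sed -n 's/.*is not authorized to perform: \([A-Za-z0-9]*:[A-Za-z0-9*]*\).*/\1/p'
}

# Policy simulation against the IAM role (not the STS session ARN); run it
# with credentials that hold iam:SimulatePrincipalPolicy.
simulate_cmd() {
  printf 'aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::%s:role/%s --action-names %s\n' \
    "$(denied_account "$1")" "$(denied_role "$1")" "$(denied_action "$1")"
}

# kops cluster-spec fragment granting exactly the denied action. The key is
# "master" in the kops releases of the question's era (assumption: newer
# releases also accept "control-plane").
kops_policy_snippet() {
  cat <<EOF
spec:
  additionalPolicies:
    master: |
      [{"Effect": "Allow", "Action": ["$(denied_action "$1")"], "Resource": ["*"]}]
EOF
}

simulate_cmd "$EVENT"
kops_policy_snippet "$EVENT"
```

Apply the fragment with `kops edit cluster` followed by `kops update cluster --yes`, then re-run the simulation until the action reports allowed.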
