那里
Eks正试图使用外部机密,但发生了相关错误。
{"级别":50,"消息时间":"2021-08-17T14:01:55.862Z","pid":17,"主机名":"knowre-kubernetes-external-secrets-68dff667d9-t9zvs","有效载荷":{"消息":"丢失配置中的凭据,如果使用AWS_config_FILE,则设置LOAD_ CONFIG=1"代码":"CredentialsError"时间":"2021-08-17T14:01:55.862Z"requestId":"44fceebd-67df-47d6-89a7-8d8470326d87〃"statusCode":403;可重试":false;retryDelay":71.51677548097439;originalError":{"消息":"可以不从加载凭据ChainableTemporaryCredentials"代码":"CredentialsError"时间":"2021-08-17T14:01:55.862Z"requestId":"44fceebd-67df-47d6-89a7-8d8470326d87〃"statusCode":403;可重试":false;retryDelay":71.51677548097439;originalError":{"消息":"用户:arn:aws:sts::*******:假定角色/eks节点/i-0f522dc3109b242448为未被授权对资源执行:sts:AsseumeRolearn:aws:iam::*****:角色/外部秘密"quot;代码":"AccessDenied"时间":"2021-08-17T14:01:55.862Z"requestId":"44fceebd-67df-47d6-89a7-8d8470326d87〃"statusCode":403;可重试":false;retryDelay":71.51677548097439}},";msg":"失败在轮询秘密管理/外部秘密"}时
授予管理员权限的所有权限
这是我的yaml。
spec:
backendType: systemManager
# optional: specify role to assume when retrieving the data
roleArn: arn:aws:iam::********:role/external-secret
# optional: specify region
region: ap-northeast-2
data:
- key: EKS_TEST
name: test
--
imagePullPolicy: IfNotPresent
resources:
{}
env:
- name: "AWS_REGION"
value: "ap-northeast-2"
- name: "POLLER_INTERVAL_MILLISECONDS"
value: "15000"
# Params for env vars populated from k8s secrets
securityContext:
fsGroup: 65534
runAsNonRoot: false
授权oidc并建立aws角色的信任。
外部秘密操作员,默认创建服务帐户,检查舵图值
因此,这里的问题可能是服务帐户可能没有足够的权限,即
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecretVersionIds"
],
"Resource": [
"arn:aws:secretsmanager:us-west-2:111122223333:secret:dev-*",
]
}
]
}
您可以在安装过程中使用支持的舵图值(即)创建角色并指定角色
serviceAccount:
# Specifies whether a service account should be created
create: true
# Specifies annotations for this service account
annotations:
eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT_ID:role/IAM_ROLE_NAME
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: my-service-account
附言:这个项目已被否决。我建议迁移到外部机密。