I have an EKS cluster with Fargate compute capacity. Now I am adding an EKS node group as additional compute capacity. I have written a Terraform script that creates the EKS node group and a launch template for the new node group.
When I run the Terraform script with the EKS cluster owner role, I get the following error message:
Error: error waiting for EKS Node Group to create: unexpected state 'CREATE_FAILED', wanted target 'ACTIVE'. last error: 1 error occurred:
* : AccessDenied: The aws-auth ConfigMap in your cluster is invalid.
Terraform code:
```hcl
#--- setup launch template for eks nodegroups ---#
resource "aws_launch_template" "eks_launch_template" {
  name     = "launch-template"
  key_name = var.ssh_key_name

  block_device_mappings {
    device_name = "/dev/xvda"
    ebs {
      volume_size = var.disk_size
    }
  }

  tag_specifications {
    resource_type = "instance"
    tags          = merge(var.tags, { Name = "${local.name_prefix}-eks-node" })
  }
  tag_specifications {
    resource_type = "volume"
    tags          = var.tags
  }
  tag_specifications {
    resource_type = "network-interface"
    tags          = var.tags
  }
  tag_specifications {
    resource_type = "spot-instances-request"
    tags          = var.tags
  }

  vpc_security_group_ids = [aws_security_group.eks_worker_node_sg.id]
}

#--- setup eks ondemand nodegroup ---#
resource "aws_eks_node_group" "eks_on_demand" {
  cluster_name    = aws_eks_cluster.eks_cluster.name
  node_group_name = "${local.name_prefix}-group"
  node_role_arn   = aws_iam_role.eks_ec2_role.arn
  subnet_ids      = var.private_subnets
  instance_types  = var.nodegroup_instance_types

  launch_template {
    id      = aws_launch_template.eks_launch_template.id
    version = aws_launch_template.eks_launch_template.latest_version
  }

  scaling_config {
    desired_size = var.desire_size
    max_size     = var.max_size
    min_size     = var.min_size
  }

  update_config {
    max_unavailable = 1
  }

  tags = var.tags

  lifecycle {
    ignore_changes = [scaling_config[0].desired_size]
  }
}

#--- eks ec2 node iam role ---#
resource "aws_iam_role" "eks_ec2_role" {
  name = "${local.name_prefix}-eks-node-role"
  assume_role_policy = jsonencode({
    Statement = [{
      Action = "sts:AssumeRole"
      Effect = "Allow"
      Principal = {
        Service = "ec2.amazonaws.com"
      }
    }]
    Version = "2012-10-17"
  })
}

#--- attach workernode policy to ec2 ---#
resource "aws_iam_role_policy_attachment" "eks_ec2_policy" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
  role       = aws_iam_role.eks_ec2_role.name
}

#--- attach cni policy to ec2 ---#
resource "aws_iam_role_policy_attachment" "eks_ec2_CNI_Policy" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
  role       = aws_iam_role.eks_ec2_role.name
}

#--- attach ecr read access policy to ec2 ---#
resource "aws_iam_role_policy_attachment" "eks_ec2_ecr_read_policy" {
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
  role       = aws_iam_role.eks_ec2_role.name
}
```
The problem was in my aws-auth ConfigMap. It looks like EKS performs validation on the ConfigMap. If your role mappings use a generic username, it throws an error, for example:
```yaml
- groups:
  - Dev-viewer
  rolearn: arn:aws:iam::<>:role/<>
  username: {{SessionName}}
- groups:
  - Dev-manager
  rolearn: arn:aws:iam::<>:role/<>
  username: {{SessionName}}
- groups:
  - Dev-admin
  rolearn: arn:aws:iam::<>:role/<>
  username: {{SessionName}}
```
I changed the username part for each role:
```yaml
- groups:
  - Dev-viewer
  rolearn: arn:aws:iam::<>:role/<>
  username: view-{{SessionName}}
- groups:
  - Dev-manager
  rolearn: arn:aws:iam::<>:role/<>
  username: manager-{{SessionName}}
- groups:
  - Dev-admin
  rolearn: arn:aws:iam::<>:role/<>
  username: admin-{{SessionName}}
```
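As an added illustration (not code from the question or the answer above), here is a small Python check that parses a `mapRoles` fragment in the shape shown in the answer and flags the condition the answer describes: several role ARNs mapped to the same username. Running it before `terraform apply` catches the bad mapping locally instead of after a `CREATE_FAILED` node group. The two sample fragments, the account ID `111122223333` and the role names are constructed placeholders; the check reproduces only the duplicate-username condition from the answer plus basic ARN and group sanity checks, not EKS's actual validation rules, which this page does not list.

```python
import re
from collections import defaultdict

# Constructed sample mapRoles fragments in the shape shown in the answer.
# Account ID and role names are placeholders, not real identities.
MAP_ROLES_BEFORE = """\
- groups:
  - Dev-viewer
  rolearn: arn:aws:iam::111122223333:role/dev-viewer
  username: {{SessionName}}
- groups:
  - Dev-manager
  rolearn: arn:aws:iam::111122223333:role/dev-manager
  username: {{SessionName}}
- groups:
  - Dev-admin
  rolearn: arn:aws:iam::111122223333:role/dev-admin
  username: {{SessionName}}
"""

MAP_ROLES_AFTER = """\
- groups:
  - Dev-viewer
  rolearn: arn:aws:iam::111122223333:role/dev-viewer
  username: view-{{SessionName}}
- groups:
  - Dev-manager
  rolearn: arn:aws:iam::111122223333:role/dev-manager
  username: manager-{{SessionName}}
- groups:
  - Dev-admin
  rolearn: arn:aws:iam::111122223333:role/dev-admin
  username: admin-{{SessionName}}
"""

# Shape of an IAM role ARN: partition, 12-digit account, role name with optional path.
ROLE_ARN = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:role/[\w+=,.@/-]+$")


def parse_map_roles(text):
    """Minimal line-based parser for a mapRoles list whose entries start at column 0.

    It understands only the keys used in aws-auth role mappings (groups, rolearn,
    username); it is not a general YAML parser.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if raw.startswith("- "):            # unindented dash: a new role mapping
            current = {"groups": []}
            entries.append(current)
            line = line[2:].strip()
        elif line.startswith("- "):         # indented dash: an item of the groups list
            if current is None:
                raise ValueError("group item before any mapping entry")
            current["groups"].append(line[2:].strip())
            continue
        if current is None:
            raise ValueError("key/value line before any mapping entry")
        key, sep, value = line.partition(":")
        if sep and key.strip() != "groups":  # "groups:" itself carries no scalar value
            current[key.strip()] = value.strip()
    return entries


def validate_map_roles(entries):
    """Return a list of problems; an empty list means the fragment passes these checks."""
    problems = []
    roles_by_username = defaultdict(list)
    for i, entry in enumerate(entries):
        arn = entry.get("rolearn", "")
        if not ROLE_ARN.match(arn):
            problems.append(f"entry {i}: rolearn {arn!r} is not a well-formed IAM role ARN")
        if not entry.get("groups"):
            problems.append(f"entry {i}: no groups listed")
        username = entry.get("username", "")
        if not username:
            problems.append(f"entry {i}: missing username")
        else:
            roles_by_username[username].append(arn)
    # The condition from the answer: one username shared by several role mappings.
    for username, arns in roles_by_username.items():
        if len(arns) > 1:
            problems.append(
                f"username {username!r} is mapped from {len(arns)} roles: {', '.join(arns)}"
            )
    return problems


if __name__ == "__main__":
    for label, fragment in (("before", MAP_ROLES_BEFORE), ("after", MAP_ROLES_AFTER)):
        found = validate_map_roles(parse_map_roles(fragment))
        print(f"{label}: {'OK' if not found else 'PROBLEMS'}")
        for problem in found:
            print("  -", problem)
```

The "before" fragment reports one problem (the shared `{{SessionName}}` username), the "after" fragment none. To check a live cluster's mapping, feed the function the `mapRoles` value from `kubectl -n kube-system get configmap aws-auth -o yaml`; note the parser expects the list items to start at column 0, so dedent that value first.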