我正在尝试将AWS IAM角色(联合(映射到EKS RBAC,尝试遵循本教程,但仍然会得到错误
➜ kubectl edit configmap aws-auth -n kube-system
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
mapAccounts: |
[]
mapRoles: |
- "groups":
- "system:bootstrappers"
- "system:nodes"
"rolearn": "arn:aws:iam::xxx:role/edna-dev-eks200000005"
"username": "system:node:{{EC2PrivateDNSName}}"
- "rolearn": "arn:aws:iam::xxx:role/team-developers"
"username": "developer"
"groups":
- "system:master"
mapUsers: |
[]
kind: ConfigMap
metadata:
creationTimestamp: "2020-06-11T19:40:47Z"
name: aws-auth
namespace: kube-system
resourceVersion: "4627634"
selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
uid: 137288f1-ae32-4a6f-b3d5-8dbd1da1e21d
➜ k get pods -n edna
Error from server (Forbidden): pods is forbidden: User "developer" cannot list resource "pods" in API group "" in the namespace "edna"
我需要为名称为"的用户创建RBAC吗;显影剂";并映射所有权限?如果是这样的话,做这件事的正确方法是什么?
我已经用kubectl krew安装了rakkes,如果我用AWS安全短期凭据尝试,我会得到这个:
➜ k access-matrix -n edna
NAME LIST CREATE UPDATE DELETE
bindings ✖
certificaterequests.cert-manager.io ✖ ✖ ✖ ✖
certificates.cert-manager.io ✖ ✖ ✖ ✖
challenges.acme.cert-manager.io ✖ ✖ ✖ ✖
configmaps ✖ ✖ ✖ ✖
controllerrevisions.apps ✖ ✖ ✖ ✖
cronjobs.batch ✖ ✖ ✖ ✖
daemonsets.apps ✖ ✖ ✖ ✖
deployments.apps ✖ ✖ ✖ ✖
endpoints ✖ ✖ ✖ ✖
events ✖ ✖ ✖ ✖
events.events.k8s.io ✖ ✖ ✖ ✖
horizontalpodautoscalers.autoscaling ✖ ✖ ✖ ✖
ingresses.extensions ✖ ✖ ✖ ✖
ingresses.networking.k8s.io ✖ ✖ ✖ ✖
issuers.cert-manager.io ✖ ✖ ✖ ✖
jobs.batch ✖ ✖ ✖ ✖
leases.coordination.k8s.io ✖ ✖ ✖ ✖
limitranges ✖ ✖ ✖ ✖
localsubjectaccessreviews.authorization.k8s.io ✖
networkpolicies.networking.k8s.io ✖ ✖ ✖ ✖
orders.acme.cert-manager.io ✖ ✖ ✖ ✖
persistentvolumeclaims ✖ ✖ ✖ ✖
poddisruptionbudgets.policy ✖ ✖ ✖ ✖
pods ✖ ✖ ✖ ✖
podtemplates ✖ ✖ ✖ ✖
replicasets.apps ✖ ✖ ✖ ✖
replicationcontrollers ✖ ✖ ✖ ✖
resourcequotas ✖ ✖ ✖ ✖
rolebindings.rbac.authorization.k8s.io ✖ ✖ ✖ ✖
roles.rbac.authorization.k8s.io ✖ ✖ ✖ ✖
secrets ✖ ✖ ✖ ✖
serviceaccounts ✖ ✖ ✖ ✖
services ✖ ✖ ✖ ✖
statefulsets.apps ✖ ✖ ✖ ✖
谢谢,德米特里
您需要拥有角色和角色绑定来列出该命名空间的pod
-
创建角色
kubectl create role developer --verb=get,list,watch --resource=pods,pods/status --namespace=edna -
该角色的角色绑定
kubectl create rolebinding developer-binding --role=developer --user=developer --serviceaccount=edna:default -n edna -
在此之后,运行此命令以检查是否可以访问。
kubectl auth can-i get pods -n edna --as developer,此命令将返回yes,然后您的问题得到解决。
有关更多信息,请参阅本文档
https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-和集群角色绑定