如何允许其他 AWS 用户访问 EKS?

tag-icon tag-icon amazon-web-services kubernetes amazon-eks
如何允许其他 AWS 用户访问 EKS?

我正在尝试做:

[ec2-user@xxxxxxxxx x]$ aws eks update-kubeconfig --name prod-eks-v2 --role-arn arn:aws:iam::9xxxxxxxxxxeks-v2-cluster-ServiceRole-xxxxxxxxxx

An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:iam::xxxxxxxxxxx:user/ecr is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:eu-west-1:xxxxxxxxxxxxxxx:cluster/prod-eks-v2

这是为了额外的我已添加的用户。我已aws-auth通过添加以下内容将它们添加到 configmap 中:

  mapUsers: |
    - userarn: arn:aws:iam::xxxxxxxxxxxx:user/xxxxxxxxx
    username: admin
    groups:
        - system:masters

尝试手动承担该角色:

aws sts assume-role --role-arn arn:aws:iam::xxxxxxxx:role/eksctl-prod-eks-v2-cluster-ServiceRole-xxxx --role-session-name test-eks-role

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::xxxxxxxxxx:user/ecr is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxx:role/eksctl-prod-eks-v2-cluster-ServiceRole-xxxxxxxxxxxxxx

这是 cluster-ServiceRole 的信任关系 json...:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "eks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

我该如何解决这个问题?我按照以下文档进行操作https://aws.amazon.com/premiumsupport/knowledge-center/amazon-eks-cluster-access/

更新

我修改了信任关系,现在如下:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "eks.amazonaws.com",
        "AWS": "arn:aws:iam::xxxxxxx:user/xxxxxx"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

并且可以成功做到:

aws sts assume-role --role-arn arn:aws:iam::xxxxxxxxxx:role/eksctl-prod-eks-v2-cluster-ServiceRole-OCH0HY9R9WGS --role-session-name test-eks-role

但我...is not authorized to perform: eks:DescribeCluster on resourc...在做的时候仍然会遇到aws eks update-kubeconfig --name prod-eks-v2

更新 2:

我将用户添加到AmazonEKSWorkerNodePolicy角色中,现在我可以使用 ... 成功生成配置,aws eks update-kubeconfig但是当我error: You must be logged in to the server (Unauthorized)通过kubectl...尝试任何操作时,会出现一个错误。

kubeconfig 文件的底部如下所示:

users:
- name: arn:aws:eks:eu-west-1:xxxxxxxxxxxx:cluster/prod-eks-v2
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - token
      - -i
      - prod-eks-v2
      - -r
      - arn:aws:iam::xxxxxx:role/eksctl-prod-eks-v2-cluster-ServiceRole-xxxxxxxxxx
      command: aws-iam-authenticator

更新 3:

非常困惑...我可以手动生成令牌并使用以下命令进行验证:

aws-iam-authenticator token -i prod-eks-v2 -r...
aws-iam-authenticator verify -t ...

但正如提到过做任何与kubectl表演有关的事情error: You must be logged in to the server (Unauthorized)……

正在做kubectl get pods -v=10:显示:

...
I1115 12:36:42.163298   10509 request.go:942] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
...

相关内容