按照本教程操作:https://archive.eksworkshop.com/beginner/091_iam-groups/test-cluster-access/- 我认为这忽略了它试图表达的观点,即直接在Test EKS page
我创建了一个名为的角色,k8sAdmin具有以下策略/信任关系
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
我创建了一个名为的用户组,k8sAdministrators其权限策略如下
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAssumeOrganizationAccountRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::ACCOUNT:role/k8sAdmin"
}
]
}
我已经修改了kube-system aws-authConfigMap 来为k8sAdmin角色分配权限。
apiVersion: v1
data:
mapRoles: |
- groups:
- system:bootstrappers
- system:nodes
rolearn: arn:aws:iam::ACCOUNT:role/eksctl-production-nodegrou-NodeInstanceRole
username: system:node:{{EC2PrivateDNSName}}
- groups:
- system:masters
rolearn: arn:aws:iam::ACCOUNT:role/k8sAdmin
username: admin
mapUsers: |
[]
当我直接担任该角色时,我可以访问集群。但目标是允许组中的任何用户k8sAdministrators访问集群,因为该组有权担任该角色。
不适用于当前配置,组成员无权访问集群。