I am trying to deploy cluster-autoscaler to an existing EKS cluster. Here is my Terraform code:
```hcl
resource "aws_iam_policy" "cluster_autoscaler" {
  name        = "ClusterAutoscalerPolicy"
  path        = "/"
  description = "Policy for allowing the cluster autoscaler to modify cluster resources. Managed by Terraform."
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DescribeTags",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeLaunchTemplateVersions"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:SetDesiredCapacity",
        "autoscaling:TerminateInstanceInAutoScalingGroup",
        "ec2:DescribeImages",
        "ec2:GetInstanceTypesFromInstanceRequirements",
        "eks:DescribeNodegroup"
      ],
      "Resource": ["*"]
    }
  ]
}
EOF
}

resource "aws_iam_role" "cluster_autoscaler" {
  name = "EKS-ClusterAutoscaler-Role"
  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect = "Allow",
        Principal = {
          Federated = "${var.oidc_prvider_arn}"
        },
        Action = "sts:AssumeRoleWithWebIdentity",
        Condition = {
          StringEquals = {
            "${var.oidc_prvider}:sub" : "system:serviceaccount:kube-system:cluster-autoscaler"
          }
        }
      },
    ]
  })
}

# Attach the policy above to the IRSA role.
resource "aws_iam_role_policy_attachment" "cluster_autoscaler" {
  policy_arn = aws_iam_policy.cluster_autoscaler.arn
  role       = aws_iam_role.cluster_autoscaler.name
}

resource "helm_release" "cluster_autoscaler" {
  name       = "cluster-autoscaler"
  repository = "https://kubernetes.github.io/autoscaler"
  chart      = "cluster-autoscaler"
  version    = "v9.35.0"
  namespace  = "kube-system"

  set {
    name  = "autoDiscovery.clusterName"
    value = var.cluster_name
  }
  set {
    name  = "awsRegion"
    value = "eu-west-2"
  }
  set {
    name  = "rbac.create"
    value = "true"
  }
  set {
    name  = "serviceAccount.create"
    value = "true"
  }
  set {
    name  = "serviceAccount.name"
    value = "cluster-autoscaler"
  }
  set {
    name  = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
    value = var.cluster_autoscaler_role_arn
  }
}
```
I have two problems here:

1. cluster-autoscaler seems to ignore the values I set; for example, `describe pod` shows it running in Kubernetes under a differently named account: Service Account: cluster-autoscaler-aws-cluster-autoscaler
2. Manually patching that service account and adding the role annotation as described in https://repost.aws/knowledge-center/eks-load-balancer-webidentityerr puts cluster-autoscaler into a crash loop:

    Failed to regenerate ASG cache: WebIdentityErr: failed to retrieve credentials caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity

What am I doing wrong here? Any help is greatly appreciated.
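The AccessDenied on sts:AssumeRoleWithWebIdentity above is what STS returns when the `sub` claim in the pod's projected service-account token does not satisfy the `<oidc-provider>:sub` condition in the role's trust policy. Since the trust policy in the post names `system:serviceaccount:kube-system:cluster-autoscaler` while the pod is reported to run as `cluster-autoscaler-aws-cluster-autoscaler`, a useful check is to evaluate the trust policy against the service account the pod actually uses. The script below is an added example, not code from the original post; it assumes the trust-policy JSON has already been fetched (for instance with `aws iam get-role`) and uses a constructed placeholder OIDC provider, account id and service-account names.

```python
"""Evaluate an EKS IRSA trust policy against a Kubernetes service account.

Added example, not part of the original post. Works offline on a constructed
trust policy; swap in the JSON returned by `aws iam get-role` for a real check.
"""
import fnmatch
import json

# Constructed placeholder for the cluster's OIDC issuer (host/path, no scheme).
OIDC_PROVIDER = "oidc.eks.eu-west-2.amazonaws.com/id/EXAMPLEOIDCID"
# Constructed placeholder account id.
ACCOUNT_ID = "123456789012"


def make_trust_policy(oidc_provider, operator, subject):
    """Build a trust policy of the same shape as the one in the post.

    operator is "StringEquals" or "StringLike"; subject is the sub pattern.
    """
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{oidc_provider}"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {operator: {f"{oidc_provider}:sub": subject}},
        }],
    })


# Constructed policy mirroring the post: exact match on kube-system:cluster-autoscaler.
TRUST_POLICY = make_trust_policy(
    OIDC_PROVIDER, "StringEquals", "system:serviceaccount:kube-system:cluster-autoscaler"
)


def _as_list(value):
    """IAM allows scalars or lists for Action and condition values."""
    return value if isinstance(value, list) else [value]


def allowed_subjects(trust_policy, oidc_provider):
    """Collect the sub constraints from Allow statements for AssumeRoleWithWebIdentity.

    Returns (equals, like, unrestricted). unrestricted is True when some Allow
    statement grants the action with no sub condition at all, which would let
    any service account in the cluster assume the role.
    """
    key = f"{oidc_provider}:sub"
    equals, like, unrestricted = [], [], False
    for stmt in _as_list(json.loads(trust_policy).get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
            continue
        cond = stmt.get("Condition", {})
        eq = _as_list(cond.get("StringEquals", {}).get(key, []))
        lk = _as_list(cond.get("StringLike", {}).get(key, []))
        if not eq and not lk:
            unrestricted = True
        equals.extend(eq)
        like.extend(lk)
    return equals, like, unrestricted


def service_account_allowed(trust_policy, oidc_provider, namespace, name):
    """True if a token issued for namespace/name satisfies the trust policy."""
    sub = f"system:serviceaccount:{namespace}:{name}"
    equals, like, unrestricted = allowed_subjects(trust_policy, oidc_provider)
    if unrestricted:
        return True
    # IAM StringLike supports * and ?; fnmatch covers both (and also [...]).
    return sub in equals or any(fnmatch.fnmatchcase(sub, p) for p in like)


def explain(trust_policy, oidc_provider, namespace, name):
    """Human-readable verdict for the given service account."""
    equals, like, unrestricted = allowed_subjects(trust_policy, oidc_provider)
    sub = f"system:serviceaccount:{namespace}:{name}"
    if unrestricted:
        return f"WARNING: role trusts any service account (no sub condition); {sub} allowed"
    if service_account_allowed(trust_policy, oidc_provider, namespace, name):
        return f"OK: {sub} matches trust policy"
    return f"DENIED: {sub} not in StringEquals {equals} and no StringLike {like} matches"


if __name__ == "__main__":
    # The name in the trust policy versus the name the pod is reported to run as.
    for sa in ("cluster-autoscaler", "cluster-autoscaler-aws-cluster-autoscaler"):
        print(explain(TRUST_POLICY, OIDC_PROVIDER, "kube-system", sa))
```

The check is deliberately strict about the namespace as well as the name, because the `sub` claim carries both; a role trusting `kube-system:cluster-autoscaler` will refuse a same-named service account in another namespace. The `unrestricted` flag is there so the same tool flags the opposite failure mode, a trust policy that was loosened to "make it work" and now lets any pod in the cluster assume the role.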