Terraform, EKS and the Cluster Autoscaler

I am trying to deploy cluster-autoscaler to an existing EKS cluster. This is my Terraform code:

resource "aws_iam_policy" "cluster_autoscaler" {
  name        = "ClusterAutoscalerPolicy"
  path        = "/"
  description = "Policy for allowing the cluster autoscaler to modify cluster resources. Managed by Terraform."
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DescribeTags",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeLaunchTemplateVersions"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:SetDesiredCapacity",
        "autoscaling:TerminateInstanceInAutoScalingGroup",
        "ec2:DescribeImages",
        "ec2:GetInstanceTypesFromInstanceRequirements",
        "eks:DescribeNodegroup"
      ],
      "Resource": ["*"]
    }
  ]
}
EOF
}

# IAM role for the cluster-autoscaler pod (IRSA): only the kube-system/cluster-autoscaler
# service account, authenticated through the cluster's OIDC provider, may assume it.
resource "aws_iam_role" "cluster_autoscaler" {
  name = "EKS-ClusterAutoscaler-Role"

  assume_role_policy = jsonencode({
    Version = "2012-10-17",
    Statement = [
      {
        Effect = "Allow",
        Principal = {
          Federated = var.oidc_prvider_arn
        },
        Action = "sts:AssumeRoleWithWebIdentity",
        Condition = {
          StringEquals = {
            "${var.oidc_prvider}:sub" : "system:serviceaccount:kube-system:cluster-autoscaler"
          }
        }
      },
    ]
  })
}

# Attach the autoscaler permissions above to the role (closing brace was missing in the paste).
resource "aws_iam_role_policy_attachment" "cluster_autoscaler" {
  policy_arn = aws_iam_policy.cluster_autoscaler.arn
  role       = aws_iam_role.cluster_autoscaler.name
}

resource "helm_release" "cluster_autoscaler" {
  name       = "cluster-autoscaler"
  repository = "https://kubernetes.github.io/autoscaler"
  chart      = "cluster-autoscaler"
  version    = "v9.35.0"
  namespace  = "kube-system"

  set {
    name  = "autoDiscovery.clusterName"
    value = var.cluster_name
  }

  set {
    name  = "awsRegion"
    value = "eu-west-2"
  }

  set {
    name  = "rbac.create"
    value = "true"
  }

  set {
    name  = "serviceAccount.create"
    value = "true"
  }

  set {
    name  = "serviceAccount.name"
    value = "cluster-autoscaler"
  }

  set {
    name  = "serviceAccount.annotations.eks\\.amazonaws\\.com/role-arn"
    value = var.cluster_autoscaler_role_arn
  }
}

I have two problems here:

1. cluster-autoscaler seems to ignore the values passed with set; for example, "describe pod" shows it running in Kubernetes under a differently named account: service account cluster-autoscaler-aws-cluster-autoscaler.

2. Manually patching that service account and adding the role annotation, following the instructions at https://repost.aws/knowledge-center/eks-load-balancer-webidentityerr, puts cluster-autoscaler into a crash loop:

Failed to regenerate ASG cache: WebIdentityErr: failed to retrieve credentials
caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity

What am I doing wrong here? Any help would be much appreciated.
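A check a practitioner would run at this point, as an added example that is not part of the original post: the trust policy in the post pins the :sub condition to system:serviceaccount:kube-system:cluster-autoscaler, while "describe pod" shows the pod running as cluster-autoscaler-aws-cluster-autoscaler, and STS returns AccessDenied for AssumeRoleWithWebIdentity whenever the token's sub claim fails the role's condition. The Python below reconstructs the posted trust policy and the observed service account, reports such mismatches offline (including the overly permissive case of a statement with no :sub condition at all), and generates a trust policy pinned to the observed account together with the :aud = sts.amazonaws.com condition AWS documents for IRSA. The OIDC provider host and the account id are placeholders, not values from the post.

```python
"""Offline check that an IRSA trust policy admits the service account a pod actually runs as.

Added example; not code from the original post. The OIDC provider host and AWS account id
are placeholders; the policy and observed service account are reconstructed from the post.
"""
import fnmatch
from typing import Dict, List, Union

# Placeholders (assumed): the post's var.oidc_prvider holds the provider host without https://.
OIDC_PROVIDER = "oidc.eks.eu-west-2.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
ACCOUNT_ID = "123456789012"

# Trust policy as the post's aws_iam_role renders it (constructed from the post).
POSTED_POLICY: Dict = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC_PROVIDER}:sub": "system:serviceaccount:kube-system:cluster-autoscaler",
        }},
    }],
}

# Service account the pod was observed running as, per the post's "describe pod" output.
OBSERVED_NS, OBSERVED_SA = "kube-system", "cluster-autoscaler-aws-cluster-autoscaler"


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    """IAM lets most policy fields be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def subject_for(namespace: str, name: str) -> str:
    """The sub claim EKS puts in a pod's projected service-account token."""
    return f"system:serviceaccount:{namespace}:{name}"


def check_trust_policy(policy: Dict, provider: str, namespace: str, name: str) -> List[str]:
    """Return findings for this provider and namespace/name; an empty list means assumable."""
    findings: List[str] = []
    subject = subject_for(namespace, name)
    sub_key, aud_key = f"{provider}:sub", f"{provider}:aud"
    assumable = False
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        federated = _as_list((stmt.get("Principal") or {}).get("Federated"))
        if not any(arn.endswith(f":oidc-provider/{provider}") for arn in federated):
            findings.append("statement trusts an OIDC provider other than this cluster's")
            continue
        cond = stmt.get("Condition", {})
        eq, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
        subs_eq, subs_like = _as_list(eq.get(sub_key)), _as_list(like.get(sub_key))
        if not subs_eq and not subs_like:
            # Without a sub condition every service account in the cluster can assume the role.
            findings.append("no :sub condition: any service account in the cluster can assume this role")
            assumable = True
        # fnmatchcase approximates IAM's * and ? wildcards for StringLike.
        elif subject in subs_eq or any(fnmatch.fnmatchcase(subject, p) for p in subs_like):
            assumable = True
        else:
            findings.append(f"sub condition {subs_eq + subs_like} does not match the pod's {subject}")
        if "sts.amazonaws.com" not in _as_list(eq.get(aud_key)):
            findings.append("missing :aud = sts.amazonaws.com condition")
    if not assumable:
        findings.append(f"sts:AssumeRoleWithWebIdentity would be denied for {subject}")
    return findings


def irsa_trust_policy(provider: str, namespace: str, name: str) -> Dict:
    """Trust policy pinned to one service account, with the aud check AWS documents for IRSA."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{provider}:sub": subject_for(namespace, name),
                f"{provider}:aud": "sts.amazonaws.com",
            }},
        }],
    }


if __name__ == "__main__":
    for finding in check_trust_policy(POSTED_POLICY, OIDC_PROVIDER, OBSERVED_NS, OBSERVED_SA):
        print("finding:", finding)
```

To run it against live values instead of the constructed ones, feed it the output of `aws iam get-role --role-name EKS-ClusterAutoscaler-Role --query Role.AssumeRolePolicyDocument` and the pod's `kubectl -n kube-system get pod <pod> -o jsonpath='{.spec.serviceAccountName}'`; the role is only assumable when the subject built from that service account satisfies the condition exactly.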
