2

我正在尝试将 AWS IAM 角色(联合)映射到 EKS RBAC,尝试按照教程进行操作,但仍然出现错误

➜ kubectl edit configmap aws-auth -n kube-system

# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapAccounts: |
    []
  mapRoles: |
    - "groups":
      - "system:bootstrappers"
      - "system:nodes"
      "rolearn": "arn:aws:iam::xxx:role/edna-dev-eks200000005"
      "username": "system:node:{{EC2PrivateDNSName}}"
    - "rolearn": "arn:aws:iam::xxx:role/team-developers"
      "username": "developer"
      "groups":
        - "system:master"
  mapUsers: |
    []
kind: ConfigMap
metadata:
  creationTimestamp: "2020-06-11T19:40:47Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "4627634"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: 137288f1-ae32-4a6f-b3d5-8dbd1da1e21d


➜ k get pods -n edna
Error from server (Forbidden): pods is forbidden: User "developer" cannot list resource "pods" in API group "" in the namespace "edna"

我是否需要为名为“开发者”的用户创建 RBAC 并映射所有权限?如果是这样,那么正确的做法是什么?

我已经使用 kubectl krew 安装了 rakkess,如果我使用 AWS 安全短期凭证进行尝试,我会得到以下信息:

➜ k access-matrix -n edna           
NAME                                            LIST  CREATE  UPDATE  DELETE
bindings                                              ✖               
certificaterequests.cert-manager.io             ✖     ✖       ✖       ✖
certificates.cert-manager.io                    ✖     ✖       ✖       ✖
challenges.acme.cert-manager.io                 ✖     ✖       ✖       ✖
configmaps                                      ✖     ✖       ✖       ✖
controllerrevisions.apps                        ✖     ✖       ✖       ✖
cronjobs.batch                                  ✖     ✖       ✖       ✖
daemonsets.apps                                 ✖     ✖       ✖       ✖
deployments.apps                                ✖     ✖       ✖       ✖
endpoints                                       ✖     ✖       ✖       ✖
events                                          ✖     ✖       ✖       ✖
events.events.k8s.io                            ✖     ✖       ✖       ✖
horizontalpodautoscalers.autoscaling            ✖     ✖       ✖       ✖
ingresses.extensions                            ✖     ✖       ✖       ✖
ingresses.networking.k8s.io                     ✖     ✖       ✖       ✖
issuers.cert-manager.io                         ✖     ✖       ✖       ✖
jobs.batch                                      ✖     ✖       ✖       ✖
leases.coordination.k8s.io                      ✖     ✖       ✖       ✖
limitranges                                     ✖     ✖       ✖       ✖
localsubjectaccessreviews.authorization.k8s.io        ✖               
networkpolicies.networking.k8s.io               ✖     ✖       ✖       ✖
orders.acme.cert-manager.io                     ✖     ✖       ✖       ✖
persistentvolumeclaims                          ✖     ✖       ✖       ✖
poddisruptionbudgets.policy                     ✖     ✖       ✖       ✖
pods                                            ✖     ✖       ✖       ✖
podtemplates                                    ✖     ✖       ✖       ✖
replicasets.apps                                ✖     ✖       ✖       ✖
replicationcontrollers                          ✖     ✖       ✖       ✖
resourcequotas                                  ✖     ✖       ✖       ✖
rolebindings.rbac.authorization.k8s.io          ✖     ✖       ✖       ✖
roles.rbac.authorization.k8s.io                 ✖     ✖       ✖       ✖
secrets                                         ✖     ✖       ✖       ✖
serviceaccounts                                 ✖     ✖       ✖       ✖
services                                        ✖     ✖       ✖       ✖
statefulsets.apps                               ✖     ✖       ✖       ✖

谢谢,德米特里

4

1 回答 1

2

您需要具有角色和角色绑定才能列出该命名空间的 pod

  1. 创建角色

    kubectl create role developer --verb=get,list,watch --resource=pods,pods/status --namespace=edna

  2. 该角色的角色绑定

    kubectl create rolebinding developer-binding --role=developer --user=developer --serviceaccount=edna:default -n edna

  3. 在此之后运行此命令以检查您是否可以访问。

    kubectl auth can-i get pods -n edna --as developer这个命令将返回yes然后你的问题得到解决。

有关更多信息,请参阅此文档

https://kubernetes.io/docs/reference/access-authn-authz/rbac/#rolebinding-and-clusterrolebinding

于 2020-07-16T17:52:19.927 回答