spi*_*ech 4 amazon-web-services kubernetes
我无法kubectl使用我的同事创建的 EKS Kubernetes 实例进行身份验证。我遵循了 文档:AWS CLI 可以运行aws eks命令(我是 AWS 完全管理员),并且 heptio 身份验证器在我的路径中并且可以生成令牌。
当我运行时,kubectl我收到此错误:
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.4",
GitCommit:"5ca598b4ba5abb89bb773071ce452e33fb66339d", GitTreeState:"clean",
BuildDate:"2018-06-06T15:22:13Z", GoVersion:"go1.9.6", Compiler:"gc",
Platform:"darwin/amd64"}
error: You must be logged in to the server (the server has asked for the client
to provide credentials)
这是我的 ~/.kube/config 文件。这是我的同事可以成功使用的确切 kubeconfig。
apiVersion: v1
clusters:
- cluster:
server: https://myinstance.sk1.us-east-1.eks.amazonaws.com
certificate-authority-data: base64_cert name: kubernetes contexts: - context: cluster: kubernetes user: aws name: aws
current-context: aws
kind: Config
preferences: {}
users:
- name: aws
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
command: heptio-authenticator-aws
args:
- "token"
- "-i"
- "dev-qa"
# - "-r"
# - "<role-arn>"
根据这些 AWS 文档,我需要将我的 IAM 用户添加到mapUsersConfigMap的部分。configmap/aws-auth
您可以使用最初创建集群的同一 AWS 用户编辑 configmap。
$ kubectl edit -n kube-system configmap/aws-auth
apiVersion: v1
data:
mapRoles: |
- rolearn: arn:aws:iam::555555555555:role/devel-worker-nodes-NodeInstanceRole-74RF4UBDUKL6
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
mapUsers: |
- userarn: arn:aws:iam::555555555555:user/admin
username: admin
groups:
- system:masters
- userarn: arn:aws:iam::111122223333:user/ops-user
username: ops-user
groups:
- system:masters
mapAccounts: |
- "111122223333"
| 归档时间: |
|
| 查看次数: |
15328 次 |
| 最近记录: |