ndb*_*ent 6 authentication amazon-web-services kubernetes
I'm really struggling to follow the AWS docs "Enabling IAM user and role access to your cluster".
When I run kubectl edit -n kube-system configmap/aws-auth, I see this:
mapRoles: |
  - groups:
    - system:bootstrappers
    - system:nodes
The docs tell me to run kubectl get roles -A and kubectl get clusterroles to see my roles and cluster roles, then kubectl describe role role-name -n kube-system and kubectl describe clusterrole cluster-role-name.
I want to set my AWS IAM user to admin or cluster-admin, but it doesn't work when I use this config:
mapUsers: |
  - userarn: arn:aws:iam::**********:user/nathan
    username: nathan
    groups:
    - cluster-admin
I found that I can get it to work when I use system:masters. But then I looked through all the roles, clusterroles, rolebindings and clusterrolebindings, and I can't see any of the following "system" roles that configmap/aws-auth uses:
- system:bootstrappers
- system:nodes
- system:masters
I can, however, see some of these:
- system:node (singular)
- system:node-bootstrapper
I'm really lost! What am I misunderstanding here? What are the "groups" in configmap/aws-auth, and how do they relate to these roles/clusterroles? If I want to use cluster-admin, do I need to put some prefix in front of it, or add a "binding" somewhere?
system:masters works fine and gives me access to the EKS web console, but I just want to understand how it works.
Here are all my roles and clusterroles:
$ kubectl get roles -A
NAMESPACE NAME CREATED AT
europe-v3-system ingress-nginx 2022-04-26T01:21:05Z
kube-public system:controller:bootstrap-signer 2022-04-26T01:13:11Z
kube-system cert-manager-cainjector:leaderelection 2022-04-26T01:21:34Z
kube-system cert-manager:leaderelection 2022-04-26T01:21:34Z
kube-system cluster-autoscaler 2022-04-26T01:18:18Z
kube-system eks-vpc-resource-controller-role 2022-04-26T01:13:15Z
kube-system eks:addon-manager 2022-04-26T01:13:13Z
kube-system eks:certificate-controller 2022-04-26T01:13:12Z
kube-system eks:fargate-manager 2022-04-26T01:13:12Z
kube-system eks:node-manager 2022-04-26T01:13:12Z
kube-system extension-apiserver-authentication-reader 2022-04-26T01:13:10Z
kube-system system::leader-locking-kube-controller-manager 2022-04-26T01:13:11Z
kube-system system::leader-locking-kube-scheduler 2022-04-26T01:13:11Z
kube-system system:controller:bootstrap-signer 2022-04-26T01:13:10Z
kube-system system:controller:cloud-provider 2022-04-26T01:13:10Z
kube-system system:controller:token-cleaner 2022-04-26T01:13:11Z
kube-system vpc-resource-controller-leader-election-role 2022-04-26T01:13:14Z
$ kubectl get clusterroles
NAME CREATED AT
admin 2022-04-26T01:13:10Z
atom 2022-04-26T01:21:03Z
aws-node 2022-04-26T01:13:12Z
cert-manager-cainjector 2022-04-26T01:21:34Z
cert-manager-controller-certificates 2022-04-26T01:21:34Z
cert-manager-controller-challenges 2022-04-26T01:21:34Z
cert-manager-controller-clusterissuers 2022-04-26T01:21:34Z
cert-manager-controller-ingress-shim 2022-04-26T01:21:34Z
cert-manager-controller-issuers 2022-04-26T01:21:34Z
cert-manager-controller-orders 2022-04-26T01:21:34Z
cert-manager-edit 2022-04-26T01:21:34Z
cert-manager-view 2022-04-26T01:21:34Z
cert-manager-webhook:webhook-requester 2022-04-26T01:21:34Z
cloudwatch-agent-role 2022-06-05T02:20:04Z
cluster-admin 2022-04-26T01:13:10Z
cluster-autoscaler 2022-04-26T01:18:18Z
edit 2022-04-26T01:13:10Z
eks-console-dashboard-full-access-clusterrole 2022-04-26T02:03:47Z
eks:addon-manager 2022-04-26T01:13:12Z
eks:fargate-manager 2022-04-26T01:13:12Z
eks:node-bootstrapper 2022-04-26T01:13:13Z
eks:node-manager 2022-04-26T01:13:12Z
eks:podsecuritypolicy:privileged 2022-04-26T01:13:13Z
europe-v3-api 2022-04-26T01:21:03Z
europe-v3-fluentd 2022-04-26T01:21:04Z
ingress-nginx 2022-04-26T01:21:04Z
resolver 2022-04-26T01:21:03Z
system:aggregate-to-admin 2022-04-26T01:13:10Z
system:aggregate-to-edit 2022-04-26T01:13:10Z
system:aggregate-to-view 2022-04-26T01:13:10Z
system:aggregated-metrics-reader 2022-04-26T01:21:04Z
system:auth-delegator 2022-04-26T01:13:10Z
system:basic-user 2022-04-26T01:13:10Z
system:certificates.k8s.io:certificatesigningrequests:nodeclient 2022-04-26T01:13:10Z
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient 2022-04-26T01:13:10Z
system:certificates.k8s.io:kube-apiserver-client-approver 2022-04-26T01:13:10Z
system:certificates.k8s.io:kube-apiserver-client-kubelet-approver 2022-04-26T01:13:10Z
system:certificates.k8s.io:kubelet-serving-approver 2022-04-26T01:13:10Z
system:certificates.k8s.io:legacy-unknown-approver 2022-04-26T01:13:10Z
system:controller:attachdetach-controller 2022-04-26T01:13:10Z
system:controller:certificate-controller 2022-04-26T01:13:10Z
system:controller:clusterrole-aggregation-controller 2022-04-26T01:13:10Z
system:controller:cronjob-controller 2022-04-26T01:13:10Z
system:controller:daemon-set-controller 2022-04-26T01:13:10Z
system:controller:deployment-controller 2022-04-26T01:13:10Z
system:controller:disruption-controller 2022-04-26T01:13:10Z
system:controller:endpoint-controller 2022-04-26T01:13:10Z
system:controller:endpointslice-controller 2022-04-26T01:13:10Z
system:controller:endpointslicemirroring-controller 2022-04-26T01:13:10Z
system:controller:expand-controller 2022-04-26T01:13:10Z
system:controller:generic-garbage-collector 2022-04-26T01:13:10Z
system:controller:horizontal-pod-autoscaler 2022-04-26T01:13:10Z
system:controller:job-controller 2022-04-26T01:13:10Z
system:controller:namespace-controller 2022-04-26T01:13:10Z
system:controller:node-controller 2022-04-26T01:13:10Z
system:controller:persistent-volume-binder 2022-04-26T01:13:10Z
system:controller:pod-garbage-collector 2022-04-26T01:13:10Z
system:controller:pv-protection-controller 2022-04-26T01:13:10Z
system:controller:pvc-protection-controller 2022-04-26T01:13:10Z
system:controller:replicaset-controller 2022-04-26T01:13:10Z
system:controller:replication-controller 2022-04-26T01:13:10Z
system:controller:resourcequota-controller 2022-04-26T01:13:10Z
system:controller:route-controller 2022-04-26T01:13:10Z
system:controller:service-account-controller 2022-04-26T01:13:10Z
system:controller:service-controller 2022-04-26T01:13:10Z
system:controller:statefulset-controller 2022-04-26T01:13:10Z
system:controller:ttl-controller 2022-04-26T01:13:10Z
system:coredns 2022-04-26T01:13:12Z
system:discovery 2022-04-26T01:13:10Z
system:heapster 2022-04-26T01:13:10Z
system:kube-aggregator 2022-04-26T01:13:10Z
system:kube-controller-manager 2022-04-26T01:13:10Z
system:kube-dns 2022-04-26T01:13:10Z
system:kube-scheduler 2022-04-26T01:13:10Z
system:kubelet-api-admin 2022-04-26T01:13:10Z
system:metrics-server 2022-04-26T01:21:04Z
system:node 2022-04-26T01:13:10Z
system:node-bootstrapper 2022-04-26T01:13:10Z
system:node-problem-detector 2022-04-26T01:13:10Z
system:node-proxier 2022-04-26T01:13:10Z
system:persistent-volume-provisioner 2022-04-26T01:13:10Z
system:public-info-viewer 2022-04-26T01:13:10Z
system:volume-scheduler 2022-04-26T01:13:10Z
view 2022-04-26T01:13:10Z
vpc-resource-controller-role 2022-04-26T01:13:14Z
Thanks!
You won't find any resource for authentication principals via kubectl get, because they don't need to be pre-allocated. The system:masters group is one of a few well-known names that are hard-coded into the source code.

> What are the "groups" in configmap/aws-auth

If you think of it in terms of k8s x.509 auth's CN= and OU=, username: is the singular principal name and groups: are any number of authz containers that can be used in (Cluster)RoleBindings.

> How do they relate to these roles/clusterroles? If I want to use cluster-admin, do I need to put some prefix in front of it, or add a "binding" somewhere?

RoleBinding and ClusterRoleBinding simply associate the authentication names that were provided (which, apart from a few hard-coded ones, are arbitrary) with Role and ClusterRole objects in the k8s api.
I don't know whether you are also asking how IAM users/roles get mapped to k8s principals, but if so, that's because aws eks get-token (produced by the exec: stanza of $KUBECONFIG) generates a JWT that encodes the AWS IAM OpenID Connect sub: and claims: and is signed by the AWS IAM OpenID Connect provider, which the apiserver then trusts, just like Google or GitLab or your favorite OIDC provider.
Reading the aws-iam-authenticator repo will tell you more about that setup.
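As an added example (not code from the question or the answer, and not AWS's or Kubernetes' own implementation), here is a small Python model of what the answer describes. The aws-auth entries and ClusterRoleBindings below are constructed, and the account id 111122223333 is a placeholder. It shows why groups: [cluster-admin] grants nothing (no binding has a Group subject by that name), why system:masters works (the bootstrap ClusterRoleBinding named cluster-admin binds that group to the cluster-admin ClusterRole), and what the missing piece is: a ClusterRoleBinding whose subject is the group name you chose in aws-auth.

```python
"""Added example: how aws-auth group names turn into RBAC permissions.

Constructed data, not the original poster's cluster. The authenticator maps
an IAM ARN to a Kubernetes username plus group names; RBAC then grants the
roleRef of every (Cluster)RoleBinding whose subjects list that user or one
of those groups. A group name that no binding mentions grants nothing.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Subject:
    kind: str  # "User" or "Group", as in a binding's subjects[] entry
    name: str


@dataclass
class ClusterRoleBinding:
    name: str
    role_ref: str  # name of the ClusterRole being granted
    subjects: list = field(default_factory=list)


# Constructed mapUsers entries (the parsed form of the aws-auth ConfigMap).
# 111122223333 is a placeholder account id.
AWS_AUTH_MAP_USERS = [
    # the post's attempt: a ClusterRole name used as if it were a group
    {"userarn": "arn:aws:iam::111122223333:user/nathan",
     "username": "nathan", "groups": ["cluster-admin"]},
    # a group that the bootstrap RBAC already binds
    {"userarn": "arn:aws:iam::111122223333:user/alice",
     "username": "alice", "groups": ["system:masters"]},
    # an arbitrary group name; meaningful only once a binding names it
    {"userarn": "arn:aws:iam::111122223333:user/bob",
     "username": "bob", "groups": ["eks-admins"]},
]

# Constructed bindings. The first exists in every cluster (compare
# `kubectl get clusterrolebinding cluster-admin -o yaml`); the second is the
# one an operator adds so that the "eks-admins" group name means something.
CLUSTER_ROLE_BINDINGS = [
    ClusterRoleBinding("cluster-admin", "cluster-admin",
                       [Subject("Group", "system:masters")]),
    ClusterRoleBinding("eks-admins-cluster-admin", "cluster-admin",
                       [Subject("Group", "eks-admins")]),
]


def principal_for(user_arn, map_users=AWS_AUTH_MAP_USERS):
    """(username, groups) the authenticator hands to the apiserver for an ARN.

    An identity with no aws-auth entry is rejected; modelled here as None.
    """
    for entry in map_users:
        if entry["userarn"] == user_arn:
            return entry["username"], list(entry["groups"])
    return None


def bound_cluster_roles(username, groups, bindings=CLUSTER_ROLE_BINDINGS):
    """ClusterRoles granted to a principal: the roleRef of every binding whose
    subjects include the User name or one of the Group names."""
    wanted = {Subject("User", username)} | {Subject("Group", g) for g in groups}
    return sorted({b.role_ref for b in bindings if wanted.intersection(b.subjects)})


def cluster_roles_for_arn(user_arn, map_users=AWS_AUTH_MAP_USERS,
                          bindings=CLUSTER_ROLE_BINDINGS):
    """End-to-end: IAM ARN -> (username, groups) -> ClusterRoles."""
    principal = principal_for(user_arn, map_users)
    if principal is None:
        return []
    username, groups = principal
    return bound_cluster_roles(username, groups, bindings)


def render_cluster_role_binding(name, group, cluster_role="cluster-admin"):
    """The manifest that makes an aws-auth group name mean something to RBAC."""
    return (
        "apiVersion: rbac.authorization.k8s.io/v1\n"
        "kind: ClusterRoleBinding\n"
        f"metadata:\n  name: {name}\n"
        "roleRef:\n  apiGroup: rbac.authorization.k8s.io\n"
        f"  kind: ClusterRole\n  name: {cluster_role}\n"
        "subjects:\n- apiGroup: rbac.authorization.k8s.io\n"
        f"  kind: Group\n  name: {group}\n"
    )


if __name__ == "__main__":
    for entry in AWS_AUTH_MAP_USERS:
        arn = entry["userarn"]
        print(f"{arn}: groups={entry['groups']} -> ClusterRoles={cluster_roles_for_arn(arn)}")
    print(render_cluster_role_binding("eks-admins-cluster-admin", "eks-admins"))
```

On a real cluster the equivalent checks are `kubectl get clusterrolebinding cluster-admin -o yaml` (its only subject is Group system:masters) and, after applying the rendered binding, `kubectl auth can-i --as nathan --as-group eks-admins '*' '*'`. Two practical caveats: anyone who can edit configmap/aws-auth can put themselves in any group, so write access to that ConfigMap is effectively cluster-admin; and a custom group should be bound to the narrowest ClusterRole that does the job (view, edit, or one you define) rather than cluster-admin.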