【发布时间】:2020-02-13 20:09:44
【问题描述】:
按照官方文档https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html,我添加了aws-auth设置和ConfigMap
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
mapRoles: |
- rolearn: arn:aws:iam::555555555555:role/devel-worker-nodes-NodeInstanceRole-74RF4UBDUKL6
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
mapUsers: |
- userarn: arn:aws:iam::555555555555:user/admin
username: admin
groups:
- system:masters
- userarn: arn:aws:iam::111122223333:user/ops-user
username: ops-user
groups:
- system:masters
但我目前没有为用户 ops-user 分配任何策略。
[ops-user]
region = ap-southeast-2
aws_secret_access_key = xxxx
aws_access_key_id = xxxx
切换到 aws 配置文件后,我可以看到用户详细信息
$ export AWS_PROFILE=ops-user
$ aws sts get-caller-identity
{
"UserId": "AIDAJLD7JDWRXORLFXWYO",
"Account": "123456789012",
"Arn": "arn:aws:iam::123456789012:user/ops-user"
}
但当我尝试管理 EKS 集群 pod、svc 等时,出现以下错误
$ kubectl get pods
error: You must be logged in to the server (Unauthorized)
如果我想让这个 iam 用户只在 EKS kubernetes 集群中工作,应该为它分配什么策略。
我不希望用户管理其他 aws 资源。
顺便说一句,我可以使用具有管理员策略的 iam 用户进行所有管理
【问题讨论】:
标签: kubernetes amazon-iam amazon-eks