EKS Kubernetes user with RBAC seen as system:anonymous
I've been following this post to create user access to my kubernetes cluster (running on Amazon EKS). I did create the key and the csr, approved the request and downloaded the certificate for the user. Then I created a kubeconfig file with the key and the crt. When I run kubectl with this kubeconfig, I am identified as system:anonymous.
$ kubectl --kubeconfig test-user-2.kube.yaml get pods
Error from server (Forbidden): pods is forbidden: User "system:anonymous" cannot list pods in the namespace "default"
I would expect the user to be identified but denied access.
$ kubectl --kubeconfig test-user-2.kube.yaml version
Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.1", GitCommit:"b1b29978270dc22fecc592ac55d903350454310a", GitTreeState:"clean", BuildDate:"2018-07-18T11:37:06Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"10", GitVersion:"v1.10.3", GitCommit:"2bba0127d85d5a46ab4b778548be28623b32d0b0", GitTreeState:"clean", BuildDate:"2018-05-28T20:13:43Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"}
$ kubectl --kubeconfig test-user-2.kube.yaml config view
apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: REDACTED
  name: kubernetes
contexts:
- context:
    cluster: kubernetes
    user: test-user-2
  name: kubernetes
current-context: kubernetes
kind: Config
preferences: {}
users:
- name: test-user-2
  user:
    client-certificate-data: REDACTED
    client-key-data: REDACTED
# running with my other account (which uses heptio-authenticator-aws)
$ kubectl describe certificatesigningrequest.certificates.k8s.io/user-request-test-user-2
Name:               user-request-test-user-2
Labels:             <none>
Annotations:        <none>
CreationTimestamp:  Wed, 01 Aug 2018 15:20:15 +0200
Requesting User:
Status:             Approved,Issued
Subject:
    Common Name:    test-user-2
    Serial Number:
Events:             <none>
I did create a ClusterRoleBinding with the admin (also tried cluster-admin) role for that user, but that should not matter for this step. I am not sure how to debug further 1) whether the user was created, or 2) whether I missed some configuration.
Any help is appreciated!
This seems to be an EKS limitation. Even though the CSR has been approved, the user cannot authenticate. I used the same procedure on another kubernetes cluster and it worked fine.
As described in this article:
When you create an Amazon EKS cluster, the IAM entity user or role (for example, for federated users) that creates the cluster is automatically granted system:master permissions in the cluster's RBAC configuration. To grant additional AWS users or roles the ability to interact with your cluster, you must edit the aws-auth ConfigMap within Kubernetes.
Check whether the aws-auth ConfigMap is applied to your cluster:
kubectl describe configmap -n kube-system aws-auth
If the ConfigMap exists, skip this step and continue with step 3.
If the ConfigMap has not been applied yet, you should do the following:
Download the stock ConfigMap:
curl -O https://amazon-eks.s3-us-west-2.amazonaws.com/1.10.3/2018-07-26/aws-auth-cm.yaml
Adjust it with the NodeInstanceRole ARN in rolearn:. To get the NodeInstanceRole value, see this manual; you will find it in steps 3.8 - 3.10.
data:
  mapRoles: |
    - rolearn: <ARN of instance role (not instance profile)>
Apply this ConfigMap to the cluster:
kubectl apply -f aws-auth-cm.yaml
Wait for the cluster nodes to become ready:
kubectl get nodes --watch
Edit the aws-auth ConfigMap and add your users to it, following the example below:
kubectl edit -n kube-system configmap/aws-auth
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapRoles: |
    - rolearn: arn:aws:iam::555555555555:role/devel-worker-nodes-NodeInstanceRole-74RF4UBDUKL6
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
  mapUsers: |
    - userarn: arn:aws:iam::555555555555:user/admin
      username: admin
      groups:
        - system:masters
    - userarn: arn:aws:iam::111122223333:user/ops-user
      username: ops-user
      groups:
        - system:masters
Save and exit the editor.
- Create a kubeconfig for your IAM user following this manual.
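The answer above boils down to one rule: on EKS a principal is only recognised if its IAM ARN is mapped in aws-auth, and the username and groups it gets come from that mapping, not from any certificate. The following added example (my own code, not from the question, the answers or AWS) makes that mapping step concrete: it reads the mapRoles/mapUsers blocks from the edited ConfigMap shown above, resolves which Kubernetes identity a given ARN would receive, and lists every principal that ends up in system:masters, which is the audit a cluster owner wants after editing this ConfigMap. The sample ConfigMap data is copied from the answer; the parser is an assumption that handles only the flat YAML subset used there, so it runs without PyYAML, and it does not normalise STS assumed-role ARNs to role ARNs the way the real authenticator does.

```python
"""Resolve the Kubernetes identity an IAM principal gets from an EKS aws-auth ConfigMap.

Added example, not code from the thread or from AWS.  Assumption: the
mapRoles/mapUsers blocks use only the flat "- key: value" plus "groups:" list
form shown in the answer, so a tiny hand-written parser is enough.
"""
from typing import Dict, List, Optional, Tuple

# Sample data, copied from the edited ConfigMap in the answer (constructed sample).
AWS_AUTH_MAP_ROLES = """\
- rolearn: arn:aws:iam::555555555555:role/devel-worker-nodes-NodeInstanceRole-74RF4UBDUKL6
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
"""

AWS_AUTH_MAP_USERS = """\
- userarn: arn:aws:iam::555555555555:user/admin
  username: admin
  groups:
    - system:masters
- userarn: arn:aws:iam::111122223333:user/ops-user
  username: ops-user
  groups:
    - system:masters
"""


def parse_mappings(block: str) -> List[Dict]:
    """Parse one mapRoles/mapUsers block into a list of entries.

    Each entry is a dict with the ARN key (rolearn or userarn), 'username'
    and a 'groups' list.  Only the flat subset above is supported (assumption).
    """
    entries: List[Dict] = []
    current: Optional[Dict] = None
    for raw in block.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("- ") and ": " in line:
            # "- rolearn: arn:..." opens a new mapping entry.
            key, value = line[2:].split(": ", 1)
            current = {key.strip(): value.strip(), "groups": []}
            entries.append(current)
        elif line.startswith("- "):
            # "- system:masters": a group inside the current entry's list.
            if current is None:
                raise ValueError("group listed before any mapping entry")
            current["groups"].append(line[2:].strip())
        elif line == "groups:":
            continue  # list header; members follow as "- name" lines
        else:
            if current is None:
                raise ValueError("key/value before any mapping entry")
            key, value = line.split(": ", 1)
            current[key.strip()] = value.strip()
    return entries


def resolve_identity(arn: str, map_roles: str, map_users: str,
                     ec2_private_dns: str = "") -> Optional[Tuple[str, List[str]]]:
    """Return (username, groups) for an IAM ARN, or None when it is not mapped.

    An unmapped principal gets no identity at all: nothing in the cluster CA,
    a CSR or a ClusterRoleBinding can stand in for the aws-auth entry.
    """
    for entry in parse_mappings(map_users):
        if entry.get("userarn") == arn:
            return entry["username"], list(entry["groups"])
    for entry in parse_mappings(map_roles):
        if entry.get("rolearn") == arn:
            # Node mappings use a template that the authenticator fills per instance.
            username = entry["username"].replace("{{EC2PrivateDNSName}}", ec2_private_dns)
            return username, list(entry["groups"])
    return None


def principals_in_group(group: str, map_roles: str, map_users: str) -> List[str]:
    """List every mapped ARN that lands in `group` (e.g. system:masters)."""
    found = []
    for entry in parse_mappings(map_users) + parse_mappings(map_roles):
        if group in entry["groups"]:
            found.append(entry.get("userarn") or entry.get("rolearn"))
    return found


if __name__ == "__main__":
    print(resolve_identity("arn:aws:iam::111122223333:user/ops-user",
                           AWS_AUTH_MAP_ROLES, AWS_AUTH_MAP_USERS))
    print(resolve_identity("arn:aws:iam::111122223333:user/test-user-2",
                           AWS_AUTH_MAP_ROLES, AWS_AUTH_MAP_USERS))
    print(principals_in_group("system:masters", AWS_AUTH_MAP_ROLES, AWS_AUTH_MAP_USERS))
```

Run it against the data block of your own ConfigMap (kubectl get configmap aws-auth -n kube-system -o yaml, then paste the mapRoles/mapUsers strings) to see which ARNs are cluster-admin; anything mapped to system:masters bypasses every RoleBinding you write later, so that list should be short.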
I got this from AWS support today.
Thanks for your patience. I have just heard back from the EKS team. They have confirmed that the aws-iam-authenticator has to be used with EKS and, because of that, it is not possible to authenticate using certificates.
No word on whether this will be supported in the future; for now it is definitely broken.