来自 EC2 实例的 AWS / Heptio Authenticator
AWS / Heptio Authenticator from an EC2 instance
所以我按照 AWS 文章 Deploying the Heptio Authenticator to kops 进行了操作,并且能够成功地获得东西 运行ning。在我的笔记本电脑上,它具有完全配置的 AWSCLI 设置,我可以 运行 任何 kubectl
命令,因为我是管理员。令牌是通过在我的 ~/.kube/config
文件中使用以下命令获得的:
users:
- name: mycluster-exec
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- token
- --cluster-id
- mycluster
- --role
- arn:aws:iam::<account-number>:role/KubernetesAdministrator
command: aws-iam-authenticator
env: null
现在我想做的基本上在 GitHub 问题 EKS heptio authentication using IAM without AWSCLI 中有所描述。我没有使用 EKS,但原理是一样的。我有 EC2 实例 运行ning 我的 CI 系统的构建代理,我希望这些构建代理 NOT 具有静态的硬编码凭据(即静态 AWS ID 和密钥)。我更希望这些节点也使用 aws-iam-authenticator
二进制文件根据需要临时获取凭据以部署/更改我的 Kubernetes 集群。
我创建了一个名为 KubernetesCIRole
的角色/实例配置文件,并将该 IAM 角色附加到我的 EC2 构建代理节点。然后我将以下内容添加到 ConfigMap
:
apiVersion: v1
data:
config.yaml: |
clusterID: mycluster
server:
mapRoles:
- roleARN: arn:aws:iam::<account-number>:role/KubernetesAdministrator
username: kubernetes-admin
groups:
- system:masters
- roleARN: arn:aws:iam::<account-number>:role/KubernetesCIRole
username: kubernetes-admin
groups:
- system:masters
kind: ConfigMap
metadata:
labels:
k8s-app: heptio-authenticator-aws
name: heptio-authenticator-aws
namespace: kube-system
但是,当我在该 EC2 构建代理机器上配置 ~/.kube/config
,然后 运行 像 kubectl --v=10 get pods
这样简单的东西时,我收到以下信息:
I0828 10:16:30.605964 5196 loader.go:359] Config loaded from file /home/ubuntu/.kube/config
I0828 10:16:30.606744 5196 loader.go:359] Config loaded from file /home/ubuntu/.kube/config
I0828 10:16:30.607704 5196 loader.go:359] Config loaded from file /home/ubuntu/.kube/config
...
I0828 10:16:33.092683 5196 round_trippers.go:386] curl -k -v -XGET -H "Accept: application/json, */*" -H "User-Agent: kubectl/v1.11.2 (linux/amd64) kubernetes/bb9ffb1" 'https://api.mycluster.k8s.mycompany.com/api?timeout=32s'
I0828 10:16:33.605698 5196 round_trippers.go:405] GET https://api.mycluster.k8s.mycompany.com/api?timeout=32s 401 Unauthorized in 512 milliseconds
I0828 10:16:33.605727 5196 round_trippers.go:411] Response Headers:
I0828 10:16:33.605734 5196 round_trippers.go:414] Content-Type: application/json
I0828 10:16:33.605749 5196 round_trippers.go:414] Www-Authenticate: Basic realm="kubernetes-master"
I0828 10:16:33.605758 5196 round_trippers.go:414] Content-Length: 129
I0828 10:16:33.605767 5196 round_trippers.go:414] Date: Tue, 28 Aug 2018 10:16:33 GMT
I0828 10:16:33.608443 5196 request.go:897] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
I0828 10:16:33.610858 5196 cached_discovery.go:111] skipped caching discovery info due to Unauthorized
F0828 10:16:33.610901 5196 helpers.go:119] error: the server doesn't have a resource type "pods"
为什么这不起作用?如果我在 Heptio / AWS IAM Authenticator ConfigMap
中指定给定角色具有集群管理员访问权限(或任何其他相关权限),我不应该能够进行身份验证吗?
提前感谢您的帮助!
终于想通了。 AWS 文档 Managing Users or IAM Roles for your Cluster 包含所需的部分:
首先,您需要创建一个具有以下基本权限的 IAM 角色(和相应的实例配置文件),并将其附加到您的 EC2 实例:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
然后您需要使用如下内容更新 ConfigMap
:
apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
data:
mapRoles: |
- rolearn: <ARN of instance role (not instance profile)>
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:masters
关键部分是用户名system:node:{{EC2PrivateDNSName}}
。我想 {{EC2PrivateDNSName}}
可以作为任何 EC2 实例的占位符,并附加相应的 rolearn
。
所以我按照 AWS 文章 Deploying the Heptio Authenticator to kops 进行了操作,并且能够成功地获得东西 运行ning。在我的笔记本电脑上,它具有完全配置的 AWSCLI 设置,我可以 运行 任何 kubectl
命令,因为我是管理员。令牌是通过在我的 ~/.kube/config
文件中使用以下命令获得的:
users:
- name: mycluster-exec
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- token
- --cluster-id
- mycluster
- --role
- arn:aws:iam::<account-number>:role/KubernetesAdministrator
command: aws-iam-authenticator
env: null
现在我想做的基本上在 GitHub 问题 EKS heptio authentication using IAM without AWSCLI 中有所描述。我没有使用 EKS,但原理是一样的。我有 EC2 实例 运行ning 我的 CI 系统的构建代理,我希望这些构建代理 NOT 具有静态的硬编码凭据(即静态 AWS ID 和密钥)。我更希望这些节点也使用 aws-iam-authenticator
二进制文件根据需要临时获取凭据以部署/更改我的 Kubernetes 集群。
我创建了一个名为 KubernetesCIRole
的角色/实例配置文件,并将该 IAM 角色附加到我的 EC2 构建代理节点。然后我将以下内容添加到 ConfigMap
:
apiVersion: v1
data:
config.yaml: |
clusterID: mycluster
server:
mapRoles:
- roleARN: arn:aws:iam::<account-number>:role/KubernetesAdministrator
username: kubernetes-admin
groups:
- system:masters
- roleARN: arn:aws:iam::<account-number>:role/KubernetesCIRole
username: kubernetes-admin
groups:
- system:masters
kind: ConfigMap
metadata:
labels:
k8s-app: heptio-authenticator-aws
name: heptio-authenticator-aws
namespace: kube-system
但是,当我在该 EC2 构建代理机器上配置 ~/.kube/config
,然后 运行 像 kubectl --v=10 get pods
这样简单的东西时,我收到以下信息:
I0828 10:16:30.605964 5196 loader.go:359] Config loaded from file /home/ubuntu/.kube/config
I0828 10:16:30.606744 5196 loader.go:359] Config loaded from file /home/ubuntu/.kube/config
I0828 10:16:30.607704 5196 loader.go:359] Config loaded from file /home/ubuntu/.kube/config
...
I0828 10:16:33.092683 5196 round_trippers.go:386] curl -k -v -XGET -H "Accept: application/json, */*" -H "User-Agent: kubectl/v1.11.2 (linux/amd64) kubernetes/bb9ffb1" 'https://api.mycluster.k8s.mycompany.com/api?timeout=32s'
I0828 10:16:33.605698 5196 round_trippers.go:405] GET https://api.mycluster.k8s.mycompany.com/api?timeout=32s 401 Unauthorized in 512 milliseconds
I0828 10:16:33.605727 5196 round_trippers.go:411] Response Headers:
I0828 10:16:33.605734 5196 round_trippers.go:414] Content-Type: application/json
I0828 10:16:33.605749 5196 round_trippers.go:414] Www-Authenticate: Basic realm="kubernetes-master"
I0828 10:16:33.605758 5196 round_trippers.go:414] Content-Length: 129
I0828 10:16:33.605767 5196 round_trippers.go:414] Date: Tue, 28 Aug 2018 10:16:33 GMT
I0828 10:16:33.608443 5196 request.go:897] Response Body: {"kind":"Status","apiVersion":"v1","metadata":{},"status":"Failure","message":"Unauthorized","reason":"Unauthorized","code":401}
I0828 10:16:33.610858 5196 cached_discovery.go:111] skipped caching discovery info due to Unauthorized
F0828 10:16:33.610901 5196 helpers.go:119] error: the server doesn't have a resource type "pods"
为什么这不起作用?如果我在 Heptio / AWS IAM Authenticator ConfigMap
中指定给定角色具有集群管理员访问权限(或任何其他相关权限),我不应该能够进行身份验证吗?
提前感谢您的帮助!
终于想通了。 AWS 文档 Managing Users or IAM Roles for your Cluster 包含所需的部分:
首先,您需要创建一个具有以下基本权限的 IAM 角色(和相应的实例配置文件),并将其附加到您的 EC2 实例:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
然后您需要使用如下内容更新 ConfigMap
:
apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
data:
mapRoles: |
- rolearn: <ARN of instance role (not instance profile)>
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:masters
关键部分是用户名system:node:{{EC2PrivateDNSName}}
。我想 {{EC2PrivateDNSName}}
可以作为任何 EC2 实例的占位符,并附加相应的 rolearn
。