How do you get kubectl to log in to an AWS EKS cluster?

Starting from a ~empty AWS account, I'm trying to follow https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html

So that means I created a VPC stack, then installed aws-iam-authenticator, awscli and kubectl, then created an IAM user with programmatic access and AmazonEKSAdminPolicy attached directly.

Then I used the website to create my EKS cluster and used aws configure to set my IAM user's access key and secret.

aws eks update-kubeconfig --name wr-eks-cluster works fine, but:

kubectl get svc
error: the server doesn't have a resource type "svc"

I went ahead and created my worker node stack anyway, and now I'm at a dead end:

kubectl apply -f aws-auth-cm.yaml
error: You must be logged in to the server (the server has asked for the client to provide credentials)

aws-iam-authenticator token -i <my cluster name> seems to work fine.

What I seem to be missing is that when you create the cluster you specify an IAM role, but when you create the user (per the guide) you attach a policy. How is my user supposed to get access to this cluster?

Or, ultimately, how do I get continued access to my cluster with kubectl?

  1. As mentioned in the docs, the AWS IAM user that created the EKS cluster automatically receives system:masters permissions, and that's enough to get kubectl working. You need to use this user's credentials (AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY) to access the cluster. In case you didn't create a specific IAM user to create the cluster, then you probably created it using the root AWS account. In this case, you can use the root user's credentials (Creating Access Keys for the Root User).
  2. The main magic is in the aws-auth ConfigMap in the cluster – it contains the IAM entity -> Kubernetes ServiceAccount mapping.

I'm not sure how you pass credentials to aws-iam-authenticator:

  • If you have ~/.aws/credentials with an aws_profile_of_eks_iam_creator profile, then you can try $ AWS_PROFILE=aws_profile_of_eks_iam_creator kubectl get all --all-namespaces
  • Also, you can use environment variables: $ AWS_ACCESS_KEY_ID=XXX AWS_SECRET_ACCESS_KEY=YYY AWS_DEFAULT_REGION=your-region-1 kubectl get all --all-namespaces

Both of them should work, because kubectl ... will use the generated ~/.kube/config, which contains the aws-iam-authenticator token -i cluster_name command, and aws-iam-authenticator uses the environment variables or ~/.aws/credentials to give you a token.

Also, this answer may help in understanding the first EKS user creation.

After reading the comments, I think you seem to have:

  1. Created the cluster with the root user.
  2. Then created an IAM user and created AWS credentials for it (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY).
  3. Used that access key and secret key in your kubeconfig setup (no matter how - there are several ways).

This is the issue described in the docs:

If you receive one of the following errors while running kubectl commands, then your kubectl is not configured properly for Amazon EKS or the IAM user or role credentials that you are using do not map to a Kubernetes RBAC user with sufficient permissions in your Amazon EKS cluster.

  • could not get token: AccessDenied: Access denied
  • error: You must be logged in to the server (Unauthorized)
  • error: the server doesn't have a resource type "svc" <--- Your case

This could be because the cluster was created with one set of AWS credentials (from an IAM user or role), and kubectl is using a different set of credentials.

When an Amazon EKS cluster is created, the IAM entity (user or role) that creates the cluster is added to the Kubernetes RBAC authorization table as the administrator (with system:masters permissions).
Initially, only that IAM user can make calls to the Kubernetes API server using kubectl.

For more information, see Managing users or IAM roles for your cluster. If you use the console to create the cluster, you must ensure that the same IAM user credentials are in the AWS SDK credential chain when you are running kubectl commands on your cluster.

That is the reason for the error.

As the accepted answer says - you need to edit aws-auth in order to manage users or IAM roles for your cluster.
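The two answers above both come down to one check: the IAM principal that kubectl presents must either be the cluster creator (implicit system:masters, never listed in aws-auth) or have a rolearn/userarn entry in the aws-auth ConfigMap. The script below is an added example, not code from the question or from any of the answers, that performs that check offline on a constructed aws-auth body; every account id, ARN, username and group in it is made up. It also normalises assumed-role session ARNs to the IAM role ARN, which is the form aws-auth expects and a common reason a mapping that "looks right" still yields Unauthorized. The `eks_whoami` function at the end is the live variant and assumes you can already read the ConfigMap (for example with the creator's credentials); it is defined but not run by the demo.

```shell
#!/bin/sh
# Added example, not code from the question or the answers above: work out which
# Kubernetes identity the EKS API server will derive for the IAM principal
# kubectl presents. Every account id, ARN, name and the aws-auth body below is
# constructed sample data.

# aws-iam-authenticator / `aws eks get-token` present the STS caller ARN. For an
# assumed role that is arn:aws:sts::ACCT:assumed-role/ROLE/SESSION, while aws-auth
# mapRoles must list arn:aws:iam::ACCT:role/ROLE (any IAM path stripped). IAM user
# ARNs pass through unchanged.
iam_principal() {
  printf '%s\n' "$1" |
    sed -E 's#^arn:aws:sts::([0-9]+):assumed-role/([^/]+)/.*$#arn:aws:iam::\1:role/\2#'
}

# Print "username=..." and one "group=..." line per group for the mapRoles/mapUsers
# entry (document in file $1) whose rolearn/userarn equals $2; nothing if unmapped.
aws_auth_lookup() {
  awk -v arn="$2" '
    /^- (rolearn|userarn): / { hit = ($3 == arn); next }
    hit && /^  username: /    { print "username=" $2 }
    hit && /^    - /          { print "group=" $2 }
  ' "$1"
}

# $1 = aws-auth document, $2 = ARN that created the cluster, $3 = STS caller ARN.
# Returns 1 when the caller is neither the creator nor mapped: that is the case in
# which kubectl reports "You must be logged in to the server".
k8s_identity() {
  principal=$(iam_principal "$3")
  if [ "$principal" = "$(iam_principal "$2")" ]; then
    # The creator is never listed in aws-auth; EKS grants it system:masters implicitly
    # (audit logs show it as user kubernetes-admin).
    printf 'username=kubernetes-admin\ngroup=system:masters\n'
    return 0
  fi
  mapped=$(aws_auth_lookup "$1" "$principal")
  if [ -z "$mapped" ]; then
    printf 'unmapped=%s\n' "$principal"
    return 1
  fi
  printf '%s\n' "$mapped"
}

# Constructed aws-auth content in the shape `kubectl -n kube-system get cm aws-auth
# -o yaml` shows under data.mapRoles and data.mapUsers (both values concatenated).
write_sample_aws_auth() {
  cat > "$1" <<'EOF'
- rolearn: arn:aws:iam::123456789012:role/eks-node-group
  username: system:node:{{EC2PrivateDNSName}}
  groups:
    - system:bootstrappers
    - system:nodes
- rolearn: arn:aws:iam::123456789012:role/EKSAdmin
  username: eks-admin
  groups:
    - system:masters
- userarn: arn:aws:iam::123456789012:user/deploy
  username: deploy
  groups:
    - deployers
EOF
}

# Live variant (not run here): same logic over the real caller and ConfigMap. You must
# already be able to read the ConfigMap, e.g. with the creator's credentials.
# $1 = the creator ARN you recorded when the cluster was created.
eks_whoami() {
  live=$(mktemp)
  kubectl -n kube-system get configmap aws-auth \
    -o jsonpath='{.data.mapRoles}{"\n"}{.data.mapUsers}' > "$live" || return 1
  k8s_identity "$live" "$1" "$(aws sts get-caller-identity --query Arn --output text)"
  status=$?
  rm -f "$live"
  return $status
}

# Stand-alone demo on the constructed data.
demo=$(mktemp)
write_sample_aws_auth "$demo"
creator='arn:aws:iam::123456789012:user/cluster-creator'
k8s_identity "$demo" "$creator" 'arn:aws:sts::123456789012:assumed-role/EKSAdmin/alice'
k8s_identity "$demo" "$creator" 'arn:aws:iam::123456789012:user/nobody' || true
rm -f "$demo"
```

Run it as-is to see the mapped admin role resolve to system:masters and the unmapped user come back as `unmapped=...`; for a real cluster, call `eks_whoami <creator-arn>` with the same AWS credentials kubectl is using. Note that the script only reads aws-auth; it says nothing about principals granted access through EKS access entries on newer clusters.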

Please use the updated secret key & access key ID to connect to the EKS cluster.

Here are my steps using aws-cli:

$ export AWS_ACCESS_KEY_ID="something"
$ export AWS_SECRET_ACCESS_KEY="something"
$ export AWS_SESSION_TOKEN="something"

$ aws eks update-kubeconfig \
  --region us-west-2 \
  --name my-cluster

>> Added new context arn:aws:eks:us-west-2:#########:cluster/my-cluster to /home/john/.kube/config

Bonus: use kubectx to switch kubectl contexts

$ kubectx 

>> arn:aws:eks:us-west-2:#########:cluster/my-cluster-two     arn:aws:eks:us-east-1:#####:cluster/my-cluster  

$ kubectx arn:aws:eks:us-east-1:#####:cluster/my-cluster

>> Switched to context "arn:aws:eks:us-east-1:#####:cluster/my-cluster".

Reference: https://docs.aws.amazon.com/eks/latest/userguide/getting-started-console.html

After setting up the aws config on your system, check the current identity to verify that you are using the correct credentials that have permissions for the Amazon EKS cluster:

aws sts get-caller-identity

After that use:

aws eks --region region update-kubeconfig --name cluster_name

This will create the kubeconfig, with the Kubernetes API server URL it needs, in $HOME/.kube/config.

After that you can follow the kubectl instructions for installation, and it should work.
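The two answers above set the credentials in the environment, run `aws eks update-kubeconfig`, and check `aws sts get-caller-identity` by hand. The script below is an added example, not code from any of the answers, that turns that into a repeatable procedure with one addition: it passes `--profile` to `update-kubeconfig`, so the generated exec stanza pins AWS_PROFILE and later kubectl calls cannot silently pick up whatever credentials the default chain resolves first, and it then reads the kubeconfig back to confirm which profile is actually pinned. The cluster name, region, profile name and the kubeconfig body are constructed placeholders; `eks_connect` calls the real AWS CLI and kubectl and is defined but not executed by the demo.

```shell
#!/bin/sh
# Added example, not code from the answers above: connect kubectl to an EKS cluster
# with the IAM profile pinned in the kubeconfig, then confirm which profile the
# exec plugin will use. Cluster name, region, profile and the kubeconfig body are
# constructed placeholders.

# Print the AWS_PROFILE pinned for kubeconfig user $2 in file $1, or "(none)" when
# the exec stanza has no env entry, meaning the default credential chain decides.
pinned_profile() {
  awk -v want="$2" '
    /^users:/                 { in_users = 1; next }
    in_users && /^[A-Za-z]/   { in_users = 0 }        # next top-level key ends the section
    in_users && /^- name: /   { cur = substr($0, 9); next }
    in_users && cur == want && /^ +- name: AWS_PROFILE$/ { grab = 1; next }
    grab && /^ +value: /      { print $2; found = 1; exit }
    END { if (!found) print "(none)" }
  ' "$1"
}

# Live procedure (defined here, not executed by the demo). `aws eks update-kubeconfig`
# honours the global --profile flag and writes it into the generated exec stanza as an
# AWS_PROFILE env entry; --alias gives the context a short name instead of the ARN.
eks_connect() {  # $1 = cluster name, $2 = region, $3 = AWS CLI profile name
  echo "Calling as:" && aws sts get-caller-identity --profile "$3" --output text || return 1
  aws eks update-kubeconfig --name "$1" --region "$2" --profile "$3" --alias "$1" || return 1
  user=$(kubectl config view --minify -o jsonpath='{.contexts[0].context.user}')
  # Assumes a single kubeconfig file; adjust if KUBECONFIG lists several.
  echo "profile pinned for $user: $(pinned_profile "${KUBECONFIG:-$HOME/.kube/config}" "$user")"
  kubectl --context "$1" get svc
}

# Constructed kubeconfig in the shape `aws eks update-kubeconfig` writes: the first
# user was generated with --profile eks-admin, the second without any profile.
write_sample_kubeconfig() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Config
clusters:
- cluster:
    server: https://EXAMPLE.gr7.us-west-2.eks.amazonaws.com
  name: arn:aws:eks:us-west-2:123456789012:cluster/my-cluster
contexts:
- context:
    cluster: arn:aws:eks:us-west-2:123456789012:cluster/my-cluster
    user: arn:aws:eks:us-west-2:123456789012:cluster/my-cluster
  name: my-cluster
current-context: my-cluster
users:
- name: arn:aws:eks:us-west-2:123456789012:cluster/my-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - --region
      - us-west-2
      - eks
      - get-token
      - --cluster-name
      - my-cluster
      - --output
      - json
      command: aws
      env:
      - name: AWS_PROFILE
        value: eks-admin
- name: arn:aws:eks:us-east-1:123456789012:cluster/other
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - eks
      - get-token
      - --cluster-name
      - other
      command: aws
EOF
}

# Stand-alone demo on the constructed kubeconfig.
demo=$(mktemp)
write_sample_kubeconfig "$demo"
echo "my-cluster -> $(pinned_profile "$demo" 'arn:aws:eks:us-west-2:123456789012:cluster/my-cluster')"
echo "other      -> $(pinned_profile "$demo" 'arn:aws:eks:us-east-1:123456789012:cluster/other')"
rm -f "$demo"
```

A user whose result is `(none)` authenticates as whatever `aws sts get-caller-identity` returns in the shell that runs kubectl, which is exactly how the question's setup ended up presenting an unmapped IAM user; `eks_connect my-cluster us-west-2 eks-admin` avoids that by pinning the profile and printing the identity it will use before touching the cluster.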