aws sso 和 EKS rbac 访问被拒绝
aws sso and EKS rbac access denied
我正在尝试配置 AWS sso 访问我的 EKS 集群,这些集群位于我作为管理员的子账户中。我在引用 this document and 。但是,当我使用 SSO 登录子帐户时,不断出现 RBAC 错误。我该如何正确配置呢?我现在仍然启用了 IAM 访问权限。
控制台错误:
Your current user or role does not have access to Kubernetes objects on this EKS cluster
This may be due to the current user or role not having Kubernetes RBAC permissions to describe cluster resources or not having an entry in the cluster’s auth config map.
角色:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: default:sso-admin
namespace: default
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
配置图:
apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
data:
mapUsers: |
- rolearn: arn:aws:iam::xxxxx:role/AWSReservedSSOxxxxx
username: me:{{SessionName}}
groups:
- default:sso-admin
官方文档中详细描述了此问题的解决方案:
Short description
You receive this error when you use the AWS Management Console with an
AWS Identity and Access Management (IAM) role or user that's not in
your Amazon EKS cluster's aws-auth ConfigMap.
When you create an Amazon EKS cluster, the IAM user or role (such as a
federated user that creates the cluster) is automatically granted
system:masters permissions in the cluster's RBAC configuration. If you
access the Amazon EKS console and your IAM user or role isn't part of
the aws-auth ConfigMap, then you can't see your Kubernetes workloads
or overview details for the cluster.
To grant additional AWS users or roles the ability to interact with
your cluster, you must edit the aws-auth ConfigMap within Kubernetes.
Resolution
Note: If you receive errors when running AWS Command Line Interface
(AWS CLI) commands, make sure that you’re using the most recent AWS
CLI version.
您可以按照此处描述的步骤来解决您的问题。
我正在尝试配置 AWS sso 访问我的 EKS 集群,这些集群位于我作为管理员的子账户中。我在引用 this document and
控制台错误:
Your current user or role does not have access to Kubernetes objects on this EKS cluster
This may be due to the current user or role not having Kubernetes RBAC permissions to describe cluster resources or not having an entry in the cluster’s auth config map.
角色:
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: default:sso-admin
namespace: default
rules:
- apiGroups: ["*"]
resources: ["*"]
verbs: ["*"]
配置图:
apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
data:
mapUsers: |
- rolearn: arn:aws:iam::xxxxx:role/AWSReservedSSOxxxxx
username: me:{{SessionName}}
groups:
- default:sso-admin
官方文档中详细描述了此问题的解决方案:
Short description
You receive this error when you use the AWS Management Console with an AWS Identity and Access Management (IAM) role or user that's not in your Amazon EKS cluster's aws-auth ConfigMap.
When you create an Amazon EKS cluster, the IAM user or role (such as a federated user that creates the cluster) is automatically granted system:masters permissions in the cluster's RBAC configuration. If you access the Amazon EKS console and your IAM user or role isn't part of the aws-auth ConfigMap, then you can't see your Kubernetes workloads or overview details for the cluster.
To grant additional AWS users or roles the ability to interact with your cluster, you must edit the aws-auth ConfigMap within Kubernetes.
Resolution
Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.
您可以按照此处描述的步骤来解决您的问题。