AWS EKS: unable to attach IAM role to pods
So I created an AWS EKS cluster and went on to try AWS App Mesh on AWS EKS, creating a service mesh by following the EKS workshop & the AWS App Mesh user guide. Installed the appmesh controller. kubectl get pods confirms it:
NAMESPACE NAME READY STATUS RESTARTS AGE
appmesh-system appmesh-controller-847f957bc8-s2k7l 1/1 Running 0 57m
Then did the following -
1. Created the namespace and the mesh (following the user guide), using the following YAML config -
apiVersion: v1
kind: Namespace
metadata:
  name: example
  labels:
    mesh: v-mesh
    gateway: ingress-gw
    appmesh.k8s.aws/sidecarInjectorWebhook: enabled
---
apiVersion: appmesh.k8s.aws/v1beta2
kind: Mesh
metadata:
  name: v-mesh
spec:
  namespaceSelector:
    matchLabels:
      mesh: v-mesh
  egressFilter:
    type: ALLOW_ALL
2. Created the IAM service account. kubectl describe for the service account returns this:
Name: example-svc-acct
Namespace: example
Labels: <none>
Annotations: eks.amazonaws.com/role-arn: arn:aws:iam::xxxxxxxx:role/eksctl-eks-addon-iamserviceaccount-example-Role1
Image pull secrets: <none>
Mountable secrets: example-svc-acct-token-lgrs2
Tokens: example-svc-acct-token-lgrs2
Events: <none>
I can see the required annotation as per this.
3. I deploy my services using helm. kubectl get pods -n example shows
NAME READY STATUS RESTARTS AGE
svc1-5d4b4d6485-m7t7g 1/2 Running 0 7s
svc2-76cb5fd545-nqgx5 2/3 Running 0 7s
svc2-76cb5fd545-vsbnj 2/3 Running 0 7s
svc3-84f97bd64f-q9hjx 1/2 Running 0 7s
The envoy container fails to become ready.
4. Looking up the environment variables in the container shows that variables are missing:
kubectl exec -n example svc3-84f97bd64f-q9hjx -c envoy env | grep AWS
AWS_REGION=us-east-2
As per the docs, AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN should be there.
kubectl logs for the envoy container shows a permissions problem:
[2021-08-02 22:07:12.516][1][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:101] StreamAggregatedResources gRPC config stream closed: 7, Unauthorized to perform appmesh:StreamAggregatedResources for arn:aws:appmesh:us-east-2:xxxxx:mesh/v-mesh/virtualNode/svc3-vn_example.
[2021-08-02 22:07:16.268][1][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:101] StreamAggregatedResources gRPC config stream closed: 7, Unauthorized to perform appmesh:StreamAggregatedResources for arn:aws:appmesh:us-east-2:xxxxx:mesh/v-mesh/virtualNode/svc3-vn_example
[2021-08-02 22:07:21.402][1][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:101] StreamAggregatedResources gRPC config stream closed: 7, Unauthorized to perform appmesh:StreamAggregatedResources for arn:aws:appmesh:us-east-2:xxxxx:mesh/v-mesh/virtualNode/svc3-vn_example.
[2021-08-02 22:07:42.125][1][warning][config] [bazel-out/k8-opt/bin/source/common/config/_virtual_includes/grpc_stream_lib/common/config/grpc_stream.h:101] StreamAggregatedResources gRPC config stream closed: 7, Unauthorized to perform appmesh:StreamAggregatedResources for arn:aws:appmesh:us-east-2:xxxxx:mesh/v-mesh/virtualNode/svc3-vn_example.
The role attached to the service account allows the action appmesh:StreamAggregatedResources on all resources.
I can see the problem at step 3. After looking in different places for a whole day, I cannot figure out what I am missing to get the required role attached to the containers and thereby have the required environment variables set.
Any pointers would be much appreciated. Thanks
More info:
$ eksctl version
0.42.0
$ kubectl version
Client Version: version.Info{Major:"1", Minor:"17+", GitVersion:"v1.17.11-eks-cfdc40", GitCommit:"cfdc40d4c1b7d14eb60152107963ae41aa2e4804", GitTreeState:"clean", BuildDate:"2020-09-17T17:10:39Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"19+", GitVersion:"v1.19.8-eks-96780e", GitCommit:"96780e1b30acbf0a52c38b6030d7853e575bcdf3", GitTreeState:"clean", BuildDate:"2021-03-10T21:32:29Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}
Apparently, leaving out serviceAccountName in the deployment template spec was a silly mistake.
spec:
  serviceAccountName: {{ .Values.serviceAccount.name }}
Added that & the problem went away.
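An added diagnostic for the mis-wiring described in the question and answer above (example code, not from the original post): it reads the JSON that kubectl get pods -o json and kubectl get sa -o json produce for a namespace and flags every pod whose service account lacks the eks.amazonaws.com/role-arn annotation or whose containers lack the AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE variables that the EKS pod identity webhook injects. The service-account and pod JSON below are constructed samples and the role ARN is a placeholder.

```python
import json

# Annotation and env vars that mark a pod as wired up for IRSA. The webhook
# injects these env vars only when the pod's service account carries the
# annotation; a Deployment that omits serviceAccountName runs as 'default',
# which is not annotated, so nothing is injected (the bug in the question).
IRSA_ANNOTATION = "eks.amazonaws.com/role-arn"
IRSA_ENV = {"AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE"}

# Constructed samples shaped like `kubectl get sa -o json` / `kubectl get pods -o json`.
SAMPLE_SAS = json.loads("""{"items": [
  {"metadata": {"name": "default"}},
  {"metadata": {"name": "example-svc-acct",
    "annotations": {"eks.amazonaws.com/role-arn": "arn:aws:iam::000000000000:role/PLACEHOLDER-Role1"}}}
]}""")
SAMPLE_PODS = json.loads("""{"items": [
  {"metadata": {"name": "svc3-84f97bd64f-q9hjx"},
   "spec": {"containers": [
     {"name": "svc3", "env": []},
     {"name": "envoy", "env": [{"name": "AWS_REGION", "value": "us-east-2"}]}]}},
  {"metadata": {"name": "svc1-fixed"},
   "spec": {"serviceAccountName": "example-svc-acct", "containers": [
     {"name": "envoy", "env": [{"name": "AWS_REGION", "value": "us-east-2"},
       {"name": "AWS_ROLE_ARN", "value": "arn:aws:iam::000000000000:role/PLACEHOLDER-Role1"},
       {"name": "AWS_WEB_IDENTITY_TOKEN_FILE",
        "value": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"}]}]}}
]}""")

def audit_irsa(pods, sas):
    """Map each mis-wired pod name to its findings; an empty dict means all pods are fine."""
    sa_role = {sa["metadata"]["name"]: sa["metadata"].get("annotations", {}).get(IRSA_ANNOTATION)
               for sa in sas["items"]}
    findings = {}
    for pod in pods["items"]:
        spec, problems = pod["spec"], []
        sa_name = spec.get("serviceAccountName", "default")  # Kubernetes default when unset
        if not sa_role.get(sa_name):
            problems.append(f"serviceAccountName '{sa_name}' carries no {IRSA_ANNOTATION}")
        for c in spec.get("containers", []):
            missing = sorted(IRSA_ENV - {e["name"] for e in c.get("env", [])})
            if missing:
                problems.append(f"container '{c['name']}' lacks env {missing}")
        if problems:
            findings[pod["metadata"]["name"]] = problems
    return findings

if __name__ == "__main__":
    for pod, problems in audit_irsa(SAMPLE_PODS, SAMPLE_SAS).items():
        print(pod)
        for p in problems:
            print("  -", p)
```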