无法从 CodeBuild 访问 EKS 集群

Can't access EKS cluster from CodeBuild

已经看到这个特别的 post 并遵循了 AWS 的一些指南,但仍然没有成功..

我正在创建 CI/CD 管道。但 CodeBuild 显然无权访问 EKS 集群。我转到特定的 CodeBuild 角色并添加了以下策略:

还创建并添加了以下策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "eks:*",
            "Resource": "*"
        }
    ]
}

之后,我在创建 EKS 集群的终端中执行了以下命令:eksctl create iamidentitymapping --cluster <my_cluster_name> --arn <arn_from_the_codebuild_role> --group system:masters --username admin

并通过 运行 命令 kubectl get configmaps aws-auth -n kube-system -o yaml 检查它是否成功添加到 aws-auth。它返回:

apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::********:role/*********
      username: system:node:{{EC2PrivateDNSName}}
    - groups:
      - system:masters
      rolearn: arn:aws:iam::*****:role/service-role/*******
      username: ******
  mapUsers: |
    []
kind: ConfigMap
metadata:
  creationTimestamp: "2021-11-10T07:37:06Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: *******
  uid: *********

我仍然收到未授权的错误。下面是 buildspec.yml 文件:

version: 0.2
run-as: root

phases:

  install:
    commands:
      - echo Installing app dependencies...
      - chmod +x prereqs.sh
      - sh prereqs.sh
      - source ~/.bashrc
      - echo Check kubectl version
      - kubectl version --short --client

  pre_build:
    commands:
      - echo Logging in to Amazon EKS...
      - aws eks --region eu-west-2 update-kubeconfig --name <my-cluster-name>
      - echo Check config
      - kubectl config view
      - echo Check kubectl access
      - kubectl get svc

  post_build:
    commands:
      - echo Push the latest image to cluster
      - kubectl apply -n mattermost-operator -f mattermost-operator.yml
      - kubectl rollout restart -n mattermost-operator -f mattermost-operator.yml

编辑:

运行 CodeBuild 中的命令 kubectl config view returns:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://**********eu-west-2.eks.amazonaws.com
  name: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
contexts:
- context:
    cluster: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
    user: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
  name: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
current-context: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
kind: Config
preferences: {}
users:
- name: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - eu-west-2
      - eks
      - get-token
      - --cluster-name
      - <cluster_name>
      - --role
      - arn:aws:iam::*********:role/service-role/<codebuild_role>
      command: aws
      env: null

运行 在我创建 EKS 集群的终端中的命令 kubectl config view returns:

apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: ***********eu-west-2.eks.amazonaws.com
  name: arn:aws:eks:eu-west-2:*******:cluster/<cluster_name>
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: *********eu-west-2.eks.amazonaws.com
  name: <cluster_name>.eu-west-2.eksctl.io
contexts:
- context:
    cluster: arn:aws:eks:eu-west-2:*******:cluster/<cluster_name>
    user: arn:aws:eks:eu-west-2:*******:cluster/<cluster_name>
  name: arn:aws:eks:eu-west-2:*******:cluster/<cluster_name>
- context:
    cluster: <cluster_name>.eu-west-2.eksctl.io
    user: ******@<cluster_name>.eu-west-2.eksctl.io
  name: ******@<cluster_name>.eu-west-2.eksctl.io
current-context: arn:aws:eks:eu-west-2:********:cluster/<cluster_name>
kind: Config
preferences: {}
users:
- name: arn:aws:eks:eu-west-2:*******:cluster/<cluster_name>
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - eu-west-2
      - eks
      - get-token
      - --cluster-name
      - <cluster_name>
      command: aws
      env: null
      interactiveMode: IfAvailable
      provideClusterInfo: false
- name: ******@******.eu-west-2.eksctl.io
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - token
      - -i
      - <cluster_name>
      command: aws-iam-authenticator
      env:
      - name: AWS_STS_REGIONAL_ENDPOINTS
        value: regional
      - name: AWS_DEFAULT_REGION
        value: eu-west-2
      interactiveMode: IfAvailable
      provideClusterInfo: false

有人有想法吗? :D

知道了!

我使用了 CodeBuild 自动创建的角色。但是通过使用强制策略创建一个新角色并在 CodeBuild 中编辑它,上述步骤将会成功。 如果有人能进一步解释这一点,那就太好了!