无法从 CodeBuild 访问 EKS 集群
Can't access EKS cluster from CodeBuild
已经看到这个特别的 post 并遵循了 AWS 的一些指南,但仍然没有成功..
我正在创建 CI/CD 管道。但 CodeBuild 显然无权访问 EKS 集群。我转到特定的 CodeBuild 角色并添加了以下策略:
- AWSCodeCommitFullAccess
- AmazonEC2ContainerRegistryFullAccess
- AmazonS3FullAccess
- CloudWatchLogsFullAccess
- AWSCodeBuildAdminAccess
还创建并添加了以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "eks:*",
"Resource": "*"
}
]
}
之后,我在创建 EKS 集群的终端中执行了以下命令:eksctl create iamidentitymapping --cluster <my_cluster_name> --arn <arn_from_the_codebuild_role> --group system:masters --username admin
并通过 运行 命令 kubectl get configmaps aws-auth -n kube-system -o yaml
检查它是否成功添加到 aws-auth。它返回:
apiVersion: v1
data:
mapRoles: |
- groups:
- system:bootstrappers
- system:nodes
rolearn: arn:aws:iam::********:role/*********
username: system:node:{{EC2PrivateDNSName}}
- groups:
- system:masters
rolearn: arn:aws:iam::*****:role/service-role/*******
username: ******
mapUsers: |
[]
kind: ConfigMap
metadata:
creationTimestamp: "2021-11-10T07:37:06Z"
name: aws-auth
namespace: kube-system
resourceVersion: *******
uid: *********
我仍然收到未授权的错误。下面是 buildspec.yml 文件:
version: 0.2
run-as: root
phases:
install:
commands:
- echo Installing app dependencies...
- chmod +x prereqs.sh
- sh prereqs.sh
- source ~/.bashrc
- echo Check kubectl version
- kubectl version --short --client
pre_build:
commands:
- echo Logging in to Amazon EKS...
- aws eks --region eu-west-2 update-kubeconfig --name <my-cluster-name>
- echo Check config
- kubectl config view
- echo Check kubectl access
- kubectl get svc
post_build:
commands:
- echo Push the latest image to cluster
- kubectl apply -n mattermost-operator -f mattermost-operator.yml
- kubectl rollout restart -n mattermost-operator -f mattermost-operator.yml
编辑:
运行 CodeBuild 中的命令 kubectl config view
returns:
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://**********eu-west-2.eks.amazonaws.com
name: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
contexts:
- context:
cluster: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
user: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
name: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
current-context: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
kind: Config
preferences: {}
users:
- name: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- --region
- eu-west-2
- eks
- get-token
- --cluster-name
- <cluster_name>
- --role
- arn:aws:iam::*********:role/service-role/<codebuild_role>
command: aws
env: null
运行 在我创建 EKS 集群的终端中的命令 kubectl config view
returns:
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: ***********eu-west-2.eks.amazonaws.com
name: arn:aws:eks:eu-west-2:*******:cluster/<cluster_name>
- cluster:
certificate-authority-data: DATA+OMITTED
server: *********eu-west-2.eks.amazonaws.com
name: <cluster_name>.eu-west-2.eksctl.io
contexts:
- context:
cluster: arn:aws:eks:eu-west-2:*******:cluster/<cluster_name>
user: arn:aws:eks:eu-west-2:*******:cluster/<cluster_name>
name: arn:aws:eks:eu-west-2:*******:cluster/<cluster_name>
- context:
cluster: <cluster_name>.eu-west-2.eksctl.io
user: ******@<cluster_name>.eu-west-2.eksctl.io
name: ******@<cluster_name>.eu-west-2.eksctl.io
current-context: arn:aws:eks:eu-west-2:********:cluster/<cluster_name>
kind: Config
preferences: {}
users:
- name: arn:aws:eks:eu-west-2:*******:cluster/<cluster_name>
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- --region
- eu-west-2
- eks
- get-token
- --cluster-name
- <cluster_name>
command: aws
env: null
interactiveMode: IfAvailable
provideClusterInfo: false
- name: ******@******.eu-west-2.eksctl.io
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- token
- -i
- <cluster_name>
command: aws-iam-authenticator
env:
- name: AWS_STS_REGIONAL_ENDPOINTS
value: regional
- name: AWS_DEFAULT_REGION
value: eu-west-2
interactiveMode: IfAvailable
provideClusterInfo: false
有人有想法吗? :D
知道了!
我使用了 CodeBuild 自动创建的角色。但是通过使用强制策略创建一个新角色并在 CodeBuild 中编辑它,上述步骤将会成功。
如果有人能进一步解释这一点,那就太好了!
已经看到这个特别的 post
我正在创建 CI/CD 管道。但 CodeBuild 显然无权访问 EKS 集群。我转到特定的 CodeBuild 角色并添加了以下策略:
- AWSCodeCommitFullAccess
- AmazonEC2ContainerRegistryFullAccess
- AmazonS3FullAccess
- CloudWatchLogsFullAccess
- AWSCodeBuildAdminAccess
还创建并添加了以下策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "eks:*",
"Resource": "*"
}
]
}
之后,我在创建 EKS 集群的终端中执行了以下命令:eksctl create iamidentitymapping --cluster <my_cluster_name> --arn <arn_from_the_codebuild_role> --group system:masters --username admin
并通过 运行 命令 kubectl get configmaps aws-auth -n kube-system -o yaml
检查它是否成功添加到 aws-auth。它返回:
apiVersion: v1
data:
mapRoles: |
- groups:
- system:bootstrappers
- system:nodes
rolearn: arn:aws:iam::********:role/*********
username: system:node:{{EC2PrivateDNSName}}
- groups:
- system:masters
rolearn: arn:aws:iam::*****:role/service-role/*******
username: ******
mapUsers: |
[]
kind: ConfigMap
metadata:
creationTimestamp: "2021-11-10T07:37:06Z"
name: aws-auth
namespace: kube-system
resourceVersion: *******
uid: *********
我仍然收到未授权的错误。下面是 buildspec.yml 文件:
version: 0.2
run-as: root
phases:
install:
commands:
- echo Installing app dependencies...
- chmod +x prereqs.sh
- sh prereqs.sh
- source ~/.bashrc
- echo Check kubectl version
- kubectl version --short --client
pre_build:
commands:
- echo Logging in to Amazon EKS...
- aws eks --region eu-west-2 update-kubeconfig --name <my-cluster-name>
- echo Check config
- kubectl config view
- echo Check kubectl access
- kubectl get svc
post_build:
commands:
- echo Push the latest image to cluster
- kubectl apply -n mattermost-operator -f mattermost-operator.yml
- kubectl rollout restart -n mattermost-operator -f mattermost-operator.yml
编辑:
运行 CodeBuild 中的命令 kubectl config view
returns:
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: https://**********eu-west-2.eks.amazonaws.com
name: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
contexts:
- context:
cluster: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
user: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
name: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
current-context: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
kind: Config
preferences: {}
users:
- name: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- --region
- eu-west-2
- eks
- get-token
- --cluster-name
- <cluster_name>
- --role
- arn:aws:iam::*********:role/service-role/<codebuild_role>
command: aws
env: null
运行 在我创建 EKS 集群的终端中的命令 kubectl config view
returns:
apiVersion: v1
clusters:
- cluster:
certificate-authority-data: DATA+OMITTED
server: ***********eu-west-2.eks.amazonaws.com
name: arn:aws:eks:eu-west-2:*******:cluster/<cluster_name>
- cluster:
certificate-authority-data: DATA+OMITTED
server: *********eu-west-2.eks.amazonaws.com
name: <cluster_name>.eu-west-2.eksctl.io
contexts:
- context:
cluster: arn:aws:eks:eu-west-2:*******:cluster/<cluster_name>
user: arn:aws:eks:eu-west-2:*******:cluster/<cluster_name>
name: arn:aws:eks:eu-west-2:*******:cluster/<cluster_name>
- context:
cluster: <cluster_name>.eu-west-2.eksctl.io
user: ******@<cluster_name>.eu-west-2.eksctl.io
name: ******@<cluster_name>.eu-west-2.eksctl.io
current-context: arn:aws:eks:eu-west-2:********:cluster/<cluster_name>
kind: Config
preferences: {}
users:
- name: arn:aws:eks:eu-west-2:*******:cluster/<cluster_name>
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- --region
- eu-west-2
- eks
- get-token
- --cluster-name
- <cluster_name>
command: aws
env: null
interactiveMode: IfAvailable
provideClusterInfo: false
- name: ******@******.eu-west-2.eksctl.io
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
args:
- token
- -i
- <cluster_name>
command: aws-iam-authenticator
env:
- name: AWS_STS_REGIONAL_ENDPOINTS
value: regional
- name: AWS_DEFAULT_REGION
value: eu-west-2
interactiveMode: IfAvailable
provideClusterInfo: false
有人有想法吗? :D
知道了!
我使用了 CodeBuild 自动创建的角色。但是通过使用强制策略创建一个新角色并在 CodeBuild 中编辑它,上述步骤将会成功。 如果有人能进一步解释这一点,那就太好了!