Terraform enable EKS cluster access for other IAM users
I want to set up an EKS cluster so that other IAM users can connect to and modify the cluster. For that, AWS recommends patching a config map, which I did. Now I want to enable the same "feature" using terraform.
I use terraform's EKS provider and read in the documentation the section "Due to the plethora of tooling a...", so basically authentication is up to me.
Now I update this config map using the Terraform Kubernetes provider:
resource "kubernetes_config_map" "aws_auth" {
  # depends_on accepts whole resources or modules, not an attribute such as module.eks.cluster_id
  depends_on = [module.eks]
  metadata {
    name      = "aws-auth"
    namespace = "kube-system"
  }
  data = THATS_MY_UPDATED_CONFIG
}
But that does not work, I get the following error:
2022-01-07T15:49:55.732+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: 2022/01/07 15:49:55 [DEBUG] Kubernetes API Response Details:
2022-01-07T15:49:55.732+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: ---[ RESPONSE ]--------------------------------------
2022-01-07T15:49:55.732+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: HTTP/2.0 409 Conflict
2022-01-07T15:49:55.732+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: Content-Length: 206
2022-01-07T15:49:55.732+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: Audit-Id: 15....
2022-01-07T15:49:55.732+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: Cache-Control: no-cache, private
2022-01-07T15:49:55.732+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: Content-Type: application/json
2022-01-07T15:49:55.732+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: Date: Fri, 07 Jan 2022 14:49:55 GMT
2022-01-07T15:49:55.732+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: X-Kubernetes-Pf-Flowschema-Uid: f43...
2022-01-07T15:49:55.732+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: X-Kubernetes-Pf-Prioritylevel-Uid: 0054...
2022-01-07T15:49:55.732+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5:
2022-01-07T15:49:55.732+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: {
2022-01-07T15:49:55.732+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: "kind": "Status",
2022-01-07T15:49:55.732+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: "apiVersion": "v1",
2022-01-07T15:49:55.732+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: "metadata": {},
2022-01-07T15:49:55.732+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: "status": "Failure",
2022-01-07T15:49:55.732+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: "message": "configmaps \"aws-auth\" already exists",
2022-01-07T15:49:55.733+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: "reason": "AlreadyExists",
2022-01-07T15:49:55.733+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: "details": {
2022-01-07T15:49:55.733+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: "name": "aws-auth",
2022-01-07T15:49:55.733+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: "kind": "configmaps"
2022-01-07T15:49:55.733+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: },
2022-01-07T15:49:55.733+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: "code": 409
2022-01-07T15:49:55.733+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: }
2022-01-07T15:49:55.733+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5:
2022-01-07T15:49:55.733+0100 [DEBUG] provider.terraform-provider-kubernetes_v2.7.1_x5: -----------------------------------------------------
2022-01-07T15:49:55.775+0100 [ERROR] vertex "module.main.module.eks.kubernetes_config_map.aws_auth" error: configmaps "aws-auth" already exists
╷
│ Error: configmaps "aws-auth" already exists
│
│ with module.main.module.eks.kubernetes_config_map.aws_auth,
│ on ../../modules/eks/eks-iam-map-users.tf line 44, in resource "kubernetes_config_map" "aws_auth":
│ 44: resource "kubernetes_config_map" "aws_auth" {
│
╵
This seems to be a contentious problem, since everyone using EKS with Terraform should run into it. I ask myself how to solve it? The related issue comes close... I'm a bit lost, does anyone have an idea?
I use the following versions:
terraform {
  required_providers {
    # https://registry.terraform.io/providers/hashicorp/aws/latest
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.70"
    }
    # https://registry.terraform.io/providers/hashicorp/kubernetes/latest
    kubernetes = {
      source  = "hashicorp/kubernetes"
      version = "~> 2.7.1"
    }
  }
  # required_version belongs to the terraform block itself, not inside required_providers
  required_version = ">= 1.1.2"
}
...
module "eks" {
source = "terraform-aws-modules/eks/aws"
version = "18.0.3"
...
I use 17.24.0 and don't know what's new in 18.0.3.
In my case I followed this example:
https://github.com/terraform-aws-modules/terraform-aws-eks/blob/v17.24.0/examples/complete/main.tf
My main.tf:
locals {
  eks_map_roles = []
  eks_map_users = []
}
data "aws_eks_cluster" "cluster" {
  name = module.eks.cluster_id
}
data "aws_eks_cluster_auth" "cluster" {
  name = module.eks.cluster_id
}
provider "kubernetes" {
  host                   = data.aws_eks_cluster.cluster.endpoint
  cluster_ca_certificate = base64decode(data.aws_eks_cluster.cluster.certificate_authority[0].data)
  token                  = data.aws_eks_cluster_auth.cluster.token
}
module "eks" {
  source = "..."
  ...
  eks_map_roles = local.eks_map_roles
  eks_map_users = local.eks_map_users
  ...
}
To add other users you can follow this documentation: https://aws.amazon.com/premiumsupport/knowledge-center/eks-api-server-unauthorized-error/
I think you should add roles (don't forget to remove the path).
map_users is deprecated in v18.x of the eks module:
Support for managing aws-auth configmap has been removed. This change also removes the dependency on the Kubernetes Terraform provider, the local dependency on aws-iam-authenticator for users, as well as the reliance on the forked http provider to wait and poll on cluster creation. To aid users in this change, an output variable aws_auth_configmap_yaml has been provided which renders the aws-auth configmap necessary to support at least the IAM roles used by the module (additional mapRoles/mapUsers definitions to be provided by users)
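Putting the question's 409 and this answer together, here is an added example (not code from the question, the answers, or the terraform-aws-modules project) of owning the aws-auth ConfigMap yourself once the eks module no longer writes it. It assumes module "eks" is v18 and exposes the aws_auth_configmap_yaml output quoted above as a complete ConfigMap manifest whose data.mapRoles field is itself a YAML string, that the Kubernetes provider is configured as in the first answer, and that the ConfigMap already exists in the cluster (EKS writes it when a managed node group is created, which is what produces the "already exists" conflict in the question). The variables extra_map_roles and extra_map_users are hypothetical inputs.

```terraform
# Added example: own the aws-auth ConfigMap when the eks module (v18+) no longer
# does. Hypothetical inputs: var.extra_map_roles and var.extra_map_users.

variable "extra_map_roles" {
  description = "Additional IAM roles to map into the cluster (hypothetical input)"
  type = list(object({
    rolearn  = string
    username = string
    groups   = list(string)
  }))
  default = []

  validation {
    condition = alltrue([
      for r in var.extra_map_roles :
      can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:role/", r.rolearn))
    ])
    error_message = "Every rolearn must be an IAM role ARN."
  }
}

variable "extra_map_users" {
  description = "Additional IAM users to map into the cluster (hypothetical input)"
  type = list(object({
    userarn  = string
    username = string
    groups   = list(string)
  }))
  default = []

  # Least privilege: map individual users to a group bound by RBAC, never
  # straight into system:masters.
  validation {
    condition = alltrue([
      for u in var.extra_map_users : !contains(u.groups, "system:masters")
    ])
    error_message = "Map users to an RBAC-bound group instead of system:masters."
  }
}

locals {
  # The module output (assumed, as in v18) is a full ConfigMap manifest whose
  # data.mapRoles is itself a YAML document, so it is decoded twice.
  module_auth  = yamldecode(module.eks.aws_auth_configmap_yaml)
  module_roles = yamldecode(local.module_auth.data.mapRoles)

  # The authenticator matches on the assumed-role ARN, which carries no IAM
  # path, so "role/team/ops/admin" is rewritten to "role/admin".
  extra_roles = [
    for r in var.extra_map_roles : merge(r, {
      rolearn = replace(r.rolearn, "/role\\/.*\\//", "role/")
    })
  ]
}

# Adopt the ConfigMap EKS already created instead of trying to create it again
# (the 409 from the question). Needs Terraform >= 1.5; see the note below.
import {
  to = kubernetes_config_map.aws_auth
  id = "kube-system/aws-auth"
}

resource "kubernetes_config_map" "aws_auth" {
  depends_on = [module.eks]

  metadata {
    name      = "aws-auth"
    namespace = "kube-system"
  }

  data = {
    mapRoles = yamlencode(concat(local.module_roles, local.extra_roles))
    mapUsers = yamlencode(var.extra_map_users)
  }
}
```

The import block requires Terraform 1.5 or later; with the ">= 1.1.2" pin from the question, run `terraform import kubernetes_config_map.aws_auth kube-system/aws-auth` once instead, and leave the import out entirely if the ConfigMap does not exist yet (self-managed nodes only). Because the module output already contains the node role, replacing the adopted ConfigMap with module output plus your additions keeps nodes joining. Stripping the IAM path is the "remove the path" caveat from the first answer: an entry whose rolearn carries a path never matches the assumed-role ARN and silently grants nothing, which is easy to mistake for a broken cluster rather than a broken mapping.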