kubectl: error: You must be logged in to the server (Unauthorized)
I have created a kops cluster and get the error below when logging in to the cluster.
Error log:
INFO! KUBECONFIG env var set to /home/user/scripts/kube/kubeconfig.yaml
INFO! Testing kubectl connection....
error: You must be logged in to the server (Unauthorized)
ERROR! Test Failed, AWS role might not be recongized by cluster
I am using a script for iam-authentication and log in to the server with the proper role before connecting. I am able to log in to another server in the same environment. I tried with a different k8s version and a different configuration.
KUBECONFIG doesn't have any problem and has the same entry and token details as the other cluster. I can see the token with the 'aws-iam-authenticator' command.
Went through most of the articles and they didn't help.
It seems to be an AWS authorization issue. At cluster creation only the IAM user who created the cluster has admin rights on it, so you may need to add your own IAM user first.
1- Start by verifying the IAM user identity used implicitly in all commands:
aws sts get-caller-identity
If your aws-cli is set up correctly you will get output similar to this:
{
  "UserId": "ABCDEFGHIJK",
  "Account": "12344455555",
  "Arn": "arn:aws:iam::1234577777:user/Toto"
}
We will refer to the value in Account as YOUR_AWS_ACCOUNT_ID in step 3 (in this example YOUR_AWS_ACCOUNT_ID="12344455555").
2- Once you have this identity you have to add it to the AWS role binding to get EKS permissions.
3- You will need to edit the ConfigMap used by kubectl to add your user:
kubectl edit -n kube-system configmap/aws-auth
In the editor that opens, create a username you want to use to refer to yourself in the cluster, YOUR_USER_NAME (for simplicity you may use the same as your AWS user name, for example Toto in step 2); you will need it in step 4. Also use the AWS account id you found in your identity info at step 1, YOUR_AWS_ACCOUNT_ID (don't forget to keep the quotes ""), as follows in the mapUsers and mapAccounts sections:
mapUsers: |
  - userarn: arn:aws:iam::111122223333:user/ops-user
    username: YOUR_USER_NAME
    groups:
      - system:masters
mapAccounts: |
  - "YOUR_AWS_ACCOUNT_ID"
4- Finally you need to create a role binding on the Kubernetes cluster for the user specified in the ConfigMap:
kubectl create clusterrolebinding cluster-admin-binding \
  --clusterrole cluster-admin \
  --user YOUR_USER_NAME
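To see why the authenticator answers "Unauthorized" for some identities and not others, here is an added example (not part of the answer above) that replays the aws-auth lookup offline. It generalizes the answer to mapRoles as well as mapUsers and mapAccounts, and assumes the ConfigMap's YAML strings have already been parsed into the constructed lists below; the ARNs and names are made up.

```python
import re

# Constructed aws-auth content: the mapRoles/mapUsers YAML strings already
# parsed into lists of dicts, plus a constructed mapAccounts list.
SAMPLE_AWS_AUTH = {
    "mapRoles": [
        {"rolearn": "arn:aws:iam::111122223333:role/ops-role",
         "username": "ops-role:{{SessionName}}", "groups": ["system:masters"]},
    ],
    "mapUsers": [
        {"userarn": "arn:aws:iam::111122223333:user/ops-user",
         "username": "ops-user", "groups": ["system:masters"]},
    ],
    "mapAccounts": ["444455556666"],
}

# `aws sts get-caller-identity` reports a role session as an STS ARN;
# mapRoles entries are written against the underlying IAM role ARN.
ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d+):assumed-role/([^/]+)/([^/]+)$")


def canonicalize(arn):
    """Return (iam_arn, session_name); session_name is None for plain users."""
    m = ASSUMED_ROLE.match(arn)
    if not m:
        return arn, None
    account, role, session = m.groups()
    return f"arn:aws:iam::{account}:role/{role}", session


def resolve_identity(caller_arn, aws_auth):
    """Return the (username, groups) the cluster would assign to the caller,
    or None when no mapping matches (the 'Unauthorized' case)."""
    arn, session = canonicalize(caller_arn)
    for entry in aws_auth.get("mapRoles", []):
        if entry["rolearn"] == arn:
            username = entry["username"].replace("{{SessionName}}", session or "")
            return username, list(entry.get("groups", []))
    for entry in aws_auth.get("mapUsers", []):
        if entry["userarn"] == arn:
            return entry["username"], list(entry.get("groups", []))
    account = arn.split(":")[4]
    if account in aws_auth.get("mapAccounts", []):
        # mapAccounts only authenticates: the username is the ARN itself and
        # no groups are granted, so the ClusterRoleBinding in step 4 is still
        # required before kubectl calls succeed.
        return arn, []
    return None
```

Run `resolve_identity` with the Arn from your own `aws sts get-caller-identity` output against your real aws-auth entries; a `None` result is exactly the identity the cluster rejects.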
With kops v1.19 you need to add --admin or --user to update your Kubernetes cluster, and each time you log out of your server you have to export the cluster name and the storage bucket and then update the cluster again. This will work.