堆栈内存溢出
  简体   繁体   English

如何将相同的 RBAC 角色分配给两个不同的 IAM 角色以访问 EKS 中的集群?

[英]How can I assign the same RBAC role to two different IAM roles to access a cluster in EKS?

 原文  2020-07-23 20:06:27       kubernetes/ yaml/ amazon-iam/ rbac/ amazon-eks

问题描述

I would like to give a certain team access to the system:masters group in RBAC.我想授予某个团队访问system:masters组。 My team ( AWSReservedSSO_Admin_xxxxxxxxxx in example below) already has it and it works when I only add that one rolearn , but when I apply the configmap below with the additional rolearn , users under the AWSReservedSSO_Dev_xxxxxxxxxx role still get this error when trying to access the cluster: error: You must be logged in to the server (Unauthorized)我的团队(下面示例中的AWSReservedSSO_Admin_xxxxxxxxxx )已经拥有它,并且当我只添加一个rolearn时它可以工作,但是当我将下面的配置映射与额外的rolearn一起应用时, AWSReservedSSO_Dev_xxxxxxxxxx角色下的用户在尝试访问集群时仍然会收到此错误: error: You must be logged in to the server (Unauthorized)

(note: we are using AWS SSO, so the IAM roles are assumed): (注意:我们使用的是 AWS SSO,因此假定了 IAM 角色):

---
apiVersion: v1
kind: ConfigMap
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
      groups:
      - system:bootstrappers
      - system:nodes
      username: system:node:{{EC2PrivateDNSName}}
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_xxxxxxxxxx
      groups:
      - system:masters
      username: admin
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
      groups:
        - system:masters
      username: admin
metadata:
  name: aws-auth
  namespace: kube-system

2 个解决方案

解决方案1
 2  2020-07-24 00:57:49

I'm not sure how you are assuming the roles ❓ and your configuration looks fine, but the reason could be that you are mapping the same user to two different roles.我不确定您是如何承担角色 ❓ 并且您的配置看起来不错,但原因可能是您将同一个用户映射到两个不同的角色。 AWS IAM only allows a user to assume only one role at a time, basically, as an AWS IAM user, you can't assume multiple IAM roles at the same time . AWS IAM 只允许用户一次只承担一个角色, 基本上,作为 AWS IAM 用户,您不能同时承担多个 IAM 角色

You can try with different users and see it works for you.您可以尝试使用不同的用户,看看它是否适合您。

---
apiVersion: v1
kind: ConfigMap
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
      groups:
      - system:bootstrappers
      - system:nodes
      username: system:node:{{EC2PrivateDNSName}}
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_xxxxxxxxxx
      groups:
      - system:masters
      username: admin
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx
      groups:
        - system:masters
      username: admin2
metadata:
  name: aws-auth
  namespace: kube-system

The other aspect that you may be missing is the 'Trust Relationship' in your arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx role that allows admin to assume the role.您可能缺少的另一个方面是您的arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx角色中的“信任关系”,该角色允许admin担任该角色。

图像1

✌️☮️ ✌️☮️

解决方案2
 1 已采纳  2020-09-11 13:57:18

Thanks Rico.谢谢里科。 When you sign in with SSO, you are assuming a role in STS.当您使用 SSO 登录时,您将承担 STS 中的角色。 You can verify this by running aws sts get-caller-identity .您可以通过运行aws sts get-caller-identity来验证这一点。

You werew right that that the username wrong but it didn't solve the whole issue.您认为用户名错误是对的,但它并没有解决整个问题。

Took a long time but my teammate finally found the solution for this in this guide花了很长时间,但我的队友终于在本指南中找到了解决方案

The problem was the ARN for the IAM Role:问题是 IAM 角色的 ARN:

rolearn: arn:aws:iam::xxxxxxxxxxx:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Dev_xxxxxxxxxx

This part aws-reserved/sso.amazonaws.com/ needs to be removed from the name.这部分aws-reserved/sso.amazonaws.com/需要从名称中删除。 So in the end combined with Rico's suggested username fix:所以最后结合 Rico 建议的用户名修复:

---
apiVersion: v1
kind: ConfigMap
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/eks-node-group
      groups:
      - system:bootstrappers
      - system:nodes
      username: system:node:{{EC2PrivateDNSName}}
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/AWSReservedSSO_Admin_xxxxxxxxxx
      groups:
      - system:masters
      username: admin
    - rolearn: arn:aws:iam::xxxxxxxxxxx:role/AWSReservedSSO_Dev_xxxxxxxxxx
      groups:
        - system:masters
      username: admin2
metadata:
  name: aws-auth
  namespace: kube-system

The issue is finally fixed, and SSO users assuming the role can run kubectl commands!问题终于解决了,承担该角色的 SSO 用户可以运行kubectl命令!

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Terraform中EKS集群的两个节点组如何使用同一个IAM角色? - How to use the same IAM role for two node groups in an EKS cluster in Terraform? 如何将 map IAM 组添加到 AWS 中的 EKS 集群? - How can I map IAM group to EKS cluster in AWS? 使用假定的 IAM 角色从 EKS pod 访问远程 EKS 集群 - Access remote EKS cluster from an EKS pod, using an assumed IAM role 如何在Azure Kubernetes集群中启用服务帐户权限(已启用RBAC)? - how can i assign permission to service account in azure kubernetes cluster( RBAC is enabled )? 无法使用创建它的角色访问 EKS 集群 - Unable to access EKS cluster using the role that created it 授予Kubernetes集群中的pod权限以访问Google存储(RBAC / IAM) - Give pod in Kubernetes cluster rights to access Google storage (RBAC/IAM) 尽管我的用户/角色 ARN 不是 aws-auth CM 的一部分,但我如何能够访问 EKS 集群? - How i am able to access EKS Cluster, though my User/Role ARN is not part of aws-auth CM? 您如何正确设置 Terraform 以使用跨账户 IAM 承担角色身份验证来管理 AWS EKS 集群? - How do you properly setup Terraform to manage an AWS EKS cluster using cross-account IAM assume role authentication? Terraform 为其他 IAM 用户启用 EKS 集群访问 - Terraform enable EKS cluster access for other IAM users GKE RBAC角色/角色绑定到集群中的访问节点状态 - GKE RBAC role / rolebinding to access node status in the cluster
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM