AWS role and user have no policy; why can I still access the K8s cluster?
My question: I have no permissions at all, so why can I access K8s?
[vagrant@localhost ~]$ kubectl get deployment --namespace=development
No resources found in development namespace.
Below is my configuration.
$ cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: <my certificate-authority-data>
    server: https://2C1A77626A2087EBA1D1123EA9398DAF.gr7.ap-northeast-1.eks.amazonaws.com
  name: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
contexts:
- context:
    cluster: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
    user: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
  name: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
current-context: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
kind: Config
preferences: {}
users:
- name: arn:aws:eks:ap-northeast-1:056844949861:cluster/eksworkshop-eksctl
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - ap-northeast-1
      - eks
      - get-token
      - --cluster-name
      - eksworkshop-eksctl
      - --role
      - arn:aws:iam::056844949861:role/k8sDev
      command: aws
Here is my role; there is nothing under Permissions:
Here is my user; it has just an inline policy:
Here are my group and the content of the inline policy:
The reason you are able to access it is that the IAM user you are accessing the cluster with is the same as the one used to create the cluster. The documentation states:
When you create an Amazon EKS cluster, the IAM entity user or role, such as a federated user that creates the cluster, is automatically granted system:masters permissions in the cluster's RBAC configuration.
In EKS, IAM users are used for authentication, but IAM roles do not control authorization. Authorization is still handled through the Kubernetes RBAC system.
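The following is an added example, not code from the question or the answer above. It models the two separate steps the answer describes: EKS (via aws-iam-authenticator) canonicalises the caller's IAM identity and maps it to a Kubernetes username and groups, and only then does Kubernetes RBAC decide what that identity may do. The only identifiers taken from the question are the account id and the k8sDev role ARN; the cluster-creator ARN (`eks-admin`), the aws-auth mappings, and the RBAC rules are constructed assumptions for the illustration.

```python
"""Added example: how EKS turns an IAM identity into Kubernetes permissions.

Authentication: the STS identity behind the token is canonicalised and looked
up in the aws-auth ConfigMap (or matched against the implicit cluster-creator
mapping) to obtain a Kubernetes username and groups.
Authorization: Kubernetes RBAC decides what that username/groups may do.

Only ACCOUNT and the k8sDev role come from the question; everything else here
is constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

ACCOUNT = "056844949861"                                  # from the question
K8S_DEV_ROLE = f"arn:aws:iam::{ACCOUNT}:role/k8sDev"     # from the question
# Assumption: the identity that created the cluster. EKS grants it
# system:masters implicitly; that mapping is NOT written into aws-auth.
CLUSTER_CREATOR_ARN = f"arn:aws:iam::{ACCOUNT}:user/eks-admin"

# Constructed data of the kube-system/aws-auth ConfigMap (already parsed).
AWS_AUTH = {
    "mapRoles": [
        {"rolearn": K8S_DEV_ROLE,
         "username": "dev:{{SessionName}}",
         "groups": ["k8s-developers"]},
    ],
    "mapUsers": [],
}

# Constructed RBAC: one Role in "development" bound to the k8s-developers group.
RBAC_BINDINGS = [
    {"namespace": "development",
     "subjects": [("Group", "k8s-developers")],
     "rules": [{"apiGroups": ["apps"], "resources": ["deployments"],
                "verbs": ["get", "list"]}]},
]

@dataclass
class Identity:
    username: str
    groups: List[str]

_ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/(.+)$")

def canonical_arn(caller_arn: str):
    """Map an STS assumed-role ARN to the IAM role ARN used in mapRoles.
    Returns (iam_arn, session_name); IAM user ARNs pass through unchanged."""
    m = _ASSUMED_ROLE.match(caller_arn)
    if m:
        account, role, session = m.groups()
        return f"arn:aws:iam::{account}:role/{role}", session
    return caller_arn, ""

def authenticate(caller_arn: str) -> Optional[Identity]:
    """Return the Kubernetes identity for an IAM caller, or None (401)."""
    iam_arn, session = canonical_arn(caller_arn)
    if iam_arn == CLUSTER_CREATOR_ARN:
        return Identity("kubernetes-admin", ["system:masters"])
    for entry in AWS_AUTH["mapRoles"] + AWS_AUTH["mapUsers"]:
        if entry.get("rolearn", entry.get("userarn")) == iam_arn:
            username = entry["username"].replace("{{SessionName}}", session)
            return Identity(username, list(entry.get("groups", [])))
    return None

def authorize(identity: Identity, verb: str, resource: str,
              api_group: str, namespace: str) -> bool:
    """Simplified RBAC: system:masters is bound to cluster-admin; anyone else
    needs a RoleBinding in the namespace whose rule matches the request."""
    if "system:masters" in identity.groups:
        return True
    for binding in RBAC_BINDINGS:
        if binding["namespace"] != namespace:
            continue
        if not any((kind == "Group" and name in identity.groups) or
                   (kind == "User" and name == identity.username)
                   for kind, name in binding["subjects"]):
            continue
        for rule in binding["rules"]:
            if (api_group in rule["apiGroups"] and resource in rule["resources"]
                    and verb in rule["verbs"]):
                return True
    return False

def can_i(caller_arn: str, verb: str, resource: str,
          api_group: str, namespace: str) -> str:
    """Mimic `kubectl auth can-i` for a given IAM caller."""
    ident = authenticate(caller_arn)
    if ident is None:
        return "Unauthorized"
    return "yes" if authorize(ident, verb, resource, api_group, namespace) else "no"

if __name__ == "__main__":
    # `aws eks get-token --role .../k8sDev` presents an assumed-role session.
    session_arn = f"arn:aws:sts::{ACCOUNT}:assumed-role/k8sDev/vagrant"
    print(authenticate(session_arn))
    print(can_i(session_arn, "list", "deployments", "apps", "development"))
    print(can_i(session_arn, "list", "deployments", "apps", "default"))
    print(can_i(CLUSTER_CREATOR_ARN, "delete", "nodes", "", ""))
```

Because the kubeconfig in the question passes `--role arn:aws:iam::056844949861:role/k8sDev` to `aws eks get-token`, the identity the cluster sees is an assumed-role session of k8sDev, which is canonicalised to the role ARN before the aws-auth lookup; the IAM policies attached to that role or user never enter into the RBAC decision. On a real cluster the equivalent checks are `aws sts get-caller-identity` (who am I to AWS), `kubectl -n kube-system get configmap aws-auth -o yaml` (how that identity is mapped, remembering that the creator's implicit system:masters mapping is not listed there), and `kubectl auth can-i --list -n development` (what RBAC grants).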