
Lambda connecting to EKS failed even after setting up RBAC authorization

I have set up a lambda function that needs to connect to EKS and call the API server to get the list of nodes. I have set up the authorization correctly, however I still see that the API server is recognizing the lambda as anonymous. Below is the error I get:

HTTP response body:

    {
        "kind": "Status",
        "apiVersion": "v1",
        "metadata": {},
        "status": "Failure",
        "message": "nodes is forbidden: User \"system:anonymous\" cannot list resource \"nodes\" in API group \"\" at the cluster scope",
        "reason": "Forbidden",
        "details": {
            "kind": "nodes"
        },
        "code": 403
    }

I have added the lambda role ARN in my aws-auth configmap.

    - groups:
      - system:masters
      rolearn: arn:aws:iam::{account_id}:role/{lambda_name}

Also, the lambda has permissions in its policy to perform all actions on all the resources in EKS.

Any idea what I may be missing here?

Seeing system:anonymous in the response makes me think the request isn't being authenticated correctly.

EKS expects a bearer token built from a presigned STS get-caller-identity URL. The code for this is here: https://github.com/kubernetes-sigs/aws-iam-authenticator#api-authorization-from-outside-a-cluster

You can configure the client from a dictionary very similar to the kubeconfig file. You'll need the cluster_ca and cluster_endpoint, which you can get from the describe_cluster API.

    from kubernetes import client, config

    # cluster_ca and cluster_endpoint come from eks.describe_cluster():
    # cluster['certificateAuthority']['data'] (already base64-encoded, which is
    # what certificate-authority-data expects) and cluster['endpoint'].
    # get_bearer_token() builds the token described in the aws-iam-authenticator
    # README linked above.
    kubeconfig = {
        'apiVersion': 'v1',
        'clusters': [{
            'name': 'cluster1',
            'cluster': {
                'certificate-authority-data': cluster_ca,
                'server': cluster_endpoint}
        }],
        'contexts': [{'name': 'context1', 'context': {'cluster': 'cluster1', "user": "user1"}}],
        'current-context': 'context1',
        'kind': 'Config',
        'preferences': {},
        'users': [{'name': 'user1', "user": {'token': get_bearer_token()}}]
    }

    # Load the in-memory kubeconfig; the client sends the token as a bearer token
    config.load_kube_config_from_dict(config_dict=kubeconfig)
    v1_api = client.CoreV1Api()

If you are still getting an error, enable control plane authenticator logging. You'll see 'access denied' messages in there that include the identity ARN.
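The token construction the answer points to, written out as an added example (not code from the question, the answer, or aws-iam-authenticator): it presigns STS GetCallerIdentity with SigV4 query-string signing using only the standard library, signs the x-k8s-aws-id header the API server checks against the cluster name, and wraps the URL as EKS expects. Cluster name, region and credentials are caller-supplied placeholders here; inside Lambda they would come from the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN environment variables.

```python
import base64
import datetime
import hashlib
import hmac
import urllib.parse

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # payload hash of a bodiless GET

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def get_bearer_token(cluster_name, region, access_key, secret_key,
                     session_token=None, now=None):
    """Presign STS GetCallerIdentity (SigV4, query-string style) and wrap it as an EKS token. Credentials are caller-supplied; in Lambda read them from the AWS_* environment variables."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    host = f"sts.{region}.amazonaws.com"
    scope = f"{date}/{region}/sts/aws4_request"
    params = {
        "Action": "GetCallerIdentity",
        "Version": "2011-06-15",
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": "60",
        "X-Amz-SignedHeaders": "host;x-k8s-aws-id",
    }
    if session_token:  # Lambda role credentials are temporary, so this is normally set
        params["X-Amz-Security-Token"] = session_token
    quote = lambda s: urllib.parse.quote(s, safe="-_.~")  # RFC 3986 encoding SigV4 expects
    canonical_qs = "&".join(f"{quote(k)}={quote(v)}" for k, v in sorted(params.items()))
    # x-k8s-aws-id is a signed header: the API server verifies it matches the cluster name
    canonical_request = "\n".join(["GET", "/", canonical_qs,
                                   f"host:{host}\nx-k8s-aws-id:{cluster_name}\n",
                                   "host;x-k8s-aws-id", EMPTY_SHA256])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode(), date),
                                  region), "sts"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()
    url = f"https://{host}/?{canonical_qs}&X-Amz-Signature={signature}"
    # Token = "k8s-aws-v1." + base64url(url) with the "=" padding stripped
    return "k8s-aws-v1." + base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")

def decode_token(token):
    """Recover the presigned URL from a token (useful when checking what the client sends)."""
    body = token[len("k8s-aws-v1."):]
    return base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)).decode()
```

The token is only valid for the 60 seconds in X-Amz-Expires, so build it per invocation rather than caching it across Lambda calls.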
