Assigning an AWS IAM role to an AWS EKS Jenkins Agent Pod
I am running a Jenkins master on AWS EKS with several different agent configurations. Jenkins starts new pods just fine. The problem is when I try to assign an IAM role to that pod through a service account: it simply does not pick it up. It worked two days ago, but I had to delete the jenkins_home directory, so I started from scratch again.
The service account looks like this:
```console
$ kubectl get serviceaccount -n jenkins jenkins-agents -o yaml
apiVersion: v1
automountServiceAccountToken: false
kind: ServiceAccount
metadata:
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::1111111111111:role/clz_deployer_role
  creationTimestamp: "2020-09-22T15:19:55Z"
  name: jenkins-agents
  namespace: jenkins
  resourceVersion: "145998"
  selfLink: /api/v1/namespaces/jenkins/serviceaccounts/jenkins-agents
  uid: 8d55df19-140d-4703-bc61-886a25a20eac
secrets:
- name: jenkins-agents-token-mmxb8
```
I pass the service account name into the pod configuration:
```yaml
metadata:
  labels:
    jenkins/label: jenkins-slave-aws-cli
  name: awsclislave
  # annotations:
  #   eks.amazonaws.com/role-arn: arn:aws:iam::1111111111111:role/clz_deployer_role
spec:
  containers:
  - image: pquery/jnlp-slave-docker:latest
    imagePullPolicy: IfNotPresent
    name: awsclislave
    command:
    - cat
    resources:
      limits:
        memory: 512Mi
        cpu: 512m
      requests:
        memory: 512Mi
        cpu: 512m
    tty: true
    volumeMounts:
    - mountPath: /home/jenkins
      name: workspace-volume
      readOnly: false
    workingDir: /home/jenkins
  hostNetwork: false
  nodeSelector:
    kubernetes.io/os: linux
  restartPolicy: Never
  serviceAccount: jenkins-agents
  volumes:
  - emptyDir:
      medium: ""
    name: workspace-volume
```
I also tried using the annotations (the commented-out lines above), but that did not work either. The error message is always the same:
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:sts::1111111111111:assumed-role/shared_services20200922074522597500000008/i-0c1c41c96e96e82df is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::2222222222222:role/clz_aws_cicd_access (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: bfe43133-13c1-4cdb-b4b9-626cf11def58; Proxy: null)
It is trying to perform the action with the instance role instead of the role attached to the service account. Does anyone know what the problem is?
The problem was in the trust relationship of the clz_deployer_role IAM role, where the namespace was wrong. More specifically, the inner condition:
```json
"Condition": {
  "StringEquals": {
    "oidc.eks.eu-west-1.amazonaws.com/id/C1B7F80BE15AC5C89956D55EF7E3FFC5:sub": "system:serviceaccount:jenkins:jenkins-agents"
  }
}
```
The "system:serviceaccount:jenkins:jenkins-agents" string was "system:serviceaccount::<service_account_name>" with the namespace pointing at "default"; now that it is "jenkins" it works just fine.
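The mismatch the answer describes (trust policy pinned to one namespace, pod running in another) is easy to check offline before touching the cluster. The script below is an added example, not code from the thread: it reuses the OIDC provider host and account id quoted above, builds two constructed trust policies (one with the wrong `default` namespace, one corrected to `jenkins`), and evaluates whether a pod running as a given namespace/service account would be admitted by the `:sub` and `:aud` conditions. It also shows how to read the `sub` claim out of a projected service-account token (payload decode only; no signature verification, which STS performs). The `trust_policy` and `sample_token` helpers are constructed for the example and are not part of any AWS API.

```python
"""Check an IRSA trust policy against the service account a pod actually runs as.

Added example (not from the original post). OIDC host and account id are the
ones quoted in the thread; the policy documents are constructed samples.
"""
import base64
import fnmatch
import json

OIDC_HOST = "oidc.eks.eu-west-1.amazonaws.com/id/C1B7F80BE15AC5C89956D55EF7E3FFC5"
PROVIDER_ARN = f"arn:aws:iam::1111111111111:oidc-provider/{OIDC_HOST}"


def trust_policy(subject, aud="sts.amazonaws.com"):
    """Constructed IRSA trust policy admitting exactly one service-account subject."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {
                f"{OIDC_HOST}:sub": subject,
                f"{OIDC_HOST}:aud": aud,
            }},
        }],
    }


# Wrong namespace, as in the accepted answer, next to the corrected policy.
BROKEN_POLICY = trust_policy("system:serviceaccount:default:jenkins-agents")
FIXED_POLICY = trust_policy("system:serviceaccount:jenkins:jenkins-agents")


def expected_subject(namespace, service_account):
    """The `sub` claim EKS places in the projected token for this service account."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_allows(stmt, subject):
    """(allowed, finding) for one statement of the trust policy."""
    if stmt.get("Effect") != "Allow":
        return False, None
    if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action", [])):
        return False, None
    if PROVIDER_ARN not in _as_list(stmt.get("Principal", {}).get("Federated", [])):
        return False, None
    cond = stmt.get("Condition", {})
    sub_key, aud_key = f"{OIDC_HOST}:sub", f"{OIDC_HOST}:aud"
    equals, like = cond.get("StringEquals", {}), cond.get("StringLike", {})
    if sub_key not in equals and sub_key not in like:
        # No subject restriction at all: every pod in the cluster qualifies.
        return True, "no :sub condition; any service account in the cluster could assume the role"
    # StringLike uses * and ? wildcards; fnmatchcase covers those.
    matched = subject in _as_list(equals.get(sub_key, [])) or any(
        fnmatch.fnmatchcase(subject, pat) for pat in _as_list(like.get(sub_key, [])))
    if not matched:
        want = _as_list(equals.get(sub_key) or like.get(sub_key))
        return False, f":sub condition {want} does not match {subject}"
    auds = _as_list(equals.get(aud_key, ["sts.amazonaws.com"]))
    if "sts.amazonaws.com" not in auds:
        return False, f":aud condition {auds} does not include sts.amazonaws.com"
    return True, None


def check_trust_policy(policy, namespace, service_account):
    """Return (allowed, findings) for a pod running as namespace/service_account."""
    subject = expected_subject(namespace, service_account)
    allowed, findings = False, []
    for stmt in policy.get("Statement", []):
        ok, note = _statement_allows(stmt, subject)
        allowed = allowed or ok
        if note:
            findings.append(note)
    return allowed, findings


def subject_from_token(token):
    """Read `sub` from a projected token's payload (no signature check; for
    comparing claims only). In a pod the token is mounted at
    /var/run/secrets/eks.amazonaws.com/serviceaccount/token."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))["sub"]


def sample_token(subject):
    """Constructed, unsigned token with the shape of the projected token."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'RS256'})}.{b64({'sub': subject, 'aud': ['sts.amazonaws.com']})}.sig"


if __name__ == "__main__":
    sub = subject_from_token(sample_token(expected_subject("jenkins", "jenkins-agents")))
    print("token sub:", sub)
    for name, pol in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(name, check_trust_policy(pol, "jenkins", "jenkins-agents"))
```

Run it as-is and the "broken" policy reports that the `:sub` value pinned to `default` does not match `system:serviceaccount:jenkins:jenkins-agents`, while the "fixed" policy is allowed with no findings. To check a real role, replace the constructed policy with the output of `aws iam get-role --role-name clz_deployer_role` (the `AssumeRolePolicyDocument` field) and the namespace/name with the values from `kubectl get pod ... -o yaml`.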
Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you repost them, please credit this site or the original URL. For any questions contact: yoyou2525@163.com.