Kops nginx-Ingress controller fails to create AWS Network Load Balancer due to permission issue
I created my Kubernetes cluster on AWS using kops. The cluster was created successfully.
When I try to deploy nginx-ingress-controller with a Network Load Balancer from AWS, it shows a not authorized
error. I am stuck and not sure what this error indicates.
$ kubectl -n nginx-ingress get service
NAME                                    TYPE           CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
lb-ingress-nginx-controller             LoadBalancer   100.65.99.173   <pending>     80:30319/TCP,443:31790/TCP   25m
lb-ingress-nginx-controller-admission   ClusterIP      100.65.34.134   <none>        443/TCP                      25m
$ kubectl -n nginx-ingress get service lb-ingress-nginx-controller -o yaml
apiVersion: v1
kind: Service
metadata:
  annotations:
    meta.helm.sh/release-name: lb
    meta.helm.sh/release-namespace: nginx-ingress
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
  creationTimestamp: "2022-04-07T16:56:28Z"
  finalizers:
  - service.kubernetes.io/load-balancer-cleanup
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: lb
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.1.3
    helm.sh/chart: ingress-nginx-4.0.19
  name: lb-ingress-nginx-controller
  namespace: nginx-ingress
  resourceVersion: "5087"
  uid: bf1a7ae0-6ab4-4164-b739-8d0966ea47d6
spec:
  allocateLoadBalancerNodePorts: true
  clusterIP: 100.65.99.173
  clusterIPs:
  - 100.65.99.173
  externalTrafficPolicy: Cluster
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - appProtocol: http
    name: http
    nodePort: 30319
    port: 80
    protocol: TCP
    targetPort: http
  - appProtocol: https
    name: https
    nodePort: 31790
    port: 443
    protocol: TCP
    targetPort: https
  selector:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: lb
    app.kubernetes.io/name: ingress-nginx
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer: {}
In the events I can see:
$ kubectl get events -n nginx-ingress
26m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: 91efdfe4-5c0d-48c5-b38d-5d4c11042c43"
26m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: 30d00f40-1f23-47ef-bda5-8ec255df40fa"
26m Normal CREATE configmap/lb-ingress-nginx-controller ConfigMap nginx-ingress/lb-ingress-nginx-controller
26m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: d346cebd-2a17-4682-a425-969d86380159"
25m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: 8942201d-a51d-4464-acc1-edc2db92e455"
25m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: c6992eff-8bcb-4613-b0de-4f51d1642fe8"
23m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: c089e12d-0e81-4c70-ba67-129f9235b0f4"
21m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: ae9c57d6-1d4c-4ec8-b5c1-e47adf681bc5"
16m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: cb3bcc2c-8ff9-4daa-99d9-6c9f1846e9b9"
11m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: 9bb449ee-b245-47c0-bc9b-20694d33ccf4"
69s Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller (combined from similar events): Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: 9f771f53-786b-4af2-b4e7-37e289084b3d"
Do you recognise the IAM role masters.kops.example.com? You have a component that assumes an IAM role named masters.kops.example.com, and that role does not have sufficient permissions, specifically for ec2:DescribeInternetGateways.
The kops user will need the following IAM permissions to function correctly:
AmazonEC2FullAccess
AmazonRoute53FullAccess
AmazonS3FullAccess
IAMFullAccess
AmazonVPCFullAccess
AmazonSQSFullAccess
AmazonEventBridgeFullAccess
The ec2:DescribeInternetGateways permission is a subset of the permissions in the AmazonEC2FullAccess managed role.
Did you create the correct IAM role for the kops user?
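Added example, not part of the question or the answer above. The principal named in the AccessDenied events is the STS session of the masters.kops.example.com instance role (the session name is the EC2 instance id), so that role is the one whose policy must carry the action; kops lets you attach extra statements to it through spec.additionalPolicies in the cluster spec rather than by widening the role to a FullAccess policy. The script below parses kubectl event lines of the shape shown in the question, groups the denied actions per role, renders the least-privilege statement to merge into the cluster spec, and builds the aws iam simulate-principal-policy command to confirm the role now allows the action before retrying. Assumptions: the sample event text is constructed from the question's output with request ids shortened, plus one made-up ec2:DescribeVpcs line to show grouping; the mapping of masters./nodes. role names to the additionalPolicies keys master/node follows the kops convention of that release line (newer kops uses control-plane); nothing here calls AWS.

```python
"""Turn kubectl AccessDenied events into a least-privilege kops policy snippet.

Added example, not from the question or answer. Input is constructed from the
question's event output; nothing here talks to AWS.
"""
import json
import re
from dataclasses import dataclass
from typing import Dict, List, Set

# Matches the AccessDenied message the AWS cloud provider embeds in the event.
# The principal is an STS assumed-role ARN: the IAM role name is the segment
# after "assumed-role/", the EC2 instance id is the session name after it.
ACCESS_DENIED_RE = re.compile(
    r"AccessDenied: User: arn:aws:sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<role>[^/\s]+)/(?P<session>\S+) is not authorized to perform: "
    r"(?P<action>[a-z0-9-]+:[A-Za-z0-9*]+)"
)

# Constructed sample: two lines copied from the question (request ids
# shortened), one unrelated Normal event that must be ignored, and one
# made-up ec2:DescribeVpcs denial to show that actions are grouped per role.
SAMPLE_EVENTS = r"""26m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: 91efdfe4"
26m Normal CREATE configmap/lb-ingress-nginx-controller ConfigMap nginx-ingress/lb-ingress-nginx-controller
25m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: 8942201d"
20m Warning SyncLoadBalancerFailed service/lb-ingress-nginx-controller Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::944675846918:assumed-role/masters.kops.example.com/i-01bf8acf72b2ed01d is not authorized to perform: ec2:DescribeVpcs\n\tstatus code: 403, request id: 00000000"
"""


@dataclass(frozen=True)
class Denial:
    account: str
    role: str
    session: str
    action: str


def parse_denials(events_text: str) -> List[Denial]:
    """Extract one Denial per event line that carries an AccessDenied message."""
    denials = []
    for line in events_text.splitlines():
        match = ACCESS_DENIED_RE.search(line)
        if match:
            denials.append(Denial(**match.groupdict()))
    return denials


def denied_actions_by_role(events_text: str) -> Dict[str, Set[str]]:
    """Group the denied IAM actions by the role name they were denied for."""
    grouped: Dict[str, Set[str]] = {}
    for d in parse_denials(events_text):
        grouped.setdefault(d.role, set()).add(d.action)
    return grouped


def iam_role_arn(account: str, role: str) -> str:
    """IAM role ARN for the policy simulator. The STS assumed-role ARN in the
    event names a session, not the role, and is not a valid policy source."""
    return f"arn:aws:iam::{account}:role/{role}"


def policy_statements(actions: Set[str]) -> List[dict]:
    """Minimal Allow statement: only the denied actions, nothing broader.
    EC2 Describe* actions do not support resource-level restriction, so "*"."""
    return [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}]


def kops_policy_key(role: str) -> str:
    """Map the kops role name to the spec.additionalPolicies key.
    Assumption: kops names the roles masters.<cluster> / nodes.<cluster> and
    this release line uses the keys master / node (newer kops: control-plane)."""
    if role.startswith("masters."):
        return "master"
    if role.startswith("nodes."):
        return "node"
    raise ValueError(f"not a kops-managed instance role: {role}")


def render_kops_snippet(key: str, statements: List[dict]) -> str:
    """YAML fragment to merge into the cluster spec with `kops edit cluster`."""
    body = json.dumps(statements, indent=2)
    indented = "\n".join("      " + line for line in body.splitlines())
    return f"spec:\n  additionalPolicies:\n    {key}: |\n{indented}\n"


def simulate_command(account: str, role: str, actions: Set[str]) -> List[str]:
    """argv for the IAM policy simulator check to run before retrying the LB."""
    return ["aws", "iam", "simulate-principal-policy",
            "--policy-source-arn", iam_role_arn(account, role),
            "--action-names", *sorted(actions)]


if __name__ == "__main__":
    denials = parse_denials(SAMPLE_EVENTS)
    account = denials[0].account
    for role, actions in denied_actions_by_role(SAMPLE_EVENTS).items():
        print(render_kops_snippet(kops_policy_key(role), policy_statements(actions)))
        print(" ".join(simulate_command(account, role, actions)))
```

Feed it the real output of `kubectl get events -n nginx-ingress` instead of SAMPLE_EVENTS, merge the printed fragment into the cluster spec with `kops edit cluster`, apply it with `kops update cluster --yes`, and only then run the printed simulate-principal-policy command: an `EvalDecision` of `allowed` for every action means the next reconcile of the Service should get past the 403 without the control-plane role ever holding AmazonEC2FullAccess.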