EKS Unauthorized
  1. Create the cluster. This time it was created with a colleague's IAM account. By default, only the creator of a newly created EKS cluster can access it; any other IAM account (mine, for example) needs one extra step.
    [centos@ip-10-100-4-240 ~]$ cat /data/shelley/cluster.yaml
    apiVersion: eksctl.io/v1alpha5
    kind: ClusterConfig
    metadata:
      name: cs-k8s-cluster
      region: us-west-2
      version: '1.16'
      tags:
        'Owner': 'SoftwareDevDept'
    vpc:
      id: "vpc-05b756b29c94fef66"   # (optional, must match VPC ID used for each subnet below)
      cidr: "10.100.0.0/16"         # (optional, must match CIDR used by the given VPC)
      subnets:
        # must provide 'private' and/or 'public' subnets by availability zone as shown
        public:
          us-west-2a:
            id: "subnet-093837539ccacaae8"
            cidr: "10.100.0.0/19"   # (optional, must match CIDR used by the given subnet)
          us-west-2b:
            id: "subnet-0b6b35e29c009928a"
            cidr: "10.100.32.0/19"  # (optional, must match CIDR used by the given subnet)
          us-west-2c:
            id: "subnet-01e3bfde4755f67e2"
            cidr: "10.100.64.0/19"  # (optional, must match CIDR used by the given subnet)
          us-west-2d:
            id: "subnet-0286c131713e85585"
            cidr: "10.100.96.0/19"  # (optional, must match CIDR used by the given subnet)
        private:
          us-west-2a:
            id: "subnet-0ca641ee980ff32f9"
            cidr: "10.100.128.0/19" # (optional, must match CIDR used by the given subnet)
          us-west-2b:
            id: "subnet-08c29d1387063d44e"
            cidr: "10.100.160.0/19" # (optional, must match CIDR used by the given subnet)
          us-west-2c:
            id: "subnet-09c6c0901fb5237a4"
            cidr: "10.100.192.0/19" # (optional, must match CIDR used by the given subnet)
          us-west-2d:
            id: "subnet-00d5c0082c082cf54"
            cidr: "10.100.224.0/19" # (optional, must match CIDR used by the given subnet)

    iam:
      serviceRoleARN: "arn:aws:iam::211394563914:role/eksServiceRole"
    managedNodeGroups:
      - name: managed-public
        labels: { role: public }
        availabilityZones: ["us-west-2a", "us-west-2b", "us-west-2c", "us-west-2d"]
        instanceType: t2.medium
        minSize: 1
        maxSize: 5
        desiredCapacity: 1
        volumeSize: 100
        tags:
          'Owner': 'SoftwareDevDept'
          'snapshot_days': '7'
        ssh:
          allow: true
          publicKeyName: "Oregon_k8s"
          sourceSecurityGroupIds: ["sg-029e90d289e61032a"]
      - name: managed-private
        labels: { role: private }
        availabilityZones: ["us-west-2a", "us-west-2b", "us-west-2c", "us-west-2d"]
        instanceType: t2.medium
        privateNetworking: true
        minSize: 1
        maxSize: 10
        desiredCapacity: 1
        volumeSize: 100
        tags:
          'Owner': 'SoftwareDevDept'
          'snapshot_days': '7'
        ssh:
          allow: true
          publicKeyName: "Oregon_k8s"
          sourceSecurityGroupIds: ["sg-029e90d289e61032a"]
    cloudWatch:
      clusterLogging:
        # enable specific types of cluster control plane logs
        enableTypes: ["audit", "authenticator", "controllerManager", "api", "scheduler"]
        # all supported types: "api", "audit", "authenticator", "controllerManager", "scheduler"
        # supported special values: "*" and "all"
    [centos@ip-10-100-4-240 ~]$ eksctl create cluster -f cluster.yaml
  2. Following the official documentation, add your own IAM user to the system:masters administrator group.
    kubectl edit -n kube-system configmap/aws-auth

Add the following user entry:

    apiVersion: v1
    data:
      mapUsers: |
        - userarn: arn:aws:iam::111122223333:user/chandler.guo
          username: chandler.guo
          groups:
            - system:masters

Here the question arises: what if I only want to grant view permission? How should that be handled?
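One way to answer that question, as an added example that is not part of the original post: map the IAM user to a custom Kubernetes group in aws-auth instead of system:masters, and bind that group to the built-in read-only `view` ClusterRole. The account id 111122223333, the user name `readonly.user` and the group name `eks-viewers` are assumed placeholders; the `view` ClusterRole and the `ClusterRoleBinding` kind are standard Kubernetes RBAC objects.

```yaml
# Added example, not the original post's configuration.
# Part 1: the aws-auth entry. Add this mapUsers item to the EXISTING ConfigMap
# (kubectl edit -n kube-system configmap/aws-auth); do not replace the whole
# ConfigMap, because its mapRoles section is what lets worker nodes join.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapUsers: |
    - userarn: arn:aws:iam::111122223333:user/readonly.user   # assumed placeholder ARN
      username: readonly.user                                 # assumed placeholder name
      groups:
        - eks-viewers        # a custom group, NOT system:masters
---
# Part 2: RBAC. Bind the custom group to the built-in "view" ClusterRole,
# which grants read-only access to most namespaced resources in every namespace.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: eks-viewers-view
subjects:
  - kind: Group
    name: eks-viewers        # must match the group name used in aws-auth
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: view                 # built-in read-only role
  apiGroup: rbac.authorization.k8s.io
```

Two checks a practitioner would run after applying this: `kubectl auth can-i list pods --as=readonly.user --as-group=eks-viewers` should answer `yes`, and `kubectl auth can-i delete pods --as=readonly.user --as-group=eks-viewers` should answer `no`. Two caveats: the built-in `view` role deliberately excludes Secrets, so a viewer mapped this way cannot read them, and if read access should be limited to one namespace, use a `RoleBinding` in that namespace (still referencing the `view` ClusterRole) instead of a cluster-wide `ClusterRoleBinding`.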

  1. On the local machine, generate the kubeconfig with the AWS CLI.

    aws eks --region us-west-2 update-kubeconfig --name cs-k8s-cluster

  2. Review:

    When a client calls the EKS API service, kubectl first calls the Kubernetes API; AWS identity (IAM) verifies the caller's identity first, and only after authentication succeeds is the request passed on to the EKS cluster, where native Kubernetes RBAC handles authorization before the response is returned to the client.

    (figure omitted: image-20200619094809050)

    On this basis, I raise another question

Author: Chandler Kwok
Link: http://yoursite.com/2020/06/09/EKS-Unauthorized/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless otherwise stated.