kubectl needs credentials: You must be logged in to the server
Question
When I run the command `kubectl get svc` from the tutorial I'm following, I get:

```
error: You must be logged in to the server (the server has asked for the client to provide credentials).
```

When I look at my `~/.kube/config` file all looks good. The user there is the exact same one that I used to create the cluster in the first place.

So I see two options:

- The user has no IAM policy that allows it to run `kubectl get svc`, which is very probably because all my problems are from IAM.
- It has something to do with the IAM principal.

So my questions are: what IAM policies do I need to run `kubectl get svc`, or alternatively, how do I add an IAM principal to the EKS cluster? The doc is using kubectl to add the IAM principal to the cluster which... that's a loop with no end in sight.
Answer 1
Score: 1
Here are some troubleshooting steps which you can try to fix the error:

- Check if the credentials or certificates are expired. Try running

  ```
  $ gcloud container clusters get-credentials [cluster-name]
  ```

  While renewing Kubernetes certificates, replace the values `client-certificate-data` and `client-key-data` in file `~/.kube/config` with the values of the same name from the updated file `/etc/kubernetes/kubelet.conf`.

- The authentication is related to one of the pods which is using a service account that has issues like an invalid token.

- When an EKS cluster is created, the user (or role) that creates the cluster is automatically granted the `system:masters` permissions in the cluster's RBAC configuration. Other users or roles that need the ability to interact with your cluster need to be added explicitly. Refer to the link here for the related info.

You can also refer to this GitHub link for additional information.
Answer 2
Score: 0
So the problem is that the user in the `aws` CLI is an IAM user, but the user creating the cluster in the AWS web UI is the root user as per instructions.

Therefore what you need to do is, instead of doing this in your web console UI, you need to create the cluster using your `aws` CLI:

```shell
aws eks create-cluster --region region-code --name my-cluster --kubernetes-version 1.27 \
  --role-arn arn:aws:iam::111122223333:role/myAmazonEKSClusterRole \
  --resources-vpc-config subnetIds=subnet-ExampleID1,subnet-ExampleID2,securityGroupIds=sg-ExampleID1
```

You need to substitute the subnet IDs and security groups with the ones you created in the previous steps in the original tutorial.

Also, you will need to give the `aws` CLI user/group a few additional permissions like pass role and a few others too...

P.S. I do not understand why in the AWS introduction tutorial there is such a monumental error regarding the RBAC permissions of Kubernetes; it's a fact: "When you create an Amazon EKS cluster, the IAM principal that creates the cluster is automatically granted system:masters permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane. This principal doesn't appear in any visible configuration, so make sure to keep track of which principal originally created the cluster." It's a really crazy error on the part of the person creating the tutorial.

Also, here is a guide on how to add additional IAM users to the EKS cluster so that they too can use kubectl and access your cluster.
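The root cause both answers circle around is an identity mismatch: the principal the AWS CLI signs requests with is not the principal the cluster recognises, and the creating principal never shows up in any configuration. The following Python is an added diagnostic for that check; it is not code from the question, either answer, or AWS. It consumes the JSON printed by two real commands, `aws sts get-caller-identity --output json` and `kubectl -n kube-system get configmap aws-auth -o json`, and reports whether the calling identity has an entry in `aws-auth` and which Kubernetes groups it is mapped to. The two inputs embedded below are constructed samples; the account id, user and role names are placeholders. The `canonical_arn` helper rewrites the `assumed-role` ARN that STS reports into the IAM role ARN that `aws-auth` lists and drops IAM paths, which `aws-auth` entries are written without. The parser handles only the flat list form that `aws-auth` uses for `mapRoles`/`mapUsers`, so no YAML library is needed.

```python
"""Added diagnostic for the EKS 'You must be logged in to the server' error.

Compares the identity the AWS CLI actually signs with (output of
`aws sts get-caller-identity`) against the aws-auth ConfigMap
(`kubectl -n kube-system get configmap aws-auth -o json`).
Both inputs below are constructed samples with placeholder names."""
import json
import re

# Constructed: what `aws sts get-caller-identity --output json` returns
# for the IAM user configured in the CLI (placeholder account and user).
CALLER_IDENTITY_JSON = json.dumps({
    "UserId": "AIDAEXAMPLEUSERID",
    "Account": "111122223333",
    "Arn": "arn:aws:iam::111122223333:user/eks-tutorial-user",
})

# Constructed: `kubectl -n kube-system get configmap aws-auth -o json`.
# mapRoles/mapUsers are YAML strings embedded in the JSON, as on a real cluster.
AWS_AUTH_CONFIGMAP_JSON = json.dumps({
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "aws-auth", "namespace": "kube-system"},
    "data": {
        "mapRoles": (
            "- rolearn: arn:aws:iam::111122223333:role/myAmazonEKSNodeRole\n"
            "  username: system:node:{{EC2PrivateDNSName}}\n"
            "  groups:\n"
            "    - system:bootstrappers\n"
            "    - system:nodes\n"
        ),
        "mapUsers": (
            "- userarn: arn:aws:iam::111122223333:user/ops-admin\n"
            "  username: ops-admin\n"
            "  groups:\n"
            "    - system:masters\n"
        ),
    },
})

ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d+):assumed-role/([^/]+)/.+$")
IAM_PRINCIPAL = re.compile(r"^arn:aws:iam::(\d+):(user|role)/(?:.*/)?([^/]+)$")


def canonical_arn(arn: str) -> str:
    """Rewrite an STS-reported ARN into the form aws-auth expects.

    STS reports an assumed role as arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION,
    while aws-auth mapRoles lists arn:aws:iam::ACCOUNT:role/ROLE. IAM paths are
    dropped too, because aws-auth entries are written without them."""
    m = ASSUMED_ROLE.match(arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    m = IAM_PRINCIPAL.match(arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:{m.group(2)}/{m.group(3)}"
    return arn  # e.g. the account root, returned unchanged


def parse_aws_auth_entries(block: str) -> list:
    """Parse the flat YAML list used by aws-auth mapRoles/mapUsers.

    Handles exactly the subset aws-auth uses: '- key: value' opens an entry,
    '  key: value' adds a scalar, and '  groups:' followed by '    - name'
    lines adds a list. Anything else is rejected rather than guessed at."""
    entries, current, list_key = [], None, None
    for raw in block.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        indent = len(raw) - len(raw.lstrip())
        if indent == 0 and stripped.startswith("- "):
            current, list_key = {}, None
            entries.append(current)
            stripped = stripped[2:]
        elif stripped.startswith("- ") and list_key is not None:
            current[list_key].append(stripped[2:].strip())
            continue
        key, sep, value = stripped.partition(":")
        if not sep or current is None:
            raise ValueError(f"unexpected aws-auth line: {raw!r}")
        key, value = key.strip(), value.strip()
        if value:
            current[key] = value
        else:
            list_key = key
            current[key] = []
    return entries


def diagnose(caller_identity_json: str, aws_auth_json: str) -> dict:
    """Report whether the CLI identity is mapped in aws-auth, and to what."""
    arn = canonical_arn(json.loads(caller_identity_json)["Arn"])
    data = json.loads(aws_auth_json).get("data", {})
    entries = (parse_aws_auth_entries(data.get("mapRoles", ""))
               + parse_aws_auth_entries(data.get("mapUsers", "")))
    for entry in entries:
        if entry.get("rolearn", entry.get("userarn")) == arn:
            return {"arn": arn, "mapped": True,
                    "username": entry.get("username"),
                    "groups": entry.get("groups", [])}
    # Not mapped: either this is the principal that created the cluster
    # (never shown in aws-auth) or it has no access and needs an entry.
    return {"arn": arn, "mapped": False, "username": None, "groups": []}


if __name__ == "__main__":
    print(json.dumps(diagnose(CALLER_IDENTITY_JSON, AWS_AUTH_CONFIGMAP_JSON), indent=2))
```

Run the two commands against the real cluster with the profile `kubectl` uses, save their output, and pass the two strings to `diagnose()`. With the constructed sample the tutorial user comes back unmapped, which is exactly the situation in the question: it is not the creator (the root user was), and it has no `aws-auth` entry either. Note that reading `aws-auth` already requires cluster access, so the ConfigMap has to be fetched by a principal that can authenticate, normally the one that created the cluster; that dependency is the loop the question describes, and the way out is to create the cluster with the same principal the CLI uses, as answer 2 says, or to have the creator add the mapping.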