英文:
Relationship between IAM roles and RBAC in Kubernetes
问题
与我主要使用的角色和K8s中的RBAC之间有什么关系?
具体来说,当我运行 kubectl describe -n kube-system configmap/aws-auth 命令时,我在这里看到了这个角色:myAmazonEKSNodeRole,如 此处 所描述的。
但是,当我查看AWS IAM控制台中的角色权限时,我期望看到以下内容:
[jenia@archlinux ibn-battuta]$ kubectl get rolebindings -ANAMESPACE NAME ROLE AGEkube-public system:controller:bootstrap-signer Role/system:controller:bootstrap-signer 11dkube-system eks-vpc-resource-controller-rolebinding Role/eks-vpc-resource-controller-role 11dkube-system eks:addon-manager Role/eks:addon-manager 11dkube-system eks:authenticator Role/eks:authenticator 11dkube-system eks:az-poller Role/eks:az-poller 11dkube-system eks:certificate-controller Role/eks:certificate-controller 11dkube-system eks:cloud-controller-manager:apiserver-authentication-reader Role/extension-apiserver-authentication-reader 11dkube-system eks:fargate-manager Role/eks:fargate-manager 11dkube-system eks:k8s-metrics Role/eks:k8s-metrics 11dkube-system eks:node-manager Role/eks:node-manager 11dkube-system eks:service-operations Role/eks:service-operations-configmaps 11dkube-system system::extension-apiserver-authentication-reader Role/extension-apiserver-authentication-reader 11dkube-system system::leader-locking-kube-controller-manager Role/system::leader-locking-kube-controller-manager 11dkube-system system::leader-locking-kube-scheduler Role/system::leader-locking-kube-scheduler 11dkube-system system:controller:bootstrap-signer Role/system:controller:bootstrap-signer 11dkube-system system:controller:cloud-provider Role/system:controller:cloud-provider 11dkube-system system:controller:token-cleaner Role/system:controller:token-cleaner 11d
但是在IAM控制台中,我看到的是这个:
"ecr:GetAuthorizationToken","ecr:BatchCheckLayerAvailability","ecr:GetDownloadUrlForLayer","ecr:GetRepositoryPolicy","ecr:DescribeRepositories","ecr:ListImages","ecr:DescribeImages","ecr:BatchGetImage","ecr:GetLifecyclePolicy","ecr:GetLifecyclePolicyPreview","ecr:ListTagsForResource","ecr:DescribeImageScanFindings"
在IAM控制台中,似乎完全没有与CLI角色 myAmazonEKSNodeRole 在K8s集群中的RBAC权限之间的连接。这令人困惑。我如何控制特定IAM角色在我的K8s集群中具有哪些权限?
英文:
What is the relationship between the role my principal is using and the RBAC in k8s?
Specifically, when I do kubectl describe -n kube-system configmap/aws-auth I see this role: myAmazonEKSNodeRole as described here.
But when I look in the role permission in AWS IAM console, I expect to see this:
[jenia@archlinux ibn-battuta]$ kubectl get rolebindings -ANAMESPACE NAME ROLE AGEkube-public system:controller:bootstrap-signer Role/system:controller:bootstrap-signer 11dkube-system eks-vpc-resource-controller-rolebinding Role/eks-vpc-resource-controller-role 11dkube-system eks:addon-manager Role/eks:addon-manager 11dkube-system eks:authenticator Role/eks:authenticator 11dkube-system eks:az-poller Role/eks:az-poller 11dkube-system eks:certificate-controller Role/eks:certificate-controller 11dkube-system eks:cloud-controller-manager:apiserver-authentication-reader Role/extension-apiserver-authentication-reader 11dkube-system eks:fargate-manager Role/eks:fargate-manager 11dkube-system eks:k8s-metrics Role/eks:k8s-metrics 11dkube-system eks:node-manager Role/eks:node-manager 11dkube-system eks:service-operations Role/eks:service-operations-configmaps 11dkube-system system::extension-apiserver-authentication-reader Role/extension-apiserver-authentication-reader 11dkube-system system::leader-locking-kube-controller-manager Role/system::leader-locking-kube-controller-manager 11dkube-system system::leader-locking-kube-scheduler Role/system::leader-locking-kube-scheduler 11dkube-system system:controller:bootstrap-signer Role/system:controller:bootstrap-signer 11dkube-system system:controller:cloud-provider Role/system:controller:cloud-provider 11dkube-system system:controller:token-cleaner Role/system:controller:token-cleaner 11d
But instead in the IAM console I see this:
"ecr:GetAuthorizationToken","ecr:BatchCheckLayerAvailability","ecr:GetDownloadUrlForLayer","ecr:GetRepositoryPolicy","ecr:DescribeRepositories","ecr:ListImages","ecr:DescribeImages","ecr:BatchGetImage","ecr:GetLifecyclePolicy","ecr:GetLifecyclePolicyPreview","ecr:ListTagsForResource","ecr:DescribeImageScanFindings"
There seems to be no connection whatsoever between the permissions in the IAM console for the CLI role myAmazonEKSNodeRole and the RBAC in k8s. This is puzzling. How do I control which permission a specific IAM role has in my k8s cluster?
答案1
得分: 2
The aws-auth ConfigMap maintains a mapping between IAM principles and Kubernetes RBAC groups. Granting access to EKS clusters is a multi-step process.
- 创建一个集群角色或角色,定义 RBAC 权限
- 创建一个集群角色绑定或角色绑定,将集群角色或角色与 RBAC 组关联
- 向 aws-auth ConfigMap 添加一个条目,将 IAM 原则映射到 RBAC 组,例如 system:masters
虽然可以手动更新 aws-auth ConfigMap,但我建议使用 eksctl 或 aws-iam-authenticator,因为使用这些工具更不容易损坏 aws-auth ConfigMap。
在 AWS 控制台中查看的角色是分配给工作节点的 IAM 角色。它需要这些权限来从 ECR 拉取镜像。
英文:
The aws-auth ConfigMap maintains a mapping between IAM principles and Kubernetes RBAC groups. Granting access to EKS clusters is a multi-step process.
- Create a cluster role or a role that defines the RBAC permissions
- Create a cluster role binding or role binding that associates the cluster role or role with an RBAC group
- Add an entry to the aws-auth ConfigMap that maps an IAM principle to an RBAC group, e.g. system:masters
While its possible to update the aws-auth ConfigMap manually, I recommend using eksctl or the aws-iam-authenticator instead because you're less likely to corrupt your aws-auth ConfigMap with those tools.
The role you're looking at in the AWS console is the IAM role assigned to the worker node. It needs those permissions to fetch images from ECR.
答案2
得分: 0
答案是:当您创建一个Amazon EKS集群时,创建集群的IAM主体会自动在Amazon EKS控制平面的集群基于角色的访问控制(RBAC)配置中被授予system:masters权限。
英文:
The answer is: When you create an Amazon EKS cluster, the IAM principal that creates the cluster is automatically granted system:masters permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论