Managing an AWS EKS cluster is somewhat more involved and stricter than Alibaba Cloud ACK: the kubeconfig file has to be obtained from a trusted environment, and inside the cluster the user/role must additionally be bound and authorized.
Configure the aws cli tool
Install aws-cli
# Ubuntu
$ apt install awscli
# Centos
$ yum install awscli
# Alpine
$ apk add aws-cli
Configure aws-cli
$ aws configure
Enter the access key, secret key and region; for the output format, json is recommended. Then check the caller's identity.
$ aws sts get-caller-identity
{
    "UserId": "AIDA22TMKIAK23NRY7I2U",
    "Account": "74433**59173",
    "Arn": "arn:aws:iam::74433**59173:user/username@myemail.com"
}
Note down the user's ARN; it is needed later.
Grant the AWS user/role permission to view the cluster
Grant the user/role permission to access the cluster. Without it, the call fails with:
An error occurred (AccessDeniedException) when calling the DescribeCluster operation: User: arn:aws:sts::74433**59173:assumed-role/dev_ec2_role/i-05a47d36f6ce1b8a0 is not authorized to perform: eks:DescribeCluster on resource: arn:aws:eks:us-east-1:74433**59173:cluster/my-eks-name
Obtain the kubeconfig file
Obtain the EKS cluster's kubeconfig file with the aws command
$ aws eks update-kubeconfig --region us-east-1 --name my-eks-name
Updated context arn:aws:eks:us-east-1:74433**59173:cluster/my-eks-name in /home/ubuntu/.kube/config
Authorization for operations inside the cluster
Run the kubectl command
$ kubectl version
If the client version does not match the cluster version, you get an error (if the versions are fine, the cause may also be the machine's environment; test from a different machine)
error: exec plugin: invalid apiVersion "client.authentication.k8s.io/v1alpha1"
With matching versions, running a command fails as follows:
$ kubectl get pods
E1213 06:53:38.816495 3836 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E1213 06:53:43.183670 3836 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E1213 06:53:47.280917 3836 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E1213 06:53:51.386354 3836 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
E1213 06:53:55.207002 3836 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
error: You must be logged in to the server (the server has asked for the client to provide credentials)
Running the command with more verbose output gives more detail:
E1213 06:57:34.495458 3960 memcache.go:265] couldn't get current server API group list: the server has asked for the client to provide credentials
I1213 06:57:34.495470 3960 cached_discovery.go:120] skipped caching discovery info due to the server has asked for the client to provide credentials
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
I1213 06:57:34.495648 3960 helpers.go:246] server response object: [{
  "metadata": {},
  "status": "Failure",
  "message": "the server has asked for the client to provide credentials",
  "reason": "Unauthorized",
  "details": {
    "causes": [
      {
        "reason": "UnexpectedServerResponse",
        "message": "unknown"
      }
    ]
  },
  "code": 401
}]
error: You must be logged in to the server (the server has asked for the client to provide credentials)
Map the IAM user/role details into aws-auth
Contact the cluster administrator to edit the aws-auth ConfigMap
$ kubectl edit configmap aws-auth -n kube-system
Add your user to the configuration (replace the values in the example below with your own)
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::81420**88517:role/eksctl-custom-cluster-nodegroup-ng-NodeInstanceRole-ieXb6Zk7Og64
      username: system:node:{{EC2PrivateDNSName}}
    - rolearn: arn:aws:iam::81420**88517:role/test-role
      username: test-role
      groups:
      - system:masters
  mapUsers: |
    - userarn: arn:aws:iam::74433**59173:user/username@myemail.com
      username: username@myemail.com
      groups:
      - system:masters
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
The system:masters group is the administrator group and carries elevated privileges; in production, grant more limited permissions instead.
After the administrator has added the mapping, verify it with the following command:
$ eksctl get iamidentitymapping --cluster custom-cluster-name --region us-east-1
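The two failure modes above, a caller that is not mapped at all, and a role that the error message reports as an STS assumed-role session ARN rather than the IAM role ARN that aws-auth matches on, can be checked offline against the ConfigMap. The following Python is an added example, not code from the original post: it embeds a constructed copy of the mapRoles/mapUsers values shown above and resolves a caller ARN from aws sts get-caller-identity to the Kubernetes username and groups the cluster would assign.

```python
import re
# Constructed sample: data.mapRoles / data.mapUsers of the aws-auth ConfigMap above.
MAP_ROLES = """\
- groups:
  - system:bootstrappers
  - system:nodes
  rolearn: arn:aws:iam::81420**88517:role/eksctl-custom-cluster-nodegroup-ng-NodeInstanceRole-ieXb6Zk7Og64
  username: system:node:{{EC2PrivateDNSName}}
- rolearn: arn:aws:iam::81420**88517:role/test-role
  username: test-role
  groups:
  - system:masters
"""
MAP_USERS = """\
- userarn: arn:aws:iam::74433**59173:user/username@myemail.com
  username: username@myemail.com
  groups:
  - system:masters
"""
KEY_RE = re.compile(r"^(\w+):(?:\s+(.*))?$")  # "key: value" or "key:" (list start)
STS_RE = re.compile(r"^arn:aws:sts::([^:]*):assumed-role/([^/]+)/")

def parse_mappings(block):
    # Minimal parser for the flat list-of-maps shape aws-auth uses (no PyYAML needed).
    entries, cur, list_key = [], None, None
    for line in (raw.strip() for raw in block.splitlines() if raw.strip()):
        new_entry = line.startswith("- ")
        line = line[2:].strip() if new_entry else line
        m = KEY_RE.match(line)
        if m is None:                 # bare "- item": a member of the open list
            cur[list_key].append(line)
            continue
        if new_entry:                 # a dash before a key starts a new mapping
            entries.append(cur := {})
        key, value = m.groups()
        cur[key], list_key = (value, list_key) if value is not None else ([], key)
    return entries

def canonical_arn(arn):
    # STS reports an assumed role as arn:aws:sts::ACCT:assumed-role/ROLE/SESSION,
    # but aws-auth matches the IAM role ARN, so fold the session ARN back to it.
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if (m := STS_RE.match(arn)) else arn

def lookup(caller_arn, map_roles=MAP_ROLES, map_users=MAP_USERS):
    # (username, groups) the API server assigns, or None when unmapped (the 401 above).
    arn = canonical_arn(caller_arn)
    for e in parse_mappings(map_roles) + parse_mappings(map_users):
        if arn in (e.get("rolearn"), e.get("userarn")):
            return e.get("username"), e.get("groups", [])
    return None
```

A None result for the dev_ec2_role session ARN from the DescribeCluster error above reproduces the unmapped case; anything that resolves to system:masters is worth a second look before it reaches production.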
Verify cluster access
$ kubectl version
Client Version: v1.28.4
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.28.4-eks-8cb36c9
$ kubectl run test-pod --image=nginx --restart=Never
pod/test-pod created
$ kubectl get pods
NAME       READY   STATUS    RESTARTS   AGE
test-pod   1/1     Running   0          15s