如何使用@kubernetes/client-node通过loadFromOptions连接到EKS(正确验证)？

cidc1ykv 于 2023-04-29 发布在 Kubernetes

关注(0)|答案(1)|浏览(112)

我尝试使用@kubernetes/client-node来访问在AWS EKS上运行的kubernetes API。我已经设置了一个新的IAM用户，允许访问Kubernetes API（eks:AccessKubernetesApi）。
这是我的代码摘录，我对如何提供用户凭据感到困惑（因为在kube配置中，它们将由exec提供，我不确定它会解析为什么）。

const kubeConfigData = await getEksKubeConfigData(); // this gives me all clusters with relevant EKS data included

const clusters = kubeConfigData.map((cluster) => ({
  name: cluster.arn as string,
  server: cluster.endpoint as string,
  caData: cluster.certificateAuthority as string,
  skipTLSVerify: false,
}));

const contexts = kubeConfigData.map((cluster) => ({
  name: cluster.arn as string,
  cluster: cluster.arn as string,
  user: cluster.arn as string,
}));

/** 
As far as I understand here lies the problem.
I am unsure how to correctly authenticate against the api, can I provide the token here?
The access id and secret? 
I can't read a kube config from the filesystem, so I need to provide it either via STS token or through env variables, as far as I understand?
*/
const users = kubeConfigData.map((cluster) => ({
  name: cluster.arn as string,
  password: cluster.token as string,
}));

const currentContext = contexts[0].name;

kubeConfig.loadFromOptions({
  clusters,
  contexts,
  users,
  currentContext,
});

尝试使用此配置执行listNamespace()会导致以下响应正文：

body: {
    kind: 'Status',
    apiVersion: 'v1',
    metadata: {},
    status: 'Failure',
    message: 'namespaces is forbidden: User "system:anonymous" cannot list resource "namespaces" in API group "" at the cluster scope',
    reason: 'Forbidden',
    details: { kind: 'namespaces' },
    code: 403
  }

请告诉我我做错了什么。

kubernetes

来源：https://stackoverflow.com/questions/76119763/how-to-connect-correctly-authenticated-to-eks-with-loadfromoptions-using-ku

1条答案

按热度按时间

ct3nt3jp1#

好了，我的主要问题以及我认为需要使用loadFromOptions的原因是我缺少RBAC权限，并且在我的IAM用户和RBAC之间没有连接。
这是我做的，如果有人发现这一点，想知道：
先说重要的事使用创建EKS集群的原始帐户，通过应用以下yaml创建RBAC角色。在这里，我将其命名为rbac-add-reader.yaml，同时将对所有资源的读取权限赋予新角色reader：
kubectl apply -f rbac-add-reader.yaml

---  
apiVersion: rbac.authorization.k8s.io/v1  
kind: ClusterRole  
metadata:  
name: reader  
rules:  
- apiGroups: ["*"]  
resources: ["*"]  
verbs: ["get", "list", "watch"]  
---  
apiVersion: rbac.authorization.k8s.io/v1  
kind: ClusterRoleBinding  
metadata:  
name: reader  
subjects:  
- kind: Group  
name: reader  
apiGroup: rbac.authorization.k8s.io  
roleRef:  
kind: ClusterRole  
name: reader  
apiGroup: rbac.authorization.k8s.io

创建新的IAM用户。创建IAM策略（对所有eks属性的读取权限，以及获取会话令牌的能力）：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeNodegroup",
                "eks:ListNodegroups",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "eks:AccessKubernetesApi",
                "eks:ListUpdates",
                "eks:ListFargateProfiles",
                "sts:GetSessionToken",
                "ssm:GetParameter",
                "eks:DescribeFargateProfile",
                "eks:DescribeAddonConfiguration",
                "eks:ListTagsForResource",
                "eks:ListAddons",
                "eks:DescribeAddon",
                "eks:DescribeIdentityProviderConfig",
                "eks:DescribeUpdate",
                "eks:DescribeAddonVersions",
                "eks:ListIdentityProviderConfigs"
            ],
            "Resource": "*"
        }
    ]
}

创建用户组，将策略添加到组中，然后将新创建的用户也添加到组中。
现在我们需要将IAM用户连接到RBAC角色（如果您不想使用vim prepend KUBE_EDITOR="nano"）：kubectl edit -n kube-system configmap/aws-auth
将IAM用户添加到mapUsers：

apiVersion: v1
data:
  mapAccounts: |
    []
  mapRoles: |
    []
  mapUsers: |
    - "userarn": "arn:aws:iam::XXXXXXXXXXX:user/<IAM-user-name>"
      "username": "<IAM-user-name>"
      "groups":
      - "reader"
kind: ConfigMap
.
.
.

切换到新用户。（如果没有，请使用aws configure --profile <your-new-profile-name>配置新的配置文件）
更新kubeConfig：aws eks update-kubeconfig --name <clustername> --profile <your-new-profile-name>
现在，您可以检查您的权限设置是否正确：kubectl auth can-i get pods应该返回yes，kubectl auth can-i create pods应该返回no。
现在你可以loadFromDefault()。

赞(0）回复(0）举报 2023-04-29

我来回答

如何使用@kubernetes/client-node通过loadFromOptions连接到EKS(正确验证)？

1条答案

相关问题

热门标签

最新问答