I’ve tried signing in as the root user, and also as a new user with the AdministratorAccess
policy. I’m not able to view any Kubernetes objects with either of these users:
The error says:
Your current user or role does not have access to Kubernetes objects on this EKS cluster
This may be due to the current user or role not having Kubernetes RBAC permissions to describe cluster resources or not having an entry in the cluster’s auth config map.
Link: Troubleshooting IAM - Amazon EKS
My IAM user needs this:
- Has a mapping to a Kubernetes user or group in the aws-auth configmap. For more information about adding IAM users or roles to the aws-auth configmap, see Managing users or IAM roles for your cluster. If the user or role isn’t mapped, the console error may include Unauthorized: Verify you have access to the Kubernetes cluster
I found this file in convox/rack, which seems to set up aws-auth for k8s: rack/cluster.yml.tmpl at 51bd19bdbe5905c146a0686e4f6c33dbf022a696 · convox/rack · GitHub
```yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: {{.NodesRole}}
      username: system:node:{{"{{"}}EC2PrivateDNSName{{"}}"}}
      groups:
        - system:bootstrappers
        - system:nodes
{{ with .AdminUser }}
  mapUsers: |
    - userarn: {{.}}
      username: admin
      groups:
        - system:masters
{{ end }}
```
Another docs page: Managing users or IAM roles for your cluster - Amazon EKS
I’m a bit stuck now, and I also don’t know how to set up kubectl to access the k8s cluster. How can I fix my authentication so that I have permission to view EKS?
I found the Direct Kubernetes Access page in the docs: Convox Docs
The Configure kubectl to Point at Your Rack section was really helpful, so thanks for this!
These instructions worked, and now I can view namespaces and pods, etc.:
```console
$ kubectl get namespace
NAME               STATUS   AGE
cert-manager       Active   3h5m
default            Active   3h11m
ds-test3-myapp     Active   3h
ds-test3-system    Active   3h5m
kube-node-lease    Active   3h11m
kube-public        Active   3h11m
kube-system        Active   3h11m
$ kubectl get pods --namespace=ds-test3-myapp
NAME                                 READY   STATUS    RESTARTS   AGE
resource-database-7b9cb5ddb5-vznrb   1/1     Running   0          25m
resource-redis-5fc7577b9d-h52tv      1/1     Running   0          25m
web-97898fd59-72n7c                  1/1     Running   0          36m
web-97898fd59-dvcxm                  1/1     Running   0          36m
web-97898fd59-j2dlp                  1/1     Running   0          14m
web-97898fd59-vv77m                  1/1     Running   0          15m
worker-84c997fb55-2mmxs              1/1     Running   0          14m
worker-84c997fb55-wczpb              1/1     Running   0          25m
worker-84c997fb55-zfx85              1/1     Running   0          36m
```
Woohoo, I figured it out!
After I got kubectl working, I could follow the “To add an IAM user or role to an Amazon EKS cluster” instructions on this page: Managing users or IAM roles for your cluster - Amazon EKS
Tip: Run `export KUBE_EDITOR=vim` to edit the config in vim.
```console
$ export KUBE_EDITOR=vim
$ kubectl edit -n kube-system configmap/aws-auth
```
This opened vim with the k8s auth config. I added the mapUsers section to add an “admin” user to the system:masters group:
```yaml
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::1234123412341234:role/ds-test3-nodes
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - userarn: arn:aws:iam::1234123412341234:user/nathan
      username: admin
      groups:
        - system:masters
kind: ConfigMap
metadata:
  creationTimestamp: "2021-09-16T22:30:37Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "859"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: *****
```
After I saved the file and quit vim, I was able to view the k8s resources for the EKS cluster:
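Editing aws-auth by hand in vim works, but a typo in that ConfigMap can lock everyone out of the cluster, and nothing stops you from mapping the same ARN twice or quietly adding another system:masters member. The script below is an added example, not code from this thread or from Convox: it parses the `mapUsers` text (the value of `data.mapUsers`, which you can fetch with `kubectl get configmap aws-auth -n kube-system -o jsonpath='{.data.mapUsers}'`), appends a new IAM user while rejecting malformed ARNs and duplicate ARNs or usernames, reports which usernames sit in system:masters (that group is bound to the cluster-admin ClusterRole, so its members bypass all other RBAC), and builds the body for `kubectl patch configmap aws-auth -n kube-system --type merge -p`. The sample ARNs, the 123456789012 account id and the `example-readers` group are constructed placeholders; a custom group like `example-readers` only grants anything once you bind it with your own RoleBinding or ClusterRoleBinding. All function names are this example's own.

```python
import re

# Constructed sample of the text stored under data.mapUsers in aws-auth.
# The account id and user name are placeholders, not values from the thread.
SAMPLE_MAP_USERS = (
    "- userarn: arn:aws:iam::123456789012:user/example-admin\n"
    "  username: admin\n"
    "  groups:\n"
    "    - system:masters\n"
)

# IAM user ARN: 12-digit account id, then user/<name> (IAM paths allowed).
USER_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:user/[\w+=,.@/-]+$")
# "key: value" or "key:" line, optionally opening a list item with "- ".
# A bare list item such as "- system:masters" does not match, because its
# colon is not followed by whitespace, so it is treated as a group name.
KEY_RE = re.compile(r"^(-\s+)?(\w+):(?:\s+(.*))?$")
CLUSTER_ADMIN_GROUP = "system:masters"


def parse_map_users(text):
    """Parse the restricted YAML list used by aws-auth's mapUsers block."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kv = KEY_RE.match(line)
        if kv:
            starts_item, key, value = kv.group(1), kv.group(2), kv.group(3)
            if starts_item:                 # "- userarn: ..." opens a new entry
                current = {"groups": []}
                entries.append(current)
            if current is None:
                raise ValueError("mapping key outside a list item: %r" % raw)
            if key != "groups":             # group names follow on their own lines
                current[key] = (value or "").strip()
        elif line.startswith("- ") and current is not None:
            current["groups"].append(line[2:].strip())
        else:
            raise ValueError("unrecognised mapUsers line: %r" % raw)
    for entry in entries:
        if "userarn" not in entry or "username" not in entry:
            raise ValueError("entry missing userarn or username: %r" % entry)
    return entries


def render_map_users(entries):
    """Emit the list in the same layout the ConfigMap in the thread uses."""
    lines = []
    for entry in entries:
        lines.append("- userarn: %s" % entry["userarn"])
        lines.append("  username: %s" % entry["username"])
        lines.append("  groups:")
        lines.extend("    - %s" % group for group in entry["groups"])
    return "\n".join(lines) + "\n"


def add_map_user(text, userarn, username, groups):
    """Return new mapUsers text with one more IAM user mapped, or raise."""
    if not USER_ARN_RE.match(userarn):
        raise ValueError("not an IAM user ARN: %r" % userarn)
    if not username or not groups:
        raise ValueError("username and at least one group are required")
    entries = parse_map_users(text)
    for entry in entries:
        if entry["userarn"] == userarn:
            raise ValueError("%s is already mapped" % userarn)
        if entry["username"] == username:
            raise ValueError("Kubernetes username %r already in use" % username)
    entries.append({"userarn": userarn, "username": username,
                    "groups": list(groups)})
    return render_map_users(entries)


def cluster_admins(text):
    """Usernames mapped into system:masters, i.e. with unrestricted access."""
    return [entry["username"] for entry in parse_map_users(text)
            if CLUSTER_ADMIN_GROUP in entry["groups"]]


def merge_patch(map_users_text):
    """Body for: kubectl patch configmap aws-auth -n kube-system --type merge -p '<json>'"""
    return {"data": {"mapUsers": map_users_text}}


if __name__ == "__main__":
    import json
    updated = add_map_user(SAMPLE_MAP_USERS,
                           "arn:aws:iam::123456789012:user/example-reader",
                           "reader", ["example-readers"])   # placeholder group
    print(updated)
    print("cluster admins:", cluster_admins(updated))
    print(json.dumps(merge_patch(updated)))
```

Apply the result with `kubectl patch` rather than pasting it into an editor, and review the `cluster_admins` output each time: the thread's fix puts the IAM user straight into system:masters, which is fine for a first login but is the entry you want to know about later when auditing who holds cluster-admin on the EKS control plane.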