“服务是禁止的:用户\”系统:服务帐户:蜱:外部-dns\“不能列出资源\”的API组\"\“在集群范围内

Question

我一直在跟踪演练，为我的应用程序创建一个AWS侵入控制器，它也部署在EKS集群中。

似乎一切都好，类似于演练的答案，但是当涉及到外部DNS的设置时，我得到了错误：

kubectl logs -f $(kubectl get po | egrep -o 'external-dns[A-Za-z0-9-]+')

time="2020-02-20T16:21:57Z“level=error msg=”服务被禁止:用户\“系统:服务帐户:滴答:外部-dns\”不能在集群范围内“time="2020-02-20T16:22:58Z”level=error msg=“无法列出资源\”组中的资源\“level=error msg=”服务是禁止的:用户\“系统:服务帐户:勾选:外部-dns\”不能列出资源\“服务\”在API组\"\“在集群范围内”“。

每隔一分钟。我确保所有的权限都是必需的，所以不应该是因为这个原因。

我尝试了这里的解决方案，但没有任何帮助，我找不到任何其他解决方案。

这个错误实际上意味着什么？我该怎么做才能修好它？

更新，编辑我的external-dns配置，如下所示：

apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::*my*account*id*:role/EKSRole
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: external-dns
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get","watch","list"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get","watch","list"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get","watch","list"]
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: external-dns-viewer
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns
subjects:
- kind: ServiceAccount
  name: external-dns
  namespace: tick
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-dns
spec:
  selector:
    matchLabels:
      app: external-dns
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: external-dns
      annotations:
        iam.amazonaws.com/role: arn:aws:iam::*my*account*id*:role/EKSRole
    spec:
      serviceAccountName: external-dns
      containers:
      - name: external-dns
        image: registry.opensource.zalan.do/teapot/external-dns:v0.5.9
        args:
        - --source=service
        - --source=ingress
        - --domain-filter=external-dns-test.my-org.com   #external-dns-test.my-org.com # will make ExternalDNS see only the hosted zones matching provided domain, omit to process all available hosted zones
        - --provider=aws
        - --policy=upsert-only # would prevent ExternalDNS from deleting any records, omit to enable full synchronization
        - --aws-zone-type=public # only look at public hosted zones (valid values are public, private or no value for both)
        - --registry=txt
        - --txt-owner-id=my-identifier
      securityContext:
        fsGroup: 65534

Answer 1

您的错误表明，名称为external-dns的服务帐户在tick命名空间中不能执行某些操作。在本例中，它是list服务。要解决这个问题，您可以应用以下内容：

apiVersion: v1
kind: ServiceAccount
metadata:
  name: external-dns
  namespace: tick
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
  name: external-dns-role
rules:
- apiGroups: [""]
  resources: ["services"]
  verbs: ["get","watch","list"]
- apiGroups: [""]
  resources: ["pods"]
  verbs: ["get","watch","list"]
- apiGroups: ["extensions"]
  resources: ["ingresses"]
  verbs: ["get","watch","list"]
- apiGroups: [""]
  resources: ["nodes"]
  verbs: ["list","watch"]
---
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: external-dns-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: external-dns-role
subjects:
- kind: ServiceAccount
  name: external-dns
  namespace: tick

注意，ClusterRole中的第一条规则是授予在"“apiGroup中列出服务的正确权限，这解决了您在问题中报告的错误。

Answer 2

我认为您正在将Amazon与服务帐户的IAM角色一起使用，因此遵循这应该可以工作。您所遵循的演练，在外部DNS部分步骤中，2 yaml文件没有

annotations:
    # Substitute your account ID and IAM service role name below.
    eks.amazonaws.com/role-arn: arn:aws:iam::ACCOUNT-ID:role/IAM-SERVICE-ROLE-NAME

此错误实际上意味着您的服务帐户(外部dns)没有访问kubernetes api服务器的权限。