
Unable to access EKS cluster from CodeBuild

Stack Overflow user
Asked on 2021-11-10 10:51:43
1 answer · 645 views · 0 followers · 0 votes

I have already seen the post "kubectl error You must be logged in to the server (Unauthorized) when accessing EKS cluster" and followed some of the AWS guides, but still without success.

I am creating a CI/CD pipeline, but CodeBuild is evidently not authorized to access the EKS cluster. I introduced a dedicated CodeBuild role and attached the following policies:

  • AWSCodeCommitFullAccess
  • AmazonEC2ContainerRegistryFullAccess
  • AmazonS3FullAccess
  • CloudWatchLogsFullAccess
  • AWSCodeBuildAdminAccess

I also created and attached the following policy:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "eks:*",
            "Resource": "*"
        }
    ]
}
```

After that, in the terminal where I created the EKS cluster, I ran the following command: `eksctl create iamidentitymapping --cluster <my_cluster_name> --arn <arn_from_the_codebuild_role> --group system:masters --username admin`

and checked whether it was successfully added to the auth config by running `kubectl get configmaps aws-auth -n kube-system -o yaml`. It returns:

```yaml
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::********:role/*********
      username: system:node:{{EC2PrivateDNSName}}
    - groups:
      - system:masters
      rolearn: arn:aws:iam::*****:role/service-role/*******
      username: ******
  mapUsers: |
    []
kind: ConfigMap
metadata:
  creationTimestamp: "2021-11-10T07:37:06Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: *******
  uid: *********
```

But I still get the error, it is unauthorized... Below is the buildspec.yml file:

```yaml
version: 0.2
run-as: root

phases:

  install:
    commands:
      - echo Installing app dependencies...
      - chmod +x prereqs.sh
      - sh prereqs.sh
      - source ~/.bashrc
      - echo Check kubectl version
      - kubectl version --short --client

  pre_build:
    commands:
      - echo Logging in to Amazon EKS...
      - aws eks --region eu-west-2 update-kubeconfig --name <my-cluster-name>
      - echo Check config
      - kubectl config view
      - echo Check kubectl access
      - kubectl get svc

  post_build:
    commands:
      - echo Push the latest image to cluster
      - kubectl apply -n mattermost-operator -f mattermost-operator.yml
      - kubectl rollout restart -n mattermost-operator -f mattermost-operator.yml
```

Edit:

Running the command `kubectl config view` in CodeBuild returns:

```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: https://**********eu-west-2.eks.amazonaws.com
  name: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
contexts:
- context:
    cluster: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
    user: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
  name: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
current-context: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
kind: Config
preferences: {}
users:
- name: arn:aws:eks:eu-west-2:**********:cluster/<cluster_name>
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - eu-west-2
      - eks
      - get-token
      - --cluster-name
      - <cluster_name>
      - --role
      - arn:aws:iam::*********:role/service-role/<codebuild_role>
      command: aws
      env: null
```

Running the command `kubectl config view` in the terminal where I created the EKS cluster returns:

```yaml
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: ***********eu-west-2.eks.amazonaws.com
  name: arn:aws:eks:eu-west-2:*******:cluster/<cluster_name>
- cluster:
    certificate-authority-data: DATA+OMITTED
    server: *********eu-west-2.eks.amazonaws.com
  name: <cluster_name>.eu-west-2.eksctl.io
contexts:
- context:
    cluster: arn:aws:eks:eu-west-2:*******:cluster/<cluster_name>
    user: arn:aws:eks:eu-west-2:*******:cluster/<cluster_name>
  name: arn:aws:eks:eu-west-2:*******:cluster/<cluster_name>
- context:
    cluster: <cluster_name>.eu-west-2.eksctl.io
    user: ******@<cluster_name>.eu-west-2.eksctl.io
  name: ******@<cluster_name>.eu-west-2.eksctl.io
current-context: arn:aws:eks:eu-west-2:********:cluster/<cluster_name>
kind: Config
preferences: {}
users:
- name: arn:aws:eks:eu-west-2:*******:cluster/<cluster_name>
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - eu-west-2
      - eks
      - get-token
      - --cluster-name
      - <cluster_name>
      command: aws
      env: null
      interactiveMode: IfAvailable
      provideClusterInfo: false
- name: ******@******.eu-west-2.eksctl.io
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - token
      - -i
      - <cluster_name>
      command: aws-iam-authenticator
      env:
      - name: AWS_STS_REGIONAL_ENDPOINTS
        value: regional
      - name: AWS_DEFAULT_REGION
        value: eu-west-2
      interactiveMode: IfAvailable
      provideClusterInfo: false
```

Does anyone have any ideas?

1 Answer

Stack Overflow user

Accepted answer

Posted on 2021-11-10 12:43:18

Got it!

I was using the role that CodeBuild created automatically. But by creating a new role with the required policies and editing it in CodeBuild, the steps above succeed. It would be great if someone could explain this further!

0 votes
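Added example, not code from the question, the answer or AWS tooling: a small Python check for the aws-auth mapping situation shown in the question. It relies on the documented EKS rule that a mapRoles rolearn must not contain a path, because the caller is authenticated as an STS assumed-role ARN, which carries no path; an entry written as `role/service-role/<name>` therefore never matches, which is consistent with a freshly created role (no path) working. The ConfigMap text, account id and role names below are constructed placeholders.

```python
import re

# Constructed sample modelled on the aws-auth ConfigMap in the question;
# the account id and role names are placeholders, not values from the page.
SAMPLE_AWS_AUTH = """\
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::111122223333:role/eksctl-demo-NodeInstanceRole
      username: system:node:{{EC2PrivateDNSName}}
    - groups:
      - system:masters
      rolearn: arn:aws:iam::111122223333:role/service-role/codebuild-demo-role
      username: admin
kind: ConfigMap
"""

ROLE_ARN = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")
ASSUMED_ROLE_ARN = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")


def canonical_role_arn(arn):
    """Reduce an IAM role ARN (possibly with a path) or the STS assumed-role ARN
    of a session to the path-less form arn:aws:iam::<account>:role/<name>,
    which is the identity EKS actually sees for the caller."""
    m = ASSUMED_ROLE_ARN.match(arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}"
    m = ROLE_ARN.match(arn)
    if m:
        return f"arn:aws:iam::{m.group(1)}:role/{m.group(2).rsplit('/', 1)[-1]}"
    raise ValueError(f"not an IAM role or assumed-role ARN: {arn}")


def audit_aws_auth(configmap_yaml, caller_arn):
    """Return (matched, bad_entries): whether caller_arn is mapped by an entry
    EKS can match, plus every rolearn written with a path, which can never
    match because the caller identity never carries one."""
    mapped = re.findall(r"rolearn:\s*(\S+)", configmap_yaml)
    bad = [a for a in mapped if (m := ROLE_ARN.match(a)) and "/" in m.group(2)]
    # EKS compares the path-less caller ARN against the rolearn as written.
    return canonical_role_arn(caller_arn) in mapped, bad


if __name__ == "__main__":
    session = "arn:aws:sts::111122223333:assumed-role/codebuild-demo-role/AWSCodeBuild-1"
    print(audit_aws_auth(SAMPLE_AWS_AUTH, session))
```

Removing the `service-role/` path segment from the mapped rolearn (the form a newly created role has) makes the same caller match.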
Page content provided by Stack Overflow.
Original link:

https://stackoverflow.com/questions/69911966
