Allowing an IAM User to Access an EKS Cluster on AWS
Reference articles:
https://medium.com/@th3b3ginn3r/allowing-an-iam-user-to-access-an-eks-cluster-f7b537a50d82
https://antonputra.com/kubernetes/add-iam-user-and-iam-role-to-eks/#add-iam-user-to-eks-cluster
Reference video: https://www.youtube.com/watch?v=aIpHYYcR7oU
1. Add the following permissions to the newly created IAM user, or create a new policy and attach it to the IAM user
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:DescribeNodegroup",
                "eks:ListNodegroups",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "eks:AccessKubernetesApi",
                "ssm:GetParameter",
                "eks:ListUpdates",
                "eks:ListFargateProfiles"
            ],
            "Resource": "*"
        }
    ]
}
```
Grant `ssm:GetParameter` with care: with `"Resource": "*"` it lets the user read every value in Parameter Store.
2. Create a ClusterRole and ClusterRoleBinding in the EKS cluster
– The ClusterRole defines which permissions to grant; it is then bound to subjects through a ClusterRoleBinding
– To grant permissions only within a specific namespace, configure a Role and RoleBinding instead
```yaml
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: reader-role
rules:
- apiGroups: ["*"]
  # "get"/"list" on secrets exposes their contents to everyone in the bound group
  resources: ["deployments", "configmaps", "pods", "secrets", "services"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: reader
subjects:
- kind: Group
  name: reader-group
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: reader-role
  apiGroup: rbac.authorization.k8s.io
```
3. Bind the IAM user's ARN to the ClusterRoleBinding by mapping it to the bound group
```sh
eksctl create iamidentitymapping --cluster <YourClusterName> --region <YourRegion> --arn <IAM USER ARN> --group reader-group --username <IAM USERNAME>
```
To give the newly created IAM user the highest level of permissions on the EKS cluster instead, run the following command:
```sh
eksctl create iamidentitymapping --cluster <cluster-name> --region <regionName> --arn arn:aws:iam::<account_id>:user/<username> --group system:masters --username <username>
```
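As an added check that is not part of the original post: a small Python audit that reads the cluster's identity mappings (assumed to be the JSON that `eksctl get iamidentitymapping --cluster <name> -o json` prints) together with `kubectl get clusterrolebindings -o json`, and flags mappings to `system:masters`, mappings of the account root identity, and groups that no binding references. Both inputs below are constructed samples.

```python
import json

# Constructed sample of what `eksctl get iamidentitymapping --cluster <name> -o json`
# is assumed to return once the mappings from the post above exist.
MAPPINGS_JSON = """[
  {"userarn": "arn:aws:iam::111122223333:user/reader", "username": "reader",
   "groups": ["reader-group"]},
  {"userarn": "arn:aws:iam::111122223333:user/ops", "username": "ops",
   "groups": ["system:masters"]},
  {"userarn": "arn:aws:iam::111122223333:root", "username": "root",
   "groups": ["audit-group"]}
]"""

# Constructed, trimmed `kubectl get clusterrolebindings -o json` output holding
# only the "reader" binding from the post.
BINDINGS_JSON = """{"items": [
  {"metadata": {"name": "reader"},
   "roleRef": {"kind": "ClusterRole", "name": "reader-role"},
   "subjects": [{"kind": "Group", "name": "reader-group"}]}
]}"""

def bound_groups(bindings):
    """Collect every Group subject referenced by any (Cluster)RoleBinding."""
    groups = set()
    for item in bindings.get("items", []):
        for subject in item.get("subjects") or []:
            if subject.get("kind") == "Group":
                groups.add(subject["name"])
    return groups

def audit(mappings, bindings):
    """Return (arn, reason) findings for risky or dangling identity mappings."""
    findings, known = [], bound_groups(bindings)
    for m in mappings:
        arn = m.get("userarn") or m.get("rolearn") or "<unknown>"
        groups = m.get("groups") or []
        if "system:masters" in groups:
            findings.append((arn, "mapped to system:masters (full cluster-admin)"))
        if arn.endswith(":root"):
            findings.append((arn, "AWS account root identity mapped into the cluster"))
        for g in groups:
            # A group no binding references authenticates but is authorised for
            # nothing; usually a typo between the mapping and the binding subject.
            if not g.startswith("system:") and g not in known:
                findings.append((arn, f"group {g!r} is bound by no RoleBinding"))
    return findings

def run_audit():
    return audit(json.loads(MAPPINGS_JSON), json.loads(BINDINGS_JSON))
```

Running `run_audit()` on the samples reports the `ops` user (system:masters), the root identity, and the dangling `audit-group`, while the `reader` mapping from the post passes cleanly.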