【Posted】: 2021-09-01 13:39:35
【Question】:
A user is accessing AWS through SAML federation. I need to give him K9s access. The IAM role has a trusted entity, and a k8s read policy with accessKubernetesApi.
IAM role ARN:
arn:aws:iam::123456789:role/CT/PUsers
Policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "eks:ListFargateProfiles",
                "eks:ListNodegroups",
                "eks:ListTagsForResource",
                "eks:DescribeIdentityProviderConfig",
                "eks:ListUpdates",
                "eks:DescribeUpdate",
                "eks:AccessKubernetesApi",
                "eks:ListAddons",
                "eks:DescribeCluster",
                "eks:ListIdentityProviderConfigs"
            ],
            "Resource": [
                "arn:aws:eks:us-east-1:123456789:cluster/cluster-name",
                "arn:aws:eks:*:123456789:identityproviderconfig/*/*/*/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "eks:ListClusters",
                "eks:DescribeAddonVersions"
            ],
            "Resource": "*"
        }
    ]
}
Error from kubectl version:
Client Version: version.Info{Major:"1", Minor:"21", GitVersion:"v1.21.1", GitCommit:"5e58841cce77d4bc13713ad2b91fa0d961e69192", GitTreeState:"archive", BuildDate:"1980-01-01T00:00:00Z", GoVersion:"go1.16.4", Compiler:"gc", Platform:"darwin/amd64"}
error: You must be logged in to the server (the server has asked for the client to provide credentials)
His kubeconfig:
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: xxxxxxx
    server: https://xxxxxx.gr7.us-east-1.eks.amazonaws.com
  name: arn:aws:eks:us-east-1:123456789:cluster/amp-eks18
contexts:
- context:
    cluster: arn:aws:eks:us-east-1:123456789:cluster/cluster-name
    user: arn:aws:eks:us-east-1:123456789:cluster/cluster-name
  name: stage18
current-context: stage18
kind: Config
preferences: {}
users:
- name: arn:aws:eks:us-east-1:123456789:cluster/amp-eks18
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - --region
      - us-east-1
      - eks
      - get-token
      - --cluster-name
      - cluster-name
      command: aws
      env: null
aws sts get-caller-identity
{
    "UserId": "xxxxxxxxxxxxxx:name@xxx.com",
    "Account": "123456789",
    "Arn": "arn:aws:sts::123456789:assumed-role/PUsers/name@xxx.com"
}
RBAC
Data
====
mapRoles:
----
- groups:
  - xx:developers
  rolearn: arn:aws:sts::123456789:assumed-role/PUsers/name@xxx.com
  username: name@xxx.com
The IAM credentials are generated with https://github.com/Nike-Inc/gimme-aws-creds
[DEFAULT]
okta_org_url = https://xxxx.okta.com
okta_auth_server =
client_id =
gimme_creds_server = appurl
aws_appname =
aws_rolename =
write_aws_creds = True
cred_profile = ihm
okta_username = xxxx@xxx.com
app_url = https://xxxx.okta.com/home/amazon_aws/xxxxx/272
resolve_aws_alias = True
include_path = True
preferred_mfa_type = push
remember_device = True
aws_default_duration = 28800
device_token =
output_format = export
Can anyone point out what I am missing?
【Discussion】:
Tags: amazon-web-services amazon-iam amazon-eks
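The check a practitioner would run on this setup, as an added example that is not part of the original question or of any AWS tool: aws-iam-authenticator resolves the caller with sts:GetCallerIdentity and then looks the caller's IAM role up in the aws-auth ConfigMap, where mapRoles.rolearn must be the IAM role ARN in the form arn:aws:iam::ACCOUNT:role/NAME. Two details of the post matter here: the mapRoles entry holds the STS assumed-role ARN rather than the role ARN, and the role itself carries an IAM path (role/CT/PUsers), which aws-auth does not accept in rolearn. The `eks:AccessKubernetesApi` permission in the policy governs the EKS console's Kubernetes resource view, not kubectl; kubectl authorization is decided by aws-auth and RBAC. The script below derives the rolearn both from the STS identity and from the path-bearing role ARN, confirms they agree, and prints the mapRoles entry. The ARNs and the group name are constructed from the redacted values in the question; the `{{SessionName}}` username template is my choice (it is the authenticator's placeholder for the STS session name), not something the poster used.

```shell
#!/bin/sh
# Added example (not from the original question): derive the "rolearn" that
# the aws-auth ConfigMap expects from a SAML-federated session.
#
# aws-iam-authenticator identifies the caller with sts:GetCallerIdentity and
# matches the IAM role ARN (arn:aws:iam::ACCOUNT:role/NAME) in mapRoles.
# Two things therefore break a mapping:
#   1. using the STS ARN (arn:aws:sts::...:assumed-role/NAME/SESSION), and
#   2. keeping an IAM path in the role ARN (role/CT/PUsers); aws-auth needs
#      the path removed, i.e. role/PUsers.

# arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION -> arn:aws:iam::ACCOUNT:role/ROLE
sts_to_role_arn() {
    printf '%s\n' "$1" |
        sed -E 's#^arn:aws:sts::([0-9]+):assumed-role/([^/]+)/.*$#arn:aws:iam::\1:role/\2#'
}

# arn:aws:iam::ACCOUNT:role/PATH/.../NAME -> arn:aws:iam::ACCOUNT:role/NAME
strip_role_path() {
    printf '%s\n' "$1" |
        sed -E 's#^(arn:aws:iam::[0-9]+:role)/(.*/)?([^/]+)$#\1/\3#'
}

# Render the mapRoles entry for aws-auth. "{{SessionName}}" is the
# authenticator's placeholder for the STS session name, so every person
# who assumes the role gets a distinct Kubernetes username.
map_roles_entry() {
    printf '%s\n  - %s\n  rolearn: %s\n  username: %s\n' '- groups:' "$2" "$1" "$3"
}

# Values constructed from the redacted ARNs in the question.
# Live use: CALLER_ARN=$(aws sts get-caller-identity --query Arn --output text)
CALLER_ARN='arn:aws:sts::123456789:assumed-role/PUsers/name@xxx.com'
IAM_ROLE_ARN='arn:aws:iam::123456789:role/CT/PUsers'

main() {
    from_sts=$(sts_to_role_arn "$CALLER_ARN")
    from_iam=$(strip_role_path "$IAM_ROLE_ARN")
    echo "rolearn derived from STS identity: $from_sts"
    echo "rolearn derived from IAM role ARN: $from_iam"
    if [ "$from_sts" = "$from_iam" ]; then
        echo "both agree; mapRoles entry for: kubectl -n kube-system edit configmap aws-auth"
    else
        echo "mismatch: the session was not created from the expected role"
    fi
    map_roles_entry "$from_sts" 'xx:developers' '{{SessionName}}'
}

main "$@"
```

One more thing worth checking from the same shell: the kubeconfig's exec block passes no `--profile` and has `env: null`, while gimme-aws-creds writes the credentials to `cred_profile = ihm`. Unless AWS_PROFILE=ihm is exported where kubectl runs, `aws eks get-token` signs the token with whatever default credentials it finds, which may not be the identity that `aws sts get-caller-identity` showed. Running both commands from the same shell with the same AWS_PROFILE, or adding an `env` entry for AWS_PROFILE to the exec block, rules that out.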