So, in case someone runs into the same problem.
The solution is, when creating the RBAC role, to comment out the last part of rbac-role.yaml (as provided here), the part that creates the service account.
Since we have already created a service account with eksctl and attached the AWS policy to it, we can also attach the RBAC permissions to that service account. This service account can then be used normally in the ingress controller pod to work its magic.
According to the documentation, permission to CRUD ALBs is required. If you want to try giving only the ALB driver pod a role with those permissions, you can create ALBs that way, but I have not tested it, and I'm not sure it matters much whether your whole scheduler has been given access to create these objects on AWS via the ALB driver/pod.
I did not use the EKS 3.0 cluster creation tool; because of my organization's additional security requirements, I have my own CFT for creating workers.
I created the managed policy below, attached it to the workers that need to create ALBs, and it works fine.
ALBPolicy:
  Type: "AWS::IAM::ManagedPolicy"
  Properties:
    Description: Allows workers to CRUD alb's
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        -
          Effect: "Allow"
          Action:
            - "acm:DescribeCertificate"
            - "acm:ListCertificates"
            - "acm:GetCertificate"
          Resource: "*"
        -
          Effect: "Allow"
          Action:
            - "ec2:AuthorizeSecurityGroupIngress"
            - "ec2:CreateSecurityGroup"
            - "ec2:CreateTags"
            - "ec2:DeleteTags"
            - "ec2:DeleteSecurityGroup"
            - "ec2:DescribeAccountAttributes"
            - "ec2:DescribeAddresses"
            - "ec2:DescribeInstances"
            - "ec2:DescribeInstanceStatus"
            - "ec2:DescribeInternetGateways"
            - "ec2:DescribeNetworkInterfaces"
            - "ec2:DescribeSecurityGroups"
            - "ec2:DescribeSubnets"
            - "ec2:DescribeTags"
            - "ec2:DescribeVpcs"
            - "ec2:ModifyInstanceAttribute"
            - "ec2:ModifyNetworkInterfaceAttribute"
            - "ec2:RevokeSecurityGroupIngress"
          Resource: "*"
        -
          Effect: "Allow"
          Action:
            - "elasticloadbalancing:AddListenerCertificates"
            - "elasticloadbalancing:AddTags"
            - "elasticloadbalancing:CreateListener"
            - "elasticloadbalancing:CreateLoadBalancer"
            - "elasticloadbalancing:CreateRule"
            - "elasticloadbalancing:CreateTargetGroup"
            - "elasticloadbalancing:DeleteListener"
            - "elasticloadbalancing:DeleteLoadBalancer"
            - "elasticloadbalancing:DeleteRule"
            - "elasticloadbalancing:DeleteTargetGroup"
            - "elasticloadbalancing:DeregisterTargets"
            - "elasticloadbalancing:DescribeListenerCertificates"
            - "elasticloadbalancing:DescribeListeners"
            - "elasticloadbalancing:DescribeLoadBalancers"
            - "elasticloadbalancing:DescribeLoadBalancerAttributes"
            - "elasticloadbalancing:DescribeRules"
            - "elasticloadbalancing:DescribeSSLPolicies"
            - "elasticloadbalancing:DescribeTags"
            - "elasticloadbalancing:DescribeTargetGroups"
            - "elasticloadbalancing:DescribeTargetGroupAttributes"
            - "elasticloadbalancing:DescribeTargetHealth"
            - "elasticloadbalancing:ModifyListener"
            - "elasticloadbalancing:ModifyLoadBalancerAttributes"
            - "elasticloadbalancing:ModifyRule"
            - "elasticloadbalancing:ModifyTargetGroup"
            - "elasticloadbalancing:ModifyTargetGroupAttributes"
            - "elasticloadbalancing:RegisterTargets"
            - "elasticloadbalancing:RemoveListenerCertificates"
            - "elasticloadbalancing:RemoveTags"
            - "elasticloadbalancing:SetIpAddressType"
            - "elasticloadbalancing:SetSecurityGroups"
            - "elasticloadbalancing:SetSubnets"
            - "elasticloadbalancing:SetWebACL"
          Resource: "*"
        -
          Effect: "Allow"
          Action:
            - "iam:CreateServiceLinkedRole"
            - "iam:GetServerCertificate"
            - "iam:ListServerCertificates"
          Resource: "*"
        -
          Effect: "Allow"
          Action:
            - "cognito-idp:DescribeUserPoolClient"
          Resource: "*"
        -
          Effect: "Allow"
          Action:
            - "waf-regional:GetWebACLForResource"
            - "waf-regional:GetWebACL"
            - "waf-regional:AssociateWebACL"
            - "waf-regional:DisassociateWebACL"
          Resource: "*"
        -
          Effect: "Allow"
          Action:
            - "tag:GetResources"
            - "tag:TagResources"
          Resource: "*"
        -
          Effect: "Allow"
          Action:
            - "waf:GetWebACL"
          Resource: "*"
When using v1.1.8 of this controller, I ran into a similar (not identical) error:
kubebuilder/controller "msg"="Reconciler error" "error"="failed get WAFv2 webACL for load balancer arn:aws:elasticloadbalancing:...: AccessDeniedException: User: arn:aws:sts:::assumed-role/eks-node-group-role/ is not authorized to perform: wafv2:GetWebACLForResource on resource: arn:aws:wafv2:us-east-2::regional/webacl/*\n\tstatus code: 400, request id: ..." "controller"="alb-ingress-controller" "request"={"Namespace":"default","Name":"aws-alb-ingress"}
I'm adding this because I think it may help people searching for the same error message.
The error above occurs because v1.1.7 of this controller needs new IAM permissions in the node group role's *PolicyALBIngress policy.
(!) Note that the new IAM permissions are required even if the wafv2 annotation is not used.
Solution 1
Add an Allow statement for the wafv2 actions to the policy:
{
  "Effect": "Allow",
  "Action": [
    "wafv2:GetWebACL",
    "wafv2:GetWebACLForResource",
    "wafv2:AssociateWebACL",
    "wafv2:DisassociateWebACL"
  ],
  "Resource": "*"
}
Solution 2
WAFv2 support can be disabled via the controller flag mentioned here.
A) If you installed it via kubectl, add - --feature-gates=waf=false to the spec -> containers -> args section.
B) If you installed it via Helm, add --set extraArgs."feature-gates"='waf=false' to the helm upgrade command.
Note that this requirement has already been updated in the eksctl tool (also reviewed here).
Other reference.
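As an added example (not code from this thread or from the controller project), here is a small Python checker that audits an IAM policy document for the four wafv2 actions named in Solution 1, handling IAM's string-or-list elements, wildcard actions and explicit Deny statements. The sample policy is constructed from the waf/waf-regional statements in the thread and deliberately lacks the wafv2 statement.

```python
import fnmatch
import json

# The four wafv2 actions the thread says aws-alb-ingress-controller v1.1.7+ needs.
REQUIRED_WAFV2_ACTIONS = [
    "wafv2:GetWebACL",
    "wafv2:GetWebACLForResource",
    "wafv2:AssociateWebACL",
    "wafv2:DisassociateWebACL",
]


def _as_list(value):
    """IAM lets Statement and Action be a single item or a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def missing_actions(policy_doc, required=REQUIRED_WAFV2_ACTIONS):
    """Return the required actions the policy does not allow, or explicitly denies."""
    # Case-insensitive match with IAM's * and ? wildcards. NotAction and Condition
    # elements are ignored, so the result is a conservative hint, not a full evaluation.
    allowed, denied = set(), set()
    for stmt in _as_list(policy_doc.get("Statement")):
        patterns = [p.lower() for p in _as_list(stmt.get("Action"))]
        hits = {a for a in required if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)}
        if stmt.get("Effect") == "Allow":
            allowed |= hits
        elif stmt.get("Effect") == "Deny":
            denied |= hits
    return [a for a in required if a not in allowed or a in denied]


# Constructed sample: a pre-v1.1.7 policy that, like the thread's, only covers waf/waf-regional.
OLD_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["waf-regional:GetWebACLForResource",
      "waf-regional:GetWebACL", "waf-regional:AssociateWebACL", "waf-regional:DisassociateWebACL"]},
    {"Effect": "Allow", "Resource": "*", "Action": "waf:GetWebACL"}
  ]
}""")

# Solution 1 from the thread: the statement that closes the gap.
WAFV2_STATEMENT = {"Effect": "Allow", "Action": REQUIRED_WAFV2_ACTIONS, "Resource": "*"}


def with_wafv2(policy_doc):
    """Return a deep copy of the policy with the Solution 1 statement appended."""
    fixed = json.loads(json.dumps(policy_doc))
    fixed["Statement"] = _as_list(fixed.get("Statement")) + [WAFV2_STATEMENT]
    return fixed


if __name__ == "__main__":  # demo: missing actions before and after applying Solution 1
    print(missing_actions(OLD_POLICY), missing_actions(with_wafv2(OLD_POLICY)))
```

Run it against the policy document actually attached to the node group role (for example the JSON returned by `aws iam get-policy-version`) to confirm the wafv2 gap before upgrading the controller.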
Link to this article: https://www.f2er.com/2970718.html