EKS aws-auth Config Map

0

Hi,

I have this configuration for my aws-auth config map:

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::999999999999:role/ec2-managed-node
      username: system:node:{{EC2PrivateDNSName}}

    - groups:
      - sso:team-leader
      rolearn: arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c
      username: adrian
    - groups:
      - sso:team-leader
      rolearn: arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c
      username: bruce
    - groups:
      - sso:team-leader
      rolearn: arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c
      username: nicko

I'd like to know whether I'm doing something wrong, because whenever I try to access a forbidden resource, even if I'm logged in as "adrian" or "bruce", I receive a message saying:

Error from server (Forbidden): pods is forbidden: User "nicko" cannot list resource "pods" in API group "" in the namespace "default"

Role:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: alt:team-leader
  namespace: iron
rules:
- apiGroups: ["*"]
  resources: [
    "pods", 
    "pods/log",
    "deployments", 
    "services",
    "replicasets",
    "daemonsets",
    "statefulsets",
    "configmaps", 
    "secrets", 
    "jobs", 
    "cronjobs",
    "ingresses",
    "networkpolicies",
    "serviceaccounts",
    "persistentvolumes",
    "persistentvolumeclaims",
    "namespaces"
  ]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alt:team-leader
  namespace: iron
subjects:
- kind: Group
  name: alt:team-leader
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: alt:team-leader
  apiGroup: rbac.authorization.k8s.io
asked 8 months ago, 243 views
2 answers
1
Accepted answer

Fixed that using the variable {{SessionName}}:

- rolearn: arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c
  username: team-leader:{{SessionName}}
  groups:
  - sso:team-leader
answered 8 months ago
EXPERT
reviewed 7 months ago
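The question's mapRoles block and the accepted answer's {{SessionName}} fix together show the security point: aws-auth maps an IAM role ARN to exactly one Kubernetes username, so when several people share one SSO permission-set role and the ARN is listed several times with fixed names, every one of them ends up acting (and being audit-logged) as a single name. The following Python is an added example, not code from the question or the answers: it parses the flat mapRoles list with a small purpose-built parser (so it needs no PyYAML), reports duplicate ARNs, static usernames on AWSReservedSSO_ roles, and mapped groups that no RoleBinding subject names, and renders the per-session username the fix produces. The two sample documents and the BINDING_GROUPS set are constructed from the page; the last-mapping-wins rule in effective_username models what the question's error message showed ("nicko"), not the authenticator's source, and render_username does plain substitution rather than the authenticator's full sanitization.

```python
"""Audit an EKS aws-auth mapRoles block for identity-attribution problems.

Added example, not code from the question or the answers. The mapRoles
YAML is read by a small parser for this flat list-of-mappings shape, so
no PyYAML dependency is needed. Sample inputs are constructed from the page.
"""
from collections import defaultdict

# Constructed from the question: one SSO role ARN mapped three times.
ORIGINAL_MAP_ROLES = """\
- groups:
  - system:bootstrappers
  - system:nodes
  rolearn: arn:aws:iam::999999999999:role/ec2-managed-node
  username: system:node:{{EC2PrivateDNSName}}

- groups:
  - sso:team-leader
  rolearn: arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c
  username: adrian
- groups:
  - sso:team-leader
  rolearn: arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c
  username: bruce
- groups:
  - sso:team-leader
  rolearn: arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c
  username: nicko
"""

# Constructed from the accepted answer: one mapping, per-session username.
FIXED_MAP_ROLES = """\
- rolearn: arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c
  username: team-leader:{{SessionName}}
  groups:
  - sso:team-leader
"""

# Groups named as subjects in the question's RoleBinding (constructed lookup;
# in practice collect them from `kubectl get rolebindings,clusterrolebindings`).
BINDING_GROUPS = {"alt:team-leader"}


def parse_map_roles(text):
    """Parse the flat mapRoles list: each '- ' at the top indent opens a new
    mapping; a key with a value holds a string, a key without one holds the
    list items that follow it."""
    entries, entry_indent, current, list_key = [], None, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        s = raw.strip()
        if entry_indent is None:
            entry_indent = indent
        if s.startswith("- ") and indent == entry_indent:
            current = {}
            entries.append(current)
            s = s[2:].strip()
        elif s.startswith("- "):
            current[list_key].append(s[2:].strip())  # nested list item
            continue
        key, _, value = s.partition(":")  # split on the first colon only; ARNs contain more
        key, value = key.strip(), value.strip()
        if value:
            current[key] = value
        else:
            current[key] = []
            list_key = key
    return entries


def audit_map_roles(entries, binding_groups=BINDING_GROUPS):
    """Return (code, detail) findings for attribution and binding problems."""
    findings = []
    by_arn = defaultdict(list)
    for e in entries:
        by_arn[e.get("rolearn", "").lower()].append(e)
    for arn, mappings in by_arn.items():
        names = [m.get("username", "") for m in mappings]
        if len(mappings) > 1:
            # Only one mapping applies per ARN, so everyone assuming this role
            # is identified by a single one of these names in audit logs.
            findings.append(("DUPLICATE_ARN", f"{arn} mapped {len(mappings)} times as {names}"))
        for name in names:
            if "awsreservedsso_" in arn and "{{SessionName}}" not in name:
                findings.append(("STATIC_SSO_USERNAME", f"{arn} -> {name!r}; use {{{{SessionName}}}}"))
    mapped_groups = {g for e in entries for g in e.get("groups", [])}
    for g in sorted(mapped_groups - set(binding_groups)):
        if not g.startswith("system:"):  # built-in groups are bound by Kubernetes itself
            findings.append(("UNBOUND_GROUP", f"group {g!r} matches no RoleBinding subject in the supplied set"))
    return findings


def effective_username(entries, rolearn):
    """Username reported for a role when its ARN is listed more than once:
    modelled as last-mapping-wins, which is what the question observed."""
    winner = None
    for e in entries:
        if e.get("rolearn", "").lower() == rolearn.lower():
            winner = e.get("username")
    return winner


def render_username(template, session_name):
    """Username a given SSO session gets under a {{SessionName}} template
    (plain substitution; the authenticator also sanitizes some characters)."""
    return template.replace("{{SessionName}}", session_name)


if __name__ == "__main__":
    original = parse_map_roles(ORIGINAL_MAP_ROLES)
    for code, detail in audit_map_roles(original):
        print(f"{code}: {detail}")
    fixed = parse_map_roles(FIXED_MAP_ROLES)
    print("after fix:", audit_map_roles(fixed, binding_groups={"sso:team-leader"}))
    print("adrian's session is now:", render_username(fixed[0]["username"], "adrian"))
```

On the original block the audit reports one DUPLICATE_ARN, three STATIC_SSO_USERNAME findings and, because the question's RoleBinding names the group alt:team-leader while aws-auth maps sso:team-leader, one UNBOUND_GROUP. On the fixed block only the group mismatch remains; pass the set of groups your bindings actually use as binding_groups to make that check reflect the cluster.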
0

Hi,

Your Role and RoleBinding are for namespace "iron", and you are trying to list pods in "default".

EXPERT
answered 8 months ago
  • Yes, but the problem is about the message: it refers to a different user than the one I am using.
