How do I troubleshoot Amazon EKS add-on manager permission issues when I install the EBS CSI driver?
I want to install the Amazon Elastic Block Store (Amazon EBS) Container Storage Interface (CSI) driver, but I get a permission error message from the Amazon Elastic Kubernetes Service (Amazon EKS) add-on manager.
Short description
If the Amazon EKS add-on manager permissions are misconfigured, you might receive the following error message when you try to install the Amazon EBS CSI driver:
"Namespaces "kube-system" is forbidden: User "eks:addon-manager" cannot patch resource "namespaces" in API group "" in the namespace "kube-system"."
You receive this error message when the eks:addon-cluster-admin ClusterRoleBinding is missing. Without this binding your Amazon EKS cluster keeps running, but Amazon EKS can't manage any add-ons. For more information, see Considerations.
Resolution
It's a best practice to check all the roles and bindings that are associated with role-based access control (RBAC).
The following are the cluster roles and their permissions.
In ClusterRole cluster-admin:
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]
In ClusterRole eks:addon-manager:
PolicyRule:
  Resources                                              Non-Resource URLs  Resource Names                      Verbs
  ---------                                              -----------------  --------------                      -----
  customresourcedefinitions.apiextensions.k8s.io         []                 [eniconfigs.crd.k8s.amazonaws.com]  [create delete get list patch update watch]
  clusterrolebindings.rbac.authorization.k8s.io          []                 [aws-node]                          [create delete get list patch update watch]
  clusterrolebindings.rbac.authorization.k8s.io          []                 [ebs-csi-attacher-binding]          [create delete get list patch update watch]
  clusterrolebindings.rbac.authorization.k8s.io          []                 [ebs-csi-node-binding]              [create delete get list patch update watch]
  clusterrolebindings.rbac.authorization.k8s.io          []                 [ebs-csi-node-getter-binding]       [create delete get list patch update watch]
  clusterrolebindings.rbac.authorization.k8s.io          []                 [ebs-csi-provisioner-binding]       [create delete get list patch update watch]
  clusterrolebindings.rbac.authorization.k8s.io          []                 [ebs-csi-resizer-binding]           [create delete get list patch update watch]
  clusterrolebindings.rbac.authorization.k8s.io          []                 [ebs-csi-snapshotter-binding]       [create delete get list patch update watch]
  clusterrolebindings.rbac.authorization.k8s.io          []                 [eks:kube-proxy]                    [create delete get list patch update watch]
  clusterrolebindings.rbac.authorization.k8s.io          []                 [system:coredns]                    [create delete get list patch update watch]
  clusterroles.rbac.authorization.k8s.io                 []                 [aws-node]                          [create delete get list patch update watch]
  clusterroles.rbac.authorization.k8s.io                 []                 [ebs-csi-node-role]                 [create delete get list patch update watch]
  clusterroles.rbac.authorization.k8s.io                 []                 [ebs-external-attacher-role]        [create delete get list patch update watch]
  clusterroles.rbac.authorization.k8s.io                 []                 [ebs-external-provisioner-role]     [create delete get list patch update watch]
  clusterroles.rbac.authorization.k8s.io                 []                 [ebs-external-resizer-role]         [create delete get list patch update watch]
  clusterroles.rbac.authorization.k8s.io                 []                 [ebs-external-snapshotter-role]     [create delete get list patch update watch]
  clusterroles.rbac.authorization.k8s.io                 []                 [system:coredns]                    [create delete get list patch update watch]
  csidrivers.storage.k8s.io                              []                 [ebs.csi.aws.com]                   [create delete get list patch update watch]
  persistentvolumes                                      []                 []                                  [create delete get list watch update patch]
  volumesnapshotcontents.snapshot.storage.k8s.io         []                 []                                  [create get list watch update delete patch]
  nodes                                                  []                 []                                  [get list update watch]
  volumeattachments.storage.k8s.io                       []                 []                                  [get list watch update patch]
  persistentvolumeclaims                                 []                 []                                  [get list watch update]
  namespaces                                             []                 []                                  [get list watch]
  pods                                                   []                 []                                  [get list watch]
  replicasets.apps                                       []                 []                                  [get list watch]
  eniconfigs.crd.k8s.amazonaws.com                       []                 []                                  [get list watch]
  csinodeinfos.csi.storage.k8s.io                        []                 []                                  [get list watch]
  volumesnapshotclasses.snapshot.storage.k8s.io          []                 []                                  [get list watch]
  csinodes.storage.k8s.io                                []                 []                                  [get list watch]
  storageclasses.storage.k8s.io                          []                 []                                  [get list watch]
  secrets                                                []                 []                                  [get list]
  volumesnapshots.snapshot.storage.k8s.io                []                 []                                  [get list]
  leases.coordination.k8s.io                             []                 []                                  [get watch list delete update create]
  events                                                 []                 []                                  [list watch create patch update]
  events.events.k8s.io                                   []                 []                                  [list watch create patch update]
  endpoints                                              []                 []                                  [list watch]
  services                                               []                 []                                  [list watch]
  endpointslices.discovery.k8s.io                        []                 []                                  [list watch]
  *.extensions                                           []                 []                                  [list watch]
  volumeattachments.storage.k8s.io/status                []                 []                                  [patch]
  persistentvolumeclaims/status                          []                 []                                  [update patch]
  volumesnapshotcontents.snapshot.storage.k8s.io/status  []                 []                                  [update]
Note that the eks:addon-manager ClusterRole itself grants only get, list and watch on namespaces. The patch on the kube-system namespace that the error message reports comes from the eks:addon-cluster-admin binding to cluster-admin, which is why the add-on manager fails when that binding is missing.
Complete the following steps:
- Confirm that the required ClusterRole and ClusterRoleBindings are present. Run the following command:
kubectl get clusterrole,clusterrolebinding | grep addon
Output:
clusterrole.rbac.authorization.k8s.io/eks:addon-manager
clusterrolebinding.rbac.authorization.k8s.io/eks:addon-cluster-admin
clusterrolebinding.rbac.authorization.k8s.io/eks:addon-manager
- If the eks:addon-cluster-admin ClusterRoleBinding is missing, use the following manifest (ClusterRoleBinding.yaml) to create it:
cat << EOF > ClusterRoleBinding.yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: eks:addon-cluster-admin
subjects:
- kind: User
  name: eks:addon-manager
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
EOF
kubectl apply -f ClusterRoleBinding.yaml
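The following is an added example, not code from the AWS article or from Amazon EKS. It is a minimal RBAC evaluator run over constructed objects shaped like `kubectl get -o json` output, with only a subset of the eks:addon-manager rules listed above, and it shows why the patch on the kube-system namespace is denied until the eks:addon-cluster-admin binding exists.

```python
# Constructed subset of the eks:addon-manager ClusterRole rules from the article:
# namespaces are get/list/watch only; clusterrolebindings are name-restricted.
EKS_ADDON_MANAGER_RULES = [
    {"apiGroups": [""], "resources": ["namespaces", "pods"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": ["rbac.authorization.k8s.io"], "resources": ["clusterrolebindings"],
     "resourceNames": ["ebs-csi-node-binding"],
     "verbs": ["create", "delete", "get", "list", "patch", "update", "watch"]},
]
CLUSTER_ADMIN_RULES = [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]
CLUSTER_ROLES = {"eks:addon-manager": EKS_ADDON_MANAGER_RULES,
                 "cluster-admin": CLUSTER_ADMIN_RULES}

# Constructed bindings mirroring the two the article expects to see.
ADDON_MANAGER_BINDING = {
    "metadata": {"name": "eks:addon-manager"},
    "subjects": [{"kind": "User", "name": "eks:addon-manager"}],
    "roleRef": {"kind": "ClusterRole", "name": "eks:addon-manager"},
}
ADDON_CLUSTER_ADMIN_BINDING = {
    "metadata": {"name": "eks:addon-cluster-admin"},
    "subjects": [{"kind": "User", "name": "eks:addon-manager"}],
    "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
}

def rule_allows(rule, verb, group, resource, name):
    """True if a single PolicyRule grants verb on group/resource[/name]."""
    def match(values, wanted):
        return "*" in values or wanted in values
    if not (match(rule.get("verbs", []), verb) and match(rule.get("apiGroups", []), group)
            and match(rule.get("resources", []), resource)):
        return False
    names = rule.get("resourceNames")
    # A name-restricted rule only covers the named objects; requests without a
    # name (list, create) are not satisfied by it.
    return not names or (name is not None and name in names)

def can_i(bindings, user, verb, group, resource, name=None):
    """Evaluate every ClusterRoleBinding whose subjects include the user."""
    for b in bindings:
        if not any(s["kind"] == "User" and s["name"] == user for s in b.get("subjects", [])):
            continue
        if b["roleRef"]["kind"] != "ClusterRole":
            continue
        rules = CLUSTER_ROLES.get(b["roleRef"]["name"], [])
        if any(rule_allows(r, verb, group, resource, name) for r in rules):
            return True
    return False

def patch_namespace_allowed(bindings):
    """The exact request the article's error message reports as forbidden."""
    return can_i(bindings, "eks:addon-manager", "patch", "", "namespaces", "kube-system")
```

On a live cluster the equivalent check is `kubectl auth can-i patch namespaces -n kube-system --as eks:addon-manager`, which should answer "yes" once the binding is in place.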
AWS OFFICIAL. Updated 7 months ago.