EKS aws-auth Config Map

0

Hi,

I have this configuration for my aws-auth config map:

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::999999999999:role/ec2-managed-node
      username: system:node:{{EC2PrivateDNSName}}

    - groups:
      - sso:team-leader
      rolearn: arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c
      username: adrian
    - groups:
      - sso:team-leader
      rolearn: arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c
      username: bruce   
    - groups:
      - sso:team-leader
      rolearn: arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c
      username: nicko

I'd like to know whether I'm doing something wrong, because whenever I try to access a forbidden resource, even I'm logged as "adrian" or "bruce" I receive a message saying:

Error from server (Forbidden): pods is forbidden: User "nicko" cannot list resource "pods" in API group "" in the namespace "default"

Role:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: alt:team-leader
  namespace: iron
rules:
- apiGroups: ["*"]
  resources: [
    "pods", 
    "pods/log",
    "deployments", 
    "services",
    "replicasets",
    "daemonsets",
    "statefulsets",
    "configmaps", 
    "secrets", 
    "jobs", 
    "cronjobs",
    "ingresses",
    "networkpolicies",
    "serviceaccounts",
    "persistentvolumes",
    "persistentvolumeclaims",
    "namespaces"
  ]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alt:team-leader
  namespace: iron
subjects:
- kind: Group
  name: alt:team-leader
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: alt:team-leader
  apiGroup: rbac.authorization.k8s.io
feita há 8 meses243 visualizações
2 Respostas
1
Resposta aceita

Fixed that using the variable {{SessionName}}:

- rolearn: arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c
   username: team-leader:{{SessionName}}
   groups:
   - sso:team-leader  
respondido há 8 meses
profile picture
ESPECIALISTA
avaliado há 7 meses
0

Hi,

Your Role and RoleBinding are for Namespace: iron, and you are trying to list default

profile picture
ESPECIALISTA
respondido há 8 meses
  • Yes, but the problem is about the message, the message is related to a different user than the one I am using.

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas