Same error here with 3 clusters (21.15 + 11.18).
I'm not sure this is related to your migration.
We can access the clusters through kubectl without any errors.
Are you running your clusters in different regions? Which ones?
We are getting the same with three 1.17 clusters in us-west-2 installed with eksctl and with non-managed nodegroups. It seems to me that this may be caused by new features being rolled out for re:Invent.
Hello!
I am actually globus68... Somehow the login messed up my user...
We have our clusters in eu-west-1 for all environments, so it is strange that it works in Production but not in Sandbox and Staging. Yes, it may very well be some re:Invent news...
Best regards
globus68
Same issue here. So far no solution. But it also applies to clusters that were not updated.
Help? :-(
This helps!
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "eks:AccessKubernetesApi"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
I've tried, it does not solve the issue.
BTW: If the user is using
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}
...I would assume it should work anyway.
@dbattula: I already tried that, but got the "Unrecognized action" message.
@gnwdtx: I also tried that, but still does not work
Thank you SriSaranBalajiVR@AWS!
Adding eks:AccessKubernetesApi to a policy for the developer role fixed it. However, using the Administrator role (having Allow--) we are still denied access.
Best regards
globus68
Hello globus68,
I sent a private message as well requesting some information. If possible, can you paste the exact error message you're seeing, and then we can verify whether it's due to an AWS service AuthN/AuthZ issue or a Kubernetes AuthN/AuthZ issue.
Thank you.
Hello,
Sorry for the inconvenience this has caused. We are updating our docs with more detailed info (https://github.com/awsdocs/amazon-eks-user-guide/blob/master/doc_source/troubleshooting_iam.md#cant-see-workloads-or-nodes-and-see-error-loading-namespaces-in-the-aws-management-console)
TL;DR: A couple of days ago, we launched the new AWS console for EKS (https://aws.amazon.com/blogs/containers/introducing-the-new-amazon-eks-console/). As part of this launch, users can view their Kubernetes objects in the AWS console; for example, the console now shows pods, deployments and other resources available in their EKS cluster.
The new EKS console requires the following two permissions to be available to view Kubernetes objects:
- New IAM permission - eks:AccessKubernetesApi
  Currently this permission can be added by modifying the JSON policy in the console as explained here: https://docs.aws.amazon.com/eks/latest/userguide/security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-console. While we are actively pushing this new permission to be available in the IAM console, you can use the API to update the IAM permission; until then you will notice "Unrecognized action" in the console.
- Access to the Kubernetes cluster
  Users using the console should have their IAM entity in the Kubernetes aws-auth ConfigMap. If the mapping is in the ConfigMap, make sure that the user or group is bound to a Kubernetes role or clusterrole that has the necessary permissions to view the Kubernetes resources. If the IAM user or role isn't in the ConfigMap, or the Kubernetes role or clusterrole doesn't have permissions to view the Kubernetes resources, the console error may include "Unauthorized: Verify you have access to the Kubernetes cluster". For more information about adding IAM users or roles to the aws-auth ConfigMap, please see https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html.
Existing content has moved under the Configuration tab and should be visible without any modification to the IAM entity. Also, this feature doesn't affect your cluster health or remove any of your existing permissions. Once again, sorry for the inconvenience. Please do try it out and give us your feedback.
Thank you.
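The two requirements in the answer above (an IAM Allow for eks:AccessKubernetesApi, and an entry for the IAM principal in the aws-auth ConfigMap) can be pre-checked offline before opening the console. The script below is an added example written for this page; it is not code from the thread or from AWS. It reads an IAM policy document and the ConfigMap as printed by `kubectl get configmap aws-auth -n kube-system -o json`, and reports which of the two checks fails. The account number, role names and group name in the sample inputs are constructed, the policy evaluation is a simplification (Deny statements, NotAction and Condition are ignored), and the mapRoles parser only handles the block-style list shape shown in the EKS docs so that no YAML library is needed.

```python
"""Offline pre-check for the two things the new EKS console needs:
an IAM policy that allows eks:AccessKubernetesApi, and an aws-auth
entry for the IAM principal. Added example, not code from the thread
or from AWS. The sample inputs at the bottom are constructed."""
import fnmatch
import json
import textwrap

REQUIRED_ACTION = "eks:AccessKubernetesApi"


def policy_allows(policy_json, action=REQUIRED_ACTION):
    """True if some Allow statement's Action matches `action`. IAM action
    names are case-insensitive and may use * wildcards ("eks:*", "*").
    Simplification: Deny, NotAction and Condition are ignored."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in actions):
            return True
    return False


def normalize_arn(arn):
    """Return the form aws-auth compares against: an STS assumed-role ARN
    (what the console session actually carries) becomes the IAM role ARN,
    and any path segment in a role ARN is dropped."""
    parts = arn.split(":", 5)
    if len(parts) != 6:
        raise ValueError(f"not an ARN: {arn!r}")
    partition, service, account, resource = parts[1], parts[2], parts[4], parts[5]
    if service == "sts" and resource.startswith("assumed-role/"):
        return f"arn:{partition}:iam::{account}:role/{resource.split('/')[1]}"
    if service == "iam" and resource.startswith("role/"):
        return f"arn:{partition}:iam::{account}:role/{resource.split('/')[-1]}"
    return arn


def parse_mapping_block(text):
    """Minimal parser for the mapRoles/mapUsers block-style YAML list:
    entries start with "- " at column 0, values are scalars or lists."""
    entries, current, list_key = [], None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        if indent == 0 and line.startswith("- "):      # new list entry
            current, list_key = {}, None
            entries.append(current)
            line = line[2:].strip()
        if current is None:
            raise ValueError(f"line outside a list entry: {raw!r}")
        if line.startswith("- "):                      # item of a nested list
            if list_key is None:
                raise ValueError(f"list item without a key: {raw!r}")
            current[list_key].append(line[2:].strip().strip('"\''))
            continue
        key, _, value = line.partition(":")            # split at first colon only
        key, value = key.strip(), value.strip().strip('"\'')
        if value:
            current[key], list_key = value, None
        else:
            current[key], list_key = [], key           # "groups:" opens a list
    return entries


def lookup_mapping(aws_auth_json, principal_arn):
    """Return the mapRoles/mapUsers entry for the principal, or None."""
    data = json.loads(aws_auth_json).get("data", {})
    target = normalize_arn(principal_arn)
    for entry in parse_mapping_block(data.get("mapRoles", "")):
        if entry.get("rolearn") and normalize_arn(entry["rolearn"]) == target:
            return entry
    for entry in parse_mapping_block(data.get("mapUsers", "")):
        if entry.get("userarn") == target:
            return entry
    return None


def diagnose(policy_json, aws_auth_json, principal_arn):
    """List the problems that would keep the principal from seeing workloads;
    an empty list means both checks pass (an RBAC binding is still needed)."""
    problems = []
    if not policy_allows(policy_json):
        problems.append(f"IAM: no Allow for {REQUIRED_ACTION}")
    if lookup_mapping(aws_auth_json, principal_arn) is None:
        problems.append(f"aws-auth: {normalize_arn(principal_arn)} is not in mapRoles or mapUsers")
    return problems


# Constructed sample aws-auth: DeveloperRole is mapped, AdministratorRole is not.
SAMPLE_AWS_AUTH = json.dumps({
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "aws-auth", "namespace": "kube-system"},
    "data": {"mapRoles": textwrap.dedent("""\
        - rolearn: arn:aws:iam::111122223333:role/eks-node-role
          username: system:node:{{EC2PrivateDNSName}}
          groups:
            - system:bootstrappers
            - system:nodes
        - rolearn: arn:aws:iam::111122223333:role/DeveloperRole
          username: developer
          groups:
            - eks-console-dashboard-full-access-group
        """)},
})
DEVELOPER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["eks:DescribeCluster", "eks:ListClusters", "eks:AccessKubernetesApi"]}]})
ADMIN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]})

if __name__ == "__main__":
    for name, policy, arn in [
        ("developer", DEVELOPER_POLICY, "arn:aws:sts::111122223333:assumed-role/DeveloperRole/console"),
        ("administrator", ADMIN_POLICY, "arn:aws:iam::111122223333:role/AdministratorRole"),
    ]:
        print(name, diagnose(policy, SAMPLE_AWS_AUTH, arn) or ["ok"])
```

Run against the constructed inputs, the developer principal passes both checks while the administrator principal passes the IAM check (Allow * covers eks:AccessKubernetesApi) but fails the aws-auth check, which is the situation described in the thread. Feed it real data with `aws iam get-policy-version` output and `kubectl get configmap aws-auth -n kube-system -o json`; a principal that passes both checks can still be refused by Kubernetes RBAC, so the mapped username or group must also be bound to a role or clusterrole that can list pods and deployments.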
Problem solved thanks to srisaranbalajiataws!
I had to add the administrator role to the aws-auth ConfigMap. The developer role was already in there.
globus68