EKS aws-auth Config Map

Hi,

I have this configuration for my aws-auth config map:

apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::999999999999:role/ec2-managed-node
      username: system:node:{{EC2PrivateDNSName}}

    - groups:
      - sso:team-leader
      rolearn: arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c
      username: adrian
    - groups:
      - sso:team-leader
      rolearn: arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c
      username: bruce
    - groups:
      - sso:team-leader
      rolearn: arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c
      username: nicko

I'd like to know whether I'm doing something wrong, because whenever I try to access a forbidden resource, even if I'm logged in as "adrian" or "bruce", I receive a message saying:

Error from server (Forbidden): pods is forbidden: User "nicko" cannot list resource "pods" in API group "" in the namespace "default"

Role:

apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: alt:team-leader
  namespace: iron
rules:
- apiGroups: ["*"]
  resources: [
    "pods", 
    "pods/log",
    "deployments", 
    "services",
    "replicasets",
    "daemonsets",
    "statefulsets",
    "configmaps", 
    "secrets", 
    "jobs", 
    "cronjobs",
    "ingresses",
    "networkpolicies",
    "serviceaccounts",
    "persistentvolumes",
    "persistentvolumeclaims",
    "namespaces"
  ]
  verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: alt:team-leader
  namespace: iron
subjects:
- kind: Group
  name: alt:team-leader
  apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: alt:team-leader
  apiGroup: rbac.authorization.k8s.io
Asked 7 months ago, 241 views
2 answers
Accepted answer

Fixed that using the variable {{SessionName}}:

- rolearn: arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c
  username: team-leader:{{SessionName}}
  groups:
  - sso:team-leader
Answered 7 months ago
Expert
Reviewed 7 months ago
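Why the posted map reports the wrong user, and what the accepted fix changes, as an added example that is not part of the original question or answers. The aws-auth mapRoles list is keyed by role ARN, so the three entries for AWSReservedSSO_TeamLeader_33388d9125f61c2c collapse to one mapping and the last username ("nicko") is the one the API server sees for anyone assuming that role, which is exactly what the Forbidden message in the question shows: the IAM role is what gets authenticated, and the username string is only the label the cluster attaches to it. The script below is a Python checker written for this page. It transcribes the posted entries by hand (no PyYAML needed), reports duplicate rolearn keys, renders the username template with a session name the way the accepted answer's {{SessionName}} does, and flags aws-auth groups that no RoleBinding subject names. The posted RoleBinding binds alt:team-leader while aws-auth grants sso:team-leader, so the checker reports that group as unbound. The '@' to '-' substitution for {{SessionName}}, and the {{SessionNameRaw}} and {{AccountID}} variables, are taken from the aws-iam-authenticator documentation, not from this page; the sample session names and the private DNS name are constructed.

```python
"""Checker for an EKS aws-auth mapRoles list (added example, not code from the post).

Finds the two problems visible in the question: duplicate rolearn entries, where only
one username survives because the mapping is keyed by ARN, and aws-auth groups that no
RoleBinding actually binds. Entries are transcribed by hand so PyYAML is not required.
"""
from collections import defaultdict

ROLE_ARN = "arn:aws:iam::999999999999:role/AWSReservedSSO_TeamLeader_33388d9125f61c2c"

# mapRoles entries exactly as posted in the question (constructed transcription).
POSTED_MAP_ROLES = [
    {"rolearn": "arn:aws:iam::999999999999:role/ec2-managed-node",
     "username": "system:node:{{EC2PrivateDNSName}}",
     "groups": ["system:bootstrappers", "system:nodes"]},
    {"rolearn": ROLE_ARN, "username": "adrian", "groups": ["sso:team-leader"]},
    {"rolearn": ROLE_ARN, "username": "bruce", "groups": ["sso:team-leader"]},
    {"rolearn": ROLE_ARN, "username": "nicko", "groups": ["sso:team-leader"]},
]

# The accepted answer's fix: a single entry whose username comes from the role session.
FIXED_MAP_ROLES = [
    POSTED_MAP_ROLES[0],
    {"rolearn": ROLE_ARN, "username": "team-leader:{{SessionName}}",
     "groups": ["sso:team-leader"]},
]

# Group subjects of the RoleBinding posted in the question.
ROLEBINDING_GROUPS = {"alt:team-leader"}


def effective_role_map(entries):
    """Collapse entries by rolearn the way a map keyed by ARN does (last write wins).

    Returns (mapping, duplicates); duplicates maps each ARN seen more than once to the
    usernames that were declared for it, in order. IAM role names are case-insensitive,
    so keys are lower-cased before comparison.
    """
    mapping = {}
    seen = defaultdict(list)
    for entry in entries:
        key = entry["rolearn"].lower()
        seen[key].append(entry["username"])
        mapping[key] = entry
    duplicates = {arn: names for arn, names in seen.items() if len(names) > 1}
    return mapping, duplicates


def render_username(template, session_name="", private_dns="", account_id=""):
    """Expand the username template variables relevant to this question.

    Assumption from the aws-iam-authenticator docs: {{SessionName}} has '@' replaced
    with '-' (Kubernetes usernames), while {{SessionNameRaw}} keeps it unchanged.
    """
    return (template
            .replace("{{SessionName}}", session_name.replace("@", "-"))
            .replace("{{SessionNameRaw}}", session_name)
            .replace("{{EC2PrivateDNSName}}", private_dns)
            .replace("{{AccountID}}", account_id))


def identity_for_role(entries, rolearn, session_name):
    """Username and groups the API server will see for a session of this role."""
    mapping, _ = effective_role_map(entries)
    entry = mapping[rolearn.lower()]
    return render_username(entry["username"], session_name=session_name), list(entry["groups"])


def unbound_groups(entries, bound_groups):
    """aws-auth groups that no RoleBinding/ClusterRoleBinding subject names.

    Members of such a group authenticate fine but hold no RBAC permissions at all.
    """
    granted = {g for e in entries for g in e["groups"] if not g.startswith("system:")}
    return sorted(granted - set(bound_groups))


if __name__ == "__main__":
    _, dups = effective_role_map(POSTED_MAP_ROLES)
    for arn, names in dups.items():
        print(f"duplicate rolearn {arn}: usernames {names}; only {names[-1]!r} takes effect")
    for who in ("adrian", "bruce"):
        print("posted config, session", who, "->", identity_for_role(POSTED_MAP_ROLES, ROLE_ARN, who))
    for who in ("adrian", "bruce@example.com"):  # constructed SSO session names
        print("fixed config, session", who, "->", identity_for_role(FIXED_MAP_ROLES, ROLE_ARN, who))
    print("aws-auth groups with no RoleBinding:", unbound_groups(FIXED_MAP_ROLES, ROLEBINDING_GROUPS))
```

To confirm what the cluster resolves for a real session, compare the session name in the assumed-role ARN printed by `aws sts get-caller-identity` with the user named in a `kubectl auth can-i list pods -n iron` denial; the server-side check for a particular user and group pair is `kubectl auth can-i list pods -n iron --as team-leader:adrian --as-group sso:team-leader`.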

Hi,

Your Role and RoleBinding are for Namespace: iron, and you are trying to list in default.

Expert
Answered 7 months ago
  • Yes, but the problem is about the message: the message is related to a different user than the one I am using.
