If you receive one of the following errors when running kubectl commands, then either kubectl is not configured correctly for Amazon EKS, or the IAM user or role credentials that you are using are not mapped to a Kubernetes RBAC user with sufficient permissions in the Amazon EKS cluster.
could not get token: AccessDenied: Access denied
error: You must be logged in to the server (Unauthorized)
error: the server doesn't have a resource type "svc"
This can happen when the cluster was created with one set of AWS credentials (from an IAM user or role) while kubectl is using a different set of credentials.
When an Amazon EKS cluster is created, the IAM entity (user or role) that creates the cluster is added to the Kubernetes RBAC authorization table as an administrator (with system:masters permissions). Initially, only that IAM entity can make calls to the Kubernetes API server using kubectl. This creator entry does not appear in the aws-auth ConfigMap or anywhere else in visible configuration, so keep track of which identity created the cluster. For more information, see Managing users or IAM roles for your cluster. If you use the console to create the cluster, you must ensure that the same IAM user credentials are in the AWS SDK credential chain when you run kubectl commands against the cluster. Running aws sts get-caller-identity shows which identity the AWS CLI, and therefore the kubectl exec plugin that calls aws eks get-token, will use.
If you install and configure the AWS CLI, you can configure the IAM credentials for your user. For more information, see Configuring the AWS CLI in the AWS Command Line Interface User Guide.
If you assumed a role to create the Amazon EKS cluster, you must ensure that kubectl is configured to assume the same role. Use the following command to update your kubeconfig file to use an IAM role. For more information, see Create a kubeconfig for Amazon EKS.
aws eks update-kubeconfig \
--region <region-code> \
--name <cluster_name> \
--role-arn arn:aws:iam::<aws_account_id>:role/<role_name>
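To confirm what the command above actually pinned kubectl to, it helps to read the exec plugin entry it writes: aws eks update-kubeconfig adds a user whose exec args call aws eks get-token, and when --role-arn was given those args carry --role followed by the ARN. The script below is an added example, not part of the original page or of the AWS CLI; it parses a constructed kubeconfig (the cluster my-cluster, region us-west-2, account 111122223333 and role eks-admin are placeholders) without PyYAML, because the layout the CLI writes is regular enough for a line scan, and reports the role kubectl will assume so it can be compared with the role that created the cluster.

```python
"""Report the IAM identity kubectl will present to an EKS cluster.

`aws eks update-kubeconfig` writes an exec plugin entry that runs
`aws eks get-token`; with --role-arn the args carry `--role <arn>`.
Without --role the plugin uses whatever the AWS SDK credential chain resolves.
"""

# Constructed sample of a kubeconfig written by `aws eks update-kubeconfig`
# with --role-arn. Names, region, account ID and role are placeholders.
SAMPLE_KUBECONFIG = """\
apiVersion: v1
kind: Config
current-context: arn:aws:eks:us-west-2:111122223333:cluster/my-cluster
contexts:
- context:
    cluster: arn:aws:eks:us-west-2:111122223333:cluster/my-cluster
    user: arn:aws:eks:us-west-2:111122223333:cluster/my-cluster
  name: arn:aws:eks:us-west-2:111122223333:cluster/my-cluster
users:
- name: arn:aws:eks:us-west-2:111122223333:cluster/my-cluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      command: aws
      args:
      - --region
      - us-west-2
      - eks
      - get-token
      - --cluster-name
      - my-cluster
      - --role
      - arn:aws:iam::111122223333:role/eks-admin
"""

# Same file as it would look without --role-arn (the last two args removed).
SAMPLE_KUBECONFIG_NO_ROLE = "\n".join(SAMPLE_KUBECONFIG.splitlines()[:-2])

EKS_USER = "arn:aws:eks:us-west-2:111122223333:cluster/my-cluster"


def exec_args(kubeconfig_text, user_name):
    """Return the exec plugin args list for the named users[] entry."""
    in_user = in_args = False
    args = []
    for raw in kubeconfig_text.splitlines():
        line = raw.strip()
        if line == "- name: " + user_name:
            in_user = True
            continue
        if in_user and line.startswith("- name: "):
            break                      # reached the next users[] entry
        if in_user and line == "args:":
            in_args = True
            continue
        if in_args:
            if line.startswith("- "):
                args.append(line[2:])
            else:
                break                  # end of the args list
    return args


def get_token_settings(args):
    """Pair `--flag value` args of `aws eks get-token` into a dict."""
    settings = {}
    i = 0
    while i < len(args):
        flag_with_value = (args[i].startswith("--") and i + 1 < len(args)
                           and not args[i + 1].startswith("--"))
        if flag_with_value:
            settings[args[i][2:]] = args[i + 1]
            i += 2
        else:
            i += 1                     # bare words such as "eks", "get-token"
    return settings


def kubectl_identity(kubeconfig_text, user_name):
    """Return the role ARN kubectl will assume, or None for the default chain."""
    return get_token_settings(exec_args(kubeconfig_text, user_name)).get("role")


def role_matches(kubeconfig_text, user_name, expected_role_arn):
    """True if the kubeconfig is pinned to the role that created the cluster."""
    return kubectl_identity(kubeconfig_text, user_name) == expected_role_arn


if __name__ == "__main__":
    configured = kubectl_identity(SAMPLE_KUBECONFIG, EKS_USER)
    print("kubectl will assume:", configured or "default credential chain")
```

When the function returns None, kubectl authenticates as whatever aws sts get-caller-identity reports in the same shell; if that is not the creator identity or an identity mapped in aws-auth, the Unauthorized error above is expected.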
To map an IAM user to a Kubernetes RBAC user, see Managing users or IAM roles for your cluster.
To add an IAM user or role to an Amazon EKS cluster
Ensure that the AWS credentials that kubectl is using are already authorized for your cluster. The IAM user that created the cluster has these permissions by default.
Open the aws-auth ConfigMap.
kubectl edit -n kube-system configmap/aws-auth
Note: If you receive an error stating "Error from server (NotFound): configmaps "aws-auth" not found", then use the previous procedure to apply the stock ConfigMap.
Example ConfigMap:
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::111122223333:role/eksctl-my-cluster-nodegroup-standard-wo-NodeInstanceRole-1WP3NUE3O6UCF
      username: system:node:{{EC2PrivateDNSName}}
kind: ConfigMap
metadata:
  creationTimestamp: "2020-09-30T21:09:18Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "1021"
  selfLink: /api/v1/namespaces/kube-system/configmaps/aws-auth
  uid: dcc31de5-3838-11e8-af26-02e00430057c
Add your IAM users, roles, or AWS accounts to the configMap. You cannot add IAM groups to the configMap.
To add an IAM role (for example, for federated users): add the role details to the mapRoles section of the ConfigMap, under data. Add this section if it does not already exist in the file. Each entry supports the following parameters:
rolearn: The ARN of the IAM role to add.
username: The user name within Kubernetes to map to the IAM role.
groups: A list of groups within Kubernetes to which the role is mapped. For more information, see Default Roles and Role Bindings in the Kubernetes documentation.
To add an IAM user: add the user details to the mapUsers section of the ConfigMap, under data. Add this section if it does not already exist in the file. Each entry supports the following parameters:
userarn: The ARN of the IAM user to add.
username: The user name within Kubernetes to map to the IAM user.
groups: A list of groups within Kubernetes to which the user is mapped. For more information, see Default Roles and Role Bindings in the Kubernetes documentation.
For example, the block below contains:
A mapRoles section that adds the node instance role so that nodes can register themselves with the cluster.
A mapUsers section with the AWS users admin from the default AWS account and ops-user from another AWS account (substitute that account's ID in its userarn). Both users are added to the system:masters group, which Kubernetes binds to the cluster-admin ClusterRole; grant it only to identities that genuinely need full cluster control and map everyone else to a narrower group.
Replace all <example-values> (including <>) with your own values.
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapRoles: |
    - rolearn: <arn:aws:iam::111122223333:role/eksctl-my-cluster-nodegroup-standard-wo-NodeInstanceRole-1WP3NUE3O6UCF>
      username: <system:node:{{EC2PrivateDNSName}}>
      groups:
        - <system:bootstrappers>
        - <system:nodes>
  mapUsers: |
    - userarn: <arn:aws:iam::111122223333:user/admin>
      username: <admin>
      groups:
        - <system:masters>
    - userarn: <arn:aws:iam::111122223333:user/ops-user>
      username: <ops-user>
      groups:
        - <system:masters>
Save the file and exit your text editor.
Ensure that the Kubernetes user or group that you mapped the IAM user or role to is bound to a Kubernetes role with a RoleBinding or ClusterRoleBinding. For more information, see Using RBAC Authorization in the Kubernetes documentation. You can download the following example manifests that create a clusterrole and clusterrolebinding or a role and rolebinding:
View Kubernetes resources in all namespaces – The group name in the file is eks-console-dashboard-full-access-group, which is the group that your IAM user or role needs to be mapped to in the aws-auth configmap. You can change the name of the group before applying it to your cluster, if desired, and then map your IAM user or role to that group in the configmap. Download the file from:
https://amazon-eks.s3.us-west-2.amazonaws.com/docs/eks-console-full-access.yaml
View Kubernetes resources in a specific namespace – The namespace in this file is default, so if you want to specify a different namespace, edit the file before applying it to your cluster. The group name in the file is eks-console-dashboard-restricted-access-group, which is the group that your IAM user or role needs to be mapped to in the aws-auth configmap. You can change the name of the group before applying it to your cluster, if desired, and then map your IAM user or role to that group in the configmap. Download the file from:
https://amazon-eks.s3.us-west-2.amazonaws.com/docs/eks-console-restricted-access.yaml
(Optional) If you want the users you've added to the configmap to be able to view nodes or view workloads in the AWS Management Console, then the user or role must have both of the following types of permissions:
Kubernetes permissions to view the resources in Kubernetes
IAM permissions to view the resources in the AWS Management Console. For more information, see View nodes and workloads for all clusters in the AWS Management Console.
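The procedure above only works if the ARN written into aws-auth is the one the authenticator actually compares against. The caller presents an STS identity, so an assumed role arrives as arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION and is canonicalized to arn:aws:iam::ACCOUNT:role/ROLE before lookup; because STS assumed-role ARNs carry no IAM path, a mapRoles entry written with a path (…:role/team/ROLE) never matches and the caller stays Unauthorized. The following is an added example, not code from the original page or from the aws-iam-authenticator project: it canonicalizes a caller ARN, parses a constructed aws-auth ConfigMap modelled on the example above (the account IDs, the team/eks-admins role, the alice session name and the instance ID are placeholders), and reports what the authenticator would do with that caller. It knows nothing about the cluster creator, who is authorized without an aws-auth entry.

```python
"""Resolve an AWS identity against the aws-auth ConfigMap the way the EKS
authenticator does, to explain an Unauthorized error before editing anything.
"""

# Constructed aws-auth ConfigMap modelled on the page's example; every ARN is a
# placeholder. The team/eks-admins entry is deliberately written with a path.
SAMPLE_AWS_AUTH = """\
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::111122223333:role/eksctl-my-cluster-nodegroup-standard-wo-NodeInstanceRole-1WP3NUE3O6UCF
      username: system:node:{{EC2PrivateDNSName}}
    - rolearn: arn:aws:iam::111122223333:role/team/eks-admins
      username: eks-admins
      groups:
      - system:masters
  mapUsers: |
    - userarn: arn:aws:iam::111122223333:user/admin
      username: admin
      groups:
      - system:masters
    - userarn: arn:aws:iam::444455556666:user/ops-user
      username: ops-user
      groups:
      - eks-console-dashboard-full-access-group
"""


def canonicalize(arn):
    """Return the IAM ARN form the authenticator compares against aws-auth."""
    parts = arn.split(":", 5)          # arn, partition, service, region, account, resource
    if len(parts) != 6:
        raise ValueError(f"not an ARN: {arn}")
    partition, service, account, resource = parts[1], parts[2], parts[4], parts[5]
    res = resource.split("/")
    if service == "sts" and res[0] == "assumed-role":
        if len(res) < 3:
            raise ValueError(f"assumed-role ARN needs role and session: {arn}")
        return f"arn:{partition}:iam::{account}:role/{'/'.join(res[1:-1])}"
    if service == "iam" and res[0] in ("user", "role"):
        return arn
    raise ValueError(f"unsupported identity ARN: {arn}")


def block_scalar(yaml_text, key):
    """Return the body of a `key: |` block scalar (empty string if absent)."""
    lines = yaml_text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == f"{key}: |":
            key_indent = len(line) - len(line.lstrip())
            body = []
            for nxt in lines[i + 1:]:
                if nxt.strip() and len(nxt) - len(nxt.lstrip()) <= key_indent:
                    break              # back at the parent's indentation
                body.append(nxt)
            return "\n".join(body)
    return ""


def parse_mappings(block):
    """Parse mapRoles/mapUsers entries (keys in any order) into dicts."""
    entries, entry_indent = [], None
    for raw in block.splitlines():
        if not raw.strip():
            continue
        indent, text = len(raw) - len(raw.lstrip()), raw.strip()
        if text.startswith("- ") and entry_indent in (None, indent):
            entry_indent = indent
            entries.append({"groups": []})
            text = text[2:]            # a key may follow the dash on the same line
        elif text.startswith("- "):
            entries[-1]["groups"].append(text[2:])   # deeper dash: a group item
            continue
        key, _, value = text.partition(":")
        if key.strip() != "groups":    # group items follow on their own lines
            entries[-1][key.strip()] = value.strip()
    return entries


def lookup(aws_auth_yaml, caller_arn):
    """Return (username, groups) the authenticator would assign, or None."""
    canonical = canonicalize(caller_arn)
    for entry in parse_mappings(block_scalar(aws_auth_yaml, "mapRoles")):
        if entry.get("rolearn") == canonical:
            return entry.get("username"), entry["groups"]
    for entry in parse_mappings(block_scalar(aws_auth_yaml, "mapUsers")):
        if entry.get("userarn") == canonical:
            return entry.get("username"), entry["groups"]
    return None


def strip_role_path(role_arn):
    """arn:aws:iam::ACCT:role/path/ROLE -> arn:aws:iam::ACCT:role/ROLE"""
    head, sep, rest = role_arn.partition(":role/")
    return f"{head}{sep}{rest.rsplit('/', 1)[-1]}" if sep else role_arn


def diagnose(aws_auth_yaml, caller_arn):
    """One-line explanation of what aws-auth does with this caller."""
    found = lookup(aws_auth_yaml, caller_arn)
    if found:
        username, groups = found
        target = f"groups {groups}" if groups else f"user {username!r} only"
        return f"mapped to {username}; RBAC bindings must exist for {target}"
    canonical = canonicalize(caller_arn)
    for entry in parse_mappings(block_scalar(aws_auth_yaml, "mapRoles")):
        rolearn = entry.get("rolearn", "")
        if rolearn != canonical and strip_role_path(rolearn) == canonical:
            return (f"no match: aws-auth has {rolearn} but the caller canonicalizes "
                    f"to {canonical}; remove the path from rolearn")
    return f"no match: {canonical} is in neither mapRoles nor mapUsers (Unauthorized)"


if __name__ == "__main__":
    for arn in ("arn:aws:iam::111122223333:user/admin",
                "arn:aws:sts::111122223333:assumed-role/eks-admins/alice",
                "arn:aws:iam::111122223333:user/nobody"):
        print(arn, "->", diagnose(SAMPLE_AWS_AUTH, arn))
```

In practice the caller ARN comes from aws sts get-caller-identity in the shell where kubectl fails, and the ConfigMap from kubectl get -n kube-system configmap/aws-auth -o yaml run by an identity that still works; once a mapping is found, kubectl auth can-i --list run as the failing identity shows whether the RBAC bindings for its groups actually exist.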