作者:琪琪 | 来源:互联网 | 2022-12-09 11:07
我已经按照文档提出了一个EKS集群,该集群表示要在某些策略中发挥服务作用.
https://docs.aws.amazon.com/eks/latest/userguide/eks-ug.pdf
To create your Amazon EKS service role
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Choose Roles, then Create role.
3. Choose EKS from the list of services, then Allows Amazon EKS to manage your clusters on your behalf for your use case, then Next: Permissions.
4. Choose Next: Review.
5. For Role name, enter a unique name for your role, such as eksServiceRole, then choose Create role.
当我创建一个基本的hello world应用程序时,它会抛出AccessDenied错误.
Error creating load balancer (will retry): failed to ensure load balancer for service default/nginx:
AccessDenied: User: arn:aws:sts::*************:assumed-role/eks-service-role/************* is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::*************:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing
添加的两个策略(AmazonEKSClusterPolicy,AmazonEKSServicePolicy)不允许使用iam:CreateServiceLinkedRole操作.我们是否应该在指南中定义的政策之外添加此内容?或者这是否应包含在EKS政策中?
1> 小智..:
似乎EKS用户指南假定您在创建EKS群集之前已在AWS账户中创建了负载均衡器,因此在AWS IAM中具有现有AWSServiceRoleForElasticLoadBalancing服务角色.
如https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/elb-service-linked-roles.html#create-service-linked-role中所述
You don't need to manually create the AWSServiceRoleForElasticLoadBalancing role. Elastic Load Balancing creates this role for you when you create a load balancer.
EKS正在尝试为您执行此操作,导致使用默认策略的访问被拒绝异常.
在EKS群集创建之前显式创建服务链接角色的其他选项包括:
AWS CLI
aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.amazonaws.com"
Terraform
resource "aws_iam_service_linked_role" "elasticloadbalancing" {
aws_service_name = "elasticloadbalancing.amazonaws.com"
}
或者,从UI控制台手动创建负载均衡器.
无论配置选项如何,当您在AWS IAM中看到以下角色时,您应该知道事情会起作用
arn:aws:iam:::role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing