Nico

Reputation: 1545

Can't execute kubectl top nodes in amazon EKS cluster

The scenario is simple to reproduce:

  1. Create the EKS cluster with the role TempAdmin (we followed this documentation).
  2. Configuring my credentials with TempAdmin, I can do:
    kubectl top nodes
  3. The documentation says that the user/role that created the cluster is automatically granted system:masters permissions. Create a new role (Admin) and grant system:masters permissions to that role:
$ kubectl get configmap -n kube-system aws-auth -o yaml
apiVersion: v1
data:
  mapRoles: |
    - rolearn: arn:aws:iam::xxxxxxxxxxxx:role/EKS-Workers2-NodeInstanceRole-HWD4HSSO7NP1
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::xxxxxxxxxxxx:role/Admin
      groups:
        - system:masters
kind: ConfigMap
...
  4. Now, configuring my credentials to use the Admin role, I can do almost anything: I can create namespaces, edit the aws-auth configmap, get nodes. However, when I try top nodes:
$ kubectl top nodes
Error from server (Forbidden): nodes.metrics.k8s.io is forbidden: User "system:anonymous" cannot list nodes.metrics.k8s.io at the cluster scope: no RBAC policy matched

Additional info:

$ kubectl version
Client Version: version.Info{Major:"1", Minor:"13", GitVersion:"v1.13.2", GitCommit:"cff46ab41ff0bb44d8584413b598ad8360ec1def", GitTreeState:"clean", BuildDate:"2019-01-10T23:35:51Z", GoVersion:"go1.11.4", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"12+", GitVersion:"v1.12.10-eks-2e569f", GitCommit:"2e569fd887357952e506846ed47fc30cc385409a", GitTreeState:"clean", BuildDate:"2019-07-25T23:13:33Z", GoVersion:"go1.10.8", Compiler:"gc", Platform:"linux/amd64"}

Upvotes: 0

Views: 1322

Answers (1)

marcincuber

Reputation: 3791

As I mentioned in my comment, the solution is to add a username regardless of whether you are using IAM roles or IAM users in AWS. The mapping must be specified in your configmap, otherwise that username will never be created in the Kubernetes cluster and so it won't be mapped to any permissions.

So you are missing the username part in your newly added block in mapRoles.

The docs are a bit old in places, and it is always good to be explicit in configmaps. This is at least something I usually try to follow.

I am happy you managed to make it work. :)

Upvotes: 2
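For reference, the aws-auth mapRoles block with the fix the answer describes applied. This is an added illustration, not the asker's final configmap: the Admin entry is the one from the question with an explicit username added, and the value `admin` chosen for that username is an assumption (any stable identifier will do, as long as the mapping names one). The worker-node entry is unchanged.

```yaml
# Added example: aws-auth ConfigMap with an explicit username on the Admin role.
# The account id is the masked value from the question; "admin" is an assumed username.
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    # Worker nodes, as generated by the EKS node group template (unchanged).
    - rolearn: arn:aws:iam::xxxxxxxxxxxx:role/EKS-Workers2-NodeInstanceRole-HWD4HSSO7NP1
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    # Cluster admin role: "username" was missing in the original block.
    # Without it the role is not mapped to an identity, which is why the
    # metrics API reported the caller as system:anonymous.
    - rolearn: arn:aws:iam::xxxxxxxxxxxx:role/Admin
      username: admin
      groups:
        - system:masters
```

After applying it with `kubectl apply -f aws-auth.yaml` (while still using a credential that is already mapped, so you do not lock yourself out of editing the configmap), `kubectl auth can-i list nodes.metrics.k8s.io` using the Admin role credentials should answer `yes`, and `kubectl top nodes` should return data instead of the Forbidden error.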
