Reputation: 11
Messed up with configmap aws-auth
I was trying to add permission to view nodes to my admin IAM using information in this article (https://aws.amazon.com/premiumsupport/knowledge-center/eks-kubernetes-object-access-error/) and ended up saving the configmap with a malformed mapUsers section (didn't include the username at all)
Now every kubectl command return an error like this: Error from server (Forbidden): nodes is forbidden: User "" cannot list resource "nodes" in API group "" at the cluster scope
How can I circumvent corrupted configmap and regain access to the cluster? I found two questions at Stackoverflow but as I am very new to kubernetes and still buffled as to exactly I need to do.
Mistakenly updated configmap aws-auth with rbac & lost access to the cluster
I have an access to root user but kubectl doesn't work for this user, too.
Is there another way to authenticate to the cluster?
Update 1
Yesterday I recreated this problem on a new cluster: I still got this error even if I am the root user.
The structure of the configmap goes like this:
apiVersion: v1
data:
mapRoles: <default options>
mapUsers: |
- userarn: arn:aws:iam::<root id>:root
username: #there should be a username value on this line, but it's missing in my configmap; presumable this is the cause
groups:
- system:bootstrappers
- system:nodes
Update 2
Tried to use serviceAccount token, got an error:
Error from server (Forbidden): configmaps "aws-auth" is forbidden: User "system:serviceaccount:kube-system:aws-node" cannot get resource "configmaps" in API group "" in the namespace "kube-system"
Upvotes: 1
Views: 3832
Answers (1)
Reputation: 9997
How did you create your cluster? The IAM user, or IAM role, that you used to actually create it, is grandfathered in as a sysadmin. So long as you use the same credentials that you used for
aws eks create-cluster
You can do
aws eks update-kubeconfig, followed by using kubectl to modify the configmap and give other entites the permissions.
You haven't said what you actually tried. Lets do some more troubleshooting-
system:serviceaccount:kube-system:aws-nodethis is saying that THIS kubernetes user does not have permission to modify configmaps. But, that is completely correct- it SHOULDNT. What command did you run to get that error? What were the contents of your kubeconfig context to generate that message? Did you run the command from a worker node maybe?You said "I have access to the root user". Access in what way? Through the console? With an
AWS_SECRET_ACCESS_KEY? You'll need the second - assuming thats the case runaws iam get-caller-identityand post the results.Root user or not, the only user that has guaranteed access to the cluster is the one that created it. Are there ANY OTHER IAM users or roles in your account? Do you have cloudtrail enabled? If so, you could go back and check the logs and verify that it was the root user that issued the create cluster command.
After running
get-caller-identity, remove your .kube/config file and runaws eks update-kubeconfig. Tell us the output from the command, and the contents of the new config file.Run
kubectl auth can-i '*' '*'with the new config and let us know the result.
Upvotes: 1
Related Questions
- Kubectl command throwing error: Unable to connect to the server: getting credentials: exec: exit status 2
- configmaps "aws-auth" not found
- Setting up AWS EKS - Don't know username and password for config
- Kubectl Forbidden error in EKS after modifying the configmap
- Cannot update EKS NodeGroup because of aws-auth ConfigMap issues
- AWS eks user gets error: You must be logged in to the server (Unauthorized)
- kubectl error You must be logged in to the server (Unauthorized) - EKS cluster
- Mistakenly updated configmap aws-auth with rbac & lost access to the cluster
- Kubernetes on AWS using Kops - kube-apiserver authentication for kubectl
- KUBECTL ERROR: the server has asked for the client to provide credentials