大佬教程收集整理的这篇文章主要介绍了无权执行 sts:AssumeRoleWithWebIdentity- 403,大佬教程大佬觉得挺不错的,现在分享给大家,也给大家做个参考。
我一直在尝试使用 k8s-sig 组提供的指南运行外部 dns pod。我已按照指南的每一步进行操作,但出现以下错误。
time="2021-02-27T13:27:20Z" level=error msg="records retrIEval Failed: Failed to List hosted zones: WebIDentityErr: Failed to retrIEve credentials\ncaused by: AccessDenIEd: Not authorized to perform sts:AssumeRoleWithWebIDentity\n\tstatus code: 403,request ID: 87a3ca86-ceb0-47be-8f90-25d0c2de9f48"
我已使用 terraform 创建了 AWS IAM 策略,并且已成功创建。除了我使用 eksctl
的服务帐户的 IAM 角色外,其他所有内容均通过 terraform 生成。
但后来我掌握了这个 article,它说使用 awscli 创建 AWS IAM 策略可以消除这个错误。所以我删除了使用 terraform 创建的策略,并使用 awscli 重新创建它。然而,它抛出了同样的错误错误。
下面是我的外部 dns yaml 文件。
APIVersion: v1
kind: serviceAccount
Metadata:
name: external-dns
# If you're using Amazon EKS with IAM Roles for service Accounts,specify the following Annotation.
# Otherwise,you may safely omit it.
Annotations:
# Substitute your account ID and IAM service role name below.
eks.amazonaws.com/role-arn: arn:aws:iam::268xxxxxxx:role/eksctl-ats-Eks1-addon-iamserviceaccoun-Role1-WMLL93xxxx
---
APIVersion: rBAC.authorization.k8s.io/v1beta1
kind: ClusterRole
Metadata:
name: external-dns
rules:
- APIGroups: [""]
resources: ["services","endpoints","pods"]
verbs: ["get","watch","List"]
- APIGroups: ["extensions","networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get","List"]
- APIGroups: [""]
resources: ["nodes"]
verbs: ["List","watch"]
---
APIVersion: rBAC.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
Metadata:
name: external-dns-vIEwer
roleRef:
APIGroup: rBAC.authorization.k8s.io
kind: ClusterRole
name: external-dns
subjects:
- kind: serviceAccount
name: external-dns
namespace: default
---
APIVersion: apps/v1
kind: Deployment
Metadata:
name: external-dns
spec:
strategy:
type: Recreate
SELEctor:
matchLabels:
app: external-dns
template:
Metadata:
labels:
app: external-dns
spec:
serviceAccountname: external-dns
containers:
- name: external-dns
image: k8s.gcr.io/external-dns/external-dns:v0.7.6
args:
- --source=service
- --source=ingress
- --domain-filter=xyz.com # will make ExternalDNS see only the hosted zones matching provIDed domain,omit to process all available hosted zones
- --provIDer=aws
- --policy=upsert-only # would prevent ExternalDNS from deleting any records,omit to enable full synchronization
- --aws-zone-type=public # only look at public hosted zones (valID values are public,private or no value for both)
- --registry=txt
- --txt-owner-ID=Z0471542U7WSPZxxxx
securityContext:
fsGroup: 65534 # For ExternalDNS to be able to read Kubernetes and AWS token files
我正在挠头,因为网络中的任何地方都没有针对此错误的适当解决方案。希望在本论坛中找到解决此问题的方法。
最终结果必须显示如下内容并填写托管区域中的记录。
time="2020-05-05T02:57:31Z" level=info msg="All records are already up to date"
我也遇到过这个错误。
问题在于信任关系的定义。
您可以在一些官方 aws 教程(如 this)中看到以下设置:
{
"Version": "2012-10-17","Statement": [
{
"Effect": "Allow","Principal": {
"Federated": "arn:aws:iam::${AWS_account_ID}:oidc-provider/${OIDC_PROVIDER}"
},"Action": "sts:AssumeRoleWithWebIdentity","Condition": {
"StringEquals": {
"${OIDC_PROVIDER}:sub": "system:serviceaccount:<my-namespace>:<my-service-account>"
}
}
}
]
}
失败的选项 1
我的问题是我在 @H_672_5@my-service-account 部分的 ${OIDC_PROVIDER}:sub
末尾传递了错误的 Condition
值。
失败的选项 2
在上一个修复之后 - 我仍然面临同样的错误 - 通过遵循 this aws tutorial 解决了这个问题,它显示了使用 eksctl 和以下命令的输出:
eksctl create iamserviceaccount \
--name my-serviceaccount \
--namespace <your-ns> \
--cluster <your-cluster-name> \
--attach-policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess \
--approve
当您查看 AWS Web 控制台中 信任关系 选项卡中的输出时 - 您可以看到添加了一个附加条件,后缀为 :aud
,值为 { {1}}:
所以这需要在 sts.amazonaws.com
条件之后添加。
我在这里有几种可能性。
首先,您的集群是否有与之关联的 OIDC 提供商?没有它,IRSA 将无法运作。
您可以在 AWS 控制台中或通过 CLI 进行检查:
aws eks describe-cluster --name {name} --query "cluster.identity.oidc.issuer"
第一
删除 iamserviceaccount
,重新创建它,从您的 ExternalDNS 清单(整个第一部分)中删除 serviceAccount
定义并重新应用它。
eksctl delete iamserviceaccount --name {name} --namespace {namespacE} --cluster {Cluster}
eksctl create iamserviceaccount --name {name} --namespace {namespacE} --cluster
{Cluster} --attach-policy-arn {policy-arn} --approve --override-exisTing-serviceaccounts
kubectl apply -n {namespacE} -f {your-externaldns-manifest.yaml}
可能会发生一些冲突,因为您通过在 ExternalDNS 清单中还指定了 eksctl createiamserviceaccount
覆盖了使用 serviceAccount
创建的内容。
第二
将您的集群升级到 v1.19(如果它还没有):
eksctl upgrade cluster --name {name}
会告诉你将要做什么;
eksctl upgrade cluster --name {name} --approve
会做的
第三
一些文档建议除了设置 securityContext.fsGroup: 65534
外,还需要设置 securityContext.runAsUser: 0
。
我能够从 Kubernetes Slack 获得帮助(向 @Rob Del 大喊),这就是我们想出的。文章中的 k8s rBAC 没有任何问题,问题在于 IAM 角色的编写方式。我正在使用 Terraform v0.12.24,但我相信类似于以下 .tf 的内容应该适用于 Terraform v0.14:
<html lang="en">
<head>
<title>Document</title>
<style>
* {margin: 0; padding: 0;}
body {padding: 20px;}
</style>
<script>
var eta_btn;
function eta_controllo(eta_btn) {
eta_btn = number(prompt("Inserisci la tua età"));
console.log(eta_btn);
}
function profession() {
var temp = document.getElementById("SELEct").SELEctedIndex;
if (temp == 0) {
document.getElementById("lavoratore_txt").style.display = "";
document.getElementById("studente_txt").style.display = "none";
} else if (temp == 1) {
document.getElementById("studente_txt").style.display = "";
document.getElementById("lavoratore_txt").style.display = "none";
} else {
document.getElementById("studente_txt").style.display = "none";
document.getElementById("lavoratore_txt").style.display = "none";
}
}
function send_to_server() {
if (!(eta_btn == document.getElementById("età").value)) {
alert("Le due età inserite non sono concordi");
return false;
}
else if (eta_btn == document.getElementById("età").value && eta_btn < 14) {
alert("Hai meno di 14 Anni!");
return false;
} else if (confirm("Sicuro di aver scelto la provincia " + document.querySELEctor('input[name="città"]:checked').value))
alert("Dati inviati correttamente");
else {
alert("Errore");
return false;
}
}
</script>
</head>
<body>
<form action="">
<p>NOME</p>
<input placeholder="scrivi qui il tuo nome" type="text"><br><br>
<p>passworD</p>
<input placeholder="scrivi qui la tua password" type="text"><br><br>
<p>ETA'</p>
<input placeholder="scrivi qui la tua età" type="text" id="età">
<button onclick="eta_controllo()">CONTROLLO</button><br><br>
<input name="città" type="radio">GENOVA<br>
<input name="città" type="radio">SAVONA<br>
<input name="città" type="radio">IMPERIA<br>
<input name="città" type="radio">LA SPEZIA<br><br>
<SELEct name="" id="SELEct" onchange="profession()">
<option value="lavoratore">Lavoratore</option>
<option value="studente">studente</option>
<option value="disoccupato">Disoccupato</option>
</SELEct>
<p id="studente_txt" style="display: none">Vai a studiare!</p><br>
<textarea id="lavoratore_txt" style="display: none;" name="" id="" cols="30" rows="10"></textarea><br><br>
<button>AnnULLA TUTTO</button>
<button onclick="send_to_server()">INVIA AL SERVER</button>
</form>
</body>
</html>
上述 .tf 假设您使用 terraform 创建了 eks 集群,并且您使用了 rBAC 清单 from the external-dns tutorial。
,在按照建议的设置 here
之后,我一直在为类似的问题而苦苦挣扎我在部署日志中发现了以下异常。
time="2021-05-10T06:40:17Z" level=error msg="records retrieval failed: failed to list hosted zones: WebIdentityErr: failed to retrieve credentials\ncaused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity\n\tstatus code: 403,request id: 3fda6c69-2a0a-4bc9-b478-521b5131af9b"
time="2021-05-10T06:41:20Z" level=error msg="records retrieval failed: failed to list hosted zones: WebIdentityErr: failed to retrieve credentials\ncaused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity\n\tstatus code: 403,request id: 7d3e07a2-c514-44fa-8e79-d49314d9adb6"
就我而言,这是映射到创建的新角色的错误服务帐户名称的问题。
这里有一个循序渐进的方法,可以轻松完成这项工作。
{
"Version": "2012-10-17","Statement": [
{
"Effect": "Allow","Action": [
"route53:ChangeresourceRecordSets"
],"resource": [
"arn:aws:route53:::hostedzone/*"
]
},{
"Effect": "Allow","Action": [
"route53:ListHostedZones","route53:ListresourceRecordSets"
],"resource": [
"*"
]
}
]
}
eksctl create iamserviceaccount \
--name external-dns-sa-eks \
--namespace default \
--cluster aecops-grpc-test \
--attach-policy-arn arn:aws:iam::xxxxxxxx:policy/external-dns-policy-eks \
--approve
--override-exisTing-serviceaccounts
@H_801_170@
aws route53 create-hosted-zone --name "hosted.domain.com." --caller-reference "grpc-endpoint-external-dns-test-$(date +%s )"
---
apiVersion: rBAC.authorization.k8s.io/v1beta1
kind: ClusterRole
metadata:
name: external-dns
rules:
- apiGroups: [""]
resources: ["services","endpoints","pods"]
verbs: ["get","watch","list"]
- apiGroups: ["extensions","networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get","list"]
- apiGroups: [""]
resources: ["nodes"]
verbs: ["list","watch"]
---
apiVersion: rBAC.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
name: external-dns-viewer
roleRef:
apiGroup: rBAC.authorization.k8s.io
kind: ClusterRole
name: external-dns
subjects:
- kind: serviceAccount
name: external-dns-sa-eks
namespace: default
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: external-dns
spec:
strategy:
type: Recreate
SELEctor:
matchLabels:
app: external-dns
template:
metadata:
labels:
app: external-dns
# If you're using kiam or kube2iam,specify the following Annotation.
# Otherwise,you may safely omit it.
Annotations:
iam.amazonaws.com/role: arn:aws:iam::***********:role/eksctl-eks-cluster-name-addon-iamserviceacco-Role1-156KP94SN7D7
spec:
serviceAccountName: external-dns-sa-eks
containers:
- name: external-dns
image: k8s.gcr.io/external-dns/external-dns:v0.7.6
args:
- --source=service
- --source=ingress
- --domain-filter=hosted.domain.com. # will make ExternalDNS see only the hosted zones matching provided domain,omit to process all available hosted zones
- --provider=aws
- --policy=upsert-only # would prevent ExternalDNS from deleting any records,omit to enable full synchronization
- --aws-zone-type=public # only look at public hosted zones (valid values are public,private or no value for both)
- --registry=txt
- --txt-owner-id=my-hostedzone-identifier
securityContext:
fsGroup: 65534 # For ExternalDNS to be able to read Kubernetes and AWS token files
对于入口对象,ExternalDNS 将根据为入口对象指定的主机创建 DNS 记录。
- host: myapp.hosted.domain.com
BASH-3.2$ aws route53 list-resource-record-sets --output json
--hosted-zone-id "/hostedzone/Z065*********" --query "resourceRecordSets[?Name == 'hosted.domain.com..']|[?Type == 'A']"
[
{
"Name": "myapp.hosted.domain.com..","Type": "A","AliasTarget": {
"HostedZonEID": "ZCT6F*******","DNSName": "****************.elb.ap-southeast-2.amazonaws.com.","EvaluateTargetHealth": true
}
} ]
以上是大佬教程为你收集整理的无权执行 sts:AssumeRoleWithWebIdentity- 403全部内容,希望文章能够帮你解决无权执行 sts:AssumeRoleWithWebIdentity- 403所遇到的程序开发问题。
如果觉得大佬教程网站内容还不错,欢迎将大佬教程推荐给程序员好友。
本图文内容来源于网友网络收集整理提供,作为学习参考使用,版权属于原作者。
如您有任何意见或建议可联系处理。小编QQ:384754419,请注明来意。