I created an EKS cluster with an IAM user, so system:creator is my own IAM user. I have configured the aws CLI and kubectl command-line tools to use the correct credentials, and both aws and kubectl work fine.
Now I am trying to call the API with the curl command below to list the pods in the kube-system namespace.
curl -v https://abc.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system/pods?limit=500 --header "Authorization: Bearer $TOKEN" --cacert test.crt
I obtained the token with the following command:
TOKEN=$(aws eks get-token --cluster-name test-clus --profile default)
The test.crt file contains the Base64 certificate authority string provided by the EKS cluster (from the EKS cluster's details page).
However, I get an Unauthorized error:
* TLSv1.2 (IN), TLS header, Supplemental data (23):
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
* Connection #0 to host abc.gr7.us-east-1.eks.amazonaws.com left intact
}
Environment details:
EKS version: 1.24
aws cli version: aws-cli/2.9.15
kubectl version:
WARNING: This version information is deprecated and will be replaced with the output from kubectl version --short. Use --output=yaml|json to get the full version.
Client Version: version.Info{Major:"1", Minor:"26", GitVersion:"v1.26.0", GitCommit:"b46a3f887ca979b1a5d14fd39cb1af43e7e5d12d", GitTreeState:"clean", BuildDate:"2022-12-08T19:58:30Z", GoVersion:"go1.19.4", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v4.5.7
Server Version: version.Info{Major:"1", Minor:"24+", GitVersion:"v1.24.8-eks-ffeb93d", GitCommit:"abb98ec0631dfe573ec5eae40dc48fd8f2017424", GitTreeState:"clean", BuildDate:"2022-11-29T18:45:03Z", GoVersion:"go1.18.8", Compiler:"gc", Platform:"linux/amd64"}
WARNING: version difference between client (1.26) and server (1.24) exceeds the supported minor version skew of +/-1
I don't get what the problem is. Surprisingly, I am the creator of the EKS cluster and still cannot access the API.
Please advise.
First, you need to decode the CA certificate from your kubeconfig; you can do it like this.
CLUSTER_ARN="cluster_name"
kubectl config view --raw -o jsonpath="{.clusters[?(@.name == \"${CLUSTER_ARN}\")].cluster.certificate-authority-data}" | base64 --decode > cert.crt
Now you can generate the token and make the curl request to the API:
CLUSTER_NAME=$(echo $CLUSTER_ARN | cut -d'/' -f2)
AWS_PROFILE=<profile>
AWS_REGION=<region>
TOKEN=$(aws --region ${AWS_REGION} eks get-token --cluster-name ${CLUSTER_NAME} --output json --profile ${AWS_PROFILE} | jq -r '.status.token')
curl https://XXX.gr7.eu-west-1.eks.amazonaws.com --cacert cert.crt -H "Authorization: Bearer $TOKEN"
Regards