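I am new to Kubernetes and am trying to create an AWS CodePipeline to deploy a service to an EKS stack.
I am following this tutorial, and I have followed all the steps, including creating the role and adding permissions, so that CodeBuild will be able to talk to EKS.
The problem I am facing now is that when the CodePipeline runs, the command below fails in the CodeBuild stage.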
kubectl apply -f hello-k8s.yml
and gives this error:
[Container] 2019/12/04 07:41:43 Running command kubectl apply -f hello-k8s.yml
unable to recognize "hello-k8s.yml": Unauthorized
unable to recognize "hello-k8s.yml": Unauthorized
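I am not quite sure whether it is a credentials issue, because I have added the user/role following all the steps in the tutorial. Can anyone help me?
The high-level process includes the following steps:
Create an IAM service role for CodeBuild (do not use an existing service role, because it contains a '/path/')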
$ TRUST="{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Principal\": { \"Service\": \"codebuild.amazonaws.com\" }, \"Action\": \"sts:AssumeRole\" } ] }"
$ echo '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "eks:Describe*", "Resource": "*" } ] }' > /tmp/iam-role-policy
$ aws iam create-role --role-name CodeBuildKubectlRole --assume-role-policy-document "$TRUST" --output text --query 'Role.Arn'
$ aws iam put-role-policy --role-name CodeBuildKubectlRole --policy-name eks-describe --policy-document file:///tmp/iam-role-policy
$ aws iam attach-role-policy --role-name CodeBuildKubectlRole --policy-arn arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
$ aws iam attach-role-policy --role-name CodeBuildKubectlRole --policy-arn arn:aws:iam::aws:policy/AWSCodeBuildAdminAccess
Map the CodeBuild service role in EKS using the "aws-auth" ConfigMap
Edit the "aws-auth" ConfigMap and add a role mapping for the CodeBuild service role:
$ vi aws-auth.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::AccountId:role/devel-worker-nodes-NodeInstanceRole-14W1I3VCZQHU7
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::AccountId:role/CodeBuildKubectlRole
      username: build
      groups:
        - system:masters
$ kubectl apply -f aws-auth.yaml
Create the source files in the code repository
Create a repository in GitHub/CodeCommit with the sample files, as follows:
.
├── buildspec.yml
└── deployment
    └── pod.yaml
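A sample repository is located at: https://github.com/shariqmus/codebuild-to-eks
Note:
Create and start the build project
Confirm that the required objects have been created in the EKS cluster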
$ kubectl get all --all-namespaces
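The answer's warning about a role that contains a '/path/' can be checked before a build fails with "Unauthorized". The following is an added example, not part of the original answer or the sample repository: it converts the identity CodeBuild actually runs as into the path-less form that an aws-auth rolearn entry has to use, and checks it against mapRoles text. The account ID 111122223333, the role and session names, and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Account ID, role names and SAMPLE_MAPROLES are constructed.

# Turn an STS assumed-role ARN (as printed by `aws sts get-caller-identity`)
# or an IAM role ARN with a path into arn:<partition>:iam::<account>:role/<name>,
# the form a rolearn entry in aws-auth must have (no path, no session name).
aws_auth_role_arn() {
  arn="$1"
  IFS=: read -r skip partition skip skip account resource <<EOF
$arn
EOF
  case "$resource" in
    assumed-role/*)                 # assumed-role/<role-name>/<session-name>
      name="${resource#assumed-role/}"
      name="${name%%/*}" ;;
    role/*)                         # role/<optional/path/><role-name>
      name="${resource##*/}" ;;
    *)
      echo "not a role ARN: $arn" >&2
      return 1 ;;
  esac
  printf 'arn:%s:iam::%s:role/%s\n' "$partition" "$account" "$name"
}

# Succeed only if the normalized ARN is listed as a rolearn in the given
# mapRoles text ($2). Exact, fixed-string comparison on each rolearn value.
is_mapped() {
  want="$(aws_auth_role_arn "$1")" || return 2
  printf '%s\n' "$2" |
    sed -n 's/^[[:space:]-]*rolearn:[[:space:]]*\([^[:space:]]*\).*/\1/p' |
    grep -Fxq "$want"
}

# Constructed mapRoles content, shaped like the ConfigMap in the answer.
SAMPLE_MAPROLES='- rolearn: arn:aws:iam::111122223333:role/CodeBuildKubectlRole
  username: build
  groups:
    - system:masters'

# Constructed identities: the dedicated role, and a default-style service role
# that lives under a path and is not mapped.
for id in \
  'arn:aws:sts::111122223333:assumed-role/CodeBuildKubectlRole/AWSCodeBuild-demo' \
  'arn:aws:iam::111122223333:role/service-role/codebuild-demo-service-role'
do
  if is_mapped "$id" "$SAMPLE_MAPROLES"; then state=mapped; else state='NOT mapped'; fi
  printf '%s -> %s (%s)\n' "$id" "$(aws_auth_role_arn "$id")" "$state"
done
```

In a real build, the first argument would come from `aws sts get-caller-identity --query Arn --output text` run inside the buildspec, and the second from the mapRoles field of the cluster's aws-auth ConfigMap.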