Prerequisites
- An EKS cluster is already deployed
- The AWS CLI is installed and configured with an account (docs.aws.amazon.com/zh_cn/cli/l…)
Create the EKS policy
The policy grants only the read-only `eks:DescribeCluster` and `eks:ListClusters` actions; everything else the user can do inside the cluster is decided by Kubernetes RBAC below.
```
aws iam create-policy --policy-name=**<policy-name>** --policy-document='{"Version": "2012-10-17", "Statement": {"Sid": "45345354354", "Effect": "Allow", "Action": ["eks:DescribeCluster", "eks:ListClusters" ], "Resource": "*" }}'
```
Create the user and attach the policy
```
aws iam create-user --user-name=**<user-name>**
aws iam attach-user-policy --user-name=**<user-name>** --policy-arn=arn:aws:iam::**<aws-iam-id>**:policy/**<policy-name>**
```
Generate the user's access key
```
aws iam create-access-key --user-name=**<user-name>**
```
Join the cluster
- Fetch the cluster's auth ConfigMap
```
kubectl -n kube-system get configmap aws-auth -o yaml > aws-auth.yaml
```
- Edit aws-auth.yaml and add a mapUsers entry under `data:` (the value is a YAML string, so the indentation below matters)
```yaml
mapUsers: |
  - userarn: arn:aws:iam::**<aws-iam-id>**:user/**<user-name>**
    username: **<user-name>**
```
- Update the cluster
```
kubectl -n kube-system apply -f aws-auth.yaml
```
- Create the admin role, e.g. adminClusterRole.yaml (note that Kubernetes already ships a default ClusterRole named `admin`; choosing a distinct name avoids modifying it)
```yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
  - nonResourceURLs: ["*"]
    verbs: ["*"]
```
- Create the regular-user role, e.g. developerRole.yaml (a namespaced Role, so the wildcard rules apply only inside that namespace)
```yaml
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: developer
  namespace: **<namespace>**
rules:
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["*"]
```
- Create the admin RoleBinding, e.g. adminClusterRoleBinding.yaml (the subject name must match the `username` set in mapUsers)
```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: admin
subjects:
  - kind: User
    name: **<user-name>**
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: admin
  apiGroup: rbac.authorization.k8s.io
```
- Create the regular-user RoleBinding, e.g. developerRoleBinding.yaml
```yaml
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: developer
  namespace: **<namespace>**
subjects:
  - kind: User
    name: **<user-name>**
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: Role
  name: developer
  apiGroup: rbac.authorization.k8s.io
```
- Apply them to the cluster
```
kubectl apply -f adminClusterRole.yaml
kubectl apply -f developerRole.yaml
kubectl apply -f adminClusterRoleBinding.yaml
kubectl apply -f developerRoleBinding.yaml
```
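As an added example (not part of the original page), a small Python audit of what a mapUsers entry actually grants once the bindings above are applied: it parses the mapUsers block, resolves each binding to its role, and reports whether the user ends up with cluster-wide or namespace-wide wildcard rights, or is mapped but bound to nothing. The account id, user names, `dev` namespace and the manifests (written as the dicts `yaml.safe_load()` would return) are constructed samples.

```python
# Constructed sample of the mapUsers value, in the string form stored in aws-auth.
MAP_USERS = """\
- userarn: arn:aws:iam::123456789012:user/alice
  username: alice
- userarn: arn:aws:iam::123456789012:user/bob
  username: bob
"""
STAR = {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}  # the page's rule
ROLES = [  # constructed: the page's admin ClusterRole and developer Role
    {"kind": "ClusterRole", "metadata": {"name": "admin"}, "rules": [STAR]},
    {"kind": "Role", "metadata": {"name": "developer", "namespace": "dev"}, "rules": [STAR]},
]
BINDINGS = [  # constructed: alice gets the ClusterRoleBinding, bob the RoleBinding
    {"kind": "ClusterRoleBinding", "metadata": {"name": "admin"},
     "subjects": [{"kind": "User", "name": "alice"}],
     "roleRef": {"kind": "ClusterRole", "name": "admin"}},
    {"kind": "RoleBinding", "metadata": {"name": "developer", "namespace": "dev"},
     "subjects": [{"kind": "User", "name": "bob"}],
     "roleRef": {"kind": "Role", "name": "developer"}},
]

def parse_map_users(text):
    """Minimal parser for the '- userarn: / username:' list inside aws-auth."""
    users = []
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("- "):  # each list item starts a new user entry
            users.append({})
            s = s[2:]
        key, _, value = s.partition(":")
        if users and value:
            users[-1][key.strip()] = value.strip()
    return users

def is_wildcard(role):
    # True if any rule grants every verb on every resource in every API group
    return any(all("*" in r.get(k, []) for k in STAR) for r in role["rules"])

def audit(map_users_text, roles, bindings):
    """Map each aws-auth username to the wildcard scopes it is bound to:
    'cluster', 'namespace:<ns>', or ['none'] when mapped but bound to nothing."""
    lookup = {(r["kind"], r["metadata"].get("namespace"), r["metadata"]["name"]): r for r in roles}
    result = {}
    for user in parse_map_users(map_users_text):
        name, scopes = user["username"], []
        for b in bindings:
            if not any(s["kind"] == "User" and s["name"] == name for s in b["subjects"]):
                continue
            ref, ns = b["roleRef"], b["metadata"].get("namespace")
            role = lookup.get((ref["kind"], None if ref["kind"] == "ClusterRole" else ns, ref["name"]))
            if role and is_wildcard(role):
                scopes.append("cluster" if b["kind"] == "ClusterRoleBinding" else f"namespace:{ns}")
        result[name] = scopes or ["none"]
    return result
```

Running `audit(MAP_USERS, ROLES, BINDINGS)` on the samples reports alice as `cluster` and bob as `namespace:dev`; a user present in mapUsers with no binding shows up as `none`, which is the state to expect right after editing aws-auth and before applying any RoleBinding.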
Get the user's kubeconfig
Run this with the new user's access key configured in the AWS CLI (for example in a dedicated profile), since the generated kubeconfig authenticates to the cluster as whichever IAM identity the CLI is using.
```
aws eks update-kubeconfig --name=**<cluster-name>**
```