```
I1031 14:09:51.084438 576 loader.go:375] Config loaded from file: clusters/dev-expanse/kubeconfig/kubeconfig
```

There has to be a way to map a group of users to Kubernetes.

Back to the aws-iam-authenticator docs to see what I can do in the configmap.

While this works, I can't possibly add each new user with their own mappings.

However, I want to map groups of users and not individual users.

This is starting to look good and I am seeing what I am expecting.

```
Ready master 51m v1.13.10
```

aws-iam-authenticator logs are now showing:

```
aws-iam-authenticator-h58c8 aws-iam-authenticator time="" level=info msg="STS response" accountid=123456789 arn="arn:aws:iam::123456789:user/garland.kan" client="127.0.0.1:34008" method=POST path=/authenticate session= userid=KEIEPOWIEKELEOQIEURIW
aws-iam-authenticator-h58c8 aws-iam-authenticator time="" level=info msg="access granted" arn="arn:aws:iam::123456789:user/garland.kan" client="127.0.0.1:34008" groups="" method=POST path=/authenticate uid="aws-iam-authenticator:123456789:KEIEPOWIEKELEOQIEURIW" username=garland.kan
```

The keys I have in that shell are for another account.

Exporting the correct AWS keys and trying again.

Looks like a legit failed auth? Going to focus on the aws-iam-authenticator now.

From the logs it looks like the aws-iam-authenticator is telling me that it tried to auth and got an access denied back from AWS.
Kube api logs on a failed attempt:

```
aws-iam-authenticator-lzjt6 aws-iam-authenticator time="" level=info msg="STS response" accountid=1234567890 arn="arn:aws:iam::1234567890:user/dev-garland" client="127.0.0.1:55534" method=POST path=/authenticate session= userid=AIDAJOZJZRVACX2SX5NPE
aws-iam-authenticator-lzjt6 aws-iam-authenticator time="" level=warning msg="access denied" arn="arn:aws:iam::1234567890:user/dev-garland" client="127.0.0.1:55534" error="ARN is not mapped: arn:aws:iam::1234567890:user/dev-garland" method=POST path=/authenticate
```

Failing, but it looks like it did more than before.

It is time to upgrade since 0.3 is pretty old:

Searching around, Kops did update the aws-iam-authenticator from 0.3 to 0.4 in later releases.

Let's go to a later version of Kops.

Using Kops 1.13 with Kubernetes 1.13.x

It has the “certificate-authority-data” so it should not complain about a self-signed cert?

Looks like it is using this file to auth since we see “” in the aws-iam-authenticator

Check if the aws-iam-authenticator's config map is there:

```
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUMwekNDQWJ1Z0F3SUJBZ0lNRmRMU1M2MW45YXhWVzlBbE1BMEdDU3FHU0liM0RRRUJDd1VBTUJVeEV6QVIKQmdOVkJBTVRDbXQxWW1WeWJtVjBaWE13SGhjTk1Ua3hNREk1TVRrek5EQXlXaGNOTWpreE1ESTRNVGt6TkRBeQpXakFWTVJNd0VRWURWUVFERXdwcmRXSmxjbTVsZEdWek1JSUJJakFOQmdrcWhraUc5dzBCQVFFRkFBT0NBUThBCk1JSUJDZ0tDQVFFQXhrNS9DN3dNZTZocGFDWnIwYXoyNEovNExOZk5TOU1HV0R0=
    server:
  name:
contexts:
- context:
    cluster:
    user:
  name:
current-context:
kind: Config
preferences:
```

There don't seem to be that many steps from the Kops configuration side.