Question
I am new to Kubernetes and trying to create an AWS CodePipeline to deploy a service to an EKS stack.
I am following this tutorial. I have followed all the steps, including creating a role and adding permissions so that CodeBuild will be able to talk with EKS.
The issue I am facing right now is that when CodePipeline runs, it fails on the command below in the CodeBuild phase.
kubectl apply -f hello-k8s.yml
and gives this error
[Container] 2019/12/04 07:41:43 Running command kubectl apply -f hello-k8s.yml
unable to recognize "hello-k8s.yml": Unauthorized
unable to recognize "hello-k8s.yml": Unauthorized
I am not very sure whether it's a credentials issue, because I have followed all the steps to add the user/role as per the tutorial.
Can anyone please help me with this?
Answer 1:
Deploying YAML manifests to Kubernetes from CodeBuild requires these high-level steps:
Create an IAM Service role for CodeBuild
Map the CodeBuild Service role in EKS using “aws-auth” ConfigMap
Create source files in Code repository
Create and Start a CodeBuild Project
Confirm the required objects are created in EKS cluster
Create an IAM service role for CodeBuild (don't use an existing service role, as it includes a '/path/')
Run the following commands to create a CodeBuild service role and attach the required policies:
$ TRUST="{ \"Version\": \"2012-10-17\", \"Statement\": [ { \"Effect\": \"Allow\", \"Principal\": { \"Service\": \"codebuild.amazonaws.com\" }, \"Action\": \"sts:AssumeRole\" } ] }"
$ echo '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "eks:Describe*", "Resource": "*" } ] }' > /tmp/iam-role-policy
$ aws iam create-role --role-name CodeBuildKubectlRole --assume-role-policy-document "$TRUST" --output text --query 'Role.Arn'
$ aws iam put-role-policy --role-name CodeBuildKubectlRole --policy-name eks-describe --policy-document file:///tmp/iam-role-policy
$ aws iam attach-role-policy --role-name CodeBuildKubectlRole --policy-arn arn:aws:iam::aws:policy/CloudWatchLogsFullAccess
$ aws iam attach-role-policy --role-name CodeBuildKubectlRole --policy-arn arn:aws:iam::aws:policy/AWSCodeBuildAdminAccess
Map the CodeBuild Service role in EKS using “aws-auth” ConfigMap
Edit the ‘aws-auth’ ConfigMap and add the role mapping for the CodeBuild service role:
$ vi aws-auth.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::AccountId:role/devel-worker-nodes-NodeInstanceRole-14W1I3VCZQHU7
      username: system:node:{{EC2PrivateDNSName}}
      groups:
        - system:bootstrappers
        - system:nodes
    - rolearn: arn:aws:iam::AccountId:role/CodeBuildKubectlRole
      username: build
      groups:
        - system:masters
$ kubectl apply -f aws-auth.yaml
Create source files in Code repository
Create a repository in GitHub/CodeCommit with sample files as follows:
.
├── buildspec.yml
└── deployment
    └── pod.yaml
A sample repository is located here: https://github.com/shariqmus/codebuild-to-eks
Notes:
The buildspec.yml file installs kubectl and aws-iam-authenticator and configures kubectl in the CodeBuild environment
Update the buildspec.yml file with the correct region and cluster_name on line 16
Add the deployment YAML files in the “deployment” directory
Create and Start a Build Project
Open the CodeBuild console
Click the ‘Create Build Project’ button
Name the project
Use a CodeCommit repository where you have added the attached files: “buildspec.yml” and “pod.yaml”
Use Managed Image > Ubuntu > Standard 1.0
In the Role Name, select “CodeBuildKubectlRole”
Click the ‘Create Build Project’ button
Click the ‘Start Build’ button to start a build
Confirm the required objects are created in EKS cluster
You can confirm this with a simple command, e.g.
$ kubectl get all --all-namespaces
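Added example, not part of the answer above: the "Unauthorized" error appears when the identity CodeBuild presents to the cluster has no matching entry in aws-auth. aws-iam-authenticator canonicalizes the STS assumed-role ARN (`arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION`) to the IAM role ARN `arn:aws:iam::ACCOUNT:role/ROLE` before comparing it with `mapRoles`, and that canonical form carries no path, which is the reason the answer warns against a role created under a `/path/`. The script below performs that comparison offline. The account id, session name, the `codebuild-old-service-role` role and the ConfigMap text are constructed sample data; in a real build you would feed it the output of `aws sts get-caller-identity --query Arn --output text` from the CodeBuild job and `kubectl -n kube-system get configmap aws-auth -o yaml` from an admin workstation.

```shell
#!/bin/sh
# Added diagnostic for the EKS "Unauthorized" failure from CodeBuild.
# Example code, not from the original answer. All sample data below is constructed.

# Canonicalize the caller ARN the same way aws-iam-authenticator does:
#   arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION  ->  arn:aws:iam::ACCOUNT:role/ROLE
# Any other ARN (e.g. an IAM user) is returned unchanged. The role path is never
# present in an assumed-role ARN, so it is absent from the canonical form too.
canonicalize_caller_arn() {
  arn="$1"
  case "$arn" in
    arn:aws:sts::*:assumed-role/*)
      account=$(printf '%s' "$arn" | cut -d: -f5)
      role=$(printf '%s' "$arn" | cut -d/ -f2)
      printf 'arn:aws:iam::%s:role/%s\n' "$account" "$role"
      ;;
    *)
      printf '%s\n' "$arn"
      ;;
  esac
}

# Read aws-auth YAML on stdin, extract every rolearn value and return 0 only if
# one of them equals $1 exactly (whole line, fixed string). A path segment or a
# wrong account id therefore fails to match, exactly as it does in EKS.
role_is_mapped() {
  wanted="$1"
  sed -n 's/^[[:space:]]*-*[[:space:]]*rolearn:[[:space:]]*//p' \
    | sed 's/[[:space:]]*$//' \
    | grep -q -x -F -- "$wanted"
}

# $1: STS caller ARN seen inside the build, $2: aws-auth ConfigMap YAML text.
# Returns 0 when the caller would be accepted, 1 when kubectl will get "Unauthorized".
diagnose() {
  canonical=$(canonicalize_caller_arn "$1")
  if printf '%s\n' "$2" | role_is_mapped "$canonical"; then
    echo "OK: $canonical is mapped in aws-auth"
    return 0
  fi
  echo "Unauthorized expected: no rolearn entry for $canonical in aws-auth" >&2
  return 1
}

# Constructed aws-auth ConfigMap, shaped like the one in the answer. The second
# entry shows the mistake the answer warns about: an IAM ARN pasted with its path.
SAMPLE_AWS_AUTH='apiVersion: v1
kind: ConfigMap
metadata:
  name: aws-auth
  namespace: kube-system
data:
  mapRoles: |
    - rolearn: arn:aws:iam::123456789012:role/CodeBuildKubectlRole
      username: build
      groups:
        - system:masters
    - rolearn: arn:aws:iam::123456789012:role/service-role/codebuild-old-service-role
      username: build
      groups:
        - system:masters'

# Constructed `aws sts get-caller-identity --query Arn --output text` results
# for a job using the freshly created role ...
GOOD_CALLER='arn:aws:sts::123456789012:assumed-role/CodeBuildKubectlRole/AWSCodeBuild-0a1b2c3d'
# ... and for a job using the pre-existing role that lives under /service-role/.
PATH_CALLER='arn:aws:sts::123456789012:assumed-role/codebuild-old-service-role/AWSCodeBuild-0a1b2c3d'

diagnose "$GOOD_CALLER" "$SAMPLE_AWS_AUTH" || true
diagnose "$PATH_CALLER" "$SAMPLE_AWS_AUTH" || true
```

The second call fails because the mapped ARN is `.../role/service-role/codebuild-old-service-role` while the authenticator compares against `.../role/codebuild-old-service-role`; the fix is either the dedicated path-less role from the answer or a `mapRoles` entry written without the path. Putting `aws sts get-caller-identity` as the first build command in buildspec.yml makes this mismatch visible in the CodeBuild log before `kubectl apply` runs.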
Source: https://stackoverflow.com/questions/59171413/getting-unable-to-recognize-hello-k8s-yml-unauthorized-error-when-running