EKS

[EKS] kubectl permission error

su''@ 2025. 2. 23. 23:28

1. Checking the cluster after creation

  • Ways to give kubectl AWS credentials
  1. aws configure
  2. Map the IAM user/role in the aws-auth ConfigMap (the legacy ConfigMap authentication mode)
    • For option 2, map the principal to the system:masters group if it needs cluster-admin rights, or to an appropriately scoped RBAC group if it only needs limited rights.
  • Setting AWS CLI credentials with aws configure
$ aws configure
AWS Access Key ID [None]: 
AWS Secret Access Key [None]: 
Default region name [None]: ap-northeast-2
Default output format [None]:


  • Update the kubeconfig for the cluster
$ aws eks update-kubeconfig --region ap-northeast-2 --name [cluster name] --alias [cluster name]
Added new context test-cluster to /home/ec2-user/.kube/config

# check the generated kubeconfig
$ cat ~/.kube/config
apiVersion: v1
clusters:
- cluster:
    certificate-authority-data: 
    server: https://xxxxxxxxx.sk1.ap-northeast-2.eks.amazonaws.com
  name: arn:aws:eks:ap-northeast-2:xxxxxxxxxxx:cluster/test
contexts:
- context:
    cluster: arn:aws:eks:ap-northeast-2:xxxxxxxxxxx:cluster/test
    user: arn:aws:eks:ap-northeast-2:xxxxxxxxxxx:cluster/test
  name: test-cluster
current-context: test-cluster
kind: Config
preferences: {}
users:
- name: arn:aws:eks:ap-northeast-2:xxxxxxxxxxx:cluster/test
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1beta1
      args:
      - --region
      - ap-northeast-2
      - eks
      - get-token
      - --cluster-name
      - test
      - --output
      - json
      command: aws


  • Check the connection to the cluster
    • kubectl is rejected: "the server has asked for the client to provide credentials" is a 401. The token produced by aws eks get-token is well formed, but the IAM principal it carries is not mapped to any Kubernetes identity in this cluster, so the API server cannot authenticate it at all.
$ kubectl cluster-info
E0130 10:12:06.368345    2863 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: the server has asked for the client to provide credentials"
E0130 10:12:07.098304    2863 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: the server has asked for the client to provide credentials"
E0130 10:12:07.798164    2863 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: the server has asked for the client to provide credentials"
E0130 10:12:08.502655    2863 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: the server has asked for the client to provide credentials"
E0130 10:12:09.204821    2863 memcache.go:265] "Unhandled Error" err="couldn't get current server API group list: the server has asked for the client to provide credentials"


  • Check the cluster's access entries
  • Confirm that the IAM principal has no access entry, then register one
  • After registering the entry the error changes to: User "test-eks-admin" cannot list resource "services" in API group "" in the namespace "kube-system" (a 403: the principal is now authenticated as test-eks-admin but has been granted no permissions)
$ aws eks create-access-entry \
  --cluster-name [cluster name] \
  --principal-arn [the principal ARN printed above] \
  --username [user name] \
  --type STANDARD
  
$ kubectl cluster-info
To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.
Error from server (Forbidden): services is forbidden: User "test-eks-admin" cannot list resource "services" in API group "" in the namespace "kube-system"


  • Creating an access entry only establishes the identity; permissions are granted by associating an access policy with it. Associate AmazonEKSClusterAdminPolicy for the admin case.
    • This grants the test-eks-admin user cluster-admin rights (the same effect as a system:masters mapping in the aws-auth ConfigMap), so reserve it for operators and give everyone else a narrower policy such as AmazonEKSViewPolicy or a namespace-scoped access scope.
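The whole flow above (kubeconfig, 401 vs 403 diagnosis, access entry, access policy) as one idempotent script. This is an added example, not code from the original post. It assumes aws CLI v2 with the eks access-entry subcommands and kubectl on PATH, that the CLI credentials are the ones kubectl's exec plugin uses, and the cluster name/region from the post; the function names and the CLUSTER, REGION and EKS_USERNAME variables are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the diagnosis above and
# apply the fix idempotently. Assumes aws CLI v2 (eks access-entry commands),
# kubectl, and that the CLI credentials are the ones kubectl's exec plugin uses.
# CLUSTER, REGION and EKS_USERNAME are this example's own variables.
set -eu

CLUSTER="${CLUSTER:-test}"
REGION="${REGION:-ap-northeast-2}"

# Classify kubectl's failure text. A 401 ("asked for the client to provide
# credentials") means the token's IAM principal maps to no Kubernetes identity;
# a 403 ("is forbidden") means the identity exists but has no permissions.
classify_kubectl_error() {
  case "$1" in
    *"provide credentials"*) echo unauthenticated ;;
    *"is forbidden"*|*"(Forbidden)"*) echo unauthorized ;;
    *) echo other ;;
  esac
}

# Access entries are keyed on the IAM principal, so a session ARN from an
# assumed role (arn:aws:sts::ACCT:assumed-role/NAME/SESSION) must be turned
# back into the role ARN before it is used with create-access-entry.
normalize_principal_arn() {
  arn="$1"
  case "$arn" in
    arn:aws:sts::*:assumed-role/*)
      acct="${arn#arn:aws:sts::}"; acct="${acct%%:*}"
      role="${arn#*:assumed-role/}"; role="${role%%/*}"
      echo "arn:aws:iam::${acct}:role/${role}" ;;
    *) echo "$arn" ;;
  esac
}

caller_principal_arn() {
  normalize_principal_arn "$(aws sts get-caller-identity --query Arn --output text)"
}

# Access entries only work when the cluster's authentication mode includes the
# EKS API; a CONFIG_MAP-only cluster needs the aws-auth ConfigMap instead.
assert_api_auth_mode() {
  mode="$(aws eks describe-cluster --name "$CLUSTER" --region "$REGION" \
            --query cluster.accessConfig.authenticationMode --output text)"
  case "$mode" in
    API|API_AND_CONFIG_MAP) return 0 ;;
    *) echo "cluster authentication mode is $mode; access entries are unavailable" >&2
       return 1 ;;
  esac
}

# Create the access entry if it is missing, then attach the cluster-admin
# access policy. associate-access-policy is safe to repeat.
ensure_cluster_admin() {
  principal="$1"; username="$2"
  if ! aws eks describe-access-entry --cluster-name "$CLUSTER" --region "$REGION" \
         --principal-arn "$principal" >/dev/null 2>&1; then
    aws eks create-access-entry --cluster-name "$CLUSTER" --region "$REGION" \
      --principal-arn "$principal" --username "$username" --type STANDARD >/dev/null
  fi
  aws eks associate-access-policy --cluster-name "$CLUSTER" --region "$REGION" \
    --principal-arn "$principal" \
    --policy-arn arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy \
    --access-scope type=cluster >/dev/null
}

main() {
  aws eks update-kubeconfig --region "$REGION" --name "$CLUSTER" --alias "$CLUSTER" >/dev/null
  # Capture only stderr: that is where both the 401 retries and the 403 land.
  err="$(kubectl cluster-info 2>&1 >/dev/null)" && { echo "kubectl already works"; return 0; }
  kind="$(classify_kubectl_error "$err")"
  if [ "$kind" = other ]; then
    echo "not an identity problem:" >&2; echo "$err" >&2; return 1
  fi
  assert_api_auth_mode
  principal="$(caller_principal_arn)"
  echo "kubectl was $kind as $principal; ensuring access entry + AmazonEKSClusterAdminPolicy"
  ensure_cluster_admin "$principal" "${EKS_USERNAME:-test-eks-admin}"
  # Verify with an explicit RBAC probe that mirrors the failing request above.
  kubectl auth can-i list services -n kube-system
}

if [ "${1:-}" = "--fix" ]; then main; fi
```

Run it as `sh fix-eks-access.sh --fix` with CLUSTER and REGION exported. The script deliberately refuses to proceed on a cluster whose authentication mode is CONFIG_MAP only, because create-access-entry is rejected there and the aws-auth route from the first section applies instead. The final `kubectl auth can-i` repeats the exact request that produced the 403, so a lingering failure points at the policy association rather than at the token.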