Adding a user to a Kubernetes cluster on AWS EKS
In the previous post I looked at provisioning a Kubernetes cluster on AWS EKS with Terraform. There, the only identity that could reach the cluster with kubectl was the AWS user that created the EKS cluster. This is a personal account and I am the only one using it, but I run Terraform with a separate AWS identity, so I had to grant access to the AWS identity I use locally as well.
aws-auth ConfigMap
Looking into it, I learned that granting access to an EKS cluster means listing the IAM user or role in the aws-auth ConfigMap. Let's start by listing the ConfigMaps.
$ kubectl -n kube-system get cm
NAME                                 DATA   AGE
aws-auth                             1      10d
coredns                              1      10d
cp-vpc-resource-controller           0      10d
eks-certificates-controller          0      10d
extension-apiserver-authentication   6      10d
kube-proxy                           1      10d
kube-proxy-config                    1      10d
kube-root-ca.crt                     1      10d
Among the ConfigMaps in the kube-system namespace there is one named aws-auth.
$ kubectl -n kube-system get cm/aws-auth -o yaml
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::12345678:role/default_node_group-eks-node-group-202207261234600000004
      username: system:node:{{EC2PrivateDNSName}}
kind: ConfigMap
metadata:
  creationTimestamp: "2022-07-26T18:55:41Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "988"
  uid: bc75e1be-4857-4927-89e4-0eb51d6822e4
The ConfigMap has a single mapRoles entry. From its name it is the IAM role attached to the managed node group: this mapping is how the worker nodes authenticate to the API server, each node becoming the user system:node:<its private DNS name> in the system:bootstrappers and system:nodes groups. The identity I am currently using with kubectl does not appear here at all. The AWS documentation explains why: the creator of the cluster is granted system:masters automatically, and that grant is not recorded in aws-auth (or anywhere else visible), so it is worth keeping track of which IAM entity created the cluster.
When you create an Amazon EKS cluster, the AWS Identity and Access Management (IAM) entity user or role, such as a federated user that creates the cluster, is automatically granted system:masters permissions in the cluster's role-based access control (RBAC) configuration in the Amazon EKS control plane.
Role/ClusterRole
As shown above, mapRoles maps an IAM role to a Kubernetes username and a list of groups. Those group names are what RoleBindings and ClusterRoleBindings refer to as subjects, and that is how the permissions are actually granted. Before looking at RoleBinding/ClusterRoleBinding, let's list the Roles and ClusterRoles first. (It is a bit long, but I have kept the full output.)
$ kubectl get roles -A
NAMESPACE     NAME                                             CREATED AT
kube-public   system:controller:bootstrap-signer               2022-07-26T18:52:02Z
kube-system   eks-vpc-resource-controller-role                 2022-07-26T18:52:13Z
kube-system   eks:addon-manager                                2022-07-26T18:52:10Z
kube-system   eks:authenticator                                2022-07-26T18:52:05Z
kube-system   eks:certificate-controller                       2022-07-26T18:52:05Z
kube-system   eks:fargate-manager                              2022-07-26T18:52:10Z
kube-system   eks:k8s-metrics                                  2022-07-26T18:52:05Z
kube-system   eks:node-manager                                 2022-07-26T18:52:09Z
kube-system   extension-apiserver-authentication-reader        2022-07-26T18:52:02Z
kube-system   system::leader-locking-kube-controller-manager   2022-07-26T18:52:02Z
kube-system   system::leader-locking-kube-scheduler            2022-07-26T18:52:02Z
kube-system   system:controller:bootstrap-signer               2022-07-26T18:52:02Z
kube-system   system:controller:cloud-provider                 2022-07-26T18:52:02Z
kube-system   system:controller:token-cleaner                  2022-07-26T18:52:02Z
kube-system   vpc-resource-controller-leader-election-role     2022-07-26T18:52:13Z
A Role grants permissions only within a namespace, so each one is listed with its namespace.
$ kubectl get clusterroles
NAME  CREATED AT
admin  2022-07-26T18:52:01Z
aws-node  2022-07-26T18:52:09Z
cluster-admin  2022-07-26T18:52:01Z
edit  2022-07-26T18:52:01Z
eks:addon-manager  2022-07-26T18:52:09Z
eks:certificate-controller-approver  2022-07-26T18:52:05Z
eks:certificate-controller-signer  2022-07-26T18:52:05Z
eks:cloud-controller-manager  2022-07-26T18:52:05Z
eks:cloud-provider-extraction-migration  2022-07-26T18:52:06Z
eks:cluster-event-watcher  2022-07-26T18:52:05Z
eks:fargate-manager  2022-07-26T18:52:10Z
eks:fargate-scheduler  2022-07-26T18:52:05Z
eks:k8s-metrics  2022-07-26T18:52:05Z
eks:node-bootstrapper  2022-07-26T18:52:10Z
eks:node-manager  2022-07-26T18:52:09Z
eks:nodewatcher  2022-07-26T18:52:05Z
eks:pod-identity-mutating-webhook  2022-07-26T18:52:05Z
eks:podsecuritypolicy:privileged  2022-07-26T18:52:10Z
eks:tagging-controller  2022-07-26T18:52:06Z
system:aggregate-to-admin  2022-07-26T18:52:01Z
system:aggregate-to-edit  2022-07-26T18:52:01Z
system:aggregate-to-view  2022-07-26T18:52:01Z
system:auth-delegator  2022-07-26T18:52:01Z
system:basic-user  2022-07-26T18:52:01Z
system:certificates.k8s.io:certificatesigningrequests:nodeclient  2022-07-26T18:52:01Z
system:certificates.k8s.io:certificatesigningrequests:selfnodeclient  2022-07-26T18:52:01Z
system:certificates.k8s.io:kube-apiserver-client-approver  2022-07-26T18:52:01Z
system:certificates.k8s.io:kube-apiserver-client-kubelet-approver  2022-07-26T18:52:01Z
system:certificates.k8s.io:kubelet-serving-approver  2022-07-26T18:52:01Z
system:certificates.k8s.io:legacy-unknown-approver  2022-07-26T18:52:01Z
system:controller:attachdetach-controller  2022-07-26T18:52:01Z
system:controller:certificate-controller  2022-07-26T18:52:01Z
system:controller:clusterrole-aggregation-controller  2022-07-26T18:52:01Z
system:controller:cronjob-controller  2022-07-26T18:52:01Z
system:controller:daemon-set-controller  2022-07-26T18:52:01Z
system:controller:deployment-controller  2022-07-26T18:52:01Z
system:controller:disruption-controller  2022-07-26T18:52:01Z
system:controller:endpoint-controller  2022-07-26T18:52:01Z
system:controller:endpointslice-controller  2022-07-26T18:52:01Z
system:controller:endpointslicemirroring-controller  2022-07-26T18:52:01Z
system:controller:ephemeral-volume-controller  2022-07-26T18:52:01Z
system:controller:expand-controller  2022-07-26T18:52:01Z
system:controller:generic-garbage-collector  2022-07-26T18:52:01Z
system:controller:horizontal-pod-autoscaler  2022-07-26T18:52:01Z
system:controller:job-controller  2022-07-26T18:52:01Z
system:controller:namespace-controller  2022-07-26T18:52:01Z
system:controller:node-controller  2022-07-26T18:52:01Z
system:controller:persistent-volume-binder  2022-07-26T18:52:01Z
system:controller:pod-garbage-collector  2022-07-26T18:52:01Z
system:controller:pv-protection-controller  2022-07-26T18:52:01Z
system:controller:pvc-protection-controller  2022-07-26T18:52:01Z
system:controller:replicaset-controller  2022-07-26T18:52:01Z
system:controller:replication-controller  2022-07-26T18:52:01Z
system:controller:resourcequota-controller  2022-07-26T18:52:01Z
system:controller:root-ca-cert-publisher  2022-07-26T18:52:01Z
system:controller:route-controller  2022-07-26T18:52:01Z
system:controller:service-account-controller  2022-07-26T18:52:01Z
system:controller:service-controller  2022-07-26T18:52:01Z
system:controller:statefulset-controller  2022-07-26T18:52:01Z
system:controller:ttl-after-finished-controller  2022-07-26T18:52:01Z
system:controller:ttl-controller  2022-07-26T18:52:01Z
system:coredns  2022-07-26T18:52:09Z
system:discovery  2022-07-26T18:52:01Z
system:heapster  2022-07-26T18:52:01Z
system:kube-aggregator  2022-07-26T18:52:01Z
system:kube-controller-manager  2022-07-26T18:52:01Z
system:kube-dns  2022-07-26T18:52:01Z
system:kube-scheduler  2022-07-26T18:52:01Z
system:kubelet-api-admin  2022-07-26T18:52:01Z
system:monitoring  2022-07-26T18:52:01Z
system:node  2022-07-26T18:52:01Z
system:node-bootstrapper  2022-07-26T18:52:01Z
system:node-problem-detector  2022-07-26T18:52:01Z
system:node-proxier  2022-07-26T18:52:01Z
system:persistent-volume-provisioner  2022-07-26T18:52:01Z
system:public-info-viewer  2022-07-26T18:52:01Z
system:service-account-issuer-discovery  2022-07-26T18:52:01Z
system:volume-scheduler  2022-07-26T18:52:01Z
view  2022-07-26T18:52:01Z
vpc-resource-controller-role  2022-07-26T18:52:13Z
A ClusterRole, unlike a Role, is not namespaced: it can grant access to cluster-scoped resources, or to namespaced resources across all namespaces (or in one namespace, when referenced from a RoleBinding). The ones with the system: prefix are the default roles that the API server itself creates and reconciles on startup (they carry the kubernetes.io/bootstrapping=rbac-defaults label and the autoupdate annotation), so hand edits to them are reverted; the eks: prefixed ones are managed by EKS.
system:masters, system:bootstrappers, system:nodes
But the system:masters, system:bootstrappers and system:nodes seen earlier appear in neither list. I wondered whether I was looking in the wrong place, but they are groups, not roles, and a group is not an object in the cluster at all: it is just a string the authenticator attaches to a request, which bindings then match by name. system:masters and system:nodes are well-known group names hard-coded in the Kubernetes source; system:bootstrappers is not in that list but is the conventional group for nodes that are still bootstrapping (requesting their kubelet client certificate).
// k8s.io/apiserver/pkg/authentication/user/user.go
// well-known user and group names
const (
	SystemPrivilegedGroup = "system:masters"
	NodesGroup            = "system:nodes"
	MonitoringGroup       = "system:monitoring"
	AllUnauthenticated    = "system:unauthenticated"
	AllAuthenticated      = "system:authenticated"

	Anonymous     = "system:anonymous"
	APIServerUser = "system:apiserver"

	// core kubernetes process identities
	KubeProxy             = "system:kube-proxy"
	KubeControllerManager = "system:kube-controller-manager"
	KubeScheduler         = "system:kube-scheduler"
)
Role/ClusterRole permissions
Back to Role/ClusterRole. Since I am adding a user who will administer the cluster, the ClusterRoles are enough to look at. Among the pre-created ones, admin and cluster-admin looked like candidates.
Let's look at their permissions.
$ kubectl describe clusterrole admin
Name:         admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  rolebindings.rbac.authorization.k8s.io  []  []  [create delete deletecollection get list patch update watch]
  roles.rbac.authorization.k8s.io  []  []  [create delete deletecollection get list patch update watch]
  configmaps  []  []  [create delete deletecollection patch update get list watch]
  events  []  []  [create delete deletecollection patch update get list watch]
  persistentvolumeclaims  []  []  [create delete deletecollection patch update get list watch]
  pods  []  []  [create delete deletecollection patch update get list watch]
  replicationcontrollers/scale  []  []  [create delete deletecollection patch update get list watch]
  replicationcontrollers  []  []  [create delete deletecollection patch update get list watch]
  services  []  []  [create delete deletecollection patch update get list watch]
  daemonsets.apps  []  []  [create delete deletecollection patch update get list watch]
  deployments.apps/scale  []  []  [create delete deletecollection patch update get list watch]
  deployments.apps  []  []  [create delete deletecollection patch update get list watch]
  replicasets.apps/scale  []  []  [create delete deletecollection patch update get list watch]
  replicasets.apps  []  []  [create delete deletecollection patch update get list watch]
  statefulsets.apps/scale  []  []  [create delete deletecollection patch update get list watch]
  statefulsets.apps  []  []  [create delete deletecollection patch update get list watch]
  horizontalpodautoscalers.autoscaling  []  []  [create delete deletecollection patch update get list watch]
  cronjobs.batch  []  []  [create delete deletecollection patch update get list watch]
  jobs.batch  []  []  [create delete deletecollection patch update get list watch]
  daemonsets.extensions  []  []  [create delete deletecollection patch update get list watch]
  deployments.extensions/scale  []  []  [create delete deletecollection patch update get list watch]
  deployments.extensions  []  []  [create delete deletecollection patch update get list watch]
  ingresses.extensions  []  []  [create delete deletecollection patch update get list watch]
  networkpolicies.extensions  []  []  [create delete deletecollection patch update get list watch]
  replicasets.extensions/scale  []  []  [create delete deletecollection patch update get list watch]
  replicasets.extensions  []  []  [create delete deletecollection patch update get list watch]
  replicationcontrollers.extensions/scale  []  []  [create delete deletecollection patch update get list watch]
  ingresses.networking.k8s.io  []  []  [create delete deletecollection patch update get list watch]
  networkpolicies.networking.k8s.io  []  []  [create delete deletecollection patch update get list watch]
  poddisruptionbudgets.policy  []  []  [create delete deletecollection patch update get list watch]
  deployments.apps/rollback  []  []  [create delete deletecollection patch update]
  deployments.extensions/rollback  []  []  [create delete deletecollection patch update]
  localsubjectaccessreviews.authorization.k8s.io  []  []  [create]
  pods/attach  []  []  [get list watch create delete deletecollection patch update]
  pods/exec  []  []  [get list watch create delete deletecollection patch update]
  pods/portforward  []  []  [get list watch create delete deletecollection patch update]
  pods/proxy  []  []  [get list watch create delete deletecollection patch update]
  secrets  []  []  [get list watch create delete deletecollection patch update]
  services/proxy  []  []  [get list watch create delete deletecollection patch update]
  bindings  []  []  [get list watch]
  endpoints  []  []  [get list watch]
  limitranges  []  []  [get list watch]
  namespaces/status  []  []  [get list watch]
  namespaces  []  []  [get list watch]
  persistentvolumeclaims/status  []  []  [get list watch]
  pods/log  []  []  [get list watch]
  pods/status  []  []  [get list watch]
  replicationcontrollers/status  []  []  [get list watch]
  resourcequotas/status  []  []  [get list watch]
  resourcequotas  []  []  [get list watch]
  services/status  []  []  [get list watch]
  controllerrevisions.apps  []  []  [get list watch]
  daemonsets.apps/status  []  []  [get list watch]
  deployments.apps/status  []  []  [get list watch]
  replicasets.apps/status  []  []  [get list watch]
  statefulsets.apps/status  []  []  [get list watch]
  horizontalpodautoscalers.autoscaling/status  []  []  [get list watch]
  cronjobs.batch/status  []  []  [get list watch]
  jobs.batch/status  []  []  [get list watch]
  endpointslices.discovery.k8s.io  []  []  [get list watch]
  daemonsets.extensions/status  []  []  [get list watch]
  deployments.extensions/status  []  []  [get list watch]
  ingresses.extensions/status  []  []  [get list watch]
  replicasets.extensions/status  []  []  [get list watch]
  ingresses.networking.k8s.io/status  []  []  [get list watch]
  poddisruptionbudgets.policy/status  []  []  [get list watch]
  serviceaccounts  []  []  [impersonate create delete deletecollection patch update get list watch]
The output lists the resources the role can reach, and the Verbs column shows for each whether it is read-only or also allows writes and deletes. Despite its name, admin is meant to be granted per namespace through a RoleBinding: it has no rights on cluster-scoped resources such as nodes, and it can only read namespaces. Within its namespace it is still a powerful role, since it can read and write secrets and use pods/exec.
$ kubectl describe clusterrole cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
PolicyRule:
  Resources  Non-Resource URLs  Resource Names  Verbs
  ---------  -----------------  --------------  -----
  *.*        []                 []              [*]
             [*]                []              [*]
The cluster-admin ClusterRole is all wildcards: every verb on every resource in every API group, plus every non-resource URL. The right thing is to create a role with only the permissions actually needed, but understanding RBAC in depth is not the purpose of this post, so let's move on.
RoleBinding/ClusterRoleBinding
An IAM identity only gets permissions through a RoleBinding or ClusterRoleBinding whose subjects include its mapped username or one of its groups, so these are the objects to examine. Since I want cluster-wide access here, let's look only at ClusterRoleBindings. (RoleBindings can be listed with kubectl get rolebindings -A.)
$ kubectl get clusterrolebindings
NAME  ROLE  AGE
aws-node  ClusterRole/aws-node  10d
cluster-admin  ClusterRole/cluster-admin  10d
eks:addon-manager  ClusterRole/eks:addon-manager  10d
eks:certificate-controller  ClusterRole/system:controller:certificate-controller  10d
eks:certificate-controller-approver  ClusterRole/eks:certificate-controller-approver  10d
eks:certificate-controller-signer  ClusterRole/eks:certificate-controller-signer  10d
eks:cloud-controller-manager  ClusterRole/eks:cloud-controller-manager  10d
eks:cloud-provider-extraction-migration  ClusterRole/eks:cloud-provider-extraction-migration  10d
eks:cluster-event-watcher  ClusterRole/eks:cluster-event-watcher  10d
eks:fargate-manager  ClusterRole/eks:fargate-manager  10d
eks:fargate-scheduler  ClusterRole/eks:fargate-scheduler  10d
eks:k8s-metrics  ClusterRole/eks:k8s-metrics  10d
eks:kube-proxy  ClusterRole/system:node-proxier  10d
eks:kube-proxy-fargate  ClusterRole/system:node-proxier  10d
eks:kube-proxy-windows  ClusterRole/system:node-proxier  10d
eks:node-bootstrapper  ClusterRole/eks:node-bootstrapper  10d
eks:node-manager  ClusterRole/eks:node-manager  10d
eks:nodewatcher  ClusterRole/eks:nodewatcher  10d
eks:pod-identity-mutating-webhook  ClusterRole/eks:pod-identity-mutating-webhook  10d
eks:podsecuritypolicy:authenticated  ClusterRole/eks:podsecuritypolicy:privileged  10d
eks:tagging-controller  ClusterRole/eks:tagging-controller  10d
system:basic-user  ClusterRole/system:basic-user  10d
system:controller:attachdetach-controller  ClusterRole/system:controller:attachdetach-controller  10d
system:controller:certificate-controller  ClusterRole/system:controller:certificate-controller  10d
system:controller:clusterrole-aggregation-controller  ClusterRole/system:controller:clusterrole-aggregation-controller  10d
system:controller:cronjob-controller  ClusterRole/system:controller:cronjob-controller  10d
system:controller:daemon-set-controller  ClusterRole/system:controller:daemon-set-controller  10d
system:controller:deployment-controller  ClusterRole/system:controller:deployment-controller  10d
system:controller:disruption-controller  ClusterRole/system:controller:disruption-controller  10d
system:controller:endpoint-controller  ClusterRole/system:controller:endpoint-controller  10d
system:controller:endpointslice-controller  ClusterRole/system:controller:endpointslice-controller  10d
system:controller:endpointslicemirroring-controller  ClusterRole/system:controller:endpointslicemirroring-controller  10d
system:controller:ephemeral-volume-controller  ClusterRole/system:controller:ephemeral-volume-controller  10d
system:controller:expand-controller  ClusterRole/system:controller:expand-controller  10d
system:controller:generic-garbage-collector  ClusterRole/system:controller:generic-garbage-collector  10d
system:controller:horizontal-pod-autoscaler  ClusterRole/system:controller:horizontal-pod-autoscaler  10d
system:controller:job-controller  ClusterRole/system:controller:job-controller  10d
system:controller:namespace-controller  ClusterRole/system:controller:namespace-controller  10d
system:controller:node-controller  ClusterRole/system:controller:node-controller  10d
system:controller:persistent-volume-binder  ClusterRole/system:controller:persistent-volume-binder  10d
system:controller:pod-garbage-collector  ClusterRole/system:controller:pod-garbage-collector  10d
system:controller:pv-protection-controller  ClusterRole/system:controller:pv-protection-controller  10d
system:controller:pvc-protection-controller  ClusterRole/system:controller:pvc-protection-controller  10d
system:controller:replicaset-controller  ClusterRole/system:controller:replicaset-controller  10d
system:controller:replication-controller  ClusterRole/system:controller:replication-controller  10d
system:controller:resourcequota-controller  ClusterRole/system:controller:resourcequota-controller  10d
system:controller:root-ca-cert-publisher  ClusterRole/system:controller:root-ca-cert-publisher  10d
system:controller:route-controller  ClusterRole/system:controller:route-controller  10d
system:controller:service-account-controller  ClusterRole/system:controller:service-account-controller  10d
system:controller:service-controller  ClusterRole/system:controller:service-controller  10d
system:controller:statefulset-controller  ClusterRole/system:controller:statefulset-controller  10d
system:controller:ttl-after-finished-controller  ClusterRole/system:controller:ttl-after-finished-controller  10d
system:controller:ttl-controller  ClusterRole/system:controller:ttl-controller  10d
system:coredns  ClusterRole/system:coredns  10d
system:discovery  ClusterRole/system:discovery  10d
system:kube-controller-manager  ClusterRole/system:kube-controller-manager  10d
system:kube-dns  ClusterRole/system:kube-dns  10d
system:kube-scheduler  ClusterRole/system:kube-scheduler  10d
system:monitoring  ClusterRole/system:monitoring  10d
system:node  ClusterRole/system:node  10d
system:node-proxier  ClusterRole/system:node-proxier  10d
system:public-info-viewer  ClusterRole/system:public-info-viewer  10d
system:service-account-issuer-discovery  ClusterRole/system:service-account-issuer-discovery  10d
system:volume-scheduler  ClusterRole/system:volume-scheduler  10d
vpc-resource-controller-rolebinding  ClusterRole/vpc-resource-controller-role  10d
Each line shows the ClusterRoleBinding's name and the ClusterRole it binds. Conveniently, there is a cluster-admin binding that points at ClusterRole/cluster-admin.
$ kubectl describe clusterrolebinding cluster-admin
Name:         cluster-admin
Labels:       kubernetes.io/bootstrapping=rbac-defaults
Annotations:  rbac.authorization.kubernetes.io/autoupdate: true
Role:
  Kind:  ClusterRole
  Name:  cluster-admin
Subjects:
  Kind   Name            Namespace
  ----   ----            ---------
  Group  system:masters
Describing it shows the subject is the group system:masters. This is the link I was missing: nothing in the cluster defines system:masters as a role; the default cluster-admin ClusterRoleBinding simply grants ClusterRole/cluster-admin to whoever the authenticator puts in that group. That is also why the cluster creator, whom EKS places in system:masters, is a full administrator. I still want to study RBAC properly, but this is enough to proceed.
Adding an IAM user
With that bit of extra knowledge, let's add the user by editing the aws-auth ConfigMap.
$ kubectl edit configmap aws-auth --namespace kube-system
configmap/aws-auth edited
I edited it in place, adding the mapUsers section shown below, which maps the IAM user to a Kubernetes username and puts it in the system:masters group seen earlier. IAM users go under mapUsers and IAM roles under mapRoles, and matching is by ARN. Two cautions: a bad edit here (invalid YAML, a mistyped ARN) locks out every identity mapped through this ConfigMap, so do it from a session that does not depend on it (the cluster creator's access does not); and system:masters is full cluster-admin, so for anything other than a break-glass administrator it is better to map the identity to a group of your own and bind that group to a narrower ClusterRole.
apiVersion: v1
data:
  mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::1234567890:role/default_node_group-eks-node-group-20220726184621476500000004
      username: system:node:{{EC2PrivateDNSName}}
  mapUsers: |
    - groups:
      - system:masters
      userarn: arn:aws:iam::1234567890:user/outsider
      username: outsider
kind: ConfigMap
metadata:
  creationTimestamp: "2022-07-26T18:55:41Z"
  name: aws-auth
  namespace: kube-system
  resourceVersion: "2569874"
  uid: bc75e1be-4857-4927-89e4-0eb51d6822e
Now, when the local kubeconfig uses the outsider user instead of the identity that created the cluster, kubectl no longer fails with Unauthorized and works as before. (kubectl auth can-i --list is a quick way to see what the new identity can actually do.)
$ kubectl get ns
NAME              STATUS   AGE
default           Active   10d
kube-node-lease   Active   10d
kube-public       Active   10d
kube-system       Active   10d
On a hunch I also tried putting cluster-admin in groups instead. That does not produce Unauthorized, because authentication succeeds once the ARN is mapped, but every request is denied with an error like Error from server (Forbidden): pods is forbidden: User "outsider" cannot list resource "pods" in API group "" in the namespace "default". The reason is that cluster-admin is the name of a ClusterRole and of a ClusterRoleBinding, not of a group: the binding's subject is the group system:masters, so a user whose only group is cluster-admin matches no binding and is left with the defaults every authenticated user gets. In short, Unauthorized means the aws-auth mapping is missing or wrong, while Forbidden means the mapping worked but no binding grants the request.
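To make the chain above concrete, here is an added example (not code from the original post, and not part of aws-iam-authenticator or Kubernetes) that models it end to end: parse the mapUsers/mapRoles text from aws-auth, derive the Kubernetes username and groups an IAM ARN would get, resolve those against ClusterRoleBinding subjects and ClusterRole rules, and audit which ARNs end up in system:masters. The aws-auth text, the bindings and the rules are all constructed to mirror the post's output; the dev user and its cluster-admin group are invented to reproduce the Forbidden case, and the binding and rule tables are a small subset of a real cluster. The YAML parser handles only the flat list-of-mappings subset aws-auth uses; real tooling should use a YAML library.

```python
"""Added example: aws-auth mapping -> username/groups -> ClusterRoleBindings -> rules.
All cluster data below is constructed to mirror the post; it is not a live cluster."""

# Constructed aws-auth data, as it appears under data.mapRoles / data.mapUsers.
# The 'dev' entry reproduces the mistake from the post: a ClusterRole name used as a group.
AWS_AUTH_MAP_ROLES = """\
- groups:
  - system:bootstrappers
  - system:nodes
  rolearn: arn:aws:iam::1234567890:role/default_node_group-eks-node-group-20220726184621476500000004
  username: system:node:{{EC2PrivateDNSName}}
"""
AWS_AUTH_MAP_USERS = """\
- groups:
  - system:masters
  userarn: arn:aws:iam::1234567890:user/outsider
  username: outsider
- groups:
  - cluster-admin
  userarn: arn:aws:iam::1234567890:user/dev
  username: dev
"""

# Constructed subset of the default bindings from the post's output: (subject kind, subject name).
CLUSTER_ROLE_BINDINGS = {
    "cluster-admin":     {"role": "cluster-admin",     "subjects": [("Group", "system:masters")]},
    "system:basic-user": {"role": "system:basic-user", "subjects": [("Group", "system:authenticated")]},
    "system:discovery":  {"role": "system:discovery",  "subjects": [("Group", "system:authenticated")]},
}
CLUSTER_ROLES = {
    "cluster-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
    "system:basic-user": [{"apiGroups": ["authorization.k8s.io"],
                           "resources": ["selfsubjectaccessreviews", "selfsubjectrulesreviews"],
                           "verbs": ["create"]}],
    "system:discovery": [],  # grants non-resource URLs only, which this model omits
}


def parse_aws_auth_mapping(text):
    """Parse the YAML subset aws-auth uses: a list of mappings whose values are
    scalars or flat lists of strings. Minimal on purpose (no PyYAML dependency)."""
    entries, current, list_key, entry_indent = [], None, None, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if line.startswith("- ") and (entry_indent is None or indent == entry_indent):
            entry_indent = indent               # a list item at the top level starts a new entry
            current, list_key = {}, None
            entries.append(current)
            line = line[2:]
        elif line.startswith("- "):
            if current is None or list_key is None:
                raise ValueError("list value outside a list: %r" % raw)
            current[list_key].append(line[2:].strip())   # e.g. "- system:masters"
            continue
        if current is None:
            raise ValueError("expected a list item, got: %r" % raw)
        key, _, value = line.partition(":")    # ARNs contain ':', so split only once
        key, value = key.strip(), value.strip()
        if value:
            current[key] = value
        else:                                   # "groups:" opens a nested list
            current[key] = []
            list_key = key
    return entries


def identity_for(map_users, map_roles, arn):
    """Username and groups aws-auth yields for an IAM ARN, or None when unmapped
    (what kubectl shows as Unauthorized). system:authenticated is appended because
    the API server places every authenticated request in that group."""
    for entry in map_users + map_roles:
        if arn in (entry.get("userarn"), entry.get("rolearn")):
            return entry["username"], list(entry.get("groups", [])) + ["system:authenticated"]
    return None


def bound_cluster_roles(username, groups):
    """ClusterRoles whose binding names the user or one of its groups as a subject."""
    roles = set()
    for binding in CLUSTER_ROLE_BINDINGS.values():
        for kind, name in binding["subjects"]:
            if (kind == "Group" and name in groups) or (kind == "User" and name == username):
                roles.add(binding["role"])
    return roles


def _rule_allows(allowed, value):
    return "*" in allowed or value in allowed


def can_i(roles, verb, resource, api_group=""):
    """RBAC is allow-only: a single matching rule in any bound role permits the request."""
    return any(_rule_allows(rule["apiGroups"], api_group)
               and _rule_allows(rule["resources"], resource)
               and _rule_allows(rule["verbs"], verb)
               for role in roles for rule in CLUSTER_ROLES.get(role, []))


def cluster_admin_grants(map_users, map_roles):
    """IAM ARNs that aws-auth puts in system:masters, i.e. full cluster-admin.
    This list should be short and contain only break-glass identities."""
    return sorted(entry.get("userarn") or entry.get("rolearn")
                  for entry in map_users + map_roles
                  if "system:masters" in entry.get("groups", []))


if __name__ == "__main__":
    users = parse_aws_auth_mapping(AWS_AUTH_MAP_USERS)
    roles = parse_aws_auth_mapping(AWS_AUTH_MAP_ROLES)
    for arn in ("arn:aws:iam::1234567890:user/outsider", "arn:aws:iam::1234567890:user/dev"):
        username, groups = identity_for(users, roles, arn)
        bound = bound_cluster_roles(username, groups)
        print(username, sorted(bound), "list pods ->", can_i(bound, "list", "pods"))
    print("system:masters granted to:", cluster_admin_grants(users, roles))
```

Run as a script it prints that outsider reaches cluster-admin and can list pods, while dev is bound only to the system:authenticated defaults and cannot, which is exactly the Unauthorized-versus-Forbidden split described above. The same cluster_admin_grants check, pointed at the real ConfigMap via kubectl get cm aws-auth -n kube-system -o jsonpath, is a cheap audit to run whenever aws-auth changes.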
I will keep studying RBAC bit by bit; for now I know how to add a user. I would like to manage this mapping with Terraform as well, which needs some more digging.