
I try to access an EKS cluster on AWS with my AWS account (the same one I use for the console).

Steps I followed:

`aws configure` with the info provided in "Command line or programmatic access" (AWS Access Key ID / AWS Secret Access Key) + add the AWS session token in the credentials file.

`aws eks update-kubeconfig --name XXXXXXX --region eu-west-1`

In the aws-auth ConfigMap I added `system:masters` to the groups of my role. Is it OK to add it here?

```yaml
mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::XXXXXXXX:role/XXXXXXXX-group-role
      username: system:node:{{EC2PrivateDNSName}}
    - groups:
      - eks-console-dashboard-full-access-group
      - system:masters    # <<--- is it OK to add this group here??
      rolearn: arn:aws:iam::MYACCOUNT:role/AWSReservedSSO_AdministratorAccess_XXXXXXXX
      username: AWSReservedSSO_AdministratorAccess_XXXXXXXX
```

Then I try `kubectl get svc` and I get:

E0207 16:37:31.292453   45292 memcache.go:238] couldn't get current server API group list: Get "https://XXXXXXXXXXXXXX.sk1.eu-west-1.eks.amazonaws.com/api?timeout=32s": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

What does that error mean? Is it a rights problem? A networking problem? (The security groups allow my IP.) Thanks for your help.

awot83
  • Timeout is always a security group issue, or perhaps your apiserver endpoint is in a Private VPC (the hostname will always look the same, but whether it resolves to a Public IP address is the difference). As for your `system:masters` question, yes, it should be fine although there's no reason to be in both groups since `system:masters` is, AFAIK, as high as it gets in k8s RBAC authorities – mdaniel Feb 08 '23 at 05:04
  • Thanks for your reply, my IP is allowed in All traffic, in the SG of: my ALB, my bastion on AWS, and the EKS cluster, and I still get this error: E0208 13:16:08.468631 796 memcache.go:238] couldn't get current server API group list: Get "https://XXXXXXXXXXXXXXXXXXXXXX.sk1.eu-west-1.eks.amazonaws.com/api?timeout=32s": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) Unable to connect to the server: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) Is there no SG left? – awot83 Feb 08 '23 at 13:16
  • I found what was missing: I also had to add my public IP address in EKS/Clusters > Manage networking > cluster endpoint in « Public and private » > advanced setting > "Add/edit sources to public access endpoint"; we can add a CIDR block and now it's OK – awot83 Feb 08 '23 at 16:20
  • I'm glad it was something simple, please [add and accept your own answer](https://serverfault.com/help/self-answer) so others will benefit – mdaniel Feb 08 '23 at 16:21

1 Answer


I found what was missing: I added my public IP address in EKS/Clusters > Manage networking > cluster endpoint in « Public and private » > advanced setting > "Add/edit sources to public access endpoint"; we can add a CIDR block, and now it is OK.

awot83
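The two things this thread turns on, the cluster endpoint's public-access CIDR list and the `system:masters` mapping in aws-auth, can both be checked from data you already have in hand. The script below is an added example, not code from the original post or from AWS; it works on the dict that `boto3.client("eks").describe_cluster(name=...)` returns (same shape as `aws eks describe-cluster` JSON) and on the parsed `mapRoles` list of the aws-auth ConfigMap. Both inputs here are constructed samples with documentation-range IPs and a placeholder account ID, so it runs offline.

```python
"""Two checks for the EKS access problem discussed in this question.

Added example, not part of the original post. It inspects (1) the cluster
endpoint settings that produce the "Client.Timeout exceeded while awaiting
headers" error for a kubectl client outside the VPC, and (2) which roles the
aws-auth ConfigMap places in system:masters (i.e. cluster-admin).
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample in the shape of `aws eks describe-cluster` output.
SAMPLE_DESCRIBE_CLUSTER: Dict = {
    "cluster": {
        "name": "example-cluster",
        "endpoint": "https://EXAMPLE.sk1.eu-west-1.eks.amazonaws.com",
        "resourcesVpcConfig": {
            "endpointPublicAccess": True,
            "endpointPrivateAccess": True,
            # Only this range may reach the public endpoint (constructed value).
            "publicAccessCidrs": ["203.0.113.0/24"],
        },
    }
}

# Constructed sample of the aws-auth ConfigMap's mapRoles list, already parsed
# from YAML (e.g. yaml.safe_load(cm["data"]["mapRoles"])). Account ID is a placeholder.
SAMPLE_MAP_ROLES: List[Dict] = [
    {
        "groups": ["system:bootstrappers", "system:nodes"],
        "rolearn": "arn:aws:iam::111122223333:role/example-node-group-role",
        "username": "system:node:{{EC2PrivateDNSName}}",
    },
    {
        "groups": ["eks-console-dashboard-full-access-group", "system:masters"],
        "rolearn": "arn:aws:iam::111122223333:role/AWSReservedSSO_AdministratorAccess_EXAMPLE",
        "username": "AWSReservedSSO_AdministratorAccess_EXAMPLE",
    },
]


def ip_in_cidrs(ip: str, cidrs: List[str]) -> bool:
    """True if `ip` lies inside any of the CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def diagnose_endpoint(describe_cluster: Dict, client_public_ip: str) -> Tuple[str, str]:
    """Classify why a kubectl client *outside the VPC* may time out.

    Returns (code, explanation); code is 'private_only', 'cidr_blocked' or 'network_ok'.
    """
    vpc = describe_cluster["cluster"]["resourcesVpcConfig"]
    public = vpc.get("endpointPublicAccess", False)
    cidrs = vpc.get("publicAccessCidrs", [])

    if not public:
        return ("private_only",
                "endpointPublicAccess is false: the endpoint hostname resolves to "
                "VPC-internal addresses, so a client outside the VPC hangs until timeout")
    if not ip_in_cidrs(client_public_ip, cidrs):
        return ("cidr_blocked",
                f"{client_public_ip} is not in publicAccessCidrs {cidrs}: add it under "
                "'Add/edit sources to public access endpoint' (or with aws eks "
                "update-cluster-config --resources-vpc-config publicAccessCidrs=...)")
    return ("network_ok",
            "endpoint settings admit this client; if it still fails, look at security "
            "groups, then at aws-auth / RBAC (an auth failure returns 401/403 quickly "
            "rather than timing out)")


def cluster_admin_mappings(map_roles: List[Dict]) -> List[str]:
    """Return the role ARNs that aws-auth places in system:masters.

    system:masters is bound to cluster-admin by default and RBAC cannot narrow it,
    so every ARN returned here should be a deliberate admin/break-glass role.
    """
    return [m["rolearn"] for m in map_roles if "system:masters" in m.get("groups", [])]


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9"):
        print(ip, *diagnose_endpoint(SAMPLE_DESCRIBE_CLUSTER, ip))
    print("cluster-admin via system:masters:", cluster_admin_mappings(SAMPLE_MAP_ROLES))
```

Against real clusters, replace the samples with `boto3.client("eks").describe_cluster(name=NAME)` and `yaml.safe_load(...)` of the `mapRoles` key from `kubectl get configmap aws-auth -n kube-system -o yaml`; the timeout in the question corresponds to the `cidr_blocked` verdict, and a wrong aws-auth mapping would instead show up as a fast 401/403.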