14

I have created an EKS cluster using the eksctl command line and verified that the application is working fine.

But I am noticing a strange issue: when I try to access the nodes in the cluster in the web browser, I see the following error:

Error loading Namespaces
Unauthorized: Verify you have access to the Kubernetes cluster


I am able to see the nodes using kubectl get nodes

I am logged in as the admin user. Any help on how to work around this would be really great. Thanks.

opensource-developer

4 Answers

7

You will need to add your IAM role/user to your cluster's aws-auth config map.

Basic steps to follow, taken from https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html

kubectl edit -n kube-system configmap/aws-auth
# Please edit the object below. Lines beginning with a '#' will be ignored,
# and an empty file will abort the edit. If an error occurs while saving this file will be
# reopened with the relevant failures.
#
apiVersion: v1
data:
  mapRoles: |
    - rolearn: <arn:aws:iam::111122223333:role/eksctl-my-cluster-nodegroup-standard-wo-NodeInstanceRole-1WP3NUE3O6UCF>
      username: <system:node:{{EC2PrivateDNSName}}>
      groups:
        - <system:bootstrappers>
        - <system:nodes>
  mapUsers: |
    - userarn: <arn:aws:iam::111122223333:user/admin>
      username: <admin>
      groups:
        - <system:masters>
    - userarn: <arn:aws:iam::111122223333:user/ops-user>
      username: <ops-user>
      groups:
        - <system:masters>

  • Is it a verified solution or not? I'm using SSO, I tried this solution, maybe I made a mistake somewhere, but I still get the same error. – user1190411 Dec 04 '20 at 09:49
  • 1
    I have verified this, and also got the same reply from AWS Support. This solution should work. – opensource-developer Dec 04 '20 at 16:05
  • I have the same problem here. Funny that it's happening at the same time for many users as suggested in an answer below. Do you know if AWS changed something recently on that? Thank you anyways, I'll try this solution – Hammerbot Dec 04 '20 at 17:13
1

Amazon recently (2020.12) added a new feature that allows you to browse workloads inside the cluster from the AWS Console.

If you are missing permissions you will get that error. The permissions that are needed are described here: https://docs.aws.amazon.com/eks/latest/userguide/security_iam_id-based-policy-examples.html#policy_example3

Piotr
1

Also seeing this error and it got introduced by the latest addition to EKS, see https://aws.amazon.com/blogs/containers/introducing-the-new-amazon-eks-console/

Since then, the console makes requests to EKS on behalf of the user or role you are logged in as.

So make sure the kube-system:aws-auth configmap has that user or role added.

This user/role might not be the same one you are using locally with the AWS CLI, hence kubectl might work while you still see that error!

pHiL
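An added example, not part of any answer above: a shell check of whether a given IAM identity appears in aws-auth, including the case where an SSO role was entered with its IAM path, since EKS documents that a rolearn in aws-auth must not include the path. The function names, the SSO role name and the session name are constructed for illustration; the account ID and the admin user come from the sample on this page.

```shell
#!/bin/sh
# Added example: check whether an IAM identity is mapped in aws-auth.
# Live inputs (need AWS and cluster access), shown for reference only:
#   caller=$(aws sts get-caller-identity --query Arn --output text)
#   yaml=$(kubectl -n kube-system get configmap aws-auth -o yaml)

# Reduce an STS assumed-role ARN to the IAM role ARN that aws-auth entries use.
canonical_arn() {
  case "$1" in
    arn:aws:sts::*:assumed-role/*)
      acct=${1#arn:aws:sts::}; acct=${acct%%:*}
      role=${1#*:assumed-role/}; role=${role%%/*}
      printf 'arn:aws:iam::%s:role/%s\n' "$acct" "$role" ;;
    *) printf '%s\n' "$1" ;;
  esac
}

# Print every rolearn/userarn value in the aws-auth YAML read from stdin,
# dropping quotes and the <...> placeholder brackets used on this page.
mapped_arns() {
  sed -n -e 's/^[ -]*rolearn:[ ]*//p' -e 's/^[ -]*userarn:[ ]*//p' | tr -d "<>\"' "
}

# Usage: check_mapping CALLER_ARN AWS_AUTH_YAML
# Prints mapped, path-mismatch (role listed with its IAM path) or unmapped.
check_mapping() {
  want=$(canonical_arn "$1")
  arns=$(printf '%s\n' "$2" | mapped_arns)
  if printf '%s\n' "$arns" | grep -Fxq -- "$want"; then echo mapped; return 0; fi
  case "$want" in
    arn:aws:iam::*:role/*)
      for a in $arns; do
        case "$a" in
          "${want%%:role/*}":role/*/"${want##*/}") echo path-mismatch; return 1 ;;
        esac
      done ;;
  esac
  echo unmapped; return 1
}

# Constructed sample: an SSO role entered with its path, plus the page's admin user.
SAMPLE_AWS_AUTH='  mapRoles: |
    - rolearn: arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_0123456789abcdef
      username: sso-admin
  mapUsers: |
    - userarn: <arn:aws:iam::111122223333:user/admin>
      username: <admin>'
SAMPLE_CALLER='arn:aws:sts::111122223333:assumed-role/AWSReservedSSO_Admin_0123456789abcdef/alice'

check_mapping "$SAMPLE_CALLER" "$SAMPLE_AWS_AUTH" || true
```

Run the live commands with the same identity that is signed in to the console; a `path-mismatch` result means the entry exists but will not match until the path segment is removed from the rolearn.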
0

This might as well be because you created the AWS EKS cluster using a different IAM user than the one currently logged into the AWS Management Console, hence the IAM user currently logged into the AWS Management Console does not have permissions to view the namespaces on the AWS EKS cluster.

Try logging in to the AWS Management Console using the IAM user credentials of the user who created the AWS EKS cluster; the issue should be fixed.

Dharman
far_see