
EKS cluster access - aws-auth : add groups in mapRoles


I am trying to access an EKS cluster on AWS with my AWS account (the same one I use for the console).

Steps I followed:

`aws configure` with the info provided in "Command line or programmatic access" (AWS Access Key Id / AWS Secret Access Key), plus the AWS session token added to the credentials file.

aws eks update-kubeconfig --name XXXXXXX --region eu-west-1

In the aws-auth ConfigMap I added system:masters to the groups of my role. Is it OK to add it here?

mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::XXXXXXXX:role/XXXXXXXX-group-role
      username: system:node:{{EC2PrivateDNSName}}
    - groups:
      - eks-console-dashboard-full-access-group
      - system:masters    # <-- is it OK to add this group here?
      rolearn: arn:aws:iam::MYACCOUNT:role/AWSReservedSSO_AdministratorAccess_XXXXXXXX
      username: AWSReservedSSO_AdministratorAccess_XXXXXXXX

Then I run `kubectl get svc` and I get:

E0207 16:37:31.292453   45292 memcache.go:238] couldn't get current server API group list: Get "https://XXXXXXXXXXXXXX.sk1.eu-west-1.eks.amazonaws.com/api?timeout=32s": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

What does that error mean? Is it a rights problem? A networking problem? (The security groups allow my IP.) Thanks for your help.

Timeout is always a security group issue, or perhaps your apiserver endpoint is in a Private VPC (the hostname will always look the same, but whether it resolves to a Public IP address is the difference). As for your `system:masters` question, yes, it should be fine although there's no reason to be in both groups since `system:masters` is, AFAIK, as high as it gets in k8s RBAC authorities
Thanks for your reply. My IP is allowed on All traffic in the SGs of my ALB, my bastion on AWS, and the EKS cluster, and I still get this error: `E0208 13:16:08.468631 796 memcache.go:238] couldn't get current server API group list: Get "https://XXXXXXXXXXXXXXXXXXXXXX.sk1.eu-west-1.eks.amazonaws.com/api?timeout=32s": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) Unable to connect to the server: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)`. Is there no SG left?
I found what was missing: I also had to add my public IP address in EKS/Clusters > Manage networking > cluster endpoint in « Public and private » > advanced settings > "Add/edit sources to public access endpoint", where we can add a CIDR block. Now it is OK.
I'm glad it was something simple, please [add and accept your own answer](https://serverfault.com/help/self-answer) so others will benefit
I found what was missing: I added my public IP address in EKS/Clusters > Manage networking > cluster endpoint in « Public and private » > advanced settings > "Add/edit sources to public access endpoint", where we can add a CIDR block. Now it is OK.
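The two checks this thread ends up doing by hand, whether the caller's public IP falls inside the cluster endpoint's public access CIDRs and which roles aws-auth binds to system:masters, as an added Python example that is not part of the question or the answer. The `describe-cluster` output and the mapRoles entries below are constructed placeholders, not real cluster data.

```python
import ipaddress
import json

# Constructed stand-in for `aws eks describe-cluster --name <cluster> --output json`;
# only resourcesVpcConfig matters here and every value is made up.
DESCRIBE_CLUSTER = json.dumps({
    "cluster": {
        "name": "example-cluster",
        "resourcesVpcConfig": {
            "endpointPublicAccess": True,
            "endpointPrivateAccess": True,
            "publicAccessCidrs": ["203.0.113.0/24"],
        },
    }
})

# Constructed mapRoles entries as they would look once parsed from the aws-auth
# ConfigMap (account id and role names are placeholders).
MAP_ROLES = [
    {"groups": ["system:bootstrappers", "system:nodes"],
     "rolearn": "arn:aws:iam::111122223333:role/example-node-group-role",
     "username": "system:node:{{EC2PrivateDNSName}}"},
    {"groups": ["eks-console-dashboard-full-access-group", "system:masters"],
     "rolearn": "arn:aws:iam::111122223333:role/AWSReservedSSO_AdministratorAccess_EXAMPLE",
     "username": "AWSReservedSSO_AdministratorAccess_EXAMPLE"},
]

def endpoint_reachable_from(describe_json: str, client_ip: str) -> tuple[bool, str]:
    """Say whether TCP/TLS from client_ip can reach the public API endpoint at all."""
    cfg = json.loads(describe_json)["cluster"]["resourcesVpcConfig"]
    ip = ipaddress.ip_address(client_ip)
    if not cfg.get("endpointPublicAccess", False):
        return False, "public endpoint disabled: reach it from inside the VPC (bastion/VPN)"
    cidrs = cfg.get("publicAccessCidrs", [])
    if any(ip in ipaddress.ip_network(c) for c in cidrs):
        return True, f"{client_ip} is within publicAccessCidrs {cidrs}"
    # Sources outside the allow-list are dropped before TLS, so kubectl reports a
    # timeout rather than a 401/403; RBAC and aws-auth never come into play.
    return False, f"{client_ip} is not in publicAccessCidrs {cidrs}: expect a timeout"

def cluster_admin_roles(map_roles: list[dict]) -> list[str]:
    """Return every rolearn bound to system:masters (unrestricted cluster admin)."""
    return [m["rolearn"] for m in map_roles if "system:masters" in m.get("groups", [])]

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.9"):
        print(ip, endpoint_reachable_from(DESCRIBE_CLUSTER, ip))
    print("system:masters granted to:", cluster_admin_roles(MAP_ROLES))
```

Against a real cluster, feed `endpoint_reachable_from` the actual `aws eks describe-cluster` JSON and your current public IP; a `False` result explains the timeout before any aws-auth or RBAC question arises.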