Unable to list services in AWS EKS
I'm setting up my first Kubernetes EKS cluster by following the Getting Started guide but I can't get past the step that verifies access with kubectl get svc. Instead of the list of services I'm getting:
error: the server doesn't have a resource type "svc"
I've got the aws-iam-authenticator in place, I've got the correct access and secret key for a user that has AWS Admin privileges, I checked everything I could think of yet can't figure out what's causing the error.
amazon-web-services kubernetes containers
edited Mar 1 at 4:12
MLu
9,47722445
asked Mar 1 at 3:44
KeepLearningKeepLearning
303
add a comment |
I'm setting up my first Kubernetes EKS cluster by following the Getting Started guide but I can't get past the step that verifies access with kubectl get svc. Instead of the list of services I'm getting:
error: the server doesn't have a resource type "svc"
I've got the aws-iam-authenticator in place, I've got the correct access and secret key for a user that has AWS Admin privileges, I checked everything I could think of yet can't figure out what's causing the error.
amazon-web-services kubernetes containers
edited Mar 1 at 4:12
MLu
9,47722445
asked Mar 1 at 3:44
KeepLearningKeepLearning
303
By any chance did you create the EKS cluster using cross-account role?
– MLu
Mar 1 at 5:00
Yes I did. Does that make a difference?
– KeepLearning
Mar 1 at 5:01
add a comment |
I'm setting up my first Kubernetes EKS cluster by following the Getting Started guide but I can't get past the step that verifies access with kubectl get svc. Instead of the list of services I'm getting:
error: the server doesn't have a resource type "svc"
I've got the aws-iam-authenticator in place, I've got the correct access and secret key for a user that has AWS Admin privileges, I checked everything I could think of yet can't figure out what's causing the error.
amazon-web-services kubernetes containers
edited Mar 1 at 4:12
MLu
9,47722445
asked Mar 1 at 3:44
KeepLearningKeepLearning
303
I'm setting up my first Kubernetes EKS cluster by following the Getting Started guide but I can't get past the step that verifies access with kubectl get svc. Instead of the list of services I'm getting:
error: the server doesn't have a resource type "svc"
I've got the aws-iam-authenticator in place, I've got the correct access and secret key for a user that has AWS Admin privileges, I checked everything I could think of yet can't figure out what's causing the error.
amazon-web-services kubernetes containers
amazon-web-services kubernetes containers
edited Mar 1 at 4:12
MLu
9,47722445
asked Mar 1 at 3:44
KeepLearningKeepLearning
303
edited Mar 1 at 4:12
MLu
9,47722445
asked Mar 1 at 3:44
KeepLearningKeepLearning
303
edited Mar 1 at 4:12
MLu
9,47722445
edited Mar 1 at 4:12
MLu
9,47722445
edited Mar 1 at 4:12
MLu
9,47722445
9,47722445
asked Mar 1 at 3:44
KeepLearningKeepLearning
303
asked Mar 1 at 3:44
KeepLearningKeepLearning
303
asked Mar 1 at 3:44
KeepLearningKeepLearning
303
303
By any chance did you create the EKS cluster using cross-account role?
– MLu
Mar 1 at 5:00
Yes I did. Does that make a difference?
– KeepLearning
Mar 1 at 5:01
add a comment |
By any chance did you create the EKS cluster using cross-account role?
– MLu
Mar 1 at 5:00
Yes I did. Does that make a difference?
– KeepLearning
Mar 1 at 5:01
By any chance did you create the EKS cluster using cross-account role?
– MLu
Mar 1 at 5:00
By any chance did you create the EKS cluster using cross-account role?
– MLu
Mar 1 at 5:00
Yes I did. Does that make a difference?
– KeepLearning
Mar 1 at 5:01
Yes I did. Does that make a difference?
– KeepLearning
Mar 1 at 5:01
add a comment |
1 Answer
1
active
oldest
votes
Make sure you use kubectl with the the exact same IAM User / Role that you used to create the EKS cluster? Only that IAM User / Role is given system:masters privilege in Kubernetes. If you use a different role you'll see this error, even if that other role has Administrator permissions in its IAM Policy.
For example if you created the EKS cluster while logged in with cross-account IAM Role and now you're trying to use it with a different IAM User it won't work.
You can add more IAM users to EKS later but for start you'll have to use the IAM role that created the cluster. For example if you log into some company-login account and the switch role to company-prod account with role Admin you'll have to update the kubeconfig accordingly:
users:
- name: arn:aws:eks:ap-southeast-2:{company-prod-id}:cluster/{cluster-name}
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
command: aws-iam-authenticator
args:
- token
- -i
- cluster-name
- -r <<< Add this
- arn:aws:iam::{company-prod-id}:role/Admin <<< And this
env:
- name: AWS_PROFILE
value: company-login-profile <<< Must be your login account
Alternatively you can create a cross-account profile for aws-cli as described here: How to “switch role” in aws-cli? In that case you won't need the -r arn:...:role/Admin in kubeconfig as it's already done in ~/.aws/credentials.
Once the role stuff is fixed you should be able to run kubectl get svc.
Once the above works you can Add more IAM Users and IAM Roles to EKS / Kubernetes. I suggest you create a dedicated role like, e.g. EKSAdmin and require your IAM users to assume that in order to manage the cluster.
Hope that helps :)
answered Mar 1 at 5:17
MLuMLu
9,47722445
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "2"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f956265%2funable-to-list-services-in-aws-eks%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Make sure you use kubectl with the the exact same IAM User / Role that you used to create the EKS cluster? Only that IAM User / Role is given system:masters privilege in Kubernetes. If you use a different role you'll see this error, even if that other role has Administrator permissions in its IAM Policy.
For example if you created the EKS cluster while logged in with cross-account IAM Role and now you're trying to use it with a different IAM User it won't work.
You can add more IAM users to EKS later but for start you'll have to use the IAM role that created the cluster. For example if you log into some company-login account and the switch role to company-prod account with role Admin you'll have to update the kubeconfig accordingly:
users:
- name: arn:aws:eks:ap-southeast-2:{company-prod-id}:cluster/{cluster-name}
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
command: aws-iam-authenticator
args:
- token
- -i
- cluster-name
- -r <<< Add this
- arn:aws:iam::{company-prod-id}:role/Admin <<< And this
env:
- name: AWS_PROFILE
value: company-login-profile <<< Must be your login account
Alternatively you can create a cross-account profile for aws-cli as described here: How to “switch role” in aws-cli? In that case you won't need the -r arn:...:role/Admin in kubeconfig as it's already done in ~/.aws/credentials.
Once the role stuff is fixed you should be able to run kubectl get svc.
Once the above works you can Add more IAM Users and IAM Roles to EKS / Kubernetes. I suggest you create a dedicated role like, e.g. EKSAdmin and require your IAM users to assume that in order to manage the cluster.
Hope that helps :)
answered Mar 1 at 5:17
MLuMLu
9,47722445
add a comment |
Make sure you use kubectl with the the exact same IAM User / Role that you used to create the EKS cluster? Only that IAM User / Role is given system:masters privilege in Kubernetes. If you use a different role you'll see this error, even if that other role has Administrator permissions in its IAM Policy.
For example if you created the EKS cluster while logged in with cross-account IAM Role and now you're trying to use it with a different IAM User it won't work.
You can add more IAM users to EKS later but for start you'll have to use the IAM role that created the cluster. For example if you log into some company-login account and the switch role to company-prod account with role Admin you'll have to update the kubeconfig accordingly:
users:
- name: arn:aws:eks:ap-southeast-2:{company-prod-id}:cluster/{cluster-name}
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
command: aws-iam-authenticator
args:
- token
- -i
- cluster-name
- -r <<< Add this
- arn:aws:iam::{company-prod-id}:role/Admin <<< And this
env:
- name: AWS_PROFILE
value: company-login-profile <<< Must be your login account
Alternatively you can create a cross-account profile for aws-cli as described here: How to “switch role” in aws-cli? In that case you won't need the -r arn:...:role/Admin in kubeconfig as it's already done in ~/.aws/credentials.
Once the role stuff is fixed you should be able to run kubectl get svc.
Once the above works you can Add more IAM Users and IAM Roles to EKS / Kubernetes. I suggest you create a dedicated role like, e.g. EKSAdmin and require your IAM users to assume that in order to manage the cluster.
Hope that helps :)
answered Mar 1 at 5:17
MLuMLu
9,47722445
add a comment |
Make sure you use kubectl with the the exact same IAM User / Role that you used to create the EKS cluster? Only that IAM User / Role is given system:masters privilege in Kubernetes. If you use a different role you'll see this error, even if that other role has Administrator permissions in its IAM Policy.
For example if you created the EKS cluster while logged in with cross-account IAM Role and now you're trying to use it with a different IAM User it won't work.
You can add more IAM users to EKS later but for start you'll have to use the IAM role that created the cluster. For example if you log into some company-login account and the switch role to company-prod account with role Admin you'll have to update the kubeconfig accordingly:
users:
- name: arn:aws:eks:ap-southeast-2:{company-prod-id}:cluster/{cluster-name}
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
command: aws-iam-authenticator
args:
- token
- -i
- cluster-name
- -r <<< Add this
- arn:aws:iam::{company-prod-id}:role/Admin <<< And this
env:
- name: AWS_PROFILE
value: company-login-profile <<< Must be your login account
Alternatively you can create a cross-account profile for aws-cli as described here: How to “switch role” in aws-cli? In that case you won't need the -r arn:...:role/Admin in kubeconfig as it's already done in ~/.aws/credentials.
Once the role stuff is fixed you should be able to run kubectl get svc.
Once the above works you can Add more IAM Users and IAM Roles to EKS / Kubernetes. I suggest you create a dedicated role like, e.g. EKSAdmin and require your IAM users to assume that in order to manage the cluster.
Hope that helps :)
answered Mar 1 at 5:17
MLuMLu
9,47722445
Make sure you use kubectl with the the exact same IAM User / Role that you used to create the EKS cluster? Only that IAM User / Role is given system:masters privilege in Kubernetes. If you use a different role you'll see this error, even if that other role has Administrator permissions in its IAM Policy.
For example if you created the EKS cluster while logged in with cross-account IAM Role and now you're trying to use it with a different IAM User it won't work.
You can add more IAM users to EKS later but for start you'll have to use the IAM role that created the cluster. For example if you log into some company-login account and the switch role to company-prod account with role Admin you'll have to update the kubeconfig accordingly:
users:
- name: arn:aws:eks:ap-southeast-2:{company-prod-id}:cluster/{cluster-name}
user:
exec:
apiVersion: client.authentication.k8s.io/v1alpha1
command: aws-iam-authenticator
args:
- token
- -i
- cluster-name
- -r <<< Add this
- arn:aws:iam::{company-prod-id}:role/Admin <<< And this
env:
- name: AWS_PROFILE
value: company-login-profile <<< Must be your login account
Alternatively you can create a cross-account profile for aws-cli as described here: How to “switch role” in aws-cli? In that case you won't need the -r arn:...:role/Admin in kubeconfig as it's already done in ~/.aws/credentials.
Once the role stuff is fixed you should be able to run kubectl get svc.
Once the above works you can Add more IAM Users and IAM Roles to EKS / Kubernetes. I suggest you create a dedicated role like, e.g. EKSAdmin and require your IAM users to assume that in order to manage the cluster.
Hope that helps :)
answered Mar 1 at 5:17
MLuMLu
9,47722445
answered Mar 1 at 5:17
MLuMLu
9,47722445
answered Mar 1 at 5:17
MLuMLu
9,47722445
answered Mar 1 at 5:17
MLuMLu
9,47722445
9,47722445
add a comment |
add a comment |
Thanks for contributing an answer to Server Fault!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f956265%2funable-to-list-services-in-aws-eks%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
By any chance did you create the EKS cluster using cross-account role?
– MLu
Mar 1 at 5:00
Yes I did. Does that make a difference?
– KeepLearning
Mar 1 at 5:01