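AWS: configuring a kubeconfig that a tool can connect with

唯米天空 2023-09-08 Views: 60

Problem:

The kubeconfig for EKS generates its user dynamically and binds it to IAM, so a tool cannot connect with it directly.

Solution:

Create from the terminal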

# Create a namespace

kubectl create ns vela-system

# Create a service account (sa)

kubectl create sa kubevela-vela-core -n vela-system

# Bind the sa (kubevela-vela-core) to cluster-admin, the cluster role with administrator privileges

kubectl create clusterrolebinding default-sa-vela --clusterrole=cluster-admin --serviceaccount=vela-system:kubevela-vela-core

# Create a token for this sa (kubevela-vela-core), which now has administrator privileges

kubectl create token kubevela-vela-core -n vela-system

# kubeconfig for the tool, using the token created above
apiVersion: v1
kind: Config
clusters:
- cluster:
    # certificate-authority-data takes the cluster's base64-encoded CA certificate
    certificate-authority-data: BASE64_ENCODED_CA_CERTIFICATE
    server: https://YOUR_KUBERNETES_API_SERVER
  name: my-cluster
contexts:
- context:
    cluster: my-cluster
    user: my-user
  name: my-context
current-context: my-context
users:
- name: my-user
  user:
    # paste the output of the token-creation command above here
    token: YOUR_SERVICE_ACCOUNT_TOKEN


Create with YAML

# Create the namespace
apiVersion: v1
kind: Namespace
metadata:
  name: vela-system

---
# Create the sa
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kubevela-vela-core
  namespace: vela-system

---
# Bind the administrator cluster role to the sa
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: default-sa-vela
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: kubevela-vela-core
  namespace: vela-system

---
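# Create a Secret for the sa (it holds the sa's token)
apiVersion: v1
kind: Secret
metadata:
  name: kubevela-vela-core-token
  namespace: vela-system
  # a service-account-token Secret names its sa in an annotation, not a label
  annotations:
    kubernetes.io/service-account.name: kubevela-vela-core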
type: kubernetes.io/service-account-token
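
The YAML route leaves the token inside the Secret instead of printing it, so it still has to be copied into the kubeconfig shown earlier. The following is an added example, not code from the original post: it takes the JSON printed by `kubectl get secret kubevela-vela-core-token -n vela-system -o json`, checks that the token's `sub` claim names the expected service account, and fills in the kubeconfig template. The function names and the sample Secret are constructed for illustration.

```python
import base64
import json
KUBECONFIG = """apiVersion: v1
kind: Config
clusters:
- cluster:
    certificate-authority-data: {ca}
    server: {server}
  name: my-cluster
contexts:
- context:
    cluster: my-cluster
    user: my-user
  name: my-context
current-context: my-context
users:
- name: my-user
  user:
    token: {token}
"""

def jwt_claims(token):
    """Decode the JWT payload (no signature check) to see whose identity it carries."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def kubeconfig_from_secret(secret, server, namespace, sa_name):
    """Fill the template from `kubectl get secret ... -o json`; ca.crt stays base64."""
    if secret.get("type") != "kubernetes.io/service-account-token":
        raise ValueError("not a service-account-token Secret")
    data = secret.get("data") or {}
    if "token" not in data or "ca.crt" not in data:
        raise ValueError("Secret has no token/ca.crt; it was not populated")
    token = base64.b64decode(data["token"]).decode()  # .data values are base64
    if jwt_claims(token).get("sub") != f"system:serviceaccount:{namespace}:{sa_name}":
        raise ValueError("token belongs to a different service account")
    return KUBECONFIG.format(ca=data["ca.crt"], server=server, token=token)

def _seg(obj):  # sample helper: one unpadded base64url JWT segment
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
# Constructed sample Secret; the JWT and CA are fake values made up for this example.
SAMPLE_JWT = ".".join([_seg({"alg": "RS256"}),
    _seg({"sub": "system:serviceaccount:vela-system:kubevela-vela-core"}), "c2ln"])
SAMPLE_SECRET = {"type": "kubernetes.io/service-account-token", "data": {
    "token": base64.b64encode(SAMPLE_JWT.encode()).decode(),
    "ca.crt": base64.b64encode(b"CONSTRUCTED-CA-PEM").decode()}}
```

The token in the resulting file carries the cluster-admin binding created above, so the file needs the same handling as any other administrator credential.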



