Getting “Unable to recognize \”hello-k8s.yml\“: Un

I am new to Kubernetes and trying to create a AWS CodePipeline to deploy service to EKS stack.

I am following this tutorial I have followed all the steps including creating a role and adding permissions, so that CodeBuild will be able to talk with EKS.

The issue I am facing right now is when CodePipeline runs, it is failing for below command in the CodeBuild phase.

kubectl apply -f hello-k8s.yml

and giving this error

[Container] 2019/12/04 07:41:43 Running command kubectl apply -f hello-k8s.yml 
unable to recognize "hello-k8s.yml": Unauthorized 
unable to recognize "hello-k8s.yml": Unauthorized

I am not very much sure whether its a credentials issue, because I have used all the steps to add user/role as per tutorial.

Can anyone please help me on this?

标签： amazon-web-services kubernetes kubectl aws-codepipeline aws-codebuild

1条回答

来，给爷笑一个

2楼-- · 2020-05-06 13:00

Deploying Yaml manifests to Kubernetes from CodeBuild requires these steps:

The high-level process includes the following steps:

Create an IAM Service role for CodeBuild
Map the CodeBuild Service role in EKS using “aws-auth” ConfigMap
Create source files in Code repository
Create and Start a CodeBuild Project
Confirm the required objects are created in EKS cluster

Create an IAM Service role for CodeBuild (Don't use existing service role as it includes a '/path/')

Run the following commands to Create a CodeBuild Service Role and attach the required policies:

TRUST = "{   \"Version\": \"2012-10-17\",   \"Statement\": [     {       \"Effect\": \"Allow\",       \"Principal\": {         \"Service\": \"codebuild.amazonaws.com\"       },       \"Action\": \"sts:AssumeRole\"     }   ] }"

$ echo '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "eks:Describe*", "Resource": "*" } ] }' > /tmp/iam-role-policy

$ aws iam create-role --role-name CodeBuildKubectlRole --assume-role-policy-document "$TRUST" --output text --query 'Role.Arn'

$ aws iam put-role-policy --role-name CodeBuildKubectlRole --policy-name eks-describe --policy-document file:///tmp/iam-role-policy

$ aws iam attach-role-policy --role-name CodeBuildKubectlRole --policy-arn arn:aws:iam::aws:policy/CloudWatchLogsFullAccess

$ aws iam attach-role-policy --role-name CodeBuildKubectlRole --policy-arn arn:aws:iam::aws:policy/AWSCodeBuildAdminAccess

Map the CodeBuild Service role in EKS using “aws-auth” ConfigMap

Edit the ‘aws-auth’ ConfigMap and add the Role Mapping for the CodeBuild service role:

$ vi aws-auth.yaml



apiVersion: v1

kind: ConfigMap

metadata:

  name: aws-auth

  namespace: kube-system

data:

  mapRoles: |

    - rolearn:  arn:aws:iam::AccountId:role/devel-worker-nodes-NodeInstanceRole-14W1I3VCZQHU7

      username: system:node:{{EC2PrivateDNSName}}

      groups:

        - system:bootstrappers

        - system:nodes

    - rolearn: arn:aws:iam::AccountId:role/CodeBuildKubectlRole

      username: build

      groups:

        - system:masters


$ kubectl apply -f aws-auth.yaml

Create source files in Code repository

Create a repository in Github/CodeCommit with sample files as follows:

.
├── buildspec.yml
└── deployment
   └── pod.yaml

A sample repository is located here: https://github.com/shariqmus/codebuild-to-eks

Notes:

The buildspec.yml file installs kubectl, aws-iam-authenticator and configure kubectl in CodeBuild environment
Update the buildspec.yml file with the correct region and cluster_name on Line 16
Add the deployment YAML files in the “deployment” directory

Create and Start a Build Project

Open the CodeBuild console
Click ‘Create Build Project’ button
Name the Project
Use a CodeCommit repository where you have added the attached files : “buildspec.yml” and “pod.yaml”
Use Managed Image > Ubuntu > Standard 1.0
In the Role Name, select “CodeBuildKubectlRole”
Click ‘Create Build Project’ button
Create ‘Start Build’ button to start a Build

Confirm the required objects are created in EKS cluster

You can confirm this with a simple command, e.g.

$ kubectl get all --all-namespaces

0人赞添加讨论(0) 举报