amazon-web-services - 如何在 AWS 中使用 eksctl 创建集群时解决错误

Question

我正在尝试在 AWS us-east-1 区域中为我的根账户的用户账户创建一个集群。但是在尝试创建相同的集群时，我遇到了以下问题

  [ℹ]  eksctl version 0.22.0
  [ℹ]  using region us-east-1
  [ℹ]  subnets for us-east-1a - public:192.168.0.0/19 private:192.168.64.0/19
  [ℹ]  subnets for us-east-1b - public:192.168.32.0/19 private:192.168.96.0/19
  [ℹ]  using Kubernetes version 1.16
  [ℹ]  creating EKS cluster "in28minutes-cluster" in "us-east-1" region with managed nodes
  [ℹ]  will create 2 separate CloudFormation stacks for cluster itself and the initial managed nodegroup
  [ℹ]  if you encounter any issues, check CloudFormation console or try 'eksctl utils describe-stacks --region=us-east-1 --cluster=in28minutes-cluster'
  [ℹ]  CloudWatch logging will not be enabled for cluster "in28minutes-cluster" in "us-east-1"
  [ℹ]  you can enable it with 'eksctl utils update-cluster-logging --region=us-east-1 --cluster=in28minutes-cluster'
  [ℹ]  Kubernetes API endpoint access will use default of {publicAccess=true, privateAccess=false} for cluster "in28minutes-cluster" in "us-east-1"
  [ℹ]  2 sequential tasks: { create cluster control plane "in28minutes-cluster", 2 sequential sub-tasks: { no tasks, create managed nodegroup "in28minutes-cluster-node-group" } }
  [ℹ]  building cluster stack "eksctl-in28minutes-cluster-cluster"
  [ℹ]  deploying stack "eksctl-in28minutes-cluster-cluster"
  [✖]  unexpected status "ROLLBACK_IN_PROGRESS" while waiting for CloudFormation stack "eksctl-in28minutes-cluster-cluster"
  [ℹ]  fetching stack events in attempt to troubleshoot the root cause of the failure
  [✖]  AWS::EC2::SubnetRouteTableAssociation/RouteTableAssociationPrivateUSEAST1B: CREATE_FAILED – "Resource creation cancelled"
  [✖]  AWS::EC2::Route/PublicSubnetRoute: CREATE_FAILED – "Resource creation cancelled"
  [✖]  AWS::EC2::SubnetRouteTableAssociation/RouteTableAssociationPrivateUSEAST1A: CREATE_FAILED – "Resource creation cancelled"
  [✖]  AWS::EC2::NatGateway/NATGateway: CREATE_FAILED – "Resource creation cancelled"
  [✖]  AWS::EC2::SubnetRouteTableAssociation/RouteTableAssociationPublicUSEAST1A: CREATE_FAILED – "Resource creation cancelled"
  [✖]  AWS::EC2::SubnetRouteTableAssociation/RouteTableAssociationPublicUSEAST1B: CREATE_FAILED – "Resource creation cancelled"
  [✖]  AWS::EKS::Cluster/ControlPlane: CREATE_FAILED – "User: arn:aws:iam::750121092648:user/HR is not authorized to perform: eks:CreateCluster on resource: arn:aws:eks:us-east-1:750121092648:cluster/in28minutes-cluster (Service: AmazonEKS; Status Code: 403; Error Code: AccessDeniedException; Request ID: 290ba47a-6423-4ce7-bd25-c429e1f69ea8)"
  [!]  1 error(s) occurred and cluster hasn't been created properly, you may wish to check CloudFormation console
  [ℹ]  to cleanup resources, run 'eksctl delete cluster --region=us-east-1 --name=in28minutes-cluster'
  [✖]  waiting for CloudFormation stack "eksctl-in28minutes-cluster-cluster": ResourceNotReady: failed waiting for successful resource state
  Error: failed to create cluster "in28minutes-cluster"

这是我用来创建集群的命令

create cluster --name in28minutes-cluster --nodegroup-name in28minutes-cluster-node-group  --node-type t2.medium --nodes 3 --nodes-min 3 --nodes-max 7 --managed --asg-access --zones=us-east-1a,us-east-1b

我的用户帐户也有 cloformation 角色

请帮我解决这个问题，我是 aws kubernetes 的新手

Answer 1

您日志中的这一行

[✖]  AWS::EKS::Cluster/ControlPlane: CREATE_FAILED – "User: arn:aws:iam::750121092648:user/HR is not authorized to perform: eks:CreateCluster on resource: arn:aws:eks:us-east-1:750121092648:cluster/in28minutes-cluster (Service: AmazonEKS; Status Code: 403; Error Code: AccessDeniedException; Request ID: 290ba47a-6423-4ce7-bd25-c429e1f69ea8)"

似乎建议用户 HR没有所有必要的 EKS 权限。尝试(暂时)附上 HR用户 AWS 托管 AdministratorAccess政策。然后，如果这解决了问题，请将其范围缩小到仅与 EKS 相关的权限。