I'm having an extremely hard time setting up EKS on AWS. I've followed this tutorial: https://docs.aws.amazon.com/eks/latest/userguide/getting-started.html#eks-launch-workers
I got up to the ~/.kube/config file and when I try to run kubectl get svc I'm prompted with the below.
▶ kubectl get svc
Please enter Username: Alex
Please enter Password: ********
Error from server (Forbidden): services is forbidden: User "system:anonymous" cannot list services in the namespace "default"
I'm unsure where to find the username and password for this entry. Please point me to the exact place where I can find this information.
I think this also has to do with EKS RBAC. I'm not sure how to get around this without having access to the server.
Make sure you have a stable version of kubectl installed:
curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/amd64/kubectl
Also, if you are getting an access denied error, then make sure you are using the same IAM user access for kubectl that you used for creating the EKS cluster.
When an Amazon EKS cluster is created, the IAM entity (user or role) that creates the
cluster is added to the Kubernetes RBAC authorization table as the administrator
(with system:master permissions). Initially, only that IAM user can make calls to the
Kubernetes API server using kubectl.
If you use the console to create the cluster, you must ensure that the same IAM user
credentials are in the AWS SDK credential chain when you are running kubectl commands
on your cluster.
This issue occurs if your user configuration isn't working in your kubeconfig, or if you are on a version of kubectl less than v1.10.
I was getting the same error.
I created the EKS cluster via the aws console, however when I followed the steps in the docs to configure my kubeconfig, I got the same error:
$ kubectl get svc
Please enter Username: JessicaG
Please enter Password: ****************
Error from server (Forbidden): services is forbidden: User "system:anonymous" cannot list services in the namespace "default"
This is what ended up being my problem:
In the AWS Getting Started guide in the section "Step 1: Create Your Amazon EKS Cluster: To create your cluster with the console", it says this:
"You must use IAM user credentials for this step, not root credentials. If you create your Amazon EKS cluster using root credentials, you cannot authenticate to the cluster."
It turned out that I had created the EKS cluster with my root credentials, however I was trying to authenticate with my admin user JessicaG.
My solution:
I re-created the cluster with the admin IAM user JessicaG. To do so here are the steps I took:
1) I configured the default user in my local file ~/.aws/credentials with the user's access keys
$ cat ~/.aws/credentials
[default]
aws_access_key_id = <JessicaG access key>
aws_secret_access_key = <JessicaG secret key>
2) Created an eks cluster from the command line:
aws eks create-cluster --name eksdemo --role-arn <eksRole> --resources-vpc-config subnetIds=<subnets>,securityGroupIds=<securityGrps>
3) Configured kubeconfig:
apiVersion: v1
clusters:
- cluster:
    server: REDACTED
    certificate-authority-data: REDACTED
  name: eksdemo
contexts:
- context:
    cluster: eksdemo
    user: aws-jessicag
  name: eksdemo
current-context: eksdemo
kind: Config
preferences: {}
users:
- name: aws-jessicag
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: heptio-authenticator-aws
      args:
        - "token"
        - "-i"
        - "eksdemo"
That solved this problem for me.
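One of the answers above attributes the prompt to a user configuration that isn't working in the kubeconfig. As an added example (not part of the original answers), the Python below checks an already-parsed kubeconfig for that condition; the function name diagnose_kubeconfig and the sample dicts are assumptions constructed for illustration, with key names taken from the kubeconfig shown above.

```python
# Added example: static check of a parsed kubeconfig (a dict, e.g. loaded
# from YAML or JSON). Function name and sample data are constructed here.

# User-entry fields that carry credentials in a kubeconfig.
CREDENTIAL_KEYS = ("exec", "token", "tokenFile", "client-certificate",
                   "client-certificate-data", "auth-provider", "username")


def diagnose_kubeconfig(cfg):
    """Return reasons why the current context resolves to no credentials."""
    ctx_name = cfg.get("current-context")
    contexts = {c["name"]: c.get("context") or {} for c in cfg.get("contexts") or []}
    users = {u["name"]: u.get("user") or {} for u in cfg.get("users") or []}

    if not ctx_name:
        return ["current-context is not set"]
    if ctx_name not in contexts:
        return [f"current-context '{ctx_name}' is not defined under contexts"]
    user_name = contexts[ctx_name].get("user")
    if not user_name:
        return [f"context '{ctx_name}' names no user"]
    if user_name not in users:
        return [f"context user '{user_name}' has no entry under users"]

    problems = []
    user = users[user_name]
    if not any(key in user for key in CREDENTIAL_KEYS):
        problems.append(f"user '{user_name}' has no credential fields")
    exec_cfg = user.get("exec")
    if exec_cfg is not None:
        # An exec plugin entry needs both the binary and the API version.
        for field in ("command", "apiVersion"):
            if not exec_cfg.get(field):
                problems.append(f"exec block has no {field}")
    return problems


# Constructed sample mirroring the kubeconfig in the answer above.
GOOD = {
    "current-context": "eksdemo",
    "contexts": [{"name": "eksdemo",
                  "context": {"cluster": "eksdemo", "user": "aws-jessicag"}}],
    "users": [{"name": "aws-jessicag", "user": {"exec": {
        "apiVersion": "client.authentication.k8s.io/v1alpha1",
        "command": "heptio-authenticator-aws",
        "args": ["token", "-i", "eksdemo"]}}}],
}
# Constructed broken variant: the context points at an undefined user name.
BAD = dict(GOOD, contexts=[{"name": "eksdemo",
                            "context": {"cluster": "eksdemo", "user": "aws"}}])

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, diagnose_kubeconfig(cfg) or "credentials present")
```

A clean result only means the file is wired correctly; the IAM identity behind the exec command still has to be the one that created the cluster.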