
I am trying to access an EKS cluster on AWS with my AWS account (the same one I use for the console).

Steps I followed:

aws configure with the info provided in "Command line or programmatic access" (AWS Access Key Id / AWS Secret access key), plus adding the AWS session token in the credential file.

aws eks update-kubeconfig --name XXXXXXX --region eu-west-1

In the ConfigMap aws-auth file I added - system:masters to the groups of my role. Is it OK to add this here?

mapRoles: |
    - groups:
      - system:bootstrappers
      - system:nodes
      rolearn: arn:aws:iam::XXXXXXXX:role/XXXXXXXX-group-role
      username: system:node:{{EC2PrivateDNSName}}
    - groups:
      - eks-console-dashboard-full-access-group
      - system:masters    # <-- is it OK to add this group here?
      rolearn: arn:aws:iam::MYACCOUNT:role/AWSReservedSSO_AdministratorAccess_XXXXXXXX
      username: AWSReservedSSO_AdministratorAccess_XXXXXXXX

Then I try kubectl get svc and I get:

E0207 16:37:31.292453   45292 memcache.go:238] couldn't get current server API group list: Get "https://XXXXXXXXXXXXXX.sk1.eu-west-1.eks.amazonaws.com/api?timeout=32s": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)

What does that error mean? Is it a rights problem? A networking problem? (The security groups allow my IP.) Thanks for your help.

  • Timeout is always a security group issue, or perhaps your apiserver endpoint is in a Private VPC (the hostname will always look the same, but whether it resolves to a Public IP address is the difference). As for your system:masters question, yes, it should be fine although there's no reason to be in both groups since system:masters is, AFAIK, as high as it gets in k8s RBAC authorities
    – mdaniel
    Commented Feb 8, 2023 at 5:04
  • Thanks for your reply. My IP is allowed in All traffic, in the SG of my ALB, my bastion on AWS, and the EKS cluster, and I still get this error: E0208 13:16:08.468631 796 memcache.go:238] couldn't get current server API group list: Get "XXXXXXXXXXXXXXXXXXXXXX.sk1.eu-west-1.eks.amazonaws.com/…": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) Unable to connect to the server: net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers) There is no SG left?
    – awot83
    Commented Feb 8, 2023 at 13:16
  • I found what was missing: I also had to add my public IP address in EKS/Clusters > Manage networking > cluster endpoint in « Public and private » > advanced setting > "Add/edit sources to public access endpoint". We can add a CIDR block there, and now it is OK.
    – awot83
    Commented Feb 8, 2023 at 16:20
  • I'm glad it was something simple, please add and accept your own answer so others will benefit
    – mdaniel
    Commented Feb 8, 2023 at 16:21

1 Answer


I found what was missing: I added my public IP address in EKS/Clusters > Manage networking > cluster endpoint in « Public and private » > advanced setting > "Add/edit sources to public access endpoint". We can add a CIDR block there, and now it is OK.
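
The check behind this answer and the private-endpoint case raised in the comments, as an added example that is not part of the original post: it reads the `resourcesVpcConfig` block of `aws eks describe-cluster` output and reports why a given client IP would time out. The cluster name, the sample data and the `diagnose` helper are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges: an address in these is never what the public endpoint sees.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample shaped like `aws eks describe-cluster --output json`
# (documentation-range addresses, placeholder cluster name).
SAMPLE = {
    "cluster": {
        "name": "demo-cluster",
        "resourcesVpcConfig": {
            "endpointPublicAccess": True,
            "endpointPrivateAccess": True,
            "publicAccessCidrs": ["198.51.100.0/24"],
        },
    }
}


def diagnose(describe_output, client_ip):
    """Return (status, detail) for a client reaching the API server from the internet."""
    cfg = describe_output["cluster"]["resourcesVpcConfig"]
    ip = ipaddress.ip_address(client_ip)
    if any(ip.version == 4 and ip in net for net in RFC1918):
        return "wrong_ip", f"{ip} is a private address; check your public egress IP"
    if not cfg.get("endpointPublicAccess", False):
        return "private_only", "public endpoint disabled; connect from inside the VPC"
    # AWS allows 0.0.0.0/0 when no source list has been configured.
    cidrs = cfg.get("publicAccessCidrs") or ["0.0.0.0/0"]
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        if ip.version == net.version and ip in net:
            return "allowed", f"{ip} matches {net}"
    # A source outside the list is dropped silently, which kubectl reports
    # as a Client.Timeout rather than a 401/403.
    return "not_allowlisted", f"add {ip}/32 to publicAccessCidrs (currently {cidrs})"


if __name__ == "__main__":
    for addr in ("198.51.100.23", "203.0.113.7", "192.168.1.20"):
        print(addr, diagnose(SAMPLE, addr))
```

The same list can be changed from the CLI with `aws eks update-cluster-config --name <cluster> --resources-vpc-config publicAccessCidrs=<your-ip>/32`; a single /32 keeps the public endpoint exposure as narrow as possible.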
