We have two clusters, named:
- MyCluster (created by me)
- OtherCluster (not created by me)
Where "me" is my own AWS IAM user.
I am able to manage the cluster I created, using kubectl:
>>> aws eks update-kubeconfig --name MyCluster --profile MyUser
>>> kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 172.20.0.1 <none> 443/TCP 59d
But, I cannot manage the “OtherCluster” cluster (that was not created by me):
>>> aws eks update-kubeconfig --name OtherCluster --profile MyUser
>>> kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
error: the server doesn't have a resource type "svc"
After reading the feedback of some people experiencing the same issue in this GitHub issue, I tried doing this under the context of the user who originally created the "OtherCluster".
I accomplished this by editing “~/.kube/config”, adding an “AWS_PROFILE” value at “users.user.env”. The profile represents the user who created the cluster.
~/.kube/config:
…
users:
- name: OtherCluster
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      args:
      - token
      - -i
      - OtherCluster
      command: aws-iam-authenticator
      env:
      - name: AWS_PROFILE
        value: OTHER_USER_PROFILE
…
This worked:
# ~/.kube/config is currently pointing to OtherCluster
>>> kubectl get svc
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
kubernetes ClusterIP 172.20.0.1 <none> 443/TCP 1d
It is obviously not ideal for me to impersonate another person when I am managing the cluster. I would prefer to grant my own user access to manage the cluster via kubectl. Is there any way I can grant permission to manage the cluster to a user other than the original creator? This seems overly restrictive.
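As an added example (not part of the original question), the Python below resolves, for each context in a kubeconfig, which AWS profile the aws-iam-authenticator exec plugin will use, so the effective IAM identity behind a kubectl call is visible before running it and contexts pinned to someone else's profile can be listed. The kubeconfig is a constructed sample in parsed (dict) form; SAMPLE_KUBECONFIG, resolve_exec_identity and contexts_using_foreign_profile are names chosen for this example.

```python
# Added example, not from the original post: resolve which AWS identity the
# aws-iam-authenticator exec plugin will present for a kubeconfig context.
# The kubeconfig below is a constructed sample in parsed (dict) form; a real
# one would come from yaml.safe_load() on ~/.kube/config.
# Mirrors the post: MyCluster uses the caller's own credentials, OtherCluster
# pins AWS_PROFILE to the creator's profile via users.user.exec.env.
SAMPLE_KUBECONFIG = {
    "current-context": "OtherCluster",
    "contexts": [
        {"name": "MyCluster", "context": {"cluster": "MyCluster", "user": "MyCluster"}},
        {"name": "OtherCluster", "context": {"cluster": "OtherCluster", "user": "OtherCluster"}},
    ],
    "users": [
        {"name": "MyCluster", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1alpha1",
            "command": "aws-iam-authenticator", "args": ["token", "-i", "MyCluster"]}}},
        {"name": "OtherCluster", "user": {"exec": {
            "apiVersion": "client.authentication.k8s.io/v1alpha1",
            "command": "aws-iam-authenticator", "args": ["token", "-i", "OtherCluster"],
            "env": [{"name": "AWS_PROFILE", "value": "OTHER_USER_PROFILE"}]}}},
    ],
}


def resolve_exec_identity(kubeconfig, context=None):
    """Return exec command, EKS cluster id and AWS profile for a context.

    aws_profile is None when the exec block sets no AWS_PROFILE: the plugin
    then uses the ambient credential chain (env vars, default profile, role).
    """
    name = context or kubeconfig["current-context"]
    ctx = next(c["context"] for c in kubeconfig["contexts"] if c["name"] == name)
    user = next(u["user"] for u in kubeconfig["users"] if u["name"] == ctx["user"])
    exec_cfg = user.get("exec")
    if exec_cfg is None:
        raise ValueError(f"user {ctx['user']!r} has no exec credential plugin")
    args = exec_cfg.get("args") or []
    # "-i <cluster-id>" tells aws-iam-authenticator which cluster the token is for
    cluster_id = args[args.index("-i") + 1] if "-i" in args else None
    env = {e["name"]: e["value"] for e in exec_cfg.get("env") or []}
    return {"context": name, "command": exec_cfg["command"],
            "cluster_id": cluster_id, "aws_profile": env.get("AWS_PROFILE")}


def contexts_using_foreign_profile(kubeconfig, own_profile):
    """Contexts whose exec plugin is pinned to a profile other than own_profile."""
    return [c["name"] for c in kubeconfig["contexts"]
            if resolve_exec_identity(kubeconfig, c["name"])["aws_profile"]
            not in (None, own_profile)]
```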